[Openswan Users] Cannot connect to Openswan from iPad

Christo Romberg coromberg at gmail.com
Thu Dec 6 05:08:29 EST 2012


Nice, thank you for your input! I will check and test the L2TP/IPSec patch
on the OpenSwan site and I'll report back.

Thanks again,
//Chris


2012/12/4 Daniel Cave <dan.cave at me.com>

> I suspect the problem you're having applies to every iOS device,
> iphone/ipad/Mac.
>
> I *think* there's an L2TP/Ipsec Patch which is on the OpenSwan site which
> applies to iOS devices. Have you patched your OpenSwan code or looked for
> the patch?
>
> D
>
>
> On 4 Dec 2012, at 16:19, Christo Romberg wrote:
>
> Hey guys,
>
> I'm new to Openswan, and I'm having trouble getting it configured
> properly. I'm trying to get a home VPN system working, so that I can
> remotely access my files through my iPad when I'm on the go.
>
> I've successfully installed OpenSWAN on a Debian Squeeze box, and
> configured it with the settings below.
>
> The problem is that I cannot connect to the VPN server from my iPad.
>
> Error message on the iPad:
> ---------------------------------------
> "The L2TP-VPN server did not respond. Try reconnecting. If the problem
> continues, verify your settings and contact your Administrator."
>
> I've also tried with my MacBook, with the same error message as on the
> iPhone.
>
> /var/log/auth.log
> -----------------------
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
> Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [Dead Peer Detection]
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: switched from "PSK" to "PSK"
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: new NAT mapping for #1, was 91.150.29.228:500, now 91.150.29.228:4500
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
> Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: Dead Peer Detection (RFC 3706): enabled
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: the peer proposed: 188.67.59.220/32:17/1701 -> 192.168.1.3/32:17/0
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2:     us: 192.168.1.2<192.168.1.2>[+S=C]:17/1701---192.168.1.1
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2:   them: 91.150.29.228[192.168.1.3,+S=C]:17/51482===192.168.1.3/32
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: Dead Peer Detection (RFC 3706): enabled
> Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500DPD=enabled}
> Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
> Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
> Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received and ignored informational message
> Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1
> Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
> Dec  3 20:58:14 debian pluto[1999]: packet from 91.150.29.228:4500: received and ignored informational message
>
>
>
> ------------------------------------------------------------------
> IMPLEMENTATION
> ------------------------------------------------------------------
>
> ====================
> NETWORK TOPOLOGY
> ====================
>
> [Openswan-Server] <--------> WAN-router <--------> (Internet) <--------> my iPad connected via 3G
>    192.168.1.2          192.168.1.1 // 188.67.59.220                              91.150.29.228
>
> ===============
> SYSTEM DETAILS
> ===============
> - Debian Squeeze v6.0.6-i386
> - OpenSWAN v1:2.6.28+dfsg-5+squeeze1
>
>
>
> ===============
> CONFIGURATION
> ===============
>
> /etc/ipsec.secrets:
> ---------------------------
> 192.168.1.2 %any   0.0.0.0: PSK   "test"
>
>
> /etc/ipsec.conf:
> ----------------------
> config setup
>         nat_traversal=yes
>         virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
>         protostack=netkey
>         #protostack=mast  # used for SAref + MAST only
>         interfaces="%defaultroute"
>         oe=off
>
> conn l2tp-psk
>         authby=secret
>         pfs=no
>         auto=add
>         # we cannot rekey for %any, let client rekey
>         rekey=no
>         keyingtries=3
>         # Apple iOS doesn't send delete notify so we need dead peer detection
>         # to detect vanishing clients
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=clear
>         ikelifetime=8h
>         keylife=1h
>         # overlapip=yes   # for SAref + MAST
>         # sareftrack=yes  # for SAref + MAST
>         type=transport
>         left=192.168.1.2
>         leftprotoport=17/1701
>         #
>         # The remote user.
>         #
>         right=%any
>         rightprotoport=17/%any
>         rightsubnet=vhost:%priv,%no
>         forceencaps=yes
>
>
>
> /etc/xl2tpd/xl2tpd.conf
> -------------------------------
> [global]
> ; you cannot leave out listen-addr, causes possible wrong src ip on return packets
> listen-addr = 192.168.1.2
> ; ipsec saref = yes   ; For SAref + MAST only
> ; debug tunnel = yes
>
> [lns default]
> ip range = 192.168.1.101-192.168.1.110
> local ip = 192.168.1.100
> assign ip = yes
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = OpenswanVPN
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
>
>
> /etc/ppp/options.xl2tpd
> --------------------------------
> ipcp-accept-local
> ipcp-accept-remote
> ms-dns  192.168.1.1
> noccp
> auth
> crtscts
> idle 1800
> mtu 1200
> mru 1200
> nodefaultroute
> debug
> lock
> proxyarp
> connect-delay 5000
>
> /etc/ppp/chap-secrets:
> --------------------------------
> greg * "thesecret" *
>
>
> /etc/sysctl.conf
> ----------------------
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.default.accept_source_route = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.icmp_ignore_bogus_error_responses = 1
>
> ipsec verify
> -----------------
> "
> Version check and ipsec on-path                              [OK]
> Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
> Checking for IPsec support in kernel                         [OK]
> NETKEY detected, testing for disabled ICMP send_redirects    [FAILED]
>
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects  [FAILED]
>
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!
>
> Checking that pluto is running                               [OK]
> Pluto listening for IKE on udp 500                           [OK]
> Pluto listening for NAT-T on udp 4500                        [OK]
> Two or more interfaces found, checking IP forwarding         [FAILED]
> Checking for 'ip' command                                    [OK]
> Checking for 'iptables' command                              [OK]
> Opportunistic Encryption Support                             [DISABLED]
> "
>
> WAN-router configurations
> --------------------------------------
> I've configured the router to forward ports 500, 1701, and 4500 to
> 192.168.1.2.
>
>
>
> ------------------------------------------------------------------
> IMPLEMENTATION
> ------------------------------------------------------------------
>
>
> Thanks guys.
>
> Have a great day,
> //Chris
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
> Regards
>
> Dan.
>
>


-- 
Christo Romberg
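Reading the quoted pluto log one handshake layer at a time, as an added example that is not part of this thread: IKE Main Mode and Quick Mode both complete, and the client deletes the IPsec SA 20 seconds later, which places the fault above IPsec, in the L2TP stage that the iPad's error message names. The sample lines are constructed from the log in the post; the function names are this example's own.

```python
import re

# Sample input constructed from the lines quoted in the post, truncated to the
# fields the parser uses. The handshake is layered: IKE Main Mode -> ISAKMP SA,
# IKE Quick Mode -> IPsec SA, and only then L2TP/PPP on UDP 1701 inside the tunnel.
SAMPLE_LOG = """\
Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1}
Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
"""

_TS = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) ")

def _seconds(line):
    """Seconds since midnight from the syslog timestamp (the date is ignored)."""
    h, m, s = (int(x) for x in _TS.match(line).groups())
    return h * 3600 + m * 60 + s

def summarize(log_text):
    """Timestamp (or None) of each milestone, plus how long the IPsec SA lived."""
    marks = {"isakmp_sa": None, "ipsec_sa": None, "peer_delete": None}
    for line in log_text.splitlines():
        if "ISAKMP SA established" in line:
            marks["isakmp_sa"] = _seconds(line)
        elif "IPsec SA established" in line:
            marks["ipsec_sa"] = _seconds(line)
        elif "received Delete SA(" in line and marks["peer_delete"] is None:
            marks["peer_delete"] = _seconds(line)   # first peer-initiated teardown
    up, down = marks["ipsec_sa"], marks["peer_delete"]
    marks["sa_lifetime_s"] = down - up if up is not None and down is not None else None
    return marks

def diagnose(marks):
    """Name the first layer that did not complete."""
    if marks["isakmp_sa"] is None:
        return "ike-main-mode"   # PSK, UDP 500/4500 reachability, NAT-T
    if marks["ipsec_sa"] is None:
        return "ike-quick-mode"  # protoport/subnet mismatch in the proposal
    if marks["sa_lifetime_s"] is not None and marks["sa_lifetime_s"] < 60:
        return "l2tp"            # tunnel came up, but the client gave up on UDP 1701
    return "ipsec-ok"

if __name__ == "__main__":
    m = summarize(SAMPLE_LOG)
    print(m["sa_lifetime_s"], diagnose(m))  # 20 l2tp
```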

