[Openswan Users] Cannot connect to Openswan from iPad
Elison Niven
elison.niven at elitecore.com
Thu Dec 6 05:14:14 EST 2012
Are any other clients, apart from the Apple iPhone and MacBook, able to
connect?
What do your xl2tpd and pppd logs say?
On Thursday 06 December 2012 03:38:29 PM IST, Christo Romberg wrote:
> Nice, thank you for your input! I will check and test the L2TP/IPSec
> patch on the OpenSwan site and I'll report back.
>
> Thanks again,
> //Chris
>
>
> 2012/12/4 Daniel Cave <dan.cave at me.com>
>
> I suspect the problem you're having applies to every iOS device,
> iphone/ipad/Mac.
>
> I *think* there's an L2TP/Ipsec Patch which is on the OpenSwan
> site which applies to iOS devices. Have you patched your OpenSwan
> code or looked for the patch?
>
> D
>
>
> On 4 Dec 2012, at 16:19, Christo Romberg wrote:
>
>> Hey guys,
>>
>> I'm new to Openswan, and I'm having trouble getting it configured
>> properly. I'm trying to get a home VPN system working, so that I
>> can remotely access my files through my iPad when I'm on the go.
>>
>> I've successfully installed OpenSWAN on a Debian Squeeze box, and
>> configured it with the settings below.
>>
>> The problem is that I cannot connect to the VPN server from my iPad.
>>
>> Error message on the iPad:
>> ---------------------------------------
>> "The L2TP-VPN server did not respond. Try reconnecting. If the
>> problem continues, verify your settings and contact your
>> Administrator."
>>
>> I've also tried with my MacBook, with the same error message as
>> on the iPhone.
>>
>> /var/log/auth.log
>> -----------------------
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [Dead Peer Detection]
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: switched from "PSK" to "PSK"
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: new NAT mapping for #1, was 91.150.29.228:500, now 91.150.29.228:4500
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: Dead Peer Detection (RFC 3706): enabled
>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: the peer proposed: 188.67.59.220/32:17/1701 -> 192.168.1.3/32:17/0
>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}
>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: us: 192.168.1.2<192.168.1.2>[+S=C]:17/1701---192.168.1.1
>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: them: 91.150.29.228[192.168.1.3,+S=C]:17/51482===192.168.1.3/32
>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>> Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: Dead Peer Detection (RFC 3706): enabled
>> Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>> Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
>> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
>> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
>> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received and ignored informational message
>> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1
>> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
>> Dec 3 20:58:14 debian pluto[1999]: packet from 91.150.29.228:4500: received and ignored informational message
>>
>>
>>
>> ------------------------------------------ IMPLEMENTATION ------------------------------------------
>>
>> ====================
>> NETWORK TOPOLOGY
>> ====================
>>
>> [Openswan-Server] <-----------> WAN-router <-----------> (Internet) <-----------> my iPad (connected via 3G)
>> 192.168.1.2                     192.168.1.1 / 188.67.59.220                        91.150.29.228
>>
>> ===============
>> SYSTEM DETAILS
>> ===============
>> - Debian Squeeze v6.0.6-i386
>> - OpenSWAN v1:2.6.28+dfsg-5+squeeze1
>>
>>
>>
>> ===============
>> CONFIGURATION
>> ===============
>>
>> /etc/ipsec.secrets:
>> ---------------------------
>> 192.168.1.2%any 0.0.0.0 : PSK "test"
>>
>>
>> /etc/ipsec.conf:
>> ----------------------
>> config setup
>>     nat_traversal=yes
>>     virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
>>     protostack=netkey
>>     #protostack=mast # used for SAref + MAST only
>>     interfaces="%defaultroute"
>>     oe=off
>>
>> conn l2tp-psk
>>     authby=secret
>>     pfs=no
>>     auto=add
>>     # we cannot rekey for %any, let client rekey
>>     rekey=no
>>     keyingtries=3
>>     # Apple iOS doesn't send delete notify so we need dead peer detection
>>     # to detect vanishing clients
>>     dpddelay=30
>>     dpdtimeout=120
>>     dpdaction=clear
>>     ikelifetime=8h
>>     keylife=1h
>>     # overlapip=yes # for SAref + MAST
>>     # sareftrack=yes # for SAref + MAST
>>     type=transport
>>     left=192.168.1.2
>>     leftprotoport=17/1701
>>     #
>>     # The remote user.
>>     #
>>     right=%any
>>     rightprotoport=17/%any
>>     rightsubnet=vhost:%priv,%no
>>     forceencaps=yes
>>
>>
>> /etc/xl2tpd/xl2tpd.conf
>> -------------------------------
>> [global]
>> ; you cannot leave out listen-addr, causes possible wrong src ip on return packets
>> listen-addr = 192.168.1.2
>> ; ipsec saref = yes ; For SAref + MAST only
>> ; debug tunnel = yes
>>
>> [lns default]
>> ip range = 192.168.1.101-192.168.1.110
>> local ip = 192.168.1.100
>> assign ip = yes
>> require chap = yes
>> refuse pap = yes
>> require authentication = yes
>> name = OpenswanVPN
>> ppp debug = yes
>> pppoptfile = /etc/ppp/options.xl2tpd
>> length bit = yes
>>
>>
>>
>> /etc/ppp/options.xl2tpd
>> --------------------------------
>> ipcp-accept-local
>> ipcp-accept-remote
>> ms-dns 192.168.1.1
>> noccp
>> auth
>> crtscts
>> idle 1800
>> mtu 1200
>> mru 1200
>> nodefaultroute
>> debug
>> lock
>> proxyarp
>> connect-delay 5000
>>
>> /etc/ppp/chap-secrets:
>> --------------------------------
>> greg * "thesecret" *
>>
>>
>> /etc/sysctl.conf
>> ----------------------
>> net.ipv4.ip_forward = 1
>> net.ipv4.conf.default.rp_filter = 0
>> net.ipv4.conf.default.accept_source_route = 0
>> net.ipv4.conf.all.send_redirects = 0
>> net.ipv4.conf.default.send_redirects = 0
>> net.ipv4.icmp_ignore_bogus_error_responses = 1
>>
>> ipsec verify
>> -----------------
>> Version check and ipsec on-path                               [OK]
>> Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
>> Checking for IPsec support in kernel                          [OK]
>> NETKEY detected, testing for disabled ICMP send_redirects     [FAILED]
>>
>>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>>   or NETKEY will cause the sending of bogus ICMP redirects!
>>
>> NETKEY detected, testing for disabled ICMP accept_redirects   [FAILED]
>>
>>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>>   or NETKEY will accept bogus ICMP redirects!
>>
>> Checking that pluto is running                                [OK]
>> Pluto listening for IKE on udp 500                            [OK]
>> Pluto listening for NAT-T on udp 4500                         [OK]
>> Two or more interfaces found, checking IP forwarding          [FAILED]
>> Checking for 'ip' command                                     [OK]
>> Checking for 'iptables' command                               [OK]
>> Opportunistic Encryption Support                              [DISABLED]
>>
>> WAN-router configurations
>> --------------------------------------
>> I've configured the router to forward ports 500, 1701, and
>> 4500 to 192.168.1.2.
>>
>>
>>
>> ------------------------------------------ IMPLEMENTATION ------------------------------------------
>>
>> Thanks guys.
>>
>> Have a great day,
>> //Chris
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments:
>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
> Regards
>
> Dan.
>
>
>
>
> --
> Christo Romberg
>
>
--
Best Regards,
Elison Niven
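A small triage helper added here (it is not part of the thread, and not Openswan's code): it walks the pluto lines quoted above and reports how far IKE got and how long the IPsec SA lived before the client deleted it, which is what separates an IPsec problem from the xl2tpd/pppd problem Elison asks about. The sample lines are copied from the post; the 60-second "short-lived tunnel" threshold is an assumption.

```python
import re

# Pluto lines copied from the thread's /var/log/auth.log, reduced to the
# state transitions that matter for triage (addresses and SPIs as posted).
PLUTO_LOG = """\
Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: the peer proposed: 188.67.59.220/32:17/1701 -> 192.168.1.3/32:17/0
Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
"""

TS_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) ")
# A tunnel the client tears down within a minute never got an L2TP reply;
# the threshold is an assumption, not a value from the thread.
SHORT_LIVED_S = 60

def _seconds(line):
    m = TS_RE.match(line)
    return None if m is None else (int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3]))

def triage(log):
    """Summarise how far IKE phase 1, phase 2 and the tunnel itself got."""
    r = {"isakmp_sa": None, "ipsec_sa": None, "deleted": None, "l2tp_selector": False}
    for line in log.splitlines():
        t = _seconds(line)
        if "ISAKMP SA established" in line:
            r["isakmp_sa"] = t
        elif "IPsec SA established" in line:
            r["ipsec_sa"] = t
        elif "received Delete SA(" in line and r["ipsec_sa"] is not None:
            r["deleted"] = t
        elif "the peer proposed:" in line:
            # UDP (17) to port 1701 means the client intends to run L2TP inside
            r["l2tp_selector"] = ":17/1701 ->" in line
    if r["ipsec_sa"] is not None and r["deleted"] is not None:
        r["lifetime_s"] = r["deleted"] - r["ipsec_sa"]
    return r

def diagnosis(r):
    """Point the reader at the layer that actually failed."""
    if r["isakmp_sa"] is None:
        return "phase 1 never completed: check the PSK and IKE proposals"
    if r["ipsec_sa"] is None:
        return "phase 2 never completed: check leftprotoport/rightsubnet"
    if r.get("lifetime_s", SHORT_LIVED_S) < SHORT_LIVED_S:
        return (f"IPsec came up and the client deleted it after {r['lifetime_s']}s: "
                "IKE is fine, L2TP got no answer; check xl2tpd and pppd logs")
    return "IPsec is up and stable"
```

Run `diagnosis(triage(PLUTO_LOG))` against the posted excerpt and it reports the 20-second tunnel, i.e. the same conclusion as asking for the xl2tpd and pppd logs.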