[Openswan Users] Cannot connect to Openswan from iPad
Christo Romberg
coromberg at gmail.com
Fri Dec 7 12:32:21 EST 2012
Thank you for your help,
I was not able to find the patch on the Openswan website, so I decided to
give strongSwan a go and got it working ok with that package instead.
Thank you all for your kind help,
Have a good evening,
//Chris
2012/12/6 Elison Niven <elison.niven at elitecore.com>
> Any other clients apart from Apple iPhone and Macbook are able to connect?
> What do your xl2tpd and pppd logs say?
>
>
> On Thursday 06 December 2012 03:38:29 PM IST, Christo Romberg wrote:
>
>> Nice, thank you for your input! I will check and test the L2TP/IPSec
>> patch on the OpenSwan site and I'll report back.
>>
>> Thanks again,
>> //Chris
>>
>>
>> 2012/12/4 Daniel Cave <dan.cave at me.com>
>>
>>
>> I suspect the problem you're having applies to every iOS device,
>> iphone/ipad/Mac.
>>
>> I *think* there's an L2TP/Ipsec Patch which is on the OpenSwan
>> site which applies to iOS devices. Have you patched your OpenSwan
>> code or looked for the patch?
>>
>> D
>>
>>
>> On 4 Dec 2012, at 16:19, Christo Romberg wrote:
>>
>>> Hey guys,
>>>
>>> I'm new to Openswan, and I'm having trouble getting it configured
>>> properly. I'm trying to get a home VPN system working, so that I
>>> can remotely access my files through my iPad when I'm on the go.
>>>
>>> I've successfully installed OpenSWAN on a Debian Squeeze box, and
>>> configured it with the settings below.
>>>
>>> The problem is that I cannot connect to the VPN server from my iPad.
>>>
>>> Error message on the iPad:
>>> ---------------------------------------
>>> "The L2TP-VPN server did not respond. Try reconnecting. If the
>>> problem continues, verify your settings and contact your
>>> Administrator."
>>>
>>>
>>> I've also tried with my MacBook, with the same error message as
>>> on the iPhone.
>>>
>>> /var/log/auth.log
>>> -----------------------
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
>>> Dec 3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [Dead Peer Detection]
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: switched from "PSK" to "PSK"
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: new NAT mapping for #1, was 91.150.29.228:500, now 91.150.29.228:4500
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
>>> Dec 3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: Dead Peer Detection (RFC 3706): enabled
>>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: the peer proposed: 188.67.59.220/32:17/1701 -> 192.168.1.3/32:17/0
>>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}
>>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: us: 192.168.1.2<192.168.1.2>[+S=C]:17/1701---192.168.1.1
>>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: them: 91.150.29.228[192.168.1.3,+S=C]:17/51482===192.168.1.3/32
>>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Dec 3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>>> Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: Dead Peer Detection (RFC 3706): enabled
>>> Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>> Dec 3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
>>> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
>>> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
>>> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received and ignored informational message
>>> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1
>>> Dec 3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
>>> Dec 3 20:58:14 debian pluto[1999]: packet from 91.150.29.228:4500: received and ignored informational message
>>>
>>>
>>>
>>> ---------------------------- IMPLEMENTATION ----------------------------
>>>
>>> ====================
>>> NETWORK TOPOLOGY
>>> ====================
>>>
>>> [Openswan-Server] <--------------> WAN-router <--------------> (Internet) <--------------> my iPad connected via 3G
>>> 192.168.1.2                        192.168.1.1 // 188.67.59.220                            91.150.29.228
>>>
>>> ===============
>>> SYSTEM DETAILS
>>> ===============
>>> - Debian Squeeze v6.0.6-i386
>>> - OpenSWAN v1:2.6.28+dfsg-5+squeeze1
>>>
>>>
>>> ===============
>>> CONFIGURATION
>>> ===============
>>>
>>> /etc/ipsec.secrets:
>>> ---------------------------
>>> 192.168.1.2%any 0.0.0.0: PSK "test"
>>>
>>>
>>> /etc/ipsec.conf:
>>> ----------------------
>>>
>>> config setup
>>>     nat_traversal=yes
>>>     virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
>>>     protostack=netkey
>>>     #protostack=mast # used for SAref + MAST only
>>>     interfaces="%defaultroute"
>>>     oe=off
>>>
>>> conn l2tp-psk
>>>     authby=secret
>>>     pfs=no
>>>     auto=add
>>>     # we cannot rekey for %any, let client rekey
>>>     rekey=no
>>>     keyingtries=3
>>>     # Apple iOS doesn't send delete notify so we need dead peer detection
>>>     # to detect vanishing clients
>>>     dpddelay=30
>>>     dpdtimeout=120
>>>     dpdaction=clear
>>>     ikelifetime=8h
>>>     keylife=1h
>>>     # overlapip=yes # for SAref + MAST
>>>     # sareftrack=yes # for SAref + MAST
>>>     type=transport
>>>     left=192.168.1.2
>>>     leftprotoport=17/1701
>>>     #
>>>     # The remote user.
>>>     #
>>>     right=%any
>>>     rightprotoport=17/%any
>>>     rightsubnet=vhost:%priv,%no
>>>     forceencaps=yes
>>>
>>>
>>> /etc/xl2tpd/xl2tpd.conf
>>> -------------------------------
>>>
>>> [global]
>>> ; you cannot leave out listen-addr, causes possible wrong src ip on return packets
>>> listen-addr = 192.168.1.2
>>> ; ipsec saref = yes ; For SAref + MAST only
>>> ; debug tunnel = yes
>>>
>>> [lns default]
>>> ip range = 192.168.1.101-192.168.1.110
>>> local ip = 192.168.1.100
>>> assign ip = yes
>>> require chap = yes
>>> refuse pap = yes
>>> require authentication = yes
>>> name = OpenswanVPN
>>> ppp debug = yes
>>> pppoptfile = /etc/ppp/options.xl2tpd
>>> length bit = yes
>>>
>>>
>>> /etc/ppp/options.xl2tpd
>>> --------------------------------
>>>
>>> ipcp-accept-local
>>> ipcp-accept-remote
>>> ms-dns 192.168.1.1
>>> noccp
>>> auth
>>> crtscts
>>> idle 1800
>>> mtu 1200
>>> mru 1200
>>> nodefaultroute
>>> debug
>>> lock
>>> proxyarp
>>> connect-delay 5000
>>>
>>>
>>> /etc/ppp/chap-secrets:
>>> --------------------------------
>>> greg*"thesecret"*
>>>
>>>
>>> /etc/sysctl.conf
>>> ----------------------
>>>
>>> net.ipv4.ip_forward = 1
>>> net.ipv4.conf.default.rp_filter = 0
>>> net.ipv4.conf.default.accept_source_route = 0
>>> net.ipv4.conf.all.send_redirects = 0
>>> net.ipv4.conf.default.send_redirects = 0
>>> net.ipv4.icmp_ignore_bogus_error_responses = 1
>>>
>>>
>>> ipsec verify
>>> -----------------
>>> Version check and ipsec on-path [OK]
>>> Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
>>> Checking for IPsec support in kernel [OK]
>>> NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
>>>
>>>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>>>   or NETKEY will cause the sending of bogus ICMP redirects!
>>>
>>> NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
>>>
>>>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>>>   or NETKEY will accept bogus ICMP redirects!
>>>
>>> Checking that pluto is running [OK]
>>> Pluto listening for IKE on udp 500 [OK]
>>> Pluto listening for NAT-T on udp 4500 [OK]
>>> Two or more interfaces found, checking IP forwarding [FAILED]
>>> Checking for 'ip' command [OK]
>>> Checking for 'iptables' command [OK]
>>> Opportunistic Encryption Support [DISABLED]
>>>
>>>
>>> WAN-router configurations
>>> --------------------------------------
>>> I've configured the router to forward ports 500, 1701, and
>>> 4500 to 192.168.1.2.
>>>
>>>
>>> ---------------------------- IMPLEMENTATION ----------------------------
>>>
>>> Thanks guys.
>>>
>>> Have a great day,
>>> //Chris
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>
>> Regards
>>
>> Dan.
>>
>>
>>
>>
>> --
>> Christo Romberg
>>
>>
>
> --
> Best Regards,
> Elison Niven
>
--
Christo Romberg
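
Added example, not part of the original thread: in the quoted auth.log the IPsec SA comes up at 20:57:54 and the client deletes it at 20:58:14, so IKE itself completes. The sketch below pairs those two pluto events by SPI and reports SAs the peer tore down quickly, which is the point where the xl2tpd and pppd logs asked about in the thread are the next thing to read. The function name, the 60-second threshold and the year default are assumptions; the sample lines are reassembled from the log above.

```python
import re
from datetime import datetime

# Four entries reassembled (unwrapped) from the auth.log quoted in the thread.
SAMPLE_LOG = '''\
Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1
'''

# syslog prefix, then pluto's '"conn"[instance] peer #state: message'
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: (?P<msg>.*)$')
SA_UP = re.compile(r'IPsec SA established .*ESP(?:/NAT)?=>(0x[0-9a-f]+)')
SA_DELETED = re.compile(r'received Delete SA\((0x[0-9a-f]+)\) payload')


def short_lived_sas(log_text, max_seconds=60, year=2012):
    """Return (peer, spi, lifetime_s) for IPsec SAs the peer deleted early.

    syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    established = {}          # (peer, spi) -> time the SA came up
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue          # not a per-connection pluto line
        when = datetime.strptime(f"{year} {m['ts']}", '%Y %b %d %H:%M:%S')
        up = SA_UP.search(m['msg'])
        if up:
            established[(m['peer'], up.group(1))] = when
            continue
        gone = SA_DELETED.search(m['msg'])
        key = (m['peer'], gone.group(1)) if gone else None
        if key in established:
            lifetime = int((when - established.pop(key)).total_seconds())
            if lifetime <= max_seconds:
                findings.append((key[0], key[1], lifetime))
    return findings


if __name__ == '__main__':
    for peer, spi, secs in short_lived_sas(SAMPLE_LOG):
        print(f'{peer}: IPsec SA {spi} torn down by peer after {secs}s')
```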