[Openswan Users] Cannot connect to Openswan from iPad

Christian Huldt christian at solvare.se
Fri Dec 7 12:48:57 EST 2012


I've three openswan installations with l2tp psk, two of which work fine 
with iOS, the third one not at all.

The third one doesn't really need iOS for the moment, but sometimes I 
play around just to understand the problem a little more...
Can't say I do, the sites all have about the same configurations...

Christo Romberg wrote 2012-12-07 18:32:
> Thank you for your help,
>
> I was not able to find the patch on the Openswan website, so I decided
> to give strongSwan a go and got it working ok with that package instead.
>
> Thank you all for your kind help,
>
> Have a good evening,
> //Chris
>
>
> 2012/12/6 Elison Niven <elison.niven at elitecore.com>
>
>     Any other clients apart from Apple iPhone and Macbook are able to
>     connect?
>     What do your xl2tpd and pppd logs say?
>
>
>     On Thursday 06 December 2012 03:38:29 PM IST, Christo Romberg wrote:
>
>         Nice, thank you for your input! I will check and test the L2TP/IPSec
>         patch on the OpenSwan site and I'll report back.
>
>         Thanks again,
>         //Chris
>
>
>         2012/12/4 Daniel Cave <dan.cave at me.com>
>
>
>              I suspect the problem you're having applies to every iOS
>              device, iphone/ipad/Mac.
>
>              I *think* there's an L2TP/Ipsec Patch which is on the OpenSwan
>              site which applies to iOS devices. Have you patched your
>              OpenSwan code or looked for the patch?
>
>              D
>
>
>              On 4 Dec 2012, at 16:19, Christo Romberg wrote:
>
>                  Hey guys,
>
>                  I'm new to Openswan, and I'm having trouble getting it configured
>                  properly. I'm trying to get a home VPN system working, so that I
>                  can remotely access my files through my iPad when I'm on the go.
>
>                  I've successfully installed OpenSWAN on a Debian Squeeze box, and
>                  configured it with the settings below.
>
>                  The problem is that I cannot connect to the VPN server from my iPad.
>
>                  Error message on the iPad:
>                  ----------------------------------------
>                  "The L2TP-VPN server did not respond. Try reconnecting. If the
>                  problem continues, verify your settings and contact your
>                  Administrator."
>
>                  I've also tried with my MacBook, with the same error message as
>                  on the iPhone.
>
>                  /var/log/auth.log
>                  -----------------------
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
>                  Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [Dead Peer Detection]
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.3'
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: switched from "PSK" to "PSK"
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: new NAT mapping for #1, was 91.150.29.228:500, now 91.150.29.228:4500
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
>                  Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: Dead Peer Detection (RFC 3706): enabled
>                  Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: the peer proposed: 188.67.59.220/32:17/1701 -> 192.168.1.3/32:17/0
>                  Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}
>                  Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2:   us: 192.168.1.2<192.168.1.2>[+S=C]:17/1701---192.168.1.1
>                  Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: them: 91.150.29.228[192.168.1.3,+S=C]:17/51482===192.168.1.3/32
>                  Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>                  Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>                  Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: Dead Peer Detection (RFC 3706): enabled
>                  Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>                  Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
>                  Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
>                  Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
>                  Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received and ignored informational message
>                  Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1
>                  Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228: deleting connection "PSK" instance with peer 91.150.29.228 {isakmp=#0/ipsec=#0}
>                  Dec  3 20:58:14 debian pluto[1999]: packet from 91.150.29.228:4500: received and ignored informational message
>
>
>
>
>                  ---------------------------------- IMPLEMENTATION ----------------------------------
>
>                  ====================
>                  NETWORK TOPOLOGY
>                  ====================
>
>                  [Openswan-Server] <--------------> WAN-router <--------------> (Internet) <--------------> my iPad connected via 3G
>                  192.168.1.2        192.168.1.1 / 188.67.59.220                                   91.150.29.228
>
>                  ===============
>                  SYSTEM DETAILS
>                  ===============
>                  - Debian Squeeze v6.0.6-i386
>                  - OpenSWAN v1:2.6.28+dfsg-5+squeeze1
>
>
>
>                  ===============
>                  CONFIGURATION
>                  ===============
>
>                  /etc/ipsec.secrets:
>                  ---------------------------
>                  192.168.1.2 %any 0.0.0.0: PSK "test"
>
>                  /etc/ipsec.conf:
>                  ----------------------
>                  config setup
>                          nat_traversal=yes
>                          virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.254.253.0/24
>                          protostack=netkey
>                          #protostack=mast  # used for SAref + MAST only
>                          interfaces="%defaultroute"
>                          oe=off
>
>                  conn l2tp-psk
>                          authby=secret
>                          pfs=no
>                          auto=add
>                          # we cannot rekey for %any, let client rekey
>                          rekey=no
>                          keyingtries=3
>                          # Apple iOS doesn't send delete notify so we need dead peer detection
>                          # to detect vanishing clients
>                          dpddelay=30
>                          dpdtimeout=120
>                          dpdaction=clear
>                          ikelifetime=8h
>                          keylife=1h
>                          # overlapip=yes   # for SAref + MAST
>                          # sareftrack=yes  # for SAref + MAST
>                          type=transport
>                          left=192.168.1.2
>                          leftprotoport=17/1701
>                          #
>                          # The remote user.
>                          #
>                          right=%any
>                          rightprotoport=17/%any
>                          rightsubnet=vhost:%priv,%no
>                          forceencaps=yes
>
>                  /etc/xl2tpd/xl2tpd.conf
>                  -------------------------------
>                  [global]
>                  ; you cannot leave out listen-addr, causes possible wrong src ip on return packets
>                  listen-addr = 192.168.1.2
>                  ; ipsec saref = yes   ; For SAref + MAST only
>                  ; debug tunnel = yes
>
>                  [lns default]
>                  ip range = 192.168.1.101-192.168.1.110
>                  local ip = 192.168.1.100
>                  assign ip = yes
>                  require chap = yes
>                  refuse pap = yes
>                  require authentication = yes
>                  name = OpenswanVPN
>                  ppp debug = yes
>                  pppoptfile = /etc/ppp/options.xl2tpd
>                  length bit = yes
>
>                  /etc/ppp/options.xl2tpd
>                  --------------------------------
>                  ipcp-accept-local
>                  ipcp-accept-remote
>                  ms-dns  192.168.1.1
>                  noccp
>                  auth
>                  crtscts
>                  idle 1800
>                  mtu 1200
>                  mru 1200
>                  nodefaultroute
>                  debug
>                  lock
>                  proxyarp
>                  connect-delay 5000
>
>                  /etc/ppp/chap-secrets:
>                  --------------------------------
>                  greg * "thesecret" *
>
>                  /etc/sysctl.conf
>                  ----------------------
>                  net.ipv4.ip_forward = 1
>                  net.ipv4.conf.default.rp_filter = 0
>                  net.ipv4.conf.default.accept_source_route = 0
>                  net.ipv4.conf.all.send_redirects = 0
>                  net.ipv4.conf.default.send_redirects = 0
>                  net.ipv4.icmp_ignore_bogus_error_responses = 1
>
>                  ipsec verify
>                  -----------------
>                  Version check and ipsec on-path [OK]
>                  Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
>                  Checking for IPsec support in kernel [OK]
>                  NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
>
>                    Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>                    or NETKEY will cause the sending of bogus ICMP redirects!
>
>                  NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
>
>                    Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>                    or NETKEY will accept bogus ICMP redirects!
>
>                  Checking that pluto is running [OK]
>                  Pluto listening for IKE on udp 500 [OK]
>                  Pluto listening for NAT-T on udp 4500 [OK]
>                  Two or more interfaces found, checking IP forwarding [FAILED]
>                  Checking for 'ip' command [OK]
>                  Checking for 'iptables' command [OK]
>                  Opportunistic Encryption Support [DISABLED]
>
>                  WAN-router configurations
>                  --------------------------------------
>                  I've configured the router to forward ports 500, 1701, and 4500 to 192.168.1.2.
>
>                  ---------------------------------- IMPLEMENTATION ----------------------------------
>
>                  Thanks guys.
>
>                  Have a great day,
>                  //Chris
>                  _______________________________________________
>                  Users at lists.openswan.org
>                  https://lists.openswan.org/mailman/listinfo/users
>                  Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>                  Building and Integrating Virtual Private Networks with Openswan:
>                  http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
>              Regards
>
>              Dan.
>
>
>
>
>         --
>         Christo Romberg
>
>
>
>
>     --
>     Best Regards,
>     Elison Niven
>
>
>
>
> --
> Christo Romberg
>
>
>
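The pluto log quoted in the thread shows IKE phase 1 and phase 2 completing and the client sending Delete SA about twenty seconds later, which is why Elison asks for the xl2tpd and pppd logs. As an added example (not from the thread or from the Openswan project), here is a small Python checker that reads such pluto lines and reports which layer to look at next; it assumes syslog year 2012 and runs over a constructed sample rebuilt from the quoted log.

```python
import re
from datetime import datetime

# Constructed sample: pluto lines quoted above, with the mail client's wrapping removed.
SAMPLE_LOG = """\
Dec  3 20:57:52 debian pluto[1999]: packet from 91.150.29.228:500: received Vendor ID payload [RFC 3947] method set to=109
Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: responding to Main Mode from unknown peer 91.150.29.228
Dec  3 20:57:52 debian pluto[1999]: "PSK"[1] 91.150.29.228 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Dec  3 20:57:52 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec  3 20:57:53 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: responding to Quick Mode proposal {msgid:ac920da3}
Dec  3 20:57:54 debian pluto[1999]: "PSK"[2] 91.150.29.228 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x07ec4aca <0x04e10fd0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=91.150.29.228:4500 DPD=enabled}
Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA(0x07ec4aca) payload: deleting IPSEC State #2
Dec  3 20:58:14 debian pluto[1999]: "PSK"[2] 91.150.29.228 #1: received Delete SA payload: deleting ISAKMP State #1
"""

# Syslog timestamp, host, pluto[pid], then either "conn"[n] peer #sa: or packet from ip:port:, then the message.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): '
    r'|packet from (?P<src>[\d.]+):\d+: )(?P<msg>.*)$')

# Milestones a working L2TP/IPsec client passes, in order.
MILESTONES = {
    "isakmp_sa": "ISAKMP SA established",  # IKE phase 1 done, PSK accepted
    "ipsec_sa": "IPsec SA established",    # phase 2 done, ESP SA installed
    "peer_delete": "received Delete SA",   # client gave up and tore it down
}


def parse_line(line, year=2012):
    """Split one pluto syslog line into fields (None if it is not one).
    Syslog carries no year, so the caller supplies it; 2012 is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d " % year + " ".join(m.group("ts").split()),
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "conn": m.group("conn"), "sa": m.group("sa"),
            "peer": m.group("peer") or m.group("src"), "msg": m.group("msg")}


def summarize(log_text, year=2012):
    """Which milestones were reached, and how long the tunnel lived."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    reached = {}
    for e in events:
        for key, marker in MILESTONES.items():
            if marker in e["msg"]:
                reached.setdefault(key, e["ts"])  # keep the first occurrence
    summary = {
        "nat_t": any("NAT-Traversal" in e["msg"] for e in events),
        "reached": sorted(reached),
        "seconds_to_teardown": None,
    }
    if "ipsec_sa" in reached and "peer_delete" in reached:
        delta = reached["peer_delete"] - reached["ipsec_sa"]
        summary["seconds_to_teardown"] = delta.total_seconds()
    return summary


def verdict(summary):
    """Name the layer that failed, so the right log gets read next."""
    if "isakmp_sa" not in summary["reached"]:
        return "IKE phase 1 failed: check PSK, proposals and UDP 500/4500 forwarding"
    if "ipsec_sa" not in summary["reached"]:
        return "IKE phase 2 failed: check type= and left/rightprotoport selectors"
    if summary["seconds_to_teardown"] is not None:
        return ("IPsec established; peer deleted it after %.0f s, so the failure is "
                "above IPsec: check xl2tpd and pppd logs and UDP 1701 on listen-addr"
                % summary["seconds_to_teardown"])
    return "IPsec established and still up"
```

Run it as `summarize(open("/var/log/auth.log").read())` followed by `verdict(...)` on the server; on the sample it reports the tunnel up for 20 s before the client deleted it.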


