[Openswan Users] iOS devices not always being detected and NATted.

Neville nev at itsnev.co.uk
Thu Nov 8 16:54:14 EST 2012


Hi,

All of a sudden, from today, without any changes being made to the server, iPhones
and iPads have failed to connect to IPsec, and it seems to be a temporary, hit-or-miss
issue.

The issue seems to be with devices which are NATed, as we've started to see
the following messages in the logs...

"L2TP-PSK-NAT"[40] 46.A.B.C #58: responding to Main Mode from unknown peer 46.A.B.C
Nov  8 21:39:26 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  8 21:39:26 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: new NAT mapping for #58, was 46.A.B.C:500, now 192.168.1.101:500
Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  8 21:39:30 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: discarding duplicate packet; already STATE_MAIN_R2
Nov  8 21:39:48 vpn3 last message repeated 3 times
Nov  8 21:40:37 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: max number of retransmissions (2) reached STATE_MAIN_R2

46.A.B.C is the customer's gateway address, 192.168.1.101 is their NATed
IP address and 91.A.B.C is the server's IP address.

/etc/ipsec.conf
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        nhelpers=0
include /etc/ipsec.d/*.conf

/etc/ipsec.d/l2tp-psk-nat.conf

conn L2TP-PSK-NAT
        rightsubnet=vhost:%no,%priv
        also=L2TP-PSK-noNAT-vpn2

conn L2TP-PSK-noNAT-vpn2
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        dpdaction=clear
        dpdtimeout=120
        dpddelay=3
        type=transport
        left=%defaultroute
        leftnexthop=91.A.B.C   # server's IP address
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

conn passthrough-for-non-l2tp
        type=passthrough
        left=%defaultroute
        leftnexthop=91.A.B.C   # server's IP address
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route


/etc/xl2tpd/xl2tpd.conf

[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; forceuserspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 10.200.11.2-10.200.11.254
local ip = 10.200.10.1
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = no
name = OpenVPN-VPN3
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


/etc/ppp/options.xl2tpd

ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
10.200.10.1:
noccp
auth
crtscts
idle 600
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
idle 600
plugin radius.so
plugin radattr.so

/etc/pptpd.conf

ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
delegate
localip 10.200.10.1



Here is the output of ipsec verify.  Please note that although this is on
Openswan 2.6.33, I'm getting exactly the same on 2.6.38 with the same
configuration on a different server.

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.33/K2.6.18-164.15.1.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                              
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


/etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
# -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 3389 --state NEW -j ACCEPT
# PPP Port
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -p gre -j ACCEPT
# ipsec
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 500 -j ACCEPT
# ntop
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
# Accept response to DNS queries
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1701 -j ACCEPT
# Radius
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1812:1814 -j ACCEPT
-A RH-Firewall-1-INPUT -s 193.33.186.190 -j ACCEPT
# mySQL
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 3799 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1700 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
# Munin Host
-A INPUT -j RH-Firewall-1-INPUT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PPP NAT Translation
-A POSTROUTING -s 10.200.10.0/24 -o eth0 -j SNAT --to-source 91.A.B.C
COMMIT
# Completed

Any ideas would be greatly received.

Thx
Nev
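The pluto lines quoted above carry the whole story of SA #58 in three events: a NAT-D verdict of "no NAT detected", a "new NAT mapping" that moves the peer from the public gateway address to a private 192.168.x address, and a retransmission limit hit in STATE_MAIN_R2. Reading that by eye across a busy syslog is error-prone, so here is an added triage script (not from the post or from Openswan) that groups pluto messages per ISAKMP SA, records the NAT-T result, the mapping change and the failing state, and flags the combination seen here. The sample input is the post's own log, with the anonymised 46.A.B.C kept as-is; the regexes are written against the message formats visible in the post and nothing else.

```python
import ipaddress
import re
from collections import OrderedDict

# Pluto log lines as quoted in the post (addresses anonymised there as 46.A.B.C).
SAMPLE_LOG = """\
"L2TP-PSK-NAT"[40] 46.A.B.C #58: responding to Main Mode from unknown peer 46.A.B.C
Nov  8 21:39:26 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  8 21:39:26 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: new NAT mapping for #58, was 46.A.B.C:500, now 192.168.1.101:500
Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  8 21:39:30 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: discarding duplicate packet; already STATE_MAIN_R2
Nov  8 21:39:48 vpn3 last message repeated 3 times
Nov  8 21:40:37 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: max number of retransmissions (2) reached STATE_MAIN_R2
"""

# "conn"[instance] peer #sa: message   (the syslog prefix, if present, is ignored)
LINE_RE = re.compile(r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
NAT_RESULT_RE = re.compile(r'NAT-Traversal: Result using (?P<method>.+?): (?P<result>.+)$')
NAT_MAP_RE = re.compile(r'new NAT mapping for #\d+, was (?P<old>\S+), now (?P<new>\S+)$')
TRANSITION_RE = re.compile(r'transition from state (?P<src>\S+) to state (?P<dst>\S+)$')
RETRANS_RE = re.compile(r'max number of retransmissions \((?P<n>\d+)\) reached (?P<state>\S+)$')


def parse_line(line):
    """Return the conn/instance/peer/SA/message fields of one pluto line, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def is_private(addr_port):
    """True if the host part of 'a.b.c.d:port' is a private (RFC 1918 etc.) address."""
    host = addr_port.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # anonymised addresses such as 46.A.B.C cannot be classified


def triage(log_text):
    """Group pluto messages by ISAKMP SA number and extract the NAT-T relevant events."""
    sas = OrderedDict()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        sa = sas.setdefault(rec["sa"], {
            "conn": rec["conn"], "peers": [], "states": [],
            "nat_result": None, "nat_mapping": None, "retrans_failed_at": None,
        })
        if rec["peer"] not in sa["peers"]:
            sa["peers"].append(rec["peer"])       # every address this SA was tied to, in order
        msg = rec["msg"]
        m = TRANSITION_RE.search(msg)
        if m:
            sa["states"].append(m["dst"])
            continue
        m = NAT_RESULT_RE.search(msg)
        if m:
            sa["nat_result"] = m["result"]
            continue
        m = NAT_MAP_RE.search(msg)
        if m:
            sa["nat_mapping"] = (m["old"], m["new"])
            continue
        m = RETRANS_RE.search(msg)
        if m:
            sa["retrans_failed_at"] = m["state"]
    return sas


def findings(sa):
    """Human-readable observations for one SA record produced by triage()."""
    out = []
    nat = sa["nat_result"] or ""
    mapping = sa["nat_mapping"]
    if mapping and "no NAT detected" in nat:
        out.append(f"NAT-D verdict was '{nat}' yet the peer address moved from "
                   f"{mapping[0]} to {mapping[1]}: the hash comparison and the observed "
                   f"source address disagree")
    if mapping and is_private(mapping[1]):
        out.append(f"peer is now addressed as {mapping[1]}, a private address; pluto sends "
                   f"its next message there instead of to {mapping[0]}")
    if sa["retrans_failed_at"]:
        out.append(f"exchange died in {sa['retrans_failed_at']} after the retransmit limit; "
                   f"the message pluto was expecting never arrived")
    return out


if __name__ == "__main__":
    for num, sa in triage(SAMPLE_LOG).items():
        print(f"SA #{num} ({sa['conn']}) peers={sa['peers']} states={sa['states']}")
        for f in findings(sa):
            print("  -", f)
```

Run against a full /var/log/secure the script lists, per SA, the sequence of peer addresses and the states reached, so a NAT-D verdict that contradicts a later mapping change stands out without scrolling through every "discarding duplicate packet" line.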

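The "NAT-Traversal: Result ... no NAT detected" line is pluto's verdict from comparing NAT-D payload hashes, and it matters because when neither side detects a NAT the exchange stays on UDP 500 and ESP is not UDP-encapsulated, which is the opposite of what a phone behind the customer's gateway needs. The following is an added worked example of that comparison, not code from the post or from Openswan: it builds NAT-D payloads the way RFC 3947 section 3.2 lays them out (HASH over CKY-I, CKY-R, 4-byte IP and 2-byte port; first the hash of the address being sent to, then the sender's own address) and runs the receiver-side check for a client behind NAT and for one on a public address. The cookies are made up, and RFC 5737 documentation addresses stand in for the anonymised 46.A.B.C and 91.A.B.C; SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import socket
import struct


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload body per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).
    IP is 4 bytes and Port 2 bytes, both network order; the hash is the one
    negotiated for the ISAKMP SA (SHA-1 assumed here)."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, remote, local_addrs):
    """What a sender puts in MI2/MR2: first the hash of the address it is sending TO,
    then one hash per address it believes it is sending FROM."""
    payloads = [nat_d_hash(cky_i, cky_r, *remote)]
    payloads += [nat_d_hash(cky_i, cky_r, *addr) for addr in local_addrs]
    return payloads


def check_nat(cky_i, cky_r, payloads, observed_src, my_addr):
    """Receiver side of the check. Returns (peer_behind_nat, self_behind_nat)."""
    their_view_of_me, *their_sources = payloads
    # If the peer hashed an address for me that is not the one I own, I am behind NAT.
    self_behind_nat = their_view_of_me != nat_d_hash(cky_i, cky_r, *my_addr)
    # If the UDP source I actually saw matches none of the peer's own-address hashes,
    # something rewrote the packet on the way: the peer is behind NAT.
    peer_behind_nat = nat_d_hash(cky_i, cky_r, *observed_src) not in their_sources
    return peer_behind_nat, self_behind_nat


# Constructed cookies and documentation addresses (not the post's real values).
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")
SERVER = ("198.51.100.10", 500)         # responder (pluto), stands in for 91.A.B.C
PHONE_PRIVATE = ("192.168.1.101", 500)  # the phone's own address on the customer LAN
CUSTOMER_GW = ("203.0.113.7", 500)      # UDP source pluto sees after the customer's NAT


def scenario_behind_nat():
    """Phone hashes the address it owns; pluto hashes the address it saw: mismatch."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, SERVER, [PHONE_PRIVATE])
    return check_nat(CKY_I, CKY_R, payloads, observed_src=CUSTOMER_GW, my_addr=SERVER)


def scenario_no_nat():
    """Client on a public address: hashes agree, pluto would log 'no NAT detected'."""
    client = ("203.0.113.7", 500)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, SERVER, [client])
    return check_nat(CKY_I, CKY_R, payloads, observed_src=client, my_addr=SERVER)


if __name__ == "__main__":
    print("phone behind NAT -> (peer_nat, self_nat) =", scenario_behind_nat())
    print("client on public -> (peer_nat, self_nat) =", scenario_no_nat())
```

The practical consequence for a log like the one above: "no NAT detected" means the initiator's own-address hash matched the source address pluto saw on UDP 500, so pluto had no reason to float the exchange to UDP 4500 or to UDP-encapsulate ESP, whatever later changed the peer mapping.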