[Openswan Users] iOS devices not always being detected and NATted

Nev nev at itsnev.co.uk
Wed Nov 14 02:19:25 EST 2012


Hi Leto,

This happens at the first phase even before IPSec passes the connection to xl2tpd for processing as can be seen in the log. IPSec does not see the device as NATted. 

Any other ideas?

Thx
Nev

On 14 Nov 2012, at 04:54, Leto <letoams at gmail.com> wrote:

> configure xl2tpd to listen to 1 address. 
> 
> On the road...
> 
> On 2012-11-13, at 18:46, "Neville" <nev at itsnev.co.uk> wrote:
> 
>> Anyone? This is driving me nuts.
>> 
>> Thx
>> Neville
>> 
>> -----Original Message-----
>> From: Neville [mailto:nev at itsnev.co.uk] 
>> Sent: 10 November 2012 1:17 PM
>> To: 'users at lists.openswan.org'
>> Subject: RE: iOS devices not always being detected and NATted. (Neville)
>> 
>> Any ideas, anyone, or is this a result of the recent iOS upgrade (6.0, 6.1)?
>> 
>> (Also corrected some of my bad English below)
>> 
>> Thx
>> Nev
>> 
>> 
>> Hi,
>> 
>> All of a sudden, from today without any changes being made to the server,
>> all iPhones and iPads have started to fail to connect via IPSEC. 
>> 
>> The issue seems to be happening only with devices which are NATed, as we've
>> started to see the following messages in the logs:
>> 
>> "L2TP-PSK-NAT"[40] 46.A.B.C #58: responding to Main Mode from unknown peer 46.A.B.C
>> Nov  8 21:39:26 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> Nov  8 21:39:26 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: STATE_MAIN_R1: sent MR1, expecting MI2
>> Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
>> Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: new NAT mapping for #58, was 46.A.B.C:500, now 192.168.1.101:500
>> Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: STATE_MAIN_R2: sent MR2, expecting MI3
>> Nov  8 21:39:30 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: discarding duplicate packet; already STATE_MAIN_R2
>> Nov  8 21:39:48 vpn3 last message repeated 3 times
>> Nov  8 21:40:37 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: max number of retransmissions (2) reached STATE_MAIN_R2
>> 
>> 46.A.B.C is the customer's gateway address, 192.168.1.101 is their NATed
>> IP address, and 91.A.B.C is the server's IP address.
>> 
>> /etc/ipsec.conf
>> config setup
>>       protostack=netkey
>>       nat_traversal=yes
>>       virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>       oe=off
>>       nhelpers=0
>> include /etc/ipsec.d/*.conf
>> 
>> /etc/ipsec.d/l2tp-psk-nat.conf
>> 
>> conn L2TP-PSK-NAT
>>       rightsubnet=vhost:%no,%priv
>>       also=L2TP-PSK-noNAT-vpn2
>> 
>> conn L2TP-PSK-noNAT-vpn2
>>       authby=secret
>>       pfs=no
>>       auto=add
>>       keyingtries=3
>>       rekey=no
>>       ikelifetime=8h
>>       keylife=1h
>>       dpdaction=clear
>>       dpdtimeout=120
>>       dpddelay=3
>>       type=transport
>>       left=%defaultroute
>>       leftnexthop=91.A.B.C  (server's IP address)
>>       leftprotoport=17/1701
>>       right=%any
>>       rightprotoport=17/%any
>> 
>> conn passthrough-for-non-l2tp
>>       type=passthrough
>>       left=%defaultroute
>>       leftnexthop=91.A.B.C  (server's IP address)
>>       right=0.0.0.0
>>       rightsubnet=0.0.0.0/0
>>       auto=route
>> 
>> 
>> /etc/xl2tpd/xl2tpd.conf
>> 
>> [global]
>> ; listen-addr = 192.168.1.98
>> ;
>> ; requires openswan-2.5.18 or higher - Also does not yet work in combination
>> ; with kernel mode l2tp as present in linux 2.6.23+
>> ; ipsec saref = yes
>> ; forceuserspace = yes
>> ;
>> ; debug tunnel = yes
>> 
>> [lns default]
>> ip range = 10.200.11.2-10.200.11.254
>> local ip = 10.200.10.1
>> assign ip = yes
>> require chap = yes
>> refuse pap = yes
>> require authentication = no
>> name = OpenVPN-VPN3
>> ppp debug = yes
>> pppoptfile = /etc/ppp/options.xl2tpd
>> length bit = yes
>> 
>> 
>> /etc/ppp/options.xl2tpd
>> 
>> ipcp-accept-local
>> ipcp-accept-remote
>> ms-dns 8.8.8.8
>> ms-dns 8.8.4.4
>> 10.200.10.1:
>> noccp
>> auth
>> crtscts
>> idle 600
>> mtu 1410
>> mru 1410
>> nodefaultroute
>> debug
>> lock
>> proxyarp
>> connect-delay 5000
>> idle 600
>> plugin radius.so
>> plugin radattr.so
>> 
>> /etc/pptpd.conf
>> 
>> ppp /usr/sbin/pppd
>> option /etc/ppp/options.pptpd
>> delegate
>> localip 10.200.10.1
>> 
>> 
>> 
>> Here is the output of ipsec verify.  Please note that although this is on
>> Openswan 2.6.33, I'm getting exactly the same on 2.6.38 with the same
>> configuration on a different server.
>> 
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path                                 [OK]
>> Linux Openswan U2.6.33/K2.6.18-164.15.1.el5 (netkey)
>> Checking for IPsec support in kernel                            [OK]
>> SAref kernel support                                           [N/A]
>> NETKEY:  Testing XFRM related proc values                      [OK]
>>       [OK]
>>       [OK]
>> Checking that pluto is running                                  [OK]
>> Pluto listening for IKE on udp 500                             [OK]
>> Pluto listening for NAT-T on udp 4500                          [OK]
>> Two or more interfaces found, checking IP forwarding            [OK]
>> Checking NAT and MASQUERADEing                              
>> Checking for 'ip' command                                       [OK]
>> Checking /bin/sh is not /bin/dash                               [OK]
>> Checking for 'iptables' command                                 [OK]
>> Opportunistic Encryption Support                                [DISABLED]
>> 
>> 
>> /etc/sysconfig/iptables
>> 
>> # Firewall configuration written by system-config-securitylevel
>> # Manual customization of this file is not recommended.
>> *filter
>> :FORWARD ACCEPT [0:0]
>> :INPUT ACCEPT [0:0]
>> :RH-Firewall-1-INPUT - [0:0]
>> :OUTPUT ACCEPT [0:0]
>> # -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 3389 --state NEW -j ACCEPT
>> # PPP Port
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p gre -j ACCEPT
>> # ipsec
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 4500 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 500 -j ACCEPT
>> # ntop
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
>> # Accept response to DNS queries
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 1701 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1701 -j ACCEPT
>> # Radius
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1812:1814 -j ACCEPT
>> -A RH-Firewall-1-INPUT -s 193.33.186.190 -j ACCEPT
>> # mySQL
>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 3799 -j ACCEPT
>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 1700 -j ACCEPT
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> # Munin Host
>> -A INPUT -j RH-Firewall-1-INPUT
>> COMMIT
>> # Generated by webmin
>> *mangle
>> :FORWARD ACCEPT [0:0]
>> :INPUT ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> COMMIT
>> # Completed
>> # Generated by webmin
>> *nat
>> :OUTPUT ACCEPT [0:0]
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> # PPP NAT Translation
>> -A POSTROUTING -s 10.200.10.0/24 -o eth0 -j SNAT --to-source 91.A.B.C
>> COMMIT
>> # Completed
>> 
>> Any ideas would be greatly received.
>> 
>> Thx
>> Nev
>> 
>> _______________________________________________
>> Users mailing list
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users


More information about the Users mailing list
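As an added triage aid, not part of the thread, here is a Python script that parses pluto log lines like the ones quoted above and flags, per IKE SA, the inconsistency under discussion: a NAT-T verdict of "no NAT detected" followed by a peer re-mapping to a private address, ending in a retransmission timeout. The regular expressions are written against the message formats visible in the quoted log only.

```python
import ipaddress
import re
from collections import defaultdict

# Sample pluto lines taken from the quoted post above (46.A.B.C is the poster's
# own placeholder for the customer's gateway; 192.168.1.101 is the NATed client).
SAMPLE_LOG = """\
Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Nov  8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: new NAT mapping for #58, was 46.A.B.C:500, now 192.168.1.101:500
Nov  8 21:39:48 vpn3 last message repeated 3 times
Nov  8 21:40:37 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: max number of retransmissions (2) reached STATE_MAIN_R2
"""

# pluto prefixes each message with conn name, instance, current peer and SA number.
PREFIX = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
NATT = re.compile(r"NAT-Traversal: Result using .+?: (?P<result>.*)")
MAPPING = re.compile(r"new NAT mapping for #\d+, was (?P<old>\S+), now (?P<new>\S+)")
TIMEOUT = re.compile(r"max number of retransmissions \(\d+\) reached (?P<state>\S+)")


def analyze(log_text):
    """Per IKE SA: NAT-T verdict, peer re-mappings, timeout state and triage findings."""
    sas = defaultdict(lambda: {"conn": None, "natt": None, "mappings": [],
                               "timeout": None, "findings": []})
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue  # e.g. "last message repeated 3 times" carries no SA prefix
        sa, msg = sas[m["sa"]], m["msg"]
        sa["conn"] = m["conn"]
        if r := NATT.search(msg):
            sa["natt"] = r["result"]
        elif r := MAPPING.search(msg):
            sa["mappings"].append((r["old"], r["new"]))
        elif r := TIMEOUT.search(msg):
            sa["timeout"] = r["state"]
    for sa in sas.values():
        # The symptom in the thread: NAT-T says "no NAT" yet the peer address is
        # re-mapped mid-exchange, and to a private (RFC 1918) address at that.
        if sa["natt"] and "no NAT" in sa["natt"] and sa["mappings"]:
            sa["findings"].append("nat-verdict-contradicts-mapping")
        for _, new in sa["mappings"]:
            try:
                if ipaddress.ip_address(new.rsplit(":", 1)[0]).is_private:
                    sa["findings"].append("mapped-to-private-address")
            except ValueError:  # unparseable placeholder such as 46.A.B.C
                pass
        if sa["timeout"]:
            sa["findings"].append("stalled-in-" + sa["timeout"])
    return dict(sas)
```

Run it against a real /var/log/secure (or wherever pluto logs) to list the SAs whose NAT-T verdict and address mapping disagree, rather than reading the exchange by hand.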