[Openswan Users] iOS devices not always be dedected and NATted. (Neville)
Walter Robert Ditzler
ditwal001 at gmail.com
Mon Jan 14 12:12:49 EST 2013
hi,
my config works on debian wheezy, with 3.7.1 kernel. configs below,
walter.
/etc/ipsec.conf
***
version 2.0
config setup
interfaces="%defaultroute"
nat_traversal=yes
dumpdir=/var/run/pluto/
oe=off
protostack=netkey
uniqueids=yes
conn ABO_MOBILE
authby=secret
pfs=no
rekey=no
keyingtries=3
dpddelay=30
dpdtimeout=60
dpdaction=clear
compress=yes
left=%defaultroute
leftprotoport=udp/1701
right=%any
rightprotoport=udp/0
auto=add
aggrmode=no
ike=3des-md5;modp1024
esp=3des-md5;modp1024
***
/etc/ppp/options.l2tp
***
ipcp-accept-local
ipcp-accept-remote
ms-dns x.x.x.1
ms-dns x.x.x.2
noccp
name vpn
auth
crtscts
idle 1800
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
plugin pppol2tp.so
require-mschap-v2
***
/etc/ppp/chap-secrets
***
[abc] vpn "SECRET" 10.x.x.71
vpn [abc] "SECRET" 10.x.x.71
***
/etc/xl2tpd/xl2tpd.conf
***
[global]
access control = no
rand source = dev
[lns default]
ip range = 10.x.x.71-10.x.x.254
local ip = 10.x.x.1
require chap = yes
refuse pap = no
require authentication = yes
name = linuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tp
length bit = yes
***
iptables
***
IFW=eth0 #internal
IFL=eth1 #world
IPT=/sbin/iptables
if [ -z "`lsmod|grep iptable_nat`" ]; then
modprobe iptable_nat;
fi
if [ -z "`lsmod|grep ip_conntrack`" ]; then
modprobe ip_conntrack;
fi
if [ -z "`lsmod|grep ip_conntrack_ftp`" ]; then
modprobe ip_conntrack_ftp;
fi
if [ -z "`lsmod|grep ip_conntrack_irc`" ]; then
modprobe ip_conntrack_irc;
fi
if [ -z "`lsmod|grep ip_nat_ftp`" ]; then
modprobe ip_nat_ftp;
fi
#if [ -z "`lsmod|grep ip_nat_irc`" ]; then
# modprobe ip_nat_irc;
#fi
if [ -z "`lsmod|grep ipt_MASQUERADE`" ]; then
modprobe ipt_MASQUERADE;
fi
# SET ALL TO DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# FLUSH ALL CHAINS
$IPT -F
$IPT -X
for table in filter nat mangle; do
$IPT -t $table -F
$IPT -t $table -X
$IPT -t $table -Z
done
# LO IN/OUT ALL
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done
$IPT -A FORWARD -i $IFW -o $IFL -m state --state ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $IFL -o $IFW -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $IFL -o $IFL -j ACCEPT
$IPT -t nat -A POSTROUTING -o $IFW -j MASQUERADE
$IPT -A INPUT -i ppp+ -j ACCEPT
$IPT -A OUTPUT -o ppp+ -j ACCEPT
$IPT -A INPUT -i $IFW -p udp --dport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $IFW -p udp --sport 500 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $IFW -p udp --dport 1701 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $IFW -p udp --sport 1701 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $IFW -p udp --dport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $IFW -p udp --sport 4500 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $IFW -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $IFW -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $IFW -p tcp --dport 1723 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $IFW -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $IFW -p 47 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $IFW -p 47 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $IFW -p 50 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $IFW -p 50 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $IFW -p 51 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $IFW -p 51 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $IFL -o ppp+ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $IFW -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ppp+ -o $IFL -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i ppp+ -o $IFW -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
***
-----Original Message-----
From: users-bounces at lists.openswan.org
[mailto:users-bounces at lists.openswan.org] On Behalf Of Neville
Sent: Monday, 14 January 2013 13:48
To: users at lists.openswan.org
Subject: Re: [Openswan Users] iOS devices not always be dedected and NATted.
(Neville)
Hi, can anyone help with this, as it's not only iOS devices but also Windows
devices. On the first connection attempt it picks up the client's external IP as the
NAT'd IP address, which is not correct; then eventually, after 2-3 attempts
at connecting, it works.
Thx
Neville
Hi,
All of a sudden, from today, without any changes being made to the server, iPhones
and iPads have failed to connect to IPsec, and it seems a temporary, hit-or-miss
issue.
The issue seems to be with devices which are NATed as we've started to see
the following messages in the logs...
"L2TP-PSK-NAT"[40] 46.A.B.C #58: responding to Main Mode from unknown peer 46.A.B.C
Nov 8 21:39:26 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 8 21:39:26 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Nov 8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 46.A.B.C #58: new NAT mapping for #58, was 46.A.B.C:500, now 192.168.1.101:500
Nov 8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 8 21:39:30 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: discarding duplicate packet; already STATE_MAIN_R2
Nov 8 21:39:48 vpn3 last message repeated 3 times
Nov 8 21:40:37 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: max number of retransmissions (2) reached STATE_MAIN_R2
46.A.B.C is the customer's gateway address, 192.168.1.101 is their NATed
IP address and 91.A.B.C is the server's IP address.
/etc/ipsec.conf
config setup
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
nhelpers=0
include /etc/ipsec.d/*.conf
/etc/ipsec.d/l2tp-psk-nat.conf
conn L2TP-PSK-NAT
rightsubnet=vhost:%no,%priv
also=L2TP-PSK-noNAT-vpn2
conn L2TP-PSK-noNAT-vpn2
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
dpdaction=clear
dpdtimeout=120
dpddelay=3
type=transport
left=%defaultroute
leftnexthop=91.A.B.C (servers IP Address)
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
conn passthrough-for-non-l2tp
type=passthrough
left=%defaultroute
leftnexthop=91.A.B.C (servers IP Address)
right=0.0.0.0
rightsubnet=0.0.0.0/0
auto=route
/etc/xl2tpd/xl2tpd.conf
[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; forceuserspace = yes
;
; debug tunnel = yes
[lns default]
ip range = 10.200.11.2-10.200.11.254
local ip = 10.200.10.1
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = no
name = OpenVPN-VPN3
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 8.8.8.8
ms-dns 8.8.4.4
10.200.10.1:
noccp
auth
crtscts
idle 600
mtu 1410
mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
idle 600
plugin radius.so
plugin radattr.so
/etc/pptpd.conf
ppp /usr/sbin/pppd
option /etc/ppp/options.pptpd
delegate
localip 10.200.10.1
Here is the output of ipsec verify. Please note that although this is on
2.6.33 of Openswan, I'm getting exactly the same on 2.6.38 with the same
configuration on a different server.
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.33/K2.6.18-164.15.1.el5 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
/etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
# -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 3389 --state NEW -j ACCEPT
# PPP Port
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A RH-Firewall-1-INPUT -p gre -j ACCEPT
# ipsec
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 500 -j ACCEPT
# ntop
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
# Accept response to DNS queries
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1701 -j ACCEPT
# Radius
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 1812:1814 -j ACCEPT
-A RH-Firewall-1-INPUT -s 193.33.186.190 -j ACCEPT
# mySQL
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 3799 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1700 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
# Munin Host
-A INPUT -j RH-Firewall-1-INPUT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# PPP NAT Translation
-A POSTROUTING -s 10.200.10.0/24 -o eth0 -j SNAT --to-source 91.A.B.C
COMMIT
# Completed
Any ideas would be greatly received.
Thx
Nev
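The pluto excerpt in Neville's post is the kind of sequence worth flagging automatically rather than spotting by eye. As an added example (not from the thread and not part of the Openswan project), the Python script below groups pluto messages by ISAKMP SA number and reports SAs whose NAT-Traversal result was "no NAT detected" but whose peer address was then remapped from a public to an RFC 1918 address, which is exactly the sequence that precedes the retransmission failure in the log. The sample lines are constructed from the quoted messages, with documentation-range addresses (203.0.113.7, 198.51.100.9) in place of 46.A.B.C; SA #59 is a constructed contrast case for a client whose NAT was detected. Only the three RFC 1918 ranges (the same ones listed in `virtual_private`) count as private, so the documentation addresses used as placeholders are not misclassified.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample built from the pluto messages quoted in the thread. The
# customer's public address is replaced by documentation-range placeholders, and
# SA #59 is a constructed contrast case for a client whose NAT was detected.
SAMPLE_LOG = """\
Nov 8 21:39:26 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 203.0.113.7 #58: responding to Main Mode from unknown peer 203.0.113.7
Nov 8 21:39:26 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 203.0.113.7 #58: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 203.0.113.7 #58: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Nov 8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 203.0.113.7 #58: new NAT mapping for #58, was 203.0.113.7:500, now 192.168.1.101:500
Nov 8 21:39:27 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 8 21:39:30 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: discarding duplicate packet; already STATE_MAIN_R2
Nov 8 21:39:48 vpn3 last message repeated 3 times
Nov 8 21:40:37 vpn3 pluto[15290]: "L2TP-PSK-NAT"[40] 192.168.1.101 #58: max number of retransmissions (2) reached STATE_MAIN_R2
Nov 8 21:41:02 vpn3 pluto[15290]: "L2TP-PSK-NAT"[41] 198.51.100.9 #59: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Nov 8 21:41:03 vpn3 pluto[15290]: "L2TP-PSK-NAT"[41] 198.51.100.9 #59: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

# Only the RFC 1918 ranges (the thread's virtual_private list) count as private;
# Python's is_private would also flag the documentation ranges used above.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# conn name, peer address and SA number as pluto prints them: "CONN"[N] PEER #SA: msg
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
REMAP_RE = re.compile(r"new NAT mapping for #\d+, was (?P<old>[\d.]+):\d+, now (?P<new>[\d.]+):\d+")


def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


def parse_sessions(log_text):
    """Group pluto messages by ISAKMP SA number and extract the NAT-related facts."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # e.g. "last message repeated N times"
        sa = int(m.group("sa"))
        s = sessions.setdefault(sa, {
            "conn": m.group("conn"), "first_peer": m.group("peer"),
            "nat_result": None, "remap": None, "gave_up": False, "established": False,
        })
        msg = m.group("msg")
        if msg.startswith("NAT-Traversal: Result"):
            s["nat_result"] = msg.split(": ")[-1]   # "no NAT detected" / "peer is NATed"
        r = REMAP_RE.search(msg)
        if r:
            s["remap"] = (r.group("old"), r.group("new"))
        if "max number of retransmissions" in msg:
            s["gave_up"] = True
        if "ISAKMP SA established" in msg:
            s["established"] = True
    return sessions


def findings(log_text):
    """One line per SA whose peer was remapped to an RFC 1918 address after NAT-T
    had reported no NAT: later packets for that SA go to the private address."""
    out = []
    for sa, s in sorted(parse_sessions(log_text).items()):
        if not s["remap"]:
            continue
        old, new = s["remap"]
        if is_rfc1918(new) and not is_rfc1918(old):
            text = (f"#{sa} {s['conn']}: peer {old} remapped to RFC 1918 address {new} "
                    f"after NAT-T result '{s['nat_result']}'; later messages for this SA "
                    f"were addressed to {new}")
            if s["gave_up"]:
                text += ", IKE retransmissions exhausted"
            out.append(text)
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Feeding the real `/var/log/secure` (or wherever pluto logs) through `findings()` gives a per-SA list that separates clients whose NAT was detected and established normally (SA #59 in the sample) from the stalled ones, which is the first thing to correlate against the client type and the NAT device in front of it.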
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155