[Openswan Users] Unreliable VPN - SCCR problem?
openswan-users at latter.org
Fri May 3 21:49:01 UTC 2013
I'll repeat my introduction from last time:
I have installed ipsec and xl2tpd on an openwrt  server .
We are currently focused on getting iOS devices connected so
that they can connect to the internet through the VPN. (I.e.
all traffic is routed).
The server is NATed behind a domestic router; in general the
client device is also NATed.
We are testing with an iPad.
After a boot or soft boot (i.e. restarting ipsec and xl2tpd)
on the server we are able to connect and reconnect a variable
number of times (between two and ten, put one way, or for an
hour or two, or even up to 24 or so, put another way), before
it starts failing, after which it will always fail.
Any help / ideas with the following will be much appreciated!
It seems to be at the point of Start-Control-Connection-Request.
I've got logging turned up to the max (AFAICT) and I have this
on a successful connection:
network_thread: recv packet from 220.127.116.11, size = 74, tunnel = 0,
call = 0 ref=0 refhim=0
get_call: allocating new tunnel for host 18.104.22.168, port 53229.
handle_avps: handling avp's for tunnel 61075, call 792
message_type_avp: message type 1 (Start-Control-Connection-Request)
protocol_version_avp: peer is using version 1, revision 0.
framing_caps_avp: supported peer frames: async sync
hostname_avp: peer reports hostname 'Ipad-3'
assigned_tunnel_avp: using peer's tunnel 3
receive_window_size_avp: peer wants RWS of 4. Will use flow control.
control_finish: message type is Start-Control-Connection-Request(1).
Tunnel is 3, call is 0.
control_finish: Peer requested tunnel 3 twice, ignoring second one.
build_fdset: closing down tunnel 61075
network_thread: recv packet from 22.214.171.124, size = 20, tunnel =
48954, call = 0 ref=0 refhim=0
handle_avps: handling avp's for tunnel 48954, call 57785
On a failed connection it's the same up until the last line,
at which we get:
network_thread: recv packet from 126.96.36.199, size = 74, tunnel = 0,
call = 0 ref=0 refhim=0
which would appear (?) to be the iPad issuing another SCCR rather than
moving on to the next stage. NB the "size = 74" rather than "size =
openwrt: 12.09 (final release, it's out of beta and release candidate)
ip - 3.3.0-1
ipsec-tools - 0.8.0-2
iptables - 1.4.10-4
iptables-mod-ipsec - 1.4.10-4
kmod-crypto-* - 3.3.8-1
kmod-ipsec - 3.3.8-1
xl2tpd - 1.3.1-1
Configuration info: NB that "ipsec auto --status" reports:
" Either virtual_private= is not specified, or there is a syntax
error in that line. 'left/rightsubnet=vhost:%priv' will not work!
Disallowed subnets in virtual_private= is empty. If you have
private address space in internal use, it should be excluded!"
but I figure that's a problem I can come back to later.
Although I would appreciate advice here. Given that the
remote device (iPad) can connect from anywhere, I cannot
predict what sort of network it will be on.
# /etc/ipsec.conf - IPsec configuration file
# basic config borrwed from AWS setup
# DL : from AWS setup
# Apple iOS doesn't send delete notify so we need dead peer
# detection to detect vanishing clients
port = 1701
auth file = /etc/xl2tpd/xl2tp-secrets
access control = no
; DL: removed ipsec saref = yes;
; DL: trying listen-addr
listen-addr = 192.168.1.100
debug network = yes
debug tunnel = yes
debug avp = yes
debug packet = yes
debug state = yes
; DL: I've tried exclusive = no
exclusive = yes
ip range = 192.168.1.202-192.168.1.220
local ip = 192.168.1.200
;hidden bit = no
length bit = yes
name = VPNServer
ppp debug = yes
require authentication = yes
;unix authentication = no
refuse chap = no
refuse pap = yes
pppoptfile = /etc/ppp/options.xl2tpd
#DL: copied from amazon AWS setup
 TPLink domestic router; mips chip, 32MB RAM.
More information about the Users