[Openswan Users] Filtered UDP ports, How to open them?
Mohsen B.Sarmadi
mohsen.bsarmadi at gmail.com
Sat Nov 23 03:46:28 UTC 2013
Dear All,
I am using an EC2 Ubuntu 12.04 LTS instance in AWS. Openswan is listening on
UDP ports, but the ports have been filtered; can you help me open them?
I have tried to write a new ufw config, but it didn't have any effect.
$ cat /etc/ufw/applications.d/openswan.common
[OpenswanL2TP]
title=L2TP
description=vpn is good thing.
ports=1701/udp
[Openswannat-t-ike]
title=Openswan nat-t-ike
description=Openswannat-t-ike
ports=4500/udp
[Openswanisakmp]
title=Openswanisakmp
description=Openswanisakmp
ports=500/udp
$ sudo nmap -sU localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2013-11-23 03:26 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Hostname localhost resolves to 2 IPs. Only scanned 127.0.0.1
Not shown: 996 closed ports
PORT STATE SERVICE
68/udp open|filtered dhcpc
500/udp open isakmp
1701/udp open|filtered L2TP
4500/udp open|filtered nat-t-ike
According to this (https://help.ubuntu.com/community/L2TPServer), I created a
new init job.
$ cat /etc/init.d/ipsec.vpn
#!/bin/sh
# Wrapper that sets up NAT and forwarding for the L2TP address pool before
# starting Openswan and xl2tpd, and tears them down again on stop.

LAN=10.152.2.0/24
EXTIF=eth0

add_nat() {
    # -C checks for the rule first, so a restart does not stack duplicate rules
    iptables -t nat -C POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
}

del_nat() {
    # remove only our rule instead of flushing the whole nat table
    iptables -t nat -D POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE 2>/dev/null || true
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # a VPN gateway must neither honour nor emit ICMP redirects
    for each in /proc/sys/net/ipv4/conf/*; do
        echo 0 > "$each/accept_redirects"
        echo 0 > "$each/send_redirects"
    done
}

case "$1" in
start)
    echo "Starting my Ipsec VPN"
    add_nat
    enable_forwarding
    /etc/init.d/ipsec start
    /etc/init.d/xl2tpd start
    ;;
stop)
    echo "Stopping my Ipsec VPN"
    del_nat
    echo 0 > /proc/sys/net/ipv4/ip_forward
    /etc/init.d/ipsec stop
    /etc/init.d/xl2tpd stop
    ;;
restart)
    echo "Restarting my Ipsec VPN"
    add_nat
    enable_forwarding
    /etc/init.d/ipsec restart
    /etc/init.d/xl2tpd restart
    ;;
*)
    echo "Pay Attention!! Usage: /etc/init.d/ipsec.vpn {start|stop|restart}"
    exit 1
    ;;
esac
$ cat /etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
    # contains the networks that are allowed as subnet= for the remote
    # client. In other words, the address ranges that may live behind a NAT
    # router through which a client connects.
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    type=transport
    # Replace IP address with your local IP (private, behind NAT IP is okay
    # as well)
    left=127.0.0.1
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # force all to be nat'ed. because of iOS
    forceencaps=yes
$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
# this file is managed with debconf and will contain the automatically
# created RSA keys
#include /var/lib/openswan/ipsec.secrets.inc
127.0.0.1 %any: PSK "PASSWORD"
$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-54-virtual (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
$ cat /etc/xl2tpd/xl2tpd.conf
[global] ; Global parameters:
ipsec saref = no
[lns default] ; Our fallthrough LNS definition
ip range = 10.152.2.2-10.152.2.254
local ip = 10.152.2.1
require chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
unix authentication = yes
Here is the log:
Nov 23 03:29:07 ip-10-185-160-186 ipsec_setup: Stopping Openswan IPsec...
Nov 23 03:29:08 ip-10-185-160-186 kernel: [1559520.098812] NET: Unregistered protocol family 15
Nov 23 03:29:08 ip-10-185-160-186 ipsec_setup: ...Openswan IPsec stopped
Nov 23 03:29:08 ip-10-185-160-186 kernel: [1559520.148547] NET: Registered protocol family 15
Nov 23 03:29:08 ip-10-185-160-186 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-54-virtual...
Nov 23 03:29:08 ip-10-185-160-186 ipsec_setup: Using NETKEY(XFRM) stack
Nov 23 03:29:09 ip-10-185-160-186 kernel: [1559520.248456] Initializing XFRM netlink socket
Nov 23 03:29:09 ip-10-185-160-186 ipsec_setup: ...Openswan IPsec started
Nov 23 03:29:09 ip-10-185-160-186 xl2tpd[2095]: death_handler: Fatal signal 15 received
Nov 23 03:29:09 ip-10-185-160-186 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Nov 23 03:29:09 ip-10-185-160-186 pluto: adjusting ipsec.d to /etc/ipsec.d
Nov 23 03:29:09 ip-10-185-160-186 ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Nov 23 03:29:09 ip-10-185-160-186 ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2319]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2319]: setsockopt recvref[30]: Protocol not available
Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2319]: This binary does not support kernel L2TP.
Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: xl2tpd version xl2tpd-1.3.1 started on ip-10-185-160-186 PID:2320
Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Forked by Scott Balmos and David Stipp, (C) 2001
Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Inherited by Jeff McAdams, (C) 2002
Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Nov 23 03:29:10 ip-10-185-160-186 xl2tpd[2320]: Listening on IP address 0.0.0.0, port 1701
Please give me a hint.
Thanks
Regards
Mohsen
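An added diagnostic script, not part of the post above and not code from Openswan or ufw, that cross-checks a ufw applications.d profile against an `nmap -sU` report; the two sample inputs embedded in it are constructed copies of what the post shows. It makes two points visible. First, a profile file only defines names: nothing is opened until each name is referenced by a rule (`sudo ufw allow <profile>`), which is why writing the file had no effect. Second, nmap reports a UDP port as `open|filtered` whenever neither a datagram nor an ICMP error came back, so a listener that does not answer an unsolicited probe and a dropped packet look identical; 500/udp shows `open` only because nmap's ISAKMP probe got a reply. A scan of 127.0.0.1 also says nothing about rules on eth0 or the EC2 security group, so the verdicts point at `ss -lun` as the next check.

```shell
#!/bin/sh
# Added example: cross-check a ufw applications.d profile against an
# "nmap -sU" report. Not code from the post, Openswan or ufw.
# Both sample inputs below are constructed copies of what the post shows.

PROFILE=$(mktemp)
NMAP=$(mktemp)
trap 'rm -f "$PROFILE" "$NMAP"' EXIT

cat >"$PROFILE" <<'EOF'
[OpenswanL2TP]
title=L2TP
description=vpn is good thing.
ports=1701/udp
[Openswannat-t-ike]
title=Openswan nat-t-ike
description=Openswannat-t-ike
ports=4500/udp
[Openswanisakmp]
title=Openswanisakmp
description=Openswanisakmp
ports=500/udp
EOF

cat >"$NMAP" <<'EOF'
Starting Nmap 5.21 ( http://nmap.org ) at 2013-11-23 03:26 UTC
Nmap scan report for localhost (127.0.0.1)
Not shown: 996 closed ports
PORT     STATE         SERVICE
68/udp   open|filtered dhcpc
500/udp  open          isakmp
1701/udp open|filtered L2TP
4500/udp open|filtered nat-t-ike
EOF

# profile_ports FILE: print "<profile-name> <port/proto>" for every ports= line.
# The post's profiles carry one port/proto per entry; ufw also accepts comma
# and | separated lists, which this small parser does not expand.
profile_ports() {
    awk -F= '
        /^\[/         { sec = substr($0, 2, length($0) - 2); next }
        $1 == "ports" { print sec, $2 }
    ' "$1"
}

# nmap_state FILE PORT/PROTO: the STATE column nmap printed for that port
# (empty when the port is not in the report).
nmap_state() {
    awk -v want="$2" '$1 == want { print $2 }' "$1"
}

# udp_verdict STATE: what each nmap UDP state means on the wire.
udp_verdict() {
    case "$1" in
        open)            echo "a datagram came back: reachable and answering" ;;
        'open|filtered') echo "no reply at all: a silent listener and a dropped probe look identical, confirm with ss -lun" ;;
        closed)          echo "ICMP port unreachable: nothing is bound" ;;
        filtered)        echo "ICMP prohibited: a firewall rejected the probe" ;;
        '')              echo "port not present in the report" ;;
        *)               echo "unexpected state: $1" ;;
    esac
}

# check_profile PROFILE NMAP: one line per profiled port, followed by the
# rules that the profile file by itself never creates.
check_profile() {
    profile_ports "$1" | while read -r name port; do
        state=$(nmap_state "$2" "$port")
        printf '%-18s %-9s %-14s %s\n' "$name" "$port" "${state:-absent}" "$(udp_verdict "$state")"
    done
    echo "# a profile is only a name; it opens nothing until a rule references it:"
    profile_ports "$1" | awk '{ print "sudo ufw allow " $1 }'
}

check_profile "$PROFILE" "$NMAP"
```

Run it as-is to see the verdicts for the post's three ports; point `check_profile` at the real `/etc/ufw/applications.d/openswan.common` and a saved `nmap -sU` report to reuse it on a live host.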