[Openswan Users] Fwd: Roadwarrior cannot connect from the outside

Stian Skarsbø Solheim lists at m3ua.net
Fri Jul 11 10:25:45 EDT 2014


Hi,

I stumbled over this script: https://gist.github.com/hwdsl2/9030462 (http://blog.ls20.com/ipsec-l2tp-vpn-auto-setup-for-ubuntu-12-04-on-amazon-ec2/)

Using the following ipsec.conf my openswan setup works perfectly: iOS 5, iOS 7 and OS X 10.9, with simultaneous internal and external connections. Some fine tuning is still needed, but at least it works :)

ipsec.conf

config setup
	dumpdir=/var/run/pluto/
	# NAT-T is required here: the server sits behind the home NAT router and the
	# phone behind the carrier's NAT, so IKE and ESP move to UDP 4500
	nat_traversal=yes
	# RFC 1918 ranges a roadwarrior may present as its (NATed) address; the
	# range used on the server side (here 192.168.42.0/24) is excluded so a
	# client cannot claim it
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
	oe=off
	protostack=netkey
	nhelpers=0
	interfaces=%defaultroute
 
conn vpnpsk
	connaddrfamily=ipv4
	auto=add
	# placeholders: the server's LAN address, the public address it is NATed
	# behind (presented as its IKE identity), and its LAN subnet
	left=privateIP
	leftid=publicIP
	leftsubnet=privateIP subnet
	leftnexthop=%defaultroute
	# L2TP only: UDP 1701 on our side, any UDP source port from the client
	# (its port may be rewritten by the NAT in front of it)
	leftprotoport=17/1701
	rightprotoport=17/%any
	right=%any
	rightsubnetwithin=0.0.0.0/0
	# always UDP-encapsulate ESP, even when NAT detection fails
	forceencaps=yes
	authby=secret
	pfs=no
	type=transport
	auth=esp
	# proposals kept for iOS/OS X client compatibility; 3DES is a legacy cipher
	ike=3des-sha1,aes-sha1
	phase2alg=3des-sha1,aes-sha1
	rekey=no
	keyingtries=5
	# dead peer detection: probe every 30 s, clear the SA after 120 s of silence
	dpddelay=30
	dpdtimeout=120
	dpdaction=clear




Begin forwarded message:

> From: Stian Skarsbø Solheim <lists at m3ua.net>
> Subject: [Openswan Users] Roadwarrior cannot connect from the outside
> Date: 5 Jun 2014 08:16:16 GMT+2
> To: users at lists.openswan.org
> 
> Hi all,
> 
> Following a number of tutorials on the interwebs I have (finally!) gotten openswan/xl2tpd/pppd up and running on my Ubuntu 12.04 LTS box.
> 
> From my internal lan I can connect with iOS7, iOS5 (trusty old iPad 1), and OS X 10.9. However, when I try to connect from the cellular network (iPhone) I get the “L2TP server is not responding” error.
> 
> My setup is your normal home cable situation:
> 
> Internet <—> Cable Modem (bridge) <—> Home router (NAT) <—> openSwan server
> 
> 
> Here is my ipsec.conf:
> 
> version 2.0
> 
> config setup
>   nat_traversal=yes
>   virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/16,%v4:172.16.0.0/12
>   oe=off
>   protostack=netkey
>   listen=10.1.2.3
> 
> conn L2TP-PSK-NAT
>   rightsubnet=vhost:%priv
>   also=L2TP-PSK-noNAT
> 
> conn L2TP-PSK-noNAT
>   authby=secret
>   pfs=no
>   auto=add
>   keyingtries=3
>   rekey=no
>   type=transport
>   left=10.1.2.3
>   leftnexthop=10.1.2.1
>   leftprotoport=17/1701
>   right=%any
>   rightprotoport=17/%any
>   dpddelay=15
>   dpdtimeout=30
>   dpdaction=clear
> 
> 
> In /var/log/auth.log when connecting from the outside I get this:
> 
> I see that the client is offering up 10.235.73.47 as its address and I suspect this is the culprit. Does anyone know a way around this? Thankful for any pointers :)
> 
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [RFC 3947] method set to=115 
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
> Jun  5 07:56:23 ltsbox pluto[798]: packet from 126.11.18.148:500: received Vendor ID payload [Dead Peer Detection]
> Jun  5 07:56:23 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: responding to Main Mode from unknown peer 126.11.18.148
> Jun  5 07:56:23 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun  5 07:56:23 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: STATE_MAIN_R1: sent MR1, expecting MI2
> Jun  5 07:56:24 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
> Jun  5 07:56:24 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun  5 07:56:24 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: STATE_MAIN_R2: sent MR2, expecting MI3
> Jun  5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> Jun  5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: Main mode peer ID is ID_IPV4_ADDR: '10.235.73.47'
> Jun  5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
> Jun  5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: deleting connection "L2TP-PSK-NAT" instance with peer 126.11.18.148 {isakmp=#0/ipsec=#0}
> Jun  5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun  5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: new NAT mapping for #25, was 126.11.18.148:500, now 126.11.18.148:4500
> Jun  5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
> Jun  5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: Dead Peer Detection (RFC 3706): enabled
> Jun  5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: the peer proposed: 87.115.5.45/32:17/1701 -> 10.235.73.47/32:17/0
> Jun  5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
> Jun  5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: responding to Quick Mode proposal {msgid:789f60f3}
> Jun  5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26:     us: 10.1.2.3<10.1.2.3>:17/1701---10.1.2.1
> Jun  5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26:   them: 126.11.18.148[10.235.73.47]:17/54988===10.235.73.47/32
> Jun  5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun  5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jun  5 07:56:28 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: Dead Peer Detection (RFC 3706): enabled
> Jun  5 07:56:28 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jun  5 07:56:28 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x07d16b80 <0xd7ba0515 xfrm=AES_256-HMAC_SHA1 NATOA=10.235.73.47 NATD=126.11.18.148:4500 DPD=enabled}
> Jun  5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: received Delete SA(0x07d16b80) payload: deleting IPSEC State #26
> Jun  5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
> Jun  5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: received and ignored informational message
> Jun  5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: received Delete SA payload: deleting ISAKMP State #25
> Jun  5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148: deleting connection "L2TP-PSK-NAT" instance with peer 126.11.18.148 {isakmp=#0/ipsec=#0}
> Jun  5 07:56:48 ltsbox pluto[798]: packet from 126.11.18.148:4500: received and ignored informational message
> 
> 
> 
> Br
> Stian Skarsbø Solheim
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
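As an added example (not from the thread and not Openswan's own code), here is a small Python triage script that reads pluto lines like the ones quoted above and says at which layer a roadwarrior attempt died: no ISAKMP SA (phase 1: PSK, identity or proposal), no IPsec SA (phase 2: selectors or protoport), or both SAs up and then torn down by the peer (IPsec is fine; the problem is above it). The sample lines are a trimmed copy of the log in the forwarded message; the milestone patterns match the pluto messages as they appear in that log, and the 60-second "gave up" window is an assumption. On this log it reports that both phases completed and the client deleted the SAs 20 seconds later, which matches the "L2TP server is not responding" symptom and points at the L2TP/UDP 1701 path rather than at IKE, and it flags the modp1024 group the iOS client negotiated.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the pluto lines quoted in the thread above.
SAMPLE_LOG = """\
Jun  5 07:56:23 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: responding to Main Mode from unknown peer 126.11.18.148
Jun  5 07:56:24 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Jun  5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[24] 126.11.18.148 #25: Main mode peer ID is ID_IPV4_ADDR: '10.235.73.47'
Jun  5 07:56:25 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jun  5 07:56:27 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: the peer proposed: 87.115.5.45/32:17/1701 -> 10.235.73.47/32:17/0
Jun  5 07:56:28 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #26: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x07d16b80 <0xd7ba0515 xfrm=AES_256-HMAC_SHA1 NATOA=10.235.73.47 NATD=126.11.18.148:4500 DPD=enabled}
Jun  5 07:56:48 ltsbox pluto[798]: "L2TP-PSK-NAT"[25] 126.11.18.148 #25: received Delete SA(0x07d16b80) payload: deleting IPSEC State #26
"""

# syslog prefix: "Mon DD HH:MM:SS host pluto[pid]: message"
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (.*)$")
MILESTONES = {
    "peer":     re.compile(r"responding to Main Mode from unknown peer (\S+)"),
    "nat":      re.compile(r"NAT-Traversal: Result using [^:]+: (.+)$"),
    "peer_id":  re.compile(r"Main mode peer ID is ID_IPV4_ADDR: '([^']+)'"),
    "isakmp":   re.compile(r"ISAKMP SA established \{([^}]*)\}"),
    "proposed": re.compile(r"the peer proposed: (\S+) -> (\S+)"),
    "ipsec":    re.compile(r"IPsec SA established (\w+) mode \{([^}]*)\}"),
    "delete":   re.compile(r"received Delete SA\(0x[0-9a-f]+\) payload"),
}
WEAK_GROUPS = {"modp768", "modp1024"}   # below current IKE DH recommendations


def _kv(blob):
    """'auth=PSK cipher=aes_256 ...' -> dict; tokens without '=' are skipped."""
    return dict(tok.split("=", 1) for tok in blob.split() if "=" in tok)


def parse_pluto(log_text):
    """Collect the IKE milestones of one roadwarrior attempt from pluto's syslog lines."""
    ev = {}
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        # syslog stamps carry no year; only time deltas are used below
        when, msg = datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)
        for name, pat in MILESTONES.items():
            hit = pat.search(msg)
            if not hit:
                continue
            if name == "isakmp":
                ev[name] = (when, _kv(hit.group(1)))
            elif name == "ipsec":
                ev[name] = (when, hit.group(1), _kv(hit.group(2)))
            elif name == "proposed":
                ev[name] = (hit.group(1), hit.group(2))
            elif name == "delete":
                ev[name] = when
            else:
                ev[name] = hit.group(1)
    return ev


def triage(ev, give_up_window=60):
    """Verdict on where the connection failed, plus security findings.

    give_up_window (seconds) is an assumed bound on how quickly a client that
    got no L2TP answer tears its freshly built SAs down again.
    """
    findings = []
    if "isakmp" not in ev:
        return "phase1-failed", findings
    p1 = ev["isakmp"][1]
    if p1.get("group") in WEAK_GROUPS:
        findings.append(f"IKE used DH group {p1['group']}; prefer modp2048 or stronger")
    if p1.get("cipher", "").startswith("3des"):
        findings.append("IKE used 3DES; prefer AES")
    pid, src = ev.get("peer_id"), ev.get("peer")
    if pid and src and ipaddress.ip_address(pid).is_private and pid != src:
        findings.append(f"peer ID {pid} is RFC 1918 but packets come from {src}: "
                        "client is behind NAT; virtual_private must allow that range")
    if "ipsec" not in ev:
        return "phase2-failed", findings
    if "delete" in ev:
        secs = int((ev["delete"] - ev["ipsec"][0]).total_seconds())
        if 0 <= secs <= give_up_window:
            findings.append("IKE and ESP negotiated, then the peer tore the SAs down: "
                            "look at the L2TP layer (xl2tpd on UDP 1701, firewall)")
            return f"ipsec-ok-peer-gave-up-after-{secs}s", findings
    return "ipsec-ok", findings


if __name__ == "__main__":
    verdict, notes = triage(parse_pluto(SAMPLE_LOG))
    print("verdict:", verdict)
    for n in notes:
        print(" -", n)
```

Run it against a real /var/log/auth.log by feeding only the lines of one connection attempt (one "#NN" state number pair); mixing several attempts in one call would let a later Delete SA be paired with an earlier IPsec SA.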
