[Openswan Users] Establishing VPN connection using IPSEC/L2TP

Jared Rodecker jared.rodecker at gmail.com
Wed Sep 16 20:20:39 EDT 2015


Greetings:

I am new to the list and hoping to get help resolving a problem I've had
establishing a VPN connection between my Ubuntu 14.04 server instance (on
AWS) and a VPN server that is hosted by a client of our firm.

I am able to connect to the VPN server on my MacBook by simply using the
Control Panel/Network interface to set up a VPN connection with "L2TP over
IPsec" as my "VPN type" by providing the VPN IP address, username, password
and secret.  Each of those 4 values (IP, username, password, secret) was
provided by our client and I have successfully connected many times from my
local MacBook.

I need to set up some things to run automatically from command line from a
remote AWS server but part of this process involves setting up the
appropriate VPN client on my Ubuntu server instance on AWS to be able to
connect to our client's VPN server.  I do not have access to a GUI and am
instead using the command line.  My AWS instance has both a "public" and
"private" IP address but since I got very basic error messages about
connectivity when using the "public" IP I am using the private IP in all of
my config files.  I follow the convention that LEFT = private IP of my AWS
instance from which I'm trying to establish the connection and RIGHT = IP
of the VPN server I'm trying to connect to (that is hosted externally by our
client).

I have followed a variety of online examples and settled on the
configuration that is summarized below.  When I try to connect (by typing
"ipsec auto --up VPNNAME") I get the following message:

104 "sftravelvpn" #1: STATE_MAIN_I1: initiate
003 "sftravelvpn" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
003 "sftravelvpn" #1: received Vendor ID payload [RFC 3947] method set to=115
003 "sftravelvpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
003 "sftravelvpn" #1: ignoring Vendor ID payload [FRAGMENTATION]
003 "sftravelvpn" #1: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
003 "sftravelvpn" #1: ignoring Vendor ID payload [IKE CGA version 1]
106 "sftravelvpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sftravelvpn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
108 "sftravelvpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "sftravelvpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "sftravelvpn" #2: STATE_QUICK_I1: initiate
010 "sftravelvpn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "sftravelvpn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "sftravelvpn" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "sftravelvpn" #2: starting keying attempt 2 of at most 3, but releasing whack


It is the 2nd to last line, "No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal", that I'm guessing is the clue to
my problem.  I have reviewed all of the archives for this list going back
to Jan 2013 and have found several related posts, but reading them and
trying some things that were suggested has not worked yet.

My config files are summarized below.  Much thanks to anyone who can help
point me in the right direction!

For the config files I have masked my info as such:

IP of VPN server I'm trying to connect to: x.x.x.x
Private IP of Ubuntu server instance on AWS: y.y.y.y
VPN password = VPNPWD
VPN user name = VPNUSER
VPN secret = VPNSECRET



File:  /etc/rc.local

for vpn in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $vpn/accept_redirects
    echo 0 > $vpn/send_redirects
done

iptables -t nat -A POSTROUTING -j SNAT --to-source x.x.x.x -o eth+

exit 0



FILE: /etc/ipsec.conf

config setup
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nat_traversal=yes
        protostack=netkey
        oe=off
        plutoopts="--interface=eth0"


conn sftravelvpn
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=tunnel
        left=y.y.y.y
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=x.x.x.x
        rightprotoport=17/1701
        rightnexthop=%defaultroute



File: /etc/ipsec.secrets

y.y.y.y  x.x.x.x : PSK "SECRET"


File:   /etc/xl2tpd/xl2tpd.conf


[global]
ipsec saref = yes
saref refinfo = 30

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
local ip = x.x.x.x
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


File:  /etc/ppp/options.xl2tpd


require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name sftravelvpn
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4


File:  /etc/ppp/chap-secrets

VPNUSER VPNPWD sftravelvpn VPNSECRET


Routing Rule:

sudo ip ro ad x.x.x.x via y.y.y.y


Then I restart services:

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart


Jared Rodecker

jared.rodecker at gmail.com
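Added example, not from the post or from Openswan: a small Python parser that reads pluto's `ipsec auto --up` status lines like those quoted above, records how far each SA got, pulls out the negotiated Phase 1 parameters and flags the ones a defender would want to review, and says which IKEv1 phase failed. The sample log is constructed from the output in the post; the status-code meanings and weak-parameter list are assumptions of this example.

```python
import re

# Constructed sample: the pluto output quoted in the post, reduced to the lines
# that carry a state change, the negotiated parameters or the final error.
SAMPLE_LOG = """\
104 "sftravelvpn" #1: STATE_MAIN_I1: initiate
003 "sftravelvpn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
004 "sftravelvpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "sftravelvpn" #2: STATE_QUICK_I1: initiate
010 "sftravelvpn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
031 "sftravelvpn" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')  # code "conn" #sa: text
STATE_RE = re.compile(r'STATE_(?:MAIN|QUICK)_[IR]\d')
PARAMS_RE = re.compile(r'\{([^}]*)\}')                    # {k=v k=v ...}

# Phase 1 values a defender would flag when reviewing a tunnel like this one.
WEAK = {'cipher': {'oakley_3des_cbc_192': '3DES (64-bit block cipher)'},
        'prf': {'oakley_sha': 'SHA-1 PRF'},
        'group': {'modp1024': 'modp1024 (1024-bit DH group)'}}

def parse_pluto_log(text):
    """Group `ipsec auto --up` output by SA number: states, params, error."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        code, conn, sa, rest = m.groups()
        e = sas.setdefault(int(sa), {'conn': conn, 'states': [], 'params': {}, 'error': None})
        if (st := STATE_RE.search(rest)):
            e['states'].append(st.group(0))
        if (pm := PARAMS_RE.search(rest)):
            e['params'] = dict(kv.split('=', 1) for kv in pm.group(1).split())
        if code == '031':  # status code on the "max retransmissions reached" line (assumed)
            e['error'] = rest.split('.', 1)[-1].strip()
    return sas

def diagnose(sas):
    """Say which IKEv1 phase completed and flag weak negotiated crypto."""
    states = [s for e in sas.values() for s in e['states']]
    params = {k: v for e in sas.values() for k, v in e['params'].items()}
    report = {'phase1': 'STATE_MAIN_I4' in states,    # ISAKMP SA established
              'phase2': 'STATE_QUICK_I2' in states,   # IPsec SA established
              'weak': [WEAK[k][v] for k, v in params.items() if v in WEAK.get(k, {})],
              'errors': [e['error'] for e in sas.values() if e['error']], 'hint': None}
    if report['phase1'] and not report['phase2']:
        report['hint'] = ('PSK and IKE proposal were accepted; Quick Mode got no reply, so '
                          'compare the Phase 2 (ESP) proposal, protoport selectors and type=')
    return report
```

Running `diagnose(parse_pluto_log(SAMPLE_LOG))` on the quoted output reports Phase 1 complete, Phase 2 not reached, and three parameters (3DES, SHA-1, modp1024) worth raising with the peer's administrator.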