[Openswan Users] Establishing VPN connection using IPSEC/L2TP

Daniel Cave dan.cave at me.com
Fri Sep 18 08:36:20 EDT 2015


Hi Jared.

This appears to be quite a common issue. If you search the archives, there's a mail which I sent the group to Prakesh Palanisamy relating to Cisco IPsec termination with OpenSwan. The mail you need to refer to was 2nd September; if you want, I'll gladly forward it to you if you can't find it.


Since your mail doesn't mention what vendor the remote device is, you're leaving OpenSwan to figure out what negotiation it's going to make with the remote peer device. I'm pretty much guessing it's a Cisco, and unfortunately the only thing which seems to work (from my own experience) on Cisco *ASAs and PIXes* is 3des-md5 for phase1/2.

Try and get the IPsec bit working first before you introduce the L2TP part, and ensure the stability of the tunnel :)

Otherwise I'm shooting in the dark and second-guessing you, so I could well be wrong. :)

H.t.H.

D.
On Sep 17, 2015, at 01:22 AM, Jared Rodecker <jared.rodecker at gmail.com> wrote:

Greetings:

I am new to the list and hoping to get help resolving a problem I've had establishing a VPN connection between my Ubuntu 14.04 server instance (on AWS) and a VPN server that is hosted by a client of our firm.

I am able to connect to the VPN server on my MacBook by simply using the Control Panel/Network interface to set up a VPN connection with "L2TP over IPsec" as my "VPN type" and providing the VPN IP address, username, password and secret.  Each of those 4 values (IP, username, password, secret) was provided by our client and I have successfully connected many times from my local MacBook.

I need to set up some things to run automatically from the command line on a remote AWS server, but part of this process involves setting up the appropriate VPN client on my Ubuntu server instance on AWS to be able to connect to our client's VPN server.  I do not have access to a GUI and am instead using the command line.  My AWS instance has both a "public" and "private" IP address, but since I got very basic error messages about connectivity when using the "public" IP I am using the private IP in all of my config files.  I follow the convention that LEFT = private IP of my AWS instance from which I'm trying to establish the connection and RIGHT = IP of the VPN server I'm trying to connect to (that is hosted externally by our client).

I have followed a variety of online examples and settled on the configuration that is summarized below.  When I try to connect (by typing "ipsec auto --up VPNNAME") I get the following message:

104 "sftravelvpn" #1: STATE_MAIN_I1: initiate
003 "sftravelvpn" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
003 "sftravelvpn" #1: received Vendor ID payload [RFC 3947] method set to=115 
003 "sftravelvpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
003 "sftravelvpn" #1: ignoring Vendor ID payload [FRAGMENTATION]
003 "sftravelvpn" #1: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
003 "sftravelvpn" #1: ignoring Vendor ID payload [IKE CGA version 1]
106 "sftravelvpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sftravelvpn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
108 "sftravelvpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "sftravelvpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "sftravelvpn" #2: STATE_QUICK_I1: initiate
010 "sftravelvpn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "sftravelvpn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "sftravelvpn" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "sftravelvpn" #2: starting keying attempt 2 of at most 3, but releasing whack

It is the second-to-last line, "No acceptable response to our first Quick Mode message: perhaps peer likes no proposal", that I'm guessing is the clue to my problem.  I have reviewed all of the archives for this list going back to Jan 2013 and have found several related posts, but reading them and trying some things that were suggested has not worked yet.
My config files are summarized below.  Much thanks to anyone who can help point me in the right direction!
For the config files I have masked my info as such:
IP of VPN server I'm trying to connect to: x.x.x.x
Private IP of Ubuntu server instance on AWS: y.y.y.y
VPN password = VPNPWD
VPN user name = VPNUSER
VPN secret = VPNSECRET


File:  /etc/rc.local
# turn off sending and accepting ICMP redirects on every IPv4 interface
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 >$vpn/accept_redirects; echo 0 >$vpn/send_redirects; done
# rewrite the source address of traffic leaving any eth* interface to x.x.x.x
iptables -t nat -A POSTROUTING -j SNAT --to-source x.x.x.x -o eth+

exit 0


FILE: /etc/ipsec.conf
config setup
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nat_traversal=yes
        protostack=netkey
        oe=off
        plutoopts="--interface=eth0"

conn sftravelvpn
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        rekey=yes
        ikelifetime=8h
        keylife=1h
        type=tunnel
        left=y.y.y.y
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=x.x.x.x
        rightprotoport=17/1701
        rightnexthop=%defaultroute


File: /etc/ipsec.secrets

y.y.y.y  x.x.x.x : PSK "SECRET"

File:   /etc/xl2tpd/xl2tpd.conf

[global]
ipsec saref = yes
saref refinfo = 30

;debug avp = yes
;debug network = yes
;debug state = yes
;debug tunnel = yes

[lns default]
local ip = x.x.x.x
refuse pap = yes
require authentication = yes
;ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes

File:  /etc/ppp/options.xl2tpd

require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name sftravelvpn
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

File:  /etc/ppp/chap-secrets
# pppd reads this file as: client  server  secret  IP-address(es)
VPNUSER VPNPWD sftravelvpn VPNSECRET


Routing Rule:
sudo ip route add x.x.x.x via y.y.y.y

Then I restart services:

/etc/init.d/ipsec restart

/etc/init.d/xl2tpd restart

Jared Rodecker
jared.rodecker at gmail.com
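The pluto output quoted above already says which phase is the problem: Main Mode completed (STATE_MAIN_I4, with the negotiated cipher, PRF and DH group printed in braces, so the PSK was accepted), and the peer then never answered the first Quick Mode message, which leaves the phase-2 (ESP) proposal, the PFS setting or the selectors as the thing it dislikes. The script below is added here as an example; it is not code from this thread or from the Openswan project. It parses that output, reports where the negotiation stalled, and turns the established ISAKMP SA into the explicit ike= line that pins phase 1 to what the peer has already accepted. The sample log is Jared's output pasted in as constructed input; the table mapping pluto's internal algorithm names to ike= tokens covers only the names that appear there (the md5 entry is an assumption from Openswan's naming). Phase 2 cannot be read off this log because the peer never replied, which is why a guess such as Daniel's 3des-md5 has to go in by hand as phase2alg=3des-md5 (Openswan also accepts the older esp= spelling) next to the ike= line.

```python
import re

# Constructed sample input: the pluto status lines from the mail above.
SAMPLE_LOG = """\
104 "sftravelvpn" #1: STATE_MAIN_I1: initiate
003 "sftravelvpn" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
003 "sftravelvpn" #1: received Vendor ID payload [RFC 3947] method set to=115
003 "sftravelvpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
003 "sftravelvpn" #1: ignoring Vendor ID payload [FRAGMENTATION]
003 "sftravelvpn" #1: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
003 "sftravelvpn" #1: ignoring Vendor ID payload [IKE CGA version 1]
106 "sftravelvpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sftravelvpn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
108 "sftravelvpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "sftravelvpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "sftravelvpn" #2: STATE_QUICK_I1: initiate
010 "sftravelvpn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "sftravelvpn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "sftravelvpn" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "sftravelvpn" #2: starting keying attempt 2 of at most 3, but releasing whack
"""

# Every pluto status line is: 3-digit code, quoted conn name, "#n" state serial, message.
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
ESTABLISHED_RE = re.compile(
    r'STATE_MAIN_I4: ISAKMP SA established \{auth=(?P<auth>\S+) cipher=(?P<cipher>\S+) '
    r'prf=(?P<prf>\S+) group=(?P<group>\S+)\}')
GAVE_UP_RE = re.compile(r'max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)')

# pluto's internal names -> tokens accepted on the ipsec.conf ike= line.
# Only the 3DES/SHA1 names occur in the thread; the md5 entry is an assumption.
CIPHER_TOKEN = {"oakley_3des_cbc_192": "3des"}
PRF_TOKEN = {"oakley_sha": "sha1", "oakley_md5": "md5"}


def parse_lines(text):
    """Yield (code, conn, sa, msg) for each pluto status line; ignore anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["code"]), m["conn"], int(m["sa"]), m["msg"]


def analyse(text):
    """Work out how far the negotiation got and what the log lets you pin down."""
    result = {"conn": None, "phase1": None, "nat_detected": False,
              "failed_state": None, "ike_line": None, "diagnosis": None}
    for code, conn, sa, msg in parse_lines(text):
        result["conn"] = conn
        if "i am NATed" in msg:
            result["nat_detected"] = True
        m = ESTABLISHED_RE.search(msg)
        if m:
            # Phase 1 is done: these are the parameters the peer actually agreed to.
            result["phase1"] = m.groupdict()
            cipher = CIPHER_TOKEN.get(m["cipher"], m["cipher"])
            prf = PRF_TOKEN.get(m["prf"], m["prf"])
            result["ike_line"] = f"ike={cipher}-{prf};{m['group']}"
        m = GAVE_UP_RE.search(msg)
        if m:
            result["failed_state"] = m["state"]

    fs = result["failed_state"]
    if fs is None:
        result["diagnosis"] = ("phase 1 established, no retransmission limit hit"
                               if result["phase1"] else "negotiation incomplete")
    elif fs.startswith("STATE_MAIN_"):
        result["diagnosis"] = "phase 1 (Main Mode) never completed: check PSK, ike= proposal and NAT-T"
    elif fs.startswith("STATE_QUICK_") and result["phase1"]:
        result["diagnosis"] = ("phase 1 done, phase 2 (Quick Mode) unanswered: peer rejected the "
                               "ESP proposal, the PFS setting or the protoport selectors")
    else:
        result["diagnosis"] = f"gave up in {fs}"
    return result


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on the saved output of "ipsec auto --up sftravelvpn"; for the log above it prints ike=3des-sha1;modp1024 and the phase-2 diagnosis. Pinning ike= to what the log shows does not by itself fix a Quick Mode failure, but it stops phase 1 from drifting while you change phase2alg= and pfs= one at a time.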


_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155