[Openswan Users] Issues with L2TP/IPSec on Rasbian Using OpenSwan
Aroldo Carvalho
aroldopc at gmail.com
Thu Aug 24 07:20:16 EDT 2017
Hello, I need help to get my VPN working properly.
I installed OpenSwan on my Raspberry Pi 3, set up the static IP address
and opened the ports on my router (1701 TCP, 4500 UDP and 500 UDP).
I spent several hours looking for the solution online, and the setup I used
is also posted on the Raspberry Pi web site.
I tried to connect from my Mac and Windows machines but the connection is
not successful.
Attached is the file with my setup and a log from the tail -f
/var/log/auth.log that I used to debug this issue.
Sincerely,
--
Aroldo Carvalho
Mobile USA: 1-848-525-6797 | Cellular Brasil: +55 13 9 9117-0861
Email: aroldopc at gmail.com | WhatsApp: 1-848-525-6797 | SKYPE: aroldo1959
-------------- next part --------------
root at raspberrypi:/home/pi# tail -f /var/log/auth.log
Aug 23 20:57:25 raspberrypi systemd-logind[361]: New session c4 of user pi.
Aug 23 20:57:25 raspberrypi su[1235]: pam_unix(su:session): session closed for user pi
Aug 23 20:57:25 raspberrypi systemd-logind[361]: Removed session c4.
Aug 23 20:58:05 raspberrypi su[1279]: Successful su for root by pi
Aug 23 20:58:05 raspberrypi su[1279]: + /dev/pts/0 pi:root
Aug 23 20:58:05 raspberrypi su[1279]: pam_unix(su:session): session opened for user root by (uid=1000)
Aug 23 20:58:05 raspberrypi su[1279]: pam_systemd(su:session): Cannot create session: Already running in a session
Aug 23 21:00:13 raspberrypi sudo: root : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/sbin/ipsec verify
Aug 23 21:00:13 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Aug 23 21:00:13 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
Aug 23 21:03:50 raspberrypi sshd[1314]: Received disconnect from 221.194.47.224 port 47467:11: [preauth]
Aug 23 21:03:50 raspberrypi sshd[1314]: Disconnected from 221.194.47.224 port 47467 [preauth]
^C
root at raspberrypi:/home/pi# tail -f /var/log/syslog
Aug 23 20:57:59 raspberrypi systemd[1]: Time has been changed
Aug 23 20:57:59 raspberrypi systemd[1]: apt-daily.timer: Adding 11h 12min 11.709068s random time.
Aug 23 20:57:59 raspberrypi systemd[1]: apt-daily-upgrade.timer: Adding 21min 46.419937s random time.
Aug 23 20:58:33 raspberrypi kernel: [ 77.119988] random: crng init done
Aug 23 21:00:40 raspberrypi dhcpcd[386]: enxb827eb5a5f3c: Router Advertisement from fe80::4af8:b3ff:feb8:5a46
Aug 23 21:00:40 raspberrypi dhcpcd[386]: enxb827eb5a5f3c: ignoring RA from fe80::4af8:b3ff:feb8:5a46 (no public prefix, no managed address)
Aug 23 21:00:40 raspberrypi dhcpcd[386]: enxb827eb5a5f3c: requesting DHCPv6 information
Aug 23 21:03:11 raspberrypi dhcpcd[386]: enxb827eb5a5f3c: Router Advertisement from fe80::4af8:b3ff:feb8:5a46
Aug 23 21:03:11 raspberrypi dhcpcd[386]: enxb827eb5a5f3c: ignoring RA from fe80::4af8:b3ff:feb8:5a46 (no public prefix, no managed address)
Aug 23 21:03:11 raspberrypi dhcpcd[386]: enxb827eb5a5f3c: requesting DHCPv6 information
^C
root at raspberrypi:/home/pi# /etc/init.d/xl2tpd restart
[ ok ] Restarting xl2tpd (via systemctl): xl2tpd.service.
root at raspberrypi:/home/pi# /etc/init.d/ipsec restart
<27>Aug 23 21:05:36 ipsec_setup: Stopping Openswan IPsec...
<27>Aug 23 21:05:39 ipsec_setup: Starting Openswan IPsec U2.6.38/K4.9.41-v7+...
root at raspberrypi:/home/pi# tail -f /var/log/auth.log
Aug 23 21:05:40 raspberrypi pluto[1553]: added connection description "passthrough-for-non-l2tp"
Aug 23 21:05:40 raspberrypi pluto[1560]: using /dev/urandom as source of random entropy
Aug 23 21:05:40 raspberrypi pluto[1553]: listening for IKE messages
Aug 23 21:05:40 raspberrypi pluto[1553]: adding interface enxb827eb5a5f3c/enxb827eb5a5f3c 192.168.1.100:500
Aug 23 21:05:40 raspberrypi pluto[1553]: adding interface enxb827eb5a5f3c/enxb827eb5a5f3c 192.168.1.100:4500
Aug 23 21:05:40 raspberrypi pluto[1553]: adding interface lo/lo 127.0.0.1:500
Aug 23 21:05:40 raspberrypi pluto[1553]: adding interface lo/lo 127.0.0.1:4500
Aug 23 21:05:40 raspberrypi pluto[1553]: adding interface lo/lo ::1:500
Aug 23 21:05:40 raspberrypi pluto[1553]: loading secrets from "/etc/ipsec.secrets"
Aug 23 21:05:40 raspberrypi pluto[1553]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [RFC 3947] method set to=115
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Aug 23 21:06:05 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [Dead Peer Detection]
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[1] 189.4.188.4 #1: responding to Main Mode from unknown peer 189.4.188.4
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[1] 189.4.188.4 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[1] 189.4.188.4 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[1] 189.4.188.4 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[1] 189.4.188.4 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[1] 189.4.188.4 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[1] 189.4.188.4 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[1] 189.4.188.4 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.134'
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[1] 189.4.188.4 #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: deleting connection "L2TP-PSK-NAT" instance with peer 189.4.188.4 {isakmp=#0/ipsec=#0}
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: new NAT mapping for #1, was 189.4.188.4:500, now 189.4.188.4:4500
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=OAKLEY_SHA2_256 group=modp2048}
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: Dead Peer Detection (RFC 3706): enabled
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: the peer proposed: 24.185.148.4/32:17/1701 -> 192.168.1.134/32:17/0
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #2: responding to Quick Mode proposal {msgid:87537ecb}
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #2: us: 192.168.1.100<192.168.1.100>:17/1701
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #2: them: 189.4.188.4[192.168.1.134]:17/62166===192.168.1.134/32
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #2: Dead Peer Detection (RFC 3706): enabled
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0fe128b2 <0xec583241 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.134 NATD=189.4.188.4:4500 DPD=enabled}
Aug 23 21:06:26 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: received Delete SA(0x0fe128b2) payload: deleting IPSEC State #2
Aug 23 21:06:26 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Aug 23 21:06:26 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: received and ignored informational message
Aug 23 21:06:26 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4 #1: received Delete SA payload: deleting ISAKMP State #1
Aug 23 21:06:26 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 189.4.188.4: deleting connection "L2TP-PSK-NAT" instance with peer 189.4.188.4 {isakmp=#0/ipsec=#0}
Aug 23 21:06:26 raspberrypi pluto[1553]: packet from 189.4.188.4:4500: received and ignored informational message
Aug 23 21:06:39 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Aug 23 21:06:39 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Aug 23 21:06:39 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [RFC 3947] method set to=115
Aug 23 21:06:39 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Aug 23 21:06:39 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 23 21:06:39 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Aug 23 21:06:39 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 23 21:06:39 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [IKE CGA version 1]
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 189.4.188.4 #3: responding to Main Mode from unknown peer 189.4.188.4
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 189.4.188.4 #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 189.4.188.4 #3: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 189.4.188.4 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 189.4.188.4 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 189.4.188.4 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 189.4.188.4 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 189.4.188.4 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 189.4.188.4 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.14'
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 189.4.188.4 #3: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: deleting connection "L2TP-PSK-NAT" instance with peer 189.4.188.4 {isakmp=#0/ipsec=#0}
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: new NAT mapping for #3, was 189.4.188.4:500, now 189.4.188.4:62279
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: the peer proposed: 24.185.148.4/32:17/1701 -> 192.168.0.14/32:17/0
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #4: responding to Quick Mode proposal {msgid:01000000}
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #4: us: 192.168.1.100<192.168.1.100>:17/1701
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #4: them: 189.4.188.4[192.168.0.14]:17/1701===192.168.0.14/32
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #4: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xf61d738a <0xd55c5550 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.0.14 NATD=189.4.188.4:62279 DPD=none}
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: the peer proposed: 24.185.148.4/32:17/1701 -> 192.168.0.14/32:17/1701
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #5: responding to Quick Mode proposal {msgid:02000000}
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #5: us: 192.168.1.100<192.168.1.100>:17/1701
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #5: them: 189.4.188.4[192.168.0.14]:17/1701===192.168.0.14/32
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #5: keeping refhim=4294901761 during rekey
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #5: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #5: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #5: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xd4e1c864 <0xdbffee47 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.0.14 NATD=189.4.188.4:62279 DPD=none}
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: received Delete SA(0xf61d738a) payload: deleting IPSEC State #4
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: received and ignored informational message
Aug 23 21:06:43 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: the peer proposed: 24.185.148.4/32:17/1701 -> 192.168.0.14/32:17/1701
Aug 23 21:06:43 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 23 21:06:43 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: responding to Quick Mode proposal {msgid:03000000}
Aug 23 21:06:43 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: us: 192.168.1.100<192.168.1.100>:17/1701
Aug 23 21:06:43 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: them: 189.4.188.4[192.168.0.14]:17/1701===192.168.0.14/32
Aug 23 21:06:43 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: keeping refhim=4294901761 during rekey
Aug 23 21:06:43 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 23 21:06:43 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 23 21:06:44 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: next payload type of ISAKMP Hash Payload has an unknown value: 175
Aug 23 21:06:44 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: malformed payload in packet
Aug 23 21:06:44 raspberrypi pluto[1553]: | payload malformed after IV
Aug 23 21:06:44 raspberrypi pluto[1553]: | 23 96 7a d2 c5 4a 0e 84 ec 93 b0 e1 ed 71 4a 55
Aug 23 21:06:44 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: sending notification PAYLOAD_MALFORMED to 189.4.188.4:62279
Aug 23 21:06:44 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: next payload type of ISAKMP Hash Payload has an unknown value: 175
Aug 23 21:06:44 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #6: malformed payload in packet
Aug 23 21:06:46 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring unknown Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
Aug 23 21:06:46 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Aug 23 21:06:46 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [RFC 3947] method set to=115
Aug 23 21:06:46 raspberrypi pluto[1553]: packet from 189.4.188.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Aug 23 21:06:46 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 23 21:06:46 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Aug 23 21:06:46 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Aug 23 21:06:46 raspberrypi pluto[1553]: packet from 189.4.188.4:500: ignoring Vendor ID payload [IKE CGA version 1]
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: responding to Main Mode from unknown peer 189.4.188.4
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: received Delete SA(0xd4e1c864) payload: deleting IPSEC State #5
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: received and ignored informational message
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #3: received Delete SA payload: deleting ISAKMP State #3
Aug 23 21:06:46 raspberrypi pluto[1553]: packet from 189.4.188.4:62279: received and ignored informational message
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.14'
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: new NAT mapping for #7, was 189.4.188.4:500, now 189.4.188.4:62279
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: the peer proposed: 24.185.148.4/32:17/1701 -> 192.168.0.14/32:17/1701
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #8: responding to Quick Mode proposal {msgid:01000000}
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #8: us: 192.168.1.100<192.168.1.100>:17/1701
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #8: them: 189.4.188.4[192.168.0.14]:17/1701===192.168.0.14/32
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #8: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 23 21:06:46 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 23 21:06:47 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #8: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 62279 don't match. Using that_client port.
Aug 23 21:06:47 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #8: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 23 21:06:47 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #8: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 23 21:06:47 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #8: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xf5a6adf0 <0x77dc7380 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.0.14 NATD=189.4.188.4:62279 DPD=none}
Aug 23 21:06:54 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: the peer proposed: 24.185.148.4/32:17/1701 -> 192.168.0.14/32:17/1701
Aug 23 21:06:54 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 23 21:06:54 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #9: responding to Quick Mode proposal {msgid:02000000}
Aug 23 21:06:54 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #9: us: 192.168.1.100<192.168.1.100>:17/1701
Aug 23 21:06:54 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #9: them: 189.4.188.4[192.168.0.14]:17/1701===192.168.0.14/32
Aug 23 21:06:54 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #9: keeping refhim=4294901761 during rekey
Aug 23 21:06:54 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #9: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 23 21:06:54 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 23 21:06:55 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #9: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 62279 don't match. Using that_client port.
Aug 23 21:06:55 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #9: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 23 21:06:55 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 23 21:06:55 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #9: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x028a3898 <0x03529e05 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.0.14 NATD=189.4.188.4:62279 DPD=none}
Aug 23 21:06:55 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: received Delete SA(0xf5a6adf0) payload: deleting IPSEC State #8
Aug 23 21:06:55 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: received and ignored informational message
Aug 23 21:07:04 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: the peer proposed: 24.185.148.4/32:17/1701 -> 192.168.0.14/32:17/1701
Aug 23 21:07:04 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Aug 23 21:07:04 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #10: responding to Quick Mode proposal {msgid:03000000}
Aug 23 21:07:04 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #10: us: 192.168.1.100<192.168.1.100>:17/1701
Aug 23 21:07:04 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #10: them: 189.4.188.4[192.168.0.14]:17/1701===192.168.0.14/32
Aug 23 21:07:04 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #10: keeping refhim=4294901761 during rekey
Aug 23 21:07:04 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 23 21:07:04 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 23 21:07:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #10: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 62279 don't match. Using that_client port.
Aug 23 21:07:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #10: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Aug 23 21:07:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 23 21:07:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xe0ba5296 <0xce5a6fe1 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.0.14 NATD=189.4.188.4:62279 DPD=none}
Aug 23 21:07:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: received Delete SA(0x028a3898) payload: deleting IPSEC State #9
Aug 23 21:07:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 189.4.188.4 #7: received and ignored informational message
-------------- next part --------------
# To run the following commands as superuser (root)
sudo passwd
su
# update system and Install packages
apt-get update;
apt-get install openswan xl2tpd ppp lsof
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
sysctl -p
# Edit /etc/rc.local
nano /etc/rc.local
# Paste this code into rc.local (before the final "exit 0")
for vpn in /proc/sys/net/ipv4/conf/*;
do
echo 0 > $vpn/accept_redirects;
echo 0 > $vpn/send_redirects;
done
iptables --table nat --append POSTROUTING --jump MASQUERADE
# Rename /etc/ipsec.conf to /etc/ipsec.conf.old
mv /etc/ipsec.conf /etc/ipsec.conf.old
# Edit /etc/ipsec.conf
nano /etc/ipsec.conf
# Replace contents in file
version 2.0
config setup
nat_traversal=yes
protostack=netkey
virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4!10.25$
oe=on
conn L2TP-PSK-NAT
# rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
# we cannot rekey for %any, let client retry
rekey=no
# Apple iOS doesn't send delete notify so we need dead peer detection
# to detect vanishing clients
dpddelay=30
dpdtimeout=120
dpdaction=clear
# Set ikelifetime and keylife to the same defaults windows has
ikelifetime=8h
keylife=1h
# l2tp-over-ipsec is transport mode
type=transport
#
left=192.168.1.100
#
# For updated Windows 2000/XP clients,
# to support old clients as well, use leftprotoport=17/%any
leftprotoport=17/1701
#
# The Remote user
#
right=%any
# Using the magic port of "%any" means "any one single port". This is
# a work around required for Apple OSX clients that use a randomly
# high port.
rightprotoport=17/%any
# force all to be nat'ed. because of ios
forceencaps=yes
# Normally, KLIPS drops all plaintext traffic from IPs it has an encrypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# (That is KLIPS behaviour; this setup uses protostack=netkey, where the
# passthrough conn is not required, but it does no harm.)
# The l2tp conns use a leftprotoport, so they are more specific and will be
# matched first. Packets for the host on other ports and protocols (eg ssh)
# will match the passthrough conn.
conn passthrough-for-non-l2tp
type=passthrough
left=192.168.1.100
leftnexthop=192.168.1.1
right=0.0.0.0
rightsubnet=0.0.0.0/0
auto=route
# Edit file /etc/ipsec.secrets
nano /etc/ipsec.secrets
# Add the secret password
192.168.1.100 %any: PSK "victoriasecrets"
# Edit file /etc/xl2tpd/xl2tpd.conf
nano /etc/xl2tpd/xl2tpd.conf
[global]
; SAref tracking needs KLIPS with the SAref kernel patch; with
; protostack=netkey in ipsec.conf it cannot work, so leave it off
ipsec saref = no
listen-addr = 192.168.1.100
[lns default]
ip range = 192.168.1.140-192.168.1.159
local ip = 192.168.1.100
assign ip = yes
require chap = yes
refuse pap = yes
require authentication = yes
name = linkVPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
# Edit file /etc/ppp/options.xl2tpd
nano /etc/ppp/options.xl2tpd
# Paste the following code
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
asyncmap 0
auth
crtscts
lock
idle 1800
mtu 1200
mru 1200
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
nodefaultroute
connect-delay 5000
# Edit /etc/ppp/chap-secrets
nano /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
pi * Marape17! *
# Add Service to bootup
update-rc.d -f ipsec remove
update-rc.d ipsec defaults
# Now restart services
/etc/init.d/xl2tpd restart
/etc/init.d/ipsec restart
# Check if IPSec is correctly setup
sudo ipsec verify
# Monitor /var/log/syslog and /var/log/auth.log on your Raspberry Pi by running
tail -f /var/log/syslog
tail -f /var/log/auth.log
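Reading the attached pluto log by hand is tedious, so below is an added example (not from the original post and not Openswan's own code) that parses pluto lines of the shape shown above, tracks each state number from establishment to deletion and reports how long every IPsec SA lived. That separates "IKE is failing" from "IKE works but the L2TP/PPP stage behind it fails". The regular expressions are my assumptions about the Openswan 2.6 message format seen in this log; SAMPLE_LOG is constructed to mirror it, with the peer replaced by the documentation address 198.51.100.7. Applied to the real excerpt it shows what the log already hints at: phase 1 and phase 2 complete every time (aes_256, modp2048, transport mode), and the client deletes the SAs within seconds (for example state #2 is established at 21:06:06 and deleted at 21:06:26), which points at xl2tpd/pppd rather than at IPsec.

```python
"""Summarise Openswan pluto log lines as tailed from /var/log/auth.log.
Added example: the regexes are assumptions about the pluto 2.6 message format
seen in the post, not an official parser; SAMPLE_LOG is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: (?P<msg>.*)$')
STATE_RE = re.compile(r'^"[^"]+"\[\d+\] (?P<peer>[0-9.]+) #(?P<st>\d+): (?P<rest>.*)$')
P2_OK = re.compile(r'IPsec SA established (?P<mode>\w+) mode \{ESP(?:/NAT)?=>(?P<out>0x[0-9a-f]+) <0x[0-9a-f]+')
DEL_P2 = re.compile(r'received Delete SA\(0x[0-9a-f]+\) payload: deleting IPSEC State #(?P<st>\d+)')
DEL_P1 = re.compile(r'received Delete SA payload: deleting ISAKMP State #(?P<st>\d+)')
WARN_RE = re.compile(r'not supported|malformed payload|WARNING|ERROR')

# Constructed sample in the shape of the posted log; the peer is a documentation address.
SAMPLE_LOG = """\
Aug 23 21:06:05 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 198.51.100.7 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=OAKLEY_SHA2_256 group=modp2048}
Aug 23 21:06:06 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 198.51.100.7 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0fe128b2 <0xec583241 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.1.134 NATD=198.51.100.7:4500 DPD=enabled}
Aug 23 21:06:26 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 198.51.100.7 #1: received Delete SA(0x0fe128b2) payload: deleting IPSEC State #2
Aug 23 21:06:26 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 198.51.100.7 #1: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
Aug 23 21:06:26 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[2] 198.51.100.7 #1: received Delete SA payload: deleting ISAKMP State #1
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[3] 198.51.100.7 #3: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Aug 23 21:06:39 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 198.51.100.7 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 198.51.100.7 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xf61d738a <0xd55c5550 xfrm=AES_256-HMAC_SHA1 NATOA=192.168.0.14 NATD=198.51.100.7:62279 DPD=none}
Aug 23 21:06:40 raspberrypi pluto[1553]: "L2TP-PSK-NAT"[4] 198.51.100.7 #3: received Delete SA(0xf61d738a) payload: deleting IPSEC State #4
"""


@dataclass
class SaRecord:
    number: int
    kind: str                      # "isakmp" (IKE phase 1) or "ipsec" (phase 2)
    peer: str
    established: Optional[datetime] = None
    deleted: Optional[datetime] = None
    spi: str = ""                  # outbound ESP SPI (phase 2 only)

    def lifetime(self) -> Optional[float]:
        # seconds the SA lived, or None if it was never established or never deleted
        if self.established is None or self.deleted is None:
            return None
        return (self.deleted - self.established).total_seconds()


def parse_pluto_log(text: str, year: int = 2017) -> Tuple[Dict[int, SaRecord], List[Tuple[datetime, str]]]:
    """Return (records keyed by pluto state number, warning/error lines)."""
    states: Dict[int, SaRecord] = {}
    warnings: List[Tuple[datetime, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # sshd, sudo, ... lines
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(" ".join(m["ts"].split()) + f" {year}", "%b %d %H:%M:%S %Y")
        msg = m["msg"]
        if WARN_RE.search(msg):
            warnings.append((ts, msg))
        sm = STATE_RE.match(msg)
        if not sm:
            continue                                   # "packet from x:500: ..." pre-state lines
        st, peer, rest = int(sm["st"]), sm["peer"], sm["rest"]
        if "ISAKMP SA established" in rest:
            states.setdefault(st, SaRecord(st, "isakmp", peer)).established = ts
        elif (e := P2_OK.search(rest)):
            r = states.setdefault(st, SaRecord(st, "ipsec", peer))
            r.established, r.spi = ts, e["out"]
        elif (e := DEL_P2.search(rest)):
            # logged under the parent ISAKMP state; the IPsec state number is in the message
            states.setdefault(int(e["st"]), SaRecord(int(e["st"]), "ipsec", peer)).deleted = ts
        elif (e := DEL_P1.search(rest)):
            states.setdefault(int(e["st"]), SaRecord(int(e["st"]), "isakmp", peer)).deleted = ts
    return states, warnings


def diagnose(states: Dict[int, SaRecord], quick_teardown_s: float = 60.0) -> dict:
    """Classify where the tunnel fails: IKE phase 1, phase 2, or the L2TP/PPP layer above IPsec."""
    phase1_ok = any(s.established for s in states.values() if s.kind == "isakmp")
    phase2_ok = any(s.established for s in states.values() if s.kind == "ipsec")
    lifetimes = [s.lifetime() for s in states.values() if s.kind == "ipsec" and s.lifetime() is not None]
    torn_down_early = bool(lifetimes) and all(lt < quick_teardown_s for lt in lifetimes)
    if not phase1_ok:
        verdict = "IKE phase 1 never completes: check the PSK, UDP 500/4500 forwarding and nat_traversal"
    elif not phase2_ok:
        verdict = "phase 2 fails: check type=transport and leftprotoport/rightprotoport"
    elif torn_down_early:
        verdict = (f"IPsec SAs come up but the client deletes them within {quick_teardown_s:.0f}s: "
                   "IPsec is fine, the L2TP/PPP stage behind it fails (xl2tpd on UDP 1701, ppp auth)")
    else:
        verdict = "IPsec SAs are stable"
    return {"phase1_ok": phase1_ok, "phase2_ok": phase2_ok, "ipsec_lifetimes": lifetimes,
            "torn_down_early": torn_down_early, "verdict": verdict}


if __name__ == "__main__":
    recs, warns = parse_pluto_log(SAMPLE_LOG)
    for s in recs.values():
        print(f"#{s.number} {s.kind:6} est={s.established} del={s.deleted} life={s.lifetime()} {s.spi}")
    print(diagnose(recs)["verdict"], "/", len(warns), "warning lines")
```

To run it on the real file, pass the contents of /var/log/auth.log to parse_pluto_log instead of SAMPLE_LOG. When the verdict is the "client deletes them" case, the next checks belong to the layer above IPsec: confirm xl2tpd is bound to UDP 1701 on the listen address (ss -lunp), watch whether decrypted L2TP arrives (tcpdump -ni <iface> udp port 1701), and read the xl2tpd and pppd lines in /var/log/syslog for the CHAP/IPCP stage.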