Openswan l2tp ipsec vpn on Ubuntu 13.04 for remote access (Android road warrior). Does not work

0

I followed the directions from here: http://samsclass.info/ipv6/proj/proj-L5-VPN-Server.html

I used the same exact files as posted at that site. On my router, I have port-forwarded 500 UDP and 4500 UDP to the Ubuntu box. On Android, when I try, it goes to "Connecting..." then eventually "Timeout". Also tested on iOS (iPad) and also does not work. I noticed that syslog has nothing from xl2tpd for each connection attempt, so I am guessing the openswan ipsec is not passing the traffic to xl2tpd?

All the steps from the guide were completed:

added local ip address 172.22.1.1 eth0:0 (the Ubuntu box has eth0 192.168.0.50)
installed openswan
edited ipsec.conf, ipsec.secrets
stopped redirects
ipsec verify
restarted openswan
installed xl2tpd
edited xl2tpd.conf
ppp was already installed, so skipped this step
edited options.xl2tpd and chaps-secrets
restarted xl2tpd

[ipsec.conf]

# diff ipsec.conf ipsec.conf.template
21c21
<     left=192.168.0.50
---
>     left=YOUR.SERVER.IP.ADDRESS
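Review bot: left=192.168.0.50 is the right value for a server behind a NAT router, since Pluto matches left/right against the addresses on its own interfaces and the router's public address is not one of them; the template's YOUR.SERVER.IP.ADDRESS wording assumes a host with a public IP. The same address has to be the left side in ipsec.secrets (here `192.168.0.50   %any:  PSK ...`, which matches). This one-line diff leaves the `rightsubnet=vhost:%priv` NAT conn untouched, and with auth.log reporting "both are NATed", forceencaps=yes is also worth setting.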

The .50 IP address is the eth0 IP address of the Ubuntu server on my LAN.

[ipsec.secrets]

# cat /etc/ipsec.secrets
192.168.0.50   %any:  PSK "YourSharedSecret"

[xl2tpd.conf / options.xl2tpd / chap-secrets]

All 3 files identical to the examples provided at the site.

=== /var/log/auth.log
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [RFC 3947] method set to=115
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Sep 20 02:05:51 sbowne pluto[12590]: packet from 166.147.67.29:58529: received Vendor ID payload [Dead Peer Detection]
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: responding to Main Mode from unknown peer 166.147.67.29
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: Main mode peer ID is ID_IPV4_ADDR: '10.4.23.140'
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[1] 166.147.67.29 #1: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: deleting connection "L2TP-PSK-NAT" instance with peer 166.147.67.29 {isakmp=#0/ipsec=#0}
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: new NAT mapping for #1, was 166.147.67.29:58529, now 166.147.67.29:37048
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Sep 20 02:05:51 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: received and ignored informational message
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #1: the peer proposed: 98.201.212.153/32:17/1701 -> 10.4.23.140/32:17/0
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: responding to Quick Mode proposal {msgid:76a9dec2}
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2:     us: 192.168.0.50<192.168.0.50>:17/1701
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2:   them: 166.147.67.29[10.4.23.140]:17/0===10.4.23.140/32
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 20 02:05:52 sbowne pluto[12590]: "L2TP-PSK-NAT"[2] 166.147.67.29 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x01bbb0b5 <0xee2829cb xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=166.147.67.29:37048 DPD=none}


=== /var/log/syslog
Sep 20 02:00:52 sbowne kernel: [28283.272399] NET: Unregistered protocol family 15
Sep 20 02:00:52 sbowne ipsec_setup: ...Openswan IPsec stopped
Sep 20 02:00:52 sbowne kernel: [28283.357232] NET: Registered protocol family 15
Sep 20 02:00:52 sbowne ipsec_setup: Starting Openswan IPsec U2.6.38/K3.8.0-19-generic...
Sep 20 02:00:52 sbowne ipsec_setup: Using NETKEY(XFRM) stack
Sep 20 02:00:52 sbowne kernel: [28283.414490] Initializing XFRM netlink socket
Sep 20 02:00:52 sbowne kernel: [28283.446177] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.450489] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.459554] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.462983] AVX instructions are not detected.
Sep 20 02:00:52 sbowne kernel: [28283.470054] AVX or AES-NI instructions are not detected.
Sep 20 02:00:52 sbowne ipsec_setup: multiple ip addresses, using  192.168.0.50 on eth0
Sep 20 02:00:52 sbowne ipsec_setup: ...Openswan IPsec started
Sep 20 02:00:52 sbowne ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Sep 20 02:00:52 sbowne pluto: adjusting ipsec.d to /etc/ipsec.d
Sep 20 02:00:52 sbowne ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Sep 20 02:00:52 sbowne ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
Sep 20 02:03:17 sbowne xl2tpd[8264]: death_handler: Fatal signal 15 received
Sep 20 02:03:19 sbowne xl2tpd[12634]: IPsec SAref does not work with L2TP kernel mode yet, enabling forceuserspace=yes
Sep 20 02:03:19 sbowne xl2tpd[12634]: setsockopt recvref[30]: Protocol not available
Sep 20 02:03:19 sbowne xl2tpd[12634]: This binary does not support kernel L2TP.
Sep 20 02:03:19 sbowne xl2tpd[12635]: xl2tpd version xl2tpd-1.3.1 started on sbowne PID:12635
Sep 20 02:03:19 sbowne xl2tpd[12635]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Sep 20 02:03:19 sbowne xl2tpd[12635]: Forked by Scott Balmos and David Stipp, (C) 2001
Sep 20 02:03:19 sbowne xl2tpd[12635]: Inherited by Jeff McAdams, (C) 2002
Sep 20 02:03:19 sbowne xl2tpd[12635]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Sep 20 02:03:19 sbowne xl2tpd[12635]: Listening on IP address 0.0.0.0, port 1701

Lawrence Chiu

Posted 2013-09-20T13:01:16.767

Reputation: 1
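An added example, not from the question or the linked guide: a small Python log analyser that applies the asker's own reasoning (the IPsec SAs come up in auth.log, yet xl2tpd logs nothing for the peer) to constructed sample lines modelled on the output above. The peer 203.0.113.7, the hostname and the PIDs are made up.

```python
import re
# Constructed sample lines modelled on the pluto/xl2tpd output in the question;
# peer 203.0.113.7 (TEST-NET-3), hostname and PIDs are made up.
AUTH_LOG = """\
Sep 20 02:05:51 vpn pluto[12590]: "L2TP-PSK-NAT"[1] 203.0.113.7 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Sep 20 02:05:51 vpn pluto[12590]: "L2TP-PSK-NAT"[2] 203.0.113.7 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Sep 20 02:05:52 vpn pluto[12590]: "L2TP-PSK-NAT"[2] 203.0.113.7 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x01bbb0b5 <0xee2829cb xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.7:37048 DPD=none}
"""
SYSLOG = """\
Sep 20 02:03:19 vpn xl2tpd[12635]: xl2tpd version xl2tpd-1.3.1 started on vpn PID:12635
Sep 20 02:03:19 vpn xl2tpd[12635]: Listening on IP address 0.0.0.0, port 1701
"""

# pluto lines that carry a connection name, peer address and SA number
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #\d+: (?P<msg>.*)')


def analyze(auth_log, syslog):
    """Track IKE phase 1/2 state per peer and whether xl2tpd ever mentions that peer."""
    peers = {}
    for line in auth_log.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        st = peers.setdefault(m['peer'], dict(conn=m['conn'], phase1=False, phase2=None, nat=None, xl2tpd=False))
        msg = m['msg']
        if 'ISAKMP SA established' in msg:
            st['phase1'] = True
        elif 'IPsec SA established' in msg:
            st['phase2'] = 'transport' if 'transport mode' in msg else 'tunnel'
        elif 'NAT-Traversal: Result' in msg:
            st['nat'] = msg.split(': ')[-1]          # e.g. "both are NATed"
    xl2tpd_lines = [l for l in syslog.splitlines() if 'xl2tpd[' in l]
    listening = any('Listening on IP address' in l for l in xl2tpd_lines)
    for peer, st in peers.items():
        st['xl2tpd'] = any(peer in l for l in xl2tpd_lines)
    return peers, listening


def diagnose(peers, listening):
    """Turn the collected state into the checks a defender would run next."""
    findings = []
    if not listening:
        findings.append('xl2tpd is not listening on UDP 1701')
    for peer, st in peers.items():
        if st['phase2'] and not st['xl2tpd']:
            findings.append(f'{peer}: IPsec SA up ({st["phase2"]} mode) but no xl2tpd '
                            'activity; L2TP over UDP 1701 is not reaching xl2tpd')
        if st['phase2'] and st['nat'] == 'both are NATed':
            findings.append(f'{peer}: both sides NATed; check forceencaps=yes and UDP 4500 forwarding')
    return findings
```

Run `diagnose(*analyze(AUTH_LOG, SYSLOG))` against your real /var/log/auth.log and /var/log/syslog contents to get the same two findings the question's logs would produce.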

Does it have to be L2TP? Lots of people have told me that L2TP is awful to set up and maintain, and that one should just go with OpenVPN instead.

– Blacklight Shining – 2013-09-20T13:47:07.443

Thank you for the reply. I want to use something that does not involve generating and pushing certificates to each remote client. The only choices are then: 1) PPTP (hackable within 1 day using Cloud Cracker), 2) IPSEC-IKEv1 with PSK (but Windows 7 does not support it natively; it only supports IKEv2, which requires a certificate), or 3) L2TP-IPSEC with PSK. – Lawrence Chiu – 2013-09-20T15:36:31.377

I think the problem is the tutorial says: "What you need: A Linux machine. It's best if you use a machine with a public IPv4 address, such as an Amazon E2C virtual machine." My Ubuntu server is behind a router at 192.168.0.50. So ipsec.conf is likely the problem. – Lawrence Chiu – 2013-09-20T15:40:46.427

I got it working by deleting the following block:

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

– Lawrence Chiu – 2013-09-20T16:41:32.503

I got it to work with iPad by adding "forceencaps=yes" and "dpdaction=clear", but I still need help. Windows 7 will not connect even with the registry hack: http://support.microsoft.com/kb/926179/en-us I set AssumeUDPEncapsulationContextOnSendRule=2, no difference. Error 809: "The network connection between your computer and the VPN server could not be established because the remote server is not responding"

– Lawrence Chiu – 2013-09-20T18:13:51.040

These comments give progress updates and more information—they should be added to your question. – Blacklight Shining – 2013-09-20T22:49:19.440

No answers