ipsec configuration problems on Ubuntu. Errors on IP forwarding and connection authorization from Android client

3

2

I'm trying to create a L2TP/IPSec PSK VPN from my Android phone to my Ubuntu server on my home network.

I am receiving two errors. The first one is a failure checking IP forwarding when I run ipsec verify.

"Two or more interfaces found, checking IP forwarding            [FAILED]"

The second error occurs when I try to connect to ipsec from my Android phone. In the auth.log I get this error:

Aug  7 19:47:57 ubuntu pluto[5019]: packet from 70.192.193.159:13305: initial Main Mode message received on 192.168.10.104:500 but no connection has been authorized with policy=PSK

Regarding IP forwarding, yes I've added "net.ipv4.ip_forward=1" into sysctl.conf and ran "sysctl -p /etc/sysctl.conf"

From my research the common thoughts are that these problems are caused by a misconfiguration in ipsec.conf and/or ipsec.secrets.

I'm thinking the problem has to do with subtle differences when on a natted network. First I have a Comcast cable modem in bridge mode. Next I have a Linksys wired/wireless router that uses DHCP to retrieve my public IP address, 70.192.193.70. My Ubuntu server retrieves its reserved DHCP natted IP address, et al from my Linksys router, 192.168.10.104. My Linksys router is the default gateway, 192.168.10.1.

I am hoping somebody is going to read this and say silly Chris can't you see that you have to configure these files like this... LOL! The reading I've done all uses example IP addresses like a.b.c.d and e.f.g.h. I've given you actual IP addresses to make everything less confusing. With all that said, below is what my files currently look like.

/etc/ipsec.secrets
192.168.10.104 %any: PSK "myPSKpassword"

/etc/ipsec.conf
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.152.2.0/24
    # virtual_private=%v4:192.168.10.0/24
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    type=transport
    # Replace IP address with your local IP (private, behind NAT IP is okay as well)
    #left=x.x.x.x
    left=192.168.10.104
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    #force all to be nat'ed. because of iOS
    forceencaps=yes

I am so stuck... Any and all advice is greatly welcome!

Chris Boyd

Posted 2014-08-08T00:16:07.200

Reputation: 31

Answers

2

Here is how I fixed it:

1. echo 0 > /proc/sys/net/ipv4/ip_forward

2. ipsec verify

3. echo 1 > /proc/sys/net/ipv4/ip_forward

Then it should work.

Hope that I could help :P

RootedMaster

Posted 2014-08-08T00:16:07.200

Reputation: 21

This helped get rid of my "Two or more interfaces found" problem. – Kevin Li – 2016-01-23T15:11:43.427

1

One of the things I've noticed is an error in /etc/ipsec.secrets. My configuration is as follows:

<outside  world>
       |
       V
    public ip
       |
       V
     router (private IP 10.0.100.1)
       |
       V
    10.0.1.1 (ubuntu IP)

My /etc/ipsec.secrets looks like this:

10.0.1.1   %any:  PSK "whateverpassword"

My /etc/ipsec.conf looks like this:

version 2.0
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!10.0.151.0/24
        oe=off
        protostack=netkey
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        ikelifetime=8h
        keylife=1h
        type=transport
        left=10.0.1.1
        leftnexthop=10.0.1.1
        leftprotoport=17/%any
        right=%any
        rightprotoport=17/%any
        forceencaps=yes

As you can see, in both files the IP address of the VPN server is used, not the IP address of the router.

10.0.151.0/24 is the subnet I use for VPN. My Ubuntu machine has the 10.0.151.0 address, the first client to connect gets the 10.0.151.1 address assigned, and so on.

Hope this helps. Also, please clean up your post with code blocks, because your config files are unreadable.

Luc van Donkersgoed

Posted 2014-08-08T00:16:07.200

Reputation: 111

I made this small change and it worked! – Kevin Li – 2016-01-23T15:10:57.590

@LucvanDonkersgoed Yes, this suggestion helped me as well. Thank you. – Dustin Oprea – 2016-05-15T05:21:02.240
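The point both answers turn on is consistency: the identifier on the PSK line in /etc/ipsec.secrets has to be the VPN server's own address, the same one given as left= in the conn, and ip_forward has to end up at 1. The script below is an added example (not code from the asker or either answerer) that checks those things before a client ever connects. It builds constructed sample copies of ipsec.secrets and ipsec.conf in a temp directory, using the addresses from the question as placeholders and a placeholder PSK, plus a second secrets file that wrongly uses the router's public address so the mismatch case is visible. It assumes an Openswan/Libreswan-style layout (one "conn NAME" header per section, left= indented under it, "ID %any: PSK" lines in the secrets file) and, for the local-address check, that the ip command exists; on the real server you would point it at the real files instead.

```shell
#!/bin/sh
# Constructed sample files (placeholders, not the asker's real files) so the
# checks can be exercised offline. Replace with /etc/ipsec.secrets and
# /etc/ipsec.conf on the actual VPN server.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/ipsec.secrets" <<'EOF'
# correct form: the server's own (NATted) address, then the peer
192.168.10.104 %any: PSK "placeholderPSK"
EOF

cat > "$WORK/ipsec.secrets.router" <<'EOF'
# wrong form for comparison: the router's public address
70.192.193.70 %any: PSK "placeholderPSK"
EOF

cat > "$WORK/ipsec.conf" <<'EOF'
config setup
    nat_traversal=yes
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    type=transport
    #left=x.x.x.x
    left=192.168.10.104
    leftprotoport=17/%any
    right=%any
    rightprotoport=17/%any
    forceencaps=yes
EOF

# psk_id FILE: print the local identifier on the first uncommented PSK line.
psk_id() {
    awk '$0 !~ /^[[:space:]]*#/ && /PSK/ { sub(/^[[:space:]]+/, ""); print $1; exit }' "$1"
}

# conn_left FILE CONN: print the left= value inside the named conn section
# (commented-out "#left=" lines and leftprotoport= are ignored).
conn_left() {
    awk -v want="$2" '
        /^conn[[:space:]]/ { inconn = ($2 == want) }
        inconn && /^[[:space:]]*left=/ { sub(/^[[:space:]]*left=/, ""); print; exit }
    ' "$1"
}

# ids_agree SECRETS CONF CONN: succeed only when the PSK identifier equals
# the conn's left= address (and the conn actually has a left= line).
ids_agree() {
    l=$(conn_left "$2" "$3")
    [ -n "$l" ] && [ "$(psk_id "$1")" = "$l" ]
}

# addr_is_local ADDR: succeed when ADDR is assigned to a local interface.
addr_is_local() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show 2>/dev/null | awk '{print $4}' | sed 's#/.*##' | grep -qx "$1"
    else
        ifconfig 2>/dev/null | grep -qE "inet (addr:)?$1( |$)"
    fi
}

# ip_forward_enabled: succeed when net.ipv4.ip_forward is currently 1.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# report SECRETS CONF CONN: print the checks; exit status 0 only if IDs agree.
report() {
    echo "PSK identifier in $1: $(psk_id "$1")"
    echo "left= in conn $3: $(conn_left "$2" "$3")"
    if ids_agree "$1" "$2" "$3"; then
        echo "OK: secrets identifier matches left= (the server's own address)"
    else
        echo "MISMATCH: use the VPN server's address in both files, not the router's"
        return 1
    fi
    if addr_is_local "$(conn_left "$2" "$3")"; then
        echo "OK: left= is configured on a local interface"
    else
        echo "NOTE: left= is not an address of this host (expected when run elsewhere)"
    fi
    if ip_forward_enabled; then
        echo "OK: net.ipv4.ip_forward=1"
    else
        echo "NOTE: net.ipv4.ip_forward is not 1; set it (and re-run ipsec verify)"
    fi
}

report "$WORK/ipsec.secrets" "$WORK/ipsec.conf" L2TP-PSK-noNAT || true
echo "--- same conf, secrets keyed on the router's public address ---"
report "$WORK/ipsec.secrets.router" "$WORK/ipsec.conf" L2TP-PSK-noNAT || true
```

Run it as root on the server with the real paths substituted for the two constructed files; the first report should print three OK lines, and the second run shows what the configuration in the question would look like if the secrets file were keyed on the public address instead of the server's NATted one.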