<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
On 03/27/2011 04:06 AM, Dan Deming wrote:
<blockquote
cite="mid:AANLkTinwxYUKw2fRjCaxVRfMoanHsAEyxNtZ=9jLwqsv@mail.gmail.com"
type="cite">Hello,<br>
<br>
I'm trying to get a strongswan VPN set up so I can connect my
iPhone<br>
to my Ubuntu Lucid Lynx desktop, but I can't seem to get it<br>
working and would appreciate any help anyone can give me.<br>
<br>
I feel like I'm close, but networking is not one of my<br>
strong suits, so the whole leftnexthop, rightprotoport<br>
thing is pretty confusing to me.<br>
<br>
I've been generally following the directions on these 3<br>
pages:<br>
<br>
<a moz-do-not-send="true"
href="http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/">http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/</a><br>
<a moz-do-not-send="true"
href="https://lists.strongswan.org/pipermail/users/2009-March/003291.html">https://lists.strongswan.org/pipermail/users/2009-March/003291.html</a><br>
<a moz-do-not-send="true"
href="http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients.html">http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients.html</a><br>
<br>
Currently, I'm getting the following error:<br>
<br>
cannot respond to IPsec SA request because no connection is known
for 53.74.66.108/32===192.168.1.10:17/%any...192.168.1.1[192.168.1.12]:17/%any===192.168.1.12/32<br>
<br>
Here are the stats on what I'm running:<br>
<br>
Ubuntu Desktop:<br>
* Internal IP address is 192.168.1.10<br>
* Running custom compiled version of strongswan-4.3.2 with
--enable-nat-transport option enabled<br>
* Running xl2tpd<br>
* Both were set up by following <a moz-do-not-send="true"
href="http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/">http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/</a><br>
* Firewall was off while I was trying to get this working<br>
<br>
Linksys E3000 router:<br>
* Internal IP address is 192.168.1.1<br>
* Comcast IP address is 53.74.66.108 (not my actual IP, but you
get the idea)<br>
* NAT Enabled<br>
* VPN Passthrough Enabled<br>
* Ports 4500 and 1701 forwarded to 192.168.1.10<br>
<br>
iPhone 3GS:<br>
* I guess the IP for this device is 166.121.15.14? (Again, I
changed it in the log below)<br>
<br>
Here is my ipsec.conf:<br>
<br>
<pre>config setup
nat_traversal=yes
charonstart=yes
plutostart=yes

conn L2TP
authby=psk
pfs=no
rekey=no
type=tunnel
esp=aes128-sha1
ike=aes128-sha-modp1024
left=192.168.1.10
leftnexthop=%defaultroute
#leftprotoport=17/%any
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
#rightsubnetwithin=10.0.0.0/8
auto=add</pre>
<br>
And here are the errors I see:<br>
<br>
<pre>Mar 26 15:41:11 ubuntu-desktop pluto[8372]: added connection description "L2TP"
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: received Vendor ID payload [RFC 3947]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: received Vendor ID payload [Dead Peer Detection]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: responding to Main Mode from unknown peer 166.121.15.14:15873
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: Peer ID is ID_IPV4_ADDR: '10.70.21.33'
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15873 #1: deleting connection "L2TP" instance with peer 166.121.15.14 {isakmp=#0/ipsec=#0}
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: | NAT-T: new mapping 166.121.15.14:15873/15893)
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sent MR3, ISAKMP SA established
Mar 26 15:41:53 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: cannot respond to IPsec SA request because no connection is known for 53.74.66.108/32===192.168.1.10:4500:17/%any...166.121.15.14:15893[10.70.21.33]:17/%any===10.70.21.33/32
Mar 26 15:41:53 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sending encrypted notification INVALID_ID_INFORMATION to 166.121.15.14:15893
Mar 26 15:41:56 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xab4fb5b4 (perhaps this is a duplicated packet)
Mar 26 15:41:56 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sending encrypted notification INVALID_MESSAGE_ID to 166.121.15.14:15893
Mar 26 15:41:59 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xab4fb5b4 (perhaps this is a duplicated packet)
Mar 26 15:41:59 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sending encrypted notification INVALID_MESSAGE_ID to 166.121.15.14:15893
Mar 26 15:42:03 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID Mar 26 Mar 26 15:42:05 ubuntu-desktop pluto[8372]: ERROR: asynchronous network error report on eth0 for message to 166.121.15.14 port 15893, complainant 166.121.15.14: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]</pre>
<br>
<pre wrap="">
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
</blockquote>
Hi Dan, <br>
<br>
It looks like your connection cannot be matched right. I'm a newbie,
so my advice may be misleading, but you can try two more
configurations for your ipsec.conf (one at a time).<br>
<br>
<p class="bodytext">ipsec.conf of openswan/debian:
</p>
<pre>config setup
nat_traversal=yes
charonstart=yes
plutostart=yes

conn L2TP-PSK-NAT-OSX
authby=secret
forceencaps=yes
pfs=no
auto=add
keyingtries=3
dpdtimeout=60
dpdaction=clear
rekey=no
left=%defaultroute
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
rightsubnet=vhost:%priv,%no</pre>
<p class="bodytext">or:
</p>
<pre># nat_traversal, charonstart and plutostart are "config setup" keywords,
# not conn keywords, so they go in the setup section
config setup
nat_traversal=yes
charonstart=yes
plutostart=yes

conn %default
forceencaps=yes
dpddelay=10
dpdtimeout=60
dpdaction=clear
auto=add

conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=192.168.1.10
leftprotoport=17/1701
# 53.74.66.108 stands for your public IP (or whatever public IP you have)
leftnexthop=53.74.66.108
rightnexthop=%defaultroute
right=%any
rightprotoport=17/%any</pre>
<p class="bodytext">If you get any errors for some of the options, just comment them out.<br>
Make sure that xl2tpd is running and listening on port 1701, and that ipsec (pluto or charon, I'm not sure) is listening on ports 500 and 4500;
you can check with #netstat -lpna.<br>
If it still is not working, paste #tcpdump proto UDP and the same log output that you included in your first mail.<br>
You had better disable the port forward for 1701 on your router and use only VPN pass-through; if that does not work correctly, then enable forwarding of UDP 500 and 4500 to
192.168.1.10.<br>
Also #iptables -L will be useful but not necessary.<br>
Recently I had problems with an iPhone connecting to an Ubuntu box, the second time, because the tunnel cannot be disconnected, but you are not there yet ;) I saw a fix for that in strongswan 4.5.1.<br>
Regards<br>
Martin
</p>
<br>
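<p class="bodytext">Added example, not from this thread or from strongSwan: a small Python script that parses the selector string pluto prints in its "cannot respond to IPsec SA request because no connection is known for ..." message and lists where a conn differs from what the peer proposed. The selector layout is inferred from the two logged lines in Dan's mail; DAN_CONN and LOGGED are constructed from the values in that mail, and the conn is represented as a plain dict of ipsec.conf keywords.</p>

```python
import re
import ipaddress

# Selector string as pluto prints it in "no connection is known for ...", layout
# inferred from the two logged lines in the mail above (assumption, not a spec):
#   lsubnet===lhost[:port]:proto/port...rhost[:port][peer-id]:proto/port===rsubnet
SELECTOR_RE = re.compile(
    r"^(?P<lsub>[^=]+)===(?P<lhost>[\d.]+)(?::(?P<lport>\d+))?"
    r":(?P<lproto>\d+)/(?P<lpp>[^.]+)\.\.\."
    r"(?P<rhost>[\d.]+)(?::(?P<rport>\d+))?(?:\[(?P<rid>[^\]]+)\])?"
    r":(?P<rproto>\d+)/(?P<rpp>[^=]+)===(?P<rsub>.+)$")

def parse_selector(text):
    """Split the selector string into host, port, protoport and subnet parts (strings or None)."""
    m = SELECTOR_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised pluto selector string: " + text)
    return m.groupdict()

def diagnose(selector, conn):
    """Compare the peer's proposal with a conn (dict of ipsec.conf keywords); return the differences."""
    s = parse_selector(selector)
    out = []
    # In Dan's case 53.74.66.108 is the Linksys's public address: the peer addresses
    # the responder through NAT, so its selector cannot equal left=192.168.1.10/32.
    if s["lsub"] != conn["left"] + "/32":
        out.append("peer's local selector %s is not left=%s/32" % (s["lsub"], conn["left"]))
    if s["lport"] == "4500":
        out.append("IKE arrived on UDP 4500, so NAT-T UDP encapsulation is in use")
    if s["rid"] and s["rid"] != s["rhost"]:
        out.append("peer ID %s differs from source address %s (initiator is behind NAT)"
                   % (s["rid"], s["rhost"]))
    if (ipaddress.ip_network(s["rsub"]).is_private
            and not any(k in conn for k in ("rightsubnet", "rightsubnetwithin"))):
        out.append("proposed remote subnet %s is private and no rightsubnet/rightsubnetwithin "
                   "in the conn covers it" % s["rsub"])
    want = conn.get("leftprotoport", "%any/%any")
    got = "%s/%s" % (s["lproto"], s["lpp"])
    if want != got:
        out.append("peer proposed local protoport %s, conn has leftprotoport=%s" % (got, want))
    return out

# Constructed from the mail above: Dan's conn L2TP and the selector pluto logged.
DAN_CONN = {"type": "tunnel", "left": "192.168.1.10", "leftprotoport": "17/1701",
            "right": "%any", "rightprotoport": "17/%any"}
LOGGED = ("53.74.66.108/32===192.168.1.10:4500:17/%any"
          "...166.121.15.14:15893[10.70.21.33]:17/%any===10.70.21.33/32")

if __name__ == "__main__":
    for finding in diagnose(LOGGED, DAN_CONN):
        print("-", finding)
```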
</body>
</html>