
<div class="gmail_quote">I’m having a problem getting over some last hurdles.<span>  </span>Hopefully someone can help. Here is my

scenario:<br>


<p class="MsoNormal"> </p>


<p><span><span>-<span style="font:7.0pt "Times New Roman"">      

</span></span></span>True road warrior, never know where the clients

will connect from</p>


<p><span><span>-<span style="font:7.0pt "Times New Roman"">      

</span></span></span>Currently testing with OS X and iPhone LT2P

clients and will expand to Win and other clients. Server is Linux</p>


<p><span><span>-<span style="font:7.0pt "Times New Roman"">      

</span></span></span>Currently using PSK with no IP, username, or

server restrictions (all wild cards) to make testing easier</p>


<p><span><span>-<span style="font:7.0pt "Times New Roman"">      

</span></span></span>BOTH ends are behind NAT</p>


<p><span><span>-<span style="font:7.0pt "Times New Roman"">      

</span></span></span>Server local IP (eth0) =<span>  </span>10.254.90.xxx</p>


<p><span><span>-<span style="font:7.0pt "Times New Roman"">      

</span></span></span>Server Public IP = 50.17.152.xxx (Amazon EC2)</p>


<p><span><span>-<span style="font:7.0pt "Times New Roman"">      

</span></span></span>All ports/protocols allowed to server</p>


<p><span><span>-<span style="font:7.0pt "Times New Roman"">      

</span></span></span>Client IP = ANY</p>


<p> </p>


<p> </p>


<p class="MsoNormal">During install, enabled NAT transport support:</p>


<p class="MsoNormal"> </p>


<p>./configure –enable-nat-transport</p>


<p> </p>


<p class="MsoNormal">ipsec.conf:</p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">config setup</p>


<p class="MsoNormal"><span>        </span>nat_traversal=yes</p>


<p class="MsoNormal"><span>       

</span>charonstart=yes</p>


<p class="MsoNormal"><span>       

</span>plutostart=yes<span>   </span></p>


<p class="MsoNormal">virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24" target="_blank">10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24</a></p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">conn L2TP</p>


<p class="MsoNormal"><span>       </span>dpddelay=40</p>


<p class="MsoNormal"><span>       </span>dpdtimeout=130</p>


<p class="MsoNormal"><span>       </span>dpdaction=clear</p>


<p class="MsoNormal"><span>        </span>authby=psk</p>


<p class="MsoNormal"><span>        </span>pfs=no</p>


<p class="MsoNormal"><span>        </span>type=tunnel</p>


<p class="MsoNormal"><span>       

</span>esp=aes128-sha1</p>


<p class="MsoNormal"><span>       

</span>ike=aes128-sha-modp1024</p>


<p class="MsoNormal"><span>       

</span>keyexchange=ikev1</p>


<p class="MsoNormal"><span>        </span>keyingtries=3</p>


<p class="MsoNormal"><span>       

</span>left=10.254.90.xxx</p>


<p class="MsoNormal"><span>       

</span>leftnexthop=%defaultroute</p>


<p class="MsoNormal"><span>       

</span>leftprotoport=17/1701</p>


<p class="MsoNormal"><span>       

</span>leftsubnet=50.17.152.xxx/32</p>


<p class="MsoNormal"><span>        </span>right=%any</p>


<p class="MsoNormal"><span>       

</span>rightprotoport=17/%any</p>


<p class="MsoNormal"><span>       

</span>rightsubnet=vhost:%no,%priv</p>


<p class="MsoNormal"><span>       

</span>forceencaps=yes</p>


<p class="MsoNormal"><span>        </span>auto=add</p>


<p class="MsoNormal"> </p>


<p class="MsoNormal"> </p>


<p class="MsoNormal"> </p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">more /etc/xl2tpd/l2tp-secrets </p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">*<span>          </span>*<span>          </span>password</p>


<p class="MsoNormal"> </p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">more /etc/xl2tpd/xl2tpd.conf </p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">[global]</p>


<p class="MsoNormal">debug network = yes</p>


<p class="MsoNormal">debug tunnel = yes</p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">[lns default]</p>


<p class="MsoNormal">ip range = 172.16.1.200-172.16.1.254</p>


<p class="MsoNormal">local ip = 172.16.1.201</p>


<p class="MsoNormal">require chap = yes</p>


<p class="MsoNormal">refuse pap = yes</p>


<p class="MsoNormal">require authentication = yes</p>


<p class="MsoNormal">name = <a href="http://vpn.adamely.com" target="_blank">vpn.adamely.com</a></p>


<p class="MsoNormal">ppp debug = yes</p>


<p class="MsoNormal">pppoptfile = /etc/ppp/options.xl2tpd</p>


<p class="MsoNormal">length bit = yes</p>


<p class="MsoNormal"> </p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">more /etc/ppp/options.xl2tpd </p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">ipcp-accept-local</p>


<p class="MsoNormal">ipcp-accept-remote</p>


<p class="MsoNormal">ms-dns 172.16.0.23</p>


<p class="MsoNormal">noccp</p>


<p class="MsoNormal">auth</p>


<p class="MsoNormal">crtscts</p>


<p class="MsoNormal">idle 1800</p>


<p class="MsoNormal">mtu 1410</p>


<p class="MsoNormal">mru 1410</p>


<p class="MsoNormal">nodefaultroute</p>


<p class="MsoNormal">debug</p>


<p class="MsoNormal">lock</p>


<p class="MsoNormal">proxyarp</p>


<p class="MsoNormal">connect-delay 5000</p>


<p class="MsoNormal">name testbox</p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">more /etc/ppp/chap-secrets</p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">* * password *</p>


<p class="MsoNormal"> </p>


<p class="MsoNormal"> </p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">Log:</p>


<p class="MsoNormal"> </p>


<p class="MsoNormal">/var/log/secure</p>


<p class="MsoNormal"> </p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:

received Vendor ID payload [RFC 3947]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: packet from 75.208.217.xxx:57364:

ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: packet from 75.208.217.xxx:57364:

ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: packet from 75.208.217.xxx:57364:

ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: packet from 75.208.217.xxx:57364:

ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: packet from 75.208.217.xxx:57364:

ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: packet from 75.208.217.xxx:57364:

ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: packet from 75.208.217.xxx:57364:

ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: packet from 75.208.217.xxx:57364:

ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: packet from 75.208.217.xxx:57364:

ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: packet from 75.208.217.xxx:57364:

received Vendor ID payload [Dead Peer Detection]</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: "L2TP"[7]

75.208.217.xxx:57364 #7: responding to Main Mode from unknown peer

75.208.217.xxx:57364</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: "L2TP"[7]

75.208.217.xxx:57364 #7: NAT-Traversal: Result using RFC 3947: both are NATed</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: "L2TP"[7]

75.208.217.xxx:57364 #7: ignoring informational payload, type

IPSEC_INITIAL_CONTACT</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: "L2TP"[7]

75.208.217.xxx:57364 #7: Peer ID is ID_IPV4_ADDR: '192.168.1.2'</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]:

"L2TP"[8] 75.208.217.xxx:57364 #7: deleting connection

"L2TP" instance with peer 75.208.217.xxx {isakmp=#0/ipsec=#0}</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: | NAT-T: new mapping

75.208.217.xxx:<a href="tel:57364%2F57365" value="+15736457365" target="_blank">57364/57365</a>)</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica"><span> </span>pluto[1833]: "L2TP"[8]

75.208.217.xxx:57365 #7: sent MR3, ISAKMP SA established</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">Jul 27 17:04:11 domU-12-31-39-00-54-F1

pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #8: NAT-Traversal:

received 2 NAT-OA. using first, ignoring others</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">Jul 27 17:04:11 domU-12-31-39-00-54-F1

pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #8: responding to Quick

Mode</span></p>


<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">Jul 27 17:04:11 domU-12-31-39-00-54-F1

pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #7: ignoring

informational payload, type INVALID_HASH_INFORMATION</span></p>


<p class="MsoNormal"><span style="font-family:Helvetica">Jul 27 17:04:11 domU-12-31-39-00-54-F1 pluto[1833]:

"L2TP"[8] 75.208.217.xxx:57365 #7: received Delete SA payload:

deleting ISAKMP State #7</span></p>


<p class="MsoNormal"><span style="font-family:Helvetica"> </span></p>


<p class="MsoNormal"><span style="font-family:Helvetica"> </span></p>


<p class="MsoNormal"><span style="font-family:Helvetica">I’m not sure where to look now. I’ve read the mailing list, forums,

tutorials, and blogs.<span>  </span>I’ve compared my

configure against others that say theirs works but seem to keep running into

the same result.<span>  </span>Logs look the same,

client disconnects.<span>  </span></span></p>


<p class="MsoNormal"><span style="font-family:Helvetica"> </span></p>


<p class="MsoNormal"><span style="font-family:Helvetica">Any help is much appreciated.</span></p>


</div><br>