<div class="gmail_quote">I’m having a problem getting over some last hurdles. Hopefully someone can help. Here is my
scenario:<br>
<p class="MsoNormal"> </p>
<p>- True road warrior, never know where the clients will connect from</p>
<p>- Currently testing with OS X and iPhone L2TP clients and will expand to Win and other clients. Server is Linux</p>
<p>- Currently using PSK with no IP, username, or server restrictions (all wild cards) to make testing easier</p>
<p>- BOTH ends are behind NAT</p>
<p>- Server local IP (eth0) = 10.254.90.xxx</p>
<p>- Server Public IP = 50.17.152.xxx (Amazon EC2)</p>
<p>- All ports/protocols allowed to server</p>
<p>- Client IP = ANY</p>
<p> </p>
<p class="MsoNormal">During install, enabled NAT transport support:</p>
<p class="MsoNormal"> </p>
<p>./configure --enable-nat-transport</p>
<p> </p>
<p class="MsoNormal">ipsec.conf:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">config setup</p>
<p class="MsoNormal"><span> </span>nat_traversal=yes</p>
<p class="MsoNormal"><span> </span>charonstart=yes</p>
<p class="MsoNormal"><span> </span>plutostart=yes</p>
<p class="MsoNormal">virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">conn L2TP</p>
<p class="MsoNormal"><span> </span>dpddelay=40</p>
<p class="MsoNormal"><span> </span>dpdtimeout=130</p>
<p class="MsoNormal"><span> </span>dpdaction=clear</p>
<p class="MsoNormal"><span> </span>authby=psk</p>
<p class="MsoNormal"><span> </span>pfs=no</p>
<p class="MsoNormal"><span> </span>type=tunnel</p>
<p class="MsoNormal"><span> </span>esp=aes128-sha1</p>
<p class="MsoNormal"><span> </span>ike=aes128-sha-modp1024</p>
<p class="MsoNormal"><span> </span>keyexchange=ikev1</p>
<p class="MsoNormal"><span> </span>keyingtries=3</p>
<p class="MsoNormal"><span> </span>left=10.254.90.xxx</p>
<p class="MsoNormal"><span> </span>leftnexthop=%defaultroute</p>
<p class="MsoNormal"><span> </span>leftprotoport=17/1701</p>
<p class="MsoNormal"><span> </span>leftsubnet=50.17.152.xxx/32</p>
<p class="MsoNormal"><span> </span>right=%any</p>
<p class="MsoNormal"><span> </span>rightprotoport=17/%any</p>
<p class="MsoNormal"><span> </span>rightsubnet=vhost:%no,%priv</p>
<p class="MsoNormal"><span> </span>forceencaps=yes</p>
<p class="MsoNormal"><span> </span>auto=add</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">more /etc/xl2tpd/l2tp-secrets </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">*<span> </span>*<span> </span>password</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">more /etc/xl2tpd/xl2tpd.conf </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">[global]</p>
<p class="MsoNormal">debug network = yes</p>
<p class="MsoNormal">debug tunnel = yes</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">[lns default]</p>
<p class="MsoNormal">ip range = 172.16.1.200-172.16.1.254</p>
<p class="MsoNormal">local ip = 172.16.1.201</p>
<p class="MsoNormal">require chap = yes</p>
<p class="MsoNormal">refuse pap = yes</p>
<p class="MsoNormal">require authentication = yes</p>
<p class="MsoNormal">name = vpn.adamely.com</p>
<p class="MsoNormal">ppp debug = yes</p>
<p class="MsoNormal">pppoptfile = /etc/ppp/options.xl2tpd</p>
<p class="MsoNormal">length bit = yes</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">more /etc/ppp/options.xl2tpd </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">ipcp-accept-local</p>
<p class="MsoNormal">ipcp-accept-remote</p>
<p class="MsoNormal">ms-dns 172.16.0.23</p>
<p class="MsoNormal">noccp</p>
<p class="MsoNormal">auth</p>
<p class="MsoNormal">crtscts</p>
<p class="MsoNormal">idle 1800</p>
<p class="MsoNormal">mtu 1410</p>
<p class="MsoNormal">mru 1410</p>
<p class="MsoNormal">nodefaultroute</p>
<p class="MsoNormal">debug</p>
<p class="MsoNormal">lock</p>
<p class="MsoNormal">proxyarp</p>
<p class="MsoNormal">connect-delay 5000</p>
<p class="MsoNormal">name testbox</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">more /etc/ppp/chap-secrets</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">* * password *</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Log:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">/var/log/secure</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
received Vendor ID payload [RFC 3947]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: packet from 75.208.217.xxx:57364:
received Vendor ID payload [Dead Peer Detection]</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: "L2TP"[7]
75.208.217.xxx:57364 #7: responding to Main Mode from unknown peer
75.208.217.xxx:57364</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: "L2TP"[7]
75.208.217.xxx:57364 #7: NAT-Traversal: Result using RFC 3947: both are NATed</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: "L2TP"[7]
75.208.217.xxx:57364 #7: ignoring informational payload, type
IPSEC_INITIAL_CONTACT</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: "L2TP"[7]
75.208.217.xxx:57364 #7: Peer ID is ID_IPV4_ADDR: '192.168.1.2'</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]:
"L2TP"[8] 75.208.217.xxx:57364 #7: deleting connection
"L2TP" instance with peer 75.208.217.xxx {isakmp=#0/ipsec=#0}</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: | NAT-T: new mapping
75.208.217.xxx:57364/57365)</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">pluto[1833]: "L2TP"[8]
75.208.217.xxx:57365 #7: sent MR3, ISAKMP SA established</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">Jul 27 17:04:11 domU-12-31-39-00-54-F1
pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #8: NAT-Traversal:
received 2 NAT-OA. using first, ignoring others</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">Jul 27 17:04:11 domU-12-31-39-00-54-F1
pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #8: responding to Quick
Mode</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-family:Helvetica">Jul 27 17:04:11 domU-12-31-39-00-54-F1
pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #7: ignoring
informational payload, type INVALID_HASH_INFORMATION</span></p>
<p class="MsoNormal"><span style="font-family:Helvetica">Jul 27 17:04:11 domU-12-31-39-00-54-F1 pluto[1833]:
"L2TP"[8] 75.208.217.xxx:57365 #7: received Delete SA payload:
deleting ISAKMP State #7</span></p>
<p class="MsoNormal"><span style="font-family:Helvetica"> </span></p>
<p class="MsoNormal"><span style="font-family:Helvetica">I’m not sure where to look now. I’ve read the mailing list, forums,
tutorials, and blogs. I’ve compared my configuration against others who say theirs works, but I seem to keep running into
the same result. The logs look the same, and the client disconnects.</span></p>
<p class="MsoNormal"><span style="font-family:Helvetica"> </span></p>
<p class="MsoNormal"><span style="font-family:Helvetica">Any help is much appreciated.</span></p>
</div><br>
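<p>The pluto log in the post above tells the whole story if it is read as a state machine: Main Mode completes ("ISAKMP SA established"), NAT-T detection says both sides are NATed, Quick Mode is answered, and then the peer sends INVALID_HASH_INFORMATION and deletes the ISAKMP SA. The script below is an added example, not code from the original post, from strongSwan or from the poster; it parses pluto syslog lines of the two shapes seen above and reports per peer how far the negotiation got and what ended it, so the failing phase (authentication, NAT-T, or Phase 2) is visible at a glance. The sample log is a constructed copy of the post's lines with the same xxx-masked addresses; the phase keywords it matches on ("responding to Main Mode", "ISAKMP SA established", "responding to Quick Mode", "IPsec SA established", "received Delete SA payload") are the ones pluto prints.</p>

```python
"""Summarise an IKEv1 negotiation from pluto syslog lines (added example)."""
import re
from collections import OrderedDict

# Constructed sample input: the relevant pluto lines from the mailing-list post.
SAMPLE_LOG = """\
pluto[1833]: packet from 75.208.217.xxx:57364: received Vendor ID payload [RFC 3947]
pluto[1833]: packet from 75.208.217.xxx:57364: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
pluto[1833]: packet from 75.208.217.xxx:57364: received Vendor ID payload [Dead Peer Detection]
pluto[1833]: "L2TP"[7] 75.208.217.xxx:57364 #7: responding to Main Mode from unknown peer 75.208.217.xxx:57364
pluto[1833]: "L2TP"[7] 75.208.217.xxx:57364 #7: NAT-Traversal: Result using RFC 3947: both are NATed
pluto[1833]: "L2TP"[7] 75.208.217.xxx:57364 #7: ignoring informational payload, type IPSEC_INITIAL_CONTACT
pluto[1833]: "L2TP"[7] 75.208.217.xxx:57364 #7: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
pluto[1833]: "L2TP"[8] 75.208.217.xxx:57364 #7: deleting connection "L2TP" instance with peer 75.208.217.xxx {isakmp=#0/ipsec=#0}
pluto[1833]: | NAT-T: new mapping 75.208.217.xxx:57364/57365)
pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #7: sent MR3, ISAKMP SA established
Jul 27 17:04:11 domU-12-31-39-00-54-F1 pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Jul 27 17:04:11 domU-12-31-39-00-54-F1 pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #8: responding to Quick Mode
Jul 27 17:04:11 domU-12-31-39-00-54-F1 pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #7: ignoring informational payload, type INVALID_HASH_INFORMATION
Jul 27 17:04:11 domU-12-31-39-00-54-F1 pluto[1833]: "L2TP"[8] 75.208.217.xxx:57365 #7: received Delete SA payload: deleting ISAKMP State #7
"""

# The two line shapes pluto uses: before a connection instance exists it logs
# "packet from ip:port: ...", afterwards '"conn"[n] ip:port #state: ...'.
PACKET_RE = re.compile(r'packet from (?P<peer>[^:\s]+):(?P<port>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[^:\s]+):(?P<port>\d+) #(?P<state>\d+): (?P<msg>.*)$')
VID_RE = re.compile(r'received Vendor ID payload \[(?P<vid>[^\]]+)\]')
NAT_RE = re.compile(r'NAT-Traversal: Result using (?P<method>[^:]+): (?P<result>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is (?P<kind>\w+): '(?P<id>[^']+)'")
NOTIFY_RE = re.compile(r'informational payload, type (?P<type>[A-Z_]+)')

# Notifies that are normal during a successful negotiation.
BENIGN_NOTIFIES = {"IPSEC_INITIAL_CONTACT"}


def new_summary():
    return {"vendor_ids": [], "nat": None, "peer_id": None,
            "phase1": "not started", "phase2": "not started",
            "notifies": [], "deleted_by_peer": False}


def summarise(log_text):
    """Return an ordered dict: peer address -> negotiation summary."""
    peers = OrderedDict()
    for line in log_text.splitlines():
        m = STATE_RE.search(line) or PACKET_RE.search(line)
        if not m:
            continue  # debug lines such as "| NAT-T: new mapping" carry no state
        s = peers.setdefault(m.group("peer"), new_summary())
        msg = m.group("msg")
        vid = VID_RE.search(msg)
        if vid:
            s["vendor_ids"].append(vid.group("vid"))
        nat = NAT_RE.search(msg)
        if nat:
            s["nat"] = nat.group("result")
        pid = PEER_ID_RE.search(msg)
        if pid:
            s["peer_id"] = pid.group("id")
        notify = NOTIFY_RE.search(msg)
        if notify:
            s["notifies"].append(notify.group("type"))
        if "responding to Main Mode" in msg:
            s["phase1"] = "started"
        elif "ISAKMP SA established" in msg:
            s["phase1"] = "established"
        elif "responding to Quick Mode" in msg:
            s["phase2"] = "started"
        elif "IPsec SA established" in msg:
            s["phase2"] = "established"
        elif "received Delete SA payload" in msg:
            s["deleted_by_peer"] = True
    return peers


def verdict(s):
    """One-line diagnosis of where a summarised negotiation stopped."""
    errors = [n for n in s["notifies"] if n not in BENIGN_NOTIFIES]
    if s["phase1"] != "established":
        return "Phase 1 (Main Mode) did not complete: check PSK, IKE proposal and peer ID"
    if s["phase2"] == "established":
        return "IPsec SA established: if L2TP still fails, look at xl2tpd/pppd, not IKE"
    if errors or s["deleted_by_peer"]:
        return ("Phase 1 succeeded but Quick Mode was rejected by the peer (%s; ISAKMP SA "
                "deleted by peer: %s): the failure is in Phase 2 parameters, not in PSK "
                "authentication or NAT-T detection"
                % (", ".join(errors) or "no error notify", s["deleted_by_peer"]))
    return "Phase 2 pending or log truncated"


if __name__ == "__main__":
    for peer, s in summarise(SAMPLE_LOG).items():
        print(peer, s)
        print("  ->", verdict(s))
```

<p>Run against the sample, it reports for 75.208.217.xxx that Phase 1 is established, NAT-T detected "both are NATed", the peer identified itself as 192.168.1.2, Phase 2 only reached "started", and the exchange ended with INVALID_HASH_INFORMATION followed by a peer-initiated delete. That narrows the search to the Quick Mode parameters (proposal, traffic selectors/protoports, NAT-OA handling) rather than the PSK or the NAT-T build option. To use it on a live box, replace SAMPLE_LOG with the relevant lines from /var/log/secure.</p>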