[strongSwan] VPN from iPad to ubuntu-10.4

Andreas Käser strongswan2011 at insecteam.de
Wed Jun 22 11:49:43 CEST 2011


Hi folks,

I'm trying to connect an iPad via L2TP-over-IPsec VPN to an 
Ubuntu 10.4 machine, using Niels Peen's description of how he 
connected his iPhone: 
http://peen.net/linux-l2tpipsec-with-iphone-and-mac-osx-clien
Looks like IPsec starts correctly (at least I see ESP packets), 
but the L2TP tunnel does not get established.
If I change MySecret on one side only, no ESP packets are seen. 
Changing MySecret2 doesn't make a difference.

Well, I'm not that sure that IPsec starts correctly. But 
according to the many docs I read, L2TP is accessed through the 
established IPsec, and also xl2tpd doesn't talk until I see the 
first ESP packet in tcpdump.

I tried to use the iPad's pure-IPsec configuration, and no ESP 
packets were seen. So I concluded that with L2TP-over-IPsec I was 
one step closer to the goal ;-)

The Ubuntu machine has two ethernet interfaces:
   eth0 123.123.123.123
     with alias eth0:111 111.111.111.111
   eth1 192.168.1.111.

Here you can see how daemons get started in my test scenario and 
what xl2tpd says:


Ubuntu# XDAEMON=no; echo; echo; echo ========================================================================;
        /etc/init.d/ipsec stop; /etc/init.d/isakmpd stop; /etc/init.d/xl2tpd stop; sleep 2;
        /etc/init.d/ipsec start; /etc/init.d/isakmpd start;
        if test $XDAEMON = yes; then /etc/init.d/xl2tpd start; echo; tcpdump -ni eth0 host 111.111.111.111;
        else xl2tpd -D; fi;


========================================================================
Stopping strongSwan IPsec...
Stopping OpenBSD isakmpd: done
Stopping xl2tpd: xl2tpd.
Starting strongSwan 4.4.0 IPsec [starter]...
Starting OpenBSD isakmpd: done
xl2tpd[10217]: setsockopt recvref[22]: Protocol not available
xl2tpd[10217]: This binary does not support kernel L2TP.
xl2tpd[10217]: xl2tpd version xl2tpd-1.2.6 started on bu44 PID:10217
xl2tpd[10217]: Written by Mark Spencer, Copyright (C) 1998, 
Adtran, Inc.
xl2tpd[10217]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[10217]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[10217]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[10217]: Listening on IP address 0.0.0.0, port 1701
===== here we wait until ipad attempts to connect =====
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, 
size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 
77.24.129.184, port 57551.
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, 
size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 
77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, 
ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 55789
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, 
size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 
77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, 
ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 21469
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, 
size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 
77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, 
ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 1085
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: Maximum retries exceeded for tunnel 32809.  Closing.
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, 
size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 
77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, 
ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 14964
xl2tpd[10217]: build_fdset: closing down tunnel 32809
xl2tpd[10217]: Connection 54 closed to 77.24.129.184, port 57551 
(Timeout)
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, 
size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 
77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, 
ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 3236
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: Unable to deliver closing message for tunnel 
32809. Destroying anyway.
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, 
size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 
77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, 
ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 25612
xl2tpd[10217]: build_fdset: closing down tunnel 32809
xl2tpd[10217]: death_handler: Fatal signal 2 received
===== ipad says: "no response from server" - so I hit ^C here =====


tcpdump output during that period of time:

Ubuntu# tcpdump -ni eth0 host 111.111.111.111
10:15:22.529266 IP 77.24.129.184.500 > 111.111.111.111.500: 
isakmp: phase 1 I ident
10:15:22.529690 IP 111.111.111.111.500 > 77.24.129.184.500: 
isakmp: phase 1 R ident
10:15:23.027015 IP 77.24.129.184.500 > 111.111.111.111.500: 
isakmp: phase 1 I ident
10:15:23.032999 IP 111.111.111.111.500 > 77.24.129.184.500: 
isakmp: phase 1 R ident
10:15:23.406984 IP 77.24.129.184.500 > 111.111.111.111.500: 
isakmp: phase 1 I ident[E]
10:15:23.407170 IP 111.111.111.111.500 > 77.24.129.184.500: 
isakmp: phase 1 R ident[E]
10:15:25.047469 IP 77.24.129.184.500 > 111.111.111.111.500: 
isakmp: phase 2/others I oakley-quick[E]
10:15:25.047774 IP 111.111.111.111.500 > 77.24.129.184.500: 
isakmp: phase 2/others R oakley-quick[E]
10:15:25.364617 IP 77.24.129.184.500 > 111.111.111.111.500: 
isakmp: phase 2/others I oakley-quick[E]
10:15:25.488259 IP 77.24.129.184 > 111.111.111.111: 
ESP(spi=0x84273831,seq=0x1), length 116
10:15:26.247486 IP 77.24.129.184 > 111.111.111.111: 
ESP(spi=0x84273831,seq=0x2), length 116
10:15:28.371692 IP 77.24.129.184 > 111.111.111.111: 
ESP(spi=0x84273831,seq=0x3), length 116
10:15:32.389628 IP 77.24.129.184 > 111.111.111.111: 
ESP(spi=0x84273831,seq=0x4), length 116
10:15:36.548088 IP 77.24.129.184 > 111.111.111.111: 
ESP(spi=0x84273831,seq=0x5), length 116
10:15:40.530105 IP 77.24.129.184 > 111.111.111.111: 
ESP(spi=0x84273831,seq=0x6), length 116
10:15:44.548000 IP 77.24.129.184 > 111.111.111.111: 
ESP(spi=0x84273831,seq=0x7), length 116
===== interesting enough: when I stopped daemons later, some 
packets were sent: =====
10:19:24.400095 IP 111.111.111.111.500 > 77.24.129.184.500: 
isakmp: phase 2/others R inf[E]
10:19:24.406601 IP 111.111.111.111.500 > 77.24.129.184.500: 
isakmp: phase 2/others R inf[E]
10:19:25.765636 IP 77.24.129.184 > 111.111.111.111: ICMP 
77.24.129.184 udp port 500 unreachable, length 36
10:19:25.948604 IP 77.24.129.184 > 111.111.111.111: ICMP 
77.24.129.184 udp port 500 unreachable, length 36


Some config files:

============================================
ipsec.conf:
---------------------
# ipsec.conf - strongSwan IPsec configuration file

config setup
         # crlcheckinterval=600
         # strictcrlpolicy=yes
         # cachecrls=yes
         nat_traversal=yes
         charonstart=yes
         plutostart=yes

conn L2TP
         authby=psk
         pfs=no
         rekey=no
         type=tunnel
         esp=aes128-sha1
         ike=aes128-sha-modp1024
         left=111.111.111.111
         leftnexthop=%defaultroute
         leftprotoport=17/1701
         right=%any
         rightprotoport=17/%any
         rightsubnetwithin=0.0.0.0/0
         auto=add
============================================


============================================
/etc/ipsec.secrets :
---------------------
# This file holds shared secrets or RSA private keys for inter-Pluto
# ...
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc    # doesn't exist, no effect omitting it

111.111.111.111 %any:     PSK "MySecret"
============================================


============================================
/etc/xl2tpd/xl2tpd.conf:
---------------------
[global]
;debug avp     = yes
debug network = yes
;debug packet  = no
;debug state   = yes
debug tunnel  = yes

[lns default]
ip range = 192.168.1.1-192.168.1.20     ; * changed 2011.0621 ak
local ip = 111.111.111.111                 ; * Our local IP to use - set 2011.0621 ak
require chap = yes
refuse pap = yes
require authentication = yes
name = test02
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
============================================


============================================
/etc/xl2tpd/l2tp-secrets:
---------------------
# Secrets for authenticating l2tp tunnels
# us    them    secret
# *             marko blah2
# zeus          marko   blah
# *     *       interop
*       *       MySecret2 *
============================================


If anyone can point me to a way to set up a pure IPsec 
configuration, I'll be happy - that will give the opportunity to 
connect more than one road warrior without making the preshared 
key a "public key".


Thank you for any help!

Andreas
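An added diagnostic example, not part of the post and not strongSwan or xl2tpd code: a small Python script that parses lines copied from the tcpdump capture and the xl2tpd output above and reports what they show together. It counts IKE phase 1 / phase 2 exchanges, counts ESP packets per direction relative to the server address, and counts how often xl2tpd logged the peer re-requesting the same tunnel ID. The sample lines are taken from the post; the function names, the finding messages and the interpretation rules (one-way ESP means nothing the server sent went out through the IPsec SA; a repeated tunnel request means the peer is retransmitting its SCCRQ because no SCCRP arrived) are my own.

```python
import re
from collections import Counter

# Sample input: lines copied from the tcpdump capture in the post above
# (VPN server address 111.111.111.111, client 77.24.129.184).
CAPTURE = """\
10:15:22.529266 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 1 I ident
10:15:22.529690 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 1 R ident
10:15:25.047469 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 2/others I oakley-quick[E]
10:15:25.047774 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 2/others R oakley-quick[E]
10:15:25.488259 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x1), length 116
10:15:26.247486 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x2), length 116
10:15:28.371692 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x3), length 116
"""

# Sample input: lines copied from the xl2tpd output in the post above.
L2TP_LOG = """\
xl2tpd[10217]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: Maximum retries exceeded for tunnel 32809.  Closing.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: Connection 54 closed to 77.24.129.184, port 57551 (Timeout)
"""

# tcpdump prints "addr.port" for UDP and a bare "addr" for ESP, so the port is optional.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>" + IPV4 + r")(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>" + IPV4 + r")(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_packet(line):
    """Parse one tcpdump summary line into a dict, or return None if it is not one."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    rest = pkt["rest"]
    if rest.startswith("ESP("):
        pkt["proto"] = "ESP"
        spi = re.search(r"spi=(0x[0-9a-fA-F]+)", rest)
        pkt["spi"] = spi.group(1) if spi else None
    elif rest.startswith("isakmp:"):
        pkt["proto"] = "ISAKMP"
        pkt["phase"] = 2 if "phase 2" in rest else 1
    else:
        pkt["proto"] = "OTHER"
    return pkt


def analyze_capture(text, server_ip):
    """Count IKE exchanges and ESP packets per direction relative to server_ip."""
    s = {"isakmp_phase1": 0, "isakmp_phase2": 0, "esp_in": 0, "esp_out": 0,
         "spi_in": set(), "spi_out": set()}
    for line in text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        if pkt["proto"] == "ISAKMP":
            s["isakmp_phase%d" % pkt["phase"]] += 1
        elif pkt["proto"] == "ESP":
            if pkt["dst"] == server_ip:        # client -> server
                s["esp_in"] += 1
                s["spi_in"].add(pkt["spi"])
            elif pkt["src"] == server_ip:      # server -> client
                s["esp_out"] += 1
                s["spi_out"].add(pkt["spi"])
    return s


def analyze_l2tp_log(text):
    """Count repeated tunnel requests (peer retransmitting its SCCRQ) and timeouts."""
    repeats = Counter()
    timeouts = 0
    for line in text.splitlines():
        m = re.search(r"Peer requested tunnel (\d+) twice", line)
        if m:
            repeats[int(m.group(1))] += 1
        if "Maximum retries exceeded" in line or "(Timeout)" in line:
            timeouts += 1
    return {"repeated_requests": dict(repeats), "timeouts": timeouts}


def diagnose(capture_text, log_text, server_ip):
    """Combine the capture and the xl2tpd log into a list of findings (interpretation is mine)."""
    cap = analyze_capture(capture_text, server_ip)
    l2tp = analyze_l2tp_log(log_text)
    findings = []
    if cap["isakmp_phase2"] == 0:
        findings.append("no IKE phase 2 (quick mode) seen: no IPsec SA was negotiated")
    if cap["esp_in"] and not cap["esp_out"]:
        findings.append("one-way ESP: %d packet(s) from client, none from server; "
                        "nothing the server sent went out through the IPsec SA" % cap["esp_in"])
    for tid, n in l2tp["repeated_requests"].items():
        findings.append("L2TP peer re-sent its request for tunnel %d %d time(s): "
                        "the server's SCCRP is not reaching it" % (tid, n))
    if l2tp["timeouts"]:
        findings.append("%d L2TP tunnel(s) closed on timeout" % l2tp["timeouts"])
    return findings


if __name__ == "__main__":
    for finding in diagnose(CAPTURE, L2TP_LOG, "111.111.111.111"):
        print("-", finding)
```

Run against the lines from the post, the script reports one-way ESP (seven inbound packets on SPI 0x84273831 in the full capture, no outbound ESP at all) together with the repeated requests for tunnel 54, which is the pairing to look at before touching the PSK: the xl2tpd replies are leaving the box, if at all, outside the IPsec SA that left=111.111.111.111 / leftprotoport=17/1701 describes. Feeding it a capture from a working setup should show ESP counted in both directions and no repeated requests.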



