[strongSwan] Help Connecting Strongswan to iPhone

Dan Deming dan24678 at gmail.com
Sat Mar 26 21:06:49 CET 2011


Hello,

I'm trying to get a strongswan VPN set up so I can connect my iPhone
to my Ubuntu Lucid Lynx desktop, but I can't seem to get it
working and would appreciate any help anyone can give me.

I feel like I'm close, but networking is not one of my
strong suits, so the whole leftnexthop, rightprotoport
thing is pretty confusing to me.

I've been generally following the directions on these 3
pages:

http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
https://lists.strongswan.org/pipermail/users/2009-March/003291.html
http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients.html

Currently, I'm getting the following error:

cannot respond to IPsec SA request because no connection is known for
53.74.66.108/32===192.168.1.10:17/%any...192.168.1.1[192.168.1.12]:17/%any===192.168.1.12/32

Here are the stats on what I'm running:

Ubuntu Desktop:
 * Internal IP address is 192.168.1.10
 * Running custom compiled version of strongswan-4.3.2 with
--enable-nat-transport option enabled
 * Running xl2tpd
 * Both were set up by following
http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
 * Firewall was off while I was trying to get this working

Linksys E3000 router:
 * Internal IP address is 192.168.1.1
 * Comcast IP address is 53.74.66.108 (not my actual IP, but you get the
idea)
 * NAT Enabled
 * VPN Passthrough Enabled
 * Ports 4500 and 1701 forwarded to 192.168.1.10

iPhone 3GS:
 * I guess the IP for this device is 166.121.15.14? (Again, I changed it in
the log below)

Here is my ipsec.conf:

config setup
    nat_traversal=yes
    charonstart=yes
    plutostart=yes

conn L2TP
        authby=psk
        pfs=no
        rekey=no
        type=tunnel
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=192.168.1.10
        leftnexthop=%defaultroute
        #leftprotoport=17/%any
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        #rightsubnetwithin=10.0.0.0/8
        auto=add

And here are the errors I see:

Mar 26 15:41:11 ubuntu-desktop pluto[8372]: added connection description
"L2TP"
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
received Vendor ID payload [RFC 3947]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873:
received Vendor ID payload [Dead Peer Detection]
Mar 26 15:41:51 ubuntu-desktop pluto[8372]: "L2TP"[1]
166.121.15.14:15873#1: responding to Main Mode from unknown peer
166.121.15.14:15873
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1]
166.121.15.14:15873#1: NAT-Traversal: Result using RFC 3947: both are
NATed
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1]
166.121.15.14:15873#1: ignoring informational payload, type
IPSEC_INITIAL_CONTACT
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1]
166.121.15.14:15873#1: Peer ID is ID_IPV4_ADDR: '10.70.21.33'
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[2]
166.121.15.14:15873#1: deleting connection "L2TP" instance with peer
166.121.15.14
{isakmp=#0/ipsec=#0}
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: | NAT-T: new mapping
166.121.15.14:15873/15893)
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[2]
166.121.15.14:15893#1: sent MR3, ISAKMP SA established
Mar 26 15:41:53 ubuntu-desktop pluto[8372]: "L2TP"[2]
166.121.15.14:15893#1: cannot respond to IPsec SA request because no
connection is known for
53.74.66.108/32===192.168.1.10:4500:17/%any...166.121.15.14:15893[10.70.21.33]:17/%any===10.70.21.33/32
Mar 26 15:41:53 ubuntu-desktop pluto[8372]: "L2TP"[2]
166.121.15.14:15893#1: sending encrypted notification
INVALID_ID_INFORMATION to
166.121.15.14:15893
Mar 26 15:41:56 ubuntu-desktop pluto[8372]: "L2TP"[2]
166.121.15.14:15893#1: Quick Mode I1 message is unacceptable because
it uses a previously used
Message ID 0xab4fb5b4 (perhaps this is a duplicated packet)
Mar 26 15:41:56 ubuntu-desktop pluto[8372]: "L2TP"[2]
166.121.15.14:15893#1: sending encrypted notification
INVALID_MESSAGE_ID to
166.121.15.14:15893
Mar 26 15:41:59 ubuntu-desktop pluto[8372]: "L2TP"[2]
166.121.15.14:15893#1: Quick Mode I1 message is unacceptable because
it uses a previously used
Message ID 0xab4fb5b4 (perhaps this is a duplicated packet)
Mar 26 15:41:59 ubuntu-desktop pluto[8372]: "L2TP"[2]
166.121.15.14:15893#1: sending encrypted notification
INVALID_MESSAGE_ID to
166.121.15.14:15893
Mar 26 15:42:03 ubuntu-desktop pluto[8372]: "L2TP"[2]
166.121.15.14:15893#1: Quick Mode I1 message is unacceptable because
it uses a previously used
Message ID Mar 26 Mar 26 15:42:05 ubuntu-desktop pluto[8372]: ERROR:
asynchronous network error report on eth0 for message to 166.121.15.14 port
15893, complainant 166.121.15.14: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
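The tuple printed after "no connection is known for" is the exact selector pluto tried to match against every loaded conn, so a useful first step is pulling it apart and laying it next to the conn section. The following Python is an added example, not strongSwan code and not from the post's author: it parses the two tuples quoted above (copied from the post and rejoined onto one line each) into left/right subnet, host, IKE port, bracketed ID and proto/port, then reports which of the conn's settings the request does not satisfy. It assumes pluto's rule that an unset leftsubnet means left/32, and treats a configured %any as matching any requested value; the "LAN client" and "iPhone" labels and the CONN_L2TP dict are constructed for the example.

```python
"""Added example: pull apart pluto's "no connection is known for" tuple
and diff it against an ipsec.conf conn. Not strongSwan code."""
import re
from dataclasses import dataclass
from typing import Optional

# One endpoint as pluto prints it:  host[:ikeport][[id]]:proto/port
ENDPOINT_RE = re.compile(
    r"^(?P<host>[^:\[]+)(?::(?P<ikeport>\d+))?(?:\[(?P<id>[^\]]+)\])?"
    r":(?P<proto>\d+)/(?P<port>\S+)$"
)
# leftsubnet===leftendpoint...rightendpoint===rightsubnet
TUPLE_RE = re.compile(r"(\S+?)===(\S+?)\.\.\.(\S+?)===(\S+)")


@dataclass
class Endpoint:
    host: str
    ikeport: Optional[int]   # 4500 / 15893 once NAT-T has floated the IKE port
    peer_id: Optional[str]   # the ID in brackets, if any
    proto: int               # 17 = UDP
    port: str                # a port number or "%any"


@dataclass
class SaRequest:
    left_subnet: str
    left: Endpoint
    right: Endpoint
    right_subnet: str


def parse_endpoint(text: str) -> Endpoint:
    m = ENDPOINT_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return Endpoint(
        host=m["host"],
        ikeport=int(m["ikeport"]) if m["ikeport"] else None,
        peer_id=m["id"],
        proto=int(m["proto"]),
        port=m["port"],
    )


def parse_sa_request(line: str) -> SaRequest:
    """Accept either the bare tuple or the whole pluto log line."""
    text = line.split("no connection is known for", 1)[-1].strip()
    m = TUPLE_RE.search(text)
    if not m:
        raise ValueError(f"no SA tuple in: {line!r}")
    lsub, lep, rep, rsub = m.groups()
    return SaRequest(lsub, parse_endpoint(lep), parse_endpoint(rep), rsub)


def _protoport_matches(configured: str, req_proto: int, req_port: str) -> bool:
    """A configured %any matches anything; otherwise values must be equal."""
    proto, port = configured.split("/", 1)
    if proto not in ("%any", str(req_proto)):
        return False
    return port == "%any" or port == req_port


def find_mismatches(req: SaRequest, conn: dict) -> list:
    """Return one message per conn setting the request does not satisfy."""
    problems = []
    # pluto treats an unset leftsubnet as left/32 (assumed default here)
    left_subnet = conn.get("leftsubnet", conn["left"] + "/32")
    if req.left_subnet != left_subnet:
        problems.append(f"leftsubnet: request {req.left_subnet}, conn {left_subnet}")
    if "rightsubnet" in conn and req.right_subnet != conn["rightsubnet"]:
        problems.append(f"rightsubnet: request {req.right_subnet}, conn {conn['rightsubnet']}")
    for side, ep in (("left", req.left), ("right", req.right)):
        configured = conn.get(side + "protoport", "%any/%any")
        if not _protoport_matches(configured, ep.proto, ep.port):
            problems.append(f"{side}protoport: request {ep.proto}/{ep.port}, conn {configured}")
    return problems


# The conn from the post, reduced to the keys that matter for matching
CONN_L2TP = {"left": "192.168.1.10", "leftprotoport": "17/1701",
             "right": "%any", "rightprotoport": "17/%any"}

# Both tuples quoted in the post, rejoined onto one line each
TUPLE_LAN = ("53.74.66.108/32===192.168.1.10:17/%any"
             "...192.168.1.1[192.168.1.12]:17/%any===192.168.1.12/32")
TUPLE_IPHONE = ("53.74.66.108/32===192.168.1.10:4500:17/%any"
                "...166.121.15.14:15893[10.70.21.33]:17/%any===10.70.21.33/32")

if __name__ == "__main__":
    for name, t in (("LAN client", TUPLE_LAN), ("iPhone", TUPLE_IPHONE)):
        req = parse_sa_request(t)
        print(name, req)
        for p in find_mismatches(req, CONN_L2TP):
            print("  -", p)
```

Run as a script it prints, for each tuple, the fields that pluto saw and the settings of conn L2TP they do not line up with; the left subnet the peer asks for is the router's public address rather than 192.168.1.10/32, and the peer's left port selector is %any where the conn requires 1701. Whether either of those is the cause is for the list to confirm, but the script makes the comparison pluto performed visible instead of leaving it in one long log line.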