[strongSwan] Help Connecting Strongswan to iPhone

Uli Joergens uli.joergens at wanadoo.fr
Sun Mar 27 11:36:12 CEST 2011


> On 03/27/2011 04:06 AM, Dan Deming wrote:
> > Hello,
> >
> > I'm trying to get a strongswan VPN set up so I can connect my iPhone
> > to my Ubuntu Lucid Lynx desktop, but I can't seem to get it
> > working and would appreciate any help anyone can give me.
> >
> > I feel like I'm close, but networking is not one of my
> > strong suits, so the whole leftnexthop, rightprotoport
> > thing is pretty confusing to me.
> >
> > I've been generally following the directions on these 3
> > pages:
> >
> > http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
> > https://lists.strongswan.org/pipermail/users/2009-March/003291.html
> > http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients.html
> >
> > Currently, I'm getting the following error:
> >
> > cannot respond to IPsec SA request because no connection is known for 53.74.66.108/32===192.168.1.10:17/%any...192.168.1.1[192.168.1.12]:17/%any===192.168.1.12/32
> >
> > Here are the stats on what I'm running:
> >
> > Ubuntu Desktop:
> >  * Internal IP address is 192.168.1.10
> >  * Running custom compiled version of strongswan-4.3.2 with 
> > --enable-nat-transport option enabled
> >  * Running xl2tpd
> >  * Both were set up by following 
> > http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
> >  * Firewall was off while I was trying to get this working
> >
> > Linksys E3000 router:
> >  * Internal IP address is 192.168.1.1
> >  * Comcast IP address is 53.74.66.108 (not my actual IP, but you get 
> > the idea)
> >  * NAT Enabled
> >  * VPN Passthrough Enabled
> >  * Ports 4500 and 1701 forwarded to 192.168.1.10
> >
> > iPhone 3GS:
> >  * I guess the IP for this device is 166.121.15.14? (Again, I changed 
> > it in the log below)
> >
> > Here is my ipsec.conf:
> >
> > config setup
> >         nat_traversal=yes
> >         charonstart=yes
> >         plutostart=yes
> >
> > conn L2TP
> >         authby=psk
> >         pfs=no
> >         rekey=no
> >         type=tunnel
> >         esp=aes128-sha1
> >         ike=aes128-sha-modp1024
> >         left=192.168.1.10
> >         leftnexthop=%defaultroute
> >         #leftprotoport=17/%any
> >         leftprotoport=17/1701
> >         right=%any
> >         rightprotoport=17/%any
> >         #rightsubnetwithin=10.0.0.0/8
> >         auto=add
> >
> > And here are the errors I see:
> >
> > Mar 26 15:41:11 ubuntu-desktop pluto[8372]: added connection description "L2TP"
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: received Vendor ID payload [RFC 3947]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: received Vendor ID payload [Dead Peer Detection]
> > Mar 26 15:41:51 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: responding to Main Mode from unknown peer 166.121.15.14:15873
> > Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: NAT-Traversal: Result using RFC 3947: both are NATed
> > Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> > Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: Peer ID is ID_IPV4_ADDR: '10.70.21.33'
> > Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15873 #1: deleting connection "L2TP" instance with peer 166.121.15.14 {isakmp=#0/ipsec=#0}
> > Mar 26 15:41:52 ubuntu-desktop pluto[8372]: | NAT-T: new mapping 166.121.15.14:15873/15893)
> > Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sent MR3, ISAKMP SA established
> > Mar 26 15:41:53 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: cannot respond to IPsec SA request because no connection is known for 53.74.66.108/32===192.168.1.10:4500:17/%any...166.121.15.14:15893[10.70.21.33]:17/%any===10.70.21.33/32
> > Mar 26 15:41:53 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sending encrypted notification INVALID_ID_INFORMATION to 166.121.15.14:15893
> > Mar 26 15:41:56 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xab4fb5b4 (perhaps this is a duplicated packet)
> > Mar 26 15:41:56 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sending encrypted notification INVALID_MESSAGE_ID to 166.121.15.14:15893
> > Mar 26 15:41:59 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xab4fb5b4 (perhaps this is a duplicated packet)
> > Mar 26 15:41:59 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sending encrypted notification INVALID_MESSAGE_ID to 166.121.15.14:15893
> > Mar 26 15:42:03 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID
> > Mar 26 15:42:05 ubuntu-desktop pluto[8372]: ERROR: asynchronous network error report on eth0 for message to 166.121.15.14 port 15893, complainant 166.121.15.14: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
> Hi Dan,
> 
> It looks like your connection cannot be matched right. I'm a newbie, so
> my advice may be misleading, but you can try two more configurations
> for your ipsec.conf (one at a time).
> 
> ipsec.conf of openswan/debian:
> 
> config setup
>         nat_traversal=yes
>         charonstart=yes
>         plutostart=yes
> 
> conn L2TP-PSK-NAT-OSX
>         authby=secret
>         forceencaps=yes
>         pfs=no
>         auto=add
>         keyingtries=3
>         dpdtimeout=60
>         dpdaction=clear
>         rekey=no
>         left=%defaultroute
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/%any
>         rightsubnet=vhost:%priv,%no
> 
> or
> 
> # nat_traversal, charonstart and plutostart are "config setup" options,
> # not conn options, so they go in their own section
> config setup
>         nat_traversal=yes
>         charonstart=yes
>         plutostart=yes
> 
> conn %default
>         forceencaps=yes
>         dpddelay=10
>         dpdtimeout=60
>         dpdaction=clear
>         auto=add
> 
> conn L2TP-PSK-NAT
>         rightsubnet=vhost:%priv
>         also=L2TP-PSK-noNAT
> 
> conn L2TP-PSK-noNAT
>         authby=secret
>         pfs=no
>         auto=add
>         keyingtries=3
>         rekey=no
>         ikelifetime=8h
>         keylife=1h
>         type=transport
>         left=192.168.1.10
>         leftprotoport=17/1701
>         # or whatever public IP you have
>         leftnexthop=53.74.66.108
>         rightnexthop=%defaultroute
>         right=%any
>         rightprotoport=17/%any
> 
> If you get any errors for some of the options, just comment them out.
> Make sure that xl2tpd is running and listening on port 1701, and that ipsec (pluto or charon, I'm not sure) is listening on ports 500 and 4500;
> you can check with #netstat -lpna
> and if it is still not working, paste the output of #tcpdump proto UDP and the same log output that you included in your first mail.
> 
> You had better disable the port forward for 1701 on your router, leaving only VPN pass-through, and if it does not work correctly then enable forwarding of UDP 500 and 4500 to
> 192.168.1.10.
> 
> Also #iptables -L will be useful but not necessary.
> 
> Recently I had problems with an iPhone connecting to an Ubuntu box the second time, because the tunnel could not be disconnected, but you are not there yet ;) I saw a fix for that in strongswan 4.5.1.
> 
> 
> Regards
> Martin
> 
> 
> 
> 
> 
Hi,
I tried the very same with my iPad and I hit the wall, the NAT firewall, to be more precise.
My settings worked well via WLAN, even into a NATed VM, but as soon as I tried to connect from the outside I ran into the same error.
The problem seems to be caused by the fact that the iPad is NATed as well, with a dynamic IP address. Two NATed dynamic IP addresses seem to be more than strongswan can handle.
There's been another posting on that this month asking whether this is a bug or a feature. It's a pity that it doesn't work, because I would love to be able to access my home network with my iPad in a safer way.
I hope I didn't discourage you; please keep trying if you have the time and energy. I'd be happy to know if there is a solution to that.
Somewhere I read that Openswan may do the trick. Did you try that one?
Cheers
Uli
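As an added example, not code from the thread or from the strongSwan project: a small Python decoder for the pluto line both posters ran into, "cannot respond to IPsec SA request because no connection is known for ...". The string after "for" is pluto's own rendering of the proposed selectors (our client===our host:proto/port...peer host[peer ID]:proto/port===peer client); the script splits it into fields and flags the two NAT mismatches the replies talk about (server reached by its public address, peer proposing a private client behind a public source address, which is what rightsubnet=vhost:%priv is for). The sample log lines are constructed from Dan's log with his already-altered addresses, and the diagnosis rules are this example's reading of the thread, not pluto's matching logic.

```python
"""Decode pluto's "no connection is known for" selector string and flag the
NAT-related mismatches discussed in the thread.

Constructed sample input (addresses as already altered by the poster);
the diagnosis rules are this example's interpretation, not pluto's code.
"""
import ipaddress
import re

SAMPLE_LOG = """\
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: Peer ID is ID_IPV4_ADDR: '10.70.21.33'
Mar 26 15:41:53 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: cannot respond to IPsec SA request because no connection is known for 53.74.66.108/32===192.168.1.10:4500:17/%any...166.121.15.14:15893[10.70.21.33]:17/%any===10.70.21.33/32
"""

# Layout of the selector string as pluto prints it:
#   <our client>===<our host>[:<udp port>]:<proto>/<port>...
#   <peer host>[:<udp port>][<peer id>]:<proto>/<port>===<peer client>
# The UDP port (4500 / the NAT-mapped peer port) only appears with NAT-T.
CONN_RE = re.compile(
    r"no connection is known for "
    r"(?P<lclient>\S+?)===(?P<lhost>[\d.]+)(?::(?P<lport>\d+))?:(?P<lproto>\d+)/(?P<lpp>\S+?)"
    r"\.\.\."
    r"(?P<rhost>[\d.]+)(?::(?P<rport>\d+))?(?:\[(?P<rid>[^\]]+)\])?:(?P<rproto>\d+)/(?P<rpp>\S+?)"
    r"===(?P<rclient>\S+)"
)


def parse_connection_request(line):
    """Return the selector fields of a 'no connection is known for' line, else None."""
    m = CONN_RE.search(line)
    return m.groupdict() if m else None


def diagnose(fields):
    """Map the parsed selectors onto the NAT problems raised in the thread."""
    findings = []
    lclient = ipaddress.ip_network(fields["lclient"])
    lhost = ipaddress.ip_address(fields["lhost"])
    rhost = ipaddress.ip_address(fields["rhost"])
    rclient = ipaddress.ip_network(fields["rclient"])

    # Our side: the phone addresses the server by the router's public IP, so
    # the proposed client (53.74.66.108/32) is not the address given as left=.
    if lhost not in lclient:
        findings.append(
            f"server behind NAT: peer proposes our client {lclient} "
            f"but left={lhost}; no conn covers that left side")
    # Peer side: a private inner address that differs from the public source
    # means the client is NATed too; the replies use rightsubnet=vhost:%priv
    # so a private client behind right=%any can be accepted.
    if rclient.is_private and rhost not in rclient:
        findings.append(
            f"client behind NAT: proposed peer client {rclient} (ID {fields['rid']}) "
            f"is private, traffic arrives from {rhost}; try rightsubnet=vhost:%priv")
    if fields["lport"] == "4500" or fields["rport"]:
        findings.append(
            "NAT-T UDP encapsulation in use; forceencaps=yes as in the suggested configs")
    findings.append(
        f"peer proposes {fields['lproto']}/{fields['lpp']} for us and "
        f"{fields['rproto']}/{fields['rpp']} for itself; "
        "compare with leftprotoport/rightprotoport in the conn")
    return findings


def analyse_log(text):
    """Run each line through the parser; return a list of (fields, findings)."""
    results = []
    for line in text.splitlines():
        fields = parse_connection_request(line)
        if fields:
            results.append((fields, diagnose(fields)))
    return results


if __name__ == "__main__":
    for fields, findings in analyse_log(SAMPLE_LOG):
        print(f"{fields['lclient']} -> {fields['rclient']}")
        for finding in findings:
            print("  -", finding)
```

Run it against a real /var/log/auth.log (or wherever pluto logs) by replacing SAMPLE_LOG with the file contents; the first "no connection is known for" line in the thread, the one without NAT-T ports, parses the same way with lport and rport left as None.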


More information about the Users mailing list