[strongSwan] Help Connecting Strongswan to iPhone
Martin Lambev
fsh3mve at gmail.com
Sun Mar 27 20:17:00 CEST 2011
On 03/27/2011 05:36 PM, Uli Joergens wrote:
>> On 03/27/2011 04:06 AM, Dan Deming wrote:
>>> Hello,
>>>
>>> I'm trying to get a strongswan VPN set up so I can connect my iPhone
>>> to my Ubuntu Lucid Lynx desktop, but I can't seem to get it
>>> working and would appreciate any help anyone can give me.
>>>
>>> I feel like I'm close, but networking is not one of my
>>> strong suits, so the whole leftnexthop, rightprotoport
>>> thing is pretty confusing to me.
>>>
>>> I've been generally following the directions on these 3
>>> pages:
>>>
>>> http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
>>> https://lists.strongswan.org/pipermail/users/2009-March/003291.html
>>> http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients.html
>>>
>>> Currently, I'm getting the following error:
>>>
>>> cannot respond to IPsec SA request because no connection is known for
>>> 53.74.66.108/32===192.168.1.10:17/%any...192.168.1.1[192.168.1.12]:17/%any===192.168.1.12/32
>>>
>>> Here are the stats on what I'm running:
>>>
>>> Ubuntu Desktop:
>>> * Internal IP address is 192.168.1.10
>>> * Running custom compiled version of strongswan-4.3.2 with
>>>   --enable-nat-transport option enabled
>>> * Running xl2tpd
>>> * Both were set up by following
>>>   http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
>>> * Firewall was off while I was trying to get this working
>>>
>>> Linksys E3000 router:
>>> * Internal IP address is 192.168.1.1
>>> * Comcast IP address is 53.74.66.108 (not my actual IP, but you get
>>>   the idea)
>>> * NAT Enabled
>>> * VPN Passthrough Enabled
>>> * Ports 4500 and 1701 forwarded to 192.168.1.10
>>>
>>> iPhone 3GS:
>>> * I guess the IP for this device is 166.121.15.14? (Again, I changed
>>>   it in the log below)
>>>
>>> Here is my ipsec.conf:
>>>
>>> config setup
>>>     nat_traversal=yes
>>>     charonstart=yes
>>>     plutostart=yes
>>>
>>> conn L2TP
>>>     authby=psk
>>>     pfs=no
>>>     rekey=no
>>>     type=tunnel
>>>     esp=aes128-sha1
>>>     ike=aes128-sha-modp1024
>>>     left=192.168.1.10
>>>     leftnexthop=%defaultroute
>>>     #leftprotoport=17/%any
>>>     leftprotoport=17/1701
>>>     right=%any
>>>     rightprotoport=17/%any
>>>     #rightsubnetwithin=10.0.0.0/8
>>>     auto=add
>>>
>>> And here are the errors I see:
>>>
>>> Mar 26 15:41:11 ubuntu-desktop pluto[8372]: added connection description "L2TP"
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: received Vendor ID payload [RFC 3947]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: packet from 166.121.15.14:15873: received Vendor ID payload [Dead Peer Detection]
>>> Mar 26 15:41:51 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: responding to Main Mode from unknown peer 166.121.15.14:15873
>>> Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: NAT-Traversal: Result using RFC 3947: both are NATed
>>> Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
>>> Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[1] 166.121.15.14:15873 #1: Peer ID is ID_IPV4_ADDR: '10.70.21.33'
>>> Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15873 #1: deleting connection "L2TP" instance with peer 166.121.15.14 {isakmp=#0/ipsec=#0}
>>> Mar 26 15:41:52 ubuntu-desktop pluto[8372]: | NAT-T: new mapping 166.121.15.14:15873/15893)
>>> Mar 26 15:41:52 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sent MR3, ISAKMP SA established
>>> Mar 26 15:41:53 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: cannot respond to IPsec SA request because no connection is known for 53.74.66.108/32===192.168.1.10:4500:17/%any...166.121.15.14:15893[10.70.21.33]:17/%any===10.70.21.33/32
>>> Mar 26 15:41:53 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sending encrypted notification INVALID_ID_INFORMATION to 166.121.15.14:15893
>>> Mar 26 15:41:56 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xab4fb5b4 (perhaps this is a duplicated packet)
>>> Mar 26 15:41:56 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sending encrypted notification INVALID_MESSAGE_ID to 166.121.15.14:15893
>>> Mar 26 15:41:59 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xab4fb5b4 (perhaps this is a duplicated packet)
>>> Mar 26 15:41:59 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: sending encrypted notification INVALID_MESSAGE_ID to 166.121.15.14:15893
>>> Mar 26 15:42:03 ubuntu-desktop pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID
>>> Mar 26 Mar 26 15:42:05 ubuntu-desktop pluto[8372]: ERROR: asynchronous network error report on eth0 for message to 166.121.15.14 port 15893, complainant 166.121.15.14: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>> Hi Dan,
>>
>> It looks like your connection cannot be matched right. I'm a newbie so
>> my advice may be misleading, but you can try two more configurations
>> for your ipsec.conf (one at a time).
>>
>> ipsec.conf of openswan/debian:
>>
>> config setup
>>     nat_traversal=yes
>>     charonstart=yes
>>     plutostart=yes
>>
>> conn L2TP-PSK-NAT-OSX
>>     authby=secret
>>     forceencaps=yes
>>     pfs=no
>>     auto=add
>>     keyingtries=3
>>     dpdtimeout=60
>>     dpdaction=clear
>>     rekey=no
>>     left=%defaultroute
>>     leftprotoport=17/1701
>>     right=%any
>>     rightprotoport=17/%any
>>     rightsubnet=vhost:%priv,%no
>>
>> or
>>
>> conn %default
>>     nat_traversal=yes
>>     charonstart=yes
>>     plutostart=yes
>>     forceencaps=yes
>>     dpddelay=10
>>     dpdtimeout=60
>>     dpdaction=clear
>>     auto=add
>>
>> conn L2TP-PSK-NAT
>>     rightsubnet=vhost:%priv
>>     also=L2TP-PSK-noNAT
>>
>> conn L2TP-PSK-noNAT
>>     authby=secret
>>     pfs=no
>>     auto=add
>>     keyingtries=3
>>     rekey=no
>>     ikelifetime=8h
>>     keylife=1h
>>     type=transport
>>     left=192.168.1.10
>>     leftprotoport=17/1701
>>     leftnexthop=53.74.66.108 (or whatever pub IP you have)
>>     rightnexthop=%defaultroute
>>     right=%any
>>     rightprotoport=17/%any
>>
>> If you get any errors for some of the options, just comment them out.
>> Make sure that xl2tpd is running and listening on port 1701, and ipsec (pluto or charon, I'm not sure) is listening on ports 500 and 4500;
>> you can check with #netstat -lpna
>> and if it still is not working paste #tcpdump proto UDP, and the same output log that you included in your first mail.
>>
>> You'd better disable the port forward for 1701 on your router, only VPN pass-through, and if it does not work correctly then enable forwarding UDP 500, 4500 to
>> 192.168.1.10.
>>
>> Also #iptables -L will be useful but not necessary.
>>
>> Recently I had problems with an iPhone connecting to an Ubuntu box, the second time, because the tunnel cannot be disconnected, but you are not there yet ;) I saw a fix for that in strongswan 4.5.1.
>>
>> Regards
>> Martin
>>
> Hi,
> I tried the very same with my iPad and I hit the wall, the NAT firewall, to be more precise.
> My settings worked well via WLAN even into a NATed VM but as soon as I tried to connect from the outside I ran into the same error.
> The problem seems to be caused by the fact that the iPad is NATed as well with a dynamic IP address. Two NATed dynamic IP addresses seem to be more than strongswan can handle.
> There's been another posting on that this month asking whether this is a bug or a feature. It's a pity that it doesn't work because I would love to be able to access my home network with my iPad in a safer way.
> I hope I didn't discourage you, please keep trying if you have the time and energy. I'd be happy to know if there is a solution to that.
> Somewhere I read that Openswan may do the trick. Did you try that one?
> Cheers
> Uli
Hi Uli,
I'm not happy to hear that you did not succeed in connecting your
iDevice behind two NATs...
But if for an Amazon EC2 instance we can say that it is behind NAT (you have a
private IP and an Elastic IP, the real one), then testing an iPhone connected at
home behind a 2nd NAT router (running IPfire for NAT and firewall without
any port forwarding) I got it working with StrongSwan and openswan, but
the problem was after that. After the first disconnection of the first
connection, strongswan continued sending keep-alives, because the
iPhone (l2tp/ipsec) does not send a disconnect packet to the server (dpd
does not help), but I saw that it was fixed as I already mentioned, but
still did not have time to compile and try the fixed version...
http://wiki.strongswan.org/issues/119
Regards,
Martin
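Dan's "cannot respond to IPsec SA request because no connection is known for ..." line names the exact selectors the iPhone proposed, so the matching problem can be read straight out of the log. The checker below, added here and not taken from the list or from strongSwan, parses that line and reports which selector fields of Dan's posted conn differ from the request, once as posted and once with Martin's rightsubnet=vhost:%priv added. Its matching rules are a deliberate simplification and an assumption, not pluto's real algorithm.

```python
import ipaddress
import re

# Constructed input: the second "cannot respond" entry from Dan's log (with his already-replaced addresses).
LOG_LINE = ('pluto[8372]: "L2TP"[2] 166.121.15.14:15893 #1: cannot respond to IPsec SA '
            'request because no connection is known for 53.74.66.108/32===192.168.1.10'
            ':4500:17/%any...166.121.15.14:15893[10.70.21.33]:17/%any===10.70.21.33/32')

# Dan's conn L2TP as posted, reduced to the keys the checker reads.
DAN_CONN = {"left": "192.168.1.10", "leftprotoport": "17/1701", "right": "%any", "rightprotoport": "17/%any"}

# Selector layout: lsubnet===host[:port][id]:proto/port...host[:port][id]:proto/port===rsubnet
ENDPOINT = re.compile(r"^(?P<host>[\d.]+)(?::(?P<port>\d+))?(?:\[(?P<id>[^\]]*)\])?"
                      r":(?P<proto>\d+)/(?P<pport>%any|\d+)$")

def parse_request(line):
    """Return {'left': {...}, 'right': {...}} from a 'no connection is known for' line."""
    sel = line.split("no connection is known for ", 1)[1].strip()
    lsub, mid, rsub = sel.split("===")
    lend, rend = mid.split("...")
    out = {}
    for side, sub, ep in (("left", lsub, lend), ("right", rsub, rend)):
        m = ENDPOINT.match(ep)
        if m is None:
            raise ValueError("unparsed endpoint: " + ep)
        out[side] = dict(m.groupdict(), subnet=sub)
    return out

def diagnose(req, conn):
    """List request fields the conn does not cover. Simplified rules (an assumption, not
    pluto's matcher): a port of %any covers any port; no <side>subnet means host/32 only
    (the peer's address when host is %any/%defaultroute); vhost:%priv covers any RFC 1918 /32."""
    problems = []
    for side in ("left", "right"):
        want = req[side]
        proto, port = conn.get(side + "protoport", "%any/%any").split("/")
        if proto not in ("%any", want["proto"]) or port not in ("%any", want["pport"]):
            problems.append(f"{side}protoport {proto}/{port} vs requested {want['proto']}/{want['pport']}")
        net = ipaddress.ip_network(want["subnet"])
        covered = conn.get(side + "subnet")
        if covered is None:
            host = conn.get(side, "%any")
            covered = (want["host"] if host.startswith("%") else host) + "/32"
            ok = net == ipaddress.ip_network(covered)
        elif covered.startswith("vhost:%priv"):
            ok = net.is_private and net.prefixlen == 32
        else:
            ok = net.subnet_of(ipaddress.ip_network(covered))
        if not ok:
            problems.append(f"{side}subnet {covered} vs requested {want['subnet']}")
    return problems
```

Running diagnose(parse_request(LOG_LINE), DAN_CONN) flags the left port (17/1701 vs the proposed 17/%any), the left subnet (the NATed public address 53.74.66.108/32 vs 192.168.1.10/32) and the right subnet (the phone's private 10.70.21.33/32); adding rightsubnet=vhost:%priv,%no clears only the last of the three.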