Yeah, speed's not that important. I'd be connecting through Wi-Fi nodes only, so I want everything encrypted. I'll try to set this up when I have some time to spend. Thanks for the info!
Is this setup still working for you? Are you on Rogers or Fido? I thought both Fido and Rogers have blocked vpn on cellular network since last month and it's now only available as 10$ add-on on Rogers... (http://www.howardforums.com/showthread.php?t=1573850)
I'm looking for a way to access Pandora radio from iPhone in Canada... Would you have some ideas how to extend your setup to achieve this? It would certainly make your go commute much more pleasant
I'm on Rogers. I used the VPN today. It's still working in Toronto and I'm not paying extra. Same deal on tethering ... I see it on the bill, but they don't charge me yet. Maybe it depends on your package. I've got 6 gigs per month. After ripoff fees and taxes I'm paying $100. Maybe VPN blocking is coming.
If they start blocking my VPN I'll need to use an SSH tunnel instead. That won't be as convenient, but it will serve my purposes for some things I do on the iPhone. I can see what Rogers' motives might be. I've got Skype installed on my iPhone and I've tried it a few times through the VPN over 3G (I think I had to hack something to get it to work on 3G, but I can't recall the details). It doesn't work very well, but potentially Skype could cut into Rogers' regular cell service and use up 3G bandwidth. The day is coming when traditional cell phone service providers need to realize they are now providing data services, not phone call services.
Pandora radio ...
"We are deeply, deeply sorry to say that due to licensing constraints, we can no longer allow access to Pandora for listeners located outside of the U.S."
hmmmm, that's a tough one. They are using IP address to determine country. The only solution I can think of is some kind of proxy scheme based in the US. Maybe it exists. Google it.
I think I am correct in saying once connected to the VPN everything gets routed through the VPN.
Apollo is right. I can't speak for the iPhone since I haven't played with it much, but the way it works for Windows depends on a single setting.
In Windows, "Use default gateway on remote network" is normally set, which means that everything gets routed to the VPN server. If you uncheck that setting, then Windows only routes a single subnet to the VPN server.
I have the exact same configuration as you do but I can't seem to get l2tp/ipsec working. IPSec part seems ok as I see the following in auth.log:
Code:
Dec 9 21:05:27 xxxxxx pluto[7500]: "L2TP-PSK-NAT"[2] 24.24.24.24 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 9 21:05:27 xxxxxx pluto[7500]: "L2TP-PSK-NAT"[2] 24.24.24.24 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0220d810 <0x2b3876b2 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=24.24.24.24:42500 DPD=none}
ipsec verify shows this:
Code:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.22/K2.6.31-16-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
However, no clue what's going on with xl2tpd. All I see is:
Code:
Dec 9 21:05:29 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec 9 21:05:30 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec 9 21:05:34 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec 9 21:05:34 xxxxxx xl2tpd[7924]: Maximum retries exceeded for tunnel 58710. Closing.
Dec 9 21:05:43 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec 9 21:05:43 xxxxxx xl2tpd[7924]: Connection 3 closed to 24.24.24.24, port 49201 (Timeout)
Dec 9 21:05:48 xxxxxx xl2tpd[7924]: Unable to deliver closing message for tunnel 58710. Destroying anyway.
Any idea what might be wrong? The only difference that I'm aware of is that Bell's crappy 2wire modem wouldn't let me forward protocol 50. Could that be the issue here?
BTW, it seems Fido/Rogers have only blocked PPTP on 3G network (now available as premium service on Rogers). There have been many reports that L2TP/IPSEC still works (this is confirmed by Apollo77 too).
This issue is resolved now. I got some help from this thread. The problem was that the latest version of openswan has a bug that causes xl2tpd to fail. Downgrading to 2.4.12 version from the jaunty release fixed this problem. A small issue that I'm still facing is that if I disconnect and immediately try to reconnect, the connection fails with the same error that I posted before. However, if I try after a few hours or do an ipsec restart, it works again.
Also, I'd like to point out that the protocol 50 (ESP) forwarding isn't required for this to work. I think NAT-T takes care of this.
@Apollo77, thanks a lot for all the configs you posted - they were tremendous help.
Glad you resolved it. I actually tried to send you a private message, but was not able. Since you are in Toronto (as am I), I was going to offer to hand you a copy on a CD of the VMware virtual machine where I run the VPN server. Running this in a VM works quite well and gives it portability.
However, that offer is now off the table (I don't wish to be inundated with requests for it). Perhaps, this could be distributed as a VMware appliance, but I am not volunteering to do this.
Also, I'd like to point out that the protocol 50 (ESP) forwarding isn't required for this to work. I think NAT-T takes care of this.
Correct, if you are behind a NAT such that your connection must use UDP port 4500 (NAT-T), then proto 50 isn't used directly. Protocol 50 is used when both sides have route-able IP address.
This post was very useful for me to establish a connection between my iPhone and remote server.
My IPsec connection is OK, my L2TP connection is OK, I can access my remote network address but I can't access another remote internet IP address.
I can see some traffic in my interface ppp0 with tcpdump.
I think it's a routing problem or iptables?
If you can see some traffic on ppp0, it's probably exactly what you guessed.
Is ip_forward enabled? (/proc/sys/net/ipv4/ip_forward should be 1)
If so, I would lean toward an iptables issue.
Check your FORWARD chain rules and make sure that ppp0 can talk to the desired network. Conversely, make sure that your internal network can talk to ppp0.
Perhaps your rules would look something like:
-A FORWARD -i ppp+ -p all -j ACCEPT
-A FORWARD -o ppp+ -p all -j ACCEPT
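An added audit script for the two checks in this reply (ip_forward and the FORWARD rules for ppp+); it is not from the thread or from any poster. It assumes VPN clients land on ppp0, ppp1, ... and that eth0 is the gateway's internet-facing interface, and it adds a POSTROUTING MASQUERADE rule beyond the thread's two FORWARD rules, since without NAT the internet hosts the client wants to reach have no return route to the client's private ppp address.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Linux VPN gateway for what the
# reply above checks, ip_forward and FORWARD rules for ppp+ clients. Assumes
# clients land on ppp0/ppp1/... and eth0 faces the internet. The MASQUERADE
# rule is an addition; rules are spelled as iptables-save prints them (no "-p all").

VPN_IF='ppp+'
OUT_IF='eth0'

# Return 0 when the value passed in (contents of /proc/sys/net/ipv4/ip_forward) is on.
ip_forward_ok() {
    [ "$1" = "1" ]
}

# Read an iptables-save dump on stdin; print each required rule that is absent.
# Returns 0 if all are present, 1 if anything is missing.
missing_rules() {
    dump=$(cat)
    missing=0
    for rule in "-A FORWARD -i $VPN_IF -j ACCEPT" \
                "-A FORWARD -o $VPN_IF -j ACCEPT" \
                "-A POSTROUTING -o $OUT_IF -j MASQUERADE"; do
        if ! printf '%s\n' "$dump" | grep -qxF -- "$rule"; then
            echo "missing: $rule"
            missing=1
        fi
    done
    return $missing
}

# Constructed iptables-save excerpt: clients are forwarded in, but nothing is
# accepted back out to ppp+ and there is no NAT, i.e. "VPN up, internet unreachable".
SAMPLE_DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD -i ppp+ -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Live audit of this host (iptables-save needs root).
audit_gateway() {
    rc=0
    ip_forward_ok "$(cat /proc/sys/net/ipv4/ip_forward)" || { echo "ip_forward is 0"; rc=1; }
    iptables-save | missing_rules || rc=1
    return $rc
}

# Only audit the live host when asked; otherwise just define the functions.
[ "${1:-}" = "--run" ] && audit_gateway
```

Run it as root with `--run` on the gateway; each "missing:" line is a rule to add with `iptables`, and a zero exit means both forwarding and the rules are in place.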
Great work Apollo77. I'd be happy to distribute this as a Virtual Appliance for you. It would be a shame to see all that work, all that effort not shared with the community.