LinuxQuestions.org
Old 11-25-2009, 09:45 AM   #16
bleargh
Member
 
Registered: Jul 2004
Location: New York, NY
Distribution: Ubuntu
Posts: 67

Rep: Reputation: 16

Yeah, speed's not that important. I'd be connecting through Wi-Fi nodes only, so I want everything encrypted. I'll try to set this up when I have some time to spend. Thanks for the info!
 
Old 11-26-2009, 06:35 PM   #17
yyz
LQ Newbie
 
Registered: Aug 2003
Location: Toronto, ON Canada
Distribution: Kubuntu
Posts: 7

Rep: Reputation: 0
Apollo77,

Is this setup still working for you? Are you on Rogers or Fido? I thought both Fido and Rogers have blocked vpn on cellular network since last month and it's now only available as 10$ add-on on Rogers... (http://www.howardforums.com/showthread.php?t=1573850)

I'm looking for a way to access Pandora radio from iPhone in Canada... Would you have some ideas on how to extend your setup to achieve this? It would certainly make your go commute much more pleasant.

Thanks,
yyz
 
Old 11-27-2009, 10:24 AM   #18
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
I'm on Rogers. I used the VPN today. It's still working in Toronto and I'm not paying extra. Same deal on tethering ... I see it on the bill, but they don't charge me yet. Maybe it depends on your package. I've got 6 gigs per month. After ripoff fees and taxes I'm paying $100. Maybe VPN blocking is coming.

If they start blocking my VPN I'll need to use an SSH tunnel instead. That won't be as convenient, but it will serve my purposes for some things I do on the iPhone. I can see what Rogers' motives might be. I've got Skype installed on my iPhone and I've tried it a few times through the VPN over 3G (I think I had to hack something to get it to work on 3G, but I can't recall the details). It doesn't work very well, but potentially Skype could cut into Rogers' regular cell service and use up 3G bandwidth. The day is coming when traditional cell phone service providers need to realize they are now providing data services, not phone call services.

Pandora radio ...
"We are deeply, deeply sorry to say that due to licensing constraints, we can no longer allow access to Pandora for listeners located outside of the U.S."

hmmmm, that's a tough one. They are using IP address to determine country. The only solution I can think of is some kind of proxy scheme based in the US. Maybe it exists. Google it.
 
Old 12-02-2009, 03:55 AM   #19
MidSpeck
LQ Newbie
 
Registered: Jul 2009
Posts: 9

Rep: Reputation: 6
Depends on your default gateway

Quote:
Originally Posted by Apollo77 View Post
I think I am correct in saying once connected to the VPN everything gets routed through the VPN.
Apollo is right. I can't speak for the iPhone since I haven't played with it much, but the way it works for Windows depends on a single setting.
In Windows, "Use default gateway on remote network" is normally set, which means that everything gets routed to the VPN server. If you uncheck that setting, then Windows only routes a single subnet to the VPN server.
 
Old 12-09-2009, 08:20 PM   #20
yyz
LQ Newbie
 
Registered: Aug 2003
Location: Toronto, ON Canada
Distribution: Kubuntu
Posts: 7

Rep: Reputation: 0
@Apollo77

I have the exact same configuration as you do but I can't seem to get L2TP/IPsec working. The IPsec part seems OK as I see the following in auth.log:

Code:
Dec  9 21:05:27 xxxxxx pluto[7500]: "L2TP-PSK-NAT"[2] 24.24.24.24 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec  9 21:05:27 xxxxxx pluto[7500]: "L2TP-PSK-NAT"[2] 24.24.24.24 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0220d810 <0x2b3876b2 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=24.24.24.24:42500 DPD=none}
ipsec verify shows this:

Code:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.22/K2.6.31-16-generic (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
However, no clue what's going on with xl2tpd. All I see is:

Code:
Dec  9 21:05:29 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:30 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:34 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:34 xxxxxx xl2tpd[7924]: Maximum retries exceeded for tunnel 58710.  Closing.
Dec  9 21:05:43 xxxxxx xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:43 xxxxxx xl2tpd[7924]: Connection 3 closed to 24.24.24.24, port 49201 (Timeout)
Dec  9 21:05:48 xxxxxx xl2tpd[7924]: Unable to deliver closing message for tunnel 58710. Destroying anyway.
Any idea what might be wrong? The only difference that I'm aware of is that Bell's crappy 2wire modem wouldn't let me forward protocol 50. Could that be the issue here?

Thanks!
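An added example (not part of yyz's post, and not code from the Openswan or xl2tpd projects) that separates the two diagnoses from a syslog excerpt like the one above: it looks for pluto's "IPsec SA established" line, then for xl2tpd's failure markers ("Peer requested tunnel ... twice", "Maximum retries exceeded", "(Timeout)"), and separately reads the NATD field to tell whether the SA came up through NAT-T. The log lines embedded below are constructed to mirror the shapes posted here, with the hostname replaced by vpnhost and the peer address replaced by the documentation address 203.0.113.10.

```shell
#!/bin/sh
# Added example (not from the thread): classify Openswan pluto and xl2tpd
# syslog lines so an IPsec (phase 2) problem can be told apart from an
# L2TP tunnel-setup problem. Works on any file of syslog lines.

# Write a constructed sample log (shapes copied from the thread, hostname
# and peer address replaced) to the path in $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Dec  9 21:05:27 vpnhost pluto[7500]: "L2TP-PSK-NAT"[2] 203.0.113.10 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec  9 21:05:27 vpnhost pluto[7500]: "L2TP-PSK-NAT"[2] 203.0.113.10 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0220d810 <0x2b3876b2 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=203.0.113.10:42500 DPD=none}
Dec  9 21:05:29 vpnhost xl2tpd[7924]: control_finish: Peer requested tunnel 3 twice, ignoring second one.
Dec  9 21:05:34 vpnhost xl2tpd[7924]: Maximum retries exceeded for tunnel 58710.  Closing.
Dec  9 21:05:43 vpnhost xl2tpd[7924]: Connection 3 closed to 203.0.113.10, port 49201 (Timeout)
EOF
}

# Count lines containing the fixed string $1 in file $2 (prints 0 when none;
# grep -c exits 1 on zero matches, so the || true keeps set -e callers happy).
count_matches() {
    grep -c -F -- "$1" "$2" || true
}

# Print a one-word diagnosis for the log file in $1:
#   ipsec-fail  no "IPsec SA established" line, so IKE phase 2 never completed
#   l2tp-fail   IPsec is up but xl2tpd shows tunnel-setup failure markers
#   ok          IPsec is up and no L2TP failure markers were seen
diagnose_vpn_log() {
    log="$1"
    sa_up=$(count_matches "IPsec SA established" "$log")
    l2tp_dup=$(count_matches "Peer requested tunnel" "$log")
    l2tp_retry=$(count_matches "Maximum retries exceeded" "$log")
    l2tp_timeout=$(count_matches "(Timeout)" "$log")
    if [ "$sa_up" -eq 0 ]; then
        echo ipsec-fail
    elif [ "$l2tp_retry" -gt 0 ] || [ "$l2tp_timeout" -gt 0 ] || [ "$l2tp_dup" -gt 0 ]; then
        echo l2tp-fail
    else
        echo ok
    fi
}

# Exit 0 when the established SA line carries a NATD=<ip>:<port> field,
# i.e. pluto detected NAT and ESP is UDP-encapsulated on port 4500, so no
# protocol 50 forwarding is involved. Without NAT the field reads NATD=none.
nat_t_in_use() {
    grep -F "IPsec SA established" "$1" | grep -q 'NATD=[0-9.]*:[0-9]*'
}

tmp=$(mktemp)
make_sample_log "$tmp"
echo "diagnosis: $(diagnose_vpn_log "$tmp")"   # prints l2tp-fail for the constructed sample
if nat_t_in_use "$tmp"; then
    echo "NAT-T in use: ESP is UDP-encapsulated, protocol 50 forwarding not needed"
fi
rm -f "$tmp"
```

The constructed sample yields l2tp-fail, which is the situation above: phase 2 completed, so IKE and (UDP-encapsulated) ESP reached pluto, and the failure lies in xl2tpd's tunnel setup rather than in IPsec. On a real server, concatenate the relevant auth.log and syslog lines into one file and pass that path to diagnose_vpn_log.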
 
Old 12-09-2009, 08:25 PM   #21
yyz
LQ Newbie
 
Registered: Aug 2003
Location: Toronto, ON Canada
Distribution: Kubuntu
Posts: 7

Rep: Reputation: 0
Fido/Rogers blocking vpn

BTW, it seems Fido/Rogers have only blocked PPTP on 3G network (now available as premium service on Rogers). There have been many reports that L2TP/IPSEC still works (this is confirmed by Apollo77 too).
 
Old 12-10-2009, 01:03 PM   #22
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
yyz, I will compare your logs with mine. However, it might be a few days before I get to it (busy time of year).
 
Old 12-14-2009, 12:13 PM   #23
yyz
LQ Newbie
 
Registered: Aug 2003
Location: Toronto, ON Canada
Distribution: Kubuntu
Posts: 7

Rep: Reputation: 0
It's working now!

This issue is resolved now. I got some help from this thread. The problem was that the latest version of Openswan has a bug that causes xl2tpd to fail. Downgrading to version 2.4.12 from the Jaunty release fixed this problem. A small issue that I'm still facing is that if I disconnect and immediately try to reconnect, the connection fails with the same error that I posted before. However, if I try after a few hours or do an ipsec restart, it works again.

Also, I'd like to point out that the protocol 50 (ESP) forwarding isn't required for this to work. I think NAT-T takes care of this.

@Apollo77, thanks a lot for all the configs you posted - they were tremendous help.

Cheers!
YYZ
 
Old 12-15-2009, 10:59 AM   #24
Apollo77
Member
 
Registered: Feb 2003
Location: Toronto
Distribution: RH8 / FC1 / Gentoo / Debian / FreeBSD / Centos / Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 35
Glad you resolved it. I actually tried to send you a private message, but was not able. Since you are in Toronto (as am I), I was going to offer to hand you a copy on a CD of the VMware virtual machine where I run the VPN server. Running this in a VM works quite well and gives it portability.

However, that offer is now off the table (I don't wish to be inundated with requests for it). Perhaps, this could be distributed as a VMware appliance, but I am not volunteering to do this.

Apollo
 
Old 12-30-2009, 11:28 AM   #25
MidSpeck
LQ Newbie
 
Registered: Jul 2009
Posts: 9

Rep: Reputation: 6
Quote:
Originally Posted by yyz View Post
Also, I'd like to point out that the protocol 50 (ESP) forwarding isn't required for this to work. I think NAT-T takes care of this.
Correct, if you are behind a NAT such that your connection must use UDP port 4500 (NAT-T), then proto 50 isn't used directly. Protocol 50 is used when both sides have routable IP addresses.
 
Old 06-24-2010, 04:00 AM   #26
Delcarlos
LQ Newbie
 
Registered: Jun 2010
Posts: 1

Rep: Reputation: 0
Hello,

This post was very useful for me to establish a connection between my iPhone and a remote server.
My IPsec connection is OK, my L2TP connection is OK, I can access my remote network addresses but I can't access other remote internet IP addresses.

I can see some traffic on my interface ppp0 with tcpdump.

I think it's a routing problem or iptables?

Can anyone help me with this issue?
 
Old 06-24-2010, 03:19 PM   #27
MidSpeck
LQ Newbie
 
Registered: Jul 2009
Posts: 9

Rep: Reputation: 6
Quote:
Originally Posted by Delcarlos View Post
I can see some traffic on my interface ppp0 with tcpdump.

I think it's a routing problem or iptables?
If you can see some traffic on ppp0, it's probably exactly what you guessed.
Is ip_forward enabled? (/proc/sys/net/ipv4/ip_forward should be 1)
If so, I would lean toward an iptables issue.
Check your FORWARD chain rules and make sure that ppp0 can talk to the desired network. Conversely, make sure that your internal network can talk to ppp0.

Perhaps your rules would look something like:
-A FORWARD -i ppp+ -p all -j ACCEPT
-A FORWARD -o ppp+ -p all -j ACCEPT
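As an added example, not MidSpeck's own script, here are the two checks from this reply written as shell functions that take files as input so they run offline; on a real server you would pass /proc/sys/net/ipv4/ip_forward and the output of iptables-save. The rule dumps embedded below are constructed: the "blocking" one has a DROP policy on FORWARD and no ppp rule, and the "fixed" one carries the two ppp+ ACCEPT rules suggested above.

```shell
#!/bin/sh
# Added example (not from the thread): check IP forwarding and the FORWARD
# chain for ppp traffic, using files as input so it can run anywhere.
# Real inputs: /proc/sys/net/ipv4/ip_forward and `iptables-save` output.

# Exit 0 when the sysctl file in $1 holds 1.
ip_forward_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# Exit 0 when the FORWARD chain policy in the iptables-save text $1 is DROP,
# in which case explicit ACCEPT rules are needed for the tunnel's traffic.
forward_policy_drops() {
    grep -q '^:FORWARD DROP' "$1"
}

# Exit 0 when FORWARD accepts traffic arriving on a ppp interface
# (-i ppp0 or the wildcard -i ppp+).
forward_accepts_from_ppp() {
    grep -E -q '^-A FORWARD .*-i ppp(0|[+]) .*-j ACCEPT' "$1"
}

# Exit 0 when FORWARD accepts traffic leaving on a ppp interface.
forward_accepts_to_ppp() {
    grep -E -q '^-A FORWARD .*-o ppp(0|[+]) .*-j ACCEPT' "$1"
}

# Print a one-word verdict for ip_forward file $1 and rules dump $2:
#   no-ip-forward   the kernel is not forwarding at all
#   forward-blocked FORWARD drops by default and lacks a ppp ACCEPT rule
#   ok              forwarding is on and ppp traffic is allowed through
check_vpn_forwarding() {
    if ! ip_forward_enabled "$1"; then
        echo no-ip-forward
    elif forward_policy_drops "$2" && ! { forward_accepts_from_ppp "$2" && forward_accepts_to_ppp "$2"; }; then
        echo forward-blocked
    else
        echo ok
    fi
}

# Constructed sample inputs written into directory $1.
write_sample_dumps() {
    printf '1\n' > "$1/ip_forward_on"
    printf '0\n' > "$1/ip_forward_off"
    cat > "$1/rules_blocking" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
EOF
    cat > "$1/rules_fixed" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i ppp+ -p all -j ACCEPT
-A FORWARD -o ppp+ -p all -j ACCEPT
COMMIT
EOF
}

dir=$(mktemp -d)
write_sample_dumps "$dir"
echo "before: $(check_vpn_forwarding "$dir/ip_forward_on" "$dir/rules_blocking")"   # forward-blocked
echo "after:  $(check_vpn_forwarding "$dir/ip_forward_on" "$dir/rules_fixed")"      # ok
rm -rf "$dir"
```

The rule check is deliberately narrow: it looks only at the FORWARD policy and for ACCEPT rules naming a ppp interface, so an earlier DROP or REJECT rule in the chain, or a missing MASQUERADE/SNAT rule for the addresses handed out on ppp0, would still stop traffic reaching the internet even when it reports ok. Treat it as the first two things to rule out, not as proof the firewall is right.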
 
Old 12-03-2010, 09:27 AM   #28
VMsAreGreat
LQ Newbie
 
Registered: Dec 2010
Posts: 1

Rep: Reputation: 0
Tis the season

Quote:
Originally Posted by Apollo77 View Post
Glad you resolved it. I actually tried to send you a private message, but was not able. Since you are in Toronto (as am I), I was going to offer to hand you a copy on a CD of the VMware virtual machine where I run the VPN server. Running this in a VM works quite well and gives it portability.

However, that offer is now off the table (I don't wish to be inundated with requests for it). Perhaps, this could be distributed as a VMware appliance, but I am not volunteering to do this.

Apollo
Great work Apollo77. I'd be happy to distribute this as a Virtual Appliance for you. It would be a shame to see all that work, all that effort not shared with the community.

VMsAreGreat
 