LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 08-10-2011, 01:19 PM   #1
Lord C
Member
 
Registered: Mar 2004
Location: London, UK
Distribution: Ubuntu
Posts: 69

Rep: Reputation: 15
Unhappy Problems with OpenSwan. Cannot get IPSec/L2TP VPN working


Hey all,

I'm having trouble getting OpenSwan VPN to work over L2TP/IPSsec. The server appears to run, but I can't connect from Android or Windows 7.

I've tried a couple of nice tutorials (Tut1 Tut2), but still can't get it working.

First of, this is what I'm running:
openswan-2.6.35 on 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:50 UTC 2011 i686 i686 i386 GNU/Linux

These are my configs:
/etc/ipsec.conf
Code:
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.1.101
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

include /etc/ipsec.d/l2tp-psk.conf
/etc/xl2tpd/xl2tpd.conf
Code:
[global]
ipsec saref = yes
listen-addr = 192.168.1.101

[lns default]
ip range = 192.168.2.10-192.168.2.200
local ip = 192.168.2.1
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
/etc/ppp/options.xl2tpd
Code:
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
mru 1280
mtu 1280
/etc/ppp/chap-secrets
Code:
# user      server      password            ip
test        l2tpd       testpassword        *
/etc/ipsec.d/l2tp-psk.conf
Code:
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        #
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        #
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
        # YourIPAddress  %any: "sharedsecret"
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        left=192.168.1.101
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "0" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port, but propose "0" instead of their port. If this does
        # not work, use 17/%any instead.
        rightprotoport=17/0

# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg ssh)
# will match this passthrough conn.
conn passthrough-for-non-l2tp
        type=passthrough
        left=192.168.1.101
        leftnexthop=192.168.1.1
        right=0.0.0.0
        rightsubnet=0.0.0.0/0
        auto=route
/etc/ipsec.secrets
Code:
192.168.1.101   %any:   PSK     "testing"

~$ sudo ipsec verify
Code:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.35/K2.6.38-8-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
Tailing /var/log/auth.log I can see the below errors...

When I try and connect from a Windows 7 PC with Shrew Soft VPN (IP: 192.168.1.70):
Code:
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: received Vendor ID payload [XAUTH]
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: received Vendor ID payload [RFC 3947] method set to=109
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: received Vendor ID payload [Dead Peer Detection]
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: ignoring unknown Vendor ID payload [f14b94b7bff1fef02773b8c49feded26]
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd8451]
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: ignoring unknown Vendor ID payload [8404adf9cda05760b2ca292e4bff537b]
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: received Vendor ID payload [Cisco-Unity]
Aug 10 19:10:25 OptiPlex-GX270 pluto[23897]: packet from 192.168.1.70:500: initial Aggressive Mode message from 192.168.1.70 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Until negotiation times out.


When I try and connect from an Android phone (IP 192.168.1.103):
Code:
Aug 10 19:12:20 OptiPlex-GX270 pluto[23897]: | payload malformed after IV
Aug 10 19:12:20 OptiPlex-GX270 pluto[23897]: |   90 14 67 8d  35 be 43 9e  9f 92 73 7e  89 4e 63 13
Aug 10 19:12:20 OptiPlex-GX270 pluto[23897]: |   c2 12 27 4c
Aug 10 19:12:20 OptiPlex-GX270 pluto[23897]: "L2TP-PSK-noNAT"[1] 192.168.1.103 #3: sending notification PAYLOAD_MALFORMED to 192.168.1.103:500
Aug 10 19:12:20 OptiPlex-GX270 pluto[23897]: "L2TP-PSK-noNAT"[1] 192.168.1.103 #3: next payload type of ISAKMP Identification Payload has an unknown value: 111
Aug 10 19:12:20 OptiPlex-GX270 pluto[23897]: "L2TP-PSK-noNAT"[1] 192.168.1.103 #3: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
It appears to be two different problems, but I wouldn't be surprised if they were related.

Thanks in advance for any help or advice you can offer.

Cheers
 
  


Reply

Tags
ipsec, l2tp, openswan, pptp, vpn


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Openswan VPN with windows using L2TP mhkhalqani Linux - Networking 0 02-21-2011 01:00 PM
IPSec L2TP VPN server on Ubuntu for iPhone Apollo77 Linux - Networking 27 12-03-2010 09:27 AM
OpenSWAN, L2TP/IPSEC on CentOS 5.5 bderry71 Linux - Server 1 10-05-2010 09:33 PM
L2TP/IPSec/openswan server for iphone help ShadowHywind Linux - Server 3 01-25-2010 04:31 PM
IPsec/L2TP VPN question IPsecLearner Linux - Networking 3 04-19-2005 11:32 AM


All times are GMT -5. The time now is 09:31 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration