LinuxQuestions.org
Old 09-14-2012, 07:52 AM   #1
poorlittlelinuxuser
LQ Newbie
 
Registered: Sep 2012
Posts: 2

L2TP/IPsec VPN connection with client behind NAT


Hi, everyone. I have a problem with my L2TP/IPsec VPN setup.

Map:

My server <---> Internet <---> Router (NAT) <---> My client
(public IP)                    (public IP)        192.168.0.XXX


I used openswan and xl2tpd to set up the VPN server on Debian.

The server received the request properly, but the xl2tpd daemon never received anything.

So I dug out /var/log/auth.log and found the following:

Code:
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: responding to Main Mode from unknown peer MY.CLIENT.IP.ADDRESS
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: STATE_MAIN_R2: sent MR2, expecting MI3
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.102'
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: deleting connection "L2TP-PSK-NAT" instance with peer MY.CLIENT.IP.ADDRESS {isakmp=#0/ipsec=#0}
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: new NAT mapping for #8, was MY.CLIENT.IP.ADDRESS:500, now MY.CLIENT.IP.ADDRESS:4500
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: the peer proposed: VPN.SERVER.IP.ADDRESS/32:17/1701 -> 192.168.0.102/32:17/0
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #9: responding to Quick Mode proposal {msgid:01000000}
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #9:     us: VPN.SERVER.IP.ADDRESS<VPN.SERVER.IP.ADDRESS>[+S=C]:17/1701
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #9:   them: MY.CLIENT.IP.ADDRESS[192.168.0.102,+S=C]:17/1701===192.168.0.102/32
Then it just retries several times and gives up, because the server IP can't connect to 192.168.0.102 :S

I am a newbie to Linux, please help.
 
Old 09-15-2012, 05:28 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,412

This is not so much a Linux problem as an IPsec issue. From the log:
Code:
pluto[4599]: "L2TP-PSK-NAT"[3] MY.CLIENT.IP.ADDRESS #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
OK, so both your PC and the VPN server are behind NAT. That means the server you're trying to establish a connection with has a private IP address, and the public IP belongs to a NATing router that's forwarding the relevant ports and protocols. That should work, as long as both parties adhere to RFC 3947.

Then this happens:
Code:
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: new NAT mapping for #8, was MY.CLIENT.IP.ADDRESS:500, now MY.CLIENT.IP.ADDRESS:4500
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: the peer proposed: VPN.SERVER.IP.ADDRESS/32:17/1701 -> 192.168.0.102/32:17/0
pluto[4599]: "L2TP-PSK-NAT"[4] MY.CLIENT.IP.ADDRESS #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
I haven't seen this particular log format before, but lines 1 and 3 look a bit odd. As for line 1, does "MY.CLIENT.IP.ADDRESS" refer to a private or public IP address? It should be your public IP.

Line 3 looks odd for the same reason, but I'm not sure if the entry says "we'll be using the public server IP rather than 192.168.0.102" or if the addresses refer to connection endpoints. Perhaps someone with more detailed knowledge of the log format can clarify.
 
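As an added example (not code from either poster), a small Python script that reads pluto lines like the ones quoted above and pulls out the points Ser Olmy walks through: the RFC 3947 NAT-T result, the move from UDP 500 to 4500, the ISAKMP SA parameters, and the Quick Mode proposal, flagging the case where the proposed client endpoint is an RFC 1918 address. The sample lines are constructed, with the thread's placeholders replaced by documentation addresses.

```python
import ipaddress
import re

# Constructed sample, modelled on the pluto lines quoted in this thread; the
# MY.CLIENT / VPN.SERVER placeholders are replaced with RFC 5737 addresses.
SAMPLE_LOG = """\
pluto[4599]: "L2TP-PSK-NAT"[3] 198.51.100.7 #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
pluto[4599]: "L2TP-PSK-NAT"[4] 198.51.100.7 #8: new NAT mapping for #8, was 198.51.100.7:500, now 198.51.100.7:4500
pluto[4599]: "L2TP-PSK-NAT"[4] 198.51.100.7 #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[4599]: "L2TP-PSK-NAT"[4] 198.51.100.7 #8: the peer proposed: 203.0.113.10/32:17/1701 -> 192.168.0.102/32:17/0
"""

NAT_RESULT = re.compile(r"NAT-Traversal: Result using RFC 3947 \(NAT-Traversal\): (.+)$")
NAT_MAP = re.compile(r"new NAT mapping for #\d+, was (\S+):(\d+), now (\S+):(\d+)")
SA_EST = re.compile(r"ISAKMP SA established \{(.+)\}")
PROPOSAL = re.compile(r"the peer proposed: (\S+)/32:(\d+)/(\d+) -> (\S+)/32:(\d+)/(\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEAK_GROUPS = {"modp768", "modp1024"}  # DH groups too small for new deployments


def is_rfc1918(addr):
    """True if the dotted-quad string lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def analyse_pluto_log(text):
    """Summarise NAT-T state, the ISAKMP SA and the Quick Mode proposal."""
    f = {"nat_result": None, "nat_port_switch": False, "sa": {}, "proposal": None, "warnings": []}
    for line in text.splitlines():
        if m := NAT_RESULT.search(line):
            f["nat_result"] = m.group(1)
        elif m := NAT_MAP.search(line):
            # RFC 3947 moves IKE from UDP 500 to UDP 4500 once a NAT is detected
            f["nat_port_switch"] = (m.group(2), m.group(4)) == ("500", "4500")
        elif m := SA_EST.search(line):
            f["sa"] = dict(kv.split("=", 1) for kv in m.group(1).split())
            if f["sa"].get("group") in WEAK_GROUPS:
                f["warnings"].append("ISAKMP SA negotiated a weak DH group: " + f["sa"]["group"])
        elif m := PROPOSAL.search(line):
            local, remote = m.group(1), m.group(4)
            f["proposal"] = {"local": local, "remote": remote, "proto": m.group(5), "remote_port": m.group(6)}
            if is_rfc1918(remote) and not is_rfc1918(local):
                f["warnings"].append(f"client endpoint {remote} is an RFC 1918 address behind NAT; "
                                     "the server cannot route to it directly, so L2TP traffic must "
                                     "stay inside the NAT-T (UDP 4500) tunnel to the client's public address")
    return f


if __name__ == "__main__":
    for key, value in analyse_pluto_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```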
Old 09-16-2012, 10:41 PM   #3
poorlittlelinuxuser
LQ Newbie
 
Registered: Sep 2012
Posts: 2

Original Poster
Thanks, Ser Olmy.

The MY.CLIENT.IP.ADDRESS and VPN.SERVER.IP.ADDRESS are both public IP.

It seems the server (public IP) was trying to connect to the client's private IP, which does not make any sense to me.

I will try to put my client in DMZ to see if it works.
 
  

