Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
P
P
ProRunner2012-12-21 22:50:25
VPN
ProRunner, 2012-12-21 22:50:25

IPSEC/L2TP VPN on Ubuntu 12.04.1 on AWS

The problem was solved by using this script specifically for setting up on aws.

I set up PPTP VPN on the Amazon cloud without any problems - everything works.
Now I'm trying to set up an IPSEC / L2TP connection on this topic (then I found another instruction )

At first, when I tried to reload the settings, the console wrote to me (with an empty line in place of the error):

Segmentation fault (core dumped)
failed to start openswan IKE daemon - the following error occured:
Empirically, it turned out that the reason is in the line rightprotoport=17/%any in /etc/ipsec.conf . Changed it to rightprotoport=17/0 (I have no idea what that means). Reloading the settings began to pass without errors. Changed back, magic, but everything works. The possible reason was the lack of a line break in the configuration file. In general, it doesn't matter anymore.

sudo ipsec verify now says:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-31-virtual (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


It seems everything should work, but attempts to connect fail. Win7 writes: "Error 789. The L2TP connection attempt failed due to an error that occurred in the security layer during negotiations with the remote computer."
The iPhone can't connect either.

Here are the settings files (collected from wherever possible):

/etc/rc.local
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE
exit 0


/etc/ipsec.conf
config setup
    dumpdir=/var/run/pluto/ 
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret    
    pfs=no
    auto=add
    keyingtries=3   
    ikelifetime=8h
    keylife=1h
    type=transport   
    left=ELASTIC IP ADDRESS    
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0


/etc/ipsec.secret
ELASTIC IP   %any:  PSK "Passphrase"


/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
listen-addr = ELASTIC IP
port = 1701                                                     ; * Bind to port 1701
auth file = /etc/ppp/chap-secrets       ; * Where our challenge secrets are

[lns default]
ip range = 172.16.1.30-172.16.1.100     ; ip range = range of IPs to give to the connecting clients
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = no                          ; yes for testing
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


/etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx


/etc/ppp/chap-secrets
  user1        pptpd   Pass       *
  user2        l2tpd   Pass       *


It seems to be everything. Does anyone have any ideas what is the reason why this is not working?
And, yes, all tcp and udp ports are open for the instance in the security group for the duration of the experiments. Ubuntu 64 bit.

Here is what auth.log says about a connection attempt:
Hidden text
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: received Vendor ID payload [RFC 3947] method set to=109 
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: initial Main Mode message received on (instance local ip):500 but no connection has been authorized with policy=PSK


UPD: in general, the first problem was that in place of Elastic IP it was necessary to register Private IP 10.xxxx. But it still won't connect.

Log auth.log now:
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: responding to Main Mode from unknown peer (my ip)
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.135'
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: deleting connection "L2TP-PSK-NAT" instance with peer (my ip) {isakmp=#0/ipsec=#0}
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: new NAT mapping for #8, was (my ip):500, now (my ip):4500
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: responding to Quick Mode proposal {msgid:01000000}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x35ff6b7f <0xa773bf4b xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: responding to Quick Mode proposal {msgid:02000000}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: keeping refhim=4294901761 during rekey
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xef37b4d9 <0xfe15824a xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0x35ff6b7f) payload: deleting IPSEC State #9
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: responding to Quick Mode proposal {msgid:03000000}
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: keeping refhim=4294901761 during rekey
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xa91336d8 <0xa61d7729 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0xef37b4d9) payload: deleting IPSEC State #10
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: responding to Quick Mode proposal {msgid:04000000}
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: keeping refhim=4294901761 during rekey
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x3bde910e <0x6886459f xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0xa91336d8) payload: deleting IPSEC State #11
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:13 (instance local ip) sshd[9247]: Accepted publickey for root from (my ip) port 6131 ssh2
Dec 21 22:28:13 (instance local ip) sshd[9247]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 21 22:28:14 (instance local ip) sshd[9247]: subsystem request for sftp by user root
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: responding to Quick Mode proposal {msgid:05000000}
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: keeping refhim=4294901761 during rekey
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xb3583b07 <0x5aad44cc xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0x3bde910e) payload: deleting IPSEC State #12
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
S
Sergey Toy, 2014-01-13
@Toy

Check out the config here . It helped me :-)
True, the iPhone for some reason cannot download applications from the AppStore, maybe you have come across something similar?

Report
R
Rengenius, 2015-07-09
@Rengenius

I also configured this maunal on 14.04, the problem is clearly in the line feed at the end of the config.

Similar questions
M
Michael Sne Bjorn Palagin2015-08-12 13:31:58
How to find yourself in activity? Need tips, your experience? 4Reply
I
Ilya2021-03-23 20:06:11
How to set up IIS and VPN access? 0Reply
L
Legan2019-09-06 01:13:24
Use the IP address from another router to access the Internet. VPN, proxy? 1Reply
Y
yarrybka2019-09-08 17:15:18
TouchVPN plugin not working in Tor browser? 0Reply
I
Ilya Kuznetsov2017-04-13 10:34:17
How to connect zyxel keenetic omni II and zyxel keenetic start using VPN? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question