ProRunner, 2012-12-21 22:50:25

IPSEC/L2TP VPN on Ubuntu 12.04.1 on AWS

The problem was solved by using this script, which is written specifically for setting up on AWS.

I set up a PPTP VPN on the Amazon cloud without any problems; everything works.
Now I'm trying to set up an IPSEC/L2TP connection following this thread (later I found another instruction).

At first, when I tried to reload the settings, the console printed this (with an empty line in place of the error):

Segmentation fault (core dumped)
failed to start openswan IKE daemon - the following error occured:

Empirically, it turned out that the cause was the line rightprotoport=17/%any in /etc/ipsec.conf. I changed it to rightprotoport=17/0 (I have no idea what that means), and reloading the settings started to pass without errors. I changed it back: magic, but everything still works. The likely cause was a missing line break in the configuration file. In any case, it doesn't matter anymore.

sudo ipsec verify now says:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-31-virtual (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


It seems everything should work, but attempts to connect fail. Win7 reports: "Error 789. The L2TP connection attempt failed due to an error that occurred in the security layer during negotiations with the remote computer."
The iPhone can't connect either.

Here are the settings files (collected from wherever possible):

/etc/rc.local
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
iptables --table nat --append POSTROUTING --jump MASQUERADE
exit 0


/etc/ipsec.conf
config setup
    dumpdir=/var/run/pluto/ 
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret    
    pfs=no
    auto=add
    keyingtries=3   
    ikelifetime=8h
    keylife=1h
    type=transport   
    left=ELASTIC IP ADDRESS    
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/0


/etc/ipsec.secret
ELASTIC IP   %any:  PSK "Passphrase"


/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
listen-addr = ELASTIC IP
port = 1701                                                     ; * Bind to port 1701
auth file = /etc/ppp/chap-secrets       ; * Where our challenge secrets are

[lns default]
ip range = 172.16.1.30-172.16.1.100     ; ip range = range of IPs to give to the connecting clients
local ip = 172.16.1.1
refuse pap = yes
require authentication = yes
ppp debug = no                          ; yes for testing
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


/etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
mtu 1200
mru 1000
crtscts
hide-password
modem
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
noipx


/etc/ppp/chap-secrets
  user1        pptpd   Pass       *
  user2        l2tpd   Pass       *


That seems to be everything. Does anyone have any idea why this is not working?
And yes, all TCP and UDP ports are open for the instance in the security group for the duration of the experiments. Ubuntu 64-bit.

Here is what auth.log says about a connection attempt:
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: received Vendor ID payload [RFC 3947] method set to=109 
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [FRAGMENTATION]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [Vid-Initial-Contact]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: ignoring Vendor ID payload [IKE CGA version 1]
Dec 21 20:26:00 (instance local ip) pluto[5222]: packet from (my ip):500: initial Main Mode message received on (instance local ip):500 but no connection has been authorized with policy=PSK


UPD: the first problem turned out to be that, in place of the Elastic IP, the private IP 10.xxxx had to be specified. But it still won't connect.

auth.log now says:
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: responding to Main Mode from unknown peer (my ip)
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.135'
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[3] (my ip) #8: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: deleting connection "L2TP-PSK-NAT" instance with peer (my ip) {isakmp=#0/ipsec=#0}
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: new NAT mapping for #8, was (my ip):500, now (my ip):4500
Dec 21 22:27:59 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: responding to Quick Mode proposal {msgid:01000000}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #9: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x35ff6b7f <0xa773bf4b xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: responding to Quick Mode proposal {msgid:02000000}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: keeping refhim=4294901761 during rekey
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xef37b4d9 <0xfe15824a xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0x35ff6b7f) payload: deleting IPSEC State #9
Dec 21 22:28:00 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: responding to Quick Mode proposal {msgid:03000000}
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: keeping refhim=4294901761 during rekey
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #11: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xa91336d8 <0xa61d7729 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0xef37b4d9) payload: deleting IPSEC State #10
Dec 21 22:28:03 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: responding to Quick Mode proposal {msgid:04000000}
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: keeping refhim=4294901761 during rekey
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x3bde910e <0x6886459f xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0xa91336d8) payload: deleting IPSEC State #11
Dec 21 22:28:07 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
Dec 21 22:28:13 (instance local ip) sshd[9247]: Accepted publickey for root from (my ip) port 6131 ssh2
Dec 21 22:28:13 (instance local ip) sshd[9247]: pam_unix(sshd:session): session opened for user root by (uid=0)
Dec 21 22:28:14 (instance local ip) sshd[9247]: subsystem request for sftp by user root
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: the peer proposed: 107.21.125.170/32:17/1701 -> 192.168.1.135/32:17/0
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: responding to Quick Mode proposal {msgid:05000000}
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13:     us: (instance local ip)<(instance local ip)>[+S=C]:17/1701
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13:   them: (my ip)[192.168.1.135,+S=C]:17/0===192.168.1.135/32
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: keeping refhim=4294901761 during rekey
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 4500 don't match. Using that_client port.
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #13: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xb3583b07 <0x5aad44cc xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=(my ip):4500 DPD=none}
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received Delete SA(0x3bde910e) payload: deleting IPSEC State #12
Dec 21 22:28:15 (instance local ip) pluto[9175]: "L2TP-PSK-NAT"[4] (my ip) #8: received and ignored informational message
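The two auth.log excerpts above are the useful evidence in this post: the first one stops at "no connection has been authorized with policy=PSK" (Phase 1 never starts because no conn matches the address the packet arrived on), the second one shows Main Mode and Quick Mode both completing and the client then deleting and rebuilding the IPsec SA every few seconds, which means the IPsec layer is fine and the failure sits above it in L2TP/PPP. The following Python script is an added example, not code from the post or from Openswan; it parses pluto's syslog format into events, counts those milestones and turns them into a verdict. The log lines in it are constructed from the excerpts above, with documentation placeholder addresses instead of the questioner's hosts.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Openswan pluto syslog format seen in the question:
#   "<month> <day> <time> <host> pluto[<pid>]: <message>"
# where <message> is either a per-connection line
#   "<conn>"[<instance>] <peer> #<state>: <text>
# or, before a conn is matched, "packet from <peer>:<port>: <text>".
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: (?P<msg>.*)$')
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<text>.*)$')
PKT_RE = re.compile(r'^packet from (?P<peer>\S+): (?P<text>.*)$')


@dataclass
class PlutoEvent:
    ts: str
    conn: Optional[str]
    peer: Optional[str]
    state: Optional[int]
    text: str


def parse_pluto_line(line: str) -> Optional[PlutoEvent]:
    """Return a PlutoEvent for a pluto line, or None for anything else
    (sshd and other auth.log entries are skipped this way)."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    msg = m.group('msg')
    c = CONN_RE.match(msg)
    if c:
        return PlutoEvent(m.group('ts'), c.group('conn'), c.group('peer'),
                          int(c.group('state')), c.group('text'))
    p = PKT_RE.match(msg)
    if p:
        return PlutoEvent(m.group('ts'), None, p.group('peer'), None, p.group('text'))
    return PlutoEvent(m.group('ts'), None, None, None, msg)


# Message fragments that mark the milestones of an IKEv1 L2TP/IPsec handshake.
MARKERS = {
    'no_policy':          'no connection has been authorized',   # Phase 1: no conn matched
    'isakmp_established': 'ISAKMP SA established',               # Phase 1 complete
    'ipsec_established':  'IPsec SA established',                # Phase 2 complete
    'delete_sa':          'received Delete SA',                  # peer tore the SA down
}


def summarize(log_text: str) -> dict:
    """Count how often each milestone appears in a block of auth.log text."""
    counts = {key: 0 for key in MARKERS}
    for line in log_text.splitlines():
        ev = parse_pluto_line(line)
        if ev is None:
            continue
        for key, fragment in MARKERS.items():
            if fragment in ev.text:
                counts[key] += 1
    return counts


def diagnose(counts: dict) -> str:
    """Map the milestone counts to a short verdict."""
    if counts['no_policy']:
        # Phase 1 never starts: no conn has a left= matching the address the
        # packet arrived on (on EC2 that is the instance's private address).
        return 'phase1-no-matching-conn'
    if counts['ipsec_established'] and counts['delete_sa'] >= 2:
        # Both phases succeed and the client keeps deleting and rebuilding SAs:
        # IPsec is fine, so look at what rides on top of it (xl2tpd on udp/1701, ppp).
        return 'ipsec-ok-check-l2tp'
    if counts['isakmp_established'] and not counts['ipsec_established']:
        return 'phase2-failing'
    if counts['ipsec_established']:
        return 'ipsec-ok'
    return 'no-ike-traffic'


# Constructed samples modelled on the two auth.log excerpts in the question;
# the addresses are documentation placeholders, not real hosts.
BEFORE_FIX = """\
Dec 21 20:26:00 ip-10-0-0-5 pluto[5222]: packet from 203.0.113.7:500: received Vendor ID payload [RFC 3947] method set to=109
Dec 21 20:26:00 ip-10-0-0-5 pluto[5222]: packet from 203.0.113.7:500: initial Main Mode message received on 10.0.0.5:500 but no connection has been authorized with policy=PSK
"""
AFTER_FIX = """\
Dec 21 22:27:59 ip-10-0-0-5 pluto[9175]: "L2TP-PSK-NAT"[4] 203.0.113.7 #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Dec 21 22:28:00 ip-10-0-0-5 pluto[9175]: "L2TP-PSK-NAT"[4] 203.0.113.7 #9: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x35ff6b7f <0xa773bf4b xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=203.0.113.7:4500 DPD=none}
Dec 21 22:28:00 ip-10-0-0-5 pluto[9175]: "L2TP-PSK-NAT"[4] 203.0.113.7 #10: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xef37b4d9 <0xfe15824a xfrm=AES_128-HMAC_SHA1 NATOA=192.168.1.135 NATD=203.0.113.7:4500 DPD=none}
Dec 21 22:28:00 ip-10-0-0-5 pluto[9175]: "L2TP-PSK-NAT"[4] 203.0.113.7 #8: received Delete SA(0x35ff6b7f) payload: deleting IPSEC State #9
Dec 21 22:28:03 ip-10-0-0-5 pluto[9175]: "L2TP-PSK-NAT"[4] 203.0.113.7 #8: received Delete SA(0xef37b4d9) payload: deleting IPSEC State #10
Dec 21 22:28:13 ip-10-0-0-5 sshd[9247]: Accepted publickey for root from 203.0.113.7 port 6131 ssh2
"""

if __name__ == '__main__':
    for name, sample in (('before', BEFORE_FIX), ('after', AFTER_FIX)):
        print(name, summarize(sample), diagnose(summarize(sample)))
```

Run it against a real file with `summarize(open('/var/log/auth.log').read())`; the verdict for the second excerpt is 'ipsec-ok-check-l2tp', which is the cue to stop staring at ipsec.conf and check that xl2tpd is actually bound to udp/1701 on the address the SA terminates on.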

2 answer(s)
Sergey Toy, 2014-01-13

Check out the config here. It helped me :-)
True, the iPhone for some reason cannot download applications from the AppStore; maybe you have come across something similar?

Rengenius, 2015-07-09

I also set this up from this manual on 14.04; the problem is clearly the line feed at the end of the config.
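Two findings in this thread are cheap to check mechanically before touching the daemons: the questioner's UPD (on EC2 the elastic IP is a 1:1 NAT in front of the instance, so left= in ipsec.conf and listen-addr in xl2tpd.conf must carry the instance's private 10.x address, not the elastic IP) and this answer (the config has to end with a line feed or Openswan fails to start). The Python below is an added example, not code from the thread or from either project; it lints the two config bodies for exactly those conditions and returns finding codes. The config snippets inside it are constructed with placeholder addresses.

```python
import ipaddress
import re

# Private ranges EC2 assigns to instance interfaces. The elastic IP is NATed to
# one of these and never appears on a local interface, so neither Openswan nor
# xl2tpd can bind to it.
RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def has_trailing_newline(text: str) -> bool:
    """The thread blames a config whose last line has no line feed for the
    'failed to start openswan IKE daemon' error."""
    return text.endswith('\n')


def lint_ipsec_conf(text: str) -> list:
    """Return finding codes for an ipsec.conf body; an empty list means clean."""
    findings = []
    if not has_trailing_newline(text):
        findings.append('no-trailing-newline')
    for m in re.finditer(r'^\s*left=(\S+)', text, re.MULTILINE):
        value = m.group(1)
        if value.startswith('%'):
            continue  # left=%defaultroute and similar are resolved by Openswan itself
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            findings.append('left-not-an-ip:' + value)   # e.g. a placeholder left in place
            continue
        if not any(addr in net for net in RFC1918):
            findings.append('left-not-rfc1918:' + value)  # an elastic/public IP on EC2
    return findings


def lint_xl2tpd_conf(text: str, ipsec_left: str) -> list:
    """xl2tpd must listen on the same address Openswan terminates the
    transport-mode SA on (the value of left= in ipsec.conf)."""
    findings = []
    if not has_trailing_newline(text):
        findings.append('no-trailing-newline')
    m = re.search(r'^\s*listen-addr\s*=\s*(\S+)', text, re.MULTILINE)
    if m and m.group(1) != ipsec_left:
        findings.append('listen-addr-mismatch:' + m.group(1))
    return findings


# Constructed inputs shaped like the question's configs, with placeholder values.
BAD_CONF = ('config setup\n    protostack=netkey\n\n'
            'conn L2TP-PSK-noNAT\n    left=203.0.113.10\n    leftprotoport=17/1701')
GOOD_CONF = ('config setup\n    protostack=netkey\n\n'
             'conn L2TP-PSK-noNAT\n    left=10.0.0.5\n    leftprotoport=17/1701\n')
XL2TPD_CONF = '[global]\nipsec saref = yes\nlisten-addr = 10.0.0.5\nport = 1701\n'

if __name__ == '__main__':
    print('bad ipsec.conf :', lint_ipsec_conf(BAD_CONF))
    print('good ipsec.conf:', lint_ipsec_conf(GOOD_CONF))
    print('xl2tpd.conf    :', lint_xl2tpd_conf(XL2TPD_CONF, '10.0.0.5'))
```

Point the functions at the real files with `lint_ipsec_conf(open('/etc/ipsec.conf').read())`; the checks are deliberately narrow and do not replace `ipsec verify`, they only catch the two mistakes this thread turned up.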
