Network administration
NO_GLITCH, 2015-01-07 20:29:59

Where to look for errors in the settings of openswan, l2tp and in general :)?

Hello!
Amazon EC2 Ubuntu server.
Installed packages: openswan, xl2tpd, ppp.
To connect to the server I use Mac OS 10.10.
Here is part of the server log /var/log/auth.log:

Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [RFC 3947] method set to=115 
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: received Vendor ID payload [Dead Peer Detection]
Jan  7 16:37:59 SERVERHOSTNAME pluto[2574]: packet from CLI.ENT.IP.ADDR:500: initial Main Mode message received on INTER.FACE.IP.ADDR:500 but no connection has been authorized with policy=PSK

Here is part of the log on Mac OS X:
Jan  7 19:45:00 MacBook-Pro-Username.local pppd[68296]: L2TP connecting to server 'SER.VER.IP.ADDR' (SER.VER.IP.ADDR)...
Jan  7 19:45:00 MacBook-Pro-Username.local pppd[68296]: IPSec connection started
Jan  7 19:45:00 MacBook-Pro-Username.local racoon[68299]: accepted connection on vpn control socket.
Jan  7 19:45:00 --- last message repeated 1 time ---
Jan  7 19:45:00 MacBook-Pro-Username.local racoon[68299]: Connecting.
Jan  7 19:45:00 MacBook-Pro-Username.local racoon[68299]: IPSec Phase 1 started (Initiated by me).
Jan  7 19:45:00 --- last message repeated 1 time ---
Jan  7 19:45:00 MacBook-Pro-Username.local racoon[68299]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
Jan  7 19:45:00 MacBook-Pro-Username.local racoon[68299]: >>>>> phase change status = Phase 1 started by us
Jan  7 19:45:03 --- last message repeated 1 time ---
Jan  7 19:45:03 MacBook-Pro-Username.local racoon[68299]: IKE Packet: transmit success. (Phase 1 Retransmit).
Jan  7 19:45:10 --- last message repeated 2 times ---
Jan  7 19:45:10 MacBook-Pro-Username.local pppd[68296]: IPSec connection failed
Jan  7 19:45:10 MacBook-Pro-Username.local racoon[68299]: IPSec disconnecting from server SER.VER.IP.ADDR
Jan  7 19:45:10 --- last message repeated 1 time ---
Jan  7 19:45:10 MacBook-Pro-Username.local racoon[68299]: glob found no matches for path "/var/run/racoon/*.conf"
Jan  7 19:45:10 MacBook-Pro-Username.local nesessionmanager[68115]: NESMLegacySession[VPN (L2TP):91C66AEF-56D2-458D-B017-5D88F2D19993]: status changed to disconnecting
Jan  7 19:45:10 MacBook-Pro-Username.local nesessionmanager[68115]: NESMLegacySession[VPN (L2TP):91C66AEF-56D2-458D-B017-5D88F2D19993]: status changed to disconnected, last stop reason 0

IPsec Settings
version 2.0
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=YOUR.SERVER.IP.ADDRESS
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

L2TP Settings
[global]
ipsec saref = yes

[lns default]
ip range = 10.1.2.2-10.1.2.255
local ip = 10.1.2.1
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

PPP settings
require-mschap-v2
ms-dns 8.8.8.8
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

FILE /etc/rc.local
iptables --table nat --append POSTROUTING --jump MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
for each in /proc/sys/net/ipv4/conf/*
do
    echo 0 > $each/accept_redirects
    echo 0 > $each/send_redirects
done
/etc/init.d/ipsec restart

1 answer(s)
NO_GLITCH, 2015-01-08
@NO_GLITCH

The problem was that I used the external IP of the VPS instead of the IP behind the Amazon NAT...
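The pluto line "initial Main Mode message received on INTER.FACE.IP.ADDR:500 but no connection has been authorized with policy=PSK" is the symptom of exactly the mistake described in the answer: on EC2 the instance only owns its private VPC address, the public Elastic IP is applied by Amazon's NAT, so a conn whose `left=` is the public address never matches the interface the packet arrived on and pluto refuses the PSK negotiation. The script below is an added example, not code from the question, the answer or the openswan project: it parses an ipsec.conf in the format shown above (resolving `also=` the way the `ipsec.conf` man page describes, with the including section's own keys taking precedence), compares each conn's `left=` with the addresses actually configured on the host, and counts the "no connection has been authorized" lines in an auth.log excerpt. The sample config, the sample log lines and the 203.0.113.10 / 10.0.1.5 addresses are constructed for the example; `local_addresses()` assumes a Linux host with the `ip` tool.

```python
"""Audit an openswan ipsec.conf for the EC2 'left=' pitfall (example code)."""
import re
import subprocess

# Constructed sample: public address in left=, as in the original mistake.
SAMPLE_CONF = """\
version 2.0
config setup
    nat_traversal=yes
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    auto=add
    type=transport
    left=203.0.113.10
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
"""

# Constructed auth.log excerpt (addresses replaced with RFC 5737 documentation space).
SAMPLE_LOG = """\
Jan  7 16:37:59 host pluto[2574]: packet from 198.51.100.7:500: received Vendor ID payload [Dead Peer Detection]
Jan  7 16:37:59 host pluto[2574]: packet from 198.51.100.7:500: initial Main Mode message received on 10.0.1.5:500 but no connection has been authorized with policy=PSK
"""

UNAUTHORIZED_RE = re.compile(
    r"initial Main Mode message received on (\S+):\d+ but no connection has been authorized")


def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}, 'config setup': {...}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header or 'version'
            parts = line.split()
            if parts[0] in ("conn", "config") and len(parts) >= 2:
                current = f"{parts[0]} {parts[1]}"
                sections[current] = {}
            else:
                current = None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name, _seen=None):
    """Flatten a conn by pulling in also= sections; the including conn's keys win."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        raise ValueError(f"also= loop at conn {name}")
    _seen.add(name)
    own = dict(sections.get(f"conn {name}", {}))
    merged = {}
    for other in own.pop("also", "").split():
        merged.update(resolve_conn(sections, other, _seen))
    merged.update(own)
    return merged


def local_addresses():
    """IPv4 addresses configured on this Linux host (reads `ip -4 -o addr`)."""
    out = subprocess.run(["ip", "-4", "-o", "addr"], capture_output=True, text=True, check=True).stdout
    return set(re.findall(r"\binet (\d+\.\d+\.\d+\.\d+)", out))


def check_left(conn, addresses):
    """Findings for a resolved conn: left= must be an address pluto can bind to."""
    left = conn.get("left")
    if left is None or left.startswith("%"):           # %defaultroute / %any: pluto picks
        return []
    if left not in addresses:
        return [f"left={left} is not configured on any local interface; "
                f"on EC2 use the private VPC address (seen here: {sorted(addresses)})"]
    return []


def unauthorized_peers(log_text):
    """Map interface address -> count of refused Main Mode requests in auth.log lines."""
    counts = {}
    for line in log_text.splitlines():
        m = UNAUTHORIZED_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def audit(conf_text, addresses, log_text=""):
    """Run the left= check over every conn and summarise the log evidence."""
    sections = parse_ipsec_conf(conf_text)
    findings = {}
    for key in sections:
        if key.startswith("conn "):
            name = key.split(" ", 1)[1]
            findings[name] = check_left(resolve_conn(sections, name), addresses)
    return {"findings": findings, "refused_on": unauthorized_peers(log_text)}


if __name__ == "__main__":
    # Against the constructed sample; swap in open('/etc/ipsec.conf').read() and local_addresses().
    print(audit(SAMPLE_CONF, {"10.0.1.5"}, SAMPLE_LOG))
```

When `refused_on` lists the same private address that `findings` says is missing from `left=`, the fix is the one the answer gives: set `left=` to the instance's private address (or `left=%defaultroute`) and restart ipsec; the public Elastic IP only ever appears to the client.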
