Hi folks, I'm trying to connect an iPad via L2TP-over-IPsec VPN to an Ubuntu 10.4 machine, using Niels Peen's description of how he connected his iPhone: http://peen.net/linux-l2tpipsec-with-iphone-and-mac-osx-clien Looks like IPsec starts correctly (at least I see ESP packets), but the L2TP tunnel does not get established. If I change MySecret on one side only, no ESP packets are seen. Changing MySecret2 doesn't make a difference.
Well, I'm not that sure that IPsec starts correctly. But according to the many docs I read, L2TP is accessed through the established IPsec, and also xl2tpd doesn't talk until I see the first ESP packet in tcpdump. I tried to use the iPad's pure-IPsec configuration, and no ESP packets were seen. So I concluded that with L2TP-over-IPsec I was one step closer to the goal ;-)

The Ubuntu machine has two ethernet interfaces:
eth0  123.123.123.123  with alias eth0:111  111.111.111.111
eth1  192.168.1.111

Here you can see how the daemons get started in my test scenario and what xl2tpd says:

Ubuntu# XDAEMON=no ; echo; echo; echo ========================================================================; /etc/init.d/ipsec stop; /etc/init.d/isakmpd stop; /etc/init.d/xl2tpd stop; sleep 2; /etc/init.d/ipsec start; /etc/init.d/isakmpd start; if test $XDAEMON = yes; then /etc/init.d/xl2tpd start; echo; tcpdump -ni eth0 host 111.111.111.111; else xl2tpd -D; fi;

========================================================================
Stopping strongSwan IPsec...
Stopping OpenBSD isakmpd: done
Stopping xl2tpd: xl2tpd.
Starting strongSwan 4.4.0 IPsec [starter]...
Starting OpenBSD isakmpd: done
xl2tpd[10217]: setsockopt recvref[22]: Protocol not available
xl2tpd[10217]: This binary does not support kernel L2TP.
xl2tpd[10217]: xl2tpd version xl2tpd-1.2.6 started on bu44 PID:10217
xl2tpd[10217]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[10217]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[10217]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[10217]: Forked again by Xelerance (www.xelerance.com) (C) 2006
xl2tpd[10217]: Listening on IP address 0.0.0.0, port 1701
===== here we wait until the iPad attempts to connect =====
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 55789
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 21469
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 1085
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: Maximum retries exceeded for tunnel 32809. Closing.
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 14964
xl2tpd[10217]: build_fdset: closing down tunnel 32809
xl2tpd[10217]: Connection 54 closed to 77.24.129.184, port 57551 (Timeout)
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 3236
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: network_thread: select timeout
xl2tpd[10217]: Unable to deliver closing message for tunnel 32809. Destroying anyway.
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 25612
xl2tpd[10217]: build_fdset: closing down tunnel 32809
xl2tpd[10217]: death_handler: Fatal signal 2 received
===== the iPad says: "no response from server" - so I hit ^C here =====

tcpdump output during that period of time:

Ubuntu# tcpdump -ni eth0 host 111.111.111.111
10:15:22.529266 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 1 I ident
10:15:22.529690 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 1 R ident
10:15:23.027015 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 1 I ident
10:15:23.032999 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 1 R ident
10:15:23.406984 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 1 I ident[E]
10:15:23.407170 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 1 R ident[E]
10:15:25.047469 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 2/others I oakley-quick[E]
10:15:25.047774 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 2/others R oakley-quick[E]
10:15:25.364617 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 2/others I oakley-quick[E]
10:15:25.488259 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x1), length 116
10:15:26.247486 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x2), length 116
10:15:28.371692 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x3), length 116
10:15:32.389628 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x4), length 116
10:15:36.548088 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x5), length 116
10:15:40.530105 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x6), length 116
10:15:44.548000 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x7), length 116
===== interestingly enough: when I stopped the daemons later, some packets were sent: =====
10:19:24.400095 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 2/others R inf[E]
10:19:24.406601 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 2/others R inf[E]
10:19:25.765636 IP 77.24.129.184 > 111.111.111.111: ICMP 77.24.129.184 udp port 500 unreachable, length 36
10:19:25.948604 IP 77.24.129.184 > 111.111.111.111: ICMP 77.24.129.184 udp port 500 unreachable, length 36

Some config files:

============================================
ipsec.conf:
---------------------
# ipsec.conf - strongSwan IPsec configuration file

config setup
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=yes
        plutostart=yes

conn L2TP
        authby=psk
        pfs=no
        rekey=no
        type=tunnel
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=111.111.111.111
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnetwithin=0.0.0.0/0
        auto=add
============================================

============================================
/etc/ipsec.secrets :
---------------------
# This file holds shared secrets or RSA private keys for inter-Pluto
# ...
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc    # doesn't exist, no effect omitting it

111.111.111.111 %any: PSK "MySecret"
============================================

============================================
/etc/xl2tpd/xl2tpd.conf:
---------------------
[global]
;debug avp = yes
debug network = yes
;debug packet = no
;debug state = yes
debug tunnel = yes

[lns default]
ip range = 192.168.1.1-192.168.1.20      ; * changed 2011.0621 ak
local ip = 111.111.111.111               ; * Our local IP to use - set 2011.0621 ak
require chap = yes
refuse pap = yes
require authentication = yes
name = test02
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
============================================

============================================
/etc/xl2tpd/l2tp-secrets:
---------------------
# Secrets for authenticating l2tp tunnels
# us      them    secret
# *       marko   blah2
# zeus    marko   blah
# *       *       interop
* * MySecret2 *
============================================

If anyone can point me to a way to set up a pure IPsec configuration, I'll be happy - that will give the opportunity to connect more than one road warrior without making the preshared key a "public key".

Thank you for any help!
Andreas

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
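A triage script for the capture and log quoted in the post, as an added example (not code from the post, nor from strongSwan or xl2tpd). It reads the text that tcpdump -n and xl2tpd -D print, counts ISAKMP and ESP packets per direction relative to the server address, and counts xl2tpd's "Peer requested tunnel N twice" messages. Read together, the post's own data say more than "IPsec is up": every ESP packet is inbound (seq 1 to 7 from 77.24.129.184) and none leaves 111.111.111.111, while xl2tpd reports tunnel ID 54 requested over and over, which is the iPad retransmitting its L2TP SCCRQ because the server's SCCRP never reaches it. Both observations point at the server's reply path, not at IKE. The server address, the trimmed sample lines (copied from the post) and the wording of the findings are assumptions of the example. One caveat worth checking in that setup: a capture filtered on host 111.111.111.111 cannot show replies that leave from eth0's primary address 123.123.123.123, so a wider filter such as esp or udp port 500 or udp port 1701, and xl2tpd's listen-addr setting, are the first things to look at.

```python
"""Triage an L2TP/IPsec connection attempt from tcpdump output and an xl2tpd log.

Added example, not code from the original post: it parses the text that
"tcpdump -n" and "xl2tpd -D" print, counts IKE and ESP packets per direction
relative to the VPN server, and checks whether xl2tpd keeps seeing the same
L2TP tunnel ID requested again (the client retransmitting its SCCRQ because
no SCCRP came back).  The sample input below is trimmed from the post above.
"""
import re
from collections import Counter

SERVER = "111.111.111.111"  # server address used in the post (assumption for the example)

# tcpdump -n line: "<ts> IP <src>[.<port>] > <dst>[.<port>]: <protocol text>"
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
# xl2tpd's message when a new SCCRQ carries a tunnel ID it already allocated
REPEAT_RE = re.compile(r"Peer requested tunnel (\d+) twice")

# Sample input, copied (and trimmed) from the capture and log quoted in the post.
SAMPLE_TCPDUMP = """\
10:15:22.529266 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 1 I ident
10:15:22.529690 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 1 R ident
10:15:23.406984 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 1 I ident[E]
10:15:23.407170 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 1 R ident[E]
10:15:25.047469 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 2/others I oakley-quick[E]
10:15:25.047774 IP 111.111.111.111.500 > 77.24.129.184.500: isakmp: phase 2/others R oakley-quick[E]
10:15:25.364617 IP 77.24.129.184.500 > 111.111.111.111.500: isakmp: phase 2/others I oakley-quick[E]
10:15:25.488259 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x1), length 116
10:15:26.247486 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x2), length 116
10:15:28.371692 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x3), length 116
10:15:32.389628 IP 77.24.129.184 > 111.111.111.111: ESP(spi=0x84273831,seq=0x4), length 116
"""

SAMPLE_XL2TPD = """\
xl2tpd[10217]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: build_fdset: closing down tunnel 55789
xl2tpd[10217]: network_thread: recv packet from 77.24.129.184, size = 60, tunnel = 0, call = 0 ref=0 refhim=0
xl2tpd[10217]: get_call: allocating new tunnel for host 77.24.129.184, port 57551.
xl2tpd[10217]: control_finish: Peer requested tunnel 54 twice, ignoring second one.
xl2tpd[10217]: Maximum retries exceeded for tunnel 32809. Closing.
"""


def parse_tcpdump(text):
    """Return one dict per recognised tcpdump line; lines that don't match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        if rest.startswith("isakmp:"):
            kind = "isakmp"
        elif rest.startswith("ESP("):
            kind = "esp"
        elif rest.startswith("ICMP"):
            kind = "icmp"
        else:
            kind = "other"
        pkts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "kind": kind, "info": rest})
    return pkts


def parse_xl2tpd(text):
    """Count L2TP control packets received, repeated tunnel requests and retry exhaustion."""
    events = Counter()
    repeated_ids = set()
    for line in text.splitlines():
        if "recv packet from" in line:
            events["l2tp_ctrl_in"] += 1
        m = REPEAT_RE.search(line)
        if m:  # same tunnel ID again: the peer retransmitted SCCRQ, so it saw no SCCRP
            events["sccrq_repeat"] += 1
            repeated_ids.add(int(m.group(1)))
        if "Maximum retries exceeded" in line:
            events["max_retries"] += 1
    return events, repeated_ids


def analyse(tcpdump_text, xl2tpd_text, server=SERVER):
    """Combine both views and return per-direction counts plus a list of findings."""
    counts = Counter()
    for p in parse_tcpdump(tcpdump_text):
        direction = "in" if p["dst"] == server else "out"
        if p["kind"] == "isakmp":
            phase = "phase1" if "phase 1" in p["info"] else "phase2"
            counts[f"ike_{phase}_{direction}"] += 1
        elif p["kind"] == "esp":
            counts[f"esp_{direction}"] += 1
    events, repeated_ids = parse_xl2tpd(xl2tpd_text)

    keys = ("ike_phase1_in", "ike_phase1_out", "ike_phase2_in", "ike_phase2_out", "esp_in", "esp_out")
    result = {k: counts[k] for k in keys}
    result.update({k: events[k] for k in ("l2tp_ctrl_in", "sccrq_repeat", "max_retries")})
    result["repeated_tunnel_ids"] = sorted(repeated_ids)

    findings = []
    if result["ike_phase1_out"] == 0:
        findings.append("no IKE phase 1 reply from the server: check ike=, the PSK and UDP/500 filtering")
    elif result["ike_phase2_out"] == 0:
        findings.append("phase 1 completed but no quick-mode reply: check leftprotoport/rightsubnetwithin/esp=")
    elif result["esp_in"] > 0 and result["esp_out"] == 0:
        findings.append("ESP arrives but nothing is sent back inside the tunnel: check the source address "
                        "xl2tpd replies from (listen-addr) against the IPsec policy, and widen the capture filter")
    if result["sccrq_repeat"]:
        findings.append(f"xl2tpd saw the same tunnel ID requested {result['sccrq_repeat']} extra time(s): "
                        "the client is retransmitting SCCRQ, so its SCCRP reply is not reaching it")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_TCPDUMP, SAMPLE_XL2TPD).items():
        print(f"{key}: {value}")
```

Feed it the full capture and log from the post (or your own) and the two findings it prints for this sample are the ones to work from: outbound ESP is absent and the L2TP handshake is stuck at the first message.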