I need some help to set up an L2TP/IPsec VPN.
I need some help to set up an L2TP/IPsec VPN on my Linode.
I'm from China. A month ago, I set up a PPTP VPN.
Even my iPhone can reach Twitter/Facebook through my PPTP VPN.
But these days, my iPhone cannot reach Twitter/Facebook with the PPTP VPN any more,
because our mobile service provider banned the PPTP protocol.
Now I have to set up an L2TP/IPsec VPN for my iPhone.
Can someone give a tutorial to explain how to set up an L2TP/IPsec VPN on CentOS 5?
There is no clue in the Linode Library.
Thanks a lot!
4 Replies
Or use OpenVPN - easier to set up (although I don't know if there is an iPhone app for that) and it looks like SSL traffic.
IPsec is just as easy to spot and block as PPTP traffic.
So, I cannot install an SSH client or OpenVPN on my iPhone.
I know IPsec is easy to block.
At least, it is not blocked until now.
With Linode's help, I tried to set up an L2TP VPN server guided by this link:
In this article, the author is using Openswan-2.4.12 & xl2tpd-1.2.0.
On my Linode box, I'm using openswan-2.6.21 & xl2tpd-1.2.4.
a.b.c.d-(isp's IP) is my ISP's IP,
e.f.g.h-(my linode box) is my Linode box,
e.f.g.1 is my Linode box's gateway,
192.168.1.62 is an L2TP client in my local network.
In /etc/ipsec.conf, I only changed the following line:
leftnexthop=e.f.g.1 (my linode box's gateway)
The /etc/ipsec.secrets is:
include /etc/ipsec.d/*.secrets
e.f.g.h-(my linode box) %any: "password"
The other config files are almost completely copy/pasted from the tutorial.
When my L2TP client program tries to connect to my Linode box,
ipsec logs the following info in /var/log/secure:
===================CUT START===================
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [RFC 3947] method set to=109
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [Dead Peer Detection]
Jan 22 20:31:43 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: responding to Main Mode from unknown peer a.b.c.d-(isp's IP)
Jan 22 20:31:43 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: transition from state STATEMAINR0 to state STATEMAINR1
Jan 22 20:31:43 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: STATEMAINR1: sent MR1, expecting MI2
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 22 20:31:44 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: plutodocrypto: helper (-1) is exiting
Jan 22 20:31:44 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: plutodocrypto: helper (-1) is exiting
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: transition from state STATEMAINR1 to state STATEMAINR2
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: STATEMAINR2: sent MR2, expecting MI3
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: Main mode peer ID is IDIPV4ADDR: '192.168.1.62'
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: transition from state STATEMAINR2 to state STATEMAINR3
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: new NAT mapping for #5, was a.b.c.d-(isp's IP):32439, now a.b.c.d-(isp's IP):32869
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: STATEMAINR3: sent MR3, ISAKMP SA established {auth=OAKLEYPRESHAREDKEY cipher=oakley3descbc192 prf=oakleysha group=modp1024}
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: ignoring informational payload, type IPSECINITIALCONTACT msgid=00000000
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: received and ignored informational message
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: the peer proposed: e.f.g.h-(my linode box)/32:17/1701 -> 192.168.1.62/32:17/49228
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP): plutodocrypto: helper (-1) is exiting
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: responding to Quick Mode proposal {msgid:33abfafa}
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: us: e.f.g.h-(my linode box)[+S=C]:17/1701---e.f.g.1
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: them: a.b.c.d-(isp's IP)[192.168.1.62,+S=C]:17/49230===192.168.1.62/32
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: transition from state STATEQUICKR0 to state STATEQUICKR1
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: STATEQUICKR1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: transition from state STATEQUICKR1 to state STATEQUICKR2
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: STATEQUICKR2: IPsec SA established transport mode {ESP=>0x019ec134 <0xbde56628 xfrm=AES128-HMACSHA1 NATOA=none NATD=a.b.c.d-(isp's IP):32869 DPD=none}
===================CUT END===================
After 3-5 seconds, I got the following info from /var/log/messages:
===================CUT START===================
Jan 22 20:31:52 vpn-server xl2tpd[26529]: Maximum retries exceeded for tunnel 13554. Closing.
Jan 22 20:32:00 vpn-server xl2tpd[26529]: Connection 79 closed to a.b.c.d-(isp's IP), port 49230 (Timeout)
===================CUT END===================
Then my L2TP client shows the "connection failed" message box.
Seems that something is wrong with the NAT?
How can I solve this problem?
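The two logs quoted above line up in a way worth checking mechanically before changing config: pluto reports both SAs established, then xl2tpd gives up. The script below is an added example (not from this thread, Openswan or xl2tpd) that parses constructed lines modelled on the quoted output and reports the stage at which the attempt stopped; the event names and the analyse/diagnose functions are my own.

```python
import re

# Constructed sample lines modelled on the pluto/xl2tpd output quoted in the post above; the placeholder address a.b.c.d is kept as the poster wrote it.
SAMPLE_LOG = """\
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d #5: new NAT mapping for #5, was a.b.c.d:32439, now a.b.c.d:32869
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d #5: STATEMAINR3: sent MR3, ISAKMP SA established {auth=OAKLEYPRESHAREDKEY cipher=oakley3descbc192 prf=oakleysha group=modp1024}
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d #6: STATEQUICKR2: IPsec SA established transport mode {ESP=>0x019ec134 <0xbde56628 xfrm=AES128-HMACSHA1 NATOA=none NATD=a.b.c.d:32869 DPD=none}
Jan 22 20:31:52 vpn-server xl2tpd[26529]: Maximum retries exceeded for tunnel 13554. Closing.
Jan 22 20:32:00 vpn-server xl2tpd[26529]: Connection 79 closed to a.b.c.d, port 49230 (Timeout)
"""
PLUTO = r'pluto\[\d+\]: "[^"]+"\[\d+\] (?P<peer>\S+) #\d+: '   # common prefix of per-conn pluto lines
EVENTS = {  # one pattern per handshake stage worth tracking
    "nat_remapped": re.compile(PLUTO + r"new NAT mapping for #\d+, was \S+:(?P<old>\d+), now \S+:(?P<new>\d+)"),
    "isakmp_sa":    re.compile(PLUTO + r".*ISAKMP SA established"),
    "ipsec_sa":     re.compile(PLUTO + r".*IPsec SA established (?P<mode>\w+) mode"),
    "l2tp_failed":  re.compile(r"xl2tpd\[\d+\]: (Maximum retries exceeded for tunnel \d+|Connection \d+ closed to \S+, port \d+ \(Timeout\))"),
}

def analyse(log_text):
    """Walk the log once and record which stages of the L2TP/IPsec handshake were reached."""
    state = {"peer": None, "nat_ports": None, "isakmp_sa": False, "ipsec_mode": None, "l2tp_failed": False}
    for line in log_text.splitlines():
        for name, rx in EVENTS.items():
            m = rx.search(line)
            if not m:
                continue
            if "peer" in m.groupdict():
                state["peer"] = m.group("peer")
            if name == "nat_remapped":
                state["nat_ports"] = (int(m.group("old")), int(m.group("new")))
            elif name == "isakmp_sa":
                state["isakmp_sa"] = True
            elif name == "ipsec_sa":
                state["ipsec_mode"] = m.group("mode")
            else:
                state["l2tp_failed"] = True
    return state

def diagnose(state):
    """Reduce the stage flags to one token saying where the connection attempt stopped."""
    if not state["isakmp_sa"]:
        return "phase1_failed"   # check the PSK in ipsec.secrets and the conn definition
    if state["ipsec_mode"] is None:
        return "phase2_failed"   # Quick Mode for UDP/1701 transport mode never completed
    if state["l2tp_failed"]:
        # IPsec is up, but the L2TP control connection carried inside it got no replies
        return "l2tp_failed_after_nat_remap" if state["nat_ports"] else "l2tp_failed"
    return "ok"
```

Running `diagnose(analyse(open("/var/log/secure").read() + open("/var/log/messages").read()))` on the real logs gives the same token for the situation described in the post.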
Maybe you can try to upgrade your Openswan on Linode to 2.6.24, which fixed L2TP being broken with NAT'ed clients.