Hi all,
I've managed to set up a Ubuntu Server at home (behind NAT), and I've got the following types of VPN all working: OpenVPN, PPTP, L2TP over IPSEC. I can connect to all of them okay from my laptop away from home (roadwarrior setup). I can even connect to L2TP over IPSEC fine from my iPhone and iPad.
I've been trying to set up a VPN client from a Ubuntu Desktop (Precise x32) but I'm also struggling with OpenSwan. My Ubuntu Desktop is in a bridged VM on my roadwarrior laptop, so the journey is something like:
Ubuntu VM -> NAT (192.168.1.x) -> {Internet} -> NAT {192.168.42.y} -> UbuntuSrv
The same path works from a Windows VM, so this would seem to just be a configuration issue with my OpenSwan client, maybe I'm being stupid. Here's my /etc/ipsec.conf:
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    dumpdir=/var/run/pluto/
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=auto

# Add connections here
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    #rightsubnet=vhost:%no,%priv   # Bit confused here, but tried both
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%any
    leftid=@ubuntu
    #leftsubnet=192.168.1.0/24   # Tried this, didn't make a difference
    leftnexthop=%defaultroute
    leftprotoport=17/%any
    right=86.151.218.43
    rightid=@oberth.dyndns.org
    rightprotoport=17/1701
I tried to make 'left' the local and 'right' the remote, but I may have gotten slightly confused.
My /etc/ipsec.secrets just includes /var/lib/openswan/ipsec.secrets.inc, which contains:
System config:
Code:
$ uname -r
3.2.0-34-generic

$ ipsec --version
Linux Openswan U2.6.37/K3.2.0-34-generic (netkey)
See `ipsec --copyright' for copyright information.

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:92:c0:26
          inet addr:192.168.1.72  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe92:c026/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39841 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23339 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:39020329 (39.0 MB)  TX bytes:2385719 (2.3 MB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:804 errors:0 dropped:0 overruns:0 frame:0
          TX packets:804 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:81027 (81.0 KB)  TX bytes:81027 (81.0 KB)
(I've turned on IP forwarding, etc.)
Here is my auth.log:
Code:
Dec 11 22:38:49 ubuntu ipsec__plutorun: Starting Pluto subsystem...
Dec 11 22:38:49 ubuntu pluto[8525]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:8525
Dec 11 22:38:49 ubuntu pluto[8525]: LEAK_DETECTIVE support [disabled]
Dec 11 22:38:49 ubuntu pluto[8525]: OCF support for IKE [disabled]
Dec 11 22:38:49 ubuntu pluto[8525]: SAref support [disabled]: Protocol not available
Dec 11 22:38:49 ubuntu pluto[8525]: SAbind support [disabled]: Protocol not available
Dec 11 22:38:49 ubuntu pluto[8525]: NSS support [disabled]
Dec 11 22:38:49 ubuntu pluto[8525]: HAVE_STATSD notification support not compiled in
Dec 11 22:38:49 ubuntu pluto[8525]: Setting NAT-Traversal port-4500 floating to on
Dec 11 22:38:49 ubuntu pluto[8525]: port floating activation criteria nat_t=1/port_float=1
Dec 11 22:38:49 ubuntu pluto[8525]: NAT-Traversal support [enabled]
Dec 11 22:38:49 ubuntu pluto[8525]: using /dev/urandom as source of random entropy
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 11 22:38:49 ubuntu pluto[8525]: starting up 3 cryptographic helpers
Dec 11 22:38:49 ubuntu pluto[8525]: started helper pid=8528 (fd:6)
Dec 11 22:38:49 ubuntu pluto[8525]: started helper pid=8529 (fd:7)
Dec 11 22:38:49 ubuntu pluto[8525]: started helper pid=8530 (fd:8)
Dec 11 22:38:49 ubuntu pluto[8525]: Kernel interface auto-pick
Dec 11 22:38:49 ubuntu pluto[8525]: Using Linux 2.6 IPsec interface code on 3.2.0-34-generic (experimental code)
Dec 11 22:38:49 ubuntu pluto[8529]: using /dev/urandom as source of random entropy
Dec 11 22:38:49 ubuntu pluto[8528]: using /dev/urandom as source of random entropy
Dec 11 22:38:49 ubuntu pluto[8530]: using /dev/urandom as source of random entropy
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 22:38:49 ubuntu pluto[8525]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 11 22:38:49 ubuntu pluto[8525]: Changed path to directory '/etc/ipsec.d/cacerts'
Dec 11 22:38:49 ubuntu pluto[8525]: Changed path to directory '/etc/ipsec.d/aacerts'
Dec 11 22:38:49 ubuntu pluto[8525]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Dec 11 22:38:49 ubuntu pluto[8525]: Changing to directory '/etc/ipsec.d/crls'
Dec 11 22:38:49 ubuntu pluto[8525]: Warning: empty directory
Dec 11 22:38:49 ubuntu pluto[8525]: added connection description "L2TP-PSK-NAT"
Dec 11 22:38:49 ubuntu pluto[8525]: added connection description "L2TP-PSK-noNAT"
Dec 11 22:38:49 ubuntu pluto[8525]: listening for IKE messages
Dec 11 22:38:49 ubuntu pluto[8525]: adding interface eth0/eth0 192.168.1.72:500
Dec 11 22:38:49 ubuntu pluto[8525]: adding interface eth0/eth0 192.168.1.72:4500
Dec 11 22:38:49 ubuntu pluto[8525]: adding interface lo/lo 127.0.0.1:500
Dec 11 22:38:49 ubuntu pluto[8525]: adding interface lo/lo 127.0.0.1:4500
Dec 11 22:38:49 ubuntu pluto[8525]: adding interface lo/lo ::1:500
Dec 11 22:38:49 ubuntu pluto[8525]: loading secrets from "/etc/ipsec.secrets"
Dec 11 22:38:49 ubuntu pluto[8525]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Dec 11 22:38:52 ubuntu pluto[8525]: "L2TP-PSK-NAT": deleting connection
Dec 11 22:38:52 ubuntu pluto[8525]: added connection description "L2TP-PSK-NAT"
Dec 11 22:38:56 ubuntu pluto[8525]: "L2TP-PSK-NAT": We cannot identify ourselves with either end of this connection.
And here's my syslog:
Code:
Dec 11 22:38:48 ubuntu kernel: [ 8712.000693] NET: Unregistered protocol family 15
Dec 11 22:38:48 ubuntu ipsec_setup: ...Openswan IPsec stopped
Dec 11 22:38:48 ubuntu ipsec_setup: Starting Openswan IPsec 2.6.37...
Dec 11 22:38:48 ubuntu ipsec_setup: Using KLIPS/legacy stack
Dec 11 22:38:49 ubuntu kernel: [ 8712.317860] padlock_sha: VIA PadLock Hash Engine not detected.
Dec 11 22:38:49 ubuntu ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
Dec 11 22:38:49 ubuntu ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
Dec 11 22:38:49 ubuntu kernel: [ 8712.548053] NET: Registered protocol family 15
Dec 11 22:38:49 ubuntu ipsec_setup: Using NETKEY(XFRM) stack
Dec 11 22:38:49 ubuntu kernel: [ 8712.729217] Initializing XFRM netlink socket
Dec 11 22:38:49 ubuntu kernel: [ 8712.779124] padlock_sha: VIA PadLock Hash Engine not detected.
Dec 11 22:38:49 ubuntu ipsec_setup: ...Openswan IPsec started
Dec 11 22:38:49 ubuntu pluto: adjusting ipsec.d to /etc/ipsec.d
Dec 11 22:38:49 ubuntu ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Dec 11 22:38:49 ubuntu ipsec__plutorun: 002 added connection description "L2TP-PSK-NAT"
Dec 11 22:38:49 ubuntu ipsec__plutorun: 002 added connection description "L2TP-PSK-noNAT"
And finally the ipsec verify output:
Code:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-34-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

                                                                [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

                                                                [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
I'm stuck on the error: We cannot identify ourselves with either end of this connection. I can't seem to get past that. I've tried putting the local IP address (192.168.1.72), but if I do that I get a different error:
Code:
root@ubuntu:/var/log# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
root@ubuntu:/var/log# ipsec auto --add L2TP-PSK-NAT
023 address family inconsistency in this connection=2 host=2/nexthop=0
037 attempt to load incomplete connection
I'm totally puzzled! If anyone has any clue what I'm doing wrong, please help! I'd be so grateful, thanks!
Cheers,
Dave
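As an added example (not part of Dave's post), here is a POSIX shell script that audits the two NETKEY sysctls that the ipsec verify output above reports as FAILED and, with --fix, zeroes them; the CONF_ROOT override is an assumption added so the functions can be exercised against a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# Added example, not from the original post: audit/fix the ICMP redirect
# sysctls that "ipsec verify" flags under NETKEY.
# CONF_ROOT is an assumed override; it defaults to the live sysctl tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print every send_redirects / accept_redirects file under $1 that is
# still enabled (non-zero); return 1 if any was found, 0 if all clear.
audit_redirects() {
    root="$1"
    bad=0
    for f in "$root"/*/send_redirects "$root"/*/accept_redirects; do
        [ -r "$f" ] || continue          # skip unmatched glob / unreadable
        if [ "$(cat "$f")" != "0" ]; then
            echo "ENABLED: $f"
            bad=1
        fi
    done
    return $bad
}

# Write 0 into each of those files (needs root on the live /proc tree).
disable_redirects() {
    root="$1"
    for f in "$root"/*/send_redirects "$root"/*/accept_redirects; do
        [ -w "$f" ] && printf '0\n' > "$f"
    done
    return 0
}

# Stand-alone use: ./check-redirects.sh [--fix]
if [ "${1:-}" = "--fix" ]; then
    disable_redirects "$CONF_ROOT"
fi
audit_redirects "$CONF_ROOT" && echo "OK: no ICMP redirect sysctls enabled under $CONF_ROOT"
```

Values written to /proc are lost on reboot; to make the fix persistent on Ubuntu, set net.ipv4.conf.all.send_redirects = 0 and net.ipv4.conf.all.accept_redirects = 0 (and the default/per-interface keys) in /etc/sysctl.conf and run sysctl -p.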