I need some help to set up an L2TP/IPsec VPN.

Dear friends,

I need some help to set up an L2TP/IPsec VPN on my Linode.

I'm from China. A month ago, I set up a PPTP VPN.

Even my iPhone could reach Twitter/Facebook through my PPTP VPN.

But these days my iPhone cannot reach Twitter/Facebook through the PPTP VPN any more,

because our mobile service provider banned the PPTP protocol.

Now I have to set up an L2TP/IPsec VPN for my iPhone.

Can someone point me to a tutorial explaining how to set up an L2TP/IPsec VPN on CentOS 5?

There is no clue in the Linode Library.

Thanks a lot!

4 Replies

Why not tunnel over SSH? Very easy to set up (even on the iPhone) and looks like normal SSH traffic.

Or use OpenVPN - easier to set up (although I don't know if there is an iPhone app for that) and looks like SSL traffic.

IPsec is just as easy to spot and block as PPTP traffic.

I'm using the official iPhone from China Unicom, Apple's business partner in China.

So I cannot install an SSH client or OpenVPN on my iPhone.

I know IPsec is easy to block.

At least it has not been blocked so far.

Hi all,

With Linode's help, I tried to set up an L2TP VPN server following this link:

http://adamantsys.com/blog/alternate-path/l2tp-ipsec-server-setup-for-linux

In this article, the author uses Openswan-2.4.12 & xl2tpd-1.2.0.

On my Linode box, I'm using openswan-2.6.21 & xl2tpd-1.2.4.

a.b.c.d (ISP's IP) is my ISP's IP,

e.f.g.h (my Linode box) is my Linode box,

e.f.g.1 is my Linode box's gateway,

192.168.1.62 is an L2TP client in my local network.

In /etc/ipsec.conf, I only changed the following line:

leftnexthop=e.f.g.1 (my Linode box's gateway)

The /etc/ipsec.secrets is:

include /etc/ipsec.d/*.secrets

e.f.g.h-(my linode box) %any: "password"

The other config files are almost completely copied from the tutorial.

When my L2TP client program tries to connect to my Linode box,

ipsec writes the following to /var/log/secure:

===================CUT START===================
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [RFC 3947] method set to=109
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [Dead Peer Detection]
Jan 22 20:31:43 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: responding to Main Mode from unknown peer a.b.c.d-(isp's IP)
Jan 22 20:31:43 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 22 20:31:43 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 22 20:31:44 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: pluto_do_crypto: helper (-1) is exiting
Jan 22 20:31:44 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: pluto_do_crypto: helper (-1) is exiting
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.62'
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: new NAT mapping for #5, was a.b.c.d-(isp's IP):32439, now a.b.c.d-(isp's IP):32869
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: received and ignored informational message
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: the peer proposed: e.f.g.h-(my linode box)/32:17/1701 -> 192.168.1.62/32:17/49228
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP): pluto_do_crypto: helper (-1) is exiting
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: responding to Quick Mode proposal {msgid:33abfafa}
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: us: e.f.g.h-(my linode box)[+S=C]:17/1701---e.f.g.1
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: them: a.b.c.d-(isp's IP)[192.168.1.62,+S=C]:17/49230===192.168.1.62/32
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x019ec134 <0xbde56628 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=a.b.c.d-(isp's IP):32869 DPD=none}
===================CUT END===================

After 3-5 seconds, I get the following in /var/log/messages:

===================CUT START===================
Jan 22 20:31:52 vpn-server xl2tpd[26529]: Maximum retries exceeded for tunnel 13554. Closing.
Jan 22 20:32:00 vpn-server xl2tpd[26529]: Connection 79 closed to a.b.c.d-(isp's IP), port 49230 (Timeout)
===================CUT END===================

Then my L2TP client shows the "connection failed" message box.

It seems that something is wrong with the NAT?

How can I solve this problem?

I got the same error as you.

Maybe you can try upgrading your Openswan on Linode to 2.6.24; that fixed L2TP being broken with NAT'ed clients.
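Reading the log above layer by layer is the useful part of this thread: IKE Main Mode and Quick Mode both succeed, the peer is detected as NAT'ed (and the NAT even changes its IKE source port mid-handshake), a transport-mode IPsec SA is installed, and only then does xl2tpd give up. The following Python script is an added example, not code from the original post, from Openswan or from xl2tpd. It reads pluto and xl2tpd syslog lines of the kind quoted, records how far the attempt got and names the layer where it stopped. SAMPLE_LOG is constructed from the poster's lines with the "-(isp's IP)" annotations dropped; a.b.c.d and e.f.g.h are the poster's own placeholders. The weak-parameter check reflects the current view of modp1024 and 3DES and is this example's own judgement, not something the thread states.

```python
"""Triage of a failed L2TP/IPsec connection from Openswan (pluto) + xl2tpd syslog lines.
Added example for the thread above, not code from the post, Openswan or xl2tpd.
SAMPLE_LOG is constructed from the lines the poster quoted, with the "-(isp's IP)"
annotations dropped; a.b.c.d and e.f.g.h are the poster's own placeholders."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Jan 22 20:31:43 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d #5: responding to Main Mode from unknown peer a.b.c.d
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.62'
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d #5: new NAT mapping for #5, was a.b.c.d:32439, now a.b.c.d:32869
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x019ec134 <0xbde56628 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=a.b.c.d:32869 DPD=none}
Jan 22 20:31:52 vpn-server xl2tpd[26529]: Maximum retries exceeded for tunnel 13554. Closing.
Jan 22 20:32:00 vpn-server xl2tpd[26529]: Connection 79 closed to a.b.c.d, port 49230 (Timeout)
"""

# One regex per event of interest, matching pluto's / xl2tpd's own wording.
RE_CONN = re.compile(r'pluto\[\d+\]: "([^"]+)"')
RE_NATED = re.compile(r"peer is NATed")
RE_REMAP = re.compile(r"new NAT mapping for #\d+, was \S+?:(\d+), now \S+?:(\d+)")
RE_PEER_ID = re.compile(r"Main mode peer ID is \w+: '([^']+)'")
RE_PHASE1 = re.compile(r"ISAKMP SA established \{([^}]*)\}")
RE_PHASE2 = re.compile(r"IPsec SA established (\w+) mode \{([^}]*)\}")
RE_L2TP_FAIL = re.compile(r"xl2tpd\[\d+\]: (?:Maximum retries exceeded|Connection \d+ closed to \S+?, port (\d+) \(Timeout\))")


@dataclass
class Triage:
    conn: Optional[str] = None                   # Openswan conn that answered the peer
    peer_nated: bool = False
    nat_remap: Optional[Tuple[str, str]] = None  # IKE source port before/after the NAT rewrote it
    peer_id: Optional[str] = None                # ID the client sent in Main Mode
    phase1: Dict[str, str] = field(default_factory=dict)  # ISAKMP SA parameters
    phase2: Dict[str, str] = field(default_factory=dict)  # IPsec SA parameters plus "mode"
    l2tp_timed_out: bool = False
    l2tp_peer_port: Optional[str] = None         # client's UDP port as seen by xl2tpd


def parse_kv(body: str) -> Dict[str, str]:
    """'auth=X cipher=Y' -> {'auth': 'X', 'cipher': 'Y'}; bare tokens like '<0xbde56628' are skipped."""
    return dict(tok.split("=", 1) for tok in body.split() if "=" in tok)


def triage(log_text: str) -> Triage:
    t = Triage()
    for line in log_text.splitlines():
        if m := RE_CONN.search(line):
            t.conn = m.group(1)
        if RE_NATED.search(line):
            t.peer_nated = True
        if m := RE_REMAP.search(line):
            t.nat_remap = (m.group(1), m.group(2))
        if m := RE_PEER_ID.search(line):
            t.peer_id = m.group(1)
        if m := RE_PHASE1.search(line):
            t.phase1 = parse_kv(m.group(1))
        if m := RE_PHASE2.search(line):
            t.phase2 = dict(parse_kv(m.group(2)), mode=m.group(1))
        if m := RE_L2TP_FAIL.search(line):
            t.l2tp_timed_out = True
            t.l2tp_peer_port = m.group(1) or t.l2tp_peer_port
    return t


def stopped_at(t: Triage) -> str:
    """Layer at which the connection attempt stopped."""
    if not t.phase1:
        return "ike-phase1"
    if not t.phase2:
        return "ike-phase2"
    if t.l2tp_timed_out:
        return "l2tp"
    return "ipsec-up"


def findings(t: Triage) -> List[str]:
    """Observations for the operator; the l2tp one is the diagnosis for the thread's log."""
    out = []
    if t.peer_nated:
        out.append("peer is behind NAT (NAT-T negotiated)" + (
            "; the NAT moved its IKE source port %s -> %s mid-handshake" % t.nat_remap if t.nat_remap else ""))
    if stopped_at(t) == "l2tp":
        out.append("IKE phases 1 and 2 completed and the IPsec SA is installed in %s mode; xl2tpd saw the "
                   "client's first L2TP packet (UDP port %s) but retransmitted its control messages until the "
                   "retry limit: look at the ESP/NAT-T path of the transport-mode SA, not at the PSK or the "
                   "proposals (the thread's suggested fix is upgrading Openswan to 2.6.24)"
                   % (t.phase2.get("mode"), t.l2tp_peer_port))
    group, cipher = t.phase1.get("group", ""), t.phase1.get("cipher", "")
    if group in ("modp768", "modp1024") or "3des" in cipher.replace("_", "").lower():
        out.append("phase 1 negotiated %s / %s: weak by current standards; prefer AES with modp2048 or "
                   "larger if the client supports it" % (cipher, group))
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("conn: %s, stopped at: %s" % (result.conn, stopped_at(result)))
    print("\n".join("  - " + f for f in findings(result)))
```

Run it as-is to see the verdict for the sample; for a real case, replace SAMPLE_LOG with the concatenated contents of /var/log/secure and /var/log/messages. The regexes key on pluto's sentence structure rather than on the state names, so a paste whose underscores were eaten by Markdown (STATEMAINR3 instead of STATE_MAIN_R3) is triaged the same way.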
