Re: L2TP/IPSEC with 4.9 and Ipad - fails to complete

2012-02-11 Thread Sebastian Reitenbach
On Saturday, February 11, 2012 02:37 CET, Stuart Henderson
s...@spacehopper.org wrote:

> On 2012-02-10, Ted Wynnychenko ted@comcast.net wrote:
>> I am hoping someone can point me in some sort of direction.
>> I have been trying to connect an iPad (ios 5.0.1) to an openbsd 4.9 server
>> using L2TP/IPSEC.
>
> Looks like NAT is involved; try -current, there have been changes which may
> well help.

 
I didn't try with an iPad, but with an Android mobile phone. With -current, it
worked fairly well. You should also apply the patch to fix LCP keepalive
failures with L2TP (it was at least needed to keep the tunnel from my Android
stable). Yasuoka@ sent it to tech@ (Thread: diff: fix LCP keepalive failures
on L2TP.)

There is still this unsolved problem with multiple clients behind the same NAT
gateway, which still doesn't work. A single client behind a NAT is OK, but not
multiple behind the same.

Sebastian



L2TP/IPSEC with 4.9 and Ipad - fails to complete

2012-02-10 Thread Ted Wynnychenko
Hello:

I am hoping someone can point me in some sort of direction.
I have been trying to connect an iPad (ios 5.0.1) to an openbsd 4.9 server
using L2TP/IPSEC.

I followed the outline in /usr/src/usr.sbin/npppd/HOWTO_PIPEX_NPPPD.txt,
and was able to get npppd compiled.

I then started isakmpd and updated ipsecctl (sudo ipsecctl -f
/etc/ipsec.conf).

Finally, started npppd:

npppd -d
2012-02-10 15:02:48:NOTICE: Load configuration from='/etc/npppd/npppd.conf'
successfully.

2012-02-10 15:02:48:WARNING: write() failed in in_route0 on RTM_ADD : File
exists

2012-02-10 15:02:48:INFO: tun0 Started ip4addr=10.0.3.1

2012-02-10 15:02:48:INFO: pool name=default dyn_pool=[10.0.3.0/25]
pool=[10.0.3.0/24]

2012-02-10 15:02:48:INFO: Added 2 routes for new pool addresses

2012-02-10 15:02:48:INFO: Loading pool config successfully.

2012-02-10 15:02:48:INFO: realm name=local(local) Loaded users
from='/etc/npppd/npppd-users.csv' successfully.  2 users

2012-02-10 15:02:48:INFO: Listening /var/run/npppd_ctl (npppd_ctl)

2012-02-10 15:02:48:INFO: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP]

2012-02-10 15:02:48:INFO: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP]

2012-02-10 15:02:48:INFO: pptpd Listening 0.0.0.0:1723/tcp (PPTP PAC) [PPTP]

2012-02-10 15:02:48:INFO: pptpd Listening 0.0.0.0:gre (PPTP PAC)

2012-02-10 15:02:48:INFO: tun0 is using ipcp=default(1 pools).

---

Now, when I try enabling the L2TP/IPSEC VPN on the iPad, I can see that the
IPSEC tunnel is created.

isakmpd -Kv -d

---

150059.011921 Default isakmpd: starting [priv]

150358.338625 Default isakmpd: phase 1 done: initiator id 10.0.222.201,
responder id 10.0.28.20, src: 10.0.28.20 dst: 10.0.28.201

150359.377301 Default isakmpd: quick mode done: src: 10.0.28.20 dst:
10.0.28.201

---

And flows get established:

ipsecctl -s all

---

FLOWS:

flow esp in proto udp from 10.0.222.201 port 56701 to 10.0.28.20 port l2tp
peer 10.0.28.201 srcid 10.0.28.20/32 dstid 10.0.222.201/32 type use

flow esp out proto udp from 10.0.28.20 port l2tp to 10.0.222.201 port 56701
peer 10.0.28.201 srcid 10.0.28.20/32 dstid 10.0.222.201/32 type require

SAD:

esp transport from 10.0.28.20 to 10.0.28.201 spi 0x06c8118f auth hmac-sha1
enc aes-256

esp transport from 10.0.28.201 to 10.0.28.20 spi 0x55c61855 auth hmac-sha1
enc aes-256

---

And, then, npppd tries to negotiate the L2TP connection, but it fails:

npppd -d (continued)

---

2012-02-10 15:03:59:NOTICE: l2tpd ctrl=1 logtype=Started RecvSCCRQ
from=10.0.28.201:56701/udp tunnel_id=1/14 protocol=1.0 winsize=4
hostname=iPad vendor=(no vendorname) firm=

2012-02-10 15:03:59:INFO: l2tpd ctrl=1 SendSCCRP

2012-02-10 15:04:00:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ
from=10.0.28.201:56701/udp tunnel_id=2/14 protocol=1.0 winsize=4
hostname=iPad vendor=(no vendorname) firm=

2012-02-10 15:04:00:INFO: l2tpd ctrl=2 SendSCCRP

2012-02-10 15:04:02:NOTICE: l2tpd ctrl=3 logtype=Started RecvSCCRQ
from=10.0.28.201:56701/udp tunnel_id=3/14 protocol=1.0 winsize=4
hostname=iPad vendor=(no vendorname) firm=

2012-02-10 15:04:02:INFO: l2tpd ctrl=3 SendSCCRP

2012-02-10 15:04:06:NOTICE: l2tpd ctrl=4 logtype=Started RecvSCCRQ
from=10.0.28.201:56701/udp tunnel_id=4/14 protocol=1.0 winsize=4
hostname=iPad vendor=(no vendorname) firm=

2012-02-10 15:04:06:INFO: l2tpd ctrl=4 SendSCCRP

2012-02-10 15:04:10:NOTICE: l2tpd ctrl=5 logtype=Started RecvSCCRQ
from=10.0.28.201:56701/udp tunnel_id=5/14 protocol=1.0 winsize=4
hostname=iPad vendor=(no vendorname) firm=

2012-02-10 15:04:10:INFO: l2tpd ctrl=5 SendSCCRP

2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 timeout waiting ack for ctrl
packets.

2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 logtype=Finished

2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 timeout waiting ack for ctrl
packets.

2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 logtype=Finished

2012-02-10 15:04:14:NOTICE: l2tpd ctrl=6 logtype=Started RecvSCCRQ
from=10.0.28.201:56701/udp tunnel_id=6/14 protocol=1.0 winsize=4
hostname=iPad vendor=(no vendorname) firm=

2012-02-10 15:04:14:INFO: l2tpd ctrl=6 SendSCCRP

2012-02-10 15:04:14:NOTICE: l2tpd ctrl=3 timeout waiting ack for ctrl
packets.

2012-02-10 15:04:14:NOTICE: l2tpd ctrl=3 logtype=Finished

2012-02-10 15:04:18:NOTICE: l2tpd ctrl=7 logtype=Started RecvSCCRQ
from=10.0.28.201:56701/udp tunnel_id=7/14 protocol=1.0 winsize=4
hostname=iPad vendor=(no vendorname) firm=

2012-02-10 15:04:18:INFO: l2tpd ctrl=7 SendSCCRP

2012-02-10 15:04:18:NOTICE: l2tpd ctrl=4 timeout waiting ack for ctrl
packets.

2012-02-10 15:04:18:NOTICE: l2tpd ctrl=4 logtype=Finished

2012-02-10 15:04:22:NOTICE: l2tpd ctrl=5 timeout waiting ack for ctrl
packets.

2012-02-10 15:04:22:NOTICE: l2tpd ctrl=5 logtype=Finished

2012-02-10 15:04:26:NOTICE: l2tpd ctrl=6 timeout waiting ack for ctrl
packets.

2012-02-10 15:04:26:NOTICE: l2tpd ctrl=6 logtype=Finished

2012-02-10 15:04:30:NOTICE: l2tpd ctrl=7 timeout waiting ack for ctrl
packets.

2012-02-10 15:04:30:NOTICE: l2tpd ctrl=7 

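As an added diagnostic (not from the thread), this script parses the npppd -d and ipsecctl -s all output quoted above, lists the control connections that stalled after SendSCCRP, and checks whether the address npppd replies to is covered by an outbound ESP flow. In this capture the SCCRQ arrives from the peer's outer address 10.0.28.201 while both flows were negotiated for 10.0.222.201, which is the NAT symptom Stuart points at.

```python
import re
from collections import defaultdict

# Sample input: a subset of the output quoted in the post above, re-joined onto single lines.
NPPPD_LOG = """\
2012-02-10 15:03:59:NOTICE: l2tpd ctrl=1 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=1/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:03:59:INFO: l2tpd ctrl=1 SendSCCRP
2012-02-10 15:04:00:NOTICE: l2tpd ctrl=2 logtype=Started RecvSCCRQ from=10.0.28.201:56701/udp tunnel_id=2/14 protocol=1.0 winsize=4 hostname=iPad vendor=(no vendorname) firm=
2012-02-10 15:04:00:INFO: l2tpd ctrl=2 SendSCCRP
2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 timeout waiting ack for ctrl packets.
2012-02-10 15:04:11:NOTICE: l2tpd ctrl=1 logtype=Finished
2012-02-10 15:04:12:NOTICE: l2tpd ctrl=2 timeout waiting ack for ctrl packets.
"""
IPSEC_FLOWS = """\
flow esp in proto udp from 10.0.222.201 port 56701 to 10.0.28.20 port l2tp peer 10.0.28.201 srcid 10.0.28.20/32 dstid 10.0.222.201/32 type use
flow esp out proto udp from 10.0.28.20 port l2tp to 10.0.222.201 port 56701 peer 10.0.28.201 srcid 10.0.28.20/32 dstid 10.0.222.201/32 type require
"""
CTRL_RE = re.compile(r"l2tpd ctrl=(\d+) (.*)$")
FROM_RE = re.compile(r"from=([\d.]+):(\d+)/udp")
FLOW_RE = re.compile(r"^flow esp (in|out) proto udp from ([\d.]+) port \S+ to ([\d.]+) port \S+ peer ([\d.]+)")
EVENTS = (("RecvSCCRQ", "SCCRQ"), ("SendSCCRP", "SCCRP"),
          ("timeout waiting ack", "TIMEOUT"), ("logtype=Finished", "FINISHED"))

def parse_l2tp_controls(log):
    # Group npppd l2tpd lines by ctrl id: the UDP source seen and the handshake events in order.
    ctrls = defaultdict(lambda: {"from": None, "events": []})
    for line in log.splitlines():
        m = CTRL_RE.search(line)
        if not m:
            continue
        cid, rest = int(m.group(1)), m.group(2)
        f = FROM_RE.search(rest)
        if f:
            ctrls[cid]["from"] = (f.group(1), int(f.group(2)))
        ctrls[cid]["events"] += [ev for marker, ev in EVENTS if marker in rest]
    return dict(ctrls)

def stalled_handshakes(ctrls):
    # Control connections where SCCRQ was answered with SCCRP but the peer's ack never came.
    return sorted(c for c, v in ctrls.items() if "SCCRP" in v["events"] and "TIMEOUT" in v["events"])

def parse_flows(text):
    # Parse the FLOWS section of ipsecctl -s all into (direction, src, dst, peer) tuples.
    return [m.groups() for m in map(FLOW_RE.match, text.splitlines()) if m]

def uncovered_replies(ctrls, flows):
    # L2TP sources no outbound ESP flow covers: npppd answers the outer (NAT) address, not the negotiated one.
    covered = {dst for d, _src, dst, _peer in flows if d == "out"}
    seen = {v["from"][0] for v in ctrls.values() if v["from"]}
    return sorted(seen - covered)
```

A non-empty result from uncovered_replies means the SCCRP leaves the box outside the flow that was supposed to protect it, so the client never sees a reply it will accept and the control connection times out exactly as in the log.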
Re: L2TP/IPSEC with 4.9 and Ipad - fails to complete

2012-02-10 Thread Stuart Henderson
On 2012-02-10, Ted Wynnychenko ted@comcast.net wrote:
> I am hoping someone can point me in some sort of direction.
> I have been trying to connect an iPad (ios 5.0.1) to an openbsd 4.9 server
> using L2TP/IPSEC.

Looks like NAT is involved; try -current, there have been changes which may
well help.