Techstyle
« Reply #15 on: October 29, 2012, 06:21:43 pm »
I updated the ticket
robwoodward75
« Reply #16 on: October 29, 2012, 08:57:00 pm »
Thanks pw44. Just edited /usr/pluto/bin/Network_Firewall.sh. I would suggest adding the following to the bottom of /usr/pluto/bin/Network_Firewall.sh:

# Set VPN Protocols
if [[ "$VPNenabled" == "on" ]]; then
    iptables --append FORWARD -o ppp+ --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu
    iptables --append INPUT --protocol 47 --jump ACCEPT
    iptables --append OUTPUT --protocol 47 --jump ACCEPT
fi
I have tested the above, and it appears to be working, in as much as I now have the same issue as connecting locally, which I presume will be an incompatibility issue between Openswan and Android 2.3!!! Going to try from my Kubuntu & Windows laptops........again!!
polly
« Reply #19 on: November 02, 2012, 07:35:09 pm »
Hey... tried to set up everything as shown in the ticket http://svn.linuxmce.org/trac.cgi/ticket/1598 but I can't connect with my MacBook or iPhone. I can't find a fix for this:

Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [RFC 3947] method set to=115
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] meth=114, but already using method 115
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08] meth=113, but already using method 115
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07] meth=112, but already using method 115
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06] meth=111, but already using method 115
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05] meth=110, but already using method 115
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04] meth=109, but already using method 115
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: received Vendor ID payload [Dead Peer Detection]
Nov 2 18:53:15 dcerouter pluto[29818]: packet from 192.168.80.131:500: initial Main Mode message received on XX.XXX.XXX.XXX:500 but no connection has been authorized with policy=PSK

Thanks. ochorocho

EDIT: output of /var/log/auth.log while restarting ipsec:

Nov 2 20:38:31 dcerouter pluto[30482]: Using Linux 2.6 IPsec interface code on 2.6.32-42-generic (experimental code)
Nov 2 20:38:31 dcerouter pluto[30484]: using /dev/urandom as source of random entropy
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Nov 2 20:38:31 dcerouter pluto[30482]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Nov 2 20:38:31 dcerouter pluto[30482]: added connection description "L2TP-PSK-NAT"
Nov 2 20:38:31 dcerouter pluto[30482]: added connection description "L2TP-PSK-noNAT"
Nov 2 20:38:31 dcerouter pluto[30482]: listening for IKE messages
Nov 2 20:38:31 dcerouter pluto[30482]: adding interface ppp0/ppp0 80.143.122.134:500
Nov 2 20:38:31 dcerouter pluto[30482]: adding interface ppp0/ppp0 80.143.122.134:4500
Nov 2 20:38:31 dcerouter pluto[30482]: adding interface eth0/eth0 192.168.80.1:500
Nov 2 20:38:31 dcerouter pluto[30482]: adding interface eth0/eth0 192.168.80.1:4500
Nov 2 20:38:31 dcerouter pluto[30482]: adding interface lo/lo 127.0.0.1:500
Nov 2 20:38:31 dcerouter pluto[30482]: adding interface lo/lo 127.0.0.1:4500
Nov 2 20:38:31 dcerouter pluto[30482]: adding interface lo/lo ::1:500
Nov 2 20:38:31 dcerouter pluto[30482]: loading secrets from "/etc/ipsec.secrets"
Nov 2 20:38:31 dcerouter pluto[30482]: ERROR "/etc/ipsec.secrets" line 11: index "%defaultroute" illegal (non-DNS-name) character in name
« Last Edit: November 02, 2012, 08:39:01 pm by polly »
Techstyle
« Reply #20 on: November 02, 2012, 09:17:59 pm »
Nov 2 20:38:31 dcerouter pluto[30482]: ERROR "/etc/ipsec.secrets" line 11: index "%defaultroute" illegal (non-DNS-name) character in name
I get that also. I changed this to %any and 192.168.80.1 with no success (but no errors). There is still something wrong. I do get another error message referring to RSASIG not being authorised and wonder if it should be authby=PSK perhaps, instead of authby=secret, in ipsec.conf. I am totally guessing and will play with this once I have re-installed.
Techstyle
« Reply #21 on: November 05, 2012, 05:57:03 am »
authby=PSK doesn't work, and 'secret' should point the system to the shared secret, so it should work. Not sure where I have gone wrong. robwoodward75, can you post your setup so we can fix this with a ticket?
sambuca
« Reply #22 on: November 05, 2012, 10:54:03 am »
Just for reference, this is the wiki page that describes VPN in LMCE (http://wiki.linuxmce.org/index.php/VPN). I'm sure most of you have read it already, though. There are some gotchas in there as well, for instance this:

Note: Currently you need to re-enable the user and change his username after any change to the Network settings page as the files are rewritten

Also, messing around with forwarding network ports without understanding how VPN works can be a big security problem:

Do NOT forward port 1701 (L2TP), this would have allowed direct access to the L2TP server, bypassing IPSEC entirely and sending all your data unencrypted.

The whole idea is that the IPSEC connection encrypts your data from end to end, and on the server end, this data will be passed on to port 1701 internally. It *is* easier to get a connection when not going through IPSEC, but some devices will happily connect to the L2TP server if the IPSEC fails for some reason.

That said, my biggest hurdle getting VPN set up was to configure other network routers in the path (my broadband router) properly. This was mostly a try-and-fail history until I got the correct setting. Any setting related to IPSEC should be tried in all their possible settings (I had to turn one IPSEC setting off to get mine working). It seems to me that IPSEC is the cause of most problems with this VPN, so that is where I would do my investigations. And in one case I was unable to get VPN working from one particular network because of the router at that site (or possibly other network limitation at that site).

If you have any concrete questions I can try to answer them.

best regards,
sambuca
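An added check for the port 1701 point above (example code, not from the thread and not part of LinuxMCE's Network_Firewall.sh): it scans an iptables-save style ruleset for INPUT/FORWARD rules that ACCEPT UDP 1701 without an xt_policy match, so xl2tpd is only reachable through the IPsec tunnel. The two rulesets are constructed, and the hypothetical audit_l2tp_rules / count_exposed helpers assume the "-m policy --dir in --pol ipsec" form of the hardened rule.

```shell
#!/bin/sh
# Added example: audit a ruleset (iptables-save syntax) for L2TP exposure.
# Both rulesets below are constructed inputs, not real LinuxMCE output.

# Accepts UDP 1701 from anywhere: the mistake the post warns about, since
# xl2tpd will then talk to clients that never established IPsec at all.
WEAK_RULES='-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p 50 -j ACCEPT
-A INPUT -p udp --dport 1701 -j ACCEPT'

# Hardened form: 1701 is accepted only for packets that were decapsulated
# from an ESP security association (xt_policy match); anything else is dropped.
HARDENED_RULES='-A INPUT -p udp --dport 500 -j ACCEPT
-A INPUT -p udp --dport 4500 -j ACCEPT
-A INPUT -p 50 -j ACCEPT
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP'

# audit_l2tp_rules RULESET
# Prints every INPUT/FORWARD rule that ACCEPTs UDP 1701 without "--pol ipsec".
# Exit status 1 when at least one such rule exists, 0 when the ruleset is clean.
audit_l2tp_rules() {
    printf '%s\n' "$1" | awk '
        /^-A (INPUT|FORWARD) / && /-p udp/ && /--dport 1701/ && /-j ACCEPT/ && !/--pol ipsec/ {
            print "exposed L2TP rule: " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# count_exposed RULESET: number of offending rules, handy for scripting.
count_exposed() {
    audit_l2tp_rules "$1" | wc -l | tr -d ' '
}
```

On a live box the same audit can be fed with `iptables-save` output instead of the constructed strings.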
polly
« Reply #23 on: November 05, 2012, 11:17:49 am »
Note: Currently you need to re-enable the user and change his username after any change to the Network settings page as the files are rewritten
First, how can I re-enable users? I did some changes to php.ini (I think, can't remember exactly) and I was able to check "can connect to VPN" and save within webadmin. Thanks. ochorocho
sambuca
« Reply #24 on: November 05, 2012, 12:36:37 pm »
It is the "Can connect to VPN" setting, yes.
br, sambuca
polly
« Reply #25 on: November 05, 2012, 02:18:59 pm »
It is the "Can connect to VPN" setting, yes.
br, sambuca
Thanks. Regards, ochorocho
robwoodward75
« Reply #26 on: November 06, 2012, 12:21:00 am »
My current settings for the brief connections I can get:

/etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0

config setup
    nat_traversal=yes
    virtual_private=%4:192.168.80.0/24
    oe=off
    protostack=netkey

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=15
    dpdtimeout=30
    dpdaction=clear

/etc/ipsec.secrets
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
192.168.80.1 %any: PSK "MyPSKSecret"

/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes

[lns default]
ip range = 192.168.80.200-192.168.80.220
local ip = 192.168.80.1
refuse chap = yes
refuse pap = yes
require authentication = yes
name = LinuxMCE_VPN_Server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/ppp/options.xl2tpd
require-mschap-v2
ms-dns 192.168.80.1
ms-dns 8.8.4.4
asyncmap 0
auth
crtscts
lock
hide-password
modem
debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4

/etc/ppp/chap-secrets
# Secrets for authentication using CHAP
test1 l2tpd MyPasswd *
I found I couldn't get a connection to work however until I replaced the !VPNpass1 against my user with a plain text password. Hope this helps someone make sense of the issues.
Techstyle
« Reply #27 on: November 06, 2012, 12:44:53 am »
Interesting to see virtual_private=%4:192.168.80.0/24 in /etc/ipsec.conf; I was expecting %v4. Is this correct, or is this after you have rebooted? I believe they revert back after reboot, based on the files being written from the templates (it is these we will have to change in the end). I will configure as per yours tonight and check.
sambuca
« Reply #28 on: November 06, 2012, 08:20:26 am »
Mine is virtual_private=%4:192.168.80.0/24 and it is working, so I don't think that is your problem.

I found I couldn't get a connection to work however until I replaced the !VPNpass1 against my user with a plain text password. Hope this helps someone make sense of the issues.

What do you mean, "!VPNPass1" seems pretty plain text to me..?

br, sambuca
robwoodward75
« Reply #29 on: November 07, 2012, 12:32:15 pm »
Techstyle, good spot. Yes, I have rebooted, well, power cut anyway!! Next step I think is a UPS!!!! Although, judging by Sambuca's comments, this may have been a red herring in the first place. It was simply something I had spotted in the Openswan setup guides which was different, therefore worth a try!

Sambuca, "What do you mean, "!VPNPass1" seems pretty plain text to me..?" In my chap-secrets file, all my users have the same password, "!VPNpass1", and !VPNpass1 is not my, nor any other of the users', password!! I presume from this, you do not?! I.e. it looks roughly like this (obviously my users aren't called test1, test2...... but you get the picture!):

# Secrets for authentication using CHAP
test1 l2tpd !VPNpass1 *
test2 l2tpd !VPNpass1 *
test3 l2tpd !VPNpass1 *
test4 l2tpd !VPNpass1 *
I'm beginning to wonder if I have something wrong with my webadmin after Sambuca's comments?! For any LinuxMCE Gods about, I'd be interested to know how the average user, who is not happy to fiddle in the command line, or less still access the MySQL database, is able as the primary / admin user within their LinuxMCE system to reset forgotten normal or VPN passwords for others? This is a fairly basic Admin type task, yet I see no feature for it?!
« Last Edit: November 08, 2012, 12:02:08 pm by robwoodward75 »