Comments on: iPhone compatible IPsec VPN on an Ubuntu server, with LDAP authentication
A collection of note-to-self's (feed built Sun, 24 Mar 2019 23:04:45 +0000)

By: Taylor (Fri, 08 Nov 2013 21:14:18 +0000) http://blog.dest-unreach.be/?p=1976#comment-191763
Hah! I solved my problem; I forgot the semicolon after the Netmask and DNS entry lines in the config file. Everything is working beautifully now. Thank you.

By: Taylor (Fri, 08 Nov 2013 00:15:09 +0000) http://blog.dest-unreach.be/?p=1976#comment-191429
Okay, I changed the config to this:

mode_cfg {
    auth_source system;     # Authenticate against Unix user database
    save_passwd on;         # Allow users to save passwords

    network4 10.1.11.100;   # Give clients addresses starting from this address
    pool_size 50;           # up to 50 addresses higher
    # netmask4 255.255.255.0;   (note the trailing semicolon when uncommenting)
    # dns4 10.1.10.211;
}

And in our Sonicwall router I set up a route like this:
Source: Any, Destination: Racoon VPN IP Pool, Service: Any, Gateway: Racoon VPN Server, Interface: X0:V10

With these two changes, VPN clients can now communicate with Office LAN IPs.

I set up the VPN gateway to have VPN clients send all traffic through the VPN gateway.

What I need to now figure out is how to get the VPN clients using our internal office DNS server so that they can get to the various intranet sites that all run off the same local IP in the office LAN. I assume if the VPN clients can successfully use this DNS server, they will also be able to access the Internet since it forwards unknown requests to Google (8.8.8.8).

Right now the VPN clients cannot access the Internet when they connect, just local LAN IPs.

Any suggestions on getting this last bit working?

Thank you

By: Niobos (Thu, 07 Nov 2013 09:09:44 +0000) http://blog.dest-unreach.be/?p=1976#comment-191235
Taylor,

The proposed configuration will probably never work: your LAN is 10.1.10.0/24, and your IPsec clients are in that same subnet as well. You should pick separate subnets for LAN and IPsec tunnel. That way, you can configure the LAN to forward all VPN traffic to the VPN server. Right now, they think (incorrectly) that all VPN clients are directly connected to your LAN (since they are in the same subnet).

Also: if you pick a new, separate subnet, make sure that the routers know about it. That way, replies from the internet will find their way to your VPN server, and further on to the VPN clients.

Niobos

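The subnet-overlap problem Niobos describes, and the static route and MASQUERADE rule the other replies in this thread mention, can be checked mechanically. The following is an added example, not code from the thread or from racoon: it computes the address range a `network4`/`pool_size` pair produces, flags a pool that overlaps the LAN or the gateway, and prints the route and NAT rule for the pool's covering prefix (the interface name `eth0` is an assumption).

```python
import ipaddress

def pool_range(network4, pool_size):
    """First and last address racoon's mode_cfg hands out:
    network4 .. network4 + pool_size - 1."""
    first = ipaddress.IPv4Address(network4)
    return first, first + (pool_size - 1)

def covering_prefix(network4, pool_size):
    """Smallest single CIDR that contains the whole pool; that is the
    destination the office router (and the NAT rule) must use."""
    first, last = pool_range(network4, pool_size)
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return str(net)

def check_layout(lan_cidr, network4, pool_size, gateway_ip):
    """Return a list of problems with a LAN / VPN-pool layout (empty = OK)."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    first, last = pool_range(network4, pool_size)
    gw = ipaddress.IPv4Address(gateway_ip)
    problems = []
    if first in lan or last in lan:
        # LAN hosts treat addresses in their own subnet as directly attached
        # and never send those packets to the VPN gateway.
        problems.append(f"pool {first}-{last} overlaps LAN {lan}")
    if first <= gw <= last:
        problems.append(f"gateway {gw} lies inside the client pool")
    if gw not in lan:
        problems.append(f"gateway {gw} is not on LAN {lan}")
    return problems

def gateway_rules(network4, pool_size, gateway_ip, wan_if="eth0"):
    """Static route for the office router plus the MASQUERADE rule on the
    gateway (analogue's rule in this thread, applied to the real pool prefix)."""
    prefix = covering_prefix(network4, pool_size)
    return (f"route {prefix} via {gateway_ip}",
            f"iptables -t nat -A POSTROUTING -s {prefix} -o {wan_if} -j MASQUERADE")

if __name__ == "__main__":
    # Constructed from the thread: Taylor's first layout and his corrected one.
    for n4 in ("10.1.10.149", "10.1.11.100"):
        print(n4, check_layout("10.1.10.0/24", n4, 50, "10.1.10.232") or "OK")
        print(*gateway_rules(n4, 50, "10.1.10.232"), sep="\n")
```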
By: Taylor (Wed, 06 Nov 2013 19:55:23 +0000) http://blog.dest-unreach.be/?p=1976#comment-191066
I know your thread is a bit old, but I was wondering if you could help me get my VPN gateway set up using your instructions. I am able to connect just fine from my iPhone to the VPN gateway/server, but I cannot connect to any of the LAN IPs.

What I am trying to accomplish:
– Client access to the office LAN.
– All client traffic should be sent over the VPN.
– LAN is 10.1.10.0/24
– Firewall is set to forward UDP 500, 4500 and ESP 50 to 10.1.10.232, which is the IP of the Ubuntu server I am trying to configure as a VPN gateway.
– Clients should receive IPs starting at 10.1.10.149 up to 10.1.10.199
– Authentication will be against system, not LDAP
– Uncommenting netmask4 and/or dns4 results in inability to access the VPN server from the iPhone

Below is my racoon.conf:

log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote anonymous {              # Do not filter on source IP, anyone can connect to this tun$
    passive on;                 # Don't initiate, only listen
    exchange_mode main,aggressive;  # Accept both modes
    my_identifier fqdn "xxx.xxx.xxx.xx (WAN IP ADDRESS)";  # Identify ourselves with this name
    mode_cfg on;                # configure the client's IP address using mode configuration
    verify_cert off;            # Don't check client certificate
    ike_frag on;                # Announce IKE-fragmentation support
    generate_policy on;         # automatically install SPD's
    nat_traversal on;           # Support NAT traversal
    dpd_delay 20;               # Disconnect dead clients after 20 seconds
    proposal {                  # Phase 1 parameters
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;  # Require PreSharedKey group authenti$
        dh_group 2;
    }
}

mode_cfg {
    auth_source system;         # Authenticate against Unix user database
    save_passwd on;             # Allow users to save passwords

    network4 10.1.10.149;       # Give clients addresses starting from this address
    pool_size 50;               # up to 50 addresses higher
    # netmask4 255.255.255.0;   (note the trailing semicolon when uncommenting)
    # dns4 10.1.10.211;
}

sainfo anonymous {
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

Thank you for your time and help,
– Taylor

By: Niobos (Fri, 05 Oct 2012 17:59:32 +0000) http://blog.dest-unreach.be/?p=1976#comment-94315
Adrian,

I use OpenVPN for my desktop clients (Mac, Linux and Windows). This IPsec was specially engineered to work with iOS. It also works great under MacOSX, but that is a side effect, and was not the goal.
I'm sure you can tweak some settings to get it to work under your Windows client of choice, but that might break the iOS compatibility. So I would recommend setting up a separate tunnel for the Windows clients.

Niobos

By: Adrian (Fri, 05 Oct 2012 14:28:27 +0000) http://blog.dest-unreach.be/?p=1976#comment-94291
Hi folks,
This setup works great for me on my MacBook Pro and on my iPhone/iPad; Ubuntu was working great as well. However, I had some serious trouble getting my Windows stuff running.
I tried a free VPN IPsec client called Shrew (http://www.shrew.net/) but it did not work...
So I tried the Cisco VPN client and kaboom, nothing...
The only VPN client that I found working well was a non-free one from a German company called NCP (http://www.ncp-e.com/en/downloads/software.html#c3201). This one works like a charm; however, 140 or so euro are a bit too much to be honest :-/
Has anyone got Shrew running with a pre-shared key? Or is there another free alternative for Windows?
A little hint is seriously appreciated 😉
Thank you, Adrian
p.s.
Great stuff, this brain dump!!!

By: analogue (Fri, 27 Apr 2012 23:11:41 +0000) http://blog.dest-unreach.be/?p=1976#comment-64715
Once you add DNS, you need to add an iptables rule to allow the traffic originating from the iOS device to be routed to the public internet through your machine running racoon. Example:

sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE

By: Niobos (Tue, 14 Feb 2012 14:50:54 +0000) http://blog.dest-unreach.be/?p=1976#comment-53832
Can you rerun this test with a higher debugging level enabled? It seems to be a problem negotiating the phase1 settings. Also, can you post your racoon.conf?

By: Serge (Fri, 27 Jan 2012 16:47:47 +0000) http://blog.dest-unreach.be/?p=1976#comment-51306
Hi,

I'm trying to connect using an iPhone running iOS 5.0.1.
As a first step, I try the connection on my LAN.
I always receive the following errors on racoon:
Jan 27 17:36:55 localhost racoon: INFO: begin Aggressive mode.
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: RFC 3947
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: CISCO-UNITY
Jan 27 17:36:55 localhost racoon: INFO: received Vendor ID: DPD
Jan 27 17:36:55 localhost racoon: INFO: Selected NAT-T version: RFC 3947
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1536-bit MODP group:1024-bit MODP group
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#2) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1536-bit MODP group:1024-bit MODP group
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = SHA:MD5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1536-bit MODP group:1024-bit MODP group
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#4) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#4) = SHA:MD5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#4) = 1536-bit MODP group:1024-bit MODP group
Jan 27 17:36:55 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#5) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 1536-bit MODP group:1024-bit MODP group
Jan 27 17:36:55 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = AES-CBC:3DES-CBC
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#6) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#6) = SHA:MD5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#6) = 1536-bit MODP group:1024-bit MODP group
Jan 27 17:36:55 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#7) = AES-CBC:DES-CBC
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#7) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#7) = 1536-bit MODP group:1024-bit MODP group
Jan 27 17:36:55 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = AES-CBC:DES-CBC
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#8) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#8) = SHA:MD5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#8) = 1536-bit MODP group:1024-bit MODP group
Jan 27 17:36:55 localhost racoon: ERROR: no suitable proposal found.
Jan 27 17:36:55 localhost racoon: ERROR: failed to get valid proposal.
Jan 27 17:36:55 localhost racoon: ERROR: failed to pre-process packet.
Jan 27 17:36:55 localhost racoon: ERROR: phase1 negotiation failed.

Has anyone an idea?
Many thanks in advance.

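Niobos's reply points at the phase 1 proposal; racoon's "rejected ..." lines already say exactly which attribute mismatched and what each side offered. As an added example (not code from the thread or from racoon), this parser turns Serge's log above into a per-attribute summary of server requirement versus client offer and picks the client transform with the fewest mismatches, which names the `proposal` knobs (dh_group, hash_algorithm, encryption_algorithm, authentication_method) that need aligning. The sample lines are a subset copied from that log.

```python
import re
from collections import defaultdict

# Lines copied from Serge's racoon log in the thread above (a subset suffices).
SAMPLE_LOG = """\
Jan 27 17:36:55 localhost racoon: INFO: begin Aggressive mode.
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1536-bit MODP group:1024-bit MODP group
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#3) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#3) = SHA:MD5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#3) = 1536-bit MODP group:1024-bit MODP group
Jan 27 17:36:55 localhost racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#5) = AES-CBC:3DES-CBC
Jan 27 17:36:55 localhost racoon: ERROR: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#5) = XAuth RSASIG server:GSS-API on Kerberos 5
Jan 27 17:36:55 localhost racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#5) = 1536-bit MODP group:1024-bit MODP group
"""

# 'rejected <attr>: DB(prop#a:trns#b):Peer(prop#c:trns#d) = <server value>:<peer value>'
REJECT = re.compile(
    r"ERROR: rejected (?P<attr>\w+): DB\(prop#\d+:trns#\d+\):"
    r"Peer\(prop#(?P<peer_prop>\d+):trns#(?P<peer_trns>\d+)\) = "
    r"(?P<server_val>[^:]+):(?P<peer_val>.+)$")

def parse_rejections(log_text):
    """One dict per 'rejected' line; INFO and other lines are skipped."""
    matches = (REJECT.search(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def summarize(rejections):
    """Per attribute: what the server's proposal requires vs. what the client offered."""
    summary = defaultdict(lambda: {"server": set(), "peer": set()})
    for r in rejections:
        summary[r["attr"]]["server"].add(r["server_val"])
        summary[r["attr"]]["peer"].add(r["peer_val"])
    return {a: {k: sorted(v) for k, v in s.items()} for a, s in summary.items()}

def closest_peer_transform(rejections):
    """Peer transform with the fewest mismatches and the attributes that still differ;
    those are the 'proposal' settings in racoon.conf to align with the client."""
    per_trns = defaultdict(list)
    for r in rejections:
        per_trns[(r["peer_prop"], r["peer_trns"])].append(r["attr"])
    key = min(per_trns, key=lambda k: len(per_trns[k]))
    return key, sorted(per_trns[key])

if __name__ == "__main__":
    rej = parse_rejections(SAMPLE_LOG)
    for attr, sides in summarize(rej).items():
        print(f"{attr}: server {sides['server']} vs peer {sides['peer']}")
    print("closest client transform and remaining mismatches:", closest_peer_transform(rej))
```

In IKE terms, 1024-bit MODP is Diffie-Hellman group 2 and 1536-bit MODP is group 5, so the dh_group line of this summary says the server proposal used group 5 while the iPhone offered only group 2.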
By: Niobos (Mon, 23 Jan 2012 16:28:56 +0000) http://blog.dest-unreach.be/?p=1976#comment-50748
whit,

I just checked this on my setup, it works fine over a cellular connection (tried both EDGE and UMTS). Maybe your provider is doing some filtering?
What steps fail from 3G? The connection setup or the data transfer?
