drazik64
Posts: 8
Joined: Mon Jul 30, 2012 5:39 pm

[HELP] Vpn OpenSwan IPsec

Mon Jul 30, 2012 5:49 pm

Hi all,

I have tried for several days to set up an OpenSWAN VPN on my RASPBERRY PI under RASPBIAN, but I cannot manage it.

I followed a tutorial that I had used previously on another machine, where it worked fine under DEBIAN, but on the RASPBERRY nothing works.

If you have information about it or have managed to run this type of server, I'm interested.

Thank you in advance.

tech_monkey
Posts: 130
Joined: Fri Mar 09, 2012 6:12 pm

Re: [HELP] Vpn OpenSwan IPsec

Mon Jul 30, 2012 6:07 pm

I would be interested in this too.
Is there a network manager in Raspbian?
Leaving it out of the initial package distro seems odd to me.
http://www.casatech.eu

drazik64
Posts: 8
Joined: Mon Jul 30, 2012 5:39 pm

Re: [HELP] Vpn OpenSwan IPsec

Mon Jul 30, 2012 7:08 pm

This is my log file:

Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: received Vendor ID payload [RFC 3947] method set to=109
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jul 30 21:04:45 raspberrypi pluto[1565]: packet from 37.8.167.24:44006: received Vendor ID payload [Dead Peer Detection]
Jul 30 21:04:45 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[24] 37.8.167.24 #45: responding to Main Mode from unknown peer 37.8.167.24
Jul 30 21:04:45 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[24] 37.8.167.24 #45: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 30 21:04:45 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[24] 37.8.167.24 #45: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 30 21:04:46 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[24] 37.8.167.24 #45: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Jul 30 21:04:46 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[24] 37.8.167.24 #45: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 30 21:04:46 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[24] 37.8.167.24 #45: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 30 21:04:47 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[24] 37.8.167.24 #45: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jul 30 21:04:47 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[24] 37.8.167.24 #45: Main mode peer ID is ID_IPV4_ADDR: '10.102.181.219'
Jul 30 21:04:47 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[24] 37.8.167.24 #45: switched from "L2TP-PSK-NAT" to "L2TP-PSK-NAT"
Jul 30 21:04:47 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #45: deleting connection "L2TP-PSK-NAT" instance with peer 37.8.167.24 {isakmp=#0/ipsec=#0}
Jul 30 21:04:47 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #45: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 30 21:04:47 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #45: new NAT mapping for #45, was 37.8.167.24:44006, now 37.8.167.24:44007
Jul 30 21:04:47 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #45: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jul 30 21:04:48 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #45: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Jul 30 21:04:48 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #45: the peer proposed: 82.233.144.104/32:17/1701 -> 37.8.167.24/32:17/0
Jul 30 21:04:48 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: responding to Quick Mode proposal {msgid:8dc99c1c}
Jul 30 21:04:48 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: us: 192.168.0.1<192.168.0.1>[+S=C]:17/1701
Jul 30 21:04:48 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: them: 37.8.167.24[10.102.181.219,+S=C]:17/51309
Jul 30 21:04:48 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: ERROR: netlink response for Add SA [email protected]7.24 included errno 93: Protocol not supported
Jul 30 21:04:48 raspberrypi pluto[1565]: | failed to install outgoing SA: 0
Jul 30 21:04:51 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: discarding duplicate packet; already STATE_QUICK_R0
Jul 30 21:04:56 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: discarding duplicate packet; already STATE_QUICK_R0
Jul 30 21:05:00 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: discarding duplicate packet; already STATE_QUICK_R0
Jul 30 21:05:03 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: discarding duplicate packet; already STATE_QUICK_R0
Jul 30 21:05:08 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: discarding duplicate packet; already STATE_QUICK_R0
Jul 30 21:05:13 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: discarding duplicate packet; already STATE_QUICK_R0
Jul 30 21:05:19 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: discarding duplicate packet; already STATE_QUICK_R0
Jul 30 21:05:19 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: discarding duplicate packet; already STATE_QUICK_R0
Jul 30 21:05:19 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #46: discarding duplicate packet; already STATE_QUICK_R0
Jul 30 21:05:19 raspberrypi pluto[1565]: "L2TP-PSK-NAT"[25] 37.8.167.24 #45: received Delete SA payload: deleting ISAKMP State #45
Jul 30 21:05:19 raspberrypi pluto[1565]: packet from 37.8.167.24:44007: received and ignored informational message


Nobody to help me find a solution to my problems?

drazik64
Posts: 8
Joined: Mon Jul 30, 2012 5:39 pm

Re: [HELP] Vpn OpenSwan IPsec

Sun Aug 05, 2012 9:21 pm

Nobody to help me ? :cry:

tech_monkey
Posts: 130
Joined: Fri Mar 09, 2012 6:12 pm

Re: [HELP] Vpn OpenSwan IPsec

Mon Aug 06, 2012 9:10 am

Does it have to be Openswan? You may want to take a look at what packages are available in Raspbian and see if another IPsec VPN will work.
Are you able to use another Linux/Debian-based machine, do the same, and then compare logs?
I am about to have a play with the network manager and set up a PPTP VPN. I had a look at what packages are available and to my surprise Network-Manager is available.
http://www.casatech.eu

alexchamberlain
Posts: 121
Joined: Thu Jun 14, 2012 11:20 am
Location: Leamington Spa, UK
Contact: Website

Re: [HELP] Vpn OpenSwan IPsec

Mon Aug 06, 2012 9:28 am

tech_monkey wrote:Does it have to be Openswan? You may want to take a look at what packages are available in Raspbian and see if another IPsec VPN will work.
Are you able to use another Linux/Debian-based machine, do the same, and then compare logs?
I am about to have a play with the network manager and set up a PPTP VPN. I had a look at what packages are available and to my surprise Network-Manager is available.
I really think VPNs should be done below the network manager. They should really be up before you log in!
Developer of piimg, a utility for working with RPi images.

tech_monkey
Posts: 130
Joined: Fri Mar 09, 2012 6:12 pm

Re: [HELP] Vpn OpenSwan IPsec

Mon Aug 06, 2012 11:22 am

On my Ubuntu machine, I log in then select the VPN I want to use from the network manager. I can even set it to automatically start the VPN when I log in.
IKE, which is an IPsec VPN client, is available. Maybe try this and see if it's any better.
http://www.casatech.eu

jerhat
Posts: 14
Joined: Fri Jun 08, 2012 1:26 am

Re: [HELP] Vpn OpenSwan IPsec

Thu Aug 09, 2012 1:11 am

Hi drazik64,
I got the exact same problem with openswan on my raspbian. Could you find a solution for this? This is actually the first time I'm trying this installation and the connection fails at the same stage:

ERROR: netlink response for Add SA xxxxxxxxxxx included errno 93: Protocol not supported
FYI my VPN client is the iPhone one; I didn't try to connect with any other clients so far.

drazik64
Posts: 8
Joined: Mon Jul 30, 2012 5:39 pm

Re: [HELP] Vpn OpenSwan IPsec

Thu Aug 09, 2012 11:12 pm

jerhat wrote:Hi drazik64,
I got the exact same problem with openswan on my raspbian. Could you find a solution for this? This is actually the first time I'm trying this installation and the connection fails at the same stage:

ERROR: netlink response for Add SA xxxxxxxxxxx included errno 93: Protocol not supported
FYI my VPN client is the iPhone one; I didn't try to connect with any other clients so far.
Hi, I don't have a solution for the moment, sorry.
I am trying to connect with an iPhone or iPad.

jerhat
Posts: 14
Joined: Fri Jun 08, 2012 1:26 am

Re: [HELP] Vpn OpenSwan IPsec

Sat Aug 11, 2012 12:44 pm

This error was coming from missing kernel modules. I added the following ones and got it working: http://wiki.strongswan.org/projects/str ... nelModules

I also switched from openswan to strongswan, which seems to have better kernel 3.x support. I am not using L2TP/PPP anymore, but a "pure IPsec" VPN with certificate authentication (PSK should work as well). This how-to was very helpful: http://wiki.strongswan.org/projects/str ... OS_(Apple)

Hope this helps

wh1p
Posts: 29
Joined: Tue Jul 03, 2012 11:00 pm
Location: South East UK
Contact: Website

Re: [HELP] Vpn OpenSwan IPsec

Sun Aug 12, 2012 8:00 pm

jerhat wrote:This error was coming from missing kernel modules. I added the following ones and got it working: http://wiki.strongswan.org/projects/str ... nelModules

I also switched from openswan to strongswan, which seems to have better kernel 3.x support. I am not using L2TP/PPP anymore, but a "pure IPsec" VPN with certificate authentication (PSK should work as well). This how-to was very helpful: http://wiki.strongswan.org/projects/str ... OS_(Apple)

Hope this helps
Hi, thanks for this post, but I only found it today and the link no longer works. Any chance you could replace the link with one which works? Thanks, wh1p :)

jerhat
Posts: 14
Joined: Fri Jun 08, 2012 1:26 am

Re: [HELP] Vpn OpenSwan IPsec

Mon Aug 13, 2012 1:36 am

Sorry for the bad link (missing right parenthesis). Here is the correct one:
http://wiki.strongswan.org/projects/str ... OS_(Apple)
This only covers the strongswan configuration. Just to make it clear, you first need to add the missing kernel modules. You can follow one of the numerous guides to do so (e.g. for Ubuntu cross-compiling: http://mitchtech.net/raspberry-pi-kernel-compile/; the "make menuconfig" step is where you have to select the modules as per the strongswan doc: http://wiki.strongswan.org/projects/str ... nelModules).

After booting your new kernel, the "Protocol not supported" error should disappear.

If you wish to switch from openswan to strongswan: apt-get purge openswan ippd and xl2tpd && apt-get install strongswan, then follow the guide; it should be straightforward.
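As an added illustration of the kernel-support cause jerhat describes (example code, not from the thread or from strongSwan): a shell check that reads a kernel .config and lists the IPsec options that must be =y or =m before the IKE daemon can install an ESP SA. The symbol list is assumed from the kernel's own 3.x-era Kconfig names, and the two .config fragments are constructed.

```shell
# Added example, not from the thread: check a kernel .config for the IPsec
# options whose absence makes pluto report "Add SA ... errno 93: Protocol not
# supported" (EPROTONOSUPPORT: no ESP/XFRM support to install the SA into).
# The symbol names are the kernel's own 3.x-era Kconfig names, not a list
# taken from the thread; they cover what the strongSwan KernelModules page asks for.
REQUIRED_SYMS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_ESP CONFIG_INET_AH \
CONFIG_INET_IPCOMP CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL \
CONFIG_NETFILTER_XT_MATCH_POLICY CONFIG_CRYPTO_AES CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_HMAC"

# missing_ipsec_symbols CONFIG_FILE
# Prints every required symbol that is neither =y nor =m, one per line.
missing_ipsec_symbols() {
    for sym in $REQUIRED_SYMS; do
        grep -Eq "^${sym}=(y|m)$" "$1" || echo "$sym"
    done
}

# ipsec_kernel_verdict CONFIG_FILE
# Returns 0 with "ok" when everything is built in or modular, else 1 and the list.
ipsec_kernel_verdict() {
    missing=$(missing_ipsec_symbols "$1")
    if [ -z "$missing" ]; then
        echo "ok: kernel has XFRM/ESP support, errno 93 should not occur"
        return 0
    fi
    echo "missing (select as <M> in make menuconfig, rebuild, install, reboot):"
    echo "$missing"
    return 1
}

# Constructed .config fragments: one without ESP (the 2012 Raspbian situation
# described in the thread), one with everything enabled. Both are made up here.
BROKEN_CFG=$(mktemp); FIXED_CFG=$(mktemp)
cat >"$BROKEN_CFG" <<'EOF'
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=y
# CONFIG_INET_ESP is not set
# CONFIG_INET_AH is not set
CONFIG_CRYPTO_AES=y
EOF
cat >"$FIXED_CFG" <<'EOF'
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
CONFIG_INET_ESP=m
CONFIG_INET_AH=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_HMAC=y
EOF

ipsec_kernel_verdict "$BROKEN_CFG" || true
ipsec_kernel_verdict "$FIXED_CFG"
```

On a running Pi the same functions can be pointed at /proc/config.gz (after `zcat` to a file) or the build tree's .config.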

MC1RMutant
Posts: 5
Joined: Mon Sep 24, 2012 10:30 pm

Re: [HELP] Vpn OpenSwan IPsec

Mon Sep 24, 2012 10:34 pm

This post was tremendously helpful in getting me started. I've got StrongSwan running on my RPi.

I'm having a little trouble, though. After I connect a VPN session, my clients can't reach any destinations. All traffic seems to die. Wondering if anyone else has experienced this?

For what it's worth, I followed the StrongSwan configuration guide here: http://wiki.strongswan.org/projects/str ... OS_(Apple)

gstreeter
Posts: 106
Joined: Sun Sep 02, 2012 11:11 am
Location: UK

Re: [HELP] Vpn OpenSwan IPsec

Tue Sep 25, 2012 10:05 pm

I have Openswan working fine. The protocol error is caused by earlier versions of Raspbian using a kernel which did not have the required module support for IPsec present (ESP, l2tp). These modules are now in the latest build. You need to use rpi-update and apt-get upgrade to load the latest kernel and modules, and then Openswan IPsec will work.

MC1RMutant
Posts: 5
Joined: Mon Sep 24, 2012 10:30 pm

Re: [HELP] Vpn OpenSwan IPsec

Thu Sep 27, 2012 10:03 pm

I'm not actually having any protocol errors.

I had already run the updates and even compiled my own kernel with the necessary modules for StrongSwan.

My problem is that after my clients successfully connect to StrongSwan, nothing happens. I can't route to any destinations.

jerhat
Posts: 14
Joined: Fri Jun 08, 2012 1:26 am

Re: [HELP] Vpn OpenSwan IPsec

Fri Sep 28, 2012 12:59 am

Are you having problems reaching machines inside your LAN or only outside your LAN? If only outside your LAN, then my guess would be that your router is not NATing the packets originating from your VPN-connected device and forwards them with their private IP, thus preventing the destination server from sending you back any response. You could try something like this: iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
HTH

MC1RMutant
Posts: 5
Joined: Mon Sep 24, 2012 10:30 pm

Re: [HELP] Vpn OpenSwan IPsec

Fri Sep 28, 2012 1:05 pm

I'm having problems reaching anything, including machines inside my LAN.

gstreeter
Posts: 106
Joined: Sun Sep 02, 2012 11:11 am
Location: UK

Re: [HELP] Vpn OpenSwan IPsec

Fri Sep 28, 2012 1:19 pm

Once you've got a client connected via Strongswan please run the 4 commands below on the Pi and post the output to the forum. As jerhat says it's probably either no forwarding enabled or the packets are being blocked by the iptables firewall:

ifconfig
route
sudo iptables --list -v
sudo sysctl -a | grep forward

MC1RMutant
Posts: 5
Joined: Mon Sep 24, 2012 10:30 pm

Re: [HELP] Vpn OpenSwan IPsec

Fri Sep 28, 2012 6:59 pm

gstreeter wrote:Once you've got a client connected via Strongswan please run the 4 commands below on the Pi and post the output to the forum. As jerhat says it's probably either no forwarding enabled or the packets are being blocked by the iptables firewall:
Thanks for the response! Here they are...
gstreeter wrote:ifconfig

eth0      Link encap:Ethernet  HWaddr b8:27:eb:ce:7d:cb  
          inet addr:192.168.35.2  Bcast:192.168.35.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:73428 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4715 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5577174 (5.3 MiB)  TX bytes:677060 (661.1 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
gstreeter wrote:route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.35.1    0.0.0.0         UG    0      0        0 eth0
192.168.35.0    *               255.255.255.0   U     0      0        0 eth0
gstreeter wrote:sudo iptables --list -v

Chain INPUT (policy ACCEPT 1785 packets, 187K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   25  1598 ACCEPT     all  --  eth0   any     172.16.35.2          anywhere             policy match dir in pol ipsec reqid 16388 proto esp
    0     0 ACCEPT     all  --  any    eth0    anywhere             172.16.35.2          policy match dir out pol ipsec reqid 16388 proto esp

Chain OUTPUT (policy ACCEPT 121 packets, 13606 bytes)
 pkts bytes target     prot opt in     out     source               destination 
gstreeter wrote:sudo sysctl -a | grep forward

net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.ip_forward = 1
My firewall is forwarding UDP 500 and 4500 to the RasPi running StrongSwan. I have a successful connection on my client. Just no traffic.

gstreeter
Posts: 106
Joined: Sun Sep 02, 2012 11:11 am
Location: UK

Re: [HELP] Vpn OpenSwan IPsec

Fri Sep 28, 2012 7:52 pm

OK, it looks like jerhat is right, as you have packets forwarded out from eth0 but no packets coming back in. My xl2tpd.config uses the IP range 10.0.1.10-10.0.1.254 and hence I have the following rule in the iptables firewall:

-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j SNAT --to-source 192.168.1.101

The Raspberry Pi is the 192.168.1.101 device, and this causes the outgoing packets from the VPN PPP device 10.0.1.* to appear as if they come direct from the Pi; otherwise the NAT broadband router can't work out where they should be returned to and drops them. When the responses arrive back on the Pi they get routed back to the PPP device and 10.0.1.* address.

I think if you add the appropriate line for your xl2tpd address range to your iptables you'll be in business.

MC1RMutant
Posts: 5
Joined: Mon Sep 24, 2012 10:30 pm

Re: [HELP] Vpn OpenSwan IPsec

Fri Sep 28, 2012 8:03 pm

gstreeter wrote:OK, it looks like jerhat is right, as you have packets forwarded out from eth0 but no packets coming back in. My xl2tpd.config uses the IP range 10.0.1.10-10.0.1.254 and hence I have the following rule in the iptables firewall:

-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j SNAT --to-source 192.168.1.101

The Raspberry Pi is the 192.168.1.101 device, and this causes the outgoing packets from the VPN PPP device 10.0.1.* to appear as if they come direct from the Pi; otherwise the NAT broadband router can't work out where they should be returned to and drops them. When the responses arrive back on the Pi they get routed back to the PPP device and 10.0.1.* address.

I think if you add the appropriate line for your xl2tpd address range to your iptables you'll be in business.
Brilliant. This was the problem. Thank you.

For anyone else who may come along after this, be sure to specify the nat table when adding the iptables rule like the one mentioned above.
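Added example (not from the thread) that turns gstreeter's SNAT rule and MC1RMutant's nat-table reminder into a check: it reads captured `iptables-save` and `sysctl -a` output and reports whether forwarding is off or the POSTROUTING SNAT/MASQUERADE rule for the client pool is missing from the nat table. The pool 10.0.1.0/24, eth0 and 192.168.1.101 are gstreeter's values; the captured files are constructed.

```shell
# Added example, not from the thread: read captured `iptables-save` and `sysctl -a`
# output and report the two return-path faults the thread names: forwarding
# disabled, or no SNAT/MASQUERADE for the client pool in the nat table's
# POSTROUTING chain. Pool, interface and Pi address are parameters; the sample
# captures below are constructed (pool 10.0.1.0/24 as in gstreeter's post).
# nat_rule_present SAVEFILE SUBNET IFACE
# 0 if the *nat section has a POSTROUTING rule for SUBNET out of IFACE with
# target SNAT or MASQUERADE. Rules in *filter or any other table do not count.
nat_rule_present() {
    awk -v subnet="$2" -v iface="$3" '
        /^\*/     { table = substr($0, 2) }
        /^COMMIT/ { table = "" }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; out = ""; tgt = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            if (src == subnet && out == iface && (tgt == "SNAT" || tgt == "MASQUERADE")) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}
# forwarding_enabled SYSCTLFILE: 0 if net.ipv4.ip_forward = 1 in the capture
forwarding_enabled() {
    grep -Eq '^net\.ipv4\.ip_forward *= *1$' "$1"
}
# vpn_return_path_diagnosis SAVEFILE SYSCTLFILE SUBNET IFACE PI_ADDR
# Prints "ok", or "forwarding-off: ..." / "no-nat: ..." with the fix to apply.
vpn_return_path_diagnosis() {
    if ! forwarding_enabled "$2"; then
        echo "forwarding-off: sysctl -w net.ipv4.ip_forward=1 (and persist it in /etc/sysctl.conf)"
        return 1
    fi
    if ! nat_rule_present "$1" "$3" "$4"; then
        echo "no-nat: iptables -t nat -A POSTROUTING -s $3 -o $4 -j SNAT --to-source $5"
        return 1
    fi
    echo "ok"
}
# Constructed captures: forwarding on, strongSwan's policy-match ACCEPT present in
# *filter but an empty nat table (MC1RMutant's situation), then the fixed nat table.
SAVE_BROKEN=$(mktemp); SAVE_FIXED=$(mktemp); SYSCTL_OK=$(mktemp)
cat >"$SAVE_BROKEN" <<'EOF'
*filter
-A FORWARD -s 172.16.35.2/32 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
cat >"$SAVE_FIXED" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j SNAT --to-source 192.168.1.101
COMMIT
EOF
printf 'net.ipv4.ip_forward = 1\n' >"$SYSCTL_OK"
vpn_return_path_diagnosis "$SAVE_BROKEN" "$SYSCTL_OK" 10.0.1.0/24 eth0 192.168.1.101 || true
vpn_return_path_diagnosis "$SAVE_FIXED"  "$SYSCTL_OK" 10.0.1.0/24 eth0 192.168.1.101
```

On the Pi itself, feed it `sudo iptables-save > save.txt` and `sudo sysctl -a > sysctl.txt`, with the pool from your xl2tpd or strongSwan configuration.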

drazik64
Posts: 8
Joined: Mon Jul 30, 2012 5:39 pm

Re: [HELP] Vpn OpenSwan IPsec

Mon Mar 04, 2013 10:20 pm

After a lot of research I got started and created a tutorial for setting up a VPN server on the Raspberry Pi.

http://bidouiller.fr/2013/03/01/tuto-me ... pberry-pi/

What do you think?

Sorry, but the tutorial is in French.
