This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

L2TP Certificate & Android: No public key known

I'm really pulling at strings here to get Android working with this.

PPTP doesn't work, L2TP/IPSec doesn't work with PSK (Android wants to use CHAP, which Astaro doesn't support).

So I'm trying L2TP/IPSec with certificates, hoping maybe this will work better.

I'm all doing it in a virtual sort of enviroment, so there are no routers, firewalls, or NAT in the way.

2010:09:26-13:02:58 ASG8 pluto[10531]: | *received 352 bytes from 192.168.1.139:500 on eth1
2010:09:26-13:02:58 ASG8 pluto[10531]: packet from 192.168.1.139:500: received Vendor ID payload [RFC 3947]
2010:09:26-13:02:58 ASG8 pluto[10531]: packet from 192.168.1.139:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2010:09:26-13:02:58 ASG8 pluto[10531]: packet from 192.168.1.139:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2010:09:26-13:02:58 ASG8 pluto[10531]: packet from 192.168.1.139:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2010:09:26-13:02:58 ASG8 pluto[10531]: packet from 192.168.1.139:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2010:09:26-13:02:58 ASG8 pluto[10531]: | preparse_isakmp_policy: peer requests PUBKEY authentication
2010:09:26-13:02:58 ASG8 pluto[10531]: | instantiated "D_Android" for 192.168.1.139
2010:09:26-13:02:58 ASG8 pluto[10531]: | creating state object #1 at 0x8e80c10
2010:09:26-13:02:58 ASG8 pluto[10531]: | ICOOKIE: 88 ed 8c 32 47 fc 41 cd
2010:09:26-13:02:58 ASG8 pluto[10531]: | RCOOKIE: a1 19 ff 94 1c 10 f6 c6
2010:09:26-13:02:58 ASG8 pluto[10531]: | peer: c0 a8 01 8b
2010:09:26-13:02:58 ASG8 pluto[10531]: | state hash entry 21
2010:09:26-13:02:58 ASG8 pluto[10531]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
2010:09:26-13:02:58 ASG8 pluto[10531]: "D_Android"[1] 192.168.1.139 #1: responding to Main Mode from unknown peer 192.168.1.139
2010:09:26-13:02:58 ASG8 pluto[10531]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
2010:09:26-13:02:58 ASG8 pluto[10531]: | next event EVENT_RETRANSMIT in 10 seconds for #1
2010:09:26-13:02:58 ASG8 pluto[10531]: |
2010:09:26-13:02:58 ASG8 pluto[10531]: | *received 228 bytes from 192.168.1.139:500 on eth1
2010:09:26-13:02:58 ASG8 pluto[10531]: | ICOOKIE: 88 ed 8c 32 47 fc 41 cd
2010:09:26-13:02:58 ASG8 pluto[10531]: | RCOOKIE: a1 19 ff 94 1c 10 f6 c6
2010:09:26-13:02:58 ASG8 pluto[10531]: | peer: c0 a8 01 8b
2010:09:26-13:02:58 ASG8 pluto[10531]: | state hash entry 21
2010:09:26-13:02:58 ASG8 pluto[10531]: | state object #1 found, in STATE_MAIN_R1
2010:09:26-13:02:58 ASG8 pluto[10531]: "D_Android"[1] 192.168.1.139 #1: NAT-Traversal: Result using RFC 3947: no NAT detected
2010:09:26-13:02:58 ASG8 pluto[10531]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 60 seconds
2010:09:26-13:02:58 ASG8 pluto[10531]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
2010:09:26-13:02:58 ASG8 pluto[10531]: | next event EVENT_RETRANSMIT in 10 seconds for #1
2010:09:26-13:02:58 ASG8 pluto[10531]: |
2010:09:26-13:02:58 ASG8 pluto[10531]: | *received 988 bytes from 192.168.1.139:500 on eth1
2010:09:26-13:02:58 ASG8 pluto[10531]: | ICOOKIE: 88 ed 8c 32 47 fc 41 cd
2010:09:26-13:02:58 ASG8 pluto[10531]: | RCOOKIE: a1 19 ff 94 1c 10 f6 c6
2010:09:26-13:02:58 ASG8 pluto[10531]: | peer: c0 a8 01 8b
2010:09:26-13:02:58 ASG8 pluto[10531]: | state hash entry 21
2010:09:26-13:02:58 ASG8 pluto[10531]: | state object #1 found, in STATE_MAIN_R2
2010:09:26-13:02:58 ASG8 pluto[10531]: "D_Android"[1] 192.168.1.139 #1: Peer ID is ID_IPV4_ADDR: '192.168.1.139'
2010:09:26-13:02:58 ASG8 pluto[10531]: | subject: 'C=us, L=*****, O=*****, CN=*****'
2010:09:26-13:02:58 ASG8 pluto[10531]: | issuer: 'C=us, L=*****, O=*****, CN=***** VPN CA, E=*****@gmail.com'
2010:09:26-13:02:58 ASG8 pluto[10531]: | authkey: da:2b:a6[:D]4:af:44:2a:5b:9f:c8:4f:2a:8a:6b:fc:a3:a5:c2:90:eb
2010:09:26-13:02:58 ASG8 pluto[10531]: | certificate is valid
2010:09:26-13:02:58 ASG8 pluto[10531]: | issuer cacert found
2010:09:26-13:02:58 ASG8 pluto[10531]: | certificate signature is valid
2010:09:26-13:02:58 ASG8 pluto[10531]: "D_Android"[1] 192.168.1.139 #1: crl not found
2010:09:26-13:02:58 ASG8 pluto[10531]: "D_Android"[1] 192.168.1.139 #1: certificate status unknown
2010:09:26-13:02:58 ASG8 pluto[10531]: | subject: 'C=us, L=*****, O=*****, CN=***** VPN CA, E=*****@gmail.com'
2010:09:26-13:02:58 ASG8 pluto[10531]: | issuer: 'C=us, L=*****, O=*****, CN=***** VPN CA, E=*****@gmail.com'
2010:09:26-13:02:58 ASG8 pluto[10531]: | certificate is valid
2010:09:26-13:02:58 ASG8 pluto[10531]: | issuer cacert found
2010:09:26-13:02:58 ASG8 pluto[10531]: | certificate signature is valid
2010:09:26-13:02:58 ASG8 pluto[10531]: | reached self-signed root ca with a path length of 0
2010:09:26-13:02:58 ASG8 pluto[10531]: "D_Android"[1] 192.168.1.139 #1: no public key known for '192.168.1.139'
2010:09:26-13:02:58 ASG8 pluto[10531]: "D_Android"[1] 192.168.1.139 #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.168.1.139:500
2010:09:26-13:02:58 ASG8 pluto[10531]: | state transition function for STATE_MAIN_R2 failed: INVALID_KEY_INFORMATION
2010:09:26-13:02:58 ASG8 pluto[10531]: | next event EVENT_RETRANSMIT in 10 seconds for #1

It does that a couple of times and then fails with this

2010:09:26-13:03:28 ASG8 pluto[10531]: | *time to handle event
2010:09:26-13:03:28 ASG8 pluto[10531]: | event after this is EVENT_NAT_T_KEEPALIVE in 30 seconds
2010:09:26-13:03:28 ASG8 pluto[10531]: | handling event EVENT_RETRANSMIT for 192.168.1.139 "D_Android" #1
2010:09:26-13:03:28 ASG8 pluto[10531]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
2010:09:26-13:03:28 ASG8 pluto[10531]: | next event EVENT_NAT_T_KEEPALIVE in 30 seconds
2010:09:26-13:03:28 ASG8 pluto[10531]: | rejected packet:
2010:09:26-13:03:28 ASG8 pluto[10531]: | 88 ed 8c 32 47 fc 41 cd a1 19 ff 94 1c 10 f6 c6
2010:09:26-13:03:28 ASG8 pluto[10531]: | 04 10 02 00 00 00 00 00 00 00 00 e4 0a 00 00 84
2010:09:26-13:03:28 ASG8 pluto[10531]: | 78 db 1c 97 a1 b4 58 2a 8d 9b 93 5e 22 41 2d 5c
2010:09:26-13:03:28 ASG8 pluto[10531]: | 8c 3d b0 ed 61 49 7f 6f ef 0b 4d 88 cc ed d2 ac
2010:09:26-13:03:28 ASG8 pluto[10531]: | 6f 8f 54 c7 b1 d7 3c 69 51 42 c7 86 3b 30 c5 5e
2010:09:26-13:03:28 ASG8 pluto[10531]: | 0b 1f eb e2 e8 db 26 a8 1f ee 5f da ec 3e bf ee
2010:09:26-13:03:28 ASG8 pluto[10531]: | 1d 91 22 d1 cf 20 e6 fb 21 dd 59 19 6b f0 89 ef
2010:09:26-13:03:28 ASG8 pluto[10531]: | b7 e5 4d 76 56 15 ac 5b 57 66 0d be 85 a9 f5 f7
2010:09:26-13:03:28 ASG8 pluto[10531]: | eb d6 87 57 08 eb a6 ed 63 86 b2 fd 36 12 fc 8c
2010:09:26-13:03:28 ASG8 pluto[10531]: | 79 22 43 32 8d e4 6c 37 e4 98 f1 82 25 53 e0 1a
2010:09:26-13:03:28 ASG8 pluto[10531]: | 14 00 00 14 9a e3 c8 30 b9 e5 ed 34 73 88 0a f8
2010:09:26-13:03:28 ASG8 pluto[10531]: | 1a 71 ca 54 14 00 00 18 dd ea 91 06 d4 4b 0c 70
2010:09:26-13:03:28 ASG8 pluto[10531]: | ea 6f 79 1d f1 35 66 5b 33 57 e1 d5 00 00 00 18
2010:09:26-13:03:28 ASG8 pluto[10531]: | c0 71 8e a8 ea 7f a9 48 2b d5 e4 07 a0 5b 3d 21
2010:09:26-13:03:28 ASG8 pluto[10531]: | de fa 90 5e
2010:09:26-13:03:28 ASG8 pluto[10531]: | control:
2010:09:26-13:03:28 ASG8 pluto[10531]: | 2c 00 00 00 00 00 00 00 0b 00 00 00 6f 00 00 00
2010:09:26-13:03:28 ASG8 pluto[10531]: | 02 03 03 00 00 00 00 00 00 00 00 00 02 00 00 00
2010:09:26-13:03:28 ASG8 pluto[10531]: | c0 a8 01 8b 00 00 00 00 00 00 00 00
2010:09:26-13:03:28 ASG8 pluto[10531]: | name:
2010:09:26-13:03:28 ASG8 pluto[10531]: | 02 00 01 f4 c0 a8 01 8b 00 00 00 00 00 00 00 00
2010:09:26-13:03:28 ASG8 pluto[10531]: "D_Android"[1] 192.168.1.139 #1: ERROR: asynchronous network error report on eth1 for message to 192.168.1.139 port 500, complainant 192.168.1.139: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
2010:09:26-13:03:28 ASG8 pluto[10531]: | next event EVENT_NAT_T_KEEPALIVE in 30 seconds
2010:09:26-13:03:58 ASG8 pluto[10531]: |
2010:09:26-13:03:58 ASG8 pluto[10531]: | *time to handle event
2010:09:26-13:03:58 ASG8 pluto[10531]: | event after this is EVENT_RETRANSMIT in 10 seconds
2010:09:26-13:03:58 ASG8 pluto[10531]: | next event EVENT_RETRANSMIT in 10 seconds for #1
2010:09:26-13:04:08 ASG8 pluto[10531]: |
2010:09:26-13:04:08 ASG8 pluto[10531]: | *time to handle event
2010:09:26-13:04:08 ASG8 pluto[10531]: | event after this is EVENT_REINIT_SECRET in 3515 seconds
2010:09:26-13:04:08 ASG8 pluto[10531]: | handling event EVENT_RETRANSMIT for 192.168.1.139 "D_Android" #1
2010:09:26-13:04:08 ASG8 pluto[10531]: "D_Android"[1] 192.168.1.139 #1: max number of retransmissions (2) reached STATE_MAIN_R2
2010:09:26-13:04:08 ASG8 pluto[10531]: | ICOOKIE: 88 ed 8c 32 47 fc 41 cd
2010:09:26-13:04:08 ASG8 pluto[10531]: | RCOOKIE: a1 19 ff 94 1c 10 f6 c6
2010:09:26-13:04:08 ASG8 pluto[10531]: | peer: c0 a8 01 8b
2010:09:26-13:04:08 ASG8 pluto[10531]: | state hash entry 21
2010:09:26-13:04:08 ASG8 pluto[10531]: "D_Android"[1] 192.168.1.139: deleting connection "D_Android" instance with peer 192.168.1.139 {isakmp=#0/ipsec=#0}

I have a remote access rule called Android, interface external (which is the 192.168.1.x network), TripleDES Policy, Local network is the virtual internal network (eth0), I have the user i'm trying to log on as set in the allowed users, and automatic packet filter rules checked.

This thread was automatically locked due to age.

0 coreno over 14 years ago in reply to d12fk

Hah! It's a bug in mdw. L2TP doesn't get started when certificate based authentication is selected.
Will be fixed it in 8.004. Bug ID is #15216. Thanks for the help finding it.
After all this, that just makes me laugh haha

Now back to your actual problem. Let's make L2TP/PSK work for you until 8.004 is publically available. Could you post the complete IPsec log output with L2TP debug enabled when you connect with your Droid and L2TP/PSK configured?

I'm at work at the moment, so this is now going through NAT a couple of times, so traffic could be getting lost on my current home router. I'll paste the log anyway, maybe it has some clues...

2010:09:29-15:51:48 ASG8 pluto[32421]: | *received 284 bytes from 24.103.62.86:4500 on eth1
2010:09:29-15:51:48 ASG8 pluto[32421]: | **parse ISAKMP Message:
2010:09:29-15:51:48 ASG8 pluto[32421]: | initiator cookie:
2010:09:29-15:51:48 ASG8 pluto[32421]: | b8 48 20 12 17 ce 95 9c
2010:09:29-15:51:48 ASG8 pluto[32421]: | responder cookie:
2010:09:29-15:51:48 ASG8 pluto[32421]: | 85 2f 86 ac 05 eb a6 e3
2010:09:29-15:51:48 ASG8 pluto[32421]: | next payload type: ISAKMP_NEXT_HASH
2010:09:29-15:51:48 ASG8 pluto[32421]: | ISAKMP version: ISAKMP Version 1.0
2010:09:29-15:51:48 ASG8 pluto[32421]: | exchange type: ISAKMP_XCHG_QUICK
2010:09:29-15:51:48 ASG8 pluto[32421]: | flags: ISAKMP_FLAG_ENCRYPTION
2010:09:29-15:51:48 ASG8 pluto[32421]: | message ID: cb e3 41 0d
2010:09:29-15:51:48 ASG8 pluto[32421]: | length: 284
2010:09:29-15:51:48 ASG8 pluto[32421]: | ICOOKIE: b8 48 20 12 17 ce 95 9c
2010:09:29-15:51:48 ASG8 pluto[32421]: | RCOOKIE: 85 2f 86 ac 05 eb a6 e3
2010:09:29-15:51:48 ASG8 pluto[32421]: | peer: 18 67 3e 56
2010:09:29-15:51:48 ASG8 pluto[32421]: | state hash entry 22
2010:09:29-15:51:48 ASG8 pluto[32421]: | state object not found
2010:09:29-15:51:48 ASG8 pluto[32421]: | ICOOKIE: b8 48 20 12 17 ce 95 9c
2010:09:29-15:51:48 ASG8 pluto[32421]: | RCOOKIE: 85 2f 86 ac 05 eb a6 e3
2010:09:29-15:51:48 ASG8 pluto[32421]: | peer: 18 67 3e 56
2010:09:29-15:51:48 ASG8 pluto[32421]: | state hash entry 22
2010:09:29-15:51:48 ASG8 pluto[32421]: | state object #5 found, in STATE_MAIN_R3
2010:09:29-15:51:48 ASG8 pluto[32421]: | ***parse ISAKMP Hash Payload:
2010:09:29-15:51:48 ASG8 pluto[32421]: | next payload type: ISAKMP_NEXT_SA
2010:09:29-15:51:48 ASG8 pluto[32421]: | length: 24
2010:09:29-15:51:48 ASG8 pluto[32421]: | ***parse ISAKMP Security Association Payload:
2010:09:29-15:51:48 ASG8 pluto[32421]: | next payload type: ISAKMP_NEXT_NONCE
2010:09:29-15:51:48 ASG8 pluto[32421]: | length: 176
2010:09:29-15:51:48 ASG8 pluto[32421]: | DOI: ISAKMP_DOI_IPSEC
2010:09:29-15:51:48 ASG8 pluto[32421]: | ***parse ISAKMP Nonce Payload:
2010:09:29-15:51:48 ASG8 pluto[32421]: | next payload type: ISAKMP_NEXT_ID
2010:09:29-15:51:48 ASG8 pluto[32421]: | length: 20
2010:09:29-15:51:48 ASG8 pluto[32421]: | ***parse ISAKMP Identification Payload (IPsec DOI):
2010:09:29-15:51:48 ASG8 pluto[32421]: | next payload type: ISAKMP_NEXT_ID
2010:09:29-15:51:48 ASG8 pluto[32421]: | length: 12
2010:09:29-15:51:48 ASG8 pluto[32421]: | ID type: ID_IPV4_ADDR
2010:09:29-15:51:48 ASG8 pluto[32421]: | Protocol ID: 17
2010:09:29-15:51:48 ASG8 pluto[32421]: | port: 0
2010:09:29-15:51:48 ASG8 pluto[32421]: | ***parse ISAKMP Identification Payload (IPsec DOI):
2010:09:29-15:51:48 ASG8 pluto[32421]: | next payload type: ISAKMP_NEXT_NONE
2010:09:29-15:51:48 ASG8 pluto[32421]: | length: 12
2010:09:29-15:51:48 ASG8 pluto[32421]: | ID type: ID_IPV4_ADDR
2010:09:29-15:51:48 ASG8 pluto[32421]: | Protocol ID: 17
2010:09:29-15:51:48 ASG8 pluto[32421]: | port: 1701
2010:09:29-15:51:48 ASG8 pluto[32421]: | removing 12 bytes of padding
2010:09:29-15:51:48 ASG8 pluto[32421]: | peer client is 192.168.0.5
2010:09:29-15:51:48 ASG8 pluto[32421]: | peer client protocol/port is 17/0
2010:09:29-15:51:48 ASG8 pluto[32421]: | our client is 24.168.53.142
2010:09:29-15:51:48 ASG8 pluto[32421]: | our client protocol/port is 17/1701
2010:09:29-15:51:48 ASG8 pluto[32421]: "S_REF_wIrcuPcFdi"[3] 24.103.62.86:4500 #5: cannot respond to IPsec SA request because no connection is known for 24.168.53.142/32===192.168.1.154:4500[192.168.1.154]:17/1701...24.103.62.86:4500[192.168.0.5]:17/%any==={192.168.0.5/32}
2010:09:29-15:51:48 ASG8 pluto[32421]: "S_REF_wIrcuPcFdi"[3] 24.103.62.86:4500 #5: sending encrypted notification INVALID_ID_INFORMATION to 24.103.62.86:4500
2010:09:29-15:51:48 ASG8 pluto[32421]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
2010:09:29-15:51:48 ASG8 pluto[32421]: | next event EVENT_NAT_T_KEEPALIVE in 7 seconds
2010:09:29-15:51:55 ASG8 pluto[32421]: |
2010:09:29-15:51:55 ASG8 pluto[32421]: | *time to handle event
2010:09:29-15:51:55 ASG8 pluto[32421]: | event after this is EVENT_REINIT_SECRET in 2702 seconds
2010:09:29-15:51:55 ASG8 pluto[32421]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 60 seconds
2010:09:29-15:51:55 ASG8 pluto[32421]: | next event EVENT_NAT_T_KEEPALIVE in 60 seconds
2010:09:29-15:51:58 ASG8 pluto[32421]: |
2010:09:29-15:51:58 ASG8 pluto[32421]: | *received 284 bytes from 24.103.62.86:4500 on eth1
2010:09:29-15:51:58 ASG8 pluto[32421]: | **parse ISAKMP Message:
2010:09:29-15:51:58 ASG8 pluto[32421]: | initiator cookie:
2010:09:29-15:51:58 ASG8 pluto[32421]: | b8 48 20 12 17 ce 95 9c
2010:09:29-15:51:58 ASG8 pluto[32421]: | responder cookie:
2010:09:29-15:51:58 ASG8 pluto[32421]: | 85 2f 86 ac 05 eb a6 e3
2010:09:29-15:51:58 ASG8 pluto[32421]: | next payload type: ISAKMP_NEXT_HASH
2010:09:29-15:51:58 ASG8 pluto[32421]: | ISAKMP version: ISAKMP Version 1.0
2010:09:29-15:51:58 ASG8 pluto[32421]: | exchange type: ISAKMP_XCHG_QUICK
2010:09:29-15:51:58 ASG8 pluto[32421]: | flags: ISAKMP_FLAG_ENCRYPTION
2010:09:29-15:51:58 ASG8 pluto[32421]: | message ID: cb e3 41 0d
2010:09:29-15:51:58 ASG8 pluto[32421]: | length: 284
2010:09:29-15:51:58 ASG8 pluto[32421]: | ICOOKIE: b8 48 20 12 17 ce 95 9c
2010:09:29-15:51:58 ASG8 pluto[32421]: | RCOOKIE: 85 2f 86 ac 05 eb a6 e3
2010:09:29-15:51:58 ASG8 pluto[32421]: | peer: 18 67 3e 56
2010:09:29-15:51:58 ASG8 pluto[32421]: | state hash entry 22
2010:09:29-15:51:58 ASG8 pluto[32421]: | state object not found
2010:09:29-15:51:58 ASG8 pluto[32421]: | ICOOKIE: b8 48 20 12 17 ce 95 9c
2010:09:29-15:51:58 ASG8 pluto[32421]: | RCOOKIE: 85 2f 86 ac 05 eb a6 e3
2010:09:29-15:51:58 ASG8 pluto[32421]: | peer: 18 67 3e 56
2010:09:29-15:51:58 ASG8 pluto[32421]: | state hash entry 22
2010:09:29-15:51:58 ASG8 pluto[32421]: | state object #5 found, in STATE_MAIN_R3
2010:09:29-15:51:58 ASG8 pluto[32421]: "S_REF_wIrcuPcFdi"[3] 24.103.62.86:4500 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0d41e3cb (perhaps this is a duplicated packet)
2010:09:29-15:51:58 ASG8 pluto[32421]: "S_REF_wIrcuPcFdi"[3] 24.103.62.86:4500 #5: sending encrypted notification INVALID_MESSAGE_ID to 24.103.62.86:4500
2010:09:29-15:51:58 ASG8 pluto[32421]: | next event EVENT_NAT_T_KEEPALIVE in 57 seconds
2010:09:29-15:52:08 ASG8 pluto[32421]: |
2010:09:29-15:52:08 ASG8 pluto[32421]: | *received 284 bytes from 24.103.62.86:4500 on eth1
2010:09:29-15:52:08 ASG8 pluto[32421]: | **parse ISAKMP Message:
2010:09:29-15:52:08 ASG8 pluto[32421]: | initiator cookie:
2010:09:29-15:52:08 ASG8 pluto[32421]: | b8 48 20 12 17 ce 95 9c
2010:09:29-15:52:08 ASG8 pluto[32421]: | responder cookie:
2010:09:29-15:52:08 ASG8 pluto[32421]: | 85 2f 86 ac 05 eb a6 e3
2010:09:29-15:52:08 ASG8 pluto[32421]: | next payload type: ISAKMP_NEXT_HASH
2010:09:29-15:52:08 ASG8 pluto[32421]: | ISAKMP version: ISAKMP Version 1.0
2010:09:29-15:52:08 ASG8 pluto[32421]: | exchange type: ISAKMP_XCHG_QUICK
2010:09:29-15:52:08 ASG8 pluto[32421]: | flags: ISAKMP_FLAG_ENCRYPTION
2010:09:29-15:52:08 ASG8 pluto[32421]: | message ID: cb e3 41 0d
2010:09:29-15:52:08 ASG8 pluto[32421]: | length: 284
2010:09:29-15:52:08 ASG8 pluto[32421]: | ICOOKIE: b8 48 20 12 17 ce 95 9c
2010:09:29-15:52:08 ASG8 pluto[32421]: | RCOOKIE: 85 2f 86 ac 05 eb a6 e3
2010:09:29-15:52:08 ASG8 pluto[32421]: | peer: 18 67 3e 56
2010:09:29-15:52:08 ASG8 pluto[32421]: | state hash entry 22
2010:09:29-15:52:08 ASG8 pluto[32421]: | state object not found
2010:09:29-15:52:08 ASG8 pluto[32421]: | ICOOKIE: b8 48 20 12 17 ce 95 9c
2010:09:29-15:52:08 ASG8 pluto[32421]: | RCOOKIE: 85 2f 86 ac 05 eb a6 e3
2010:09:29-15:52:08 ASG8 pluto[32421]: | peer: 18 67 3e 56
2010:09:29-15:52:08 ASG8 pluto[32421]: | state hash entry 22
2010:09:29-15:52:08 ASG8 pluto[32421]: | state object #5 found, in STATE_MAIN_R3
2010:09:29-15:52:08 ASG8 pluto[32421]: "S_REF_wIrcuPcFdi"[3] 24.103.62.86:4500 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x0d41e3cb (perhaps this is a duplicated packet)
2010:09:29-15:52:08 ASG8 pluto[32421]: "S_REF_wIrcuPcFdi"[3] 24.103.62.86:4500 #5: sending encrypted notification INVALID_MESSAGE_ID to 24.103.62.86:4500
2010:09:29-15:52:08 ASG8 pluto[32421]: | next event EVENT_NAT_T_KEEPALIVE in 47 seconds
Cancel
Vote Up 0 Vote Down

Cancel
0 coreno over 14 years ago in reply to coreno

Here is the log without any NAT/Firewall in the way.

2010:09:29-19:34:21 ASG8 pluto - Coreno - xjLwAPFU - Pastebin.com
Cancel
Vote Up 0 Vote Down

Cancel
0 coreno over 14 years ago in reply to d12fk

Hah! It's a bug in mdw. L2TP doesn't get started when certificate based authentication is selected.
Will be fixed it in 8.004. Bug ID is #15216. Thanks for the help finding it.

Now back to your actual problem. Let's make L2TP/PSK work for you until 8.004 is publically available. Could you post the complete IPsec log output with L2TP debug enabled when you connect with your Droid and L2TP/PSK configured?
At risk of feeling like I'm spamming my own thread... also partially out of boredom and some thing time...

Where can I go to view the bugs and bug reports?
Can I start the L2TP service(s) manually? I want to ask this before I start rummaging through the Astaro scripts and seeing what I can break in there [:D]
Cancel
Vote Up 0 Vote Down

Cancel
0 d12fk over 14 years ago

You may want to upvote VPN: Standard CHAP Support for L2TP (Android), btw. =)
Cancel
Vote Up 0 Vote Down

Cancel
0 d12fk over 14 years ago
The ASG can only handle MD4 hashed passwords. CHAP uses MD5, so currently there is no chance for a tweak here. Instead, let's try what the Android does if the ASG refuses to do CHAP authentication. Maybe it proposes MS-CHAP-V2 as a last resort. Enable L2TP/PSK and add the line "require-mschap-v2" to the file /var/chroot-ipsec/etc/ppp/options. You need to be root to do that. While pppd is configured to "refuse-chap" and even "refuse-mschap" (v1) already, it still requests  after the Droid NAKed it's EAP proposal:

rcvd [LCP ConfNak id=0x1 ]
sent [LCP ConfReq id=0x2    ]
rcvd [LCP ConfAck id=0x2    ]

I'll have a look at the pppd code in the meantime.
Cancel
Vote Up 0 Vote Down

Cancel
0 coreno over 14 years ago in reply to d12fk

You sir, are a genius! Android successfully connects! [:D]

Of course, this just turns up another hurdle.

It seems the phone isn't getting any DNS server information. I can ping and even browse to IP addresses on the internet, but using the hostname doesn't work.

I have the L2TP VPN Pool as an allowed network in the DNS config.
VPN Pool NAT'd to External in the NAT config.
I have the LT2P VPN Pool to Any network over Any protocol rule turned on in the Packet Filter.

Via the power of rooting my phone, I can run nslookup and see that the phone has no DNS server to lookup with. So it seems for some reason maybe Astaro isn't giving one. I'm doing to keep digging around though.

I really appreciate your help thus far.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 14 years ago

Have you configured DNS on the 'Remote Access >> Advanced' page?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 coreno over 14 years ago in reply to BAlfson

Hahaha! Sneaky setting!

Thank you so much d12fk and BAlfson, you've both been a great help!

We've overcome the combined bugs of Android and Astaro to assemble a working VPN solution!

I'm going to have to write up a how-to guide somewhere so others don't have to go through this. Though VPN'ing from android to Astaro probably isn't a very common senario.

(just blacklisted yahoo as a test, i don't actually have anything against yahoo)
Cancel
Vote Up 0 Vote Down

Cancel
0 coreno over 14 years ago in reply to coreno

Quick note.... using a external DHCP server with L2TP seems to be seriously broken... pegs the CPU at nearly 100% when I tried it several times. Also appears to stop the L2TP service as well.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 14 years ago

using a external DHCP server with L2TP seems to be seriously broken

Not sure what you mean by this, but your best choice is to use the "VPN Pool (L2TP)" in every case.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel