Hello,

I would like to run Openswan on my root server so that I can encrypt the network traffic from my Android phone and my laptop when I go online through public hotspots. No access to someone else's private network is involved, since the root server is not attached to any private network. But somehow it doesn't quite seem to work. I am using Openswan and xl2tp. Here are the configs
/etc/ipsec.conf
Code:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0
include /etc/ipsec.d/configs/android-psk.conf
# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
/etc/ipsec.d/configs/android-psk.conf
Code:
conn L2TP-PSK-NAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        type=transport
        left=<IP of my server>

        leftprotoport=17/1701
        #leftsubnet=0.0.0.0/0
        right=%any
        rightprotoport=17/%any 
        rightsubnet=vhost:%no,%priv
/etc/xl2tp/xl2tpc.conf
Code:
[global]
ipsec saref = yes

[lns default]
; took this from a how-to
ip range = 192.168.0.231-192.168.0.239
local ip = 192.168.0.230
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
It is the private IP addresses in the xl2tp.conf in particular that puzzle me, and I think they don't fit my setup. But what do I put there instead? My phone is not supposed to get a public IP through this, after all.

Here is an excerpt from auth.log
Code:
Jun  2 16:53:00 85-31-186-26 pluto[1594]: packet from 89.204.153.67:6338: received Vendor ID payload [RFC 3947] method set to=109
Jun  2 16:53:00 85-31-186-26 pluto[1594]: packet from 89.204.153.67:6338: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jun  2 16:53:00 85-31-186-26 pluto[1594]: packet from 89.204.153.67:6338: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jun  2 16:53:00 85-31-186-26 pluto[1594]: packet from 89.204.153.67:6338: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun  2 16:53:00 85-31-186-26 pluto[1594]: packet from 89.204.153.67:6338: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jun  2 16:53:00 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: responding to Main Mode from unknown peer 89.204.153.67
Jun  2 16:53:00 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun  2 16:53:00 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: STATE_MAIN_R1: sent MR1, expecting MI2
Jun  2 16:53:01 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Jun  2 16:53:01 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun  2 16:53:01 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: STATE_MAIN_R2: sent MR2, expecting MI3
Jun  2 16:53:02 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: Main mode peer ID is ID_IPV4_ADDR: '10.153.140.195'
Jun  2 16:53:02 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: I did not send a certificate because I do not have one.
Jun  2 16:53:02 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun  2 16:53:02 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jun  2 16:53:02 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jun  2 16:53:02 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: received and ignored informational message
Jun  2 16:53:03 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[5] 89.204.153.67 #8: responding to Quick Mode {msgid:4bcf1891}
Jun  2 16:53:03 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[5] 89.204.153.67 #8: cannot install eroute -- it is in use for "L2TP-PSK-NAT"[2] 89.204.153.67 #2
Jun  2 16:53:03 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[5] 89.204.153.67: deleting connection "L2TP-PSK-NAT" instance with peer 89.204.153.67 {isakmp=#0/ipsec=#0}
Jun  2 16:53:13 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4bcf1891 (perhaps this is a duplicated packet)
Jun  2 16:53:13 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: sending encrypted notification INVALID_MESSAGE_ID to 89.204.153.67:29072
Jun  2 16:53:22 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x4bcf1891 (perhaps this is a duplicated packet)
Jun  2 16:53:22 85-31-186-26 pluto[1594]: "L2TP-PSK-NAT"[2] 89.204.153.67 #7: sending encrypted notification INVALID_MESSAGE_ID to 89.204.153.67:29072
At times it seems to work and then suddenly it doesn't any more. I'm pretty much at my wits' end here. I would really appreciate some help.

Thanks in advance.
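An added example, not part of the original post and not Openswan's or xl2tpd's own tooling: a dry-run script for the server side of a setup like the one above, where PPP clients get an address from a private pool and the server has no private network behind it. It prints (and, with `--apply`, executes) the forwarding and NAT rules that let the pool addresses reach the Internet through the server's public IP, the firewall rules for IKE, NAT-T and ESP, and a rule that accepts UDP/1701 only when the packet arrived inside an IPsec SA, so L2TP/PPP authentication is never reachable in the clear. The pool values are the ones from the posted xl2tpd.conf; the Internet-facing interface name `eth0` and the assumption that the pool is otherwise unused on the server are mine, and the `pool_ok` check only verifies the pool layout, not that the range is free.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the kernel and iptables
# settings a public L2TP/IPsec server needs for road-warrior clients.
# Assumptions (not in the post): the public interface is eth0, and the PPP
# pool below is a /24 that nothing else on this host routes to.

WAN_IF="${WAN_IF:-eth0}"
# Pool as posted in xl2tpd.conf; any unused private range works the same way.
PPP_LOCAL_IP="${PPP_LOCAL_IP:-192.168.0.230}"
PPP_POOL="${PPP_POOL:-192.168.0.231-192.168.0.239}"
# The /24 enclosing the pool, used as the MASQUERADE source match.
PPP_POOL_NET="${PPP_POOL_NET:-192.168.0.0/24}"

# First three octets of a dotted-quad address (the /24 prefix).
prefix3() { printf '%s' "$1" | cut -d. -f1-3; }

# Layout check: pool start, pool end and "local ip" must all sit in
# PPP_POOL_NET, and "local ip" must lie outside the client range.
pool_ok() {
    net=$(prefix3 "${PPP_POOL_NET%/*}")
    start=${PPP_POOL%-*}
    end=${PPP_POOL#*-}
    [ "$(prefix3 "$start")" = "$net" ] || return 1
    [ "$(prefix3 "$end")" = "$net" ] || return 1
    [ "$(prefix3 "$PPP_LOCAL_IP")" = "$net" ] || return 1
    s4=${start##*.}; e4=${end##*.}; l4=${PPP_LOCAL_IP##*.}
    [ "$l4" -lt "$s4" ] || [ "$l4" -gt "$e4" ]
}

# Let the PPP clients out through the server's public address: the phone keeps
# its private pool address, the server masquerades it.
forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s ${PPP_POOL_NET} -o ${WAN_IF} -j MASQUERADE
iptables -A FORWARD -i ppp+ -o ${WAN_IF} -j ACCEPT
iptables -A FORWARD -i ${WAN_IF} -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Public side: IKE (500), NAT-T (4500) and ESP. L2TP (UDP/1701) is accepted
# only for packets that were decapsulated from an IPsec SA; a bare UDP/1701
# from the Internet would otherwise hand xl2tpd/pppd an unencrypted session.
ipsec_input_rules() {
    cat <<EOF
iptables -A INPUT -i ${WAN_IF} -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i ${WAN_IF} -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i ${WAN_IF} -p esp -j ACCEPT
iptables -A INPUT -i ${WAN_IF} -p udp --dport 1701 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -i ${WAN_IF} -p udp --dport 1701 -j DROP
EOF
}

# Dry run by default; pass --apply to execute the printed commands as root.
pool_ok || { echo "pool layout inconsistent: $PPP_LOCAL_IP / $PPP_POOL / $PPP_POOL_NET" >&2; exit 1; }
case "${1:-}" in
    --apply) forward_rules | sh; ipsec_input_rules | sh ;;
    *)       forward_rules; ipsec_input_rules ;;
esac
```

Run it once without arguments, read the output, then `--apply`; the 1701 rules are the ones to keep even if the rest of the firewall is managed elsewhere.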