Linode Forum
Posted: Fri Jan 22, 2010 9:09 am
Senior Newbie
Joined: Sun Dec 20, 2009 12:00 pm
Posts: 5
Dear friends,

I need some help to set up an L2TP/IPsec VPN on my Linode.
I'm from China. A month ago, I set up a PPTP VPN.
Even my iPhone could reach Twitter/Facebook through my PPTP VPN.
But these days, my iPhone cannot reach Twitter/Facebook with the PPTP VPN any more,
because our mobile service provider banned the PPTP protocol.
Now I have to set up an L2TP/IPsec VPN for my iPhone.

Can someone give a tutorial to explain how to set up an L2TP/IPsec VPN on CentOS 5?
There is no clue in the Linode Library.

Thx a lot!
Posted: Fri Jan 22, 2010 1:25 pm
Senior Member
Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
Why not tunnel over SSH? Very easy to set up (even on the iPhone) and looks like normal SSH traffic.

Or use OpenVPN - easier to set up (although I don't know if there is an iPhone app for that) and looks like SSL traffic.

IPsec is just as easy to spot and block as PPTP traffic.
Posted: Fri Jan 22, 2010 3:46 pm
Senior Newbie
Joined: Sun Dec 20, 2009 12:00 pm
Posts: 5
I'm using the official version of the iPhone from China Unicom, Apple's business partner in China.
So I cannot install an SSH client or OpenVPN on my iPhone.
I know IPsec is easy to block.
At least it is not blocked until now.
Posted: Fri Jan 22, 2010 5:14 pm
Senior Newbie
Joined: Sun Dec 20, 2009 12:00 pm
Posts: 5
Hi all,

With Linode's help, I tried to set up an L2TP VPN server guided by this link:
http://adamantsys.com/blog/alternate-pa ... -for-linux

In this article, the author uses Openswan-2.4.12 & xl2tpd-1.2.0.
On my Linode box, I'm using openswan-2.6.21 & xl2tpd-1.2.4.

a.b.c.d-(isp's IP) is my ISP's IP,
e.f.g.h-(my linode box) is my Linode box,
e.f.g.1 is my Linode box's gateway,
192.168.1.62 is an L2TP client in my local network.

In /etc/ipsec.conf, I only changed the following line:
leftnexthop=e.f.g.1 (my linode box's gateway)

The /etc/ipsec.secrets is:
#include /etc/ipsec.d/*.secrets
e.f.g.h-(my linode box) %any: "password"

The other config files are almost entirely copied/pasted from the tutorial.

When my L2TP client program tries to connect to my Linode box,
ipsec logs the following info in /var/log/secure:

===================CUT START===================
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [RFC 3947] method set to=109
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Jan 22 20:31:43 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: received Vendor ID payload [Dead Peer Detection]
Jan 22 20:31:43 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: responding to Main Mode from unknown peer a.b.c.d-(isp's IP)
Jan 22 20:31:43 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 22 20:31:43 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 22 20:31:44 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: pluto_do_crypto: helper (-1) is exiting
Jan 22 20:31:44 vpn-server pluto[26692]: packet from a.b.c.d-(isp's IP):32439: pluto_do_crypto: helper (-1) is exiting
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.62'
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: new NAT mapping for #5, was a.b.c.d-(isp's IP):32439, now a.b.c.d-(isp's IP):32869
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: received and ignored informational message
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] a.b.c.d-(isp's IP) #5: the peer proposed: e.f.g.h-(my linode box)/32:17/1701 -> 192.168.1.62/32:17/49228
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP): pluto_do_crypto: helper (-1) is exiting
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: responding to Quick Mode proposal {msgid:33abfafa}
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: us: e.f.g.h-(my linode box)[+S=C]:17/1701---e.f.g.1
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: them: a.b.c.d-(isp's IP)[192.168.1.62,+S=C]:17/49230===192.168.1.62/32
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] a.b.c.d-(isp's IP) #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x019ec134 <0xbde56628 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=a.b.c.d-(isp's IP):32869 DPD=none}
===================CUT END===================


After 3-5 seconds, I got the following info from /var/log/messages:
===================CUT START===================
Jan 22 20:31:52 vpn-server xl2tpd[26529]: Maximum retries exceeded for tunnel 13554. Closing.
Jan 22 20:32:00 vpn-server xl2tpd[26529]: Connection 79 closed to a.b.c.d-(isp's IP), port 49230 (Timeout)
===================CUT END===================

Then my L2TP client shows the "connection failed" message box.

Seems that something is wrong with the NAT?
How can I solve this problem?
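To make sense of a log like this, here is an added triage helper (not from the thread, Openswan or xl2tpd) that scans pluto and xl2tpd syslog lines and reports at which layer the bring-up stalled: IKE Phase 1, Quick Mode, or the L2TP control channel on top of the finished IPsec SA. The sample lines are constructed to mirror the ones above, with 203.0.113.5 standing in for the ISP address.

```python
import re

# Constructed sample excerpt mirroring the thread's pluto/xl2tpd lines; 203.0.113.5 is a placeholder ISP address.
SAMPLE_LOG = """\
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] 203.0.113.5 #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] 203.0.113.5 #5: new NAT mapping for #5, was 203.0.113.5:32439, now 203.0.113.5:32869
Jan 22 20:31:44 vpn-server pluto[26692]: "L2TP-PSK-NAT"[3] 203.0.113.5 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jan 22 20:31:45 vpn-server pluto[26692]: "L2TP-PSK-NAT"[4] 203.0.113.5 #6: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x019ec134 <0xbde56628 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=203.0.113.5:32869 DPD=none}
Jan 22 20:32:00 vpn-server xl2tpd[26529]: Connection 79 closed to 203.0.113.5, port 49230 (Timeout)
"""

PATTERNS = {  # one regex per milestone: NAT detection, IKE Phase 1, IKE Phase 2, L2TP
    "peer_nated": re.compile(r"pluto\[\d+\]:.*peer is NATed"),
    "nat_remap": re.compile(r"new NAT mapping for #\d+, was (?P<old>\S+), now (?P<new>\S+)"),
    "isakmp_sa": re.compile(r"pluto\[\d+\]:.*ISAKMP SA established"),
    "ipsec_sa": re.compile(r"pluto\[\d+\]:.*IPsec SA established \w+ mode"),
    "l2tp_timeout": re.compile(r"xl2tpd\[\d+\]:.*(?:Maximum retries exceeded|\(Timeout\))"),
}

def triage(log_text):
    """Locate the layer at which an L2TP/IPsec attempt stalled and return flags plus a verdict."""
    hits = {}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            if name not in hits and (m := rx.search(line)):
                hits[name] = m  # keep the first occurrence of each milestone
    remap = hits.get("nat_remap")
    result = {
        "phase1_ok": "isakmp_sa" in hits,            # Main Mode finished, PSK accepted
        "phase2_ok": "ipsec_sa" in hits,             # Quick Mode finished, ESP SAs installed
        "peer_nated": "peer_nated" in hits,          # NAT-T detected the client behind NAT
        "nat_port_changed": bool(remap) and remap.group("old") != remap.group("new"),
        "l2tp_timeout": "l2tp_timeout" in hits,      # xl2tpd gave up on the control channel
    }
    if not result["phase1_ok"]:
        verdict = "IKE Phase 1 never completed: check the PSK and IKE proposals"
    elif not result["phase2_ok"]:
        verdict = "Phase 1 up but Quick Mode failed: check left/rightprotoport and transport mode"
    elif result["l2tp_timeout"]:
        verdict = "IPsec up, L2TP control channel timed out: fault lies between ESP and xl2tpd"
        if result["peer_nated"]:
            verdict += "; client is NATed, so NAT-T handling is the first suspect"
    else:
        verdict = "IPsec and L2TP both look healthy"
    result["verdict"] = verdict
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the real /var/log/secure and /var/log/messages concatenated, the verdict tells you whether to look at the IPsec configuration or at the L2TP/NAT-T layer next.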
Posted: Mon Jan 25, 2010 2:30 am
Joined: Mon Jan 25, 2010 2:20 am
Posts: 1
I got the same error as you.
Maybe you can try to upgrade your Openswan on Linode to 2.6.24, which fixed L2TP being broken with NAT'ed clients.