L2TP/IPSEC and Android

Hello everyone, I need help configuring a VPN with "L2TP/IPsec" and Android devices.
I enabled the L2TP VPN, created the PSK and created a user, but I cannot establish a connection.

Thank you

P.S. This is an on-line translation

Log

Apr 20 13:21:24 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #1: Dead Peer Detection (RFC 3706): enabled
Apr 20 13:21:24 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Apr 20 13:21:24 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #1: received and ignored informational message
Apr 20 13:21:25 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #1: the peer proposed: aaa.bbb.ccc.ddd:17/1701 -> 1.160.129.220/32:17/0
Apr 20 13:21:25 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #2: responding to Quick Mode proposal {msgid:f4628ac9}
Apr 20 13:21:25 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #2: us: 192.168.1.1<%eth0>[@server.local.net,+S=C]:17/1701
Apr 20 13:21:25 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #2: them: 91.253.34.186[1.160.129.220,+S=C]:17/0
Apr 20 13:21:25 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 20 13:21:25 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 20 13:21:26 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #2: Dead Peer Detection (RFC 3706): enabled
Apr 20 13:21:26 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 20 13:21:26 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x072b1027 <0xc86475ea xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=91.253.34.186:40770 DPD=enabled}
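The pluto lines above already say a lot: quick mode completed, the IPsec SA is in transport mode with the L2TP selector (UDP/1701 on the server side), and NAT traversal detected the peer on port 40770. The later "asynchronous network error report" lines in this thread show the same peer answering with ICMP port unreachable for NAT-T packets sent to port 40384, which is a different port. As an added example that is not part of the original thread, the following Python script parses libreswan/pluto lines of this shape and turns them into a short verdict; the sample log is constructed from the quoted lines (the ISAKMP line is added in libreswan's format so that phase 1 is visible), and the verdict codes are this example's own, not libreswan's.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines modelled on the pluto output quoted in this thread (same peer,
# timestamps and SA attributes). The ISAKMP line is added in libreswan's format so that
# phase 1 is visible; it is not in the original post.
SAMPLE_LOG = """\
Apr 20 13:21:24 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
Apr 20 13:21:24 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #1: Dead Peer Detection (RFC 3706): enabled
Apr 20 13:21:25 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #1: the peer proposed: aaa.bbb.ccc.ddd:17/1701 -> 1.160.129.220/32:17/0
Apr 20 13:21:25 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #2: responding to Quick Mode proposal {msgid:f4628ac9}
Apr 20 13:21:26 server pluto[15949]: "~L2TPeth0"[2] 91.253.34.186 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x072b1027 <0xc86475ea xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=91.253.34.186:40770 DPD=enabled}
Apr 20 13:30:31 server pluto[15949]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 91.253.34.186 port 40384, complainant 91.253.34.186: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

PLUTO_RE = re.compile(r'pluto\[\d+\]: (?P<body>.*)$')
# '"conn"[n] peer #sa: message' prefix; also accepts the curly quotes forum software substitutes
SA_RE = re.compile(r'^[“"]?(?P<conn>[^“”"\[]+)[”"]?\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
PROPOSAL_RE = re.compile(r'the peer proposed: (?P<us>\S+) -> (?P<them>\S+)')
IPSEC_SA_RE = re.compile(r'IPsec SA established (?P<mode>\w+) mode \{(?P<attrs>[^}]*)\}')
NATD_RE = re.compile(r'NATD=[^:\s]+:(?P<port>\d+)')
# "(not authenticated)" is pluto reminding you that ICMP errors carry no integrity protection
NETERR_RE = re.compile(r'ERROR: asynchronous network error report on \S+ \(sport=(?P<sport>\d+)\) for message '
                       r'to (?P<peer>\S+) port (?P<port>\d+), complainant (?P<complainant>\S+): (?P<err>.*)$')


@dataclass
class PeerState:
    peer: str
    isakmp_established: bool = False            # phase 1 (main mode) done
    proposals: List[str] = field(default_factory=list)   # "us -> them" quick-mode selectors
    ipsec_mode: Optional[str] = None            # "transport" or "tunnel" once phase 2 is done
    natd_port: Optional[int] = None             # peer's NAT-T port as seen during IKE
    net_errors: List[dict] = field(default_factory=list)


def parse_log(text: str) -> Dict[str, PeerState]:
    peers: Dict[str, PeerState] = {}
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        body = m.group("body")
        err = NETERR_RE.match(body)
        if err:  # error lines carry no connection prefix, only the destination address
            st = peers.setdefault(err.group("peer"), PeerState(err.group("peer")))
            st.net_errors.append({k: (int(v) if k in ("sport", "port") else v)
                                  for k, v in err.groupdict().items() if k != "peer"})
            continue
        sa = SA_RE.match(body)
        if not sa:
            continue
        st = peers.setdefault(sa.group("peer"), PeerState(sa.group("peer")))
        msg = sa.group("msg")
        if "ISAKMP SA established" in msg:
            st.isakmp_established = True
        p = PROPOSAL_RE.search(msg)
        if p:
            st.proposals.append(f'{p.group("us")} -> {p.group("them")}')
        q = IPSEC_SA_RE.search(msg)
        if q:
            st.ipsec_mode = q.group("mode")
            n = NATD_RE.search(q.group("attrs"))
            st.natd_port = int(n.group("port")) if n else None
    return peers


def diagnose(st: PeerState) -> Tuple[str, List[str]]:
    """Return (verdict code, notes). The codes are this example's own, not libreswan's."""
    notes: List[str] = []
    if st.ipsec_mode is None:
        if not st.isakmp_established:
            return "NO_IKE", ["no ISAKMP SA: check the PSK and that UDP 500/4500 reach the server"]
        return "NO_IPSEC_SA", ["phase 1 done but no IPsec SA: check the quick-mode proposal and ESP ciphers"]
    if st.ipsec_mode != "transport":
        notes.append(f"IPsec SA is in {st.ipsec_mode} mode; L2TP/IPsec clients negotiate transport mode")
    if st.proposals and not any(":17/1701" in p.split(" -> ")[0] for p in st.proposals):
        notes.append("quick-mode selector on our side is not UDP/1701: this peer is not doing L2TP/IPsec")
    unreach = [e for e in st.net_errors if "ICMP type 3 code 3" in e["err"]]
    if not unreach:
        notes.append("IPsec is up; if the VPN still fails, look at xl2tpd/PPP (user and password), not the PSK")
        return "IPSEC_OK", notes
    ports = sorted({e["port"] for e in unreach})
    notes.append(f"IPsec came up, then the peer returned port-unreachable for UDP {unreach[0]['sport']} -> {ports}: "
                 "the failure is after IKE, on the NAT-T/L2TP path")
    if any(e["complainant"] == st.peer for e in unreach):
        notes.append("the ICMP came from the peer address itself (or the NAT in front of it), not from this server")
    if st.natd_port is not None and st.natd_port not in ports:
        notes.append(f"unreachable port(s) {ports} differ from the NAT-T port {st.natd_port} seen during IKE: "
                     "the NAT mapping changed or the client closed its UDP socket (libreswan's FAQ suggests "
                     "rekey=no and letting the NATed side initiate)")
    return "IPSEC_OK_PEER_UNREACHABLE", notes


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for peer, st in parse_log(text).items():
        code, notes = diagnose(st)
        print(f"{peer}: {code}")
        for n in notes:
            print("  -", n)
```

Run it as `python3 triage.py /var/log/secure` (or wherever pluto logs on the box) to get one verdict per peer. The point of the port comparison is that a phase-2 SA with `NATD=...:40770` followed by port-unreachable for port 40384 is not an authentication problem at all; the PSK and the user password were already past that stage.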

Is it working from other devices?

I also tried with an iPhone and a PC with Windows 7, but nothing.
I used a system user.

Thank you

P.S. This is an on-line translation

Continue Log

Apr 20 13:30:31 server pluto[15949]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 91.253.34.186 port 40384, complainant 91.253.34.186: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

OK, so it is also possible that the NethServer is not configured properly.
Did you already check the Wiki article?
http://wiki.nethserver.org/doku.php?id=howto:howto_set_up_a_vpn&s[]=vpn

Is the log from the NethServer (I don't know how they look at the moment)?

L2TP VPNs require a Windows network with PDC mode.

Yes, that is correct.
See this chapter in the Wiki:
http://wiki.nethserver.org/doku.php?id=howto:howto_set_up_a_vpn&s[]=vpn#l2tp_ipsec1


NethServer is the default gateway of the network, and on the router I enabled DMZ to the IP address of the server, so from outside all ports converge towards the red zone of the server. The PDC is enabled.

Thank you

P.S. This is an on-line translation

Can you explicitly forward the ports mentioned in the Wiki to the NethServer on your router?

Forwarding is activated on the modem into the red zone of the server, but it still does not work; however, in the log I can see that the connection reaches the server, but it is rejected for wrong authentication.
But the user, password and PSK key have been checked many times.

Apr 20 13:31:38 server pluto[15949]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to 91.253.34.186 port 40384, complainant 91.253.34.186: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

Thank you

P.S. This is an on-line translation

Regarding this Post

https://libreswan.org/wiki/FAQ#ERROR:asynchronous_network_error_report_on_eth0.28sport.3D500.29_for_message_to_xx.xx.xxx.xxx_port_500.2C_complainant_yy.yy.yyy.yyy:Connection_refused.5Berrno_111.2C_origin_ICMP_type_3_code_3_.28not_authenticated.29.5D

It is possible that the IKE daemon is not running on NethServer. Is the "xl2tpd (Layer 2 Tunneling Protocol)" service running?
If not: did you already try to restart the NethServer (if possible)?

How can I check whether the IKE daemon is running?
I also rebooted the server, but nothing.

Thank you

P.S. This is an on-line translation

Select the "Services" tab on the Dashboard page of NethServer. Be sure you see all services: by default you see only 25 services per page.
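The Services tab shows whether the ipsec (pluto) and xl2tpd daemons are up; from a shell the equivalent check is whether they actually have their UDP sockets bound on the red interface. As an added example (not part of the thread and not NethServer's own tooling), the following Python script parses `ss -lun` or `netstat -lun` output for the three UDP ports L2TP/IPsec needs: 500 (IKE), 4500 (IKE NAT-T, which also carries ESP-in-UDP for a NATed client such as a phone on mobile data) and 1701 (L2TP). It flags ports that are missing or bound only to loopback. The sample output is constructed; the port list is the standard one for this protocol stack, not taken from the Wiki page linked above.

```python
import re
import shutil
import subprocess
from typing import Dict, List, Set

# UDP ports an L2TP/IPsec responder must have bound, and which daemon owns each.
L2TP_IPSEC_UDP_PORTS = {
    500: "IKE (pluto)",
    4500: "IKE NAT-T / ESP-in-UDP (pluto)",
    1701: "L2TP (xl2tpd)",
}

# Constructed sample of `ss -lun` output; `netstat -lun` yields the same address:port tokens.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:500       0.0.0.0:*
UNCONN 0      0      [::]:500          [::]:*
UNCONN 0      0      0.0.0.0:4500      0.0.0.0:*
UNCONN 0      0      0.0.0.0:1701      0.0.0.0:*
UNCONN 0      0      127.0.0.1:123     0.0.0.0:*
"""

LOCAL_RE = re.compile(r'^(?P<addr>.+):(?P<port>\d+)$')


def listening_udp_ports(output: str) -> Dict[int, Set[str]]:
    """Map of UDP port -> set of local addresses it is bound on.

    The local-address column is found by shape (a token ending in ':<digits>'), so the
    header line and the column differences between ss and netstat do not matter; the
    peer column never matches because it ends in ':*'."""
    bound: Dict[int, Set[str]] = {}
    for line in output.splitlines():
        for tok in line.split():
            m = LOCAL_RE.match(tok)
            if m:
                bound.setdefault(int(m.group("port")), set()).add(m.group("addr"))
                break  # first matching token is the local side
    return bound


def _reachable(addrs: Set[str]) -> bool:
    # A socket bound only to loopback does not help a client arriving on the red interface.
    return any(a != "[::1]" and not a.startswith("127.") for a in addrs)


def missing_l2tp_ipsec_ports(bound: Dict[int, Set[str]]) -> List[int]:
    """Required ports that are not bound on a non-loopback address."""
    return sorted(p for p in L2TP_IPSEC_UDP_PORTS if not _reachable(bound.get(p, set())))


def live_check() -> List[str]:
    """Run ss (or netstat) on this host and report what is missing. Linux only."""
    if shutil.which("ss"):
        cmd = ["ss", "-lun"]
    elif shutil.which("netstat"):
        cmd = ["netstat", "-lun"]
    else:
        return ["neither ss nor netstat found"]
    out = subprocess.run(cmd, stdout=subprocess.PIPE, universal_newlines=True, check=False).stdout
    missing = missing_l2tp_ipsec_ports(listening_udp_ports(out))
    if not missing:
        return ["UDP 500, 4500 and 1701 are bound: pluto and xl2tpd are listening"]
    return [f"UDP {p} not bound on a reachable address: {L2TP_IPSEC_UDP_PORTS[p]} is not running or not listening"
            for p in missing]


if __name__ == "__main__":
    for line in live_check():
        print(line)
```

Two caveats the socket check cannot cover: a client that is not behind NAT sends ESP as IP protocol 50, which has no port and is not covered by a UDP port forward (a DMZ setting on the router usually passes it, a per-port forward does not); and a bound socket only proves the daemon is up, not that the firewall on the red interface lets the packets in.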

crond (Scheduled commands daemon) enabled Running
httpd-admin (NethServer web interface) enabled Running TCP: 980
ipsec (Internet Protocol Security - VPN) enabled Running
lsm (Link Status Monitor) enabled Stopped
messagebus (DBUS - System notifications) enabled Running
nmb (NetBIOS) enabled Running UDP: 137,138
nslcd (Local LDAP name service) enabled Running
ntpd (Network Time Protocol) enabled Running UDP: 123
openvpn (OpenVPN) enabled Stopped UDP: 1194
postfix (SMTP) enabled Running
rsyslog (System logger) enabled Running
shorewall (Firewall) enabled Running
slapd (OpenLDAP) enabled Running TCP: 389
smartd (Self-Monitoring, Analysis and Reporting Technology) enabled Running
smb (Windows share - Samba) enabled Running TCP: 139,445
snortd (IDS and IPS) disabled Running
sshd (Secure Shell) enabled Running TCP: 22
winbind (Name Service Switch) enabled Running
xl2tpd (Layer 2 Tunneling Protocol) enabled Running

Hm, maybe the problem is also caused by your router.
"It is also possible that the remote IP is actually a NAT device with the IPsec device behind it. In that case, using rekey=no and letting the other end initiate might make this error go away."
How to do this: I cannot tell you. Maybe @alefattorini or @davidep can?

In the /etc/ipsec.conf file, do I have to add "rekey=no"?

Thank you

P.S. This is an on-line translation

However, I have the same problem on a VPS server on Aruba, the same type of error.
On Aruba there is a modem that can create these problems.

Thank you

P.S. This is an on-line translation

I ran a test with OpenVPN both on Aruba and on my server behind the modem; everything works great, but my intention was to use IPsec to avoid the OpenVPN install on devices.

Thank you

P.S. This is an on-line translation

Are you talking about L2TP/IPsec or “pure” IPSec? That is something different.

L2TP/IPsec