[Swan] Problems converting from OpenSWAN to LibreSWAN

Nels Lindquist nlindq at maei.ca
Tue Aug 19 00:25:06 EEST 2014



Hello, all.

On 5/7/2014 4:04 PM, Nels Lindquist wrote:
> On 5/7/2014 2:32 PM, Paul Wouters wrote:
>> On Wed, 7 May 2014, Nels Lindquist wrote:
> 
>>>> May  7 07:57:10 mail pluto[28834]: | sending IKE fragment id 
>>>> '1', number '1'
>>>> 
>>>> Can you try with both ike_frag=force and ike_frag=no ?
>>> 
>>> With ike_frag=force we get additional lines (discarding 
>>> duplicate packet; already STATE_MAIN_R2); with ike_frag=no the 
>>> behaviour is the same as before.  Would you like
>>> "plutodebug=all" logs for either or both of these settings?
> 
>> Hmm. I don't think that will help as it is the other end that is
>>  unhappy. Have you tried this with another device, eg an iphone
>> in L2TP mode or something? Just as reference?
> 
> I've only tested with other Windows devices.  In production that's
> all we're using for clients connecting from outside.  Our current
> main VPN gateway is still OpenSWAN, with a bunch of clients
> (Windows 7 mostly, but a couple of legacy XP) successfully
> connecting.
> 
>>> May  7 13:45:04 mail pluto[14792]: "L2TP-Win2KXP"[1]
>>> 209.82.26.89 #6: discarding duplicate packet; already
>>> STATE_MAIN_R2
> 
>> Is there a way to get the ipsec logs from the Windows machine to 
>> find out what it is complaining about?
> 
>> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx?mfr=true
>
>> 
> I'll have to work more on this.  So far I've enabled IKE logging
> in the Advanced Firewall, but the only message I get is:
> 
> An IPsec main mode negotiation failed. Failure Reason: New policy
> invalidated SAs formed with old policy
> 
> I think I'm going to have to delve into enabling the Oakley logs,
> which apparently involve downloading XP programs to Windows 7, etc.
> I'll have to tackle that tomorrow.

Boy howdy, did THAT ever turn out to be harder than I expected (in
fact, I'm still not able to read logs for Win7).  I've been away on
leave for a couple of months and other priorities were higher in the
time leading up to my leave, so it's been a while...

The good news is that I now have some detailed logs from Windows Vista
wherein the problem may be captured.  The logs encompass the connection
attempt to LibreSWAN/L2TP from inside our network.  Please see attached.

I'm still working on getting logs from Windows 7, but it turns out
that WFP.TMF files (required to interpret the binary logfiles
generated by the IKEEXT service) are very difficult to find for
anything later than 32-bit Vista (hence the attached log files)...

Please let me know if you need additional logging from the Windows
side and I'll see what I can do.

In case you're curious, I've already tried upgrading to LibreSWAN 3.9,
which didn't resolve the issue.

Nels Lindquist
<nlindq at maei.ca>

An attachment named:
        wfpout.zip
was stripped from this message.  It is not possible to retrieve it;
please contact the sender if you require it.
