[Swan] Problems logging into libreswan on debian

Subhi S Hashwa lists at subhi.com
Sun Jan 11 14:16:21 EET 2015


Dear All,

I am hoping someone can help me debug this installation of libreswan; I
don't have much hair left on my head to pull.

I recently migrated from openswan as libreswan seems to be more active
in development.

uname -a

Linux crucible-2 3.2.0-4-686-pae #1 SMP Debian 3.2.63-2+deb7u2 i686 GNU/Linux

ipsec --version

Linux Libreswan 3.12 (netkey) on 3.2.0-4-686-pae

xl2tpd -v

xl2tpd version:  xl2tpd-1.3.1

from /etc/ipsec.conf

version 2.0     # conforms to second version of ipsec.conf specification

# Reviewer note: the auth.log excerpt quoted later on this page ends with
# "initial Aggressive Mode message from <client> but no (wildcard) connection
# has been configured with policy=PSK+AGGRESSIVE". Nothing in this file asks
# for Aggressive Mode, so pluto is rejecting a proposal the server was never
# configured to accept; the mismatch is on the client side. The safer fix is
# to make the client negotiate Main Mode (on OS X an L2TP-over-IPsec profile
# with a shared secret and no group name is expected to do that — confirm on
# the client) rather than to enable aggressive mode here: Aggressive Mode
# with a pre-shared key exposes PSK-derived material to anyone on the path,
# who can then attack the secret offline. If it must be enabled anyway, pair
# it with a long random PSK.

config setup
        protostack=netkey
        oe=off
        nat_traversal=yes
        force_keepalive=yes
        keep_alive=60

# NAT variant: inherits everything from L2TP-PSK-noNAT via also= and only
# widens rightsubnet so a client whose inner address is private/NATed still
# matches (vhost:%priv is the usual libreswan idiom for that).
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        #
        # Configuration for one user with any type of IPsec/L2TP client
        # including the updated Windows 2000/XP (MS KB Q818043), but
        # excluding the non-updated Windows 2000/XP.
        #
        #
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        #
        # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
        # YourIPAddress  %any: "sharedsecret"
        # (the ipsec.secrets line quoted later on this page follows that
        # form: <server-ip> %any : PSK "...")
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        # Public address of this host (redacted by the poster); pluto's log
        # further down shows it bound on eth1.
        left=212.159.xxx.xxx
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any

# Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
# connection with. With L2TP clients behind NAT, that's not really what
# you want. The connection below allows both l2tp/ipsec and plaintext
# connections from behind the same NAT router.
# The l2tpd use a leftprotoport, so they are more specific and will be used
# first. Then, packets for the host on different ports and protocols (eg ssh)
# will match this passthrough conn.
# (Note: this file runs protostack=netkey, see config setup; the comment
# above was written with KLIPS in mind — whether the passthrough conn is
# still needed on netkey is worth confirming against the libreswan docs.)
conn passthrough-for-non-l2tp
        type=passthrough
        left=212.159.xxx.xxx
        leftnexthop=%defaultroute
        right=%any
        auto=route

from /etc/xl2tpd/xl2tpd.conf

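[global]
; Global parameters:

; * Bind to port 1701
; (in the posted file this comment trailed the key on the same line and had
; wrapped onto a line of its own, which the parser would see as a bare
; "Bind to port 1701" entry; moved to a full-line comment above the key)
port = 1701
; NOTE(review): the auth.log quoted on this page has pluto reporting
; "SAref support [disabled]: Protocol not available" (ipsec.conf uses
; protostack=netkey), so the IPsec stack in use does not provide SAref —
; confirm whether this should be "no" for netkey.
ipsec saref = yes
listen-addr = 212.159.xxx.xxx

[lns default]

ip range = 192.168.101.2-192.168.101.10
local ip = 192.168.101.1
refuse chap = yes
refuse pap = yes
require authentication = yes
; must match the server column of /etc/ppp/chap-secrets (it does: the line
; quoted later on this page uses TMP-VPN). Was written "name=TMP-VPN";
; normalised to the "key = value" spacing used by every other line.
name = TMP-VPN
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
; "length bit = yes" appeared twice in the posted file; kept once.
length bit = yes
assign ip = yes
; NOTE(review): the three keys below use pppd's hyphenated option spelling
; and the same options are already set in /etc/ppp/options.xl2tpd (quoted
; on this page). Confirm xl2tpd.conf accepts them; if it does not, they are
; redundant here and can be dropped.
refuse-eap = yes
refuse-mschap = yes
require-mschap-v2 = yes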


from /etc/ppp/options.xl2tpd

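# pppd options handed to xl2tpd (pppoptfile in /etc/xl2tpd/xl2tpd.conf).
# The posted file listed require-mschap-v2 and proxyarp twice each; they
# are kept once below. Every other option is unchanged, only regrouped.

# Authentication: every method except MS-CHAPv2 is refused, and
# hide-password keeps the peer's password out of the debug log.
auth
require-mschap-v2
refuse-chap
refuse-eap
refuse-pap
refuse-mschap
hide-password

# Addressing handed to / negotiated with the client
ms-dns 172.18.1.1
ms-dns 8.8.8.8
ms-dns 4.2.2.1
ms-dns 8.8.4.4
proxyarp
ipcp-accept-local
ipcp-accept-remote
noipx

# Link settings
asyncmap 0
crtscts
lock
modem
debug
# no CCP — presumably because the IPsec transport already encrypts the
# L2TP traffic; confirm this is intended
noccp
mtu 1200
lcp-echo-interval 30
lcp-echo-failure 4
idle 1800
connect-delay 5000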

from /etc/ipsec.secrets

212.159.server.ip %any : PSK "secret-password-goes-here"


from /etc/ppp/chap-secrets

*       TMP-VPN secret-password-goes-here   *

from /var/log/auth.log

Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down
Jan 11 11:49:54 crucible-2 pluto[29063]: forgetting secrets
Jan 11 11:49:54 crucible-2 pluto[29063]: "passthrough-for-non-l2tp":
deleting connection
Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-noNAT": deleting connection
Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-NAT": deleting connection
Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo ::1:500
Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo
127.0.0.1:4500
Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo
127.0.0.1:500
Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
eth0/eth0 172.18.1.8:4500
Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
eth0/eth0 172.18.1.8:500
Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
eth0:0/eth0:0 192.168.101.1:4500
Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
eth0:0/eth0:0 192.168.101.1:500
Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
eth1/eth1 212.159.XXX.XXX:4500
Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
eth1/eth1 212.159.XXX.XXX:500
Jan 11 11:49:54 crucible-2 ipsec__plutorun: pluto killed by SIGTERM,
terminating without restart
Jan 11 11:49:54 crucible-2 ipsec__plutorun: Starting Pluto subsystem...
Jan 11 11:49:54 crucible-2 pluto[29287]: nss directory plutomain: /etc/ipsec.d
Jan 11 11:49:54 crucible-2 pluto[29287]: NSS Initialized
Jan 11 11:49:54 crucible-2 pluto[29287]: libcap-ng support [enabled]
Jan 11 11:49:54 crucible-2 pluto[29287]: FIPS HMAC integrity support [disabled]
Jan 11 11:49:54 crucible-2 pluto[29287]: Linux audit support [disabled]
Jan 11 11:49:54 crucible-2 pluto[29287]: Starting Pluto (Libreswan
Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM
NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:29287
Jan 11 11:49:54 crucible-2 pluto[29287]: core dump dir: /var/run/pluto
Jan 11 11:49:54 crucible-2 pluto[29287]: secrets file: /etc/ipsec.secrets
Jan 11 11:49:54 crucible-2 pluto[29287]: leak-detective disabled
Jan 11 11:49:54 crucible-2 pluto[29287]: SAref support [disabled]:
Protocol not available
Jan 11 11:49:54 crucible-2 pluto[29287]: SAbind support [disabled]:
Protocol not available
Jan 11 11:49:54 crucible-2 pluto[29287]: NSS crypto [enabled]
Jan 11 11:49:54 crucible-2 pluto[29287]: XAUTH PAM support [enabled]
Jan 11 11:49:54 crucible-2 pluto[29287]:    NAT-Traversal support  [enabled]
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating DISABLED-OAKLEY_AES_CTR: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
Activating DISABLED-OAKLEY_AES_XCBC: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating DISABLED-OAKLEY_CAMELLIA_CBC: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating OAKLEY_CAMELLIA_CTR: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
Activating OAKLEY_SHA2_384: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: starting up 1 crypto helpers
Jan 11 11:49:54 crucible-2 pluto[29287]: started thread for crypto
helper 0 (master fd 6)
Jan 11 11:49:54 crucible-2 pluto[29287]: Using Linux XFRM/NETKEY IPsec
interface code on 3.2.0-4-686-pae
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating aes_ccm_8: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating aes_ccm_12: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating aes_ccm_16: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating aes_gcm_8: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating aes_gcm_12: Ok
Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
Activating aes_gcm_16: Ok
Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
"L2TP-PSK-NAT"
Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
"L2TP-PSK-noNAT"
Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
"passthrough-for-non-l2tp"
Jan 11 11:49:55 crucible-2 pluto[29287]: listening for IKE messages
Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1
212.159.XXX.XXX:500
Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1
212.159.XXX.XXX:4500
Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface
eth0:0/eth0:0 192.168.101.1:500
Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface
eth0:0/eth0:0 192.168.101.1:4500
Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0
172.18.1.8:500
Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0
172.18.1.8:4500
Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:500
Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:4500
Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo ::1:500
Jan 11 11:49:55 crucible-2 pluto[29287]: loading secrets from
"/etc/ipsec.secrets"
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: received Vendor ID payload [FRAGMENTATION
80000000]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: received Vendor ID payload [RFC 3947]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-08]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-07]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-06]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-05]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-04]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: received Vendor ID payload [Dead Peer
Detection]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
87.112.client.ip:50534: initial Aggressive Mode message from
87.112.client.ip but no (wildcard) connection has been configured with
policy=PSK+AGGRESSIVE

The client is the built-in Mac OS X VPN client on Yosemite 10.10.1 (14B25).

Any thoughts on how I should get this working?

Many thanks

-- 
Subhi S Hashwa
When everything is heading your way, you're in the wrong lane.

Are you on LinkedIn ? Connect with me! http://linkedin.com/in/subhi

