[Swan] Problems logging into libreswan on debian

Paul Wouters paul at nohats.ca
Sun Jan 11 16:21:17 EET 2015


You have ipsec saref = yes on netkey, which is wrong. Saref is for "mast" only.

Sent from my iPhone

> On Jan 11, 2015, at 07:16, Subhi S Hashwa <lists at subhi.com> wrote:
> 
> Dear All,
> 
> I am hoping someone can help me debug this installation of libreswan; I
> don't have much hair left on my head to pull.
> 
> I recently migrated from openswan as libreswan seems to be more active
> in development.
> 
> uname -a
> 
> Linux crucible-2 3.2.0-4-686-pae #1 SMP Debian 3.2.63-2+deb7u2 i686 GNU/Linux
> 
> ipsec --version
> 
> Linux Libreswan 3.12 (netkey) on 3.2.0-4-686-pae
> 
> xl2tpd -v
> 
> xl2tpd version:  xl2tpd-1.3.1
> 
> from /etc/ipsec.conf
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> config setup
>        protostack=netkey
>        oe=off
>        nat_traversal=yes
>        force_keepalive=yes
>        keep_alive=60
> 
> conn L2TP-PSK-NAT
>        rightsubnet=vhost:%priv
>        also=L2TP-PSK-noNAT
> 
> conn L2TP-PSK-noNAT
>        #
>        # Configuration for one user with any type of IPsec/L2TP client
>        # including the updated Windows 2000/XP (MS KB Q818043), but
>        # excluding the non-updated Windows 2000/XP.
>        #
>        #
>        # Use a Preshared Key. Disable Perfect Forward Secrecy.
>        #
>        # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
>        # YourIPAddress  %any: "sharedsecret"
>        authby=secret
>        pfs=no
>        auto=add
>        keyingtries=3
>        # we cannot rekey for %any, let client rekey
>        rekey=no
>        # Apple iOS doesn't send delete notify so we need dead peer detection
>        # to detect vanishing clients
>        dpddelay=10
>        dpdtimeout=90
>        dpdaction=clear
>        # Set ikelifetime and keylife to same defaults windows has
>        ikelifetime=8h
>        keylife=1h
>        # l2tp-over-ipsec is transport mode
>        type=transport
>        #
>        left=212.159.xxx.xxx
>        #
>        # For updated Windows 2000/XP clients,
>        # to support old clients as well, use leftprotoport=17/%any
>        leftprotoport=17/1701
>        #
>        # The remote user.
>        #
>        right=%any
>        # Using the magic port of "%any" means "any one single port". This is
>        # a work around required for Apple OSX clients that use a randomly
>        # high port.
>        rightprotoport=17/%any
>        #%any
> 
> # Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
> # connection with. With L2TP clients behind NAT, that's not really what
> # you want. The connection below allows both l2tp/ipsec and plaintext
> # connections from behind the same NAT router.
> # The l2tpd use a leftprotoport, so they are more specific and will be used
> # first. Then, packets for the host on different ports and protocols (eg ssh)
> # will match this passthrough conn.
> conn passthrough-for-non-l2tp
>        type=passthrough
>        left=212.159.xxx.xxx
>        leftnexthop=%defaultroute
>        right=%any
>        auto=route
> 
> from /etc/xl2tpd/xl2tpd.conf
> 
> [global]
> ; Global parameters:
> 
> port = 1701                                                     ; * Bind to port 1701
> ipsec saref = yes
> listen-addr = 212.159.xxx.xxx
> 
> [lns default]
> 
> ip range = 192.168.101.2-192.168.101.10
> local ip = 192.168.101.1
> refuse chap = yes
> refuse pap = yes
> require authentication = yes
> name=TMP-VPN
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
> assign ip = yes
> length bit = yes
> refuse-eap = yes
> refuse-mschap = yes
> require-mschap-v2 = yes
> 
> 
> from /etc/ppp/options.xl2tpd
> 
> require-mschap-v2
> ms-dns 172.18.1.1
> ms-dns 8.8.8.8
> ms-dns 4.2.2.1
> ms-dns 8.8.4.4
> proxyarp
> asyncmap 0
> auth
> crtscts
> lock
> hide-password
> modem
> debug
> refuse-chap
> refuse-eap
> refuse-pap
> refuse-mschap
> require-mschap-v2
> noccp
> mtu 1200
> proxyarp
> lcp-echo-interval 30
> lcp-echo-failure 4
> ipcp-accept-local
> ipcp-accept-remote
> noipx
> idle 1800
> connect-delay 5000
> 
> from /etc/ipsec.secrets
> 
> 212.159.server.ip %any : PSK "secret-password-goes-here"
> 
> 
> from /etc/ppp/chap-secrets
> 
> *       TMP-VPN secret-password-goes-here   *
> 
> from /var/log/auth.log
> 
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down
> Jan 11 11:49:54 crucible-2 pluto[29063]: forgetting secrets
> Jan 11 11:49:54 crucible-2 pluto[29063]: "passthrough-for-non-l2tp":
> deleting connection
> Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-noNAT": deleting connection
> Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-NAT": deleting connection
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo ::1:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo
> 127.0.0.1:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo
> 127.0.0.1:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth0/eth0 172.18.1.8:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth0/eth0 172.18.1.8:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth0:0/eth0:0 192.168.101.1:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth0:0/eth0:0 192.168.101.1:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth1/eth1 212.159.XXX.XXX:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth1/eth1 212.159.XXX.XXX:500
> Jan 11 11:49:54 crucible-2 ipsec__plutorun: pluto killed by SIGTERM,
> terminating without restart
> Jan 11 11:49:54 crucible-2 ipsec__plutorun: Starting Pluto subsystem...
> Jan 11 11:49:54 crucible-2 pluto[29287]: nss directory plutomain: /etc/ipsec.d
> Jan 11 11:49:54 crucible-2 pluto[29287]: NSS Initialized
> Jan 11 11:49:54 crucible-2 pluto[29287]: libcap-ng support [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: FIPS HMAC integrity support [disabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: Linux audit support [disabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: Starting Pluto (Libreswan
> Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM
> NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:29287
> Jan 11 11:49:54 crucible-2 pluto[29287]: core dump dir: /var/run/pluto
> Jan 11 11:49:54 crucible-2 pluto[29287]: secrets file: /etc/ipsec.secrets
> Jan 11 11:49:54 crucible-2 pluto[29287]: leak-detective disabled
> Jan 11 11:49:54 crucible-2 pluto[29287]: SAref support [disabled]:
> Protocol not available
> Jan 11 11:49:54 crucible-2 pluto[29287]: SAbind support [disabled]:
> Protocol not available
> Jan 11 11:49:54 crucible-2 pluto[29287]: NSS crypto [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: XAUTH PAM support [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]:    NAT-Traversal support  [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating DISABLED-OAKLEY_AES_CTR: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
> Activating DISABLED-OAKLEY_AES_XCBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating DISABLED-OAKLEY_CAMELLIA_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating OAKLEY_CAMELLIA_CTR: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_384: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: starting up 1 crypto helpers
> Jan 11 11:49:54 crucible-2 pluto[29287]: started thread for crypto
> helper 0 (master fd 6)
> Jan 11 11:49:54 crucible-2 pluto[29287]: Using Linux XFRM/NETKEY IPsec
> interface code on 3.2.0-4-686-pae
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_ccm_8: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_ccm_12: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_ccm_16: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_gcm_8: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_gcm_12: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_gcm_16: Ok
> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
> "L2TP-PSK-NAT"
> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
> "L2TP-PSK-noNAT"
> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
> "passthrough-for-non-l2tp"
> Jan 11 11:49:55 crucible-2 pluto[29287]: listening for IKE messages
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1
> 212.159.XXX.XXX:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1
> 212.159.XXX.XXX:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface
> eth0:0/eth0:0 192.168.101.1:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface
> eth0:0/eth0:0 192.168.101.1:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0
> 172.18.1.8:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0
> 172.18.1.8:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo ::1:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: loading secrets from
> "/etc/ipsec.secrets"
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: received Vendor ID payload [FRAGMENTATION
> 80000000]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: received Vendor ID payload [RFC 3947]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-08]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-07]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-06]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-05]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-04]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: received Vendor ID payload [Dead Peer
> Detection]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: initial Aggressive Mode message from
> 87.112.client.ip but no (wildcard) connection has been configured with
> policy=PSK+AGGRESSIVE
> 
> Client is a Mac OSX default client on Yosemite 10.10.1 (14B25)
> 
> Any thoughts on how I should get this working ?
> 
> Many thanks
> 
> -- 
> Subhi S Hashwa
> When everything is heading your way, you're in the wrong lane.
> 
> Are you on LinkedIn ? Connect with me! http://linkedin.com/in/subhi
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
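
The check Paul makes by eye can be done mechanically. The script below is an added example, not code from either poster or from the libreswan or xl2tpd projects. It parses a libreswan ipsec.conf, an xl2tpd.conf and a pluto auth.log excerpt and reports (a) the saref/protostack mismatch from the reply, cross-checked against the "SAref support [disabled]" line the log actually prints, and (b) the rejection at the end of the log, where the peer opened IKEv1 Aggressive Mode with a PSK and no conn carried policy PSK+AGGRESSIVE. The inputs are constructed, trimmed copies of the quoted configs and log; the documentation addresses 203.0.113.10 (server) and 198.51.100.7 (client) stand in for the redacted ones. One caveat worth keeping in mind when reading finding (b): IKEv1 Aggressive Mode with a PSK sends the PSK-derived hash before the exchange is encrypted, so enabling it hands anyone sniffing the handshake material for offline guessing of the shared secret.

```python
"""Cross-check a libreswan + xl2tpd L2TP/IPsec setup against its own pluto log.

Added example, not code from the thread. IPSEC_CONF, XL2TPD_CONF and AUTH_LOG
are constructed, trimmed copies of what was quoted in the post, with RFC 5737
documentation addresses in place of the redacted ones.
"""
import configparser
import re

IPSEC_CONF = """\
version 2.0

config setup
        protostack=netkey
        oe=off
        nat_traversal=yes

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        type=transport
        left=203.0.113.10
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
"""

XL2TPD_CONF = """\
[global]
; Global parameters:
port = 1701                 ; * Bind to port 1701
ipsec saref = yes
listen-addr = 203.0.113.10

[lns default]
ip range = 192.168.101.2-192.168.101.10
local ip = 192.168.101.1
length bit = yes
assign ip = yes
length bit = yes
require-mschap-v2 = yes
"""

AUTH_LOG = """\
Jan 11 11:49:54 crucible-2 pluto[29287]: Starting Pluto (Libreswan Version 3.12 XFRM(netkey) KLIPS NSS) pid:29287
Jan 11 11:49:54 crucible-2 pluto[29287]: SAref support [disabled]: Protocol not available
Jan 11 11:49:54 crucible-2 pluto[29287]: Using Linux XFRM/NETKEY IPsec interface code on 3.2.0-4-686-pae
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 198.51.100.7:50534: received Vendor ID payload [RFC 3947]
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 198.51.100.7:50534: initial Aggressive Mode message from 198.51.100.7 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
"""

# pluto's refusal of an unsolicited Aggressive Mode exchange (wording from the quoted log)
AGGR_RE = re.compile(
    r"packet from (\S+): initial Aggressive Mode message from \S+ "
    r"but no \(wildcard\) connection has been configured with policy=(\S+)"
)


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for 'config setup' and 'conn NAME' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # ipsec.conf comments start with '#'
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: section header or 'version 2.0'
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {}) if kind in ("config", "conn") else None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def parse_xl2tpd_conf(text):
    """xl2tpd.conf is INI-style with ';' comments; strict=False tolerates the repeated 'length bit'."""
    cp = configparser.ConfigParser(strict=False, inline_comment_prefixes=(";",), interpolation=None)
    cp.read_string(text)
    return cp


def check_saref(sections, xl2tpd, log_text):
    """Paul's point: xl2tpd 'ipsec saref = yes' only makes sense with protostack=mast (KLIPS/MAST)."""
    findings = []
    stack = sections.get(("config", "setup"), {}).get("protostack", "<unset>")
    saref = xl2tpd.get("global", "ipsec saref", fallback="no").lower()
    if saref == "yes" and stack != "mast":
        findings.append(f"xl2tpd 'ipsec saref = yes' needs protostack=mast; ipsec.conf has protostack={stack}")
        if "SAref support [disabled]" in log_text:
            findings.append("pluto log confirms: SAref support [disabled] on this stack")
    return findings


def check_aggressive(log_text):
    """Surface peers whose Aggressive Mode proposal matched no configured conn policy."""
    return [
        f"peer {m.group(1)} proposed IKEv1 Aggressive Mode; no conn has policy {m.group(2)}"
        for line in log_text.splitlines()
        if (m := AGGR_RE.search(line))
    ]


def run_checks(ipsec_conf=IPSEC_CONF, xl2tpd_conf=XL2TPD_CONF, log=AUTH_LOG):
    """Run both checks and return the combined list of findings (empty means consistent)."""
    sections = parse_ipsec_conf(ipsec_conf)
    xl2tpd = parse_xl2tpd_conf(xl2tpd_conf)
    return check_saref(sections, xl2tpd, log) + check_aggressive(log)


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
```

Against the constructed inputs the script reports three findings: the saref/netkey mismatch, the log line that corroborates it, and the unmatched Aggressive Mode proposal from the client. Swapping `protostack=netkey` for `protostack=mast` in the sample clears the first two, which is the behaviour the reply describes.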