[Swan] Problems logging into libreswan on debian
Paul Wouters
paul at nohats.ca
Sun Jan 11 16:21:17 EET 2015
You have ipsec saref = yes on netkey, which is wrong. Saref is for "mast" only.
Sent from my iPhone
> On Jan 11, 2015, at 07:16, Subhi S Hashwa <lists at subhi.com> wrote:
>
> Dear All,
>
> I am hoping someone can help me debug this installation of libreswan I
> don't have much hair left on my head to pull.
>
> I recently migrated from openswan as libreswan seems to be more active
> in development.
>
> uname -a
>
> Linux crucible-2 3.2.0-4-686-pae #1 SMP Debian 3.2.63-2+deb7u2 i686 GNU/Linux
>
> ipsec --version
>
> Linux Libreswan 3.12 (netkey) on 3.2.0-4-686-pae
>
> xl2tpd -v
>
> xl2tpd version: xl2tpd-1.3.1
>
> from /etc/ipsec.conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> config setup
> protostack=netkey
> oe=off
> nat_traversal=yes
> force_keepalive=yes
> keep_alive=60
>
> conn L2TP-PSK-NAT
> rightsubnet=vhost:%priv
> also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
> #
> # Configuration for one user with any type of IPsec/L2TP client
> # including the updated Windows 2000/XP (MS KB Q818043), but
> # excluding the non-updated Windows 2000/XP.
> #
> #
> # Use a Preshared Key. Disable Perfect Forward Secrecy.
> #
> # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
> # YourIPAddress %any: "sharedsecret"
> authby=secret
> pfs=no
> auto=add
> keyingtries=3
> # we cannot rekey for %any, let client rekey
> rekey=no
> # Apple iOS doesn't send delete notify so we need dead peer detection
> # to detect vanishing clients
> dpddelay=10
> dpdtimeout=90
> dpdaction=clear
> # Set ikelifetime and keylife to same defaults windows has
> ikelifetime=8h
> keylife=1h
> # l2tp-over-ipsec is transport mode
> type=transport
> #
> left=212.159.xxx.xxx
> #
> # For updated Windows 2000/XP clients,
> # to support old clients as well, use leftprotoport=17/%any
> leftprotoport=17/1701
> #
> # The remote user.
> #
> right=%any
> # Using the magic port of "%any" means "any one single port". This is
> # a work around required for Apple OSX clients that use a randomly
> # high port.
> rightprotoport=17/%any
> #%any
>
> # Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
> # connection with. With L2TP clients behind NAT, that's not really what
> # you want. The connection below allows both l2tp/ipsec and plaintext
> # connections from behind the same NAT router.
> # The l2tpd use a leftprotoport, so they are more specific and will be used
> # first. Then, packets for the host on different ports and protocols (eg ssh)
> # will match this passthrough conn.
> conn passthrough-for-non-l2tp
> type=passthrough
> left=212.159.xxx.xxx
> leftnexthop=%defaultroute
> right=%any
> auto=route
>
> from /etc/xl2tpd/xl2tpd.conf
>
> [global]
> ; Global parameters:
>
> port = 1701 ; *
> Bind to port 1701
> ipsec saref = yes
> listen-addr = 212.159.xxx.xxx
>
> [lns default]
>
> ip range = 192.168.101.2-192.168.101.10
> local ip = 192.168.101.1
> refuse chap = yes
> refuse pap = yes
> require authentication = yes
> name=TMP-VPN
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
> assign ip = yes
> length bit = yes
> refuse-eap = yes
> refuse-mschap = yes
> require-mschap-v2 = yes
>
>
> from /etc/ppp/options.xl2tpd
>
> require-mschap-v2
> ms-dns 172.18.1.1
> ms-dns 8.8.8.8
> ms-dns 4.2.2.1
> ms-dns 8.8.4.4
> proxyarp
> asyncmap 0
> auth
> crtscts
> lock
> hide-password
> modem
> debug
> refuse-chap
> refuse-eap
> refuse-pap
> refuse-mschap
> require-mschap-v2
> noccp
> mtu 1200
> proxyarp
> lcp-echo-interval 30
> lcp-echo-failure 4
> ipcp-accept-local
> ipcp-accept-remote
> noipx
> idle 1800
> connect-delay 5000
>
> from /etc/ipsec.secrets
>
> 212.159.server.ip %any : PSK "secret-password-goes-here"
>
>
> from /etc/ppp/chap-secrets
>
> * TMP-VPN secret-password-goes-here *
>
> from /var/log/auth.log
>
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down
> Jan 11 11:49:54 crucible-2 pluto[29063]: forgetting secrets
> Jan 11 11:49:54 crucible-2 pluto[29063]: "passthrough-for-non-l2tp":
> deleting connection
> Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-noNAT": deleting connection
> Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-NAT": deleting connection
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo ::1:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo
> 127.0.0.1:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo
> 127.0.0.1:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth0/eth0 172.18.1.8:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth0/eth0 172.18.1.8:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth0:0/eth0:0 192.168.101.1:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth0:0/eth0:0 192.168.101.1:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth1/eth1 212.159.XXX.XXX:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
> eth1/eth1 212.159.XXX.XXX:500
> Jan 11 11:49:54 crucible-2 ipsec__plutorun: pluto killed by SIGTERM,
> terminating without restart
> Jan 11 11:49:54 crucible-2 ipsec__plutorun: Starting Pluto subsystem...
> Jan 11 11:49:54 crucible-2 pluto[29287]: nss directory plutomain: /etc/ipsec.d
> Jan 11 11:49:54 crucible-2 pluto[29287]: NSS Initialized
> Jan 11 11:49:54 crucible-2 pluto[29287]: libcap-ng support [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: FIPS HMAC integrity support [disabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: Linux audit support [disabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: Starting Pluto (Libreswan
> Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM
> NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:29287
> Jan 11 11:49:54 crucible-2 pluto[29287]: core dump dir: /var/run/pluto
> Jan 11 11:49:54 crucible-2 pluto[29287]: secrets file: /etc/ipsec.secrets
> Jan 11 11:49:54 crucible-2 pluto[29287]: leak-detective disabled
> Jan 11 11:49:54 crucible-2 pluto[29287]: SAref support [disabled]:
> Protocol not available
> Jan 11 11:49:54 crucible-2 pluto[29287]: SAbind support [disabled]:
> Protocol not available
> Jan 11 11:49:54 crucible-2 pluto[29287]: NSS crypto [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: XAUTH PAM support [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: NAT-Traversal support [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC_SSH: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating OAKLEY_TWOFISH_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating OAKLEY_SERPENT_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating DISABLED-OAKLEY_AES_CTR: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
> Activating DISABLED-OAKLEY_AES_XCBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating DISABLED-OAKLEY_CAMELLIA_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating OAKLEY_CAMELLIA_CTR: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_512: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_384: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
> Activating OAKLEY_SHA2_256: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: starting up 1 crypto helpers
> Jan 11 11:49:54 crucible-2 pluto[29287]: started thread for crypto
> helper 0 (master fd 6)
> Jan 11 11:49:54 crucible-2 pluto[29287]: Using Linux XFRM/NETKEY IPsec
> interface code on 3.2.0-4-686-pae
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_ccm_8: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_ccm_12: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_ccm_16: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_gcm_8: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_gcm_12: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
> Activating aes_gcm_16: Ok
> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
> "L2TP-PSK-NAT"
> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
> "L2TP-PSK-noNAT"
> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
> "passthrough-for-non-l2tp"
> Jan 11 11:49:55 crucible-2 pluto[29287]: listening for IKE messages
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1
> 212.159.XXX.XXX:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1
> 212.159.XXX.XXX:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface
> eth0:0/eth0:0 192.168.101.1:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface
> eth0:0/eth0:0 192.168.101.1:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0
> 172.18.1.8:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0
> 172.18.1.8:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo ::1:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: loading secrets from
> "/etc/ipsec.secrets"
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: received Vendor ID payload [FRAGMENTATION
> 80000000]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: received Vendor ID payload [RFC 3947]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-08]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-07]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-06]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-05]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-04]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: received Vendor ID payload [Dead Peer
> Detection]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
> 87.112.client.ip:50534: initial Aggressive Mode message from
> 87.112.client.ip but no (wildcard) connection has been configured with
> policy=PSK+AGGRESSIVE
>
> Client is a Mac OSX default client on Yosemite 10.10.1 (14B25)
>
> Any thoughts on how I should get this working ?
>
> Many thanks
>
> --
> Subhi S Hashwa
> When everything is heading your way, you're in the wrong lane.
>
> Are you on LinkedIn ? Connect with me! http://linkedin.com/in/subhi
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
More information about the Swan
mailing list