[Swan] Problems logging into libreswan on debian

Subhi S Hashwa lists at subhi.com
Sun Jan 11 17:25:37 EET 2015


Hi Paul,

Thanks for that, I removed the setting without any change in behaviour.

Here is more debug information, hoping it may help.

ipsec verify

Verifying installed system and configuration files
Version check and ipsec on-path                   [OK]
Libreswan 3.12 (netkey) on 3.2.0-4-686-pae
Checking for IPsec support in kernel              [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              [OK]
         ICMP default/accept_redirects            [OK]
         XFRM larval drop                         [OK]
Pluto ipsec.conf syntax                           [OK]
Hardware random device                            [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter                                [OK]
Checking that pluto is running                    [OK]
 Pluto listening for IKE on udp 500               [OK]
 Pluto listening for IKE/NAT-T on udp 4500        [OK]
 Pluto ipsec.secret syntax                        [OK]
Checking 'ip' command                             [OK]
Checking 'iptables' command                       [OK]
Checking 'prelink' command does not interfere with FIPS
Checking for obsolete ipsec.conf options          [OK]
Opportunistic Encryption                          [DISABLED]


ipsec showhostkey --list

ipsec showhostkey loading secrets from "/etc/ipsec.secrets"
10(1): PSK keyid: %any
10(2): PSK keyid: 212.159.XXX.XXX

Thanks

Subhi




On Sun, Jan 11, 2015 at 2:21 PM, Paul Wouters <paul at nohats.ca> wrote:
> You have ipsec saref = yes on netkey, which is wrong. Saref is for "mast" only.
>
> Sent from my iPhone
>
>> On Jan 11, 2015, at 07:16, Subhi S Hashwa <lists at subhi.com> wrote:
>>
>> Dear All,
>>
>> I am hoping someone can help me debug this installation of libreswan; I
>> don't have much hair left on my head to pull.
>>
>> I recently migrated from openswan as libreswan seems to be more active
>> in development.
>>
>> uname -a
>>
>> Linux crucible-2 3.2.0-4-686-pae #1 SMP Debian 3.2.63-2+deb7u2 i686 GNU/Linux
>>
>> ipsec --version
>>
>> Linux Libreswan 3.12 (netkey) on 3.2.0-4-686-pae
>>
>> xl2tpd -v
>>
>> xl2tpd version:  xl2tpd-1.3.1
>>
>> from /etc/ipsec.conf
>>
>> version 2.0     # conforms to second version of ipsec.conf specification
>>
>> config setup
>>        protostack=netkey
>>        oe=off
>>        nat_traversal=yes
>>        force_keepalive=yes
>>        keep_alive=60
>>
>> conn L2TP-PSK-NAT
>>        rightsubnet=vhost:%priv
>>        also=L2TP-PSK-noNAT
>>
>> conn L2TP-PSK-noNAT
>>        #
>>        # Configuration for one user with any type of IPsec/L2TP client
>>        # including the updated Windows 2000/XP (MS KB Q818043), but
>>        # excluding the non-updated Windows 2000/XP.
>>        #
>>        #
>>        # Use a Preshared Key. Disable Perfect Forward Secrecy.
>>        #
>>        # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
>>        # YourIPAddress  %any: "sharedsecret"
>>        authby=secret
>>        pfs=no
>>        auto=add
>>        keyingtries=3
>>        # we cannot rekey for %any, let client rekey
>>        rekey=no
>>        # Apple iOS doesn't send delete notify so we need dead peer detection
>>        # to detect vanishing clients
>>        dpddelay=10
>>        dpdtimeout=90
>>        dpdaction=clear
>>        # Set ikelifetime and keylife to same defaults windows has
>>        ikelifetime=8h
>>        keylife=1h
>>        # l2tp-over-ipsec is transport mode
>>        type=transport
>>        #
>>        left=212.159.xxx.xxx
>>        #
>>        # For updated Windows 2000/XP clients,
>>        # to support old clients as well, use leftprotoport=17/%any
>>        leftprotoport=17/1701
>>        #
>>        # The remote user.
>>        #
>>        right=%any
>>        # Using the magic port of "%any" means "any one single port". This is
>>        # a work around required for Apple OSX clients that use a randomly
>>        # high port.
>>        rightprotoport=17/%any
>>        #%any
>>
>> # Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
>> # connection with. With L2TP clients behind NAT, that's not really what
>> # you want. The connection below allows both l2tp/ipsec and plaintext
>> # connections from behind the same NAT router.
>> # The l2tpd use a leftprotoport, so they are more specific and will be used
>> # first. Then, packets for the host on different ports and protocols (eg ssh)
>> # will match this passthrough conn.
>> conn passthrough-for-non-l2tp
>>        type=passthrough
>>        left=212.159.xxx.xxx
>>        leftnexthop=%defaultroute
>>        right=%any
>>        auto=route
>>
>> from /etc/xl2tpd/xl2tpd.conf
>>
>> [global]
>> ; Global parameters:
>>
>> port = 1701                ; * Bind to port 1701
>> ipsec saref = yes
>> listen-addr = 212.159.xxx.xxx
>>
>> [lns default]
>>
>> ip range = 192.168.101.2-192.168.101.10
>> local ip = 192.168.101.1
>> refuse chap = yes
>> refuse pap = yes
>> require authentication = yes
>> name=TMP-VPN
>> ppp debug = yes
>> pppoptfile = /etc/ppp/options.xl2tpd
>> length bit = yes
>> assign ip = yes
>> length bit = yes
>> refuse-eap = yes
>> refuse-mschap = yes
>> require-mschap-v2 = yes
>>
>>
>> from /etc/ppp/options.xl2tpd
>>
>> require-mschap-v2
>> ms-dns 172.18.1.1
>> ms-dns 8.8.8.8
>> ms-dns 4.2.2.1
>> ms-dns 8.8.4.4
>> proxyarp
>> asyncmap 0
>> auth
>> crtscts
>> lock
>> hide-password
>> modem
>> debug
>> refuse-chap
>> refuse-eap
>> refuse-pap
>> refuse-mschap
>> require-mschap-v2
>> noccp
>> mtu 1200
>> proxyarp
>> lcp-echo-interval 30
>> lcp-echo-failure 4
>> ipcp-accept-local
>> ipcp-accept-remote
>> noipx
>> idle 1800
>> connect-delay 5000
>>
>> from /etc/ipsec.secrets
>>
>> 212.159.server.ip %any : PSK "secret-password-goes-here"
>>
>>
>> from /etc/ppp/chap-secrets
>>
>> *       TMP-VPN secret-password-goes-here   *
>>
>> from /var/log/auth.log
>>
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down
>> Jan 11 11:49:54 crucible-2 pluto[29063]: forgetting secrets
>> Jan 11 11:49:54 crucible-2 pluto[29063]: "passthrough-for-non-l2tp": deleting connection
>> Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-noNAT": deleting connection
>> Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-NAT": deleting connection
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo ::1:500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo 127.0.0.1:4500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo 127.0.0.1:500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth0/eth0 172.18.1.8:4500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth0/eth0 172.18.1.8:500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth0:0/eth0:0 192.168.101.1:4500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth0:0/eth0:0 192.168.101.1:500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth1/eth1 212.159.XXX.XXX:4500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth1/eth1 212.159.XXX.XXX:500
>> Jan 11 11:49:54 crucible-2 ipsec__plutorun: pluto killed by SIGTERM, terminating without restart
>> Jan 11 11:49:54 crucible-2 ipsec__plutorun: Starting Pluto subsystem...
>> Jan 11 11:49:54 crucible-2 pluto[29287]: nss directory plutomain: /etc/ipsec.d
>> Jan 11 11:49:54 crucible-2 pluto[29287]: NSS Initialized
>> Jan 11 11:49:54 crucible-2 pluto[29287]: libcap-ng support [enabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: FIPS HMAC integrity support [disabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: Linux audit support [disabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: Starting Pluto (Libreswan Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:29287
>> Jan 11 11:49:54 crucible-2 pluto[29287]: core dump dir: /var/run/pluto
>> Jan 11 11:49:54 crucible-2 pluto[29287]: secrets file: /etc/ipsec.secrets
>> Jan 11 11:49:54 crucible-2 pluto[29287]: leak-detective disabled
>> Jan 11 11:49:54 crucible-2 pluto[29287]: SAref support [disabled]: Protocol not available
>> Jan 11 11:49:54 crucible-2 pluto[29287]: SAbind support [disabled]: Protocol not available
>> Jan 11 11:49:54 crucible-2 pluto[29287]: NSS crypto [enabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: XAUTH PAM support [enabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]:    NAT-Traversal support  [enabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_AES_CTR: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_CAMELLIA_CBC: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: starting up 1 crypto helpers
>> Jan 11 11:49:54 crucible-2 pluto[29287]: started thread for crypto helper 0 (master fd 6)
>> Jan 11 11:49:54 crucible-2 pluto[29287]: Using Linux XFRM/NETKEY IPsec interface code on 3.2.0-4-686-pae
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_gcm_8: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_gcm_12: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_gcm_16: Ok
>> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description "L2TP-PSK-NAT"
>> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description "L2TP-PSK-noNAT"
>> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description "passthrough-for-non-l2tp"
>> Jan 11 11:49:55 crucible-2 pluto[29287]: listening for IKE messages
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1 212.159.XXX.XXX:500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1 212.159.XXX.XXX:4500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0:0/eth0:0 192.168.101.1:500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0:0/eth0:0 192.168.101.1:4500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0 172.18.1.8:500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0 172.18.1.8:4500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:4500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo ::1:500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: loading secrets from "/etc/ipsec.secrets"
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: received Vendor ID payload [FRAGMENTATION 80000000]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: received Vendor ID payload [RFC 3947]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: received Vendor ID payload [Dead Peer Detection]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: initial Aggressive Mode message from 87.112.client.ip but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
>>
>> Client is a Mac OSX default client on Yosemite 10.10.1 (14B25)
>>
>> Any thoughts on how I should get this working?
>>
>> Many thanks
>>
>> --
>> Subhi S Hashwa
>> When everything is heading your way, you're in the wrong lane.
>>
>> Are you on LinkedIn ? Connect with me! http://linkedin.com/in/subhi
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan



-- 
Subhi S Hashwa
When everything is heading your way, you're in the wrong lane.

Are you on LinkedIn ? Connect with me! http://linkedin.com/in/subhi
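As an added check, not part of this thread or of libreswan itself: a small Python audit that parses ipsec.conf-style text and a pluto log excerpt and reports the two mismatches discussed above, the "ipsec saref = yes" on netkey that Paul pointed out and the "initial Aggressive Mode message ... policy=PSK+AGGRESSIVE" rejection in auth.log. The sample config and log lines are constructed; the conn keyword aggrmode=yes it looks for is assumed to be the libreswan 3.x setting that permits IKEv1 Aggressive Mode on a conn.

```python
import re

# Constructed sample inputs modelled on the thread's excerpts (not the poster's real files).
IPSEC_CONF = "config setup\n\tprotostack=netkey\nconn L2TP-PSK-noNAT\n\tauthby=secret\n\tright=%any\n"
XL2TPD_CONF = "[global]\nport = 1701\nipsec saref = yes\n"
PLUTO_LOG = [
    "Jan 11 11:51:44 host pluto[29287]: packet from 198.51.100.7:50534: received Vendor ID payload [RFC 3947]",
    "Jan 11 11:51:44 host pluto[29287]: packet from 198.51.100.7:50534: initial Aggressive Mode message from "
    "198.51.100.7 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE",
]
AGGR_RE = re.compile(r"packet from (?P<peer>[\w.:]+?):\d+: initial Aggressive Mode message from .*"
                     r"no \(wildcard\) connection has been configured with policy=(?P<policy>[\w+]+)")

def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from ipsec.conf-style text."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # section header starts at column 0
            cur = sections.setdefault(line.strip(), {})
        elif cur is not None and "=" in line:         # indented key=value belongs to it
            key, _, val = line.strip().partition("=")
            cur[key.strip()] = val.strip()
    return sections

def rejected_aggressive_peers(log_lines):
    """Map peer -> policy for IKEv1 Aggressive Mode proposals pluto dropped for lack of a conn."""
    hits = {}
    for line in log_lines:
        m = AGGR_RE.search(line)
        if m:
            hits[m.group("peer")] = m.group("policy")
    return hits

def audit(ipsec_conf, xl2tpd_conf, log_lines):
    findings = []
    secs = parse_ipsec_conf(ipsec_conf)
    stack = secs.get("config setup", {}).get("protostack")
    saref = re.search(r"^\s*ipsec saref\s*=\s*(\w+)", xl2tpd_conf, re.M)   # xl2tpd.conf is INI-style
    if stack == "netkey" and saref and saref.group(1).lower() == "yes":
        findings.append("xl2tpd.conf: 'ipsec saref = yes' with protostack=netkey (saref is for mast only)")
    # Assumed keyword: libreswan 3.x allows IKEv1 Aggressive Mode on a conn via aggrmode=yes
    wildcard_aggr = [n for n, s in secs.items()
                     if n.startswith("conn ") and s.get("right") == "%any" and s.get("aggrmode") == "yes"]
    for peer, policy in rejected_aggressive_peers(log_lines).items():
        if "AGGRESSIVE" in policy and not wildcard_aggr:
            findings.append(f"pluto: {peer} proposed Aggressive Mode (policy={policy}) but no wildcard conn has aggrmode=yes")
    return findings
```

Run audit() against your own /etc/ipsec.conf, /etc/xl2tpd/xl2tpd.conf and the pluto lines from /var/log/auth.log; an empty list means neither of the two conditions from this thread is present.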