[Swan] Problems logging into libreswan on debian
Subhi S Hashwa
lists at subhi.com
Sun Jan 11 17:25:37 EET 2015
Hi Paul,
Thanks for that, I removed the setting without any change in behaviour.
here is more debug information hoping it may help
ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.12 (netkey) on 3.2.0-4-686-pae
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPSChecking for
obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec showhostkey --list
ipsec showhostkey loading secrets from "/etc/ipsec.secrets"
10(1): PSK keyid: %any
10(2): PSK keyid: 212.159.XXX.XXX
Thanks
Subhi
On Sun, Jan 11, 2015 at 2:21 PM, Paul Wouters <paul at nohats.ca> wrote:
> You have ipsec saref = yes on netkey, which is wrong. Saref is for "mast" only.
>
> Sent from my iPhone
>
>> On Jan 11, 2015, at 07:16, Subhi S Hashwa <lists at subhi.com> wrote:
>>
>> Dear All,
>>
>> I am hoping someone can help me debug this installation of libreswan I
>> don't have much hair left on my head to pull.
>>
>> I recently migrated from openswan as libreswan seems to be more active
>> in development.
>>
>> uname -a
>>
>> Linux crucible-2 3.2.0-4-686-pae #1 SMP Debian 3.2.63-2+deb7u2 i686 GNU/Linux
>>
>> ipsec --version
>>
>> Linux Libreswan 3.12 (netkey) on 3.2.0-4-686-pae
>>
>> xl2tpd -v
>>
>> xl2tpd version: xl2tpd-1.3.1
>>
>> from /etc/ipsec.conf
>>
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> config setup
>> protostack=netkey
>> oe=off
>> nat_traversal=yes
>> force_keepalive=yes
>> keep_alive=60
>>
>> conn L2TP-PSK-NAT
>> rightsubnet=vhost:%priv
>> also=L2TP-PSK-noNAT
>>
>> conn L2TP-PSK-noNAT
>> #
>> # Configuration for one user with any type of IPsec/L2TP client
>> # including the updated Windows 2000/XP (MS KB Q818043), but
>> # excluding the non-updated Windows 2000/XP.
>> #
>> #
>> # Use a Preshared Key. Disable Perfect Forward Secrecy.
>> #
>> # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
>> # YourIPAddress %any: "sharedsecret"
>> authby=secret
>> pfs=no
>> auto=add
>> keyingtries=3
>> # we cannot rekey for %any, let client rekey
>> rekey=no
>> # Apple iOS doesn't send delete notify so we need dead peer detection
>> # to detect vanishing clients
>> dpddelay=10
>> dpdtimeout=90
>> dpdaction=clear
>> # Set ikelifetime and keylife to same defaults windows has
>> ikelifetime=8h
>> keylife=1h
>> # l2tp-over-ipsec is transport mode
>> type=transport
>> #
>> left=212.159.xxx.xxx
>> #
>> # For updated Windows 2000/XP clients,
>> # to support old clients as well, use leftprotoport=17/%any
>> leftprotoport=17/1701
>> #
>> # The remote user.
>> #
>> right=%any
>> # Using the magic port of "%any" means "any one single port". This is
>> # a work around required for Apple OSX clients that use a randomly
>> # high port.
>> rightprotoport=17/%any
>> #%any
>>
>> # Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
>> # connection with. With L2TP clients behind NAT, that's not really what
>> # you want. The connection below allows both l2tp/ipsec and plaintext
>> # connections from behind the same NAT router.
>> # The l2tpd use a leftprotoport, so they are more specific and will be used
>> # first. Then, packets for the host on different ports and protocols (eg ssh)
>> # will match this passthrough conn.
>> conn passthrough-for-non-l2tp
>> type=passthrough
>> left=212.159.xxx.xxx
>> leftnexthop=%defaultroute
>> right=%any
>> auto=route
>>
>> from /etc/xl2tpd/xl2tpd.conf
>>
>> [global]
>> ; Global parameters:
>>
>> port = 1701 ; *
>> Bind to port 1701
>> ipsec saref = yes
>> listen-addr = 212.159.xxx.xxx
>>
>> [lns default]
>>
>> ip range = 192.168.101.2-192.168.101.10
>> local ip = 192.168.101.1
>> refuse chap = yes
>> refuse pap = yes
>> require authentication = yes
>> name=TMP-VPN
>> ppp debug = yes
>> pppoptfile = /etc/ppp/options.xl2tpd
>> length bit = yes
>> assign ip = yes
>> length bit = yes
>> refuse-eap = yes
>> refuse-mschap = yes
>> require-mschap-v2 = yes
>>
>>
>> from /etc/ppp/options.xl2tpd
>>
>> require-mschap-v2
>> ms-dns 172.18.1.1
>> ms-dns 8.8.8.8
>> ms-dns 4.2.2.1
>> ms-dns 8.8.4.4
>> proxyarp
>> asyncmap 0
>> auth
>> crtscts
>> lock
>> hide-password
>> modem
>> debug
>> refuse-chap
>> refuse-eap
>> refuse-pap
>> refuse-mschap
>> require-mschap-v2
>> noccp
>> mtu 1200
>> proxyarp
>> lcp-echo-interval 30
>> lcp-echo-failure 4
>> ipcp-accept-local
>> ipcp-accept-remote
>> noipx
>> idle 1800
>> connect-delay 5000
>>
>> from /etc/ipsec.secrets
>>
>> 212.159.server.ip %any : PSK "secret-password-goes-here"
>>
>>
>> from /etc/ppp/chap-secrets
>>
>> * TMP-VPN secret-password-goes-here *
>>
>> from /var/log/auth.log
>>
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down
>> Jan 11 11:49:54 crucible-2 pluto[29063]: forgetting secrets
>> Jan 11 11:49:54 crucible-2 pluto[29063]: "passthrough-for-non-l2tp":
>> deleting connection
>> Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-noNAT": deleting connection
>> Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-NAT": deleting connection
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo ::1:500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo
>> 127.0.0.1:4500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo
>> 127.0.0.1:500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
>> eth0/eth0 172.18.1.8:4500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
>> eth0/eth0 172.18.1.8:500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
>> eth0:0/eth0:0 192.168.101.1:4500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
>> eth0:0/eth0:0 192.168.101.1:500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
>> eth1/eth1 212.159.XXX.XXX:4500
>> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface
>> eth1/eth1 212.159.XXX.XXX:500
>> Jan 11 11:49:54 crucible-2 ipsec__plutorun: pluto killed by SIGTERM,
>> terminating without restart
>> Jan 11 11:49:54 crucible-2 ipsec__plutorun: Starting Pluto subsystem...
>> Jan 11 11:49:54 crucible-2 pluto[29287]: nss directory plutomain: /etc/ipsec.d
>> Jan 11 11:49:54 crucible-2 pluto[29287]: NSS Initialized
>> Jan 11 11:49:54 crucible-2 pluto[29287]: libcap-ng support [enabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: FIPS HMAC integrity support [disabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: Linux audit support [disabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: Starting Pluto (Libreswan
>> Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM
>> NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:29287
>> Jan 11 11:49:54 crucible-2 pluto[29287]: core dump dir: /var/run/pluto
>> Jan 11 11:49:54 crucible-2 pluto[29287]: secrets file: /etc/ipsec.secrets
>> Jan 11 11:49:54 crucible-2 pluto[29287]: leak-detective disabled
>> Jan 11 11:49:54 crucible-2 pluto[29287]: SAref support [disabled]:
>> Protocol not available
>> Jan 11 11:49:54 crucible-2 pluto[29287]: SAbind support [disabled]:
>> Protocol not available
>> Jan 11 11:49:54 crucible-2 pluto[29287]: NSS crypto [enabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: XAUTH PAM support [enabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: NAT-Traversal support [enabled]
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating OAKLEY_TWOFISH_CBC_SSH: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating OAKLEY_TWOFISH_CBC: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating OAKLEY_SERPENT_CBC: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating OAKLEY_AES_CBC: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating DISABLED-OAKLEY_AES_CTR: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
>> Activating DISABLED-OAKLEY_AES_XCBC: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating DISABLED-OAKLEY_CAMELLIA_CBC: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating OAKLEY_CAMELLIA_CTR: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
>> Activating OAKLEY_SHA2_512: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
>> Activating OAKLEY_SHA2_384: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash():
>> Activating OAKLEY_SHA2_256: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: starting up 1 crypto helpers
>> Jan 11 11:49:54 crucible-2 pluto[29287]: started thread for crypto
>> helper 0 (master fd 6)
>> Jan 11 11:49:54 crucible-2 pluto[29287]: Using Linux XFRM/NETKEY IPsec
>> interface code on 3.2.0-4-686-pae
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating aes_ccm_8: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating aes_ccm_12: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating aes_ccm_16: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating aes_gcm_8: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating aes_gcm_12: Ok
>> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc():
>> Activating aes_gcm_16: Ok
>> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
>> "L2TP-PSK-NAT"
>> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
>> "L2TP-PSK-noNAT"
>> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description
>> "passthrough-for-non-l2tp"
>> Jan 11 11:49:55 crucible-2 pluto[29287]: listening for IKE messages
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1
>> 212.159.XXX.XXX:500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1
>> 212.159.XXX.XXX:4500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface
>> eth0:0/eth0:0 192.168.101.1:500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface
>> eth0:0/eth0:0 192.168.101.1:4500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0
>> 172.18.1.8:500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0
>> 172.18.1.8:4500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:4500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo ::1:500
>> Jan 11 11:49:55 crucible-2 pluto[29287]: loading secrets from
>> "/etc/ipsec.secrets"
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: received Vendor ID payload [FRAGMENTATION
>> 80000000]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: received Vendor ID payload [RFC 3947]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-08]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-07]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-06]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-05]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-04]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-03]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: ignoring Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02_n]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: received Vendor ID payload [Dead Peer
>> Detection]
>> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from
>> 87.112.client.ip:50534: initial Aggressive Mode message from
>> 87.112.client.ip but no (wildcard) connection has been configured with
>> policy=PSK+AGGRESSIVE
>>
>> Client is a Mac OSX default client on Yosemite 10.10.1 (14B25)
>>
>> Any thoughts on how I should get this working ?
>>
>> Many thanks
>>
>> --
>> Subhi S Hashwa
>> When everything is heading your way, you're in the wrong lane.
>>
>> Are you on LinkedIn ? Connect with me! http://linkedin.com/in/subhi
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
--
Subhi S Hashwa
When everything is heading your way, you're in the wrong lane.
Are you on LinkedIn ? Connect with me! http://linkedin.com/in/subhi
More information about the Swan
mailing list