[Swan] Windows 7/10 ipsec issues

John Crisp jcrisp at safeandsoundit.co.uk
Thu Oct 17 21:37:50 UTC 2019


I am trying to help some friends get off Windows PPTP (!!!!) and the first
stage was to move to L2TP/IPsec.

If I can get them that far we can move to pure IPsec - little steps!

I have a working Libreswan IPsec setup on my trusty old CentOS 6 box.

We can connect from Macs, Linux, iOS and Android handsets.

But not Windows...

It never seems to complete the IPsec connection so never progresses to
the L2TP/PPP part.

Any suggestions gratefully received.

B. Rgds

John


ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                       [OK]
Libreswan 3.29 (netkey) on 2.6.32-754.23.1.el6.x86_64
Checking for IPsec support in kernel                  [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                  [OK]
         ICMP default/accept_redirects                [OK]
         XFRM larval drop                             [OK]
Pluto ipsec.conf syntax                               [OK]
Checking rp_filter                                    [OK]
Checking that pluto is running                        [OK]
 Pluto listening for IKE on udp 500                   [OK]
 Pluto listening for IKE/NAT-T on udp 4500            [OK]
 Pluto ipsec.secret syntax                            [OK]
Checking 'ip' command                                 [OK]
Checking 'iptables' command                           [OK]
Checking 'prelink' command does not interfere with FIPS    [PRESENT]
Checking for obsolete ipsec.conf options              [OK]

config setup
    protostack=netkey
    plutodebug=none
    #klipsdebug=none
    plutostderrlog=/var/log/pluto/pluto.log
    dumpdir=/var/run/pluto/
    virtual_private=%v4:192.168.181.0/24

include /etc/ipsec.d/ipsec.conf

conn L2TPD-PSK
    authby=secret
    pfs=no
    auto=add
    rekey=no
    type=transport
    encapsulation=yes
    right=%any
    rightprotoport=17/%any
    left=%defaultroute
    leftprotoport=17/1701
    ikev2=no
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    rightsubnet=192.168.181.0/24


Here is a good connection from Android:

Oct 17 14:06:35.841629: "L2TPD-PSK"[1] 1.2.3.4 #1: responding to Main
Mode from unknown peer 1.2.3.4 on port 500
Oct 17 14:06:35.841927: "L2TPD-PSK"[1] 1.2.3.4 #1: STATE_MAIN_R1: sent
MR1, expecting MI2
Oct 17 14:06:36.199194: "L2TPD-PSK"[1] 1.2.3.4 #1: STATE_MAIN_R2: sent
MR2, expecting MI3
Oct 17 14:06:36.435724: "L2TPD-PSK"[1] 1.2.3.4 #1: Peer ID is
ID_IPV4_ADDR: '192.168.10.65'
Oct 17 14:06:36.435756: "L2TPD-PSK"[1] 1.2.3.4 #1: switched from
"L2TPD-PSK"[1] 1.2.3.4 to "L2TPD-PSK"
Oct 17 14:06:36.435776: "L2TPD-PSK"[2] 1.2.3.4 #1: deleting connection
"L2TPD-PSK"[1] 1.2.3.4 instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Oct 17 14:06:36.435776: "L2TPD-PSK"[2] 1.2.3.4 #1: deleting connection
"L2TPD-PSK"[1] 1.2.3.4 instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Oct 17 14:06:36.435788: "L2TPD-PSK"[2] 1.2.3.4 #1: Peer ID is
ID_IPV4_ADDR: '192.168.10.65'
Oct 17 14:06:36.435956: "L2TPD-PSK"[2] 1.2.3.4 #1: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256
integ=HMAC_SHA2_384 group=MODP1024}
Oct 17 14:06:36.668159: "L2TPD-PSK"[2] 1.2.3.4 #1: ignoring
informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Oct 17 14:06:36.668180: | ISAKMP Notification Payload
Oct 17 14:06:36.668186: |   00 00 00 1c  00 00 00 01  01 10 60 02
Oct 17 14:06:36.668192: "L2TPD-PSK"[2] 1.2.3.4 #1: received and ignored
notification payload: IPSEC_INITIAL_CONTACT
Oct 17 14:06:37.714038: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed:
6.7.8.9/32:17/1701 -> 192.168.10.65/32:17/0
Oct 17 14:06:37.714166: "L2TPD-PSK"[2] 1.2.3.4 #2: responding to Quick
Mode proposal {msgid:f2902c17}
Oct 17 14:06:37.714180: "L2TPD-PSK"[2] 1.2.3.4 #2:     us: 6.7.8.9:17/1701
Oct 17 14:06:37.714189: "L2TPD-PSK"[2] 1.2.3.4 #2:   them:
1.2.3.4[192.168.10.65]:17/0===192.168.181.0/24
Oct 17 14:06:37.714359: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2 transport mode
{ESP/NAT=>0x00a00064 <0xa8646d52 xfrm=AES_CBC_256-HMAC_SHA2_512_256
NATOA=none NATD=1.2.3.4:4500 DPD=active}
Oct 17 14:06:37.978259: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec
SA established transport mode {ESP/NAT=>0x00a00064 <0xa8646d52
xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=1.2.3.4:4500 DPD=active}

As soon as that finishes it fires up the xl2tpd connection.

Failure from Win 7 (and same from Win 10):

Oct 17 13:58:19.228480: "L2TPD-PSK"[1] 1.2.3.4 #1: responding to Main
Mode from unknown peer 1.2.3.4 on port 500
Oct 17 13:58:19.228826: "L2TPD-PSK"[1] 1.2.3.4 #1: STATE_MAIN_R1: sent
MR1, expecting MI2
Oct 17 13:58:19.476285: "L2TPD-PSK"[1] 1.2.3.4 #1: STATE_MAIN_R2: sent
MR2, expecting MI3
Oct 17 13:58:19.709093: "L2TPD-PSK"[1] 1.2.3.4 #1: Peer ID is
ID_IPV4_ADDR: '192.168.10.28'
Oct 17 13:58:19.709216: "L2TPD-PSK"[1] 1.2.3.4 #1: switched from
"L2TPD-PSK"[1] 1.2.3.4 to "L2TPD-PSK"
Oct 17 13:58:19.709216: "L2TPD-PSK"[1] 1.2.3.4 #1: switched from
"L2TPD-PSK"[1] 1.2.3.4 to "L2TPD-PSK"
Oct 17 13:58:19.709298: "L2TPD-PSK"[2] 1.2.3.4 #1: deleting connection
"L2TPD-PSK"[1] 1.2.3.4 instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
Oct 17 13:58:19.709365: "L2TPD-PSK"[2] 1.2.3.4 #1: Peer ID is
ID_IPV4_ADDR: '192.168.10.28'
Oct 17 13:58:19.709925: "L2TPD-PSK"[2] 1.2.3.4 #1: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256
integ=HMAC_SHA1 group=DH20}
Oct 17 13:58:19.709983: "L2TPD-PSK"[2] 1.2.3.4 #1: Configured DPD (RFC
3706) support not enabled because remote peer did not advertise DPD support
Oct 17 13:58:19.709983: "L2TPD-PSK"[2] 1.2.3.4 #1: Configured DPD (RFC
3706) support not enabled because remote peer did not advertise DPD support
Oct 17 13:58:19.941532: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed:
6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/0
Oct 17 13:58:19.941635: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal:
received 2 NAT-OA. Using first; ignoring others
Oct 17 13:58:19.941635: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal:
received 2 NAT-OA. Using first; ignoring others
Oct 17 13:58:19.942065: "L2TPD-PSK"[2] 1.2.3.4 #2: responding to Quick
Mode proposal {msgid:00000001}
Oct 17 13:58:19.942136: "L2TPD-PSK"[2] 1.2.3.4 #2:     us: 6.7.8.9:17/1701
Oct 17 13:58:19.942136: "L2TPD-PSK"[2] 1.2.3.4 #2:     us: 6.7.8.9:17/1701
Oct 17 13:58:19.942200: "L2TPD-PSK"[2] 1.2.3.4 #2:   them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
Oct 17 13:58:19.942896: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2 transport mode
{ESP/NAT=>0xd2f84fcd <0x3812889c xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
Oct 17 13:58:20.206460: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec
SA established transport mode {ESP/NAT=>0xd2f84fcd <0x3812889c
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500
DPD=unsupported}
Oct 17 13:58:20.206606: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed:
6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701
Oct 17 13:58:20.206639: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal:
received 2 NAT-OA. Using first; ignoring others
Oct 17 13:58:20.206639: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal:
received 2 NAT-OA. Using first; ignoring others
Oct 17 13:58:20.206802: "L2TPD-PSK"[2] 1.2.3.4 #3: responding to Quick
Mode proposal {msgid:00000002}
Oct 17 13:58:20.206818: "L2TPD-PSK"[2] 1.2.3.4 #3:     us: 6.7.8.9:17/1701
Oct 17 13:58:20.206818: "L2TPD-PSK"[2] 1.2.3.4 #3:     us: 6.7.8.9:17/1701
Oct 17 13:58:20.206835: "L2TPD-PSK"[2] 1.2.3.4 #3:   them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
Oct 17 13:58:20.206835: "L2TPD-PSK"[2] 1.2.3.4 #3:   them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
Oct 17 13:58:20.206924: "L2TPD-PSK"[2] 1.2.3.4 #3: keeping refhim=0
during rekey
Oct 17 13:58:20.207066: "L2TPD-PSK"[2] 1.2.3.4 #3: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2 transport mode
{ESP/NAT=>0x1eeea96c <0x321e2207 xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
Oct 17 13:58:20.438199: "L2TPD-PSK"[2] 1.2.3.4 #3: STATE_QUICK_R2: IPsec
SA established transport mode {ESP/NAT=>0x1eeea96c <0x321e2207
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500
DPD=unsupported}
Oct 17 13:58:20.440171: "L2TPD-PSK"[2] 1.2.3.4 #1: received Delete
SA(0xd2f84fcd) payload: deleting IPsec State #2
Oct 17 13:58:20.440236: "L2TPD-PSK"[2] 1.2.3.4 #2: deleting other state
#2 (STATE_QUICK_R2) aged 0.498s and sending notification
Oct 17 13:58:20.440351: "L2TPD-PSK"[2] 1.2.3.4 #2: ESP traffic
information: in=0B out=0B
Oct 17 13:58:23.164977: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed:
6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701
Oct 17 13:58:23.165084: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal:
received 2 NAT-OA. Using first; ignoring others
Oct 17 13:58:23.165084: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal:
received 2 NAT-OA. Using first; ignoring others
Oct 17 13:58:23.165407: "L2TPD-PSK"[2] 1.2.3.4 #4: responding to Quick
Mode proposal {msgid:00000003}
Oct 17 13:58:23.165467: "L2TPD-PSK"[2] 1.2.3.4 #4:     us: 6.7.8.9:17/1701
Oct 17 13:58:23.165467: "L2TPD-PSK"[2] 1.2.3.4 #4:     us: 6.7.8.9:17/1701
Oct 17 13:58:23.165528: "L2TPD-PSK"[2] 1.2.3.4 #4:   them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
Oct 17 13:58:23.165528: "L2TPD-PSK"[2] 1.2.3.4 #4:   them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
Oct 17 13:58:23.165823: "L2TPD-PSK"[2] 1.2.3.4 #4: keeping refhim=0
during rekey
Oct 17 13:58:23.166343: "L2TPD-PSK"[2] 1.2.3.4 #4: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2 transport mode
{ESP/NAT=>0x1c609c4b <0x2cf88fd0 xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
Oct 17 13:58:23.398271: "L2TPD-PSK"[2] 1.2.3.4 #4: STATE_QUICK_R2: IPsec
SA established transport mode {ESP/NAT=>0x1c609c4b <0x2cf88fd0
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500
DPD=unsupported}
Oct 17 13:58:23.399418: "L2TPD-PSK"[2] 1.2.3.4 #1: received Delete
SA(0x1eeea96c) payload: deleting IPsec State #3
Oct 17 13:58:23.399483: "L2TPD-PSK"[2] 1.2.3.4 #3: deleting other state
#3 (STATE_QUICK_R2) aged 3.192s and sending notification
Oct 17 13:58:23.399587: "L2TPD-PSK"[2] 1.2.3.4 #3: ESP traffic
information: in=0B out=0B
Oct 17 13:58:27.164013: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed:
6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701
Oct 17 13:58:27.164146: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal:
received 2 NAT-OA. Using first; ignoring others
Oct 17 13:58:27.164146: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal:
received 2 NAT-OA. Using first; ignoring others
Oct 17 13:58:27.164492: "L2TPD-PSK"[2] 1.2.3.4 #5: responding to Quick
Mode proposal {msgid:00000004}
Oct 17 13:58:27.164551: "L2TPD-PSK"[2] 1.2.3.4 #5:     us: 6.7.8.9:17/1701
Oct 17 13:58:27.164551: "L2TPD-PSK"[2] 1.2.3.4 #5:     us: 6.7.8.9:17/1701
Oct 17 13:58:27.164612: "L2TPD-PSK"[2] 1.2.3.4 #5:   them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
Oct 17 13:58:27.164921: "L2TPD-PSK"[2] 1.2.3.4 #5: keeping refhim=0
during rekey
Oct 17 13:58:27.165391: "L2TPD-PSK"[2] 1.2.3.4 #5: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2 transport mode
{ESP/NAT=>0x1728294a <0x94e2fb05 xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
Oct 17 13:58:27.395591: "L2TPD-PSK"[2] 1.2.3.4 #5: STATE_QUICK_R2: IPsec
SA established transport mode {ESP/NAT=>0x1728294a <0x94e2fb05
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500
DPD=unsupported}
Oct 17 13:58:27.398147: "L2TPD-PSK"[2] 1.2.3.4 #1: received Delete
SA(0x1c609c4b) payload: deleting IPsec State #4
Oct 17 13:58:27.398194: "L2TPD-PSK"[2] 1.2.3.4 #4: deleting other state
#4 (STATE_QUICK_R2) aged 4.233s and sending notification
Oct 17 13:58:27.398228: "L2TPD-PSK"[2] 1.2.3.4 #4: ESP traffic
information: in=0B out=0B
Oct 17 13:58:35.163934: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed:
6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701
Oct 17 13:58:35.164036: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal:
received 2 NAT-OA. Using first; ignoring others
Oct 17 13:58:35.164036: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal:
received 2 NAT-OA. Using first; ignoring others
Oct 17 13:58:35.164414: "L2TPD-PSK"[2] 1.2.3.4 #6: responding to Quick
Mode proposal {msgid:00000005}
Oct 17 13:58:35.164485: "L2TPD-PSK"[2] 1.2.3.4 #6:     us: 6.7.8.9:17/1701
Oct 17 13:58:35.164485: "L2TPD-PSK"[2] 1.2.3.4 #6:     us: 6.7.8.9:17/1701
Oct 17 13:58:35.164549: "L2TPD-PSK"[2] 1.2.3.4 #6:   them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
Oct 17 13:58:35.164549: "L2TPD-PSK"[2] 1.2.3.4 #6:   them:
1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
Oct 17 13:58:35.164844: "L2TPD-PSK"[2] 1.2.3.4 #6: keeping refhim=0
during rekey
Oct 17 13:58:35.165377: "L2TPD-PSK"[2] 1.2.3.4 #6: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2 transport mode
{ESP/NAT=>0xdf8c3b8d <0xc0ba362d xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
Oct 17 13:58:35.396346: "L2TPD-PSK"[2] 1.2.3.4 #6: STATE_QUICK_R2: IPsec
SA established transport mode {ESP/NAT=>0xdf8c3b8d <0xc0ba362d
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500
DPD=unsupported}
Oct 17 13:58:35.398667: "L2TPD-PSK"[2] 1.2.3.4 #1: received Delete
SA(0x1728294a) payload: deleting IPsec State #5
Oct 17 13:58:35.398752: "L2TPD-PSK"[2] 1.2.3.4 #5: deleting other state
#5 (STATE_QUICK_R2) aged 8.234s and sending notification
Oct 17 13:58:35.398752: "L2TPD-PSK"[2] 1.2.3.4 #5: deleting other state
#5 (STATE_QUICK_R2) aged 8.234s and sending notification
Oct 17 13:58:35.398869: "L2TPD-PSK"[2] 1.2.3.4 #5: ESP traffic
information: in=0B out=0B
Oct 17 13:58:38.725287: "L2TPD-PSK"[2] 1.2.3.4 #1: received Delete
SA(0xdf8c3b8d) payload: deleting IPsec State #6
Oct 17 13:58:38.725373: "L2TPD-PSK"[2] 1.2.3.4 #6: deleting other state
#6 (STATE_QUICK_R2) aged 3.561s and sending notification
Oct 17 13:58:38.725480: "L2TPD-PSK"[2] 1.2.3.4 #6: ESP traffic
information: in=0B out=0B
Oct 17 13:58:38.751378: "L2TPD-PSK" #1: deleting state (STATE_MAIN_R3)
aged 19.522s and sending notification
Oct 17 13:58:38.751619: "L2TPD-PSK"[2] 1.2.3.4: deleting connection
"L2TPD-PSK"[2] 1.2.3.4 instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}



