[Swan] Windows 7/10 ipsec issues

Computerisms Corporation bob at computerisms.ca
Wed Oct 30 16:50:52 UTC 2019


haven't had to fix l2tp in a while, but:

do your l2tp logs show the connection?

can try setting both right and left protoport to 17/%any.

also check firewall on windows; disable for testing.

On 2019-10-17 2:37 p.m., John Crisp wrote:
> I am trying to help some friends get off Windows PPTP (!!!!) and first 
> stage was to L2TP/Ipsec.
> 
> If I can get them that far we can move to pure ipsec - little steps !
> 
> I have a working Libreswan Ipsec setup on my trusty old CentOS 6 box.
> 
> We can connect from Macs, Linux, iOS and Android handsets.
> 
> But not Windows.....
> 
> It never seems to complete the Ipsec connection so never progresses to 
> the L2tp/ppp part.
> 
> Any suggestions gratefully received.
> 
> B. Rgds
> 
> John
> 
> 
> ipsec verify
> Verifying installed system and configuration files
> 
> Version check and ipsec on-path                       [OK]
> Libreswan 3.29 (netkey) on 2.6.32-754.23.1.el6.x86_64
> Checking for IPsec support in kernel                  [OK]
>   NETKEY: Testing XFRM related proc values
>           ICMP default/send_redirects                  [OK]
>           ICMP default/accept_redirects                [OK]
>           XFRM larval drop                             [OK]
> Pluto ipsec.conf syntax                               [OK]
> Checking rp_filter                                    [OK]
> Checking that pluto is running                        [OK]
>   Pluto listening for IKE on udp 500                   [OK]
>   Pluto listening for IKE/NAT-T on udp 4500            [OK]
>   Pluto ipsec.secret syntax                            [OK]
> Checking 'ip' command                                 [OK]
> Checking 'iptables' command                           [OK]
> Checking 'prelink' command does not interfere with FIPS [PRESENT]
> Checking for obsolete ipsec.conf options              [OK]
> 
> config setup
>      protostack=netkey
>      plutodebug=none
>      #klipsdebug=none
>      plutostderrlog=/var/log/pluto/pluto.log
>      dumpdir=/var/run/pluto/
>      virtual_private=%v4:192.168.181.0/24
> 
> include /etc/ipsec.d/ipsec.conf
> 
> conn L2TPD-PSK
>      authby=secret
>      pfs=no
>      auto=add
>      rekey=no
>      type=transport
>      encapsulation=yes
>      right=%any
>      rightprotoport=17/%any
>      left=%defaultroute
>      leftprotoport=17/1701
>      ikev2=no
>      dpddelay=10
>      dpdtimeout=30
>      dpdaction=clear
>      rightsubnet=192.168.181.0/24
> 
> 
> Here is a good connection from Android:
> 
> Oct 17 14:06:35.841629: "L2TPD-PSK"[1] 1.2.3.4 #1: responding to Main 
> Mode from unknown peer 1.2.3.4 on port 500
> Oct 17 14:06:35.841927: "L2TPD-PSK"[1] 1.2.3.4 #1: STATE_MAIN_R1: sent 
> MR1, expecting MI2
> Oct 17 14:06:36.199194: "L2TPD-PSK"[1] 1.2.3.4 #1: STATE_MAIN_R2: sent 
> MR2, expecting MI3
> Oct 17 14:06:36.435724: "L2TPD-PSK"[1] 1.2.3.4 #1: Peer ID is 
> ID_IPV4_ADDR: '192.168.10.65'
> Oct 17 14:06:36.435756: "L2TPD-PSK"[1] 1.2.3.4 #1: switched from 
> "L2TPD-PSK"[1] 1.2.3.4 to "L2TPD-PSK"
> Oct 17 14:06:36.435776: "L2TPD-PSK"[2] 1.2.3.4 #1: deleting connection 
> "L2TPD-PSK"[1] 1.2.3.4 instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
> Oct 17 14:06:36.435776: "L2TPD-PSK"[2] 1.2.3.4 #1: deleting connection 
> "L2TPD-PSK"[1] 1.2.3.4 instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
> Oct 17 14:06:36.435788: "L2TPD-PSK"[2] 1.2.3.4 #1: Peer ID is 
> ID_IPV4_ADDR: '192.168.10.65'
> Oct 17 14:06:36.435956: "L2TPD-PSK"[2] 1.2.3.4 #1: STATE_MAIN_R3: sent 
> MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 
> integ=HMAC_SHA2_384 group=MODP1024}
> Oct 17 14:06:36.668159: "L2TPD-PSK"[2] 1.2.3.4 #1: ignoring 
> informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Oct 17 14:06:36.668180: | ISAKMP Notification Payload
> Oct 17 14:06:36.668186: |   00 00 00 1c  00 00 00 01  01 10 60 02
> Oct 17 14:06:36.668192: "L2TPD-PSK"[2] 1.2.3.4 #1: received and ignored 
> notification payload: IPSEC_INITIAL_CONTACT
> Oct 17 14:06:37.714038: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed: 
> 6.7.8.9/32:17/1701 -> 192.168.10.65/32:17/0
> Oct 17 14:06:37.714166: "L2TPD-PSK"[2] 1.2.3.4 #2: responding to Quick 
> Mode proposal {msgid:f2902c17}
> Oct 17 14:06:37.714180: "L2TPD-PSK"[2] 1.2.3.4 #2:     us: 6.7.8.9:17/1701
> Oct 17 14:06:37.714189: "L2TPD-PSK"[2] 1.2.3.4 #2:   them: 
> 1.2.3.4[192.168.10.65]:17/0===192.168.181.0/24
> Oct 17 14:06:37.714359: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R1: sent 
> QR1, inbound IPsec SA installed, expecting QI2 transport mode 
> {ESP/NAT=>0x00a00064 <0xa8646d52 xfrm=AES_CBC_256-HMAC_SHA2_512_256 
> NATOA=none NATD=1.2.3.4:4500 DPD=active}
> Oct 17 14:06:37.978259: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec 
> SA established transport mode {ESP/NAT=>0x00a00064 <0xa8646d52 
> xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=1.2.3.4:4500 DPD=active}
> 
> As soon as that finishes it fires up the xl2tpd connection.
> 
> Failure from Win 7 (and same from Win 10):
> 
> Oct 17 13:58:19.228480: "L2TPD-PSK"[1] 1.2.3.4 #1: responding to Main 
> Mode from unknown peer 1.2.3.4 on port 500
> Oct 17 13:58:19.228826: "L2TPD-PSK"[1] 1.2.3.4 #1: STATE_MAIN_R1: sent 
> MR1, expecting MI2
> Oct 17 13:58:19.476285: "L2TPD-PSK"[1] 1.2.3.4 #1: STATE_MAIN_R2: sent 
> MR2, expecting MI3
> Oct 17 13:58:19.709093: "L2TPD-PSK"[1] 1.2.3.4 #1: Peer ID is 
> ID_IPV4_ADDR: '192.168.10.28'
> Oct 17 13:58:19.709216: "L2TPD-PSK"[1] 1.2.3.4 #1: switched from 
> "L2TPD-PSK"[1] 1.2.3.4 to "L2TPD-PSK"
> Oct 17 13:58:19.709216: "L2TPD-PSK"[1] 1.2.3.4 #1: switched from 
> "L2TPD-PSK"[1] 1.2.3.4 to "L2TPD-PSK"
> Oct 17 13:58:19.709298: "L2TPD-PSK"[2] 1.2.3.4 #1: deleting connection 
> "L2TPD-PSK"[1] 1.2.3.4 instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
> Oct 17 13:58:19.709365: "L2TPD-PSK"[2] 1.2.3.4 #1: Peer ID is 
> ID_IPV4_ADDR: '192.168.10.28'
> Oct 17 13:58:19.709925: "L2TPD-PSK"[2] 1.2.3.4 #1: STATE_MAIN_R3: sent 
> MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 
> integ=HMAC_SHA1 group=DH20}
> Oct 17 13:58:19.709983: "L2TPD-PSK"[2] 1.2.3.4 #1: Configured DPD (RFC 
> 3706) support not enabled because remote peer did not advertise DPD support
> Oct 17 13:58:19.709983: "L2TPD-PSK"[2] 1.2.3.4 #1: Configured DPD (RFC 
> 3706) support not enabled because remote peer did not advertise DPD support
> Oct 17 13:58:19.941532: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed: 
> 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/0
> Oct 17 13:58:19.941635: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal: 
> received 2 NAT-OA. Using first; ignoring others
> Oct 17 13:58:19.941635: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal: 
> received 2 NAT-OA. Using first; ignoring others
> Oct 17 13:58:19.942065: "L2TPD-PSK"[2] 1.2.3.4 #2: responding to Quick 
> Mode proposal {msgid:00000001}
> Oct 17 13:58:19.942136: "L2TPD-PSK"[2] 1.2.3.4 #2:     us: 6.7.8.9:17/1701
> Oct 17 13:58:19.942136: "L2TPD-PSK"[2] 1.2.3.4 #2:     us: 6.7.8.9:17/1701
> Oct 17 13:58:19.942200: "L2TPD-PSK"[2] 1.2.3.4 #2:   them: 
> 1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
> Oct 17 13:58:19.942896: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R1: sent 
> QR1, inbound IPsec SA installed, expecting QI2 transport mode 
> {ESP/NAT=>0xd2f84fcd <0x3812889c xfrm=AES_CBC_256-HMAC_SHA1_96 
> NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
> Oct 17 13:58:20.206460: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec 
> SA established transport mode {ESP/NAT=>0xd2f84fcd <0x3812889c 
> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500 
> DPD=unsupported}
> Oct 17 13:58:20.206606: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed: 
> 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701
> Oct 17 13:58:20.206639: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal: 
> received 2 NAT-OA. Using first; ignoring others
> Oct 17 13:58:20.206639: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal: 
> received 2 NAT-OA. Using first; ignoring others
> Oct 17 13:58:20.206802: "L2TPD-PSK"[2] 1.2.3.4 #3: responding to Quick 
> Mode proposal {msgid:00000002}
> Oct 17 13:58:20.206818: "L2TPD-PSK"[2] 1.2.3.4 #3:     us: 6.7.8.9:17/1701
> Oct 17 13:58:20.206818: "L2TPD-PSK"[2] 1.2.3.4 #3:     us: 6.7.8.9:17/1701
> Oct 17 13:58:20.206835: "L2TPD-PSK"[2] 1.2.3.4 #3:   them: 
> 1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
> Oct 17 13:58:20.206835: "L2TPD-PSK"[2] 1.2.3.4 #3:   them: 
> 1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
> Oct 17 13:58:20.206924: "L2TPD-PSK"[2] 1.2.3.4 #3: keeping refhim=0 
> during rekey
> Oct 17 13:58:20.207066: "L2TPD-PSK"[2] 1.2.3.4 #3: STATE_QUICK_R1: sent 
> QR1, inbound IPsec SA installed, expecting QI2 transport mode 
> {ESP/NAT=>0x1eeea96c <0x321e2207 xfrm=AES_CBC_256-HMAC_SHA1_96 
> NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
> Oct 17 13:58:20.438199: "L2TPD-PSK"[2] 1.2.3.4 #3: STATE_QUICK_R2: IPsec 
> SA established transport mode {ESP/NAT=>0x1eeea96c <0x321e2207 
> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500 
> DPD=unsupported}
> Oct 17 13:58:20.440171: "L2TPD-PSK"[2] 1.2.3.4 #1: received Delete 
> SA(0xd2f84fcd) payload: deleting IPsec State #2
> Oct 17 13:58:20.440236: "L2TPD-PSK"[2] 1.2.3.4 #2: deleting other state 
> #2 (STATE_QUICK_R2) aged 0.498s and sending notification
> Oct 17 13:58:20.440351: "L2TPD-PSK"[2] 1.2.3.4 #2: ESP traffic 
> information: in=0B out=0B
> Oct 17 13:58:23.164977: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed: 
> 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701
> Oct 17 13:58:23.165084: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal: 
> received 2 NAT-OA. Using first; ignoring others
> Oct 17 13:58:23.165084: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal: 
> received 2 NAT-OA. Using first; ignoring others
> Oct 17 13:58:23.165407: "L2TPD-PSK"[2] 1.2.3.4 #4: responding to Quick 
> Mode proposal {msgid:00000003}
> Oct 17 13:58:23.165467: "L2TPD-PSK"[2] 1.2.3.4 #4:     us: 6.7.8.9:17/1701
> Oct 17 13:58:23.165467: "L2TPD-PSK"[2] 1.2.3.4 #4:     us: 6.7.8.9:17/1701
> Oct 17 13:58:23.165528: "L2TPD-PSK"[2] 1.2.3.4 #4:   them: 
> 1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
> Oct 17 13:58:23.165528: "L2TPD-PSK"[2] 1.2.3.4 #4:   them: 
> 1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
> Oct 17 13:58:23.165823: "L2TPD-PSK"[2] 1.2.3.4 #4: keeping refhim=0 
> during rekey
> Oct 17 13:58:23.166343: "L2TPD-PSK"[2] 1.2.3.4 #4: STATE_QUICK_R1: sent 
> QR1, inbound IPsec SA installed, expecting QI2 transport mode 
> {ESP/NAT=>0x1c609c4b <0x2cf88fd0 xfrm=AES_CBC_256-HMAC_SHA1_96 
> NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
> Oct 17 13:58:23.398271: "L2TPD-PSK"[2] 1.2.3.4 #4: STATE_QUICK_R2: IPsec 
> SA established transport mode {ESP/NAT=>0x1c609c4b <0x2cf88fd0 
> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500 
> DPD=unsupported}
> Oct 17 13:58:23.399418: "L2TPD-PSK"[2] 1.2.3.4 #1: received Delete 
> SA(0x1eeea96c) payload: deleting IPsec State #3
> Oct 17 13:58:23.399483: "L2TPD-PSK"[2] 1.2.3.4 #3: deleting other state 
> #3 (STATE_QUICK_R2) aged 3.192s and sending notification
> Oct 17 13:58:23.399587: "L2TPD-PSK"[2] 1.2.3.4 #3: ESP traffic 
> information: in=0B out=0B
> Oct 17 13:58:27.164013: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed: 
> 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701
> Oct 17 13:58:27.164146: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal: 
> received 2 NAT-OA. Using first; ignoring others
> Oct 17 13:58:27.164146: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal: 
> received 2 NAT-OA. Using first; ignoring others
> Oct 17 13:58:27.164492: "L2TPD-PSK"[2] 1.2.3.4 #5: responding to Quick 
> Mode proposal {msgid:00000004}
> Oct 17 13:58:27.164551: "L2TPD-PSK"[2] 1.2.3.4 #5:     us: 6.7.8.9:17/1701
> Oct 17 13:58:27.164551: "L2TPD-PSK"[2] 1.2.3.4 #5:     us: 6.7.8.9:17/1701
> Oct 17 13:58:27.164612: "L2TPD-PSK"[2] 1.2.3.4 #5:   them: 
> 1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
> Oct 17 13:58:27.164921: "L2TPD-PSK"[2] 1.2.3.4 #5: keeping refhim=0 
> during rekey
> Oct 17 13:58:27.165391: "L2TPD-PSK"[2] 1.2.3.4 #5: STATE_QUICK_R1: sent 
> QR1, inbound IPsec SA installed, expecting QI2 transport mode 
> {ESP/NAT=>0x1728294a <0x94e2fb05 xfrm=AES_CBC_256-HMAC_SHA1_96 
> NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
> Oct 17 13:58:27.395591: "L2TPD-PSK"[2] 1.2.3.4 #5: STATE_QUICK_R2: IPsec 
> SA established transport mode {ESP/NAT=>0x1728294a <0x94e2fb05 
> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500 
> DPD=unsupported}
> Oct 17 13:58:27.398147: "L2TPD-PSK"[2] 1.2.3.4 #1: received Delete 
> SA(0x1c609c4b) payload: deleting IPsec State #4
> Oct 17 13:58:27.398194: "L2TPD-PSK"[2] 1.2.3.4 #4: deleting other state 
> #4 (STATE_QUICK_R2) aged 4.233s and sending notification
> Oct 17 13:58:27.398228: "L2TPD-PSK"[2] 1.2.3.4 #4: ESP traffic 
> information: in=0B out=0B
> Oct 17 13:58:35.163934: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed: 
> 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701
> Oct 17 13:58:35.164036: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal: 
> received 2 NAT-OA. Using first; ignoring others
> Oct 17 13:58:35.164036: "L2TPD-PSK"[2] 1.2.3.4 #1: NAT-Traversal: 
> received 2 NAT-OA. Using first; ignoring others
> Oct 17 13:58:35.164414: "L2TPD-PSK"[2] 1.2.3.4 #6: responding to Quick 
> Mode proposal {msgid:00000005}
> Oct 17 13:58:35.164485: "L2TPD-PSK"[2] 1.2.3.4 #6:     us: 6.7.8.9:17/1701
> Oct 17 13:58:35.164485: "L2TPD-PSK"[2] 1.2.3.4 #6:     us: 6.7.8.9:17/1701
> Oct 17 13:58:35.164549: "L2TPD-PSK"[2] 1.2.3.4 #6:   them: 
> 1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
> Oct 17 13:58:35.164549: "L2TPD-PSK"[2] 1.2.3.4 #6:   them: 
> 1.2.3.4[192.168.10.28]:17/1701===192.168.181.0/24
> Oct 17 13:58:35.164844: "L2TPD-PSK"[2] 1.2.3.4 #6: keeping refhim=0 
> during rekey
> Oct 17 13:58:35.165377: "L2TPD-PSK"[2] 1.2.3.4 #6: STATE_QUICK_R1: sent 
> QR1, inbound IPsec SA installed, expecting QI2 transport mode 
> {ESP/NAT=>0xdf8c3b8d <0xc0ba362d xfrm=AES_CBC_256-HMAC_SHA1_96 
> NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
> Oct 17 13:58:35.396346: "L2TPD-PSK"[2] 1.2.3.4 #6: STATE_QUICK_R2: IPsec 
> SA established transport mode {ESP/NAT=>0xdf8c3b8d <0xc0ba362d 
> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500 
> DPD=unsupported}
> Oct 17 13:58:35.398667: "L2TPD-PSK"[2] 1.2.3.4 #1: received Delete 
> SA(0x1728294a) payload: deleting IPsec State #5
> Oct 17 13:58:35.398752: "L2TPD-PSK"[2] 1.2.3.4 #5: deleting other state 
> #5 (STATE_QUICK_R2) aged 8.234s and sending notification
> Oct 17 13:58:35.398752: "L2TPD-PSK"[2] 1.2.3.4 #5: deleting other state 
> #5 (STATE_QUICK_R2) aged 8.234s and sending notification
> Oct 17 13:58:35.398869: "L2TPD-PSK"[2] 1.2.3.4 #5: ESP traffic 
> information: in=0B out=0B
> Oct 17 13:58:38.725287: "L2TPD-PSK"[2] 1.2.3.4 #1: received Delete 
> SA(0xdf8c3b8d) payload: deleting IPsec State #6
> Oct 17 13:58:38.725373: "L2TPD-PSK"[2] 1.2.3.4 #6: deleting other state 
> #6 (STATE_QUICK_R2) aged 3.561s and sending notification
> Oct 17 13:58:38.725480: "L2TPD-PSK"[2] 1.2.3.4 #6: ESP traffic 
> information: in=0B out=0B
> Oct 17 13:58:38.751378: "L2TPD-PSK" #1: deleting state (STATE_MAIN_R3) 
> aged 19.522s and sending notification
> Oct 17 13:58:38.751619: "L2TPD-PSK"[2] 1.2.3.4: deleting connection 
> "L2TPD-PSK"[2] 1.2.3.4 instance with peer 1.2.3.4 {isakmp=#0/ipsec=#0}
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
> 

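As an added example (not part of the thread, and not Libreswan code), here is a small Python triage script for the pluto log pattern above: the Windows excerpt shows Quick Mode SAs being established and then deleted seconds later with "ESP traffic information: in=0B out=0B", which means the IPsec layer completed and nothing was carried inside it, which is what the reply's advice to look at the l2tp logs and the Windows firewall is aimed at. The sample lines are constructed from the quoted output; peer 5.6.7.8 is a made-up stand-in for the Android client so the two outcomes can be told apart, and the SPIs and addresses are the thread's placeholder values, not real identifiers.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto log lines quoted in the thread.
# Peer 1.2.3.4 follows the Windows excerpt (SAs established, then deleted with
# in=0B out=0B); peer 5.6.7.8 is a constructed stand-in for the Android client.
SAMPLE_LOG = """\
Oct 17 13:58:19.941532: "L2TPD-PSK"[2] 1.2.3.4 #1: the peer proposed: 6.7.8.9/32:17/1701 -> 192.168.10.28/32:17/1701
Oct 17 13:58:20.206460: "L2TPD-PSK"[2] 1.2.3.4 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xd2f84fcd <0x3812889c xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
Oct 17 13:58:20.438199: "L2TPD-PSK"[2] 1.2.3.4 #3: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x1eeea96c <0x321e2207 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=192.168.10.28 NATD=1.2.3.4:4500 DPD=unsupported}
Oct 17 13:58:20.440236: "L2TPD-PSK"[2] 1.2.3.4 #2: deleting other state #2 (STATE_QUICK_R2) aged 0.498s and sending notification
Oct 17 13:58:20.440351: "L2TPD-PSK"[2] 1.2.3.4 #2: ESP traffic information: in=0B out=0B
Oct 17 13:58:23.399483: "L2TPD-PSK"[2] 1.2.3.4 #3: deleting other state #3 (STATE_QUICK_R2) aged 3.192s and sending notification
Oct 17 13:58:23.399587: "L2TPD-PSK"[2] 1.2.3.4 #3: ESP traffic information: in=0B out=0B
Oct 17 13:58:38.751378: "L2TPD-PSK" #1: deleting state (STATE_MAIN_R3) aged 19.522s and sending notification
Oct 17 14:06:37.714038: "L2TPD-PSK"[2] 5.6.7.8 #1: the peer proposed: 6.7.8.9/32:17/1701 -> 192.168.10.65/32:17/0
Oct 17 14:06:37.978259: "L2TPD-PSK"[2] 5.6.7.8 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x00a00064 <0xa8646d52 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=5.6.7.8:4500 DPD=active}
"""

# Line prefix: timestamp, conn name, optional [instance], optional peer, state number.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:.]+): "(?P<conn>[^"]+)"(?:\[\d+\])?'
    r'(?: (?P<peer>[\d.]+))? #(?P<state>\d+): (?P<msg>.*)$'
)
PROPOSAL_RE = re.compile(r'the peer proposed: (\S+) -> (\S+)')
ESTABLISHED_RE = re.compile(r'IPsec SA established (\w+) mode \{(.*)\}')
DELETE_RE = re.compile(r'deleting other state #(\d+) \(STATE_QUICK_R2\) aged ([\d.]+)s')
TRAFFIC_RE = re.compile(r'ESP traffic information: in=(\d+)B out=(\d+)B')


def parse_line(line):
    """Split one pluto line into timestamp, conn, peer, state number and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def collect(log_text):
    """Group Quick Mode events (proposal, establish, delete, byte counters) per peer."""
    peers = defaultdict(lambda: {"proposals": [], "established": {},
                                 "deleted": {}, "traffic": {}})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["peer"] is None:
            continue  # unparsable, or a peer-less line such as the ISAKMP SA teardown
        p, msg, st = peers[rec["peer"]], rec["msg"], int(rec["state"])
        if m := PROPOSAL_RE.search(msg):
            p["proposals"].append((m.group(1), m.group(2)))
        elif m := ESTABLISHED_RE.search(msg):
            # "{ESP/NAT=>0x.. <0x.. xfrm=.. NATOA=.. NATD=.. DPD=..}" -> key/value map
            attrs = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            p["established"][st] = {"mode": m.group(1), **attrs}
        elif m := DELETE_RE.search(msg):
            p["deleted"][int(m.group(1))] = float(m.group(2))
        elif m := TRAFFIC_RE.search(msg):
            p["traffic"][st] = (int(m.group(1)), int(m.group(2)))
    return peers


def classify(p):
    """Turn one peer's events into a short diagnosis of which layer failed."""
    established = p["established"]
    # Child SAs that were deleted after carrying zero bytes in either direction.
    idle = sorted(s for s in p["deleted"] if p["traffic"].get(s) == (0, 0))
    last = established[max(established)] if established else {}
    report = {
        "sa_count": len(established),
        "idle_teardowns": idle,
        "client_selector": p["proposals"][-1][1] if p["proposals"] else None,
        "natoa": last.get("NATOA"),
        "dpd": last.get("DPD"),
    }
    if not established:
        report["verdict"] = "no IPsec SA: IKE or Quick Mode negotiation failed"
    elif idle:
        report["verdict"] = (f"IPsec completed but {len(idle)} of {len(p['deleted'])} torn-down "
                             "SAs carried 0 ESP bytes: nothing (L2TP on UDP 1701) flowed inside "
                             "the tunnel; check the xl2tpd log and the client-side firewall")
    else:
        report["verdict"] = "IPsec SA established and not torn down idle"
    return report


def analyze(log_text):
    return {peer: classify(p) for peer, p in collect(log_text).items()}


if __name__ == "__main__":
    for peer, rep in analyze(SAMPLE_LOG).items():
        print(peer, rep)
```

Run it against a real /var/log/pluto/pluto.log by passing the file contents to analyze(); the per-peer report also surfaces the client's proposed selector (17/1701 from Windows versus 17/0 from Android in the quoted logs), the NAT-OA and whether DPD was negotiated, which are the fields worth comparing between a working and a failing client.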