[Swan] Windows 7/10 ipsec issues

Computerisms Corporation bob at computerisms.ca
Thu Oct 31 18:35:33 UTC 2019


 >> do your l2tp logs show the connection?
 >>
 >
 >Nope. It always fails on the ipsec connection.

hm, not sure that this is true; in the logs you posted, you do get an 
IPsec SA established which, in my experience, means that the tunnel is 
successfully established.  However, it is immediately followed by:

received Delete SA(0x1728294a) payload: deleting IPsec State

which means something is telling it to un-establish, which might be a 
failure to connect to the l2tp daemon, for example because your iptables 
rules are not correct or the roadwarrior has a firewall blocking it. 
Might be something else too, I suppose.

The only l2tp unit I have that is still in production is using version 
3.12 of libreswan and has 17/%any on both sides, so maybe you will need 
an older version.  fwiw, here is the config:

conn rw-l2tp-ugl-withnat
    rightsubnet=vhost:%no,%priv
    also=rw-l2tp-ugl-nonat

conn rw-l2tp-ugl-nonat
    left=x.x.x.x
    leftnexthop=x.x.x.y
    leftprotoport=17/%any
    leftcert=firewall.ugl
    right=%any
    rightprotoport=17/%any
    rightca=%same
    pfs=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add


On 2019-10-30 12:14 p.m., John Crisp wrote:
> On 30/10/19 19:41, John Crisp wrote:
> 
>>
>>> can try setting both right and left protoport to 17/%any.
>>>
> 
> Failed to add connection "L2TPD-PSK": cannot have protoport with %any on
> both sides
> 
> :-)
> 
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
> 
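The pattern Bob describes above (an "IPsec SA established" line followed almost immediately by "received Delete SA(...) payload: deleting IPsec State") is easy to spot by hand in one log excerpt, but on a busy gateway it helps to have a script pick it out. The following is an added example, not code from this thread or from the libreswan project: it scans pluto log lines, pairs each established IPsec SA with a Delete SA payload for the same connection, peer and state number, and reports the ones that were torn down within a short window, which points at the L2TP leg rather than IPsec itself. The log lines are constructed for the example (only the Delete SA text with SPI 0x1728294a is taken from the thread), and the syslog/pluto line layout the regex assumes (`"conn"[instance] peer #state: message`, with the child state number at the end of the delete message) is an assumption about the format, so adjust it to what your logs actually show.

```python
"""Flag IPsec SAs that come up and are immediately deleted (constructed example)."""
import re
from datetime import datetime

# Assumed pluto-in-syslog layout: '<ts> <host> pluto[pid]: "conn"[inst] <peer> #<state>: <msg>'
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?P<conn>"[^"]+"(?:\[\d+\])?) (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)
ESTABLISHED_RE = re.compile(r'IPsec SA established')
# The delete is logged on the parent (ISAKMP) state; the IPsec state it kills
# is named at the end of the message. Both the SPI and that number are captured.
DELETE_RE = re.compile(
    r'received Delete SA\((?P<spi>0x[0-9a-fA-F]+)\) payload: deleting IPsec State'
    r'(?: #(?P<child>\d+))?'
)

# Constructed sample log: one L2TP road warrior whose IPsec SA is deleted 2s
# after coming up, and one site-to-site tunnel that lives for ~18 minutes.
SAMPLE_LOG = """\
Oct 30 19:40:01 fw pluto[1234]: "L2TPD-PSK"[1] 203.0.113.5 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Oct 30 19:40:02 fw pluto[1234]: "L2TPD-PSK"[1] 203.0.113.5 #2: STATE_QUICK_R2: IPsec SA established transport mode
Oct 30 19:40:04 fw pluto[1234]: "L2TPD-PSK"[1] 203.0.113.5 #1: received Delete SA(0x1728294a) payload: deleting IPsec State #2
Oct 30 19:41:10 fw pluto[1234]: "office-net" 198.51.100.9 #3: STATE_QUICK_R2: IPsec SA established tunnel mode
Oct 30 19:59:30 fw pluto[1234]: "office-net" 198.51.100.9 #3: received Delete SA(0x0badcafe) payload: deleting IPsec State #3
"""


def parse_line(line):
    """Split one pluto log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # No year in syslog timestamps; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "conn": m["conn"], "peer": m["peer"],
            "state": int(m["state"]), "msg": m["msg"]}


def find_torn_down_sas(log_text, window_seconds=10):
    """Return a record for every IPsec SA deleted within window_seconds of being established."""
    pending = {}   # (conn, peer, ipsec state number) -> time the SA came up
    found = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ESTABLISHED_RE.search(ev["msg"]):
            pending[(ev["conn"], ev["peer"], ev["state"])] = ev["ts"]
            continue
        d = DELETE_RE.search(ev["msg"])
        if not d:
            continue
        # Prefer the IPsec state named in the message; fall back to the line's own state.
        child = int(d["child"]) if d["child"] else ev["state"]
        key = (ev["conn"], ev["peer"], child)
        if key in pending:
            age = (ev["ts"] - pending.pop(key)).total_seconds()
            if age <= window_seconds:
                found.append({"conn": ev["conn"], "peer": ev["peer"], "state": child,
                              "spi": d["spi"], "seconds_up": age})
    return found


def hint(record):
    """Turn one record into the check an operator should do next."""
    return (f'{record["conn"]} from {record["peer"]}: IPsec SA {record["spi"]} was up only '
            f'{record["seconds_up"]:.0f}s before the peer deleted it. IPsec negotiated fine, '
            'so check the L2TP leg: UDP/1701 allowed by the gateway firewall rules, the '
            'client-side firewall not blocking it, and the l2tp daemon actually listening.')


if __name__ == "__main__":
    for rec in find_torn_down_sas(SAMPLE_LOG):
        print(hint(rec))
```

Run it against a real log with `find_torn_down_sas(open("/var/log/secure").read())` or whatever file pluto logs to on your distribution; a tunnel that legitimately runs for minutes and is then deleted (the second connection in the sample) is not reported, only the ones that die inside the window.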

