[Swan] Could not establish IPsec tunnel

Paul Smith phhs80 at gmail.com
Wed Nov 13 20:52:43 UTC 2019 

Thanks, Paul, for the tremendous help!

By following your advice and disabling PFS (on NetworkManager), I got
through Phase 2. However, I am now facing another problem. Please, see
the logs below

Any ideas?

Thanks in advance,

Paul

------------------------------
117 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: STATE_QUICK_I1: initiate
003 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: ignoring informational
payload IPSEC_RESPONDER_LIFETIME, msgid=0dbd67ce, length=28
004 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: STATE_QUICK_I2: sent
QI2, IPsec SA established transport mode {ESP/NAT=>0xd14c041b
<0xf224a233 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none
NATD=193.136.25.122:4500 DPD=passive}
nm-l2tp[19108] <info>  Libreswan IPsec tunnel is up.
** Message: 20:37:59.170: xl2tpd started with pid 19515
xl2tpd[19515]: Not looking for kernel SAref support.
xl2tpd[19515]: Using l2tp kernel support.
xl2tpd[19515]: xl2tpd version xl2tpd-1.3.14 started on xhost PID:19515
xl2tpd[19515]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[19515]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[19515]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[19515]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[19515]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[19515]: get_call: allocating new tunnel for host
193.136.25.122, port 1701.
xl2tpd[19515]: Connecting to host 193.136.25.122, port 1701
xl2tpd[19515]: control_finish: message type is (null)(0).  Tunnel is
0, call is 0.
xl2tpd[19515]: control_finish: sending SCCRQ
xl2tpd[19515]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[19515]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[19515]: framing_caps_avp: supported peer frames: async sync
xl2tpd[19515]: hostname_avp: peer reports hostname 'warrior'
xl2tpd[19515]: assigned_tunnel_avp: using peer's tunnel 43071
xl2tpd[19515]: vendor_avp: peer reports vendor 'Check Point'
xl2tpd[19515]: control_finish: message type is
Start-Control-Connection-Reply(2).  Tunnel is 43071, call is 0.
xl2tpd[19515]: control_finish: sending SCCCN
xl2tpd[19515]: Connection established to 193.136.25.122, 1701.  Local:
29706, Remote: 43071 (ref=0/0).
xl2tpd[19515]: Calling on tunnel 29706
xl2tpd[19515]: control_finish: message type is (null)(0).  Tunnel is
43071, call is 0.
xl2tpd[19515]: control_finish: sending ICRQ
xl2tpd[19515]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[19515]: assigned_call_avp: using peer's call 35143
xl2tpd[19515]: control_finish: message type is
Incoming-Call-Reply(11).  Tunnel is 43071, call is 35143.
xl2tpd[19515]: control_finish: Sending ICCN
xl2tpd[19515]: Call established with 193.136.25.122, Local: 65505,
Remote: 35143, Serial: 1 (ref=0/0)
nm-l2tp[19108] <info>  Terminated xl2tpd daemon with PID 19515.
xl2tpd[19515]: death_handler: Fatal signal 15 received
xl2tpd[19515]: Connection 43071 closed to 193.136.25.122, port 1701
(Server closing)
002 "ec9a3d05-1842-403a-84b5-371af56faa30": terminating SAs using this
connection
002 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: deleting state
(STATE_QUICK_I2) aged 0.353s and sending notification
005 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: ESP traffic
information: in=382B out=561B
002 "ec9a3d05-1842-403a-84b5-371af56faa30" #1: deleting state
(STATE_MAIN_I4) aged 0.439s and sending notification
** Message: 20:37:59.409: ipsec shut down
nm-l2tp[19108] <warn>  xl2tpd exited with error code 1
** Message: 20:37:59.425: ipsec shut down
------------------------------


On Wed, Nov 13, 2019 at 8:06 PM Paul Wouters <paul at nohats.ca> wrote:
>
> On Wed, 13 Nov 2019, Paul Smith wrote:
>
> > I am trying to establish a L2TP VPN connection using libreswan on
> > Fedora 31 to connect to a MS Windows server, but getting the problem
> > below.
>
> > 004 "ec9a3d05-1842-403a-84b5-371af56faa30" #1: STATE_MAIN_I4: ISAKMP
> > SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1
> > group=MODP1024}
>
> phase 1 established.
>
> > 002 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: initiating Quick Mode
> > PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> > {using isakmp#1 msgid:b951826e proposal=3DES_CBC-HMAC_SHA1_96
> > pfsgroup=MODP1024}
> > 117 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: STATE_QUICK_I1: initiate
> > 010 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: STATE_QUICK_I1:
> > retransmission; will wait 0.5 seconds for response
>
> this times out. Usually it means the other end does not like your phase2
> proposal but did not bother to tell you. Check the esp/phase2alg and pfs
> settings. Also make sure you have leftprotoport/rightprotoport setup for
> L2TP. Also check if you are using transport mode, not tunnel mode.
>
> Paul

More information about the Swan mailing list