[Swan] Could not establish IPsec tunnel

Paul Smith phhs80 at gmail.com
Wed Nov 13 21:24:30 UTC 2019


Please ignore my previous message, as the problem was meanwhile
fixed: it was a misconfiguration of the L2TP PPP options (it was my
fault).

Thank you so much for your help!

Paul




On Wed, Nov 13, 2019 at 8:52 PM Paul Smith <phhs80 at gmail.com> wrote:
>
> Thanks, Paul, for the tremendous help!
>
> By following your advice and disabling PFS (on NetworkManager), I got
> through Phase 2. However, I am now facing another problem. Please see
> the logs below.
>
> Any ideas?
>
> Thanks in advance,
>
> Paul
>
> ------------------------------
> 117 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: STATE_QUICK_I1: initiate
> 003 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: ignoring informational
> payload IPSEC_RESPONDER_LIFETIME, msgid=0dbd67ce, length=28
> 004 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: STATE_QUICK_I2: sent
> QI2, IPsec SA established transport mode {ESP/NAT=>0xd14c041b
> <0xf224a233 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none
> NATD=193.136.25.122:4500 DPD=passive}
> nm-l2tp[19108] <info>  Libreswan IPsec tunnel is up.
> ** Message: 20:37:59.170: xl2tpd started with pid 19515
> xl2tpd[19515]: Not looking for kernel SAref support.
> xl2tpd[19515]: Using l2tp kernel support.
> xl2tpd[19515]: xl2tpd version xl2tpd-1.3.14 started on xhost PID:19515
> xl2tpd[19515]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
> xl2tpd[19515]: Forked by Scott Balmos and David Stipp, (C) 2001
> xl2tpd[19515]: Inherited by Jeff McAdams, (C) 2002
> xl2tpd[19515]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
> xl2tpd[19515]: Listening on IP address 0.0.0.0, port 1701
> xl2tpd[19515]: get_call: allocating new tunnel for host
> 193.136.25.122, port 1701.
> xl2tpd[19515]: Connecting to host 193.136.25.122, port 1701
> xl2tpd[19515]: control_finish: message type is (null)(0).  Tunnel is
> 0, call is 0.
> xl2tpd[19515]: control_finish: sending SCCRQ
> xl2tpd[19515]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
> xl2tpd[19515]: protocol_version_avp: peer is using version 1, revision 0.
> xl2tpd[19515]: framing_caps_avp: supported peer frames: async sync
> xl2tpd[19515]: hostname_avp: peer reports hostname 'warrior'
> xl2tpd[19515]: assigned_tunnel_avp: using peer's tunnel 43071
> xl2tpd[19515]: vendor_avp: peer reports vendor 'Check Point'
> xl2tpd[19515]: control_finish: message type is
> Start-Control-Connection-Reply(2).  Tunnel is 43071, call is 0.
> xl2tpd[19515]: control_finish: sending SCCCN
> xl2tpd[19515]: Connection established to 193.136.25.122, 1701.  Local:
> 29706, Remote: 43071 (ref=0/0).
> xl2tpd[19515]: Calling on tunnel 29706
> xl2tpd[19515]: control_finish: message type is (null)(0).  Tunnel is
> 43071, call is 0.
> xl2tpd[19515]: control_finish: sending ICRQ
> xl2tpd[19515]: message_type_avp: message type 11 (Incoming-Call-Reply)
> xl2tpd[19515]: assigned_call_avp: using peer's call 35143
> xl2tpd[19515]: control_finish: message type is
> Incoming-Call-Reply(11).  Tunnel is 43071, call is 35143.
> xl2tpd[19515]: control_finish: Sending ICCN
> xl2tpd[19515]: Call established with 193.136.25.122, Local: 65505,
> Remote: 35143, Serial: 1 (ref=0/0)
> nm-l2tp[19108] <info>  Terminated xl2tpd daemon with PID 19515.
> xl2tpd[19515]: death_handler: Fatal signal 15 received
> xl2tpd[19515]: Connection 43071 closed to 193.136.25.122, port 1701
> (Server closing)
> 002 "ec9a3d05-1842-403a-84b5-371af56faa30": terminating SAs using this
> connection
> 002 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: deleting state
> (STATE_QUICK_I2) aged 0.353s and sending notification
> 005 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: ESP traffic
> information: in=382B out=561B
> 002 "ec9a3d05-1842-403a-84b5-371af56faa30" #1: deleting state
> (STATE_MAIN_I4) aged 0.439s and sending notification
> ** Message: 20:37:59.409: ipsec shut down
> nm-l2tp[19108] <warn>  xl2tpd exited with error code 1
> ** Message: 20:37:59.425: ipsec shut down
> ------------------------------
>
>
> On Wed, Nov 13, 2019 at 8:06 PM Paul Wouters <paul at nohats.ca> wrote:
> >
> > On Wed, 13 Nov 2019, Paul Smith wrote:
> >
> > > I am trying to establish an L2TP VPN connection using libreswan on
> > > Fedora 31 to connect to a MS Windows server, but getting the problem
> > > below.
> >
> > > 004 "ec9a3d05-1842-403a-84b5-371af56faa30" #1: STATE_MAIN_I4: ISAKMP
> > > SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1
> > > group=MODP1024}
> >
> > phase 1 established.
> >
> > > 002 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: initiating Quick Mode
> > > PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> > > {using isakmp#1 msgid:b951826e proposal=3DES_CBC-HMAC_SHA1_96
> > > pfsgroup=MODP1024}
> > > 117 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: STATE_QUICK_I1: initiate
> > > 010 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: STATE_QUICK_I1:
> > > retransmission; will wait 0.5 seconds for response
> >
> > this times out. Usually it means the other end does not like your phase2
> > proposal but did not bother to tell you. Check the esp/phase2alg and pfs
> > settings. Also make sure you have leftprotoport/rightprotoport setup for
> > L2TP. Also check if you are using transport mode, not tunnel mode.
> >
> > Paul

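As an added example that is not part of the thread above, here is a libreswan ipsec.conf "conn" for an L2TP/IPsec client that applies the three checks Paul Wouters listed (transport mode, UDP/1701 protoports on both sides, PFS and phase 2 algorithm settings). The connection name, SERVER_IP_PLACEHOLDER and the pre-shared key are placeholders; the algorithms are the ones the logs show the peer negotiating.

```ini
# Added example, not configuration from the thread or the libreswan project.
# Client-side conn for L2TP over IPsec (IKEv1 + PSK). Replace the placeholders.
conn l2tp-psk-client
    # IKEv1 with a pre-shared key, matching "auth=PRESHARED_KEY" in the log
    keyexchange=ike
    ikev2=no
    authby=secret
    # L2TP/IPsec protects a UDP/1701 flow, so it must be transport mode,
    # not tunnel mode
    type=transport
    left=%defaultroute
    # Restrict the SA to UDP/1701 on both ends. Without the protoports the
    # peer may reject the Quick Mode proposal without saying why, which shows
    # up as "STATE_QUICK_I1: retransmission" until the exchange times out.
    leftprotoport=17/1701
    right=SERVER_IP_PLACEHOLDER
    rightprotoport=17/1701
    # Phase 1 proposal seen in the log: 3DES_CBC_192 / HMAC_SHA1 / MODP1024.
    # These are weak by current standards; use stronger ones if the server
    # accepts them.
    ike=3des-sha1;modp1024
    # Phase 2 proposal seen in the log: 3DES_CBC-HMAC_SHA1_96
    phase2=esp
    phase2alg=3des-sha1
    # Disabling PFS is what moved this connection past phase 2
    pfs=no
    # Load the conn but let NetworkManager / the user bring it up
    auto=add
```

The matching key goes in an ipsec.secrets entry of the form `%any SERVER_IP_PLACEHOLDER : PSK "PSK_PLACEHOLDER"`; once "IPsec SA established transport mode" appears in the log, any remaining failure is on the xl2tpd/PPP side rather than in IPsec.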
