[Swan] Issue with opening up VPN from iPhone with iOS14
Christian Dürrhauer
christian at duerrhauer.de
Sun Oct 11 21:32:02 UTC 2020
Hello,
I am having difficulty opening a VPN tunnel (L2TP VPN from iOS 14).
These are the config files. Many thanks in advance!
ipsec.conf:
Code:
# ipsec.conf as posted (the key=value lines lost their indentation in the paste;
# libreswan expects them indented under their section).
config setup
# RFC1918 ranges offered to roadwarriors as virtual-private, with two /24s excluded.
# NOTE(review): the server's own LAN 192.168.1.0/24 is not excluded — confirm that is intended.
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
protostack=netkey
interfaces=%defaultroute
# uniqueids=no lets several peers present the same ID (presumably for multiple
# clients behind one NAT); verify this is wanted.
uniqueids=no
# NOTE(review): this conn has no auto= line (libreswan defaults to auto=ignore) and
# conn L2TP-PSK3 below does not reference it with also=, so as far as this file shows
# none of these settings apply to the L2TP connection; the log only ever mentions
# "L2TP-PSK3".
conn shared
left=%defaultroute
leftid=192.168.1.2
right=%any
encapsulation=yes
authby=secret
pfs=no
rekey=no
keyingtries=5
dpddelay=30
dpdtimeout=120
dpdaction=clear
ikev2=no
# NOTE(review): a comma is missing between "3des-sha1-modp1024" and "aes256-sha2";
# as written the list will not parse as intended.
ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
# The commented-out alternatives below include md5 and 3des; leave them disabled.
#ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
#esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
#esp=aes256-sha256,aes256-sha1,3des-sha1
sha2-truncbug=no
# The connection the iPhone actually negotiates against (see the pluto log).
conn L2TP-PSK3
pfs=no
# Loaded at startup; waits for the peer to initiate.
auto=add
# IKEv1 only — the log shows Main Mode, which is what iOS L2TP/IPsec uses.
ikev2=no
# All accepted IKE proposals are SHA1 over MODP1024. The log shows the iPhone first
# offering AES256 with SHA2_256/SHA1/MD5 over MODP2048 and MODP1536 (all refused)
# before the SA comes up as aes256-sha1-modp1024. Consider listing
# aes256-sha2_256-modp2048 first so the stronger group the client already offers is
# taken. This is not the cause of the failure: the ISAKMP SA is established.
ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024
# Negotiated as AES_CBC_256-HMAC_SHA2_256_128 per the log; the trailing 3des-sha1 is a
# weak fallback this client does not need.
esp=aes256-sha2_512,aes256-sha1,aes256-sha2_256,3des-sha1
# PSK from ipsec.secrets. The log warns the 25-byte PSK is too short for a sha2_512
# PRF in FIPS mode; the SA still came up with HMAC_SHA1, so this is a warning only.
authby=secret
# Transport mode to the L2TP port; the log confirms the negotiated selectors
# (us 192.168.1.2:17/1701, them 192.168.1.135:17/56214).
type=transport
# NOTE(review): the logged test peer is on the same LAN (NATD=none), so NAT traversal
# is not exercised here; a client from outside may behave differently — confirm which
# case fails.
left=192.168.1.2
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
# Tear the connection down when the peer stops answering DPD.
dpddelay=30
dpdtimeout=120
dpdaction=clear
# NOTE(review): per the log the IPsec SA is established and deleted by the peer ~20 s
# later with "in=623B out=0B" — encrypted traffic arrived but nothing was sent back.
# The IPsec side of this file therefore works; the failure is most likely in the
# L2TP/PPP layer (xl2tpd listening on UDP 1701, host firewall, pppd options), which
# this file cannot show.
ipsec.secrets:
Code:
# Wildcard PSK: any local ID to any peer ID shares this single key.
# NOTE(review): the pluto log warns the configured PSK is 25 bytes, shorter than the
# 32 bytes a sha2_512 PRF needs in FIPS mode — harmless for the SHA1 SA that was
# negotiated, but a longer passphrase removes the warning. The value shown here is
# presumably redacted (it is 14 bytes; the log counts 25).
%any %any : PSK "PSK-Passphrase"
xl2tpd.conf:
Code:
; xl2tpd.conf as posted.
[global]
; UDP 1701 — matches leftprotoport=17/1701 in conn L2TP-PSK3 of ipsec.conf.
port = 1701
[lns default]
; Client addresses are taken from the server's own LAN (local ip 192.168.1.2 is in the
; same /24). NOTE(review): whether LAN hosts can reach those addresses depends on the
; ppp options file (proxyarp), which is not shown — confirm.
ip range = 192.168.1.220-192.168.1.230
local ip = 192.168.1.2
; CHAP only, PAP refused. "name" must match the second field of chap-secrets ("l2tpd").
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
; Referenced file is not included in the post.
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
; NOTE(review): the pluto log shows the IPsec SA up with in=623B out=0B before the peer
; deletes it, i.e. the decrypted L2TP packets reached this host but nothing answered.
; Check that xl2tpd is running and bound to UDP 1701, that the host firewall admits
; UDP 1701 (transport-mode ESP hands the packets to the normal socket), and read
; xl2tpd's own log — none of that is visible here.
chap-secrets:
Code:
"vpnuser" l2tpd "T0p at s!" *
log:
Code:
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: responding to Main Mode from unknown peer 192.168.1.135:500
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP2048] refused
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP2048] refused
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP2048] refused
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: WARNING: connection L2TP-PSK3 PSK length of 25 bytes is too short for sha2_512 PRF in FIPS mode (32 bytes required)
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: Oakley Transform [AES_CBC (256), HMAC_SHA2_512, MODP2048] refused
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1536] refused
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP1536] refused
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: Oakley Transform [AES_CBC (256), HMAC_MD5, MODP1536] refused
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: Oakley Transform [AES_CBC (256), HMAC_SHA2_256, MODP1024] refused
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Oct 11 22:36:46 vpnserver pluto[4616]: | ISAKMP Notification Payload
Oct 11 22:36:46 vpnserver pluto[4616]: | 00 00 00 1c 00 00 00 01 01 10 60 02
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: Peer ID is ID_IPV4_ADDR: '192.168.1.135'
Oct 11 22:36:46 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1024}
Oct 11 22:36:47 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: the peer proposed: 192.168.1.2/32:17/1701 -> 192.168.1.135/32:17/0
Oct 11 22:36:47 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #8: responding to Quick Mode proposal {msgid:62c9d168}
Oct 11 22:36:47 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #8: us: 192.168.1.2<192.168.1.2>:17/1701
Oct 11 22:36:47 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #8: them: 192.168.1.135:17/56214
Oct 11 22:36:47 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP=>0x0288310b <0xa712410c xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=active}
Oct 11 22:36:47 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #8: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x0288310b <0xa712410c xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=active}
Oct 11 22:37:07 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: received Delete SA(0x0288310b) payload: deleting IPsec State #8
Oct 11 22:37:07 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #8: deleting other state #8 (STATE_QUICK_R2) aged 20.132s and sending notification
Oct 11 22:37:07 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #8: ESP traffic information: in=623B out=0B
Oct 11 22:37:07 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135 #7: deleting state (STATE_MAIN_R3) aged 21.143s and sending notification
Oct 11 22:37:07 vpnserver pluto[4616]: "L2TP-PSK3"[6] 192.168.1.135: deleting connection "L2TP-PSK3"[6] 192.168.1.135 instance with peer 192.168.1.135 {isakmp=#0/ipsec=#0}