[Swan] VPN server on Debian 10 using L2TP with IPSEC PSK not working

Mon Nov 22 18:51:43 EET 2021

On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:

> I am having a problem setting up VPN on Debian server 10 for our Microsoft 
> and Android clients to connect. Our current configuration is L2TP over IPSEC 
> with PSK, as it is also supported on our UniFi UDM-Pro device.
>
> I have explained the problem here, but I've received no reply yet:
>
> https://superuser.com/questions/1688888/vpn-server-on-debian-10-using-l2tp-with-ipsec-psk-not-working
>
> Please help me with this configuration, as it would be very good that it 
> worked for the "road warriors" now in these COVID situations and work from 
> home.
>
> UniFi UDM configuration worked "out of the box" from the GUI interface, but I 
> am perplexed with the number of various configuration options of libreswan, 
> ipsec and xl2tpd. I've used an example from Github, but it didn't work well 
> with my server (it stopped postfix local delivery altogether).

You should _really_ try and use IKEv2 instead of IKEv1/L2TP/IPsec/Transport Mode

Your logs show:

Nov 22 15:31:34.094161: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: the peer proposed: 161.53.235.3/32:17/1701 -> 193.198.186.218/32:17/0
Nov 22 15:31:34.094229: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: peer proposal was rejected in a virtual connection policy: a private network virtual IP was required, but the proposed IP did not match our list (virtual-private=), or our list excludes their IP (e.g. %v4!...) since it is in use elsewhere
Nov 22 15:31:34.095692: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: responding to Quick Mode proposal {msgid:01000000}
Nov 22 15:31:34.095702: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:     us: 161.53.235.3:17/1701
Nov 22 15:31:34.095710: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:   them: 193.198.186.218:17/1701
Nov 22 15:31:34.096736: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP=>0xe23be20c <0x1f9b5bfe xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
Nov 22 15:31:34.113899: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Nov 22 15:31:34.114077: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe23be20c <0x1f9b5bfe xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
Nov 22 15:32:09.151495: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: received Delete SA(0xe23be20c) payload: deleting IPSEC State #4

It looks like you don't have two connections, one for with-NAT and one
for without-NAT. Due to Transport Mode, the proposals will be different.

For the non-NAT version to work, add: rightsubnet=vhost:%no to your
connection L2TP-PSK-noNAT

Paul