[Swan] VPN server on Debian 10 using L2TP with IPSEC PSK not working
Mirsad Goran Todorovac
mirsad.todorovac at alu.hr
Mon Nov 22 19:14:13 EET 2021
Dear Sir,
I have made the suggested correction, and now the error message is
different:
The new error log is available at
https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log
What strikes me at first is the line:
Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial Main Mode
message received on 161.53.235.3:500 but no connection has been
authorized with policy PSK+IKEV1_ALLOW
I will try IKEv2, but does it connect from both Windows 10 and Android
just like this old setup?
Kind regards,
Mirsad Todorovac
On 11/22/2021 5:51 PM, Paul Wouters wrote:
> On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:
>
>> I am having a problem setting up a VPN on a Debian 10 server for our
>> Microsoft and Android clients to connect to. Our current configuration
>> is L2TP over IPSEC with PSK, as it is also supported on our UniFi
>> UDM-Pro device.
>>
>> I have explained the problem here, but I've received no reply yet:
>>
>> https://superuser.com/questions/1688888/vpn-server-on-debian-10-using-l2tp-with-ipsec-psk-not-working
>>
>>
>> Please help me with this configuration, as it would be very good if
>> it worked for the "road warriors" now in this COVID situation and
>> work from home.
>>
>> UniFi UDM configuration worked "out of the box" from the GUI
>> interface, but I am perplexed with the number of various
>> configuration options of libreswan, ipsec and xl2tpd. I've used an
>> example from Github, but it didn't work well with my server (it
>> stopped postfix local delivery altogether).
>
> You should _really_ try and use IKEv2 instead of
> IKEv1/L2TP/IPsec/Transport Mode
>
>
> Your logs show:
>
> Nov 22 15:31:34.094161: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: the peer
> proposed: 161.53.235.3/32:17/1701 -> 193.198.186.218/32:17/0
> Nov 22 15:31:34.094229: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: peer
> proposal was rejected in a virtual connection policy: a private
> network virtual IP was required, but the proposed IP did not match our
> list (virtual-private=), or our list excludes their IP (e.g. %v4!...)
> since it is in use elsewhere
> Nov 22 15:31:34.095692: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:
> responding to Quick Mode proposal {msgid:01000000}
> Nov 22 15:31:34.095702: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:
> us: 161.53.235.3:17/1701
> Nov 22 15:31:34.095710: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: them:
> 193.198.186.218:17/1701
> Nov 22 15:31:34.096736: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> transport mode {ESP=>0xe23be20c <0x1f9b5bfe
> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
> Nov 22 15:31:34.113899: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:
> Configured DPD (RFC 3706) support not enabled because remote peer did
> not advertise DPD support
> Nov 22 15:31:34.114077: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:
> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe23be20c
> <0x1f9b5bfe xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none
> DPD=active}
> Nov 22 15:32:09.151495: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: received
> Delete SA(0xe23be20c) payload: deleting IPSEC State #4
>
> It looks like you don't have two connections, one for with-NAT and one
> for without-NAT. Due to Transport Mode, the proposals will be different.
>
> For the non-NAT version to work, add: rightsubnet=vhost:%no to your
> connection L2TP-PSK-noNAT
>
> Paul
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
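The two-connection layout Paul describes, one for clients behind NAT (whose Quick Mode proposal carries their private address and is matched against the virtual-private list via vhost:%priv) and one for clients on public addresses (whose proposal is the host address itself, accepted by rightsubnet=vhost:%no), as an added example ipsec.conf fragment. This is not configuration from the thread or from the libreswan project; the server address is taken from the log lines above, while the virtual-private list, the xl2tpd pool, the lifetimes and the DPD timers are assumptions. The shared settings are written out in both connections rather than pulled in with also=, so that rightsubnet is set exactly once per connection.

```ini
# /etc/ipsec.conf  (added example, not the poster's or the project's own config)
config setup
    # Peer-side addresses that count as "private" for vhost:%priv.
    # The %v4! entry excludes the pool that xl2tpd hands out
    # (assumed here to be 192.168.42.0/24) so a NATed client cannot
    # claim an address that is in use elsewhere.
    virtual-private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.42.0/24

# Clients behind NAT: accept a private address from virtual-private.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    authby=secret
    type=transport
    ikev2=no                 # IKEv1 only; newer libreswan spells this keyexchange=ikev1
    pfs=no
    left=161.53.235.3        # server address from the thread's log lines
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    salifetime=1h
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear

# Clients on public addresses: the proposal must be the peer's own host
# address, which is what vhost:%no matches (Paul's suggested line).
conn L2TP-PSK-noNAT
    rightsubnet=vhost:%no
    authby=secret
    type=transport
    ikev2=no
    pfs=no
    left=161.53.235.3
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    salifetime=1h
    dpddelay=10
    dpdtimeout=20
    dpdaction=clear
```

The pre-shared key itself does not live in ipsec.conf but in /etc/ipsec.secrets, as a line of the form `161.53.235.3 %any : PSK "the-key"`; after editing either file, `ipsec restart` reloads both. With this layout a NAT client negotiates on L2TP-PSK-NAT and a public-address client on L2TP-PSK-noNAT, instead of the proposal being rejected by the virtual-connection policy as in the log Paul quotes.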