[Swan] VPN server on Debian 10 using L2TP with IPSEC PSK not working

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Mon Nov 22 19:14:13 EET 2021


Dear Sir,

I have made the suggested correction, and now the error message is 
different:

The new error log is available at 
https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log

What strikes at first is the line:

Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial Main Mode 
message received on 161.53.235.3:500 but no connection has been 
authorized with policy PSK+IKEV1_ALLOW

I will try IKEv2, but does it connect from both Windows 10 and Android 
just like this old setup?

Kind regards,
Mirsad Todorovac

On 11/22/2021 5:51 PM, Paul Wouters wrote:
> On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:
>
>> I am having a problem setting up VPN on Debian server 10 for our 
>> Microsoft and Android clients to connect. Our current configuration 
>> is L2TP over IPSEC with PSK, as it is also supported on our UniFi 
>> UDM-Pro device.
>>
>> I have explained the problem here, but I've received no reply yet:
>>
>> https://superuser.com/questions/1688888/vpn-server-on-debian-10-using-l2tp-with-ipsec-psk-not-working 
>>
>>
>> Please help me with this configuration, as it would be very good that 
>> it worked for the "road warriors" now in these COVID situations and 
>> work from home.
>>
>> UniFi UDM configuration worked "out of the box" from the GUI 
>> interface, but I am perplexed with the number of various 
>> configuration options of libreswan, ipsec and xl2tpd. I've used an 
>> example from Github, but it didn't work well with my server (it 
>> stopped postfix local delivery altogether).
>
> You should _really_ try and use IKEv2 instead of 
> IKEv1/L2TP/IPsec/Transport Mode
>
>
> Your logs show:
>
> Nov 22 15:31:34.094161: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: the peer 
> proposed: 161.53.235.3/32:17/1701 -> 193.198.186.218/32:17/0
> Nov 22 15:31:34.094229: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: peer 
> proposal was rejected in a virtual connection policy: a private 
> network virtual IP was required, but the proposed IP did not match our 
> list (virtual-private=), or our list excludes their IP (e.g. %v4!...) 
> since it is in use elsewhere
> Nov 22 15:31:34.095692: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: 
> responding to Quick Mode proposal {msgid:01000000}
> Nov 22 15:31:34.095702: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:     
> us: 161.53.235.3:17/1701
> Nov 22 15:31:34.095710: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: them: 
> 193.198.186.218:17/1701
> Nov 22 15:31:34.096736: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: 
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 
> transport mode {ESP=>0xe23be20c <0x1f9b5bfe 
> xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
> Nov 22 15:31:34.113899: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: 
> Configured DPD (RFC 3706) support not enabled because remote peer did 
> not advertise DPD support
> Nov 22 15:31:34.114077: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: 
> STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe23be20c 
> <0x1f9b5bfe xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none 
> DPD=active}
> Nov 22 15:32:09.151495: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: received 
> Delete SA(0xe23be20c) payload: deleting IPSEC State #4
>
> It looks like you don't have two connections, one for with-NAT and one
> for without-NAT. Due to Transport Mode, the proposals will be different.
>
> For the non-NAT version to work, add: rightsubnet=vhost:%no to your
> connection L2TP-PSK-noNAT
>
> Paul
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
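The two-connection layout Paul describes, written out as an added libreswan ipsec.conf example (not Mirsad's actual configuration nor a file from the libreswan project). It assumes the server address 161.53.235.3 from the log, a libreswan 4.x default of IKEv2-only (hence ikev2=no to allow the IKEv1 PSK policy the clients offer), and a constructed 10.20.0.0/16 placeholder for a LAN the server already routes.

```ini
# Added example: L2TP/IPsec with PSK in transport mode, one connection for
# clients behind NAT and one for clients with a public address.
# The PSK itself goes in /etc/ipsec.secrets, e.g.
#   161.53.235.3 %any : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
config setup
    # Private ranges a NATed client may claim as its virtual IP (vhost:%priv),
    # minus any range already in use on the server side (placeholder below).
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.20.0.0/16

# Clients NOT behind NAT: the proposed address must be their real address,
# so no virtual IP is accepted (rightsubnet=vhost:%no).
conn L2TP-PSK-noNAT
    ikev2=no                 # IKEv1 Main Mode + Quick Mode ("PSK+IKEV1_ALLOW" policy)
    authby=secret            # pre-shared key from /etc/ipsec.secrets
    type=transport           # L2TP/IPsec uses transport mode, not tunnel mode
    pfs=no
    rekey=no
    keyingtries=3
    ikelifetime=8h
    salifetime=1h
    left=161.53.235.3        # server address seen in the log
    leftprotoport=17/1701    # UDP 1701 = L2TP
    right=%any
    rightprotoport=17/%any   # Windows/Android may source L2TP from any UDP port
    rightsubnet=vhost:%no
    dpddelay=10
    dpdtimeout=90
    dpdaction=clear
    auto=add

# Clients behind NAT: accept the private address they propose (vhost:%priv)
# and inherit every other setting from the non-NAT connection.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT
```

With both connections loaded, a client proposing its public /32 (as 193.198.186.218 did above) is rejected by L2TP-PSK-NAT and then matched by L2TP-PSK-noNAT, while a client proposing a virtual-private address is matched by L2TP-PSK-NAT.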