[Swan] VPN server on Debian 10 using L2TP with IPSEC PSK not working
Mirsad Goran Todorovac
mirsad.todorovac at alu.hr
Tue Nov 23 00:22:15 EET 2021
Dear Mr. Wouters,
I've tried my luck with IKEv2, and generated the required certs
according to Wiki.
However, I've hit the bug described here:
https://lists.libreswan.org/pipermail/swan/2018/002901.html
To alleviate that, I've installed libreswan-4.5.tar.gz and compiled it.
After the installation of 4.5, I've lost the connectivity of the IKEv1
link, and the IKEv2 link didn't start to work either.
I have temporarily disabled the IKEv2 conf to make IKEv1 run, but no go. The
error from Windows 10 is here:
The pluto session log is here:
https://domac.alu.hr/mtodorov/xl2tpd-ipsec-v4.5.log
2. My /etc/ipsec.d/ikev2.conf looks like:
conn ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=161.53.235.3
    leftcert=vpn.alu.hr
    leftid=@vpn.alu.hr
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.100.10-192.168.100.253
    # optional rightid with restrictions
    rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=8.8.8.8,192.168.100.1
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota
    # pam-authorize=yes
The connection error is:
The session log is here: https://domac.alu.hr/mtodorov/ikev2-v4.5.log
Please bear with me for a little while longer, I feel we are close to it ...
I hope these messages are helpful. Thank you if you will look into them
and find the problem.
Then I will proceed to the Android setup and keep you posted as you
requested.
Kind regards,
Mirsad Todorovac
On 11/22/2021 9:28 PM, Paul Wouters wrote:
> On Nov 22, 2021, at 15:08, Mirsad Goran Todorovac<mirsad.todorovac at alu.hr> wrote:
>> Dear Mr. Wouters,
>>
>> Your modification works! It was my error, I made a wrong change for left=127.0.0.1 in place of left=%defaultroute
> Awesome !
>
>> Now it works.
>> I have seen that IKEv2 works both in Windows 7 and on my Galaxy Android, so I will set up that too, now that you have encouraged me with this setting working!
> Let us know if it works with the galaxy android natively - I haven’t heard much feedback yet from the new android.
>
> Paul
>
>
>> Thank you very much for your time!
>>
>> Kind regards,
>> Mirsad Todorovac
>>
>>> On 11/22/2021 6:51 PM, Paul Wouters wrote:
>>>> On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:
>>>>
>>>> I have made the suggested correction, and now the error message is different:
>>>>
>>>> The new error log is available at https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log
>>>
>>>> What strikes at first is the line:
>>>>
>>>> Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial Main Mode message received on 161.53.235.3:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
>>> Did you not configure PSK (authby=secret) on the server ?
>>>
>>>
>>>> I will try IKEv2, but does it connect from both Windows 10 and Android just like this old setup?
>>> Old Androids need the strongswan app to use IKEv2. The latest android
>>> should have support for IKEv2 natively.
>>>
>>> Paul
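The pluto error quoted above ("no connection has been authorized with policy PSK+IKEV1_ALLOW") and Paul's authby=secret question come down to whether any loaded conn both permits IKEv1 and carries a PSK policy for the address the packet arrived on. The following checker is an added example, not code from the poster or from libreswan: it parses ipsec.conf-style conn sections and reports which conns could authorize such an IKEv1 PSK initiator. The sample config is constructed (the thread's ikev2-cp conn plus two hypothetical L2TP conns), and the defaults it assumes (unset ikev2= meaning IKEv2-only on libreswan 4, unset authby= meaning rsasig, %defaultroute resolving to the given local address) are assumptions, not taken from the page.

```python
import re

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments/blank lines
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line.startswith("config "):
            current = None                        # ignore 'config setup'
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def authorizes_ikev1_psk(conn, local_ip, default_ikev2="yes"):
    """Could this conn match an IKEv1 Main Mode PSK packet arriving on local_ip?
    Assumptions: missing ikev2= means default_ikev2 (libreswan 4 defaults to
    IKEv2-only), missing authby= means rsasig, %defaultroute resolves to local_ip."""
    if conn.get("ikev2", default_ikev2) in ("yes", "insist"):
        return False                              # IKEv1 not permitted
    if "secret" not in conn.get("authby", "rsasig").split("+"):
        return False                              # no PSK policy -> the log's error
    return conn.get("left", "%defaultroute") in ("%defaultroute", "%any", local_ip)

def ikev1_psk_conns(text, local_ip):
    """Names of conns that would authorize the IKEv1 PSK initiator."""
    return [n for n, c in parse_conns(text).items() if authorizes_ikev1_psk(c, local_ip)]

# Constructed sample: the thread's ikev2-cp conn plus two hypothetical L2TP/IPsec
# conns, the first carrying the mistakes discussed (left=127.0.0.1, no authby=secret).
SAMPLE = """
conn ikev2-cp
    left=161.53.235.3
    leftrsasigkey=%cert
    ikev2=insist
conn l2tp-psk-broken
    left=127.0.0.1        # should be %defaultroute or the public address
    ikev2=no
conn l2tp-psk
    left=%defaultroute
    ikev2=no
    authby=secret
"""
```

Running ikev1_psk_conns(SAMPLE, "161.53.235.3") names only l2tp-psk; the other two conns would leave pluto with nothing to authorize the PSK+IKEV1_ALLOW proposal.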