[Swan] VPN server on Debian 10 using L2TP with IPSEC PSK not working

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Tue Nov 23 00:22:15 EET 2021

Dear Mr. Wouters,

I've tried my luck with IKEv2, and generated the required certs 
according to Wiki.

However, I've hit the bug described here: 

To alleviate that, I've installed libreswan-4.5.tar.gz and compiled it.

After the installation of 4.5, I've lost the connectivity of the IKEv1 
link, and the IKEv2 link didn't start to work either.

I have temporarily disabled IKEv2 conf to make IKEv1 run, but no go. The 
error from Windows 10 is here:

The pluto session log is here: 

2. My /etc/ipsec.d/ikev2.conf looks like:

conn ikev2-cp
     # The server's actual IP goes here - not elastic IPs
     # Clients
     # your addresspool to use - you might need NAT rules if providing full internet to clients
     # optional rightid with restrictions
     rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
     # connection configuration
     # DNS servers for clients to use
     # Versions up to 3.22 used modecfgdns1 and modecfgdns2
     # recommended dpd/liveness to cleanup vanished clients
     # ikev2 fragmentation support requires libreswan 3.14 or newer
     # optional PAM username verification (eg to implement bandwidth quota
     # pam-authorize=yes

The connection error is:

The session log is here: https://domac.alu.hr/mtodorov/ikev2-v4.5.log

Please bear with me for a little while longer, I feel we are close to it ...

I hope these messages are helpful. Thank you if you will look into them 
and find the problem.
Then I will proceed to the Android setup and keep you posted as you 

Kind regards,
Mirsad Todorovac

On 11/22/2021 9:28 PM, Paul Wouters wrote:
> On Nov 22, 2021, at 15:08, Mirsad Goran Todorovac <mirsad.todorovac at alu.hr> wrote:
>> Dear Mr. Wouters,
>> Your modification works! It was my error, I made a wrong change for left= in place of left=%defaultroute
> Awesome !
>> Now it works.
>> I have seen that IKEv2 works both in Windows 7 and on my Galaxy Android, so I will set up that too, now that you have encouraged me with this setting working!
> Let us know if it works with the galaxy android natively - I haven’t heard much feedback yet from the new android.
> Paul
>> Thank you very much for your time!
>> Kind regards,
>> Mirsad Todorovac
>>> On 11/22/2021 6:51 PM, Paul Wouters wrote:
>>>> On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:
>>>> I have made the suggested correction, and now the error message is different:
>>>> The new error log is available at https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log
>>>> What strikes at first is the line:
>>>> Nov 22 18:06:09.628375: packet from initial Main Mode message received on but no connection has been authorized with policy PSK+IKEV1_ALLOW
>>> Did you not configure PSK (authby=secret) on the server?
>>>> I will try IKEv2, but does it connect from both Windows 10 and Android just like this old setup?
>>> Old Androids need the strongswan app to use IKEv2. The latest android
>>> should have support for IKEv2 natively.
>>> Paul