[Swan] VPN server on Debian 10 using L2TP with IPSEC PSK not working

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Tue Nov 23 00:22:15 EET 2021


Dear Mr. Wouters,

I've tried my luck with IKEv2, and generated the required certs 
according to the Wiki.

However, I've hit the bug described here: 
https://lists.libreswan.org/pipermail/swan/2018/002901.html

To alleviate that, I've installed libreswan-4.5.tar.gz and compiled it.

After the installation of 4.5, I've lost the connectivity of the IKEv1 
link, and the IKEv2 link didn't start to work either.

I have temporarily disabled the IKEv2 conf to make IKEv1 run, but no go. The 
error from Windows 10 is here:

The pluto session log is here: 
https://domac.alu.hr/mtodorov/xl2tpd-ipsec-v4.5.log

2. My /etc/ipsec.d/ikev2.conf looks like:

conn ikev2-cp
     # The server's actual IP goes here - not elastic IPs
     left=161.53.235.3
     leftcert=vpn.alu.hr
     leftid=@vpn.alu.hr
     leftsendcert=always
     leftsubnet=0.0.0.0/0
     leftrsasigkey=%cert
     # Clients
     right=%any
     # your addresspool to use - you might need NAT rules if providing full internet to clients
     rightaddresspool=192.168.100.10-192.168.100.253
     # optional rightid with restrictions
     rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
     rightca=%same
     rightrsasigkey=%cert
     #
     # connection configuration
     # DNS servers for clients to use
     modecfgdns=8.8.8.8,192.168.100.1
     # Versions up to 3.22 used modecfgdns1 and modecfgdns2
     #modecfgdns1=8.8.8.8
     #modecfgdns2=193.110.157.123
     narrowing=yes
     # recommended dpd/liveness to cleanup vanished clients
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     auto=add
     ikev2=insist
     ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
     rekey=no
     # ikev2 fragmentation support requires libreswan 3.14 or newer
     fragmentation=yes
     # optional PAM username verification (eg to implement bandwidth quota)
     # pam-authorize=yes

The connection error is:

The session log is here: https://domac.alu.hr/mtodorov/ikev2-v4.5.log

Please bear with me for a little while longer, I feel we are close to it ...

I hope these messages are helpful. Thank you if you will look into them 
and find the problem.
Then I will proceed to the Android setup and keep you posted as you 
requested.

Kind regards,
Mirsad Todorovac
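As an added example (not from this thread and not libreswan's own code), a small Python checker for the three things that came up here: key lines that lost their indentation in the mail, IKE proposals that still offer modp1024 or SHA-1, and the absence of any authby=secret conn that an IKEv1 Main Mode client could match. It assumes libreswan's ikev2=yes default and runs over a constructed sample modelled on the conn above.

```python
import re
from typing import List

# Constructed sample modelled on the ikev2-cp conn above (wrapped lines kept); not the poster's file.
SAMPLE_CONF = """\
conn ikev2-cp
     left=161.53.235.3
     leftcert=vpn.alu.hr
leftid=@vpn.alu.hr
     right=%any
     rightrsasigkey=%cert
     ikev2=insist
ike=aes256-sha2_512;modp2048,aes256-sha1;modp1024
     auto=add
"""
WEAK = ("modp1024", "modp1536", "sha1", "3des", "md5")  # not worth offering a peer today


def lint_ipsec_conf(text: str) -> List[str]:
    """Parse conn sections of a libreswan ipsec.conf and report the issues from this thread."""
    findings, conns, name = [], {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()                  # strip comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            conns.setdefault(name, {})
            continue
        if name is None or "=" not in line:
            continue
        if not raw[:1].isspace():                               # mail-wrapped or mis-pasted line
            findings.append(f"{name}: key line not indented: {line.strip()}")
        key, val = (s.strip() for s in line.split("=", 1))
        conns[name][key] = val
    ikev1_psk = False
    for cname, kv in conns.items():
        # Assumption: ikev2=yes is the default, so only conns that opt out serve IKEv1.
        if kv.get("authby") == "secret" and kv.get("ikev2", "yes") in ("no", "never", "permit"):
            ikev1_psk = True
        for prop in filter(None, kv.get("ike", "").split(",")):
            bad = [w for w in WEAK if w in prop.lower()]
            if bad:
                findings.append(f"{cname}: weak IKE proposal {prop} ({', '.join(bad)})")
    if not ikev1_psk:
        findings.append("no conn offers IKEv1 PSK (authby=secret with ikev2=no): a Main Mode "
                        "client is refused with 'no connection has been authorized with "
                        "policy PSK+IKEV1_ALLOW'")
    return findings
```

Run it over the real /etc/ipsec.conf and /etc/ipsec.d/*.conf before restarting pluto; a clean result means nothing in this thread's list applies.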

On 11/22/2021 9:28 PM, Paul Wouters wrote:
> On Nov 22, 2021, at 15:08, Mirsad Goran Todorovac <mirsad.todorovac at alu.hr> wrote:
>> Dear Mr. Wouters,
>>
>> Your modification works! It was my error, I made a wrong change for left=127.0.0.1 in place of left=%defaultroute
> Awesome !
>
>> Now it works.
>> I have seen that IKEv2 works both in Windows 7 and on my Galaxy Android, so I will set up that too, now that you have encouraged me with this setting working!
> Let us know if it works with the galaxy android natively - I haven’t heard much feedback yet from the new android.
>
> Paul
>
>
>> Thank you very much for your time!
>>
>> Kind regards,
>> Mirsad Todorovac
>>
>>> On 11/22/2021 6:51 PM, Paul Wouters wrote:
>>>> On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:
>>>>
>>>> I have made the suggested correction, and now the error message is different:
>>>>
>>>> The new error log is available at https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log
>>>
>>>> What strikes at first is the line:
>>>>
>>>> Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial Main Mode message received on 161.53.235.3:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
>>> Did you not configure PSK (authby=secret) on the server ?
>>>
>>>
>>>> I will try IKEv2, but does it connect from both Windows 10 and Android just like this old setup?
>>> Old Androids need the strongswan app to use IKEv2. The latest android
>>> should have support for IKEv2 natively.
>>>
>>> Paul