[Swan] VPN server on Debian 10 using L2TP with IPSEC PSK not working

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Tue Nov 23 04:39:03 EET 2021


Dear Mr. Wouters,

I have found this *ipsec barf* command, so I am linking to the output file:
https://domac.alu.hr/mtodorov/xl2tpd-barf-v4.5.txt .

I am trying to first debug L2TP over IPSEC with PSK, so I have something to show, then we can move on to debugging IKEv2 if you're still interested.

I have found that I can't seem to have both defined at the same time, despite the include schematic allowing for it?

Thank you very much.

Kind regards,
Mirsad

On 11/22/2021 11:22 PM, Mirsad Goran Todorovac wrote:
>
> Dear Mr. Wouters,
>
> I've tried my luck with IKEv2, and generated the required certs 
> according to Wiki.
>
> However, I've hit the bug described here: 
> https://lists.libreswan.org/pipermail/swan/2018/002901.html
>
> To alleviate that, I've installed libreswan-4.5.tar.gz and compiled it.
>
> After the installation of 4.5, I've lost the connectivity of the IKEv1 
> link, and the IKEv2 link didn't start to work either.
>
> I have temporarily disabled the IKEv2 conf to make IKEv1 run, but no go. 
> The error from Windows 10 is here:
>
> The pluto session log is here: 
> https://domac.alu.hr/mtodorov/xl2tpd-ipsec-v4.5.log
>
> 2. My /etc/ipsec.d/ikev2.conf looks like:
>
> conn ikev2-cp
>     # The server's actual IP goes here - not elastic IPs
>     left=161.53.235.3
>     leftcert=vpn.alu.hr
>     leftid=@vpn.alu.hr
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     leftrsasigkey=%cert
>     # Clients
>     right=%any
>     # your addresspool to use - you might need NAT rules if providing full internet to clients
>     rightaddresspool=192.168.100.10-192.168.100.253
>     # optional rightid with restrictions
>     rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
>     rightca=%same
>     rightrsasigkey=%cert
>     #
>     # connection configuration
>     # DNS servers for clients to use
>     modecfgdns=8.8.8.8,192.168.100.1
>     # Versions up to 3.22 used modecfgdns1 and modecfgdns2
>     #modecfgdns1=8.8.8.8
>     #modecfgdns2=193.110.157.123
>     narrowing=yes
>     # recommended dpd/liveness to cleanup vanished clients
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>     auto=add
>     ikev2=insist
>     ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
>     rekey=no
>     # ikev2 fragmentation support requires libreswan 3.14 or newer
>     fragmentation=yes
>     # optional PAM username verification (eg to implement bandwidth quota)
>     # pam-authorize=yes
>
> The connection error is:
>
> The session log is here: https://domac.alu.hr/mtodorov/ikev2-v4.5.log
>
> Please bear with me for a little while longer, I feel we are close to 
> it ...
>
> I hope these messages are helpful. Thank you if you will look into 
> them and find the problem.
> Then I will proceed to the Android setup and keep you posted as you 
> requested.
>
> Kind regards,
> Mirsad Todorovac
>
> On 11/22/2021 9:28 PM, Paul Wouters wrote:
>> On Nov 22, 2021, at 15:08, Mirsad Goran Todorovac <mirsad.todorovac at alu.hr> wrote:
>>> Dear Mr. Wouters,
>>>
>>> Your modification works! It was my error, I made a wrong change for left=127.0.0.1 in place of left=%defaultroute
>> Awesome !
>>
>>> Now it works.
>>> I have seen that IKEv2 works both in Windows 7 and on my Galaxy Android, so I will set up that too, now that you have encouraged me with this setting working!
>> Let us know if it works with the galaxy android natively - I haven’t heard much feedback yet from the new android.
>>
>> Paul
>>
>>
>>> Thank you very much for your time!
>>>
>>> Kind regards,
>>> Mirsad Todorovac
>>>
>>>> On 11/22/2021 6:51 PM, Paul Wouters wrote:
>>>>> On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:
>>>>>
>>>>> I have made the suggested correction, and now the error message is different:
>>>>>
>>>>> The new error log is available at https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log
>>>>> What strikes at first is the line:
>>>>>
>>>>> Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial Main Mode message received on 161.53.235.3:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
>>>> Did you not configure PSK (authby=secret) on the server ?
>>>>
>>>>
>>>>> I will try IKEv2, but does it connect from both Windows 10 and Android just like this old setup?
>>>> Old Androids need the strongswan app to use IKEv2. The latest android
>>>> should have support for IKEv2 natively.
>>>>
>>>> Paul
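The log line quoted earlier in this thread ("initial Main Mode message received ... but no connection has been authorized with policy PSK+IKEV1_ALLOW") and Paul's follow-up question about authby=secret both come down to the same thing: pluto only accepts an IKEv1 Main Mode exchange if some loaded conn allows IKEv1 and PSK authentication. The script below is an added example for this thread, not libreswan's own code: it parses libreswan-style conn sections, derives a simplified policy per conn, and reports which conns would authorize such an exchange. The keyword-to-flag mapping is an assumption that follows the documented meaning of authby=, ikev2=, leftcert= and leftrsasigkey=%cert under libreswan 4.x (a conn is either IKEv1 or IKEv2, authby defaults to rsasig); it is not a reimplementation of pluto's matching logic. The sample configuration and the conn names in it are constructed for the example.

```python
"""Static check of libreswan-style ipsec.conf conn sections (added example)."""
import re

# Constructed sample: an IKEv2 certificate conn plus an L2TP/IKEv1 conn that
# forgot authby=secret, which is the omission Paul asked about in the thread.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn ikev2-cp
    left=%defaultroute
    leftcert=vpn.example.test
    leftid=@vpn.example.test
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    ikev2=insist
    auto=add

conn l2tp-psk
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    type=transport
    ikev2=no
    auto=add
"""

# Same file with the missing authby=secret added to the L2TP conn.
FIXED_CONF = SAMPLE_CONF.replace(
    "    type=transport\n", "    type=transport\n    authby=secret\n"
)


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    A line starting in column 0 opens a new section; indented key=value lines
    belong to the current one. '#' comments and blank lines are ignored.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            m = re.match(r"conn\s+(\S+)$", line.strip())
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def policy_flags(conn):
    """Simplified policy set for one conn: auth method plus IKE version.

    Assumptions (libreswan 4.x semantics): authby defaults to rsasig, so a
    conn without authby=secret is a certificate/RSA conn; ikev2=no or
    ikev2=never makes the conn IKEv1, anything else (yes/insist) IKEv2.
    """
    flags = set()
    authby = conn.get("authby", "rsasig")
    flags.add("PSK" if "secret" in authby else "RSASIG")
    flags.add("IKEV1_ALLOW" if conn.get("ikev2", "yes") in ("no", "never")
              else "IKEV2_ALLOW")
    return flags


def conns_authorizing(conns, required):
    """Names of conns whose policy contains every flag in `required`."""
    return [name for name, c in conns.items() if required <= policy_flags(c)]


def diagnose(text):
    """Explain whether an IKEv1 Main Mode PSK peer could be authorized."""
    matches = conns_authorizing(parse_conns(text), {"PSK", "IKEV1_ALLOW"})
    if not matches:
        return ("no conn authorizes policy PSK+IKEV1_ALLOW: add authby=secret "
                "to the IKEv1 (L2TP) conn and a matching entry in ipsec.secrets")
    return "IKEv1 PSK peers can match: " + ", ".join(matches)


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF))
    print(diagnose(FIXED_CONF))
```

Running it against the sample prints the diagnosis for the broken file first and the fixed one second; against a real ipsec.conf, feed the file contents to diagnose() and remember that an include= directive still has to be expanded by hand, since the parser does not follow it.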

