[Swan] VPN server on Debian 10 using L2TP with IPSEC PSK not working
Mirsad Goran Todorovac
mirsad.todorovac at alu.hr
Tue Nov 23 04:39:03 EET 2021
Dear Mr. Wouters,
I have found this *ipsec barf* command, so I am linking to the output file:
https://domac.alu.hr/mtodorov/xl2tpd-barf-v4.5.txt .
I am trying to first debug L2TP over IPSEC with PSK, so I have something
to show, then we can move on to
debugging IKEv2 if you're still interested.
I have found that I can't seem to have both at the same time defined,
despite include schematic allowing for it?
Thank you very much.
Kind regards,
Mirsad
On 11/22/2021 11:22 PM, Mirsad Goran Todorovac wrote:
>
> Dear Mr. Wouters,
>
> I've tried my luck with IKEv2, and generated the required certs
> according to Wiki.
>
> However, I've hit the bug described here:
> https://lists.libreswan.org/pipermail/swan/2018/002901.html
>
> To alleviate that, I've installed libreswan-4.5.tar.gz and compiled it.
>
> After the installation of 4.5, I've lost the connectivity of the IKEv1
> link, and the IKEv2 link didn't start to work either.
>
> I have temporarily disabled IKEv2 conf to make IKEv1 run, but no go.
> The error from Windows 10 is here:
>
> The pluto session log is here:
> https://domac.alu.hr/mtodorov/xl2tpd-ipsec-v4.5.log
>
> 2. My /etc/ipsec.d/ikev2.conf looks like:
>
> conn ikev2-cp
> # The server's actual IP goes here - not elastic IPs
> left=161.53.235.3
> leftcert=vpn.alu.hr
> leftid=@vpn.alu.hr
> leftsendcert=always
> leftsubnet=0.0.0.0/0
> leftrsasigkey=%cert
> # Clients
> right=%any
> # your addresspool to use - you might need NAT rules if providing full internet to clients
> rightaddresspool=192.168.100.10-192.168.100.253
> # optional rightid with restrictions
> rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
> rightca=%same
> rightrsasigkey=%cert
> #
> # connection configuration
> # DNS servers for clients to use
> modecfgdns=8.8.8.8,192.168.100.1
> # Versions up to 3.22 used modecfgdns1 and modecfgdns2
> #modecfgdns1=8.8.8.8
> #modecfgdns2=193.110.157.123
> narrowing=yes
> # recommended dpd/liveness to cleanup vanished clients
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> auto=add
> ikev2=insist
> ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
> rekey=no
> # ikev2 fragmentation support requires libreswan 3.14 or newer
> fragmentation=yes
> # optional PAM username verification (eg to implement bandwidth quota)
> # pam-authorize=yes
>
> The connection error is:
>
> The session log is here: https://domac.alu.hr/mtodorov/ikev2-v4.5.log
>
> Please bear with me for a little while longer, I feel we are close to
> it ...
>
> I hope these messages are helpful. Thank you if you will look into
> them and find the problem.
> Then I will proceed to the Android setup and keep you posted as you
> requested.
>
> Kind regards,
> Mirsad Todorovac
>
> On 11/22/2021 9:28 PM, Paul Wouters wrote:
>> On Nov 22, 2021, at 15:08, Mirsad Goran Todorovac <mirsad.todorovac at alu.hr> wrote:
>>> Dear Mr. Wouters,
>>>
>>> Your modification works! It was my error, I made a wrong change for left=127.0.0.1 in place of left=%defaultroute
>> Awesome !
>>
>>> Now it works.
>>> I have seen that IKEv2 works both in Windows 7 and on my Galaxy Android, so I will set up that too, now that you have encouraged me with this setting working!
>> Let us know if it works with the galaxy android natively - I haven’t heard much feedback yet from the new android.
>>
>> Paul
>>
>>
>>> Thank you very much for your time!
>>>
>>> Kind regards,
>>> Mirsad Todorovac
>>>
>>>> On 11/22/2021 6:51 PM, Paul Wouters wrote:
>>>>> On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:
>>>>>
>>>>> I have made the suggested correction, and now the error message is different:
>>>>>
>>>>> The new error log is available at https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log
>>>>> What strikes at first is the line:
>>>>>
>>>>> Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial Main Mode message received on 161.53.235.3:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
>>>> Did you not configure PSK (authby=secret) on the server?
>>>>
>>>>
>>>>> I will try IKEv2, but does it connect from both Windows 10 and Android just like this old setup?
>>>> Old Androids need the strongswan app to use IKEv2. The latest android
>>>> should have support for IKEv2 natively.
>>>>
>>>> Paul
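The question at the top of the thread, whether an IKEv1 L2TP/PSK conn and the IKEv2 certificate conn can both be defined at once, is a configuration matter, so here is an added example of the second conn file (not from the thread and not libreswan's own sample): the PSK conn that the "no connection has been authorized with policy PSK+IKEV1_ALLOW" log line says is missing, written so that it coexists with the quoted ikev2-cp conn. The file name, the conn name l2tp-psk and the comment about the include line are assumptions; the proposal list is copied from the quoted ikev2.conf.

```ini
# /etc/ipsec.d/l2tp-psk.conf  (assumed name; ipsec.conf must carry
# "include /etc/ipsec.d/*.conf" for both conn files to be loaded)
conn l2tp-psk
    # IKEv1 only: Windows 10 and Android L2TP/IPsec clients speak IKEv1.
    # ikev2=insist on ikev2-cp keeps that conn out of IKEv1 matching,
    # ikev2=never here keeps this conn out of IKEv2 matching, so both
    # can have right=%any without shadowing each other.
    ikev2=never
    # PSK authentication: without authby=secret pluto has no conn with
    # policy PSK+IKEV1_ALLOW and logs the line quoted in the thread.
    authby=secret
    # L2TP runs in UDP 1701 inside transport-mode ESP; the tunnel
    # addressing is done by xl2tpd, not by IPsec, so no subnets here.
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # Windows L2TP clients do not negotiate PFS in Quick Mode.
    pfs=no
    rekey=no
    # Same proposals the quoted ikev2-cp conn already accepts;
    # the modp1024 entries are the ones legacy L2TP clients offer.
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
    # Same liveness settings as ikev2-cp, to clear vanished clients.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
```

The matching entry in /etc/ipsec.secrets has the form `%any %any : PSK "..."` with a long random value; after adding either file, `ipsec auto --status` should list both l2tp-psk and ikev2-cp.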