[Swan] Lost IKEv1 connectivity after libreswan upgrade

Mirsad Goran Todorovac mirsad.todorovac at alu.hr
Wed Nov 24 15:42:17 EET 2021


Dear Mr. Wouters,

I have upgraded libreswan to pick up the bug fixes from an earlier email I sent.
Now I've lost even the basic IKEv1 L2TP over IPsec PSK connectivity.
This is very embarrassing, as I've spent four days and I have nothing to show to my superiors.

Please help if you can.

It seems that the PSK is accepted and verified, the IPsec session is established
and the transport connection brought up,
but I can't seem to tell from the pluto session log what went wrong.

Here is my "/etc/ipsec.d/l2tp-psk.conf":

# conn L2TP-PSK-NAT
#         rightsubnet=vhost:%priv
#         also=L2TP-PSK-common

conn L2TP-PSK-noNAT
        rightsubnet=vhost:%no
        also=L2TP-PSK-common

conn L2TP-PSK-common
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=30
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        ikev2=never
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        # left will be filled in automatically with the local address
        # of the default-route interface (as determined at IPsec startup time).
        left=%defaultroute
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any

The error reported is:

The pluto session log is: 
https://domac.alu.hr/mtodorov/l2tp-ipsec-psk-noNAT3-20211124.log

Once again, thank you for the previous advice; the VPN connection started working.
Then I tried to enable IKEv2 with certificates, and upgraded to
libreswan-4.5 to get the bug fix.
Now I am trying the latest 3.x version, 3.32, but no luck.

Thank you very much for all your help.
I am reading the ipsec.conf(5) manual, but it will take some time before
my learning curve adapts. :-(

Kind regards,
Mirsad Todorovac

-- 
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
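An added example, not part of the message above and not libreswan's own code: it parses conn sections in the ipsec.conf(5) style of the posted l2tp-psk.conf, expands every also= include, and reports which conns pluto would load and whether any loaded conn uses rightsubnet=vhost:%priv (the form the sample file reserves for clients behind NAT; in the posted file that conn is commented out). The config text is a constructed copy of the posted file. It assumes that a section's own settings take precedence over settings pulled in via also=, treats '#' to end of line as a comment, and lets a later duplicate key override an earlier one; libreswan's real parser may differ on those points.

```python
"""Resolve effective libreswan conn sections by expanding also= includes.

Added example, not libreswan code.  Assumptions: a section's own settings
win over also= contents; '#' to end of line is a comment; a later
duplicate key overrides an earlier one.
"""
import re

# Constructed copy of the posted config: the NAT conn is commented out
# exactly as in the message, so only the noNAT conn and the common
# section are live.
POSTED_CONFIG = """\
# conn L2TP-PSK-NAT
#         rightsubnet=vhost:%priv
#         also=L2TP-PSK-common

conn L2TP-PSK-noNAT
        rightsubnet=vhost:%no
        also=L2TP-PSK-common

conn L2TP-PSK-common
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        dpddelay=10
        dpdtimeout=30
        dpdaction=clear
        ikelifetime=8h
        keylife=1h
        ikev2=never
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
"""

# The same NAT conn with its comment markers removed (constructed), so the
# effect of enabling it can be compared against the file as posted.
NAT_CONN = """\
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-common
"""

HEADER_RE = re.compile(r"^conn\s+(\S+)$")


def parse_conns(text):
    """Return {conn_name: settings} for every 'conn NAME' section.

    settings maps key -> value, except 'also', which maps to the ordered
    list of included section names.  Non-conn headers (e.g. 'config setup')
    are parsed but discarded.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                # column one: section header
            m = HEADER_RE.match(line.strip())
            current = conns.setdefault(m.group(1), {}) if m else {}
            continue
        if current is None:
            raise ValueError(f"setting before any section header: {line.strip()}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed setting: {line.strip()}")
        key, value = key.strip(), value.strip()
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return conns


def resolve(conns, name, _chain=()):
    """Effective settings of conn `name` with every also= expanded.

    Own keys win; included sections only fill in what is still unset.
    An also= cycle (A includes B includes A) raises ValueError.
    """
    if name in _chain:
        raise ValueError("also= cycle: " + " -> ".join(_chain + (name,)))
    if name not in conns:
        raise KeyError(f"also={name} refers to a conn that does not exist")
    section = conns[name]
    effective = {k: v for k, v in section.items() if k != "also"}
    for included in section.get("also", []):
        for k, v in resolve(conns, included, _chain + (name,)).items():
            effective.setdefault(k, v)
    return effective


def loaded_conns(conns):
    """Conns pluto would load at startup: effective auto= is not 'ignore'."""
    return sorted(n for n in conns
                  if resolve(conns, n).get("auto", "ignore") != "ignore")


def accepts_nat_clients(conns):
    """True if some loaded conn has rightsubnet=vhost:%priv, the sample
    config's form for road-warrior clients behind NAT."""
    return any(resolve(conns, n).get("rightsubnet") == "vhost:%priv"
               for n in loaded_conns(conns))


if __name__ == "__main__":
    for label, text in (("as posted", POSTED_CONFIG),
                        ("NAT conn enabled", NAT_CONN + POSTED_CONFIG)):
        conns = parse_conns(text)
        print(f"[{label}] loaded: {loaded_conns(conns)}; "
              f"NAT clients accepted: {accepts_nat_clients(conns)}")
        for key, val in sorted(resolve(conns, "L2TP-PSK-noNAT").items()):
            print(f"    {key}={val}")
```

Run as-is it prints the fully expanded L2TP-PSK-noNAT conn twice, once for the file as posted (no conn accepts vhost:%priv) and once with the NAT conn enabled; to inspect a real file, pass the contents of /etc/ipsec.d/l2tp-psk.conf to parse_conns() instead of the constructed text. Note that L2TP-PSK-common itself carries auto=add and so counts as loaded, exactly as the posted file would have pluto treat it.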