[Swan] Windows 10 client to libreswan VPN server: CHILD SA: no local proposal matches remote proposals

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Sun Jan 9 20:17:11 EET 2022


Hello Paul,

On 1/6/2022 4:02 PM, Paul Wouters wrote:
> On Wed, 5 Jan 2022, Mirsad Goran Todorovac wrote:
>
>> If I am allowed, I could also assert that I have been positively 
>> surprised by the positive change in speed with IKEv2 VPN: while IKEv1 
>> L2TP over IPsec scored about 50 Mbps download on our server, IKEv2 
>> showed 138 Mbps in the Ookla speedtest benchmark :), over the 
>> Faculty's 1 Gbps link and my 150 Mbps home connection.
>
> That's because most likely your l2tp layer went through userland xl2tpd.
> It can be configured to use kernel l2tp.ko but that usually has issues.

I have tried to deploy kernel mode L2TP, but I failed. What I get from 
xl2tpd is:

Jan  9 19:02:47 domac systemd[1]: xl2tpd.service: Succeeded.
Jan  9 19:02:47 domac xl2tpd[22946]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Jan  9 19:02:47 domac xl2tpd[22946]: Not looking for kernel SAref support.
Jan  9 19:02:47 domac xl2tpd[22943]: Starting xl2tpd: xl2tpd.
Jan  9 19:02:47 domac xl2tpd[22946]: Not looking for kernel support.
Jan  9 19:02:47 domac xl2tpd[22947]: xl2tpd version xl2tpd-1.3.12 started on domac PID:22947
Jan  9 19:02:47 domac xl2tpd[22947]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jan  9 19:02:47 domac xl2tpd[22947]: Forked by Scott Balmos and David Stipp, (C) 2001
Jan  9 19:02:47 domac xl2tpd[22947]: Inherited by Jeff McAdams, (C) 2002
Jan  9 19:02:47 domac xl2tpd[22947]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jan  9 19:02:47 domac xl2tpd[22947]: Listening on IP address 161.53.235.3, port 1701

I have turned off ipsec saref, but I still can't get xl2tpd to use 
kernel support.

I think I could write a paper on this comparison if I manage to get both 
protocols, IKEv1 and IKEv2, running under the same conditions?

It would be for our local conference, and it would serve mostly for 
popularizing IKEv2, as many people only know of L2TP or even only of 
OpenVPN ... I would compare the security and performance of the protocols on 
our VPN server, and the 1 Gbps link shouldn't be a bottleneck.

Thank you very much for all help, again.

Kind regards,
Mirsad Todorovac

--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
-- 
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
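The startup messages quoted in the message above are the daemon's own statement of which L2TP data path it chose, so they are the first thing to check when kernel mode does not engage. The following is an added example, not code from the post or from the xl2tpd or libreswan projects: it classifies an xl2tpd startup log as kernel or userspace mode, reads the two `[global]` settings that decide that mode (`ipsec saref` and `force userspace`, the key names documented for xl2tpd.conf) from a config file, and reports when the daemon's own log contradicts the file it was supposedly started with. The messages "Using l2tp kernel support" and "L2TP kernel support not detected" are assumed to be what xl2tpd prints after probing the kernel; the sample log is the daemon output from the post, and the sample config is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the post or from the xl2tpd/libreswan projects.
# Two checks for the situation in the post (xl2tpd will not enter kernel-mode L2TP):
#   1. classify xl2tpd's own startup messages as kernel or userspace mode;
#   2. read the settings that decide that mode from the [global] section of
#      xl2tpd.conf and compare them with what the daemon reported.
# Assumed: key names "ipsec saref" and "force userspace" as documented for
# xl2tpd.conf; "Using l2tp kernel support" and "L2TP kernel support not detected"
# are assumed to be the messages xl2tpd prints after probing the kernel.

# Classify a startup log. Prints one of: userspace | kernel | no-kernel-support | unknown
xl2tpd_mode_from_log() {
    if grep -Eq 'enabling force userspace=yes|Not looking for kernel support' "$1"; then
        echo userspace          # daemon never probed the kernel at all
    elif grep -q 'Using l2tp kernel support' "$1"; then
        echo kernel
    elif grep -q 'L2TP kernel support not detected' "$1"; then
        echo no-kernel-support  # probed, but l2tp_ppp/pppol2tp were not usable
    else
        echo unknown
    fi
}

# Effective value of KEY in the [global] section (last assignment wins), or "unset".
# Comment lines (; or #) are ignored, so a commented-out key counts as unset.
# Usage: xl2tpd_global_setting KEY FILE
xl2tpd_global_setting() {
    awk -v key="$1" '
        /^[ \t]*\[/             { insec = ($0 ~ /^[ \t]*\[global\]/); next }
        !insec || /^[ \t]*[;#]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { print (found ? val : "unset") }
    ' "$2"
}

# Explain why the daemon is (or is not) in kernel mode, given its log and the
# config file you believe it loaded. Usage: explain_l2tp_mode LOGFILE CONFFILE
explain_l2tp_mode() {
    mode=$(xl2tpd_mode_from_log "$1")
    saref=$(xl2tpd_global_setting "ipsec saref" "$2")
    force=$(xl2tpd_global_setting "force userspace" "$2")
    case "$mode" in
        kernel) echo "kernel mode active" ;;
        no-kernel-support)
            echo "userspace: kernel probe failed; load l2tp_ppp and pppol2tp and restart xl2tpd" ;;
        userspace)
            if grep -q 'IPsec SAref does not work' "$1"; then
                if [ "$saref" = yes ]; then
                    echo "userspace: ipsec saref=yes forces userspace L2TP; set 'ipsec saref = no' in [global]"
                else
                    echo "userspace: daemon saw ipsec saref enabled, which does not match ipsec saref=$saref in $2; check which config file the running daemon loads and restart it"
                fi
            elif [ "$force" = yes ]; then
                echo "userspace: force userspace=yes in [global]"
            else
                echo "userspace: cause not visible in log or config"
            fi ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample input: the daemon lines from the post, plus a config file
# in which ipsec saref has already been switched off. Prints the directory.
make_sample_inputs() {
    dir=$(mktemp -d)
    cat > "$dir/xl2tpd.log" <<'EOF'
Jan  9 19:02:47 domac xl2tpd[22946]: IPsec SAref does not work with L2TP kernel mode yet, enabling force userspace=yes
Jan  9 19:02:47 domac xl2tpd[22946]: Not looking for kernel SAref support.
Jan  9 19:02:47 domac xl2tpd[22946]: Not looking for kernel support.
Jan  9 19:02:47 domac xl2tpd[22947]: Listening on IP address 161.53.235.3, port 1701
EOF
    cat > "$dir/xl2tpd.conf" <<'EOF'
[global]
ipsec saref = no
; force userspace = yes
port = 1701

[lns default]
ip range = 10.1.2.2-10.1.2.254
EOF
    echo "$dir"
}

d=$(make_sample_inputs)
explain_l2tp_mode "$d/xl2tpd.log" "$d/xl2tpd.conf"
rm -rf "$d"
```

On a live host, point `explain_l2tp_mode` at `journalctl -u xl2tpd -b` output saved to a file and at the config path named in the service's `ExecStart` line; a mismatch between the daemon's SAref message and the file is the quickest sign that the edited file is not the one the running daemon read.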