<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear Mr. Wouters,</p>
<p>I've tried my luck with IKEv2, and generated the required certs
according to the wiki.</p>
<p>However, I've hit the bug described here:
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/pipermail/swan/2018/002901.html">https://lists.libreswan.org/pipermail/swan/2018/002901.html</a></p>
<p>To alleviate that, I've installed libreswan-4.5.tar.gz and
compiled it.</p>
<p>After the installation of 4.5, I've lost the connectivity of the
IKEv1 link, and the IKEv2 link didn't start to work either.</p>
<p>I have temporarily disabled the IKEv2 conf to make IKEv1 run, but no
go. The error from Windows 10 is here:</p>
<p><img src="cid:part1.O0Vwxaux.70bFqPSt@alu.hr" alt="" width="257"
height="150"></p>
<p>The pluto session log is here:
<a class="moz-txt-link-freetext" href="https://domac.alu.hr/mtodorov/xl2tpd-ipsec-v4.5.log">https://domac.alu.hr/mtodorov/xl2tpd-ipsec-v4.5.log</a></p>
<p>2. My /etc/ipsec.d/ikev2.conf looks like:</p>
<pre>conn ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=161.53.235.3
    leftcert=vpn.alu.hr
    leftid=@vpn.alu.hr
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.100.10-192.168.100.253
    # optional rightid with restrictions
    rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=8.8.8.8,192.168.100.1
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota)
    # pam-authorize=yes
</pre>
<p>The connection error is:</p>
<p><img src="cid:part2.6fpRhmeB.rpXJPiWJ@alu.hr" alt="" width="366"
height="154"></p>
<p>The session log is here:
<a class="moz-txt-link-freetext" href="https://domac.alu.hr/mtodorov/ikev2-v4.5.log">https://domac.alu.hr/mtodorov/ikev2-v4.5.log</a></p>
<p>Please bear with me for a little while longer, I feel we are
close to it ...</p>
<p>I hope these messages are helpful. Thank you if you will look
into them and find the problem.<br>
Then I will proceed to the Android setup and keep you posted as
you requested.</p>
<p>Kind regards,<br>
Mirsad Todorovac<br>
</p>
<div class="moz-cite-prefix">On 11/22/2021 9:28 PM, Paul Wouters
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:B73C575B-93B9-4E24-A1BB-F213E64EE726@nohats.ca">
<pre class="moz-quote-pre" wrap="">On Nov 22, 2021, at 15:08, Mirsad Goran Todorovac <a class="moz-txt-link-rfc2396E" href="mailto:mirsad.todorovac@alu.hr"><mirsad.todorovac@alu.hr></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
Dear Mr. Wouters,
Your modification works! It was my error, I made a wrong change for left=127.0.0.1 in place of left=%defaultroute
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Awesome !
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Now it works.
I have seen that IKEv2 works both in Windows 7 and on my Galaxy Android, so I will set up that too, now that you have encouraged me with this setting working!
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Let us know if it works with the galaxy android natively - I haven’t heard much feedback yet from the new android.
Paul
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">
Thank you very much for your time!
Kind regards,
Mirsad Todorovac
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On 11/22/2021 6:51 PM, Paul Wouters wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:
I have made the suggested correction, and now the error message is different:
The new error log is available at <a class="moz-txt-link-freetext" href="https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log">https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">What strikes at first is the line:
Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial Main Mode message received on 161.53.235.3:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Did you not configure PSK (authby=secret) on the server ?
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">I will try IKEv2, but does it connect from both Windows 10 and Android just like this old setup?
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Old Android's need the strongswan app to use IKEv2. The latest android
should have support for IKEv2 natively.
Paul
</pre>
</blockquote>
</blockquote>
</blockquote>
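<p>Added example (not code from the thread, from libreswan, or from either correspondent): a small lint for the two problems discussed above. It parses ipsec.conf-style <code>conn</code> stanzas, flags <code>ike=</code> proposals that still carry modp1024 or sha1 (as the posted ikev2-cp conn does), checks that <code>leftrsasigkey=%cert</code> is paired with a <code>leftcert=</code>, and maps the quoted pluto line "no connection has been authorized with policy PSK+IKEV1_ALLOW" to the loaded conns whose <code>authby</code>/<code>ikev2</code> settings could have matched it. The ikev2-cp stanza is trimmed from the posted config; the <code>l2tp-psk</code> conn, the <code>DEFAULT_AUTHBY</code>/<code>DEFAULT_IKEV2</code> fallbacks and all function names are assumptions for illustration.</p>

```python
"""Added example (not from the thread or libreswan itself): lint ipsec.conf conn
stanzas and explain a pluto 'no connection has been authorized' log line."""
import re

# Constructed sample: the ikev2-cp conn from the thread, trimmed to the keywords
# the checks use, plus a hypothetical L2TP/IPsec pre-shared-key conn, l2tp-psk.
SAMPLE_CONF = """\
conn ikev2-cp
    left=161.53.235.3
    leftcert=vpn.alu.hr
    leftid=@vpn.alu.hr
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    ikev2=insist
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
    auto=add

conn l2tp-psk
    left=161.53.235.3
    right=%any
    authby=secret
    ikev2=no
    type=transport
    auto=add
"""

# Log line quoted in the thread (the IKEv1 failure seen before the 4.5 upgrade).
PLUTO_LINE = ("Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial Main Mode "
              "message received on 161.53.235.3:500 but no connection has been "
              "authorized with policy PSK+IKEV1_ALLOW")

# Assumed fallbacks when a conn omits the keyword (an assumption of this example,
# not a statement about libreswan's documented defaults; set both explicitly).
DEFAULT_AUTHBY = "rsasig"
DEFAULT_IKEV2 = "insist"

WEAK_DH = {"modp768", "modp1024", "modp1536"}
WEAK_INTEG = {"md5", "sha1"}

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
POLICY_RE = re.compile(r"no connection has been authorized with policy (\S+)")


def parse_conns(text):
    """Parse 'conn NAME' stanzas into {name: {keyword: value}}.
    Comments and blank lines are dropped; a '#' inside a quoted value is not handled."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = CONN_RE.match(line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return conns


def weak_ike_proposals(conn):
    """Return the ike= proposals using a weak DH group or integrity/PRF hash.
    Proposal syntax as in the posted conn: ENCR-INTEG;DH, comma separated."""
    weak = []
    for prop in filter(None, (p.strip() for p in conn.get("ike", "").split(","))):
        encr_integ, _, dh = prop.partition(";")
        integ = encr_integ.split("-", 1)[1] if "-" in encr_integ else ""
        if dh in WEAK_DH or integ in WEAK_INTEG:
            weak.append(prop)
    return weak


def cert_config_problems(conn):
    """Consistency check for certificate auth on the left (server) side."""
    problems = []
    if conn.get("leftrsasigkey") == "%cert" and "leftcert" not in conn:
        problems.append("leftrsasigkey=%cert without leftcert= naming the NSS certificate")
    return problems


def candidates_for_policy(conns, log_line):
    """For a pluto 'no connection has been authorized with policy ...' line, return
    the loaded conns whose auth method and IKE version could satisfy the policy.
    None means the line is not such a message; [] means no loaded conn fits, i.e.
    the server has no conn for that auth/version, which is what the thread's log shows."""
    m = POLICY_RE.search(log_line)
    if not m:
        return None
    flags = set(m.group(1).split("+"))
    names = []
    for name, conn in conns.items():
        authby = conn.get("authby", DEFAULT_AUTHBY)
        ikev2 = conn.get("ikev2", DEFAULT_IKEV2)
        if "PSK" in flags and authby != "secret":
            continue  # peer offered a pre-shared key; this conn uses certs/raw keys
        if "IKEV1_ALLOW" in flags and ikev2 == "insist":
            continue  # peer spoke IKEv1 Main Mode; this conn insists on IKEv2
        names.append(name)
    return names


def lint(text, log_lines=()):
    """Run every check and return a report dict; the caller decides what is fatal."""
    conns = parse_conns(text)
    report = {"weak_ike": {n: weak_ike_proposals(c) for n, c in conns.items()},
              "cert_problems": {n: cert_config_problems(c) for n, c in conns.items()},
              "log_candidates": {}}
    for line in log_lines:
        cands = candidates_for_policy(conns, line)
        if cands is not None:
            report["log_candidates"][line] = cands
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(lint(SAMPLE_CONF, [PLUTO_LINE]), indent=2))
```

<p>Run against the posted conn alone, the last check returns an empty list for the quoted line: the only loaded conn uses certificates and insists on IKEv2, so a Windows L2TP/IPsec client doing IKEv1 Main Mode with a pre-shared key has nothing to match, which is the same point as the "authby=secret" question in the reply. On the real server, <code>ipsec status</code> lists which conns pluto actually loaded, so the lint is a pre-check on the file, not a substitute for that.</p>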
</body>
</html>