<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear Sir,</p>
<p>I have made the suggested correction, and now the error message
is different:</p>
<p>The new error log is available at
<a class="moz-txt-link-freetext" href="https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log">https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log</a></p>
<p>What strikes at first is the line:</p>
<p>Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial
Main Mode message received on 161.53.235.3:500 but no connection
has been authorized with policy PSK+IKEV1_ALLOW<br>
</p>
<p>I will try IKEv2, but does it connect from both Windows 10 and
Android just like this old setup?</p>
<p>Kind regards,<br>
Mirsad Todorovac<br>
</p>
<div class="moz-cite-prefix">On 11/22/2021 5:51 PM, Paul Wouters
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ac981750-1d11-2b5a-5daf-2192be5da69@nohats.ca">On Mon,
22 Nov 2021, Mirsad Goran Todorovac wrote:
<br>
<br>
<blockquote type="cite">I am having a problem setting up VPN on
Debian server 10 for our Microsoft and Android clients to
connect. Our current configuration is L2TP over IPSEC with PSK,
as it is also supported on our UniFi UDM-Pro device.
<br>
<br>
I have explained the problem here, but I've received no reply
yet:
<br>
<br>
<a class="moz-txt-link-freetext" href="https://superuser.com/questions/1688888/vpn-server-on-debian-10-using-l2tp-with-ipsec-psk-not-working">https://superuser.com/questions/1688888/vpn-server-on-debian-10-using-l2tp-with-ipsec-psk-not-working</a>
<br>
<br>
Please help me with this configuration, as it would be very good
if it worked for the "road warriors" now in these COVID
situations and work from home.
<br>
<br>
UniFi UDM configuration worked "out of the box" from the GUI
interface, but I am perplexed by the number of various
configuration options of libreswan, ipsec and xl2tpd. I've used
an example from Github, but it didn't work well with my server
(it stopped postfix local delivery altogether).
<br>
</blockquote>
<br>
You should _really_ try and use IKEv2 instead of
IKEv1/L2TP/IPsec/Transport Mode
<br>
<br>
<br>
Your logs show:
<br>
<br>
Nov 22 15:31:34.094161: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: the
peer proposed: 161.53.235.3/32:17/1701 ->
193.198.186.218/32:17/0
<br>
Nov 22 15:31:34.094229: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: peer
proposal was rejected in a virtual connection policy: a private
network virtual IP was required, but the proposed IP did not match
our list (virtual-private=), or our list excludes their IP (e.g.
%v4!...) since it is in use elsewhere
<br>
Nov 22 15:31:34.095692: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:
responding to Quick Mode proposal {msgid:01000000}
<br>
Nov 22 15:31:34.095702: "L2TP-PSK-noNAT"[2] 193.198.186.218
#4: us: 161.53.235.3:17/1701
<br>
Nov 22 15:31:34.095710: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:
them: 193.198.186.218:17/1701
<br>
Nov 22 15:31:34.096736: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
QI2 transport mode {ESP=>0xe23be20c <0x1f9b5bfe
xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
<br>
Nov 22 15:31:34.113899: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:
Configured DPD (RFC 3706) support not enabled because remote peer
did not advertise DPD support
<br>
Nov 22 15:31:34.114077: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:
STATE_QUICK_R2: IPsec SA established transport mode
{ESP=>0xe23be20c <0x1f9b5bfe xfrm=AES_CBC_256-HMAC_SHA1_96
NATOA=none NATD=none DPD=active}
<br>
Nov 22 15:32:09.151495: "L2TP-PSK-NAT"[2] 193.198.186.218 #3:
received Delete SA(0xe23be20c) payload: deleting IPSEC State #4
<br>
<br>
It looks like you don't have two connections, one for with-NAT and
one
<br>
for without-NAT. Due to Transport Mode, the proposals will be
different.
<br>
<br>
For the non-NAT version to work, add: rightsubnet=vhost:%no to
your
<br>
connection L2TP-PSK-noNAT
<br>
<br>
Paul
<br>
<br>
_______________________________________________
<br>
Swan mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
<br>
</blockquote>
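<p>Paul's two-connection layout written out as a complete libreswan <code>ipsec.conf</code>, as an added example rather than configuration taken from either mail: one conn for NAT'd clients (<code>rightsubnet=vhost:%priv</code>), one for clients with a public address (<code>rightsubnet=vhost:%no</code>), with the shared L2TP/IPsec transport-mode settings in <code>conn %default</code> so neither conn inherits the other's <code>rightsubnet</code>. The <code>virtual-private</code> ranges, <code>left=%defaultroute</code> and the excluded <code>192.0.2.0/24</code> LAN prefix are assumptions to replace with your own values.</p>

```conf
# /etc/ipsec.conf (assumed layout; adjust addresses to your network)
config setup
    # Private ranges a NAT'd client may present as its inner address.
    # The %v4:! entry excludes the server's own LAN so a client cannot
    # claim an address already in use there (192.0.2.0/24 is a placeholder).
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.0.2.0/24

# Shared settings for both conns: IKEv1 Main Mode with a PSK, transport
# mode on UDP/1701 (L2TP). authby=secret + right=%any + auto=add is what a
# "PSK+IKEV1" Main Mode proposal from an unknown peer has to match.
conn %default
    authby=secret
    ikev2=no
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    pfs=no
    rekey=no
    keyingtries=3
    ikelifetime=8h
    salifetime=1h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add

# Clients behind NAT propose a private inner address; it must come from
# the virtual-private list above.
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv

# Clients with a public address propose that address as-is, so do not
# require a virtual-private address here (Paul's fix).
conn L2TP-PSK-noNAT
    rightsubnet=vhost:%no

# /etc/ipsec.secrets needs a matching entry, e.g.:
#   %any %any : PSK "<your-pre-shared-key>"
```

After editing, <code>ipsec auto --add L2TP-PSK-NAT</code> and <code>ipsec auto --add L2TP-PSK-noNAT</code> (or an <code>ipsec restart</code>) load both conns; <code>ipsec status</code> should then list both.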
</body>
</html>