<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Dear Mr. Wouters,</p>
    <p>I have found this <font face="monospace"><b>ipsec barf</b></font>
      command, so I am linking to the output file:<br>
      <a class="moz-txt-link-freetext" href="https://domac.alu.hr/mtodorov/xl2tpd-barf-v4.5.txt">https://domac.alu.hr/mtodorov/xl2tpd-barf-v4.5.txt</a> .</p>
    <p>I am trying to first debug L2TP over IPSEC with PSK, so I have
      something to show, then we can move on to<br>
      debugging IKEv2 if you're still interested.</p>
    <p>I have found that I can't seem to have both defined at the same
      time, despite the include schematic allowing for it?</p>
    <p>Thank you very much.</p>
    <p>Kind regards,<br>
      Mirsad<br>
    </p>
    <div class="moz-cite-prefix">On 11/22/2021 11:22 PM, Mirsad Goran
      Todorovac wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:27bbb542-0311-be35-1be7-612a219f8c4f@alu.hr">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <p>Dear Mr. Wouters,</p>
      <p>I've tried my luck with IKEv2, and generated the required certs
        according to Wiki.</p>
      <p>However, I've hit the bug described here: <a
          class="moz-txt-link-freetext"
          href="https://lists.libreswan.org/pipermail/swan/2018/002901.html"
          moz-do-not-send="true">https://lists.libreswan.org/pipermail/swan/2018/002901.html</a></p>
      <p>To alleviate that, I've installed libreswan-4.5.tar.gz and
        compiled it.</p>
      <p>After the installation of 4.5, I've lost the connectivity of
        the IKEv1 link, and the IKEv2 link didn't start to work either.</p>
      <p>I have temporarily disabled the IKEv2 conf to make IKEv1 run, but no
        go. The error from Windows 10 is here:</p>
      <p><img src="cid:part1.CYvGRxVp.LfZMtFQj@alu.hr" alt="" class=""
          width="257" height="150"></p>
      <p>The pluto session log is here: <a
          class="moz-txt-link-freetext"
          href="https://domac.alu.hr/mtodorov/xl2tpd-ipsec-v4.5.log"
          moz-do-not-send="true">https://domac.alu.hr/mtodorov/xl2tpd-ipsec-v4.5.log</a></p>
      <p>2. My /etc/ipsec.d/ikev2.conf looks like:</p>
      <pre>conn ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=161.53.235.3
    leftcert=vpn.alu.hr
    leftid=@vpn.alu.hr
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing full internet to clients
    rightaddresspool=192.168.100.10-192.168.100.253
    # optional rightid with restrictions
    rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=8.8.8.8,192.168.100.1
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota)
    # pam-authorize=yes
</pre>
      <p>The connection error is:</p>
      <p><img src="cid:part2.YWRut0WV.269i0fVt@alu.hr" alt="" class=""
          width="366" height="154"></p>
      <p>The session log is here: <a class="moz-txt-link-freetext"
          href="https://domac.alu.hr/mtodorov/ikev2-v4.5.log"
          moz-do-not-send="true">https://domac.alu.hr/mtodorov/ikev2-v4.5.log</a></p>
      <p>Please bear with me for a little while longer, I feel we are
        close to it ...</p>
      <p>I hope these messages are helpful. Thank you if you will look
        into them and find the problem.<br>
        Then I will proceed to the Android setup and keep you posted as
        you requested.</p>
      <p>Kind regards,<br>
        Mirsad Todorovac<br>
      </p>
      <div class="moz-cite-prefix">On 11/22/2021 9:28 PM, Paul Wouters
        wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:B73C575B-93B9-4E24-A1BB-F213E64EE726@nohats.ca">
        <pre class="moz-quote-pre" wrap="">On Nov 22, 2021, at 15:08, Mirsad Goran Todorovac <a class="moz-txt-link-rfc2396E" href="mailto:mirsad.todorovac@alu.hr" moz-do-not-send="true">&lt;mirsad.todorovac@alu.hr&gt;</a> wrote:
</pre>
        <blockquote type="cite">
          <pre class="moz-quote-pre" wrap="">Dear Mr. Wouters,

Your modification works! It was my error, I made a wrong change for left=127.0.0.1 in place of left=%defaultroute
</pre>
        </blockquote>
        <pre class="moz-quote-pre" wrap="">Awesome !

</pre>
        <blockquote type="cite">
          <pre class="moz-quote-pre" wrap="">Now it works.
I have seen that IKEv2 works both in Windows 7 and on my Galaxy Android, so I will set up that too, now that you have encouraged me with this setting working!
</pre>
        </blockquote>
        <pre class="moz-quote-pre" wrap="">Let us know if it works with the galaxy android natively - I haven’t heard much feedback yet from the new android. 

Paul


</pre>
        <blockquote type="cite">
          <pre class="moz-quote-pre" wrap="">Thank you very much for your time!

Kind regards,
Mirsad Todorovac

</pre>
          <blockquote type="cite">
            <pre class="moz-quote-pre" wrap="">On 11/22/2021 6:51 PM, Paul Wouters wrote:
</pre>
            <blockquote type="cite">
              <pre class="moz-quote-pre" wrap="">On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:

I have made the suggested correction, and now the error message is different:

The new error log is available at <a class="moz-txt-link-freetext" href="https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log" moz-do-not-send="true">https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log</a>
</pre>
            </blockquote>
            <blockquote type="cite">
              <pre class="moz-quote-pre" wrap="">What strikes at first is the line:

Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial Main Mode message received on 161.53.235.3:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
</pre>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">Did you not configure PSK (authby=secret) on the server ?


</pre>
            <blockquote type="cite">
              <pre class="moz-quote-pre" wrap="">I will try IKEv2, but does it connect from both Windows 10 and Android just like this old setup?
</pre>
            </blockquote>
            <pre class="moz-quote-pre" wrap="">Old Androids need the strongswan app to use IKEv2. The latest android
should have support for IKEv2 natively.

Paul
</pre>
          </blockquote>
        </blockquote>
      </blockquote>
    </blockquote>
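    <p>The pluto message quoted in the thread ("initial Main Mode message received on 161.53.235.3:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW") means pluto looked through its loaded conns for one whose policy matches the incoming exchange (IKEv1 Main Mode with a pre-shared key) on the receiving address and found none, which is why the reply asks about authby=secret. The Python below is an added example, not libreswan code and not from any author in this thread: it parses ipsec.conf-style conn sections and reports which conns could authorize a given (IKE version, authentication method) exchange on a given local address, so the two conns an L2TP/IPsec PSK client and an IKEv2 certificate client need can be checked side by side. The sample configuration is constructed for the example (the ikev2-cp conn from the message above, trimmed, plus a hypothetical l2tp-psk conn with authby=secret and ikev2=no). The mapping of the ikev2= keyword to IKE versions, the authby=rsasig default, and treating left=%defaultroute as matching any local address are assumptions about libreswan made for this example, not facts taken from the thread.</p>

```python
"""Added example (not libreswan code): which ipsec.conf 'conn' sections could
authorize an incoming IKE exchange, mirroring pluto's
"no connection has been authorized with policy PSK+IKEV1_ALLOW" message."""
import re

# Constructed sample config: the ikev2-cp conn from the thread (trimmed) plus a
# hypothetical IKEv1 L2TP/IPsec PSK conn of the kind an IKEv1 Windows client needs.
SAMPLE_CONF = """
conn ikev2-cp
    left=161.53.235.3
    leftcert=vpn.alu.hr
    leftid=@vpn.alu.hr
    leftrsasigkey=%cert
    right=%any
    rightrsasigkey=%cert
    auto=add
    ikev2=insist

conn l2tp-psk
    # hypothetical conn, constructed for this example
    left=161.53.235.3
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    authby=secret
    ikev2=no
    auto=add
"""

# Assumed mapping of libreswan's ikev2= keyword to the IKE versions a conn accepts.
IKE_VERSIONS = {"insist": {2}, "yes": {2}, "no": {1}, "never": {1}}


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            conns[current][key.strip()] = val.strip().strip('"')
    return conns


def conn_policy(opts):
    """Derive (auth, ike_versions) for one conn, in the spirit of pluto's policy flags."""
    authby = opts.get("authby", "rsasig")        # assumed libreswan default
    auth = "PSK" if authby == "secret" else authby.upper()
    versions = IKE_VERSIONS.get(opts.get("ikev2"), set())   # empty set = unspecified
    return auth, versions


def authorized_conns(conns, local_ip, version, auth):
    """Names of conns that could authorize an initial exchange of this kind."""
    hits = []
    for name, opts in conns.items():
        left = opts.get("left")
        # left=%defaultroute is resolved at runtime; treated as a wildcard here (assumption)
        if left not in (local_ip, "%defaultroute"):
            continue
        conn_auth, versions = conn_policy(opts)
        if conn_auth == auth and version in versions:
            hits.append(name)
    return hits


def diagnose(conns, local_ip, version, auth):
    """One-line verdict in the wording of the pluto log message."""
    policy = f"{auth}+IKEV{version}_ALLOW"
    hits = authorized_conns(conns, local_ip, version, auth)
    if hits:
        return f"{policy} on {local_ip}: authorized by conn(s) {', '.join(hits)}"
    return f"no connection has been authorized with policy {policy} on {local_ip}"


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    # An IKEv1 Main Mode PSK initiator (the L2TP client) and an IKEv2 cert initiator.
    print(diagnose(conns, "161.53.235.3", 1, "PSK"))
    print(diagnose(conns, "161.53.235.3", 2, "RSASIG"))
    # With only the IKEv2 conn loaded, the IKEv1 PSK client is rejected.
    only_v2 = {"ikev2-cp": conns["ikev2-cp"]}
    print(diagnose(only_v2, "161.53.235.3", 1, "PSK"))
```

    <p>Run stand-alone, the script prints one verdict per scenario: with both conns loaded, the IKEv1 PSK exchange is authorized by l2tp-psk and the IKEv2 certificate exchange by ikev2-cp; with only the IKEv2 conn loaded, the IKEv1 PSK client gets the same "no connection has been authorized" verdict as the pluto log. When a conn omits ikev2=, the checker reports it as matching no version rather than guessing the version-dependent default, which is exactly the kind of silent mismatch worth surfacing before a client tries to connect.</p>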
  </body>
</html>