<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>P.S.</p>
<p>It seems that IPsec is established, and a transport connection:</p>
<pre>Nov 24 15:16:18.322599: | pstats #14 ikev1.ipsec established
Nov 24 15:16:18.322609: | NAT-T: encaps is 'auto'
Nov 24 15:16:18.322617: "L2TP-PSK-noNAT"[7] 193.198.186.218 #14: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xbd9d07f4 <0x935a0ca5 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD</pre>
<p>but then, after receiving the first encrypted packet, pluto
spuriously decides to delete, "down" the connection and "unroute"
it:</p>
<pre>Nov 24 15:16:53.359857: | State DB: found IKEv1 state #13 in MAIN_R3 (find_v1_info_state)
Nov 24 15:16:53.359876: | start processing: state #13 connection "L2TP-PSK-noNAT"[7] 193.198.186.218 from 193.198.186.218:500 (in process_v1_packet() at ikev1.c:1347)
Nov 24 15:16:53.359946: | #13 is idle
Nov 24 15:16:53.359963: | #13 idle
Nov 24 15:16:53.359977: | received encrypted packet from 193.198.186.218:500
Nov 24 15:16:53.360029: | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
Nov 24 15:16:53.360046: | ***parse ISAKMP Hash Payload:
Nov 24 15:16:53.360056: | next payload type: ISAKMP_NEXT_D (0xc)
Nov 24 15:16:53.360067: | length: 24 (00 18)
Nov 24 15:16:53.360080: | got payload 0x1000 (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0
Nov 24 15:16:53.360090: | ***parse ISAKMP Delete Payload:
Nov 24 15:16:53.360103: | next payload type: ISAKMP_NEXT_NONE (0x0)
Nov 24 15:16:53.360113: | length: 16 (00 10)
Nov 24 15:16:53.360122: | DOI: ISAKMP_DOI_IPSEC (0x1)
Nov 24 15:16:53.360133: | protocol ID: 3 (03)
Nov 24 15:16:53.360145: | SPI size: 4 (04)
Nov 24 15:16:53.360156: | number of SPIs: 1 (00 01)
Nov 24 15:16:53.360168: | removing 8 bytes of padding
Nov 24 15:16:53.360246: | informational HASH(1):
Nov 24 15:16:53.360263: | 2d d3 57 39 ab 57 ef 6d 30 6a 00 36 cc 47 23 57
Nov 24 15:16:53.360274: | 88 1e 35 78
Nov 24 15:16:53.360284: | received 'informational' message HASH(1) data ok
Nov 24 15:16:53.360295: | parsing 4 raw bytes of ISAKMP Delete Payload into SPI
Nov 24 15:16:53.360303: | SPI
Nov 24 15:16:53.360330: | bd 9d 07 f4
Nov 24 15:16:53.360339: | FOR_EACH_STATE_... in find_phase2_state_to_delete
Nov 24 15:16:53.360358: | start processing: connection "L2TP-PSK-noNAT"[7] 193.198.186.218 (BACKGROUND) (in accept_delete() at ikev1_main.c:2488)
Nov 24 15:16:53.360377: "L2TP-PSK-noNAT"[7] 193.198.186.218 #13: received Delete SA(0xbd9d07f4) payload: deleting IPsec State #14
Nov 24 15:16:53.360393: | pstats #14 ikev1.ipsec deleted completed</pre>
<p>I seem to be stuck here; I don't know how to debug the connection.</p>
<p>Please help.</p>
<p>Kind regards,</p>
<p>Mirsad Todorovac<br>
</p>
<div class="moz-cite-prefix">On 11/24/2021 2:42 PM, Mirsad Goran
Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8adfd6b8-b2df-4736-0145-f964e9045657@alu.hr">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Dear Mr. Wouters,</p>
<p>I have upgraded libreswan to enable bug fixes from an earlier
email I've sent.
Now I've lost even the basic IKEv1 L2TP over IPsec PSK
connectivity. This is very embarrassing as I've
spent four days and I have nothing to show to superiors.</p>
<p>Please help if you can.</p>
<p>It seems that PSK is accepted and verified, IPsec session
established and transport connection brought up,
but I can't seem to tell from the pluto session log what went
wrong.</p>
<p>Here is my "/etc/ipsec.d/l2tp-psk.conf":</p>
<pre># conn L2TP-PSK-NAT
#     rightsubnet=vhost:%priv
#     also=L2TP-PSK-common

conn L2TP-PSK-noNAT
    rightsubnet=vhost:%no
    also=L2TP-PSK-common

conn L2TP-PSK-common
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    ikev2=never
    # l2tp-over-ipsec is transport mode
    type=transport
    #
    # left will be filled in automatically with the local address of the
    # default-route interface (as determined at IPsec startup time).
    left=%defaultroute
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    # Using the magic port of "%any" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port.
    rightprotoport=17/%any
</pre>
<p>The error reported is:</p>
<p><img src="cid:part1.B0f5SnNl.ZZDzKBGO@alu.hr" alt="" class=""></p>
<p>The pluto session log is: <a class="moz-txt-link-freetext"
href="https://domac.alu.hr/mtodorov/l2tp-ipsec-psk-noNAT3-20211124.log"
moz-do-not-send="true">https://domac.alu.hr/mtodorov/l2tp-ipsec-psk-noNAT3-20211124.log</a></p>
<p>Once again, thank you for the previous advice; the VPN
connection started working.<br>
Then I tried to enable IKEv2 with certificates, and upgraded to
libreswan-4.5 to get the bug fix.<br>
Now I am trying the latest 3.x version, 3.32, but no luck.</p>
<p>Thank you very much for all help.<br>
I am reading the ipsec.conf.5 manual, but it will take some time
before my learning curve adapts. :-(</p>
<p>Kind regards,<br>
Mirsad Todorovac<br>
</p>
<pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
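<p>The script below is an added example for this thread; it is not libreswan code and not the poster's. It reads pluto log lines in the format quoted above (the relevant lines are embedded as constructed sample input, rejoined from the message) and answers the debugging question the log raises: for each IPsec SA it records both ESP SPIs from the "IPsec SA established" line, then attributes the teardown either to a "received Delete SA" payload from the peer or, when no such line precedes "deleted completed", to a local cause (DPD timeout or lifetime expiry), and reports how long the SA lived. It also decodes the 16-byte ISAKMP Delete payload (RFC 2408 section 3.15) from bytes assembled from the fields pluto printed; that byte string is an assumption, since the log shows the parsed fields rather than the raw payload. The regular expressions match the log wording visible on this page; other pluto versions may phrase these lines differently, which is a further assumption.</p>

```python
"""Who tore down the IPsec SA?  Correlate pluto log lines and decode the Delete payload.

Added example for this thread; not libreswan code and not the poster's.
"""
import re
import struct
from datetime import datetime

# Constructed sample input: the relevant lines quoted in the message, rejoined.
SAMPLE_LOG = """\
Nov 24 15:16:18.322599: | pstats #14 ikev1.ipsec established
Nov 24 15:16:18.322617: "L2TP-PSK-noNAT"[7] 193.198.186.218 #14: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xbd9d07f4 <0x935a0ca5 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD
Nov 24 15:16:53.359977: | received encrypted packet from 193.198.186.218:500
Nov 24 15:16:53.360377: "L2TP-PSK-noNAT"[7] 193.198.186.218 #13: received Delete SA(0xbd9d07f4) payload: deleting IPsec State #14
Nov 24 15:16:53.360393: | pstats #14 ikev1.ipsec deleted completed
"""

# Constructed bytes of the Delete payload, assembled from the fields pluto printed
# (assumption: the log shows parsed fields, not raw bytes): next payload NONE (0),
# reserved (0), length 16, DOI 1 (IPsec), protocol 3 (ESP), SPI size 4, 1 SPI, SPI bd9d07f4.
SAMPLE_DELETE_PAYLOAD = bytes.fromhex("00000010" "00000001" "03" "04" "0001" "bd9d07f4")

PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP"}


def parse_delete_payload(data: bytes) -> dict:
    """Decode an ISAKMP Delete payload (RFC 2408 section 3.15); reject inconsistent lengths."""
    if len(data) < 12:
        raise ValueError("Delete payload shorter than its fixed header")
    _next, _reserved, length, doi, proto, spi_size, n_spis = struct.unpack("!BBHIBBH", data[:12])
    if length != len(data) or 12 + spi_size * n_spis != length:
        raise ValueError("Delete payload length does not match its SPI list")
    spis = [data[12 + i * spi_size:12 + (i + 1) * spi_size].hex() for i in range(n_spis)]
    return {"doi": doi, "protocol": PROTO_NAMES.get(proto, proto), "spis": spis}


# Log formats as seen on this page (assumption: other pluto versions may differ).
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+)"
ESTABLISHED = re.compile(
    TS + r': "(?P<conn>[^"]+)"(\[\d+\])? (?P<peer>[\d.]+) #(?P<sa>\d+): .*IPsec SA established '
    r'(?P<mode>\w+) mode \{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<in>[0-9a-f]+)')
PEER_DELETE = re.compile(
    TS + r': "[^"]+"(\[\d+\])? (?P<peer>[\d.]+) #\d+: received Delete SA\(0x(?P<spi>[0-9a-f]+)\) '
    r'payload: deleting IPsec State #(?P<sa>\d+)')
TEARDOWN = re.compile(TS + r": \| pstats #(?P<sa>\d+) ikev1\.ipsec deleted completed")


def _stamp(ts: str) -> datetime:
    # Syslog-style stamp without a year; good enough for deltas within one day.
    return datetime.strptime(ts, "%b %d %H:%M:%S.%f")


def _close(sa: dict, ts: str) -> None:
    """Record the first teardown timestamp seen for an SA and its resulting lifetime."""
    if sa["deleted"] is None:
        sa["deleted"] = ts
        sa["lifetime_s"] = round((_stamp(ts) - _stamp(sa["established"])).total_seconds(), 3)


def analyse(log_text: str) -> list:
    """One finding per IPsec SA: SPIs, lifetime, and who deleted it (peer vs. local)."""
    sas = {}
    for line in log_text.splitlines():
        if m := ESTABLISHED.search(line):
            sas[m["sa"]] = {"sa": int(m["sa"]), "conn": m["conn"], "peer": m["peer"], "mode": m["mode"],
                            "spi_out": m["out"], "spi_in": m["in"], "established": m["ts"],
                            "deleted": None, "lifetime_s": None, "reason": None}
        elif (m := PEER_DELETE.search(line)) and m["sa"] in sas:
            sa = sas[m["sa"]]
            # An IKEv1 Delete carries the sender's inbound SPIs, i.e. our outbound (=>) ones.
            which = {sa["spi_out"]: "outbound", sa["spi_in"]: "inbound"}.get(m["spi"], "unknown")
            sa["reason"] = f"peer {m['peer']} sent Delete SA for our {which} SPI 0x{m['spi']}"
            _close(sa, m["ts"])
        elif (m := TEARDOWN.search(line)) and m["sa"] in sas:
            sa = sas[m["sa"]]
            _close(sa, m["ts"])
            if sa["reason"] is None:
                sa["reason"] = "no Delete SA from the peer seen: suspect local DPD timeout or lifetime expiry"
    return list(sas.values())


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"SA #{f['sa']} {f['conn']} {f['mode']} out=0x{f['spi_out']} in=0x{f['spi_in']} "
              f"lived {f['lifetime_s']}s: {f['reason']}")
    print("Delete payload:", parse_delete_payload(SAMPLE_DELETE_PAYLOAD))
```

<p>Run on the lines from this thread, the script attributes the deletion of state #14 to a Delete SA payload received from 193.198.186.218 about 35 seconds after the SA came up, with the deleted SPI matching the SA's outbound (=&gt;) SPI, which is what a Delete sent by the other side looks like. An SA that reaches "deleted completed" without a preceding "received Delete SA" line is flagged as a local teardown, the case to check against dpdaction=clear and the configured lifetimes.</p>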
</body>
</html>