<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear Mr. Wouters,</p>
<p>I have upgraded libreswan to enable bug fixes from an earlier
email I've sent.<br>
Now I've lost even the basic IKEv1 L2TP over IPSEC PSK
connectivity. This is very embarrassing as I've<br>
spent four days and I have nothing to show to superiors.</p>
<p>Please help if you can.</p>
<p>It seems that PSK is accepted and verified, IPSEC session
established and transport connection brought up,<br>
but I can't seem to realize from the pluto session log what went
wrong.<br>
</p>
<p>Here is my "/etc/ipsec.d/l2tp-psk.conf":<br>
</p>
<pre># conn L2TP-PSK-NAT
#     rightsubnet=vhost:%priv
#     also=L2TP-PSK-common

conn L2TP-PSK-noNAT
    rightsubnet=vhost:%no
    also=L2TP-PSK-common

conn L2TP-PSK-common
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    # Apple iOS doesn't send delete notify so we need dead peer detection
    # to detect vanishing clients
    dpddelay=10
    dpdtimeout=30
    dpdaction=clear
    # Set ikelifetime and keylife to same defaults windows has
    ikelifetime=8h
    keylife=1h
    ikev2=never
    # l2tp-over-ipsec is transport mode
    type=transport
    #
    # left will be filled in automatically with the local address of the
    # default-route interface (as determined at IPsec startup time).
    left=%defaultroute
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/1701
    #
    # The remote user.
    #
    right=%any
    # Using the magic port of "%any" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port.
    rightprotoport=17/%any
</pre>
<p>The error reported is:</p>
<p><img src="cid:part1.2BE0FlUi.7BNJPYDC@alu.hr" alt=""></p>
<p>The pluto session log is:
<a class="moz-txt-link-freetext" href="https://domac.alu.hr/mtodorov/l2tp-ipsec-psk-noNAT3-20211124.log">https://domac.alu.hr/mtodorov/l2tp-ipsec-psk-noNAT3-20211124.log</a></p>
<p>Once again, thank you for the previous advice and the VPN
connection started working.<br>
Then I tried to enable IKEv2 with certificates, and upgraded to
libreswan-4.5 to get the bug fix.<br>
Now I am trying the latest 3.x version, 3.32, but no luck.</p>
<p>Thank you very much for all help.<br>
I am reading the ipsec.conf.5 manual, but it will take some time
before my learning curve adapts. :-(</p>
<p>Kind regards,<br>
Mirsad Todorovac<br>
</p>
<pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
</body>
</html>