<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Dear Mr. Wouters,</p>
<p>After trying with our CARNet NOC people, they have changed
something on firewalls and the L2TP-PSK-noNAT<br>
configuration now works! I have filed the Windows 10 error 809
problem, and docs say it was most likely<br>
the firewall or the interim network equipment, and it was ...<br>
</p>
<p>I have waster 5 days on this, it appears that ever since the
connection started working in the café on their wireless<br>
network and your rightsubnet=vhost:%no suggestion.</p>
<p>I apologize for all the inconvenience I caused you. Fortunately,
there are not so many troubled admins on the<br>
planet 😁.</p>
<p>I will now try if the IKEv2 with RSA connection was also bugged
with our firewall. You have suggested that<br>
IKEv1 L2TP with IPSEC and transport mode was deprecated, but I had
to have something working to start with.</p>
<p>Thank you once again for all your help. You have been very
supportive. I seem to have started to really like<br>
libreswan. It has some excellent ideas for network FSAs to work.<br>
</p>
<p>Kind regards,<br>
Mirsad Todorovac<br>
</p>
<div class="moz-cite-prefix">On 11/26/2021 4:10 PM, Mirsad Goran
Todorovac wrote:<br>
</div>
<blockquote type="cite"
cite="mid:84131a79-8910-fc85-95ef-75f1d5641a47@alu.hr">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<p>Dear Mr. Wouters,</p>
<p>I have a problem with the setting you have given me, the
rightsubnet=vhost:%no .</p>
<p>Description of the problem: the Windows 10 laptop connects over
wireless provider and my mobile phone<br>
hotspot, but it can't connect when I connect with the ethernet
cable from the same device.</p>
<p>We have previously established that the client was unhappy with
the connection and sent a DELETE payload.<br>
But it happens on the same host, and only on noNAT traversal
link.</p>
<p>I have adjusted the setting in Windows registry to allow for
mod2048p negotiation:</p>
<p><img src="cid:part1.aJXWwa0o.BszrRJij@alu.hr" alt="" class=""></p>
<p>This is from the session log:<br>
</p>
<p>Nov 26 15:17:38.293053: | processing version=1.0 packet with
exchange type=ISAKMP_XCHG_INFO (5)<br>
Nov 26 15:17:38.293065: | peer and cookies match on #2;
msgid=00000000 st_msgid=00000000 st_v1_msgid.phase15=00000000<br>
Nov 26 15:17:38.293083: | p15 state object #2 found, in
STATE_MAIN_R3<br>
Nov 26 15:17:38.293091: | State DB: found IKEv1 state #2 in
MAIN_R3 (find_v1_info_state)<br>
Nov 26 15:17:38.293127: | #2 is idle<br>
Nov 26 15:17:38.293139: | #2 idle<br>
Nov 26 15:17:38.293149: | received encrypted packet from
193.198.186.218:500<br>
Nov 26 15:17:38.293181: | got payload 0x100 (ISAKMP_NEXT_HASH)
needed: 0x100 opt: 0x0<br>
Nov 26 15:17:38.293193: | ***parse ISAKMP Hash Payload:<br>
Nov 26 15:17:38.293203: | next payload type: ISAKMP_NEXT_D
(0xc)<br>
Nov 26 15:17:38.293214: | length: 24 (00 18)<br>
Nov 26 15:17:38.293224: | got payload 0x1000 (ISAKMP_NEXT_D)
needed: 0x0 opt: 0x0<br>
Nov 26 15:17:38.293233: | ***parse ISAKMP Delete Payload:<br>
Nov 26 15:17:38.293242: | next payload type: ISAKMP_NEXT_NONE
(0x0)<br>
Nov 26 15:17:38.293254: | length: 28 (00 1c)<br>
Nov 26 15:17:38.293282: | DOI: ISAKMP_DOI_IPSEC (0x1)<br>
Nov 26 15:17:38.293294: | protocol ID: 1 (01)<br>
Nov 26 15:17:38.293304: | SPI size: 16 (10)<br>
Nov 26 15:17:38.293313: | number of SPIs: 1 (00 01)<br>
Nov 26 15:17:38.293323: | removing 12 bytes of padding<br>
Nov 26 15:17:38.293358: | result: newref
clone-key@0x5628841aa950 (20-bytes, SHA_1_HMAC)(init_symkey()
+99 lib/libswan/ike_alg_prf_mac_nss_ops.c)<br>
Nov 26 15:17:38.293378: | HASH(1): delref
clone-key@0x5628841aa950<br>
Nov 26 15:17:38.293400: | informational HASH(1):<br>
Nov 26 15:17:38.293411: | a3 ae c0 71 e0 09 c1 98 9e ee 6a
45 17 99 2b e1 ...q......jE..+.<br>
Nov 26 15:17:38.293419: | 0e 90 98
b0 ....<br>
Nov 26 15:17:38.293428: | received 'informational' message
HASH(1) data ok<br>
Nov 26 15:17:38.293436: | parsing 8 raw bytes of ISAKMP Delete
Payload into iCookie<br>
Nov 26 15:17:38.293445: | iCookie<br>
Nov 26 15:17:38.293452: | 80 e6 13 3b a1 06 0e
bd ...;....<br>
Nov 26 15:17:38.293461: | parsing 8 raw bytes of ISAKMP Delete
Payload into rCookie<br>
Nov 26 15:17:38.293468: | rCookie<br>
Nov 26 15:17:38.293476: | dc c9 09 4a 81 e0 35
55 ...J..5U<br>
Nov 26 15:17:38.293486: | State DB: found IKEv1 state #2 in
MAIN_R3 (find_state_ikev1)<br>
Nov 26 15:17:38.293496: | del:<br>
Nov 26 15:17:38.293504: |<br>
Nov 26 15:17:38.293517: "L2TP-PSK-NAT"[1] 193.198.186.218 #2:
received Delete SA payload: self-deleting ISAKMP State #2<br>
<br>
</p>
<p>My client (right) host is 193.198.186.218 on the subnet
193.198.186.192/27, assigned via DHCP without NAT.<br>
</p>
<p>My /etc/ipsec.d/l2tp-psk.conf looks like this:<br>
</p>
<p><font face="monospace">conn L2TP-PSK-NAT<br>
rightsubnet=vhost:%priv<br>
also=L2TP-PSK-common<br>
<br>
conn L2TP-PSK-noNAT<br>
rightsubnet=vhost:%no<br>
also=L2TP-PSK-common<br>
<br>
conn L2TP-PSK-common<br>
# Use a Preshared Key. Disable Perfect Forward
Secrecy.<br>
authby=secret<br>
pfs=no<br>
auto=add<br>
keyingtries=3<br>
# we cannot rekey for %any, let client rekey<br>
rekey=no<br>
# Apple iOS doesn't send delete notify so we need dead
peer detection<br>
# to detect vanishing clients<br>
dpddelay=10<br>
dpdtimeout=30<br>
dpdaction=clear<br>
# Set ikelifetime and keylife to same defaults windows
has<br>
ikelifetime=8h<br>
keylife=1h<br>
ikev2=never<br>
#ike = aes256-sha1-modp1024!<br>
# l2tp-over-ipsec is transport mode<br>
type=transport<br>
#<br>
# left will be filled in automatically with the local
address of the default-route interface (as determined at IPsec
startup time).<br>
left=%defaultroute<br>
#<br>
# For updated Windows 2000/XP clients,<br>
# to support old clients as well, use
leftprotoport=17/%any<br>
leftprotoport=17/1701<br>
#<br>
# The remote user.<br>
#<br>
right=%any<br>
# Using the magic port of "%any" means "any one single
port". This is<br>
# a work around required for Apple OSX clients that
use a randomly<br>
# high port.<br>
rightprotoport=17/%any<br>
</font></p>
<p>This is a progress because people behind home NATs can connect,
but I can't connect from remote location<br>
work computer that is not behind NAT on the 193.198.186.218
address.</p>
<p>Thank you very much if you have an idea.</p>
<p>Kidn regards,<br>
Mirsad Todorovac<br>
</p>
<pre class="moz-signature" cols="72">--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355</pre>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Swan mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
</blockquote>
</body>
</html>