Re: [strongSwan] Problem with IPsec/L2TP VPN!

2019-04-08 Thread A P
I've added

rightsubnet=0.0.0.0/0
leftsubnet=0.0.0.0/0

to ipsec.conf and now get
connection 'myvpn' established successfully

still no IP address for the connection (just keep-alives), but that's next, I
suppose (need username/password, probably)


Re: [strongSwan] Problem with IPsec/L2TP VPN!

2019-04-08 Thread Kostya Vasilyev
I think you got the protos backwards, which explains the "no acceptable traffic
selectors found".

conn myvpn
 type=transport
 authby=secret
 pfs=no
 rekey=no
 keyingtries=1
 left=%defaultroute
 leftprotoport=udp/l2tp
 right=
 rightprotoport=udp/%any
 auto=add
 ike=3des-sha1-modp1536!
 esp=3des-sha1!
 keyexchange=ikev1

L2TP uses port 1701 *on the server* - but on the client the port can be anything

Try this instead - on the client:

 leftprotoport=udp/%any
 rightprotoport=udp/l2tp

On the server, assuming it has "left=%defaultroute" or "left=", 
you will want

 leftprotoport=udp/l2tp
 rightprotoport=udp/%any

In other words, for the server:

left = server IP, UDP, port 1701
right = any client IP, UDP, any port

For the client:

left = client IP, UDP, any port
right = server IP, UDP, 1701

*swan will switch left / right as appropriate - but I don't think it can sort 
out the protos automatically (don't see how it would know to do that).

-- K

--
Kostya Vasilyev
k...@fastmail.com



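Kostya's point that the client's left/right protoports must mirror the server's, as an added example that is not from the thread: a small Python checker that turns a conn's protoports into (proto, port) selectors and tests whether a client conn and a server conn agree. It models the strict exact-match outcome the IKEv1 transport-mode log in this thread shows ("no acceptable traffic selectors found"), not IKEv2 selector narrowing; the sample conns are constructed.

```python
# Added example, not the thread's own code: turn left/rightprotoport of an
# ipsec.conf 'conn' into IKE traffic selectors and check that a client conn
# and a server conn mirror each other. The match is the strict equality the
# IKEv1/transport log in this thread shows; IKEv2 narrowing is not modelled.
SERVICES = {"l2tp": 1701, "l2f": 1701}  # /etc/services names for UDP 1701

def parse_conn(text):
    """Parse the key=value lines of one 'conn' block into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("conn ", "#")):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def parse_protoport(value):
    """'udp/l2tp' -> ('udp', 1701); 'udp/%any' -> ('udp', 0); '%any' -> ('any', 0)."""
    proto, _, port = value.partition("/")
    if proto in ("", "%any"):
        proto = "any"
    if port in ("", "%any"):
        return (proto, 0)          # 0 means 'any port'
    return (proto, SERVICES[port] if port in SERVICES else int(port))

def selectors(conf):
    """(local, remote) selectors as seen by the host that loaded this conn."""
    return (parse_protoport(conf.get("leftprotoport", "%any")),
            parse_protoport(conf.get("rightprotoport", "%any")))

def describe(conf):
    """Render the selectors roughly as charon logs them, e.g. 'udp/1701 === udp/any'."""
    fmt = lambda ts: "%s/%s" % (ts[0], ts[1] or "any")
    local, remote = selectors(conf)
    return "%s === %s" % (fmt(local), fmt(remote))

def compatible(client_conn, server_conn):
    """True when the client's proposal equals the server's mirrored selectors."""
    c_local, c_remote = selectors(parse_conn(client_conn))
    s_local, s_remote = selectors(parse_conn(server_conn))
    # the client's 'right' is the server's 'left', and vice versa
    return c_local == s_remote and c_remote == s_local

# Constructed sample conns: the server side Kostya describes, the thread's
# original client conn (a copy of the server's ports) and the corrected one.
SERVER = "conn myvpn\n leftprotoport=udp/l2tp\n rightprotoport=udp/%any\n"
CLIENT_ORIG = "conn myvpn\n leftprotoport=udp/l2tp\n rightprotoport=udp/%any\n"
CLIENT_FIXED = "conn myvpn\n leftprotoport=udp/%any\n rightprotoport=udp/l2tp\n"
```

Running `compatible(CLIENT_ORIG, SERVER)` reproduces the mismatch from the log (both sides claim port 1701 locally), while `compatible(CLIENT_FIXED, SERVER)` succeeds once the client's ports are swapped.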

Re: [strongSwan] VPN connection to Remote Fortigate Client

2019-04-08 Thread MOSES KARIUKI
Thanks a lot Noel. The connection is up and stable. Very helpful.
One more thing: the remote client is able to ping my private IP, but I am
unable to ping his private IP address. I have checked and my routes seem
OK. What do you suggest?

Below is my status:

*sudo ipsec statusall*
Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.18.0-1008-gcp, x86_64):
  uptime: 28 seconds, since Apr 08 12:14:39 2019
  malloc: sbrk 1622016, mmap 0, used 629024, free 992992
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.138.0.4
Connections:
televida:  10.138.0.4...200.**.***.***  IKEv2, dpddelay=30s
televida:   local:  [35.1**.2**.***] uses pre-shared key authentication
televida:   remote: [200.**.***.***] uses pre-shared key authentication
televida:   child:  10.138.0.0/20 === 10.28.2.0/24 TUNNEL, dpdaction=clear

Security Associations (1 up, 0 connecting):
televida[1]: ESTABLISHED 23 seconds ago, 10.138.0.4[35.1**.2**.***]...200.**.***.***[200.**.***.***]
televida[1]: IKEv2 SPIs: 055627d3eb2f_i 081a1b696be14ad2_r*, pre-shared key reauthentication in 23 hours
televida[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_521
televida{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c5fb101f_i 82900426_o
televida{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
televida{2}:   10.138.0.4/32 === 10.28.2.0/24
kariukims@klick-001:~$ ping 10.28.2.9
PING 10.28.2.9 (10.28.2.9) 56(84) bytes of data.
^C
--- 10.28.2.9 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 56ms


Kind regards,
Moses K



Re: [strongSwan] VPN connection to Remote Fortigate Client

2019-04-08 Thread MOSES KARIUKI
Thanks a lot Noel. The connection is up and stable. Very helpful.
One more thing: the remote client is able to ping my private IP, but I am
unable to ping his private IP address. I have checked and my routes seem
OK. What do you suggest?

Kind regards,
Moses K


On Thu, Apr 4, 2019 at 9:50 PM Noel Kuntze
 wrote:

> Hi,
>
> You configured "rightsourceip=10.10.10.0/24" but that's supposed to be a
> site-to-site connection. Use rightsubnet instead.
> rightsourceip is for assigning and requesting virtual IPs. The best way
> for you would be to migrate to swanctl instead.
> Its configuration format is a lot clearer.
>
> Kind regards
>
> Noel
>
> On 02.04.19 at 11:27, MOSES KARIUKI wrote:
> > Dear Tobias,
> >
> > :) :)
> > I read the message. But I can't really interpret what setting is needed
> to make it work. I have listed my current configuration. I am still finding
> my way with Linux networking and Strongswan.
> >
> > Please assist. I will really appreciate it and also offer to assist others.
> >
> > regards,
> > Moses
> >
> >
> >
> > On Tue, Apr 2, 2019 at 11:23 AM Tobias Brunner wrote:
> >
> > Hi Moses,
> >
> > > Apr  1 20:57:58 klick-001 charon: 11[IKE] expected a virtual IP
> > > request, sending FAILED_CP_REQUIRED
> >
> > I guess reading is hard.  Or is that message (that you explicitly
> marked
> > in your email) really that unclear?
> >
> > Regards,
> > Tobias
> >
>
>

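The site-to-site form Noel recommends (the peer's real subnet via rightsubnet instead of a rightsourceip virtual-IP pool, written in the swanctl.conf format he suggests), as an added example that is not from the thread. It assumes the subnets, IKEv2 proposal and DPD settings shown in Moses's statusall output; the masked public addresses and the PSK are placeholders.

```conf
# Added example, not the thread's own config. The ipsec.conf equivalent of
# Noel's fix is to replace "rightsourceip=10.10.10.0/24" (a virtual-IP pool,
# which makes the peer expect a CP request) with "rightsubnet=10.28.2.0/24"
# (the peer's real subnet). The same connection in swanctl.conf form:
connections {
    televida {
        version = 2
        local_addrs  = 10.138.0.4
        # placeholder for the masked Fortigate public IP
        remote_addrs = 198.51.100.1
        # IKE proposal as seen in statusall: AES_CBC_256/HMAC_SHA2_256_128/ECP_521
        proposals = aes256-sha256-ecp521
        dpd_delay = 30s
        local {
            auth = psk
            # placeholder for the masked local public IP used as IKE identity
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.1
        }
        children {
            televida {
                mode = tunnel
                # leftsubnet: our side of the tunnel
                local_ts  = 10.138.0.0/20
                # rightsubnet: the peer's real subnet, not a virtual-IP pool
                remote_ts = 10.28.2.0/24
                esp_proposals = aes256-sha256
                dpd_action = clear
                start_action = start
            }
        }
    }
}
secrets {
    ike-televida {
        id-1 = 203.0.113.10
        id-2 = 198.51.100.1
        secret = "PLACEHOLDER-PSK"
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` should show the child with 10.138.0.0/20 === 10.28.2.0/24 rather than a /32 local selector.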

Re: [strongSwan] Problem with IPsec/L2TP VPN!

2019-04-08 Thread A P
Ok, I have enabled all the logs to level 4. Here is what I get around the 
error. Is this any more helpful? Perhaps I need to set left/rightsubmask? Is 
the problem that it used my public IP rather than the router-internal one? I don't 
think there is anything else missing from the config (I don't have access to the server 
log, unfortunately)


LOG
Apr 08 21:19:45 cosmic charon[3199]: 04[IKE] changing received traffic selectors /32[udp]=== /32[udp/l2f] due to NAT
Apr 08 21:19:45 cosmic charon[3199]: 04[CHD] CHILD_SA myvpn{1} state change: CREATED => INSTALLING
Apr 08 21:19:45 cosmic charon[3199]: 04[IKE] no acceptable traffic selectors found
Apr 08 21:19:45 cosmic charon[3199]: 04[IKE] queueing INFORMATIONAL task
Apr 08 21:19:45 cosmic charon[3199]: 04[CHD] CHILD_SA myvpn{1} state change: INSTALLING => DESTROYING
Apr 08 21:19:45 cosmic charon[3199]: 04[KNL] deleting SAD entry with SPI cb524fd7


later there's also stuff like

Apr 08 21:47:49 cosmic ipsec[3798]: 03[IKE] received retransmit of response with ID 2810990975, but next request already sent



CONFIGS

ipsec.conf (I don't think the others really matter at this point)

conn myvpn
  type=transport
  authby=secret
  pfs=no
  rekey=no
  keyingtries=1
  left=%defaultroute
  leftprotoport=udp/l2tp
  right=
  rightprotoport=udp/%any
  auto=add
  ike=3des-sha1-modp1536!
  esp=3des-sha1!
  keyexchange=ikev1



xl2tpd.conf (tried with lac section as well)

[global]
port = 1701
access control = no

[lns default]
local ip = 192.168.1.2
require authentication = yes
name = myvpn
pppoptfile = /etc/ppp/options.l2tpd



options.l2tp (tried many others, with username/password, too)

noccp
auth
crtscts
mtu 1410
mru 1410
nodefaultroute
lock
proxyarp
silent


also there is a secrets file, obviously