On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:

> I am having a problem setting up VPN on Debian server 10 for our Microsoft and Android clients to connect. Our current configuration is L2TP over IPSEC with PSK, as it is also supported on our UniFi UDM-Pro device.
>
> I have explained the problem here, but I've received no reply yet:
>
> https://superuser.com/questions/1688888/vpn-server-on-debian-10-using-l2tp-with-ipsec-psk-not-working
>
> Please help me with this configuration, as it would be very good that it worked for the "road warriors" now in these COVID situations and work from home.
>
> UniFi UDM configuration worked "out of the box" from the GUI interface, but I am perplexed with the number of various configuration options of libreswan, ipsec and xl2tpd. I've used an example from Github, but it didn't work well with my server (it stopped postfix local delivery altogether).

You should _really_ try and use IKEv2 instead of IKEv1/L2TP/IPsec/Transport Mode


Your logs show:

Nov 22 15:31:34.094161: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: the peer proposed: 161.53.235.3/32:17/1701 -> 193.198.186.218/32:17/0
Nov 22 15:31:34.094229: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: peer proposal was rejected in a virtual connection policy: a private network virtual IP was required, but the proposed IP did not match our list (virtual-private=), or our list excludes their IP (e.g. %v4!...) since it is in use elsewhere
Nov 22 15:31:34.095692: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: responding to Quick Mode proposal {msgid:01000000}
Nov 22 15:31:34.095702: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:     us: 161.53.235.3:17/1701
Nov 22 15:31:34.095710: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4:   them: 193.198.186.218:17/1701
Nov 22 15:31:34.096736: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP=>0xe23be20c <0x1f9b5bfe xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
Nov 22 15:31:34.113899: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Nov 22 15:31:34.114077: "L2TP-PSK-noNAT"[2] 193.198.186.218 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xe23be20c <0x1f9b5bfe xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=none DPD=active}
Nov 22 15:32:09.151495: "L2TP-PSK-NAT"[2] 193.198.186.218 #3: received Delete SA(0xe23be20c) payload: deleting IPSEC State #4

It looks like you don't have two connections, one for with-NAT and one
for without-NAT. Due to Transport Mode, the proposals will be different.

For the non-NAT version to work, add: rightsubnet=vhost:%no to your
connection L2TP-PSK-noNAT

Paul
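A two-connection layout of the kind described above, as an added example that is not from the original thread and is not Paul's or the poster's configuration: the NAT connection accepts a virtual private address taken from the `virtual-private=` list, while the non-NAT connection carries `rightsubnet=vhost:%no`, so a peer that is not behind NAT must propose its real address. Both connections are written out in full so that they differ only in `rightsubnet=`. The server address is the one shown as `us:` in the logs; the `/etc/ipsec.conf` path, the `virtual-private=` ranges and the excluded 192.168.42.0/24 LAN are assumed values.

```ini
# /etc/ipsec.conf (assumed path) - added example, not the poster's file
config setup
    # Address ranges a NATed client may claim as its "virtual" private IP.
    # The "!" entry excludes the server's own LAN (assumed 192.168.42.0/24);
    # a client whose inner address falls outside this list is rejected with
    # the "peer proposal was rejected in a virtual connection policy" message
    # seen in the logs.
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24

# Clients that are NOT behind NAT: the Quick Mode proposal must carry the
# peer's real address, so no virtual host is allowed.
conn L2TP-PSK-noNAT
    authby=secret
    ikev2=no
    type=transport
    pfs=no
    rekey=no
    keyingtries=3
    left=161.53.235.3            # server address, shown as "us:" in the logs
    leftprotoport=17/1701        # L2TP over UDP on the server side
    right=%any
    rightprotoport=17/%any       # clients may use any UDP source port
    rightsubnet=vhost:%no        # no virtual IP: the peer's real address only
    auto=add

# Clients behind NAT: identical parameters, except that the peer may propose
# a private address from the virtual-private= list above.
conn L2TP-PSK-NAT
    authby=secret
    ikev2=no
    type=transport
    pfs=no
    rekey=no
    keyingtries=3
    left=161.53.235.3
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnet=vhost:%priv      # virtual private IP allowed behind NAT
    auto=add
```

After `ipsec restart`, a client on a public address should be matched by L2TP-PSK-noNAT and a client behind NAT by L2TP-PSK-NAT; if the "rejected in a virtual connection policy" line still appears, check that the client's inner address is inside `virtual-private=` and not in one of its `!` exclusions.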

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
