@swill I believe Windows natively supports "L2TP". And I see they negotiated
both encryption and integrity. Looks like the difference is this:
On OSX:
```
xl2tpd[2263]: control_finish: Peer requested tunnel 32 twice, ignoring second one.
```
On Windows it seems it is trying to establish a 'child' session:
```
charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: CONNECTING => ESTABLISHED
charon: 16[ENC] generating ID_PROT response 0 [ ID HASH ]
charon: 16[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916] (76 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to 74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 04[NET] received packet: from 74.121.xx.yy[64916] to 74.121.ff.gg[4500] (444 bytes)
charon: 04[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
charon: 04[IKE] changing received traffic selectors 172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 04[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 04[CFG] proposing traffic selectors for us:
```
Can you post the strongSwan configs: ipsec.conf, strongswan.conf, ipsec.secrets?
On 10/7/16, 10:46 AM, "swill" <[email protected]> wrote:
Github user swill commented on the issue:
https://github.com/apache/cloudstack/pull/872
If anyone has experience with Remote Access VPN on Windows and has any
insight into why the following is failing, please let me know.
**FAILING WINDOWS LOG:**
```
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to
74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets
charon: 02[NET] received packet: from 74.121.xx.yy[1011] to
74.121.ff.gg[500] (408 bytes)
charon: 02[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
charon: 02[CFG] looking for an ike config for
74.121.ff.gg...74.121.xx.yy
charon: 02[CFG] candidate: 74.121.ff.gg...%any, prio 1052
charon: 02[CFG] found matching ike config: 74.121.ff.gg...%any with
prio 1052
charon: 02[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
charon: 02[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
charon: 02[IKE] received NAT-T (RFC 3947) vendor ID
charon: 02[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 02[IKE] received FRAGMENTATION vendor ID
charon: 02[ENC] received unknown vendor ID:
fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
charon: 02[ENC] received unknown vendor ID:
26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
charon: 02[ENC] received unknown vendor ID:
e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
charon: 02[IKE] 74.121.xx.yy is initiating a Main Mode IKE_SA
charon: 02[IKE] IKE_SA (unnamed)[39] state change: CREATED => CONNECTING
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 02[CFG] selecting proposal:
charon: 02[CFG] proposal matches
charon: 02[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 02[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160,
IKE:AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/
PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
charon: 02[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 02[IKE] sending XAuth vendor ID
charon: 02[IKE] sending DPD vendor ID
charon: 02[IKE] sending NAT-T (RFC 3947) vendor ID
charon: 02[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 02[NET] sending packet: from 74.121.ff.gg[500] to
74.121.xx.yy[1011] (136 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[500] to
74.121.xx.yy[1011]
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to
74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets
charon: 05[NET] received packet: from 74.121.xx.yy[1011] to
74.121.ff.gg[500] (388 bytes)
charon: 05[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 05[IKE] remote host is behind NAT
charon: 05[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon: 05[NET] sending packet: from 74.121.ff.gg[500] to
74.121.xx.yy[1011] (372 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[500] to
74.121.xx.yy[1011]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 16[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (76 bytes)
charon: 16[ENC] parsed ID_PROT request 0 [ ID HASH ]
charon: 16[CFG] looking for pre-shared key peer configs matching
74.121.ff.gg...74.121.xx.yy[172.16.11.171]
charon: 16[CFG] candidate "L2TP-PSK", match: 1/1/1052 (me/other/ike)
charon: 16[CFG] selected peer config "L2TP-PSK"
charon: 16[IKE] IKE_SA L2TP-PSK[39] established between
74.121.ff.gg[74.121.ff.gg]...74.121.xx.yy[172.16.11.171]
charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: CONNECTING =>
ESTABLISHED
charon: 16[ENC] generating ID_PROT response 0 [ ID HASH ]
charon: 16[NET] sending packet: from 74.121.ff.gg[4500] to
74.121.xx.yy[64916] (76 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to
74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 04[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (444 bytes)
charon: 04[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA
NAT-OA ]
charon: 04[IKE] changing received traffic selectors
172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 04[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f]
=== 74.121.xx.yy/32[udp/l2f]
charon: 04[CFG] proposing traffic selectors for us:
charon: 04[CFG] 74.121.ff.gg/32[udp/l2f]
charon: 04[CFG] proposing traffic selectors for other:
charon: 04[CFG] 0.0.0.0/0[udp]
charon: 04[CFG] candidate "L2TP-PSK" with prio 5+1
charon: 04[CFG] found matching child config "L2TP-PSK" with prio 6
charon: 04[CFG] selecting traffic selectors for other:
charon: 04[CFG] config: 0.0.0.0/0[udp], received:
74.121.xx.yy/32[udp/l2f] => match: 74.121.xx.yy/32[udp/l2f]
charon: 04[CFG] selecting traffic selectors for us:
charon: 04[CFG] config: 74.121.ff.gg/32[udp/l2f], received:
74.121.ff.gg/32[udp/l2f] => match: 74.121.ff.gg/32[udp/l2f]
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] proposal matches
charon: 04[CFG] received proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
charon: 04[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
charon: 04[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 04[IKE] received 3600s lifetime, configured 0s
charon: 04[IKE] received 250000000 lifebytes, configured 0
charon: 04[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID
NAT-OA NAT-OA ]
charon: 04[NET] sending packet: from 74.121.ff.gg[4500] to
74.121.xx.yy[64916] (204 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to
74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 01[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (60 bytes)
charon: 01[ENC] parsed QUICK_MODE request 1 [ HASH ]
charon: 01[CHD] using AES_CBC for encryption
charon: 01[CHD] using HMAC_SHA1_96 for integrity
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 14[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (444 bytes)
charon: 14[ENC] parsed QUICK_MODE request 4 [ HASH SA No ID ID NAT-OA
NAT-OA ]
charon: 14[IKE] changing received traffic selectors
172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 14[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f]
=== 74.121.xx.yy/32[udp/l2f]
charon: 14[CFG] proposing traffic selectors for us:
charon: 14[CFG] 74.121.ff.gg/32[udp/l2f]
charon: 14[CFG] proposing traffic selectors for other:
charon: 14[CFG] 0.0.0.0/0[udp]
charon: 14[CFG] candidate "L2TP-PSK" with prio 5+1
charon: 14[CFG] found matching child config "L2TP-PSK" with prio 6
charon: 14[CFG] selecting traffic selectors for other:
charon: 14[CFG] config: 0.0.0.0/0[udp], received:
74.121.xx.yy/32[udp/l2f] => match: 74.121.xx.yy/32[udp/l2f]
charon: 14[CFG] selecting traffic selectors for us:
charon: 14[CFG] config: 74.121.ff.gg/32[udp/l2f], received:
74.121.ff.gg/32[udp/l2f] => match: 74.121.ff.gg/32[udp/l2f]
charon: 14[CFG] selecting proposal:
charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 14[CFG] selecting proposal:
charon: 14[CFG] proposal matches
charon: 14[CFG] received proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
charon: 14[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
charon: 14[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 14[IKE] received 3600s lifetime, configured 0s
charon: 14[IKE] received 250000000 lifebytes, configured 0
charon: 14[IKE] detected rekeying of CHILD_SA L2TP-PSK{31}
charon: 14[ENC] generating QUICK_MODE response 4 [ HASH SA No ID ID
NAT-OA NAT-OA ]
charon: 14[NET] sending packet: from 74.121.ff.gg[4500] to
74.121.xx.yy[64916] (204 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to
74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 04[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (60 bytes)
charon: 04[ENC] parsed QUICK_MODE request 4 [ HASH ]
charon: 04[CHD] using AES_CBC for encryption
charon: 04[CHD] using HMAC_SHA1_96 for integrity
charon: 04[CHD] adding inbound ESP SA
charon: 04[CHD] SPI 0xcb67a786, src 74.121.xx.yy dst 74.121.ff.gg
charon: 04[CHD] adding outbound ESP SA
charon: 04[CHD] SPI 0xf47c9bd6, src 74.121.ff.gg dst 74.121.xx.yy
charon: 04[IKE] CHILD_SA L2TP-PSK{31} established with SPIs cb67a786_i
f47c9bd6_o and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 01[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (76 bytes)
charon: 01[ENC] parsed INFORMATIONAL_V1 request 713875247 [ HASH D ]
charon: 01[IKE] received DELETE for ESP CHILD_SA with SPI 7cab1502
charon: 01[IKE] closing CHILD_SA L2TP-PSK{31} with SPIs ca86fad4_i (0
bytes) 7cab1502_o (0 bytes) and TS 74.121.ff.gg/32[udp/l2f] ===
74.121.xx.yy/32[udp/l2f]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 05[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (444 bytes)
charon: 05[ENC] parsed QUICK_MODE request 5 [ HASH SA No ID ID NAT-OA
NAT-OA ]
charon: 05[IKE] changing received traffic selectors
172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 05[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f]
=== 74.121.xx.yy/32[udp/l2f]
charon: 05[CFG] proposing traffic selectors for us:
charon: 05[CFG] 74.121.ff.gg/32[udp/l2f]
charon: 05[CFG] proposing traffic selectors for other:
charon: 05[CFG] 0.0.0.0/0[udp]
charon: 05[CFG] candidate "L2TP-PSK" with prio 5+1
charon: 05[CFG] found matching child config "L2TP-PSK" with prio 6
charon: 05[CFG] selecting traffic selectors for other:
charon: 05[CFG] config: 0.0.0.0/0[udp], received:
74.121.xx.yy/32[udp/l2f] => match: 74.121.xx.yy/32[udp/l2f]
charon: 05[CFG] selecting traffic selectors for us:
charon: 05[CFG] config: 74.121.ff.gg/32[udp/l2f], received:
74.121.ff.gg/32[udp/l2f] => match: 74.121.ff.gg/32[udp/l2f]
charon: 05[CFG] selecting proposal:
charon: 05[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 05[CFG] selecting proposal:
charon: 05[CFG] proposal matches
charon: 05[CFG] received proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
charon: 05[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
charon: 05[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 05[IKE] received 3600s lifetime, configured 0s
charon: 05[IKE] received 250000000 lifebytes, configured 0
charon: 05[IKE] detected rekeying of CHILD_SA L2TP-PSK{31}
charon: 05[ENC] generating QUICK_MODE response 5 [ HASH SA No ID ID
NAT-OA NAT-OA ]
charon: 05[NET] sending packet: from 74.121.ff.gg[4500] to
74.121.xx.yy[64916] (204 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to
74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 16[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (60 bytes)
charon: 16[ENC] parsed QUICK_MODE request 5 [ HASH ]
charon: 16[CHD] using AES_CBC for encryption
charon: 16[CHD] using HMAC_SHA1_96 for integrity
charon: 16[CHD] adding inbound ESP SA
charon: 16[CHD] SPI 0xc5ee1900, src 74.121.xx.yy dst 74.121.ff.gg
charon: 16[CHD] adding outbound ESP SA
charon: 16[CHD] SPI 0x4c3a16f0, src 74.121.ff.gg dst 74.121.xx.yy
charon: 16[IKE] CHILD_SA L2TP-PSK{31} established with SPIs c5ee1900_i
4c3a16f0_o and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 14[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (76 bytes)
charon: 14[ENC] parsed INFORMATIONAL_V1 request 4253829990 [ HASH D ]
charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI f47c9bd6
charon: 14[IKE] closing CHILD_SA L2TP-PSK{31} with SPIs cb67a786_i (0
bytes) f47c9bd6_o (0 bytes) and TS 74.121.ff.gg/32[udp/l2f] ===
74.121.xx.yy/32[udp/l2f]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 13[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (444 bytes)
charon: 13[ENC] parsed QUICK_MODE request 6 [ HASH SA No ID ID NAT-OA
NAT-OA ]
charon: 13[IKE] changing received traffic selectors
172.16.11.171/32[udp/l2f]=== 74.121.ff.gg/32[udp/l2f] due to NAT
charon: 13[CFG] looking for a child config for 74.121.ff.gg/32[udp/l2f]
=== 74.121.xx.yy/32[udp/l2f]
charon: 13[CFG] proposing traffic selectors for us:
charon: 13[CFG] 74.121.ff.gg/32[udp/l2f]
charon: 13[CFG] proposing traffic selectors for other:
charon: 13[CFG] 0.0.0.0/0[udp]
charon: 13[CFG] candidate "L2TP-PSK" with prio 5+1
charon: 13[CFG] found matching child config "L2TP-PSK" with prio 6
charon: 13[CFG] selecting traffic selectors for other:
charon: 13[CFG] config: 0.0.0.0/0[udp], received:
74.121.xx.yy/32[udp/l2f] => match: 74.121.xx.yy/32[udp/l2f]
charon: 13[CFG] selecting traffic selectors for us:
charon: 13[CFG] config: 74.121.ff.gg/32[udp/l2f], received:
74.121.ff.gg/32[udp/l2f] => match: 74.121.ff.gg/32[udp/l2f]
charon: 13[CFG] selecting proposal:
charon: 13[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 13[CFG] selecting proposal:
charon: 13[CFG] proposal matches
charon: 13[CFG] received proposals:
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
charon: 13[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
charon: 13[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
charon: 13[IKE] received 3600s lifetime, configured 0s
charon: 13[IKE] received 250000000 lifebytes, configured 0
charon: 13[IKE] detected rekeying of CHILD_SA L2TP-PSK{31}
charon: 13[ENC] generating QUICK_MODE response 6 [ HASH SA No ID ID
NAT-OA NAT-OA ]
charon: 13[NET] sending packet: from 74.121.ff.gg[4500] to
74.121.xx.yy[64916] (204 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[4500] to
74.121.xx.yy[64916]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 12[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (60 bytes)
charon: 12[ENC] parsed QUICK_MODE request 6 [ HASH ]
charon: 12[CHD] using AES_CBC for encryption
charon: 12[CHD] using HMAC_SHA1_96 for integrity
charon: 12[CHD] adding inbound ESP SA
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 12[CHD] SPI 0xc5f602ad, src 74.121.xx.yy dst 74.121.ff.gg
charon: 11[NET] waiting for data on sockets
charon: 12[CHD] adding outbound ESP SA
charon: 12[CHD] SPI 0x09b7ea2c, src 74.121.ff.gg dst 74.121.xx.yy
charon: 12[IKE] CHILD_SA L2TP-PSK{31} established with SPIs c5f602ad_i
09b7ea2c_o and TS 74.121.ff.gg/32[udp/l2f] === 74.121.xx.yy/32[udp/l2f]
charon: 09[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (76 bytes)
charon: 09[ENC] parsed INFORMATIONAL_V1 request 1167094233 [ HASH D ]
charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 4c3a16f0
charon: 09[IKE] closing CHILD_SA L2TP-PSK{31} with SPIs c5ee1900_i (0
bytes) 4c3a16f0_o (0 bytes) and TS 74.121.ff.gg/32[udp/l2f] ===
74.121.xx.yy/32[udp/l2f]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 05[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (76 bytes)
charon: 05[ENC] parsed INFORMATIONAL_V1 request 3486435093 [ HASH D ]
charon: 05[IKE] received DELETE for ESP CHILD_SA with SPI 09b7ea2c
charon: 05[IKE] closing CHILD_SA L2TP-PSK{31} with SPIs c5f602ad_i (0
bytes) 09b7ea2c_o (0 bytes) and TS 74.121.ff.gg/32[udp/l2f] ===
74.121.xx.yy/32[udp/l2f]
charon: 16[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (92 bytes)
charon: 16[ENC] parsed INFORMATIONAL_V1 request 3988841069 [ HASH D ]
charon: 16[IKE] received DELETE for IKE_SA L2TP-PSK[39]
charon: 16[IKE] deleting IKE_SA L2TP-PSK[39] between
74.121.ff.gg[74.121.ff.gg]...74.121.xx.yy[172.16.11.171]
charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: ESTABLISHED =>
DELETING
charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: DELETING => DELETING
charon: 16[IKE] IKE_SA L2TP-PSK[39] state change: DELETING => DESTROYING
```
The same config works for Mac OSX.
**SUCCESSFUL MAC LOG:**
```
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to
74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets
charon: 04[NET] received packet: from 74.121.xx.yy[1011] to
74.121.ff.gg[500] (788 bytes)
charon: 04[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
charon: 04[CFG] looking for an ike config for
74.121.ff.gg...74.121.xx.yy
charon: 04[CFG] candidate: 74.121.ff.gg...%any, prio 1052
charon: 04[CFG] found matching ike config: 74.121.ff.gg...%any with
prio 1052
charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 04[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 04[IKE] received FRAGMENTATION vendor ID
charon: 04[IKE] received DPD vendor ID
charon: 04[IKE] 74.121.xx.yy is initiating a Main Mode IKE_SA
charon: 04[IKE] IKE_SA (unnamed)[40] state change: CREATED => CONNECTING
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable ENCRYPTION_ALGORITHM found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable DIFFIE_HELLMAN_GROUP found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
charon: 04[CFG] selecting proposal:
charon: 04[CFG] proposal matches
charon: 04[CFG] received proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
charon: 04[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160,
IKE:AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/
PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
charon: 04[CFG] selected proposal:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
charon: 04[IKE] sending XAuth vendor ID
charon: 04[IKE] sending DPD vendor ID
charon: 04[IKE] sending NAT-T (RFC 3947) vendor ID
charon: 04[ENC] generating ID_PROT response 0 [ SA V V V ]
charon: 04[NET] sending packet: from 74.121.ff.gg[500] to
74.121.xx.yy[1011] (136 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[500] to
74.121.xx.yy[1011]
charon: 11[NET] received packet: from 74.121.xx.yy[1011] to
74.121.ff.gg[500]
charon: 11[NET] waiting for data on sockets
charon: 01[NET] received packet: from 74.121.xx.yy[1011] to
74.121.ff.gg[500] (380 bytes)
charon: 01[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 01[IKE] remote host is behind NAT
charon: 01[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon: 01[NET] sending packet: from 74.121.ff.gg[500] to
74.121.xx.yy[1011] (396 bytes)
charon: 08[NET] sending packet: from 74.121.ff.gg[500] to
74.121.xx.yy[1011]
charon: 11[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500]
charon: 11[NET] waiting for data on sockets
charon: 06[NET] received packet: from 74.121.xx.yy[64916] to
74.121.ff.gg[4500] (108 bytes)
charon: 06[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
charon: 06[CFG] looking for pre-shared key peer configs matching
74.121.ff.gg...74.121.xx.yy[172.16.11.144]
charon: 06[CFG] candidate "L2TP-PSK", match: 1/1/1052 (me/other/ike)
xl2tpd[2263]: control_finish: Peer requested tunnel 32 twice, ignoring
second one.
xl2tpd[2263]: Connection established to 74.121.xx.yy, 55281. Local:
16822, Remote: 32 (ref=0/0). LNS session is 'default'
xl2tpd[2263]: start_pppd: I'm running:
xl2tpd[2263]: "/usr/sbin/pppd"
xl2tpd[2263]: "passive"
xl2tpd[2263]: "nodetach"
xl2tpd[2263]: "10.10.2.1:10.10.2.2"
xl2tpd[2263]: "refuse-pap"
xl2tpd[2263]: "file"
xl2tpd[2263]: "/etc/ppp/options.xl2tpd"
xl2tpd[2263]: "ipparam"
xl2tpd[2263]: "74.121.xx.yy"
xl2tpd[2263]: "/dev/pts/1"
xl2tpd[2263]: Call established with 74.121.xx.yy, Local: 22684, Remote:
32335, Serial: 1
charon: 04[KNL] 10.10.2.1 appeared on ppp0
charon: 06[KNL] 10.10.2.1 disappeared from ppp0
charon: 12[KNL] 10.10.2.1 appeared on ppp0
charon: 03[KNL] interface ppp0 activated
charon: 02[IKE] keeping connection path 74.121.ff.gg - 74.121.xx.yy
charon: 02[IKE] keeping connection path 74.121.ff.gg - 74.121.xx.yy
ntpd[3211]: Listen normally on 12 ppp0 10.10.2.1 UDP 123
ntpd[3211]: peers refreshed
```
Any insights welcome. :)