You have ipsec saref = yes on netkey, which is wrong. Saref is for "mast" only.
Sent from my iPhone

> On Jan 11, 2015, at 07:16, Subhi S Hashwa <[email protected]> wrote:
>
> Dear All,
>
> I am hoping someone can help me debug this installation of libreswan; I
> don't have much hair left on my head to pull.
>
> I recently migrated from openswan as libreswan seems to be more active
> in development.
>
> uname -a
>
> Linux crucible-2 3.2.0-4-686-pae #1 SMP Debian 3.2.63-2+deb7u2 i686 GNU/Linux
>
> ipsec --version
>
> Linux Libreswan 3.12 (netkey) on 3.2.0-4-686-pae
>
> xl2tpd -v
>
> xl2tpd version: xl2tpd-1.3.1
>
> from /etc/ipsec.conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> config setup
>     protostack=netkey
>     oe=off
>     nat_traversal=yes
>     force_keepalive=yes
>     keep_alive=60
>
> conn L2TP-PSK-NAT
>     rightsubnet=vhost:%priv
>     also=L2TP-PSK-noNAT
>
> conn L2TP-PSK-noNAT
>     #
>     # Configuration for one user with any type of IPsec/L2TP client
>     # including the updated Windows 2000/XP (MS KB Q818043), but
>     # excluding the non-updated Windows 2000/XP.
>     #
>     #
>     # Use a Preshared Key. Disable Perfect Forward Secrecy.
>     #
>     # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
>     # YourIPAddress %any: "sharedsecret"
>     authby=secret
>     pfs=no
>     auto=add
>     keyingtries=3
>     # we cannot rekey for %any, let client rekey
>     rekey=no
>     # Apple iOS doesn't send delete notify so we need dead peer detection
>     # to detect vanishing clients
>     dpddelay=10
>     dpdtimeout=90
>     dpdaction=clear
>     # Set ikelifetime and keylife to same defaults windows has
>     ikelifetime=8h
>     keylife=1h
>     # l2tp-over-ipsec is transport mode
>     type=transport
>     #
>     left=212.159.xxx.xxx
>     #
>     # For updated Windows 2000/XP clients,
>     # to support old clients as well, use leftprotoport=17/%any
>     leftprotoport=17/1701
>     #
>     # The remote user.
>     #
>     right=%any
>     # Using the magic port of "%any" means "any one single port". This is
>     # a work around required for Apple OSX clients that use a randomly
>     # high port.
>     rightprotoport=17/%any
>     #%any
>
> # Normally, KLIPS drops all plaintext traffic from IP's it has a crypted
> # connection with. With L2TP clients behind NAT, that's not really what
> # you want. The connection below allows both l2tp/ipsec and plaintext
> # connections from behind the same NAT router.
> # The l2tpd use a leftprotoport, so they are more specific and will be used
> # first. Then, packets for the host on different ports and protocols (eg ssh)
> # will match this passthrough conn.
> conn passthrough-for-non-l2tp
>     type=passthrough
>     left=212.159.xxx.xxx
>     leftnexthop=%defaultroute
>     right=%any
>     auto=route
>
> from /etc/xl2tpd/xl2tpd.conf
>
> [global]
> ; Global parameters:
>
> port = 1701                          ; * Bind to port 1701
> ipsec saref = yes
> listen-addr = 212.159.xxx.xxx
>
> [lns default]
>
> ip range = 192.168.101.2-192.168.101.10
> local ip = 192.168.101.1
> refuse chap = yes
> refuse pap = yes
> require authentication = yes
> name=TMP-VPN
> ppp debug = yes
> pppoptfile = /etc/ppp/options.xl2tpd
> length bit = yes
> assign ip = yes
> length bit = yes
> refuse-eap = yes
> refuse-mschap = yes
> require-mschap-v2 = yes
>
>
> from /etc/ppp/options.xl2tpd
>
> require-mschap-v2
> ms-dns 172.18.1.1
> ms-dns 8.8.8.8
> ms-dns 4.2.2.1
> ms-dns 8.8.4.4
> proxyarp
> asyncmap 0
> auth
> crtscts
> lock
> hide-password
> modem
> debug
> refuse-chap
> refuse-eap
> refuse-pap
> refuse-mschap
> require-mschap-v2
> noccp
> mtu 1200
> proxyarp
> lcp-echo-interval 30
> lcp-echo-failure 4
> ipcp-accept-local
> ipcp-accept-remote
> noipx
> idle 1800
> connect-delay 5000
>
> from /etc/ipsec.secrets
>
> 212.159.server.ip %any : PSK "secret-password-goes-here"
>
>
> from /etc/ppp/chap-secrets
>
> * TMP-VPN secret-password-goes-here *
>
> from /var/log/auth.log
>
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down
> Jan 11 11:49:54 crucible-2 pluto[29063]: forgetting secrets
> Jan 11 11:49:54 crucible-2 pluto[29063]: "passthrough-for-non-l2tp": deleting connection
> Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-noNAT": deleting connection
> Jan 11 11:49:54 crucible-2 pluto[29063]: "L2TP-PSK-NAT": deleting connection
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo ::1:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo 127.0.0.1:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface lo/lo 127.0.0.1:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth0/eth0 172.18.1.8:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth0/eth0 172.18.1.8:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth0:0/eth0:0 192.168.101.1:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth0:0/eth0:0 192.168.101.1:500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth1/eth1 212.159.XXX.XXX:4500
> Jan 11 11:49:54 crucible-2 pluto[29063]: shutting down interface eth1/eth1 212.159.XXX.XXX:500
> Jan 11 11:49:54 crucible-2 ipsec__plutorun: pluto killed by SIGTERM, terminating without restart
> Jan 11 11:49:54 crucible-2 ipsec__plutorun: Starting Pluto subsystem...
> Jan 11 11:49:54 crucible-2 pluto[29287]: nss directory plutomain: /etc/ipsec.d
> Jan 11 11:49:54 crucible-2 pluto[29287]: NSS Initialized
> Jan 11 11:49:54 crucible-2 pluto[29287]: libcap-ng support [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: FIPS HMAC integrity support [disabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: Linux audit support [disabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: Starting Pluto (Libreswan Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS)) pid:29287
> Jan 11 11:49:54 crucible-2 pluto[29287]: core dump dir: /var/run/pluto
> Jan 11 11:49:54 crucible-2 pluto[29287]: secrets file: /etc/ipsec.secrets
> Jan 11 11:49:54 crucible-2 pluto[29287]: leak-detective disabled
> Jan 11 11:49:54 crucible-2 pluto[29287]: SAref support [disabled]: Protocol not available
> Jan 11 11:49:54 crucible-2 pluto[29287]: SAbind support [disabled]: Protocol not available
> Jan 11 11:49:54 crucible-2 pluto[29287]: NSS crypto [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: XAUTH PAM support [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: NAT-Traversal support [enabled]
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_AES_CTR: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_CAMELLIA_CBC: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: starting up 1 crypto helpers
> Jan 11 11:49:54 crucible-2 pluto[29287]: started thread for crypto helper 0 (master fd 6)
> Jan 11 11:49:54 crucible-2 pluto[29287]: Using Linux XFRM/NETKEY IPsec interface code on 3.2.0-4-686-pae
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_gcm_8: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_gcm_12: Ok
> Jan 11 11:49:54 crucible-2 pluto[29287]: ike_alg_register_enc(): Activating aes_gcm_16: Ok
> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description "L2TP-PSK-NAT"
> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description "L2TP-PSK-noNAT"
> Jan 11 11:49:55 crucible-2 pluto[29287]: added connection description "passthrough-for-non-l2tp"
> Jan 11 11:49:55 crucible-2 pluto[29287]: listening for IKE messages
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1 212.159.XXX.XXX:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth1/eth1 212.159.XXX.XXX:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0:0/eth0:0 192.168.101.1:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0:0/eth0:0 192.168.101.1:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0 172.18.1.8:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface eth0/eth0 172.18.1.8:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo 127.0.0.1:4500
> Jan 11 11:49:55 crucible-2 pluto[29287]: adding interface lo/lo ::1:500
> Jan 11 11:49:55 crucible-2 pluto[29287]: loading secrets from "/etc/ipsec.secrets"
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: received Vendor ID payload [FRAGMENTATION 80000000]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: received Vendor ID payload [RFC 3947]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-08]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-07]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-06]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-05]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-04]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: received Vendor ID payload [Dead Peer Detection]
> Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: initial Aggressive Mode message from 87.112.client.ip but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
>
> Client is a Mac OSX default client on Yosemite 10.10.1 (14B25)
>
> Any thoughts on how I should get this working?
>
> Many thanks
>
> --
> Subhi S Hashwa
> When everything is heading your way, you're in the wrong lane.
>
> Are you on LinkedIn? Connect with me! http://linkedin.com/in/subhi
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
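The mismatch the reply points at, as an added troubleshooting check that is not code from this thread, libreswan or xl2tpd: it reads the `ipsec saref` setting from xl2tpd.conf, the kernel stack name from `ipsec --version` output, and flags saref enabled on anything but the mast stack, then surfaces the two diagnostic lines from the posted auth.log. The sample inputs are constructed from the snippets above.

```python
import re

# Constructed samples, trimmed from the xl2tpd.conf, ipsec --version and
# auth.log quoted in the thread above.
XL2TPD_CONF = """[global]
port = 1701                          ; * Bind to port 1701
ipsec saref = yes
listen-addr = 212.159.xxx.xxx
"""

IPSEC_VERSION = "Linux Libreswan 3.12 (netkey) on 3.2.0-4-686-pae"

AUTH_LOG = """Jan 11 11:49:54 crucible-2 pluto[29287]: SAref support [disabled]: Protocol not available
Jan 11 11:49:54 crucible-2 pluto[29287]: SAbind support [disabled]: Protocol not available
Jan 11 11:51:44 crucible-2 pluto[29287]: packet from 87.112.client.ip:50534: initial Aggressive Mode message from 87.112.client.ip but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
"""


def xl2tpd_saref(conf):
    """Return True/False for 'ipsec saref' in [global], or None if it is unset."""
    section = None
    for line in conf.splitlines():
        line = line.split(";", 1)[0].strip()  # xl2tpd comments start with ';'
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = (s.strip().lower() for s in line.split("=", 1))
            if key == "ipsec saref":
                return val in ("yes", "true", "1")
    return None


def protostack(version_line):
    """Pull the stack name in parentheses, e.g. 'netkey', out of 'ipsec --version'."""
    m = re.search(r"\((\w+)\)", version_line)
    return m.group(1).lower() if m else None


def check(xl2tpd_conf, version_line, auth_log):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    stack = protostack(version_line)
    if xl2tpd_saref(xl2tpd_conf) and stack != "mast":
        findings.append("xl2tpd 'ipsec saref = yes' needs the mast stack; set it to 'no' on %s" % stack)
    for line in auth_log.splitlines():
        if "SAref support [disabled]" in line:
            findings.append("pluto confirms SAref is unavailable on this stack")
        elif "policy=PSK+AGGRESSIVE" in line:
            findings.append("client sent Aggressive Mode but no conn is configured for PSK+AGGRESSIVE")
    return findings
```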
