Dear Mr. Wouters,
I have found this *ipsec barf* command, so I am linking to the output file:
https://domac.alu.hr/mtodorov/xl2tpd-barf-v4.5.txt .
I am trying to first debug L2TP over IPSEC with PSK, so I have something
to show, then we can move on to
debugging IKEv2 if you're still interested.
I have found that I can't seem to have both defined at the same time,
despite the include schematic allowing for it?
Thank you very much.
Kind regards,
Mirsad
On 11/22/2021 11:22 PM, Mirsad Goran Todorovac wrote:
Dear Mr. Wouters,
I've tried my luck with IKEv2, and generated the required certs
according to Wiki.
However, I've hit the bug described here:
https://lists.libreswan.org/pipermail/swan/2018/002901.html
To alleviate that, I've installed libreswan-4.5.tar.gz and compiled it.
After the installation of 4.5, I've lost the connectivity of the IKEv1
link, and the IKEv2 link didn't start to work either.
I have temporarily disabled the IKEv2 conf to make IKEv1 run, but no go.
The error from Windows 10 is here:
The pluto session log is here:
https://domac.alu.hr/mtodorov/xl2tpd-ipsec-v4.5.log
2. My /etc/ipsec.d/ikev2.conf looks like:
conn ikev2-cp
    # The server's actual IP goes here - not elastic IPs
    left=161.53.235.3
    leftcert=vpn.alu.hr
    [email protected]
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    # Clients
    right=%any
    # your addresspool to use - you might need NAT rules if providing
    # full internet to clients
    rightaddresspool=192.168.100.10-192.168.100.253
    # optional rightid with restrictions
    rightid="C=HR, L=Zagreb, O=Akademija likovnih umjetnosti, OU=*, CN=*, E=*"
    rightca=%same
    rightrsasigkey=%cert
    #
    # connection configuration
    # DNS servers for clients to use
    modecfgdns=8.8.8.8,192.168.100.1
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=8.8.8.8
    #modecfgdns2=193.110.157.123
    narrowing=yes
    # recommended dpd/liveness to cleanup vanished clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    ike=aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
    rekey=no
    # ikev2 fragmentation support requires libreswan 3.14 or newer
    fragmentation=yes
    # optional PAM username verification (eg to implement bandwidth quota
    # pam-authorize=yes
The connection error is:
The session log is here: https://domac.alu.hr/mtodorov/ikev2-v4.5.log
Please bear with me for a little while longer, I feel we are close to
it ...
I hope these messages are helpful. Thank you if you will look into
them and find the problem.
Then I will proceed to the Android setup and keep you posted as you
requested.
Kind regards,
Mirsad Todorovac
On 11/22/2021 9:28 PM, Paul Wouters wrote:
On Nov 22, 2021, at 15:08, Mirsad Goran Todorovac <[email protected]> wrote:
Dear Mr. Wouters,
Your modification works! It was my error, I made a wrong change for
left=127.0.0.1 in place of left=%defaultroute
Awesome !
Now it works.
I have seen that IKEv2 works both in Windows 7 and on my Galaxy Android, so I
will set up that too, now that you have encouraged me with this setting working!
Let us know if it works with the galaxy android natively - I haven’t heard much
feedback yet from the new android.
Paul
Thank you very much for your time!
Kind regards,
Mirsad Todorovac
On 11/22/2021 6:51 PM, Paul Wouters wrote:
On Mon, 22 Nov 2021, Mirsad Goran Todorovac wrote:
I have made the suggested correction, and now the error message is different:
The new error log is available at
https://domac.alu.hr/mtodorov/xl2tpd-ipsec-20211122-3.log
What strikes at first is the line:
Nov 22 18:06:09.628375: packet from 89.172.45.78:500: initial Main Mode message
received on 161.53.235.3:500 but no connection has been authorized with policy
PSK+IKEV1_ALLOW
Did you not configure PSK (authby=secret) on the server?
I will try IKEv2, but does it connect from both Windows 10 and Android just
like this old setup?
Old Androids need the strongswan app to use IKEv2. The latest Android
should have support for IKEv2 natively.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
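Two points in the thread fit together: Mirsad's question about having the IKEv1 L2TP/IPsec PSK connection and the IKEv2 certificate connection defined at the same time, and Paul's reading of the log line "no connection has been authorized with policy PSK+IKEV1_ALLOW", which says that none of the loaded conns allowed IKEv1 with a pre-shared key. The configuration below is an added example written for this page; it is not from the thread and not libreswan's own documentation. It assumes libreswan 4.x syntax, and the server address, certificate nickname, address pool and DNS server are placeholders. The L2TP conns follow the classic two-conn (NAT and no-NAT) pattern and carry an explicit ikev2=no, since libreswan 4 defaults to IKEv2; the IKEv2 conn uses certificates only.

```conf
# /etc/ipsec.conf  (added example, libreswan 4.x syntax; placeholders throughout)
config setup
    logfile=/var/log/pluto.log

# ---- IKEv1 L2TP/IPsec with a pre-shared key (built-in Windows / Android L2TP client)
# Libreswan 4 defaults to IKEv2. Without ikev2=no a Main Mode request from a
# client matches no conn, and pluto logs "no connection has been authorized
# with policy PSK+IKEV1_ALLOW".
conn l2tp-psk-nat
    # NAT-ed clients present a private address behind the NAT; vhost:%priv
    # lets them match this conn, everything else comes from l2tp-psk-nonat
    rightsubnet=vhost:%priv
    also=l2tp-psk-nonat

conn l2tp-psk-nonat
    authby=secret
    ikev2=no
    type=transport
    pfs=no
    # %defaultroute rather than a fixed address (cf. the left=127.0.0.1 mistake above)
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    auto=add

# ---- IKEv2 road warriors authenticating with X.509 certificates
conn ikev2-cp
    ikev2=insist
    # placeholder: the server's public address
    left=161.53.235.3
    # placeholder: NSS nickname of the server certificate
    leftcert=vpn.alu.hr
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    right=%any
    # accept any client certificate issued by the same CA as leftcert
    rightid=%fromcert
    rightca=%same
    rightrsasigkey=%cert
    # placeholder pool; needs NAT/forwarding on the server if clients get full Internet
    rightaddresspool=192.168.100.10-192.168.100.253
    # placeholder DNS server pushed to clients
    modecfgdns=192.168.100.1
    narrowing=yes
    fragmentation=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    auto=add
```

The pre-shared key for the L2TP conns lives in a secrets file such as /etc/ipsec.d/l2tp.secrets, in the form `%any %any : PSK "…"` (the key itself is a placeholder to be chosen, not taken from this page). After `ipsec restart`, `ipsec status` should list all three conns, with the policy line of the L2TP conns showing PSK and IKEV1_ALLOW and that of ikev2-cp showing RSASIG and IKEV2_ALLOW; if the PSK+IKEV1_ALLOW message still appears, the L2TP conn was not loaded (check `ipsec auto --add` output and that the include in ipsec.conf actually covers the file). Two caveats a practitioner would want: the modp1024 and sha1 proposals in the thread's ike= line are only there for legacy clients and should be dropped once the clients are confirmed to negotiate modp2048, and pushing 8.8.8.8 via modecfgdns sends every client's DNS queries to a third party, which is worth deciding deliberately rather than by copying a wiki default.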