Dear Mr. Wouters,

After trying with our CARNet NOC people, they have changed something on the firewalls and the L2TP-PSK-noNAT configuration now works! I have filed the Windows 10 error 809 problem, and the docs say it was most likely
the firewall or the interim network equipment, and it was ...

I have wasted 5 days on this; it appears that ever since, the connection has started working in the café on their wireless
network, with your rightsubnet=vhost:%no suggestion.

I apologize for all the inconvenience I caused you. Fortunately, there are not so many troubled admins on the
planet 😁.

I will now try whether the IKEv2 with RSA connection was also bugged by our firewall. You have suggested that IKEv1 L2TP with IPsec and transport mode was deprecated, but I had to have something working to start with.

Thank you once again for all your help. You have been very supportive. I seem to have started to really like
libreswan. It has some excellent ideas for network FSAs to work.

Kind regards,
Mirsad Todorovac

On 11/26/2021 4:10 PM, Mirsad Goran Todorovac wrote:

Dear Mr. Wouters,

I have a problem with the setting you have given me, rightsubnet=vhost:%no.

Description of the problem: the Windows 10 laptop connects over the wireless provider and my mobile phone hotspot, but it can't connect when I connect with the ethernet cable from the same device.

We have previously established that the client was unhappy with the connection and sent a DELETE payload.
But it happens on the same host, and only on the noNAT (no NAT traversal) link.

I have adjusted the setting in the Windows registry to allow for modp2048 negotiation:

This is from the session log:

Nov 26 15:17:38.293053: |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
Nov 26 15:17:38.293065: | peer and cookies match on #2; msgid=00000000 st_msgid=00000000 st_v1_msgid.phase15=00000000
Nov 26 15:17:38.293083: | p15 state object #2 found, in STATE_MAIN_R3
Nov 26 15:17:38.293091: | State DB: found IKEv1 state #2 in MAIN_R3 (find_v1_info_state)
Nov 26 15:17:38.293127: | #2 is idle
Nov 26 15:17:38.293139: | #2 idle
Nov 26 15:17:38.293149: | received encrypted packet from 193.198.186.218:500
Nov 26 15:17:38.293181: | got payload 0x100  (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
Nov 26 15:17:38.293193: | ***parse ISAKMP Hash Payload:
Nov 26 15:17:38.293203: |    next payload type: ISAKMP_NEXT_D (0xc)
Nov 26 15:17:38.293214: |    length: 24 (00 18)
Nov 26 15:17:38.293224: | got payload 0x1000  (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0
Nov 26 15:17:38.293233: | ***parse ISAKMP Delete Payload:
Nov 26 15:17:38.293242: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Nov 26 15:17:38.293254: |    length: 28 (00 1c)
Nov 26 15:17:38.293282: |    DOI: ISAKMP_DOI_IPSEC (0x1)
Nov 26 15:17:38.293294: |    protocol ID: 1 (01)
Nov 26 15:17:38.293304: |    SPI size: 16 (10)
Nov 26 15:17:38.293313: |    number of SPIs: 1 (00 01)
Nov 26 15:17:38.293323: | removing 12 bytes of padding
Nov 26 15:17:38.293358: |     result: newref clone-key@0x5628841aa950 (20-bytes, SHA_1_HMAC)(init_symkey() +99 lib/libswan/ike_alg_prf_mac_nss_ops.c)
Nov 26 15:17:38.293378: | HASH(1): delref clone-key@0x5628841aa950
Nov 26 15:17:38.293400: | informational HASH(1):
Nov 26 15:17:38.293411: |   a3 ae c0 71  e0 09 c1 98  9e ee 6a 45  17 99 2b e1   ...q......jE..+.
Nov 26 15:17:38.293419: |   0e 90 98 b0                                          ....
Nov 26 15:17:38.293428: | received 'informational' message HASH(1) data ok
Nov 26 15:17:38.293436: | parsing 8 raw bytes of ISAKMP Delete Payload into iCookie
Nov 26 15:17:38.293445: | iCookie
Nov 26 15:17:38.293452: |   80 e6 13 3b  a1 06 0e bd                             ...;....
Nov 26 15:17:38.293461: | parsing 8 raw bytes of ISAKMP Delete Payload into rCookie
Nov 26 15:17:38.293468: | rCookie
Nov 26 15:17:38.293476: |   dc c9 09 4a  81 e0 35 55                             ...J..5U
Nov 26 15:17:38.293486: | State DB: found IKEv1 state #2 in MAIN_R3 (find_state_ikev1)
Nov 26 15:17:38.293496: | del:
Nov 26 15:17:38.293504: |
Nov 26 15:17:38.293517: "L2TP-PSK-NAT"[1] 193.198.186.218 #2: received Delete SA payload: self-deleting ISAKMP State #2

My client (right) host is 193.198.186.218 on the subnet 193.198.186.192/27, assigned via DHCP without NAT.

My /etc/ipsec.d/l2tp-psk.conf looks like this:

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-common

conn L2TP-PSK-noNAT
        rightsubnet=vhost:%no
        also=L2TP-PSK-common

conn L2TP-PSK-common
        # Use a Preshared Key. Disable Perfect Forward Secrecy.
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        # we cannot rekey for %any, let client rekey
        rekey=no
        # Apple iOS doesn't send delete notify so we need dead peer detection
        # to detect vanishing clients
        dpddelay=10
        dpdtimeout=30
        dpdaction=clear
        # Set ikelifetime and keylife to same defaults windows has
        ikelifetime=8h
        keylife=1h
        ikev2=never
        #ike = aes256-sha1-modp1024!
        # l2tp-over-ipsec is transport mode
        type=transport
        #
        # left will be filled in automatically with the local address of the default-route interface (as determined at IPsec startup time).
        left=%defaultroute
        #
        # For updated Windows 2000/XP clients,
        # to support old clients as well, use leftprotoport=17/%any
        leftprotoport=17/1701
        #
        # The remote user.
        #
        right=%any
        # Using the magic port of "%any" means "any one single port". This is
        # a work around required for Apple OSX clients that use a randomly
        # high port.
        rightprotoport=17/%any

This is progress, because people behind home NATs can connect, but I can't connect from the remote-location
work computer that is not behind NAT, on the 193.198.186.218 address.

Thank you very much if you have an idea.

Kind regards,
Mirsad Todorovac

--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
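As an added example, not from the mail or from libreswan itself: a small Python parser that expands the also= includes in the conn blocks quoted above (embedded here as a constructed, abridged sample), so the NAT and noNAT variants can be compared on their effective settings. The precedence rule (the including conn's own value wins over an included one) is an assumption; the sample has no conflicting keys.

```python
# Constructed sample, abridged from the l2tp-psk.conf quoted in the mail.
SAMPLE_CONF = """\
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-common

conn L2TP-PSK-noNAT
        rightsubnet=vhost:%no
        also=L2TP-PSK-common

conn L2TP-PSK-common
        #ike = aes256-sha1-modp1024!
        type=transport
        leftprotoport=17/1701
        rightprotoport=17/%any
"""

def parse_conns(text):
    """Return {conn: {key: value}}; also= targets are kept in a list."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines go
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {"also": []})
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if key == "also":
                current["also"].append(value)
            else:
                current[key] = value
    return conns

def resolve(conns, name, chain=()):
    """Effective settings after also= expansion. Assumption: the including
    conn's own value wins over an included one; an also= loop is an error."""
    if name in chain:
        raise ValueError("also= loop at " + name)
    merged = {}
    for inc in conns[name]["also"]:
        merged.update(resolve(conns, inc, chain + (name,)))
    merged.update({k: v for k, v in conns[name].items() if k != "also"})
    return merged

def differing(a, b):
    """Keys whose effective value differs between two resolved conns."""
    return {k for k in a.keys() | b.keys() if a.get(k) != b.get(k)}
```

Running differing(resolve(conns, "L2TP-PSK-NAT"), resolve(conns, "L2TP-PSK-noNAT")) on the sample reports only rightsubnet, which confirms the two conns are otherwise identical.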

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan