Hi, I am trying to set up a VPN server on the OpenWrt x86 platform. The VPN server will serve both site-to-site and remote-access VPN.

To accomplish this, I am using strongSwan 5.6.3 along with xl2tpd for the remote-access VPN part. The issue is that when I load kmod-libipsec in charon, I can't establish the L2TP connection. Meanwhile there is an ipsec0 interface in ifconfig and the site-to-site tunnel works. If kmod-libipsec is not loaded, remote VPN works but I can't establish the site-to-site VPN part.

Log: loaded (kmod-libipsec)
-----------------------------------------------------------
Tue Nov 23 20:43:19 2021 daemon.info : 12[IKE] 192.168.122.1 is initiating a Main Mode IKE_SA
Tue Nov 23 20:43:19 2021 authpriv.info : 12[IKE] 192.168.122.1 is initiating a Main Mode IKE_SA
Tue Nov 23 20:43:19 2021 daemon.info : 12[ENC] generating ID_PROT response 0 [ SA V V V V ]
Tue Nov 23 20:43:19 2021 daemon.info : 12[NET] sending packet: from 192.168.122.146[500] to 192.168.122.1[500] (160 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 13[NET] received packet: from 192.168.122.1[500] to 192.168.122.146[500] (396 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 13[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Tue Nov 23 20:43:19 2021 daemon.info : 13[IKE] faking NAT situation to enforce UDP encapsulation
Tue Nov 23 20:43:19 2021 daemon.info : 13[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Tue Nov 23 20:43:19 2021 daemon.info : 13[NET] sending packet: from 192.168.122.146[500] to 192.168.122.1[500] (396 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 14[NET] received packet: from 192.168.122.1[4500] to 192.168.122.146[4500] (92 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 14[ENC] parsed ID_PROT request 0 [ ID HASH ]
Tue Nov 23 20:43:19 2021 daemon.info : 14[CFG] looking for pre-shared key peer configs matching 192.168.122.146...192.168.122.1[192.168.122.1]
Tue Nov 23 20:43:19 2021 daemon.info : 14[CFG] selected peer config "L2TP-PSK-noNAT"
Tue Nov 23 20:43:19 2021 daemon.info : 14[IKE] IKE_SA L2TP-PSK-noNAT[2] established between 192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]
Tue Nov 23 20:43:19 2021 authpriv.info : 14[IKE] IKE_SA L2TP-PSK-noNAT[2] established between 192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]
Tue Nov 23 20:43:19 2021 daemon.info : 14[ENC] generating ID_PROT response 0 [ ID HASH ]
Tue Nov 23 20:43:19 2021 daemon.info : 14[NET] sending packet: from 192.168.122.146[4500] to 192.168.122.1[4500] (92 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 16[NET] received packet: from 192.168.122.1[4500] to 192.168.122.146[4500] (268 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 16[ENC] parsed QUICK_MODE request 3146332676 [ HASH SA No ID ID NAT-OA NAT-OA ]
Tue Nov 23 20:43:19 2021 daemon.info : 16[IKE] received 3600s lifetime, configured 0s
Tue Nov 23 20:43:19 2021 daemon.info : 16[ENC] generating QUICK_MODE response 3146332676 [ HASH SA No ID ID NAT-OA NAT-OA ]
Tue Nov 23 20:43:19 2021 daemon.info : 16[NET] sending packet: from 192.168.122.146[4500] to 192.168.122.1[4500] (204 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 10[NET] received packet: from 192.168.122.1[4500] to 192.168.122.146[4500] (76 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 10[ENC] parsed QUICK_MODE request 3146332676 [ HASH ]
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] IPsec SA: unsupported mode
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] failed to create SAD entry
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] IPsec SA: unsupported mode
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] failed to create SAD entry
Tue Nov 23 20:43:19 2021 daemon.info : 10[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Tue Nov 23 20:43:19 2021 daemon.info : 10[IKE] sending DELETE for ESP CHILD_SA with SPI c27f86ad
Tue Nov 23 20:43:19 2021 daemon.info : 10[ENC] generating INFORMATIONAL_V1 request 600730204 [ HASH D ]
Tue Nov 23 20:43:19 2021 daemon.info : 10[NET] sending packet: from 192.168.122.146[4500] to 192.168.122.1[4500] (92 bytes)
Tue Nov 23 20:43:24 2021 daemon.info : 12[IKE] retransmit 3 of request with message ID 0
Tue Nov 23 20:43:24 2021 daemon.info : 12[NET] sending packet: from 192.168.122.146[500] to 192.168.122.122[500] (336 bytes)
Tue Nov 23 20:43:34 2021 daemon.info : 14[NET] received packet: from 192.168.122.1[4500] to 192.168.122.146[4500] (108 bytes)
Tue Nov 23 20:43:34 2021 daemon.info : 14[ENC] parsed INFORMATIONAL_V1 request 3707351145 [ HASH D ]
Tue Nov 23 20:43:34 2021 daemon.info : 14[IKE] received DELETE for IKE_SA L2TP-PSK-noNAT[2]
Tue Nov 23 20:43:34 2021 daemon.info : 14[IKE] deleting IKE_SA L2TP-PSK-noNAT[2] between 192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]
Tue Nov 23 20:43:34 2021 authpriv.info : 14[IKE] deleting IKE_SA L2TP-PSK-noNAT[2] between 192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]

My IPsec config (cat /etc/ipsec.conf):
----------------------------
config setup
    charondebug="all"
    uniqueids=yes

conn toDHK
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    leftauth=psk
    rightauth=psk
    left=192.168.122.222
    leftid=192.168.122.222
    right=192.168.122.146
    rightid=192.168.122.146
    mobike=yes
    ike=aes128-sha256-modp1024!
    aggressive=no
    keyingtries=%forever
    ikelifetime=28080s
    rekey=yes
    margintime=60s
    dpddelay=10s
    dpdtimeout=60
    dpdaction=restart
    forceencaps=no
    leftsubnet=192.168.40.0/24
    rightsubnet=192.168.30.0/24
    esp=aes128gcm16-modp1024!
    lifetime=3600s

conn L2TP-PSK-noNAT
    keyexchange=ikev1
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.122.222
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

# /etc/ipsec.secrets - strongSwan IPsec secrets file
%any %any : PSK "12345678"

Regards,
SM Tanjeen
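The failing exchange in the post above, as an added example that is not part of the original post and not strongSwan's own code: a small Python triage script that walks charon's syslog lines, records each "unable to install inbound and outbound IPsec SA" event together with the backend that refused the SA, and cross-checks the selected conn's type= in ipsec.conf. It relies on two facts about charon: the [ESP] log group is written by its userspace ESP engine, i.e. the kernel-libipsec plugin (the kernel-netlink backend logs under [KNL]), and kernel-libipsec implements tunnel mode only. The log and config excerpts embedded in the script are copied from the post and trimmed to the lines the triage needs; the line regex assumes the OpenWrt syslog layout shown there ("<timestamp> <facility.level> : <thread>[<group>] <message>").

```python
"""Triage for the charon log and ipsec.conf in the post above (added example,
not code from the post or from strongSwan)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the posted log lines that carry the failure.
SAMPLE_LOG = """\
Tue Nov 23 20:43:19 2021 daemon.info : 14[IKE] IKE_SA L2TP-PSK-noNAT[2] established between 192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]
Tue Nov 23 20:43:19 2021 daemon.info : 16[ENC] parsed QUICK_MODE request 3146332676 [ HASH SA No ID ID NAT-OA NAT-OA ]
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] IPsec SA: unsupported mode
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] failed to create SAD entry
Tue Nov 23 20:43:19 2021 daemon.info : 10[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Tue Nov 23 20:43:19 2021 daemon.info : 10[IKE] sending DELETE for ESP CHILD_SA with SPI c27f86ad
"""
# Constructed sample input: the posted ipsec.conf, trimmed to the keys used here.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="all"

conn toDHK
    type=tunnel
    keyexchange=ikev2

conn L2TP-PSK-noNAT
    keyexchange=ikev1
    type=transport
    leftprotoport=17/1701
"""
# "<timestamp> <facility.level> : <thread>[<log group>] <message>"
LINE_RE = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} [\w.]+ : "
                     r"\d+\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[\d+\] established between "
                            r"(?P<local>\S+?)\[.*?\]\.\.\.(?P<remote>\S+?)\[.*?\]$")
DELETE_RE = re.compile(r"sending DELETE for ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+)")

@dataclass
class Finding:
    conn: str       # conn charon selected for the IKE_SA
    local: str
    remote: str
    reason: str     # text after "IPsec SA: ", e.g. "unsupported mode"
    backend: str    # "libipsec" when the [ESP] log group reported the error
    spi: Optional[str] = None   # SPI of the CHILD_SA charon then tore down

def triage(log_text: str) -> List[Finding]:
    """One Finding per 'unable to install inbound and outbound IPsec SA' event."""
    findings: List[Finding] = []
    current = None              # (conn, local, remote) of the last established IKE_SA
    reason, backend = None, "kernel"
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        group, msg = m["group"], m["msg"]
        e = ESTABLISHED_RE.search(msg)
        if e:
            current = (e["conn"], e["local"], e["remote"])
        elif msg.startswith("IPsec SA: "):
            reason = msg[len("IPsec SA: "):]
            # charon's ESP log group is written by its userspace ESP engine, i.e.
            # the kernel-libipsec plugin; the kernel-netlink backend logs under KNL
            backend = "libipsec" if group == "ESP" else "kernel"
        elif msg.startswith("unable to install inbound and outbound IPsec SA") and current:
            findings.append(Finding(*current, reason or "unknown", backend))
            reason, backend = None, "kernel"
        else:
            d = DELETE_RE.search(msg)
            if d and findings and findings[-1].spi is None:
                findings[-1].spi = d["spi"]
    return findings

def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: {section: {key: value}}; no also=/include support."""
    sections: Dict[str, Dict[str, str]] = {}
    name = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("conn ", "config ")):
            name = line.split(None, 1)[1]
            sections[name] = {}
        elif "=" in line and name is not None:
            key, value = line.split("=", 1)
            sections[name][key.strip()] = value.strip().strip('"')
    return sections

def explain(f: Finding, conf: Dict[str, Dict[str, str]]) -> str:
    """One-line diagnosis of a Finding, using the conn's configured type=."""
    mode = conf.get(f.conn, {}).get("type", "tunnel")   # strongSwan default is tunnel
    if f.backend == "libipsec" and f.reason == "unsupported mode":
        return (f"{f.conn}: kernel-libipsec implements tunnel mode only, but this conn "
                f"is type={mode}; charon tore down CHILD_SA SPI {f.spi}")
    return f"{f.conn}: {f.backend} refused the IPsec SA ({f.reason}), type={mode}"

if __name__ == "__main__":
    cfg = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for finding in triage(SAMPLE_LOG):
        print(explain(finding, cfg))
```

Run directly it prints one line naming L2TP-PSK-noNAT as a type=transport conn whose CHILD_SA (SPI c27f86ad) was refused by libipsec, which is exactly the pairing the posted log and config show. To use it on a live box, replace SAMPLE_LOG with the output of logread and SAMPLE_IPSEC_CONF with /etc/ipsec.conf; the config reader deliberately does not expand also= or include lines, so conns defined that way need to be flattened first.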