Debian
krotish, 2014-07-13 15:29:16

How to resolve L2TP IPSec (PSK) issues after replacing openswan with strongSwan?

I will describe the essence of the issue: there is an instance on Amazon EC2 (Debian wheezy) running an L2TP VPN server over IPsec,
using xl2tpd and strongSwan. The problems started right after replacing openswan (because of a bug in the latest Debian version affecting Mac OS and iOS) with strongSwan.
With a seemingly completely elementary configuration, I see errors in the auth log (client on a Mac, L2TP connection):

# tail -f /var/log/auth.log
Jul 12 16:10:19 ip-172-31-x-x pluto[2289]: packet from 109.187.x.x:500: initial Main Mode message received on 172.31.x.x:500 but no connection has been authorized with policy=PSK

The ports, mind you, are open:
UDP 4500 0.0.0.0/0
UDP 500 0.0.0.0/0
UDP 1701 0.0.0.0/0
TCP 500 0.0.0.0/0 (although the TCP port is superfluous here anyway).
However, if I connect from Mac OS with a connection configured as pure IPsec, everything works.
Further, if I add the line
keyexchange=ikev1
to the ipsec config, the error in the auth log changes, but the L2TP client still cannot connect:
cannot respond to IPsec SA request because no connection is known for
sending encrypted notification INVALID_MESSAGE_ID to

The configs are embarrassingly simple:
/etc/ipsec.conf
config setup
    strictcrlpolicy=no
    nat_traversal=yes
    charonstart=yes
    plutostart=yes

conn roadwarrior
    left=172.31.x.x
    leftsubnet=172.31.x.x/32
    right=%any
    rightsourceip=10.8.0.0/24
    xauth=server
    authby=xauthpsk
    keyexchange=ikev1
    compress=yes
    pfs=no
    forceencaps=yes
    lifetime=1h
    margintime=15m
    rekeyfuzz=100%
    auto=add

/etc/ipsec.secrets
172.31.x.x %any : PSK "11111111"
krotish : XAUTH "1111111"

/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
listen-addr = 172.31.x.x

[lns default]
length bit = yes
ip range = 10.8.0.1-5
ppp debug = no
require authentication = yes
local ip = 10.8.0.0
pppoptfile = /etc/ppp/options.xl2tpd

/etc/ppp/options.xl2tpd
require-mschap-v2
refuse-mschap
refuse-chap
refuse-pap
name l2tpd
ms-dns 4.2.2.2
mtu 1400
mru 1400
connect-delay 5000
noccp
auth
crtscts
lock
debug
proxyarp

/etc/ppp/chap-secrets
# client    server    secret      IP addresses
krotish     l2tpd     11111111    *

Please help me figure it out; I want to get L2TP working with strongSwan again.

1 answer(s)
Thund3rHabr, 2015-07-24
@Thund3rHabr

I'm only just working it out myself and reading the man pages, but I got an idea... Or rather, I read in an article, in the ipsec.conf config: leftprotoport=17/%any # before that it was 1701, but iOS did not connect. I changed it to %any and lo and behold: now my iPad is also online for monitoring the terminals!
Hope it helps...
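As an added illustration for both the question and the answer above (not either poster's configuration), here is a strongSwan conn for L2TP over IPsec with a shared key. The auth.log line "no connection has been authorized with policy=PSK" means the Mac/iOS L2TP client proposes plain PSK in transport mode for UDP 1701, which the posted conn (tunnel mode, authby=xauthpsk, no protoport selectors) never matches. Addresses are placeholders copied from the question; the conn name and the PSK value are made up.

```ini
# /etc/ipsec.conf (added example, not the poster's file; 172.31.x.x is a placeholder)
config setup
    nat_traversal=yes        # strongSwan 4.x keyword; clients behind NAT need UDP 4500
    charonstart=yes
    plutostart=yes           # IKEv1 is handled by pluto in 4.x, which is what the log shows

conn l2tp-psk
    keyexchange=ikev1        # L2TP/IPsec on Mac OS, iOS and Windows is IKEv1 only
    authby=secret            # plain PSK: these clients send no XAUTH, so xauthpsk never matches
    type=transport           # L2TP/IPsec protects the L2TP packets in transport mode, not tunnel mode
    left=172.31.x.x          # private address of the EC2 instance (its public IP is 1:1 NAT)
    leftprotoport=17/1701    # documented server selector; relax to 17/%any if an iOS client
                             # is rejected, as the answer above reports
    right=%any               # any client address (road warrior)
    rightprotoport=17/%any   # clients behind NAT use a random UDP source port
    forceencaps=yes          # NAT on both sides: always use UDP encapsulation
    rekey=no                 # let the client drive rekeying
    auto=add
    # no rightsourceip and no leftsubnet: in L2TP/IPsec the client address
    # comes from xl2tpd/pppd ("ip range"), not from IPsec

# /etc/ipsec.secrets (added example): the XAUTH line is unused with authby=secret
172.31.x.x %any : PSK "change-me-placeholder"
```

After editing, `ipsec restart` (strongSwan 4.x) and watch auth.log for pluto selecting the conn instead of reporting no authorized connection.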
