<!DOCTYPE html><html><head><title></title><style type="text/css">#fastmail-quoted p{margin-top:0px;margin-bottom:0px;}
#fastmail-quoted #fastmail-quoted-x_fastmail-quoted p{margin-top:0px;margin-bottom:0px;}
#fastmail-quoted p.fastmail-quoted-x_MsoNormal,#fastmail-quoted p.fastmail-quoted-x_MsoNoSpacing{margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;}
p.MsoNormal,p.MsoNoSpacing{margin:0}</style></head><body><div>Your log says it's a problem with traffic selectors. Not encryption.<br></div><div><br></div><div>- What is your overall setup?<br></div><div><br></div><div>strongSwan / libreSwan on server / client?<br></div><div><br></div><div>- What are you trying to do?<br></div><div><br></div><div>An L2TP / IPSec connection?<br></div><div><br></div><div>- What are your configs?<br></div><div><br></div><div>Please show config files from both sides (feel free to obfuscate IP addresses).<br></div><div><br></div><div>When using NetworkManager to create an L2TP / IPSec connection, the *swan config should be under /var/run/nm-l2tp-*<br></div><div><br></div><div>Re: strong / libre settings<br></div><div><br></div><div>If you use the "old" config format in strongSwan (it has two) it's the same (more or less) as libreSwan. Definitely for encryption / proposals.<br></div><div><br></div><div>-- K<br></div><div><br></div><div><br></div><div>On Sun, Apr 7, 2019, at 6:51 PM, A P wrote:<br></div><blockquote id="fastmail-quoted" type="cite"><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);">Ok, it just does not work, no matter what I try and what I read...<br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);"><br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);">Perhaps I am using the wrong Phase1 and Phase2 settings. What should these entries be for Strongswan and also for Libreswan?<br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);"><br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);">Here is what ike-scan returned:<br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);">... 
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 ...<br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);"><br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);">Spasibo for your help!<br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);"><br></div><div id="fastmail-quoted-appendonsend"><br></div><div><hr style="display:inline-block;width:98%;"><br></div><div id="fastmail-quoted-divRplyFwdMsg" dir="ltr"><div><span style="font-family:Calibri, sans-serif" class="font"><span style="color:rgb(0, 0, 0)" class="colour"><b>From:</b> Users <users-bounces@lists.strongswan.org> on behalf of Kostya Vasilyev <kman@fastmail.com><br> <b>Sent:</b> Sunday, 7 April 2019 02:08<br> <b>To:</b> users@lists.strongswan.org<br> <b>Subject:</b> Re: [strongSwan] Problem with IPsec/L2TP VPN!</span></span></div><div> <br></div></div><div><div>Hi,<br></div><div><br></div><div>On Sat, Apr 6, 2019, at 5:21 PM, A P wrote:<br></div><blockquote type="cite" id="fastmail-quoted-x_fastmail-quoted"><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);">I have tried and tried and tried... With NetworkManager and totally manually, and I get the same error, with nothing much about it on the web... 
I get "<b><span style="font-size:10pt" class="size">no acceptable traffic selectors found</span></b>"<br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);"><br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);">Thanks in advance for your help!<br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);"><br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);"><br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);">Here is the log:<br></div><div style="font-family:Calibri, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);"><div><span style="font-size:10pt" class="size"> </span><span></span><br></div><div><span style="font-size:10pt" class="size">initiating Main Mode IKE_SA myvpn[1] to 180.235.156.4</span><br></div><div><span style="font-size:10pt" class="size">generating ID_PROT request 0 [ SA V V V V V ]</span><br></div><div><span style="font-size:10pt" class="size">sending packet: from 192.168.1.2[500] to 180.235.156.4[500] (176 bytes)</span><br></div><div><span style="font-size:10pt" class="size">received packet: from 180.235.156.4[500] to 192.168.1.2[500] (124 bytes)</span><br></div><div><span style="font-size:10pt" class="size">parsed ID_PROT response 0 [ SA V V ]</span><br></div><div><span style="font-size:10pt" class="size">received NAT-T (RFC 3947) vendor ID</span><br></div><div><span style="font-size:10pt" class="size">received FRAGMENTATION vendor ID</span><br></div><div><span style="font-size:10pt" class="size">selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</span><br></div><div><span style="font-size:10pt" class="size">generating ID_PROT request 0 [ KE No NAT-D NAT-D ]</span><br></div><div><span style="font-size:10pt" class="size">sending packet: from 192.168.1.2[500] to 180.235.156.4[500] (244 
bytes)</span><br></div><div><span style="font-size:10pt" class="size">received packet: from 180.235.156.4[500] to 192.168.1.2[500] (304 bytes)</span><br></div><div><span style="font-size:10pt" class="size">parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]</span><br></div><div><span style="font-size:10pt" class="size">received Cisco Unity vendor ID</span><br></div><div><span style="font-size:10pt" class="size">received XAuth vendor ID</span><br></div><div><span style="font-size:10pt" class="size">received unknown vendor ID: 65:83:ea:08:11:06:75:21:d2:51:cd:44:16:26:47:73</span><br></div><div><span style="font-size:10pt" class="size">received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00</span><br></div><div><span style="font-size:10pt" class="size">local host is behind NAT, sending keep alives</span><br></div><div><span style="font-size:10pt" class="size">generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]</span><br></div><div><span style="font-size:10pt" class="size">sending packet: from 192.168.1.2[4500] to 180.235.156.4[4500] (100 bytes)</span><br></div><div><span style="font-size:10pt" class="size">received packet: from 180.235.156.4[4500] to 192.168.1.2[4500] (84 bytes)</span><br></div><div><span style="font-size:10pt" class="size">parsed ID_PROT response 0 [ ID HASH V ]</span><br></div><div><span style="font-size:10pt" class="size">received DPD vendor ID</span><br></div><div><span style="font-size:10pt" class="size">IKE_SA myvpn[1] established between 192.168.1.2[192.168.1.2]...180.235.156.4[180.235.156.4]</span><br></div><div><span style="font-size:10pt" class="size">scheduling reauthentication in 3390s</span><br></div><div><span style="font-size:10pt" class="size">maximum IKE_SA lifetime 3570s</span><br></div><div><span style="font-size:10pt" class="size">generating QUICK_MODE request 3689125877 [ HASH SA No ID ID NAT-OA NAT-OA ]</span><br></div><div><span style="font-size:10pt" class="size">sending packet: from 
192.168.1.2[4500] to 180.235.156.4[4500] (188 bytes)</span><br></div><div><span style="font-size:10pt" class="size">received packet: from 180.235.156.4[4500] to 192.168.1.2[4500] (204 bytes)</span><br></div><div><span style="font-size:10pt" class="size">parsed QUICK_MODE response 3689125877 [ HASH SA No ID ID N((24576)) NAT-OA NAT-OA ]</span><br></div><div><span style="font-size:10pt" class="size">selected proposal: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ</span><br></div><div><b><span style="font-size:10pt" class="size">no acceptable traffic selectors found</span></b><br></div><div><span style="font-size:10pt" class="size">establishing connection 'myvpn' failed</span><br></div></div></blockquote><div><br></div><div>l2tp works over UDP and it's a fixed port 1701 on the server.<br></div><div><br></div><div>You need to have "traffic selectors" that match that - so that IPSec knows what exactly (what *traffic*) you want to encrypt - and they need to agree between the server and the client.<br></div><div><br></div><div>I assume that Network Manager has set this up correctly on your "local" side.<br></div><div><br></div><div>Let's check your server config. Please post your tunnel config file - i.e. 
the file where you have "left=", "right=", and all that fun stuff.<br></div><div><br></div><div>And please check that you have items like these<br></div><div><br></div><div>leftprotoport=17/1701<br></div><div>rightprotoport=17/%any<br></div><div><br></div><div>Protocol 17 is UDP and we need port number 1701 on the server.<br></div><div><br></div><div>Or use names<br></div><div><br></div><div>leftprotoport=udp/l2tp<br></div><div>rightprotoport=udp/%any<br></div><div><br></div><div>This is for "legacy" config file format (which it seems is used more often, because of tutorials on the web).<br></div><div><br></div><div>PS - this seems like a good tutorial<br></div><div><br></div><div><a href="https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server">https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server</a><br></div><div><br></div><div>PPS - 3DES and MD5 are not considered good enough these days...<br></div><div><br></div><div>-- K<br></div><div><br></div></div></blockquote><div><br></div></body></html>
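An added log-triage helper (not code from this thread or from strongSwan) that applies the diagnosis given in the replies above to a constructed charon log excerpt: it separates the stage at which the connection failed from the algorithms that were negotiated, so a Quick Mode traffic-selector failure is not mistaken for a proposal mismatch, and it flags the 3DES / MD5 / MODP_1024 choices the reply warns about. The peer address and the weak-algorithm list are assumptions for the example.

```python
import re

# Constructed sample log, modelled on the charon output quoted in the thread
# (peer address replaced with a documentation address).
SAMPLE_LOG = """\
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE_SA myvpn[1] established between 192.168.1.2[192.168.1.2]...203.0.113.4[203.0.113.4]
generating QUICK_MODE request 3689125877 [ HASH SA No ID ID NAT-OA NAT-OA ]
selected proposal: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
no acceptable traffic selectors found
establishing connection 'myvpn' failed
"""

# Algorithms a current deployment should no longer negotiate (assumed list).
WEAK_ALGS = {"3DES_CBC", "HMAC_MD5_96", "MODP_1024"}
PROPOSAL_RE = re.compile(r"selected proposal: (IKE|ESP):(\S+)")


def triage(log: str) -> dict:
    """Collect negotiated proposals, weak algorithms per proposal, whether the IKE_SA came up, and the first failure reason."""
    out = {"proposals": {}, "weak": {}, "ike_established": False, "failure": None}
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            kind, algs = m.group(1), m.group(2).split("/")
            out["proposals"][kind] = algs
            out["weak"][kind] = sorted(WEAK_ALGS.intersection(algs))
        elif "IKE_SA" in line and " established " in line:
            out["ike_established"] = True
        elif out["failure"] is None and "no acceptable traffic selectors" in line:
            out["failure"] = "traffic_selectors"
        elif out["failure"] is None and line.endswith("failed"):
            out["failure"] = "unknown"
    return out


def verdict(log: str) -> str:
    """One-line diagnosis: did the tunnel fail on crypto, or only after crypto was agreed?"""
    t = triage(log)
    weak = "; ".join(f"{k} uses {', '.join(v)}" for k, v in t["weak"].items() if v)
    if t["failure"] == "traffic_selectors":
        stage = "ESP proposal accepted" if "ESP" in t["proposals"] else "IKE accepted"
        msg = (f"Quick Mode failed on traffic selectors, not encryption ({stage}); "
               "check leftprotoport/rightprotoport (udp/1701 on the server) on both sides")
    elif t["failure"]:
        msg = "connection failed before traffic selectors; compare proposals on both sides"
    else:
        msg = "no failure found"
    return msg + (f". Weak algorithms: {weak}" if weak else "")
```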