<html dir="ltr"><head></head><body style="text-align:left; direction:ltr;" bgcolor="#ffffff" text="#3d3d3d" link="#535353" vlink="#3d3d3d"><div>Hi,</div><div><br></div><div>I am trying to setup a VPN server on openWRT x86 platform. </div><div>The VPN server will serve both site-to-site and remote access vpn. </div><div><br></div><div>To accomplish this- I am using strongSwan 5.6.3 along with xl2tpd for the remote access vpn part.</div><div><br></div><div>Issue is when I load kmod-libipsec in charon I can't establish the l2tp connection. </div><div><br></div><div>Meanwhile there is ipsec0 interface in the ifconfig and site to site tunnel works. </div><div><br></div><div>If kmod-libipsec is not loaded remote vpn works but cant establish the site to site vpn part.</div><div><br></div><div>Log: loaded (kmod-libipsec)</div><div>-----------------------------------------------------------</div><div><br></div><div>Tue Nov 23 20:43:19 2021 daemon.info : 12[IKE] 192.168.122.1 is initiating a Main Mode IKE_SA</div><div>Tue Nov 23 20:43:19 2021 authpriv.info : 12[IKE] 192.168.122.1 is initiating a Main Mode IKE_SA</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 12[ENC] generating ID_PROT response 0 [ SA V V V V ]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 12[NET] sending packet: from 192.168.122.146[500] to 192.168.122.1[500] (160 bytes)</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 13[NET] received packet: from 192.168.122.1[500] to 192.168.122.146[500] (396 bytes)</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 13[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 13[IKE] faking NAT situation to enforce UDP encapsulation</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 13[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 13[NET] sending packet: from 192.168.122.146[500] to 192.168.122.1[500] (396 bytes)</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 14[NET] received packet: from 192.168.122.1[4500] to 192.168.122.146[4500] (92 bytes)</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 14[ENC] parsed ID_PROT request 0 [ ID HASH ]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 14[CFG] looking for pre-shared key peer configs matching 192.168.122.146...192.168.122.1[192.168.122.1]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 14[CFG] selected peer config "L2TP-PSK-noNAT"</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 14[IKE] IKE_SA L2TP-PSK-noNAT[2] established between 192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]</div><div>Tue Nov 23 20:43:19 2021 authpriv.info : 14[IKE] IKE_SA L2TP-PSK-noNAT[2] established between 192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 14[ENC] generating ID_PROT response 0 [ ID HASH ]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 14[NET] sending packet: from 192.168.122.146[4500] to 192.168.122.1[4500] (92 bytes)</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 16[NET] received packet: from 192.168.122.1[4500] to 192.168.122.146[4500] (268 bytes)</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 16[ENC] parsed QUICK_MODE request 3146332676 [ HASH SA No ID ID NAT-OA NAT-OA ]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 16[IKE] received 3600s lifetime, configured 0s</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 16[ENC] generating QUICK_MODE response 3146332676 [ HASH SA No ID ID NAT-OA NAT-OA ]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 16[NET] sending packet: from 192.168.122.146[4500] to 192.168.122.1[4500] (204 bytes)</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 10[NET] received packet: from 192.168.122.1[4500] to 192.168.122.146[4500] (76 bytes)</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 10[ENC] parsed QUICK_MODE request 3146332676 [ HASH ]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] IPsec SA: unsupported mode</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] failed to create SAD entry</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] IPsec SA: unsupported mode</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] failed to create SAD entry</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 10[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 10[IKE] sending DELETE for ESP CHILD_SA with SPI c27f86ad</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 10[ENC] generating INFORMATIONAL_V1 request 600730204 [ HASH D ]</div><div>Tue Nov 23 20:43:19 2021 daemon.info : 10[NET] sending packet: from 192.168.122.146[4500] to 192.168.122.1[4500] (92 bytes)</div><div>Tue Nov 23 20:43:24 2021 daemon.info : 12[IKE] retransmit 3 of request with message ID 0</div><div>Tue Nov 23 20:43:24 2021 daemon.info : 12[NET] sending packet: from 192.168.122.146[500] to 192.168.122.122[500] (336 bytes)</div><div>Tue Nov 23 20:43:34 2021 daemon.info : 14[NET] received packet: from 192.168.122.1[4500] to 192.168.122.146[4500] (108 bytes)</div><div>Tue Nov 23 20:43:34 2021 daemon.info : 14[ENC] parsed INFORMATIONAL_V1 request 3707351145 [ HASH D ]</div><div>Tue Nov 23 20:43:34 2021 daemon.info : 14[IKE] received DELETE for IKE_SA L2TP-PSK-noNAT[2]</div><div>Tue Nov 23 20:43:34 2021 daemon.info : 14[IKE] deleting IKE_SA L2TP-PSK-noNAT[2] between 192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]</div><div>Tue Nov 23 20:43:34 2021 authpriv.info : 14[IKE] deleting IKE_SA L2TP-PSK-noNAT[2] between 192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]</div><div><br></div><div> </div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div>My IPsec Config- </div><div>cat /etc/ipsec.conf>>></div><div>----------------------------</div><div>config setup</div><div> charondebug="all"</div><div> uniqueids=yes</div><div><br></div><div>conn toDHK</div><div> type=tunnel</div><div> auto=start</div><div> keyexchange=ikev2</div><div> authby=secret</div><div> leftauth=psk</div><div> rightauth=psk</div><div> left=192.168.122.222</div><div> leftid=192.168.122.222</div><div> right=192.168.122.146</div><div> rightid=192.168.122.146</div><div> mobike=yes</div><div> ike=aes128-sha256-modp1024!</div><div> aggressive=no</div><div> keyingtries=%forever</div><div> ikelifetime=28080s</div><div> rekey=yes</div><div> margintime=60s</div><div> dpddelay=10s</div><div> dpdtimeout=60</div><div> dpdaction=restart</div><div> forceencaps=no</div><div> leftsubnet=192.168.40.0/24</div><div> rightsubnet=192.168.30.0/24</div><div> esp=aes128gcm16-modp1024!</div><div> lifetime=3600s</div><div><br></div><div>conn L2TP-PSK-noNAT</div><div> keyexchange=ikev1</div><div> authby=secret</div><div> pfs=no</div><div> auto=add</div><div> keyingtries=3</div><div> dpddelay=30</div><div> dpdtimeout=120</div><div> dpdaction=clear</div><div> rekey=no</div><div> ikelifetime=8h</div><div> keylife=1h</div><div> type=transport</div><div> left=192.168.122.222</div><div> leftprotoport=17/1701</div><div> right=%any</div><div> rightprotoport=17/%any</div><div> </div><div> </div><div># /etc/ipsec.secrets - strongSwan IPsec secrets file</div><div>%any %any : PSK "12345678"</div><div><br></div><div><br></div><div> Regards,</div><div>SM Tanjeen</div></body></html>