[strongSwan] L2TP help
Troy Telford
ttelford.groups at gmail.com
Wed Sep 22 20:20:44 CEST 2010
I've got a working Openswan setup (backed up, of course). I decided to give
strongSwan a try, and then choose whichever I liked better...
It also gives me confidence that the certificates, etc. are working properly. (Though
logfiles help with that too...)
For the moment, my clients are mainly L2TP clients - having the built-in
client for Windows, OS X, and iOS devices helps... So getting that working
properly is the highest priority (and since that's in the IKEv1 realm,
Openswan fits the need nicely already...) I'm also a bit curious about which
handles the L2TP connections better with regards to clients behind NAT, etc...
With strongSwan, however, I'm having trouble getting connected.
I've used plutodebug="control controlmore" to get more debugging info, and
here are the bits I think are interesting (I can send more if needed,
though...):
All the certs and CA validate:
Sep 22 11:40:13 pilot pluto[8140]: | certificate is valid
Sep 22 11:40:13 pilot pluto[8140]: | issuer cacert found
Sep 22 11:40:13 pilot pluto[8140]: | certificate signature is valid
Sep 22 11:40:13 pilot pluto[8140]: | crl signature is valid
Sep 22 11:40:13 pilot pluto[8140]: | crl is valid: until Oct 06 13:04:05 2010
Sep 22 11:40:13 pilot pluto[8140]: | certificate is good
Phase I seems to complete:
Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior"[2] 72.254.127.191:4500 #3: sent MR3, ISAKMP SA established
And next, the part that I think is the problem:
Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior-l2tp"[2] 72.254.127.191:4500 #4: NAT-Traversal: Transport mode disabled due to security concerns
Sep 22 11:40:13 pilot pluto[8140]: "roadwarrior-l2tp"[2] 72.254.127.191:4500 #4: sending encrypted notification BAD_PROPOSAL_SYNTAX to 72.254.127.191:4500
The "BAD_PROPOSAL_SYNTAX" and Transport mode error happens with both the
certificate-based 'roadwarrior-l2tp' connection, and with the PSK-based
'roadwarrior-l2tp-psk' connections.
(Note, some comments are not in the actual file, but are there for your
benefit...)
I'm using packages from Debian (sid), kernel 2.6.32, and strongSwan 4.4.1.
My config:
config setup
        # plutodebug=all
        # plutodebug="control controlmore"
        crlcheckinterval="30"
        strictcrlpolicy=yes
        cachecrls=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/26,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
        interfaces=%defaultroute
        charonstart=yes
        plutostart=yes

conn %default
        keyingtries=1
        type=tunnel
        ike=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
        esp=aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536
        compress=yes
        left=%defaultroute
        leftsubnet=my_hostname.net/32   # This is dyndns assigned, so it's not static :(
        right=%any
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        pfs=yes

conn roadwarrior-l2tp
        type=transport
        leftprotoport=17/1701
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        pfs=no
        also=roadwarrior

conn roadwarrior
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=pilotCert.pem
        leftid=@my_hostname
        rightid="C=CO, ST=State, O=My Organization, OU=My OrgUnit, CN=*, E=*"
        rightca=%same
        auto=add

# for iOS VPNs...
conn roadwarrior-l2tp-psk
        type=transport
        authby=secret
        leftprotoport=17/1701
        rightprotoport=17/%any
        rightsubnet=vhost:%no,%priv
        pfs=no
        auto=add
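The log above rejects the L2TP conns because they negotiate transport mode while NAT-Traversal is on. As an added example that is not part of the original post or of strongSwan, the following script parses an ipsec.conf, resolves conn inheritance (a conn's own values first, then its also= target, then conn %default, which is assumed to match ipsec.conf precedence) and lists every conn that would hit that combination; SAMPLE_CONF is a constructed sample in the shape of the posted config.

```python
# Added example, not code from the original post or from strongSwan: parse an
# ipsec.conf, resolve conn inheritance (own values, then also=, then conn
# %default) and list transport-mode conns while nat_traversal=yes, the
# combination the posted pluto log rejects. SAMPLE_CONF is a constructed sample.
import re

SAMPLE_CONF = """\
config setup
    nat_traversal=yes
conn %default
    type=tunnel
conn roadwarrior-l2tp
    type=transport
    also=roadwarrior
conn roadwarrior
    authby=rsasig
    auto=add
"""

def parse_ipsec_conf(text):
    """Return (config setup params, {conn name: its own params}), comments stripped."""
    setup, conns, section = {}, {}, None
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).strip()       # drop trailing comment
        if not line or line.startswith("#"):
            continue
        head = re.match(r"^(config|conn)\s+(\S+)$", line)
        if head:
            section = setup if head[1] == "config" else conns.setdefault(head[2], {})
            continue
        key, _, value = line.partition("=")              # split at the first '='
        section[key.strip()] = value.strip()
    return setup, conns

def effective_conn(conns, name, seen=()):
    """Merge precedence (assumed): own values, then also= targets, then conn %default."""
    merged = dict(conns.get(name, {}))
    for target in merged.pop("also", "").split():
        if target not in seen:                           # guard against also= cycles
            for k, v in effective_conn(conns, target, seen + (name,)).items():
                merged.setdefault(k, v)
    for k, v in conns.get("%default", {}).items():
        merged.setdefault(k, v)
    return merged

def nat_transport_conns(text):
    """Conns that would negotiate transport mode with NAT-Traversal enabled."""
    setup, conns = parse_ipsec_conf(text)
    if setup.get("nat_traversal") != "yes":
        return []
    return sorted(n for n in conns if n != "%default"
                  and effective_conn(conns, n).get("type") == "transport")
```

Run it against the real /etc/ipsec.conf by passing its contents to nat_transport_conns(); an empty list means no conn combines transport mode with NAT-T.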