[strongSwan] Problem with windows 7 connecting with strongswan and xl2tpd

Brad Johnson bjohnson at ecessa.com
Thu May 15 16:29:30 CEST 2014


We are migrating to strongSwan from Openswan, where we use xl2tpd to 
handle road-warrior connections from Windows and Mac clients. This 
worked fine with Openswan but I can't get it to work with strongSwan. 
When trying to connect from a Windows 7 client (set up to use IPsec/L2TP 
with pre-shared key) the SA gets established but xl2tpd times out and 
closes its tunnels.

Here's part of the log output (all IP addresses redacted with "xxx"):

charon: 14[IKE] CHILD_SA l2tp{21} established with SPIs c774b885_i 
443ddb1c_o and TS 173.160.xxx.xxx/32[udp/l2tp] === 66.41.xxx.xx/32[udp/l2tp]

xl2tpd[12145]: control_finish: Peer requested tunnel 7 twice, ignoring 
second one. (repeats 2 more times)
xl2tpd[12145]: Maximum retries exceeded for tunnel 32034.  Closing.
xl2tpd[12145]: Connection 7 closed to 66.41.xxx.xx, port 1701 (Timeout)
xl2tpd[12145]: Unable to deliver closing message for tunnel 32034. 
Destroying anyway.
(above repeats for another tunnel)

My question is, can this work with strongSwan? Is anyone else doing 
this? I know according to the documentation that Windows 7 clients can 
use IKEv2 and avoid using L2TP altogether, but we still need to support 
Mac and older Windows clients and need this to work.

# /etc/ipsec.conf:

conn l2tp
     # server address; road-warrior clients may come from any address
     left=173.160.xxx.xxx
     right=%any
     auto=add
     # leave rekeying to the client (Windows L2TP clients don't cope well with server-initiated rekeys)
     rekey=no
     # narrow the CHILD_SA to L2TP: UDP/1701 on the server, any UDP source port on the client (NATed clients)
     leftprotoport=17/1701
     rightprotoport=17/%any
     keyingtries=2
     # Windows L2TP/IPsec uses IKEv1 main mode with PSK
     keyexchange=ikev1
     leftauth=psk
     rightauth=psk
     ikelifetime=8h
     ike=aes128-sha1-modp1536
     esp=aes128-sha1

# /etc/ipsec.secrets - strongSwan IPsec secrets file
173.160.xxx.xxx %any : PSK "whatever"

# /etc/xl2tpd/xl2tpd.conf:
[lns road-warrior]
ppp debug = yes
; accept L2TP control connections from any client address
lac = 0.0.0.0-255.255.255.255
; PPP side of the tunnel: server address and pool handed to clients
local ip = 10.100.10.1
ip range = 10.100.10.2-10.100.10.50
; PPP authentication is mandatory; details in the pppd options file below
require authentication = yes
pppoptfile = /etc/ppp/road-warrior.options

# /etc/ppp/road-warrior.options:
lock
maxfail 0
persist
debug
linkname vpn-road-warrior
ipparam road-warrior
# require the peer to authenticate; allow CHAP/MS-CHAP/MS-CHAPv2, never PAP
auth
require-chap
require-mschap-v2
require-mschap
refuse-pap
ipcp-accept-remote
# don't route the server's traffic into the tunnel; do answer ARP for client addresses on the LAN
nodefaultroute
proxyarp

Thanks in advance for any help,
Brad Johnson
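The log excerpt above shows the symptom worth recognising in a L2TP/IPsec deployment: charon reports the CHILD_SA for UDP/1701 as established, but xl2tpd then logs the client's tunnel request as arriving "twice" (the client retransmitting its SCCRQ because it never sees an acknowledged reply) and finally times the tunnel out. The following script is an added example, not code from the original post or from the strongSwan or xl2tpd projects: it correlates the two daemons' syslog lines per peer and labels each peer as "IPsec up but L2TP stalled", "L2TP timeout with no SA", or healthy. The sample log lines are constructed to match the post's format (addresses from the RFC 5737 documentation ranges, not real hosts); the regexes assume the standard charon and xl2tpd message formats quoted above, and the selector check accepts both `udp/l2tp` (when /etc/services maps 1701) and `udp/1701`.

```python
"""Correlate strongSwan (charon) CHILD_SA events with xl2tpd control-channel
failures to spot the pattern from the post: IPsec SA up, L2TP tunnel never completes."""
import re
from dataclasses import dataclass, field

# Constructed sample syslog lines modelled on the output quoted in the post.
# Addresses are RFC 5737 documentation ranges, not real hosts. The second
# peer (203.0.113.9) is added to show a peer whose SA came up and whose
# L2TP tunnel did not time out.
SAMPLE_LOG = """\
May 15 16:20:01 gw charon: 14[IKE] CHILD_SA l2tp{21} established with SPIs c774b885_i 443ddb1c_o and TS 192.0.2.1/32[udp/l2tp] === 198.51.100.7/32[udp/l2tp]
May 15 16:20:02 gw xl2tpd[12145]: control_finish: Peer requested tunnel 7 twice, ignoring second one.
May 15 16:20:04 gw xl2tpd[12145]: control_finish: Peer requested tunnel 7 twice, ignoring second one.
May 15 16:20:08 gw xl2tpd[12145]: control_finish: Peer requested tunnel 7 twice, ignoring second one.
May 15 16:20:16 gw xl2tpd[12145]: Maximum retries exceeded for tunnel 32034.  Closing.
May 15 16:20:16 gw xl2tpd[12145]: Connection 7 closed to 198.51.100.7, port 1701 (Timeout)
May 15 16:20:16 gw xl2tpd[12145]: Unable to deliver closing message for tunnel 32034.  Destroying anyway.
May 15 16:25:40 gw charon: 09[IKE] CHILD_SA l2tp{22} established with SPIs 0a1b2c3d_i 4e5f6a7b_o and TS 192.0.2.1/32[udp/l2tp] === 203.0.113.9/32[udp/l2tp]
"""

# Message formats as quoted in the post (assumed stable across versions).
CHILD_SA_RE = re.compile(
    r"charon: \d+\[IKE\] CHILD_SA (?P<conn>[^{]+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<local_ts>\S+) === (?P<remote_ts>\S+)"
)
DUP_REQ_RE = re.compile(r"xl2tpd\[\d+\]: control_finish: Peer requested tunnel (?P<tid>\d+) twice")
TIMEOUT_RE = re.compile(
    r"xl2tpd\[\d+\]: Connection (?P<tid>\d+) closed to (?P<peer>[0-9a-fA-F.:]+), port (?P<port>\d+) \(Timeout\)"
)


@dataclass
class PeerState:
    child_sas: list = field(default_factory=list)  # dicts: line, conn, id, local_sel, remote_sel
    dup_requests: int = 0   # repeated SCCRQs xl2tpd saw before giving up on the tunnel
    timed_out: bool = False


def split_ts(ts: str):
    """'198.51.100.7/32[udp/l2tp]' -> ('198.51.100.7', 'udp/l2tp')."""
    host = ts.split("/", 1)[0]
    sel = ts[ts.index("[") + 1:ts.rindex("]")] if "[" in ts else ""
    return host, sel


def is_l2tp_selector(sel: str) -> bool:
    # charon prints the service name when /etc/services knows port 1701, else the number
    return sel in ("udp/l2tp", "udp/1701")


def diagnose(log_text: str) -> list:
    peers = {}        # remote address -> PeerState
    dup_by_tid = {}   # xl2tpd tunnel id -> count of "requested ... twice" lines
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CHILD_SA_RE.search(line)
        if m:
            remote_ip, remote_sel = split_ts(m.group("remote_ts"))
            _, local_sel = split_ts(m.group("local_ts"))
            peers.setdefault(remote_ip, PeerState()).child_sas.append(
                {"line": lineno, "conn": m.group("conn"), "id": int(m.group("id")),
                 "local_sel": local_sel, "remote_sel": remote_sel})
            continue
        m = DUP_REQ_RE.search(line)
        if m:
            dup_by_tid[m.group("tid")] = dup_by_tid.get(m.group("tid"), 0) + 1
            continue
        m = TIMEOUT_RE.search(line)
        if m:
            # the timeout line is the first xl2tpd message that names the peer,
            # so tie the earlier duplicate-request count to it via the tunnel id
            st = peers.setdefault(m.group("peer"), PeerState())
            st.timed_out = True
            st.dup_requests = dup_by_tid.pop(m.group("tid"), 0)

    findings = []
    for peer, st in peers.items():
        l2tp_sas = [sa for sa in st.child_sas if is_l2tp_selector(sa["local_sel"])]
        if st.timed_out and l2tp_sas:
            verdict = "ipsec_up_l2tp_stalled"
            hint = (f"CHILD_SA {l2tp_sas[-1]['conn']}{{{l2tp_sas[-1]['id']}}} was up, but the client "
                    f"re-sent its SCCRQ {st.dup_requests} time(s) and xl2tpd timed out: check that "
                    "xl2tpd's replies from UDP/1701 match the IPsec policy (ip xfrm policy; tcpdump "
                    "udp port 1701 on the outside interface should show no cleartext L2TP)")
        elif st.timed_out:
            verdict = "l2tp_timeout_no_sa"
            hint = "xl2tpd timed out but no CHILD_SA was logged for this peer: L2TP arrived outside IPsec"
        else:
            verdict = "ipsec_up_no_l2tp_failure"
            hint = "CHILD_SA established and no xl2tpd timeout seen"
        findings.append({"peer": peer, "verdict": verdict, "child_sas": len(st.child_sas),
                         "dup_requests": st.dup_requests, "hint": hint})
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['peer']:>16}  {f['verdict']:<26} sas={f['child_sas']} dup_sccrq={f['dup_requests']}")
        print(f"{'':>16}  {f['hint']}")
```

Run it against `journalctl -u strongswan -u xl2tpd` or the combined syslog on the gateway; a peer classified as `ipsec_up_l2tp_stalled` is the case in the post, and the next thing to look at is whether the reply path from xl2tpd actually goes through the CHILD_SA rather than out in the clear.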