[strongSwan] Problem with windows 7 connecting with strongswan and xl2tpd

Ali Masoudi masoudi1983 at gmail.com
Sun May 18 07:02:14 CEST 2014


Hi Brad

It worked for me with Windows 7 IPsec/L2TP. I think nothing is wrong with
your configuration.

I think Microsoft's L2TP proposal is as follows:

IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ

Best wishes
Ali
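
As an added example (not code from either message or from the strongSwan project): a small check that expands a strongSwan `ike=`/`esp=` line into charon's proposal notation and intersects it with a peer's offered list such as the one above. The keyword-to-name mapping is an assumption that covers only the algorithms appearing in this thread.

```python
import re

# Proposal list as posted above (constructed sample input for this check).
WINDOWS7_OFFERED = """
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
"""

# strongSwan ipsec.conf keyword -> charon log name. Assumed mapping; it only
# covers the algorithms that occur in this thread, so unknown keywords raise.
ENC = {"aes128": "AES_CBC_128", "aes256": "AES_CBC_256",
       "3des": "3DES_CBC", "des": "DES_CBC"}
INTEG = {"sha1": "HMAC_SHA1_96"}
PRF = {"sha1": "PRF_HMAC_SHA1"}
DH = {"modp1024": "MODP_1024", "modp1536": "MODP_1536",
      "modp2048": "MODP_2048", "ecp256": "ECP_256", "ecp384": "ECP_384"}


def expand(conf, kind):
    """Expand 'aes128-sha1-modp1536,3des-sha1-modp1024' into charon-style
    strings. kind is 'IKE' or 'ESP'; for ESP an optional PFS group is ignored
    because charon prints ESP proposals without it."""
    out = []
    for prop in conf.split(","):
        parts = prop.strip().lower().split("-")
        enc, integ = ENC[parts[0]], INTEG[parts[1]]
        if kind == "IKE":
            out.append(f"IKE:{enc}/{integ}/{PRF[parts[1]]}/{DH[parts[2]]}")
        else:
            out.append(f"ESP:{enc}/{integ}/NO_EXT_SEQ")
    return out


def parse_offered(text):
    """Pull every IKE:/ESP: proposal string out of a pasted list."""
    return set(re.findall(r"(?:IKE|ESP):[A-Z0-9_/]+", text))


def common(conf, kind, offered_text):
    """Configured proposals (in config order) that the peer also offers."""
    offered = parse_offered(offered_text)
    return [p for p in expand(conf, kind) if p in offered]
```

Run against the `ike=`/`esp=` lines from the quoted ipsec.conf to see which of the configured proposals appear in the list above; an empty result for a phase is the first thing to compare against the charon log for that SA.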


On Thu, May 15, 2014 at 5:59 PM, Brad Johnson <bjohnson at ecessa.com> wrote:

> We are migrating to strongswan from openswan, where we use xl2tpd to
> handle road-warrior connections from Windows and Mac clients. This worked
> fine with openswan but I can't get it to work with strongswan. When trying
> to connect from a Windows 7 client (set up to use ipsec/l2tp with
> pre-shared key) the SA gets established but xl2tpd times out and closes its
> tunnels.
>
> Here's part of the log output (# all IP addresses redacted with "xxx"):
>
> charon: 14[IKE] CHILD_SA l2tp{21} established with SPIs c774b885_i
> 443ddb1c_o and TS 173.160.xxx.xxx/32[udp/l2tp] === 66.41.xxx.xx/32[udp/l2tp]
>
> xl2tpd[12145]: control_finish: Peer requested tunnel 7 twice, ignoring
> second one. (repeats 2 more times)
> xl2tpd[12145]: Maximum retries exceeded for tunnel 32034.  Closing.
> xl2tpd[12145]: Connection 7 closed to 66.41.xxx.xx, port 1701 (Timeout)
> xl2tpd[12145]: Unable to deliver closing message for tunnel 32034.
> Destroying anyway.
> (above repeats for another tunnel)
>
> My question is, can this work with strongswan? Is anyone else doing this?
> I know according to the documentation that Windows 7 clients can use IKEv2
> and avoid using l2tp altogether, but we still need to support Mac and older
> Windows clients and need this to work.
>
> #/etc/ipsec.conf:
>
> conn l2tp
>     left=173.160.xxx.xxx
>     right=%any
>     auto=add
>     rekey=no
>     leftprotoport=17/1701
>     rightprotoport=17/%any
>     keyingtries=2
>     keyexchange=ikev1
>     leftauth=psk
>     rightauth=psk
>     ikelifetime=8h
>     ike=aes128-sha1-modp1536
>     esp=aes128-sha1
>
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
> 173.160.xxx.xxx %any : PSK "whatever"
>
> # /etc/xl2tpd/xl2tpd.conf:
> [lns road-warrior]
> ppp debug = yes
> lac = 0.0.0.0-255.255.255.255
> local ip = 10.100.10.1
> ip range = 10.100.10.2-10.100.10.50
> require authentication = yes
> pppoptfile = /etc/ppp/road-warrior.options
>
> # /etc/ppp/road-warrior.options:
> lock
> maxfail 0
> persist
> debug
> linkname vpn-road-warrior
> ipparam road-warrior
> auth
> require-chap
> require-mschap-v2
> require-mschap
> refuse-pap
> ipcp-accept-remote
> nodefaultroute
> proxyarp
>
> Thanks in advance for any help,
> Brad Johnson
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>