[strongSwan] ikev1/psk for l2tp broken in 5.2.1
Lars Mueller
lars at perfect-privacy.com
Fri Oct 31 16:14:08 CET 2014
Hi, I ran into some trouble after updating my ~40 ipsec servers from
5.1.3 and 5.2.0 to 5.2.1.
ikev1 psk for l2tp does no longer work with at least OSX, Windows, IOS
and Android clients. (Did not test others)
I think the relevant part why the connections is dropped is right after
QUICK_MODE request is parsed:
5.2.0 works as expected:
Oct 31 14:15:04 13[ENC] <psk-l2tp|1> parsed QUICK_MODE request
2574745524 [ HASH SA No ID ID NAT-OA NAT-OA ]
Oct 31 14:15:04 13[IKE] <psk-l2tp|1> changing received traffic selectors
192.168.1.11/32[udp/57596]=== 94.242.194.98/32[udp/l2f] due to NAT
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> looking for a child config for
94.242.194.98/32[udp/l2f] === 11.22.33.44/32[udp/57596]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> proposing traffic selectors for us:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> 94.242.194.98/32[udp/l2f]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> proposing traffic selectors for other:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> 0.0.0.0/0[udp]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> candidate "psk-l2tp" with prio 5+1
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> found matching child config
"psk-l2tp" with prio 6
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting traffic selectors for other:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> config: 0.0.0.0/0[udp], received:
11.22.33.44/32[udp/57596] => match: 11.22.33.44/32[udp/57596]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting traffic selectors for us:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> config: 94.242.194.98/32[udp/l2f],
received: 94.242.194.98/32[udp/l2f] => match: 94.242.194.98/32[udp/l2f]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting proposal:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> no acceptable
ENCRYPTION_ALGORITHM found
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting proposal:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> no acceptable ENCRYPTION_ALG
Full log: http://pastebin.com/itL14wKd
5.2.1 client will timeout, server reports "no matching CHILD_SA config
found"
Oct 31 14:01:57 11[ENC] <psk-l2tp|1> parsed QUICK_MODE request
3375080396 [ HASH SA No ID ID NAT-OA NAT-OA ]
Oct 31 14:01:57 11[IKE] <psk-l2tp|1> changing received traffic selectors
192.168.1.11/32[udp/52368]=== 94.242.194.98/32[udp/l2f] due to NAT
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> looking for a child config for
94.242.194.98/32[udp/l2f] === 11.22.33.44/32[udp/52368]
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> proposing traffic selectors for us:
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> 94.242.194.98/32[udp/l2f]
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> proposing traffic selectors for other:
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> 0.0.0.0/0[udp]
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> candidate "psk-l2tp" with prio 5+1
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> found matching child config
"psk-l2tp" with prio 6
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> selecting traffic selectors for other:
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> config: 0.0.0.0/0[udp], received:
11.22.33.44/32[udp/52368] => match: 11.22.33.44/32[udp/52368]
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> selecting traffic selectors for us:
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> config: 94.242.194.98/32[udp/l2f],
received: 94.242.194.98/32[udp/l2f] => match: 94.242.194.98/32[udp/l2f]
Oct 31 14:01:57 11[IKE] <psk-l2tp|1> no matching CHILD_SA config found
Full log: http://pastebin.com/vkUEwgMD
Is this a bug in my config or in strongswan? Should I create an issue or
does some developer on this list feel responsible for that?
conn %default
keyingtries=2
left=94.242.194.98
leftfirewall=no
right=%any
conn psk-l2tp
keyexchange=ikev1
authby=psk
rekey=no
type=tunnel
leftnexthop=%defaultroute
leftprotoport=17/1701
rightprotoport=17/%any
rightsubnetwithin=0.0.0.0/0
auto=add
Regards
Lars
PS: What is best practice for very long log files and mailing lists?
pastebin, attachment, inline?
More information about the Users
mailing list