[strongSwan] ikev1/psk for l2tp broken in 5.2.1

Lars Mueller lars at perfect-privacy.com
Fri Oct 31 16:14:08 CET 2014


Hi, I ran into some trouble after updating my ~40 ipsec servers from
5.1.3 and 5.2.0 to 5.2.1.
ikev1 psk for l2tp no longer works with at least OSX, Windows, iOS
and Android clients. (Did not test others.)

I think the relevant part, and the reason the connection is dropped, is right after
the QUICK_MODE request is parsed:

5.2.0 works as expected:
Oct 31 14:15:04 13[ENC] <psk-l2tp|1> parsed QUICK_MODE request
2574745524 [ HASH SA No ID ID NAT-OA NAT-OA ]
Oct 31 14:15:04 13[IKE] <psk-l2tp|1> changing received traffic selectors
192.168.1.11/32[udp/57596]=== 94.242.194.98/32[udp/l2f] due to NAT
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> looking for a child config for
94.242.194.98/32[udp/l2f] === 11.22.33.44/32[udp/57596]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> proposing traffic selectors for us:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1>  94.242.194.98/32[udp/l2f]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> proposing traffic selectors for other:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1>  0.0.0.0/0[udp]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1>   candidate "psk-l2tp" with prio 5+1
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> found matching child config
"psk-l2tp" with prio 6
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting traffic selectors for other:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1>  config: 0.0.0.0/0[udp], received:
11.22.33.44/32[udp/57596] => match: 11.22.33.44/32[udp/57596]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting traffic selectors for us:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1>  config: 94.242.194.98/32[udp/l2f],
received: 94.242.194.98/32[udp/l2f] => match: 94.242.194.98/32[udp/l2f]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting proposal:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1>   no acceptable
ENCRYPTION_ALGORITHM found
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting proposal:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1>   no acceptable ENCRYPTION_ALG
Full log: http://pastebin.com/itL14wKd


5.2.1: the client will time out, and the server reports "no matching CHILD_SA config
found":
Oct 31 14:01:57 11[ENC] <psk-l2tp|1> parsed QUICK_MODE request
3375080396 [ HASH SA No ID ID NAT-OA NAT-OA ]
Oct 31 14:01:57 11[IKE] <psk-l2tp|1> changing received traffic selectors
192.168.1.11/32[udp/52368]=== 94.242.194.98/32[udp/l2f] due to NAT
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> looking for a child config for
94.242.194.98/32[udp/l2f] === 11.22.33.44/32[udp/52368]
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> proposing traffic selectors for us:
Oct 31 14:01:57 11[CFG] <psk-l2tp|1>  94.242.194.98/32[udp/l2f]
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> proposing traffic selectors for other:
Oct 31 14:01:57 11[CFG] <psk-l2tp|1>  0.0.0.0/0[udp]
Oct 31 14:01:57 11[CFG] <psk-l2tp|1>   candidate "psk-l2tp" with prio 5+1
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> found matching child config
"psk-l2tp" with prio 6
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> selecting traffic selectors for other:
Oct 31 14:01:57 11[CFG] <psk-l2tp|1>  config: 0.0.0.0/0[udp], received:
11.22.33.44/32[udp/52368] => match: 11.22.33.44/32[udp/52368]
Oct 31 14:01:57 11[CFG] <psk-l2tp|1> selecting traffic selectors for us:
Oct 31 14:01:57 11[CFG] <psk-l2tp|1>  config: 94.242.194.98/32[udp/l2f],
received: 94.242.194.98/32[udp/l2f] => match: 94.242.194.98/32[udp/l2f]
Oct 31 14:01:57 11[IKE] <psk-l2tp|1> no matching CHILD_SA config found
Full log: http://pastebin.com/vkUEwgMD


Is this a bug in my config or in strongswan? Should I create an issue or
does some developer on this list feel responsible for that?  


conn %default
        keyingtries=2
        left=94.242.194.98
        leftfirewall=no
        right=%any

conn psk-l2tp
        keyexchange=ikev1
        authby=psk
        rekey=no
        type=tunnel
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        rightprotoport=17/%any
        rightsubnetwithin=0.0.0.0/0
        auto=add


Regards
Lars



PS: What is best practice for very long log files and mailing lists?
pastebin, attachment, inline?
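To compare the two charon logs above mechanically rather than by eye, here is a small log-diff helper (an added example, not part of the original post or of strongSwan). It re-joins the lines the mail client wrapped, extracts the traffic selectors each run settled on, and classifies how Quick Mode ended; the sample logs are abbreviated excerpts of the two runs quoted above. The point it makes: both versions select identical traffic selectors, so the regression sits after TS selection.

```python
import re

# charon line as pasted above: "<mon> <day> <time> <thread>[<group>] <<conn>|<id>> <msg>"
LOG_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<thread>\d+)\[(?P<group>\w+)\] "
                    r"<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> (?P<msg>.*)$")

# Constructed excerpts of the 5.2.0 and 5.2.1 runs shown in the mail (line-wrapped as pasted).
LOG_5_2_0 = """\
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> found matching child config
"psk-l2tp" with prio 6
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting traffic selectors for other:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1>  config: 0.0.0.0/0[udp], received:
11.22.33.44/32[udp/57596] => match: 11.22.33.44/32[udp/57596]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting traffic selectors for us:
Oct 31 14:15:04 13[CFG] <psk-l2tp|1>  config: 94.242.194.98/32[udp/l2f],
received: 94.242.194.98/32[udp/l2f] => match: 94.242.194.98/32[udp/l2f]
Oct 31 14:15:04 13[CFG] <psk-l2tp|1> selecting proposal:
"""
LOG_5_2_1 = LOG_5_2_0.replace("14:15:04 13", "14:01:57 11").replace("57596", "52368") \
    .replace("selecting proposal:", "no matching CHILD_SA config found") \
    .replace("13[CFG] <psk-l2tp|1> no matching", "11[IKE] <psk-l2tp|1> no matching")

def parse(text):
    """Parse pasted log text into records; non-matching lines are wrapped continuations."""
    records = []
    for raw in text.strip().splitlines():
        m = LOG_RE.match(raw.strip())
        if m:
            rec = m.groupdict(); rec["msg"] = rec["msg"].strip(); records.append(rec)
        elif records:
            records[-1]["msg"] += " " + raw.strip()
    return records

def quick_mode_outcome(text):
    """Return the selected TS per side and how the QUICK_MODE exchange ended."""
    out = {"child_config_found": False, "selected": {}, "outcome": "unknown"}
    side = None
    for rec in parse(text):
        msg = rec["msg"]
        if msg.startswith("found matching child config"):
            out["child_config_found"] = True
        elif msg.startswith("selecting traffic selectors for "):
            side = msg.split("for ", 1)[1].rstrip(":")       # "us" or "other"
        elif side and msg.startswith("config:"):
            m = re.search(r"=> match: (\S+)", msg)
            if m:
                out["selected"][side] = m.group(1)
        elif msg.startswith("selecting proposal"):
            out["outcome"] = "proposal_selection"
        elif msg.startswith("no matching CHILD_SA config found"):
            out["outcome"] = "no_child_sa_config"
    return out

def diverges_after_ts_selection(before, after):
    """True when both runs pick the same selectors (ignoring the client port) but end differently."""
    b, a = quick_mode_outcome(before), quick_mode_outcome(after)
    strip_port = lambda sel: {k: re.sub(r"/\d+\]$", "]", v) for k, v in sel.items()}
    return strip_port(b["selected"]) == strip_port(a["selected"]) and b["outcome"] != a["outcome"]
```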
