[strongSwan] Problem with IPsec/L2TP VPN!

Kostya Vasilyev kman at fastmail.com
Sat Apr 6 17:08:00 CEST 2019


Hi,

On Sat, Apr 6, 2019, at 5:21 PM, A P wrote:
> I have tried and tried and tried... With NetworkManager and totally manually, and I get the same error, with nothing much about it on the web... I get "*no acceptable traffic selectors found*"
> 
> Thanks in advance for your help!
> 
> 
> Here is the log:
> 
> initiating Main Mode IKE_SA myvpn[1] to 180.235.156.4
> generating ID_PROT request 0 [ SA V V V V V ]
> sending packet: from 192.168.1.2[500] to 180.235.156.4[500] (176 bytes)
> received packet: from 180.235.156.4[500] to 192.168.1.2[500] (124 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received NAT-T (RFC 3947) vendor ID
> received FRAGMENTATION vendor ID
> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 192.168.1.2[500] to 180.235.156.4[500] (244 bytes)
> received packet: from 180.235.156.4[500] to 192.168.1.2[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: 65:83:ea:08:11:06:75:21:d2:51:cd:44:16:26:47:73
> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 192.168.1.2[4500] to 180.235.156.4[4500] (100 bytes)
> received packet: from 180.235.156.4[4500] to 192.168.1.2[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA myvpn[1] established between 192.168.1.2[192.168.1.2]...180.235.156.4[180.235.156.4]
> scheduling reauthentication in 3390s
> maximum IKE_SA lifetime 3570s
> generating QUICK_MODE request 3689125877 [ HASH SA No ID ID NAT-OA NAT-OA ]
> sending packet: from 192.168.1.2[4500] to 180.235.156.4[4500] (188 bytes)
> received packet: from 180.235.156.4[4500] to 192.168.1.2[4500] (204 bytes)
> parsed QUICK_MODE response 3689125877 [ HASH SA No ID ID N((24576)) NAT-OA NAT-OA ]
> selected proposal: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
> *no acceptable traffic selectors found*
> establishing connection 'myvpn' failed

L2TP works over UDP, and it's a fixed port, 1701, on the server.

You need to have "traffic selectors" that match that - so that IPSec knows what exactly (what *traffic*) you want to encrypt - and they need to agree between the server and the client.

I assume that Network Manager has set this up correctly on your "local" side.

Let's check your server config. Please post your tunnel config file - i.e. the file where you have "left=", "right=", and all that fun stuff.

And please check that you have items like these:

leftprotoport=17/1701
rightprotoport=17/%any

Protocol 17 is UDP and we need port number 1701 on the server.

Or use names:

leftprotoport=udp/l2tp
rightprotoport=udp/%any

This is for "legacy" config file format (which it seems is used more often, because of tutorials on the web).

PS - this seems like a good tutorial:

https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server

PPS - 3DES and MD5 are not considered good enough these days...

-- K