[strongSwan] Problem with IPsec/L2TP VPN!

Kostya Vasilyev kman at fastmail.com
Sun Apr 7 17:57:12 CEST 2019


Your log says it's a problem with traffic selectors. Not encryption.

- What is your overall setup?

strongSwan / libreSwan on server / client?

- What are you trying to do?

An L2TP / IPSec connection?

- What are your configs?

Please show config files from both sides (feel free to obfuscate IP addresses).

When using NetworkManager to create an L2TP / IPSec connection, the *swan config should be under /var/run/nm-l2tp-*

Re: strong / libre settings

If you use the "old" config format in strongSwan (it has two), it's the same (more or less) as libreSwan. Definitely for encryption / proposals.

-- K


On Sun, Apr 7, 2019, at 6:51 PM, A P wrote:
> Ok, it just does not work, no matter what I try and what I read...
> 
> Perhaps I am using the wrong Phase1 and Phase2 settings. What should these entries be for Strongswan and also for Libreswan?
> 
> Here is what ike-scan returned:
> ... SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 ...
> 
> Thanks for your help!
> 
> 
> 
> *From:* Users <users-bounces at lists.strongswan.org> on behalf of Kostya Vasilyev <kman at fastmail.com>
> *Sent:* Sunday, 7 April 2019 02:08
> *To:* users at lists.strongswan.org
> *Subject:* Re: [strongSwan] Problem with IPsec/L2TP VPN!
> 
> Hi,
> 
> On Sat, Apr 6, 2019, at 5:21 PM, A P wrote:
>> I have tried and tried and tried... With NetworkManager and totally manually, and I get the same error, with nothing much about it on the web... I get "*no acceptable traffic selectors found*"
>> 
>> Thanks in advance for your help!
>> 
>> 
>> Here is the log:
>> 
>> initiating Main Mode IKE_SA myvpn[1] to 180.235.156.4
>> generating ID_PROT request 0 [ SA V V V V V ]
>> sending packet: from 192.168.1.2[500] to 180.235.156.4[500] (176 bytes)
>> received packet: from 180.235.156.4[500] to 192.168.1.2[500] (124 bytes)
>> parsed ID_PROT response 0 [ SA V V ]
>> received NAT-T (RFC 3947) vendor ID
>> received FRAGMENTATION vendor ID
>> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> sending packet: from 192.168.1.2[500] to 180.235.156.4[500] (244 bytes)
>> received packet: from 180.235.156.4[500] to 192.168.1.2[500] (304 bytes)
>> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
>> received Cisco Unity vendor ID
>> received XAuth vendor ID
>> received unknown vendor ID: 65:83:ea:08:11:06:75:21:d2:51:cd:44:16:26:47:73
>> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
>> local host is behind NAT, sending keep alives
>> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
>> sending packet: from 192.168.1.2[4500] to 180.235.156.4[4500] (100 bytes)
>> received packet: from 180.235.156.4[4500] to 192.168.1.2[4500] (84 bytes)
>> parsed ID_PROT response 0 [ ID HASH V ]
>> received DPD vendor ID
>> IKE_SA myvpn[1] established between 192.168.1.2[192.168.1.2]...180.235.156.4[180.235.156.4]
>> scheduling reauthentication in 3390s
>> maximum IKE_SA lifetime 3570s
>> generating QUICK_MODE request 3689125877 [ HASH SA No ID ID NAT-OA NAT-OA ]
>> sending packet: from 192.168.1.2[4500] to 180.235.156.4[4500] (188 bytes)
>> received packet: from 180.235.156.4[4500] to 192.168.1.2[4500] (204 bytes)
>> parsed QUICK_MODE response 3689125877 [ HASH SA No ID ID N((24576)) NAT-OA NAT-OA ]
>> selected proposal: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
>> *no acceptable traffic selectors found*
>> establishing connection 'myvpn' failed
> 
> l2tp works over UDP and it's a fixed port 1701 on the server.
> 
> You need to have "traffic selectors" that match that - so that IPSec knows what exactly (what *traffic*) you want to encrypt - and they need to agree between the server and the client.
> 
> I assume that Network Manager has set this up correctly on your "local" side.
> 
> Let's check your server config. Please post your tunnel config file - i.e. the file where you have "left=", "right=", and all that fun stuff.
> 
> And please check that you have items like these
> 
> leftprotoport=17/1701
> rightprotoport=17/%any
> 
> Protocol 17 is UDP and we need port number 1701 on the server.
> 
> Or use names
> 
> leftprotoport=udp/l2tp
> rightprotoport=udp/%any
> 
> This is for "legacy" config file format (which it seems is used more often, because of tutorials on the web).
> 
> PS - this seems like a good tutorial
> 
> https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server
> 
> PPS - 3DES and MD5 are not considered good enough these days...
> 
> -- K
> 
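The two-sided check Kostya describes (the client's right side is the server's left side, udp/1701 on the server, %any on the client port, and no 3DES/MD5), written out as an added example. This is not code from the thread, from strongSwan or from NetworkManager: it parses one legacy-format `conn` section per side, applies a deliberately simplified IKEv1 Quick Mode selector-matching rule (`%any` adopts the peer's port; a bare "any" must match exactly), and flags the legacy algorithms. The config text, `vpn.example.net`, the conn names and the "modernized" proposal are all constructed placeholders.

```python
"""Cross-check the L2TP/IPsec traffic selectors and proposals of two
legacy-format strongSwan ipsec.conf snippets (added example, not from the thread)."""
import re

# Constructed sample configs; hostname and conn names are placeholders.
SERVER_CONF = """
conn l2tp-psk
    keyexchange=ikev1
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    ike=3des-sha1-modp1024
    esp=3des-md5
"""
CLIENT_CONF = """
conn myvpn
    keyexchange=ikev1
    type=transport
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=vpn.example.net
    rightprotoport=udp/l2tp
    ike=3des-sha1-modp1024
    esp=3des-md5
"""
# Server variant with the protoport lines left out, as in a misconfigured tunnel.
SERVER_CONF_NO_TS = re.sub(r"^[ \t]*(left|right)protoport=.*\n", "", SERVER_CONF, flags=re.M)

def modernize(conf):
    """Swap the legacy proposals for one non-legacy example (assumed here;
    the L2TP client in use must support it too)."""
    return (conf.replace("ike=3des-sha1-modp1024", "ike=aes256-sha256-modp2048")
                .replace("esp=3des-md5", "esp=aes256-sha256"))

PROTO_NAMES = {"udp": 17, "tcp": 6}
PORT_NAMES = {"l2tp": 1701}
WEAK_ALGS = {"3des", "md5", "modp1024"}  # 3DES/MD5 per the thread; 1024-bit DH

def parse_conn(text):
    """Return {key: value} for the first 'conn' section of an ipsec.conf snippet."""
    settings, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            if in_conn:
                break                       # only the first conn section
            settings["name"], in_conn = line.split(None, 1)[1], True
        elif in_conn and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_protoport(value):
    """'17/1701', 'udp/l2tp', 'udp/%any' or '' -> (proto, port). 0 is 'any' and
    in this simplified IKEv1 model must match exactly on both ends; None is
    %any, which strongSwan fills from the peer's proposal."""
    if not value:
        return 0, 0
    proto, _, port = value.lower().partition("/")
    proto_n = int(proto) if proto.isdigit() else PROTO_NAMES[proto]
    if port in ("", "0"):
        return proto_n, 0
    if port == "%any":
        return proto_n, None
    return proto_n, (int(port) if port.isdigit() else PORT_NAMES[port])

def compatible(a, b):
    """Selectors agree when protocols match and a port is %any or both are equal."""
    return a[0] == b[0] and (a[1] is None or b[1] is None or a[1] == b[1])

def check_l2tp_pair(client_conf, server_conf):
    """Return findings (strings); empty means the selectors agree and no legacy algs."""
    c, s = parse_conn(client_conf), parse_conn(server_conf)
    sel = lambda conf, side: parse_protoport(conf.get(side + "protoport", ""))
    fmt = lambda pp: f"{pp[0]}/{'%any' if pp[1] is None else pp[1]}"
    findings = []
    # The client's "right" is the server's "left" and vice versa.
    for c_side, s_side in (("right", "left"), ("left", "right")):
        cs, ss = sel(c, c_side), sel(s, s_side)
        if not compatible(cs, ss):
            findings.append(f"selector mismatch: client {c_side}protoport={fmt(cs)} "
                            f"vs server {s_side}protoport={fmt(ss)}")
    if sel(s, "left") != (17, 1701):
        findings.append("server leftprotoport is not udp/1701 (L2TP listens on UDP 1701)")
    for who, conf in (("client", c), ("server", s)):
        for key in ("ike", "esp"):
            for alg in re.split(r"[-,!]", conf.get(key, "").lower()):
                if alg in WEAK_ALGS:
                    findings.append(f"{who} {key}= uses legacy algorithm {alg}")
    return findings

if __name__ == "__main__":
    for label, server in (("server as posted", SERVER_CONF), ("no protoport", SERVER_CONF_NO_TS)):
        print(label, check_l2tp_pair(CLIENT_CONF, server), sep="\n  ")
```

Run against the posted-style pair it reports only the legacy algorithms; with the protoport lines missing on the server it reports the two selector mismatches that correspond to the "no acceptable traffic selectors found" failure, plus the missing udp/1701 on the server side. The matching rule is a model for reading configs, not a reimplementation of charon's selector negotiation.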