[strongSwan] Problem with IPsec/L2TP VPN!

Kostya Vasilyev kman at fastmail.com
Mon Apr 8 15:07:08 CEST 2019


I think you got the protos backwards, which explains the "no acceptable traffic selectors found".

conn myvpn
 type=transport
 authby=secret
 pfs=no
 rekey=no
 keyingtries=1
 left=%defaultroute
 leftprotoport=udp/l2tp
 right=<vpn-server-ip>
 rightprotoport=udp/%any
 auto=add
 ike=3des-sha1-modp1536!
 esp=3des-sha1!
 keyexchange=ikev1

L2TP uses port 1701 *on the server* - but on the client the port can be anything

Try this instead - on the client:

 leftprotoport=udp/%any
 rightprotoport=udp/l2tp

On the server, assuming it has "left=%defaultroute" or "left=<vpn server ip>" you will want

 leftprotoport=udp/l2tp
 rightprotoport=udp/%any

In other words, for the server:

left = server IP, UDP, port 1701
right = any client IP, UDP, any port

For the client:

left = client IP, UDP, any port
right = server IP, UDP, 1701

*swan will switch left / right as appropriate - but I don't think it can sort out the protos automatically (don't see how it would know to do that).

-- K

--
Kostya Vasilyev
kman at fastmail.com



On Mon, Apr 8, 2019, at 3:08 PM, A P wrote:
> Ok, I have enabled all the logs to level 4. Here is what I get around the error. Is this any more helpful? Perhaps, I need to set left/rightsubmask? Is the problem that it used my public ip rather than router internal? I don't think there is anything else missing from config (I don't have access to server log unfortunately)
> 
> 
> *LOG*
> Apr 08 21:19:45 cosmic charon[3199]: 04[IKE] changing received traffic selectors <my-public-ip>/32[udp]=== <vpn-server-ip>/32[udp/l2f] due to NAT
> Apr 08 21:19:45 cosmic charon[3199]: 04[CHD] CHILD_SA myvpn{1} state change: CREATED => INSTALLING
> Apr 08 21:19:45 cosmic charon[3199]: 04[IKE] no acceptable traffic selectors found
> Apr 08 21:19:45 cosmic charon[3199]: 04[IKE] queueing INFORMATIONAL task
> Apr 08 21:19:45 cosmic charon[3199]: 04[CHD] CHILD_SA myvpn{1} state change: INSTALLING => DESTROYING
> Apr 08 21:19:45 cosmic charon[3199]: 04[KNL] deleting SAD entry with SPI cb524fd7
> 
> 
> *later there's also stuff like*
> 
> Apr 08 21:47:49 cosmic ipsec[3798]: 03[IKE] received retransmit of response with ID 2810990975, but next request already sent
> 
> 
> 
> *CONFIGS*
> 
> *ipsec.conf (I don't think the others really matter at this point)*
> 
> conn myvpn
>  type=transport
>  authby=secret
>  pfs=no
>  rekey=no
>  keyingtries=1
>  left=%defaultroute
>  leftprotoport=udp/l2tp
>  right=<vpn-server-ip>
>  rightprotoport=udp/%any
>  auto=add
>  ike=3des-sha1-modp1536!
>  esp=3des-sha1!
>  keyexchange=ikev1
> 
> 
> 
> *xl2tpd.conf (tried with lac section as well)*
> 
> [global]
> port = 1701
> access control = no
> 
> [lns default]
> local ip = 192.168.1.2
> require authentication = yes
> name = myvpn
> pppoptfile = /etc/ppp/options.l2tpd
> 
> 
> 
> *options.l2tp (tried many others, with username/password, too)*
> noccp
> auth
> crtscts
> mtu 1410
> mru 1410
> nodefaultroute
> lock
> proxyarp
> silent
> 
> 
> also there is a secrets file obviously
> 
> 
> 
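A small checker for the mirroring rule Kostya describes above, added here as an example (Python; not code from the thread or from strongSwan). It parses the client conn block posted in the thread plus an assumed server conn, and reports which protoport lines break the rule that the L2TP port (udp/1701) belongs on the server side and that each side's left must mirror the other side's right.

```python
# Constructed sample conn blocks: the first is the client config from the thread,
# the server block is an assumed mirror of it (not taken from the thread).
BROKEN_CLIENT = """conn myvpn
 left=%defaultroute
 leftprotoport=udp/l2tp
 right=<vpn-server-ip>
 rightprotoport=udp/%any
"""
FIXED_CLIENT = (BROKEN_CLIENT.replace("leftprotoport=udp/l2tp", "leftprotoport=udp/%any")
                .replace("rightprotoport=udp/%any", "rightprotoport=udp/l2tp"))
SERVER = """conn l2tp-server
 left=%defaultroute
 leftprotoport=udp/l2tp
 right=%any
 rightprotoport=udp/%any
"""
SERVICE_PORTS = {"l2tp": 1701, "%any": 0, "": 0}  # port 0 stands for "any port"
PROTO_NAMES = {"17": "udp", "6": "tcp", "0": "any", "%any": "any"}

def parse_protoport(value):
    """'udp/l2tp' -> ('udp', 1701); 'udp/%any' -> ('udp', 0); '17/1701' -> ('udp', 1701)."""
    proto, _, port = value.strip().partition("/")
    port = SERVICE_PORTS[port] if port in SERVICE_PORTS else int(port)
    return PROTO_NAMES.get(proto, proto.lower()), port

def parse_conn(text):
    """Parse one ipsec.conf conn block into a {key: value} dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("conn ", "#")):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def check_l2tp_selectors(client, server):
    """List the protoport problems between a client conn and the server conn it talks to.
    The L2TP listener is on the server, so the server's left and the client's right
    must be udp/1701, and each side's left must equal the other side's right."""
    c_local, c_remote = (parse_protoport(client.get(k, "%any")) for k in ("leftprotoport", "rightprotoport"))
    s_local, s_remote = (parse_protoport(server.get(k, "%any")) for k in ("leftprotoport", "rightprotoport"))
    rules = [
        (s_local == ("udp", 1701), "server leftprotoport should be udp/l2tp"),
        (c_remote == ("udp", 1701), "client rightprotoport should be udp/l2tp"),
        (c_local == s_remote, "client leftprotoport must mirror server rightprotoport"),
        (c_remote == s_local, "client rightprotoport must mirror server leftprotoport"),
    ]
    return [msg for ok, msg in rules if not ok]

if __name__ == "__main__":
    for name, conn in (("broken client", BROKEN_CLIENT), ("fixed client", FIXED_CLIENT)):
        print(name, check_l2tp_selectors(parse_conn(conn), parse_conn(SERVER)) or "OK")
```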