[strongSwan] kmod-libipsec issue with L2TP/IPSEC

S. M. Tanjeen tanjeensarkar at gmail.com
Tue Nov 23 13:56:53 CET 2021


Hi,

I am trying to set up a VPN server on the OpenWrt x86 platform.
The VPN server will serve both site-to-site and remote-access VPN.

To accomplish this, I am using strongSwan 5.6.3 along with xl2tpd for
the remote-access VPN part.

The issue is that when kmod-libipsec is loaded in charon, I can't
establish the L2TP connection.

Meanwhile, there is an ipsec0 interface in ifconfig and the site-to-site
tunnel works.

If kmod-libipsec is not loaded, the remote-access VPN works but I can't
establish the site-to-site VPN part.

Log: loaded (kmod-libipsec)
-----------------------------------------------------------

Tue Nov 23 20:43:19 2021 daemon.info : 12[IKE] 192.168.122.1 is
initiating a Main Mode IKE_SA
Tue Nov 23 20:43:19 2021 authpriv.info : 12[IKE] 192.168.122.1 is
initiating a Main Mode IKE_SA
Tue Nov 23 20:43:19 2021 daemon.info : 12[ENC] generating ID_PROT
response 0 [ SA V V V V ]
Tue Nov 23 20:43:19 2021 daemon.info : 12[NET] sending packet: from
192.168.122.146[500] to 192.168.122.1[500] (160 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 13[NET] received packet: from
192.168.122.1[500] to 192.168.122.146[500] (396 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 13[ENC] parsed ID_PROT request 0
[ KE No NAT-D NAT-D ]
Tue Nov 23 20:43:19 2021 daemon.info : 13[IKE] faking NAT situation to
enforce UDP encapsulation
Tue Nov 23 20:43:19 2021 daemon.info : 13[ENC] generating ID_PROT
response 0 [ KE No NAT-D NAT-D ]
Tue Nov 23 20:43:19 2021 daemon.info : 13[NET] sending packet: from
192.168.122.146[500] to 192.168.122.1[500] (396 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 14[NET] received packet: from
192.168.122.1[4500] to 192.168.122.146[4500] (92 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 14[ENC] parsed ID_PROT request 0
[ ID HASH ]
Tue Nov 23 20:43:19 2021 daemon.info : 14[CFG] looking for pre-shared
key peer configs matching
192.168.122.146...192.168.122.1[192.168.122.1]
Tue Nov 23 20:43:19 2021 daemon.info : 14[CFG] selected peer config
"L2TP-PSK-noNAT"
Tue Nov 23 20:43:19 2021 daemon.info : 14[IKE] IKE_SA L2TP-PSK-noNAT[2] 
established between
192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]
Tue Nov 23 20:43:19 2021 authpriv.info : 14[IKE] IKE_SA L2TP-PSK-
noNAT[2] established between
192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]
Tue Nov 23 20:43:19 2021 daemon.info : 14[ENC] generating ID_PROT
response 0 [ ID HASH ]
Tue Nov 23 20:43:19 2021 daemon.info : 14[NET] sending packet: from
192.168.122.146[4500] to 192.168.122.1[4500] (92 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 16[NET] received packet: from
192.168.122.1[4500] to 192.168.122.146[4500] (268 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 16[ENC] parsed QUICK_MODE
request 3146332676 [ HASH SA No ID ID NAT-OA NAT-OA ]
Tue Nov 23 20:43:19 2021 daemon.info : 16[IKE] received 3600s lifetime,
configured 0s
Tue Nov 23 20:43:19 2021 daemon.info : 16[ENC] generating QUICK_MODE
response 3146332676 [ HASH SA No ID ID NAT-OA NAT-OA ]
Tue Nov 23 20:43:19 2021 daemon.info : 16[NET] sending packet: from
192.168.122.146[4500] to 192.168.122.1[4500] (204 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 10[NET] received packet: from
192.168.122.1[4500] to 192.168.122.146[4500] (76 bytes)
Tue Nov 23 20:43:19 2021 daemon.info : 10[ENC] parsed QUICK_MODE
request 3146332676 [ HASH ]
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP]   IPsec SA: unsupported
mode
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] failed to create SAD
entry
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP]   IPsec SA: unsupported
mode
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] failed to create SAD
entry
Tue Nov 23 20:43:19 2021 daemon.info : 10[IKE] unable to install
inbound and outbound IPsec SA (SAD) in kernel
Tue Nov 23 20:43:19 2021 daemon.info : 10[IKE] sending DELETE for ESP
CHILD_SA with SPI c27f86ad
Tue Nov 23 20:43:19 2021 daemon.info : 10[ENC] generating
INFORMATIONAL_V1 request 600730204 [ HASH D ]
Tue Nov 23 20:43:19 2021 daemon.info : 10[NET] sending packet: from
192.168.122.146[4500] to 192.168.122.1[4500] (92 bytes)
Tue Nov 23 20:43:24 2021 daemon.info : 12[IKE] retransmit 3 of request
with message ID 0
Tue Nov 23 20:43:24 2021 daemon.info : 12[NET] sending packet: from
192.168.122.146[500] to 192.168.122.122[500] (336 bytes)
Tue Nov 23 20:43:34 2021 daemon.info : 14[NET] received packet: from
192.168.122.1[4500] to 192.168.122.146[4500] (108 bytes)
Tue Nov 23 20:43:34 2021 daemon.info : 14[ENC] parsed INFORMATIONAL_V1
request 3707351145 [ HASH D ]
Tue Nov 23 20:43:34 2021 daemon.info : 14[IKE] received DELETE for
IKE_SA L2TP-PSK-noNAT[2]
Tue Nov 23 20:43:34 2021 daemon.info : 14[IKE] deleting IKE_SA L2TP-
PSK-noNAT[2] between
192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]
Tue Nov 23 20:43:34 2021 authpriv.info : 14[IKE] deleting IKE_SA L2TP-
PSK-noNAT[2] between
192.168.122.146[192.168.122.146]...192.168.122.1[192.168.122.1]

My IPsec config (cat /etc/ipsec.conf):
----------------------------
config setup
        charondebug="all"
        uniqueids=yes

conn toDHK
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        leftauth=psk
        rightauth=psk
        left=192.168.122.222
        leftid=192.168.122.222
        right=192.168.122.146
        rightid=192.168.122.146
        mobike=yes
        ike=aes128-sha256-modp1024!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28080s
        rekey=yes
        margintime=60s
        dpddelay=10s
        dpdtimeout=60
        dpdaction=restart
        forceencaps=no
        leftsubnet=192.168.40.0/24
        rightsubnet=192.168.30.0/24
        esp=aes128gcm16-modp1024!
        lifetime=3600s

conn L2TP-PSK-noNAT
        keyexchange=ikev1
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        rekey=no
        ikelifetime=8h
        keylife=1h
        type=transport
        left=192.168.122.222
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
# /etc/ipsec.secrets - strongSwan IPsec secrets file
%any %any : PSK "12345678"


  Regards,
SM Tanjeen
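A triage helper for the failure shown in the log above, written as an added example for this archive page; it is not code from the original post or from the strongSwan project. It relies on one documented property of strongSwan's libipsec backend (the kmod-libipsec package on OpenWrt): it implements ESP in tunnel mode only, so a conn with type=transport, which L2TP/IPsec requires, is rejected when the CHILD_SA is installed and charon logs "IPsec SA: unsupported mode". The script reads an ipsec.conf in the format posted above, names the conns libipsec cannot serve, pulls the matching SAD failures and torn-down SPIs out of charon log lines, and also reviews the posted ipsec.secrets entry. The function names, the 20-character PSK threshold and the embedded inputs (copied from the post) are this example's own constructions.

```python
"""Spot strongSwan conns that the libipsec (userland ESP) backend cannot
install, and pull the matching failures out of charon's log.

Added example, not code from the original post or from strongSwan.  It relies
on one documented property of the libipsec plugin: it implements ESP in tunnel
mode only, so a conn with type=transport (what L2TP/IPsec needs) is rejected
at SA installation time with "IPsec SA: unsupported mode".
"""
import re
from typing import Dict, List

# Constructed sample: the two conns from the post, trimmed to the keys that matter here.
IPSEC_CONF = """\
config setup
        charondebug="all"

conn toDHK
        type=tunnel
        keyexchange=ikev2
        leftsubnet=192.168.40.0/24
        rightsubnet=192.168.30.0/24

conn L2TP-PSK-noNAT
        keyexchange=ikev1
        type=transport
        leftprotoport=17/1701
        right=%any
"""

# Constructed sample log: charon lines copied from the post, unwrapped.
CHARON_LOG = """\
Tue Nov 23 20:43:19 2021 daemon.info : 10[ENC] parsed QUICK_MODE request 3146332676 [ HASH ]
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP]   IPsec SA: unsupported mode
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] failed to create SAD entry
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP]   IPsec SA: unsupported mode
Tue Nov 23 20:43:19 2021 daemon.info : 10[ESP] failed to create SAD entry
Tue Nov 23 20:43:19 2021 daemon.info : 10[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Tue Nov 23 20:43:19 2021 daemon.info : 10[IKE] sending DELETE for ESP CHILD_SA with SPI c27f86ad
"""

# Constructed sample: the ipsec.secrets line from the post.
SECRETS = '%any %any : PSK "12345678"\n'


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: 'conn NAME' opens a section, indented key=value lines fill it."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header: "conn toDHK" or "config setup"
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return conns


def libipsec_incompatible(conns: Dict[str, Dict[str, str]]) -> List[str]:
    """Conns libipsec cannot install: transport mode (strongSwan's default 'type' is tunnel)."""
    return sorted(n for n, c in conns.items() if c.get("type", "tunnel") == "transport")


LOG_RE = re.compile(r"(?P<thread>\d+)\[(?P<grp>[A-Z]+)\]\s+(?P<msg>.*)$")


def find_sad_failures(log: str) -> Dict[str, object]:
    """Count 'unsupported mode' rejections and collect SPIs of CHILD_SAs deleted as a result."""
    unsupported = 0
    spis: List[str] = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if m.group("grp") == "ESP" and "unsupported mode" in msg:
            unsupported += 1
        spi = re.search(r"sending DELETE for ESP CHILD_SA with SPI ([0-9a-f]+)", msg)
        if spi:
            spis.append(spi.group(1))
    return {"unsupported_mode": unsupported, "deleted_spis": spis}


def review_secrets(text: str, min_len: int = 20) -> List[str]:
    """Flag PSK entries that any peer pair can use and PSKs shorter than min_len (chosen here)."""
    findings: List[str] = []
    for line in text.splitlines():
        m = re.match(r'\s*(?P<sel>.*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"', line)
        if not m:
            continue
        selectors = m.group("sel").split()
        if all(s == "%any" for s in selectors):  # empty or all-%any selector list
            findings.append("PSK entry matches any peer pair (%any %any)")
        if len(m.group("psk")) < min_len:
            findings.append(f"PSK is only {len(m.group('psk'))} characters")
    return findings


if __name__ == "__main__":
    conns = parse_ipsec_conf(IPSEC_CONF)
    print("libipsec cannot serve:", libipsec_incompatible(conns))
    print("charon failures:", find_sad_failures(CHARON_LOG))
    print("secrets review:", review_secrets(SECRETS))
```

Run against the posted configuration it names L2TP-PSK-noNAT as the conn libipsec cannot install, ties the two "unsupported mode" lines to the deleted CHILD_SA c27f86ad, and flags the secrets entry on both counts: a wildcard `%any %any` selector hands the same PSK to every IKEv1 peer, and an 8-digit numeric secret is far below what a PSK-authenticated Main Mode exchange should rely on.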