Dear all,
I have set up an L2TP server using mpd5, and it works fine. However, when I switch IPSec (ipsec-tools) on, the client doesn't seem to be able to connect to the server: it looks like the server doesn't get any packets from the client.
The IPSec configs follow:
Client setkey.conf:
Code:
flush;
spdflush;
spdadd 0.0.0.0/0 <server IP>[1701] udp -P out ipsec esp/transport//require;
spdadd <server IP>[1701] 0.0.0.0/0 udp -P in ipsec esp/transport//require;
Server setkey.conf:
Code:
flush;
spdflush;
spdadd 0.0.0.0/0[any] <server IP>[1701] udp -P in ipsec esp/transport//require;
spdadd <server IP>[1701] 0.0.0.0/0[any] udp -P out ipsec esp/transport//require;
Client racoon.conf:
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log info;
padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
listen {
    isakmp <client local IP>;
    strict_address;
    adminsock "/var/db/racoon/racoon.sock";
}
timer {
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 15 sec;
}
remote <server IP> {
    exchange_mode aggressive,main;
    lifetime time 24 hour;
    my_identifier address;
    peers_identifier address;
    passive off;
    generate_policy off;
    # nat_traversal on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    lifetime time 1 hour;
    compression_algorithm deflate;
}
Server racoon.conf:
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log info;
padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
listen {
    isakmp <server IP>;
}
timer {
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 15 sec;
}
remote anonymous {
    exchange_mode aggressive,main;
    lifetime time 24 hour;
    passive off;
    generate_policy on;
    proposal_check obey;
    ike_frag on;
    proposal {
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5, hmac_sha1;
    lifetime time 1 hour;
    compression_algorithm deflate;
}
I tried switching NAT Traversal on and off without any effect. What am I missing here? I guess I've misconfigured IPSec. However, here's what setkey -D shows at the client while the IPSec connection is on:
Code:
% sudo setkey -D
<local client IP> <server IP>
    esp mode=transport spi=50815713(0x030762e1) reqid=0(0x00000000)
    E: 3des-cbc 96862cbd fc81562a 1558e323 450ab7b4 e1e0c588 8fa7dc3d
    A: hmac-md5 3ca7b767 b29bba44 f4044ccf ab795005
    seq=0x00000042 replay=4 flags=0x00000000 state=mature
    created: Oct 25 01:11:57 2015    current: Oct 25 01:27:44 2015
    diff: 947(s)    hard: 3600(s)    soft: 2880(s)
    last: Oct 25 01:18:48 2015    hard: 0(s)    soft: 0(s)
    current: 10560(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 66    hard: 0    soft: 0
    sadb_seq=1 pid=67500 refcnt=2
<server IP> <local client IP>
    esp mode=transport spi=227125489(0x0d89a8f1) reqid=0(0x00000000)
    E: 3des-cbc 1f7dde64 8338c675 956bf667 68e850d8 1a953563 cd7ac898
    A: hmac-md5 16574733 c6e7ce84 47d195b4 2c8bd45f
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Oct 25 01:11:57 2015    current: Oct 25 01:27:44 2015
    diff: 947(s)    hard: 3600(s)    soft: 2880(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    sadb_seq=0 pid=67500 refcnt=1
At the server, setkey -D shows something like this. Oh, and the client is behind a NAT, but as I've told before, switching NAT Traversal on and off doesn't help.
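As an added diagnostic (example code written for this page, not from the post, mpd5 or ipsec-tools), the script below parses a `setkey -D` SAD dump of the form shown above and reports the two things a reader can see in the client's dump: both SAs are mature, so IKE phase 1 and 2 completed, yet only the outbound byte counter moves and the inbound SA has an empty `last:` timestamp; and the satype is plain `esp` rather than `esp-udp`, which is what setkey prints once UDP encapsulation (NAT-T) has actually been negotiated. The sample dump is constructed with documentation-range addresses (192.0.2.10 as the client, 198.51.100.1 as the server) and the parser assumes IPv4 addresses.

```python
"""Parse `setkey -D` output and flag one-way IPsec SAs.

Added example, not code from the forum post: it reads the SAD dump format
that ipsec-tools' `setkey -D` prints on FreeBSD and reports when IKE has
produced mature SAs but ESP is only flowing in one direction.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the poster's client-side dump, using
# documentation-range addresses (192.0.2.10 = client, 198.51.100.1 = server).
# Key material (E:/A:) and timer lines are omitted; the parser ignores them.
SAMPLE_DUMP = """\
192.0.2.10 198.51.100.1
\tesp mode=transport spi=50815713(0x030762e1) reqid=0(0x00000000)
\tseq=0x00000042 replay=4 flags=0x00000000 state=mature
\tlast: Oct 25 01:18:48 2015\thard: 0(s)\tsoft: 0(s)
\tcurrent: 10560(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 66\thard: 0\tsoft: 0
198.51.100.1 192.0.2.10
\tesp mode=transport spi=227125489(0x0d89a8f1) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tlast:\thard: 0(s)\tsoft: 0(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
"""

# Constructed healthy counterpart: NAT-T negotiated (setkey reports the
# satype as "esp-udp" with the UDP ports) and bytes flowing both ways.
SAMPLE_DUMP_NATT = """\
192.0.2.10[4500] 198.51.100.1[4500]
\tesp-udp mode=transport spi=1001(0x000003e9) reqid=0(0x00000000)
\tseq=0x00000042 replay=4 flags=0x00000000 state=mature
\tcurrent: 10560(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 66\thard: 0\tsoft: 0
198.51.100.1[4500] 192.0.2.10[4500]
\tesp-udp mode=transport spi=1002(0x000003ea) reqid=0(0x00000000)
\tseq=0x0000003f replay=4 flags=0x00000000 state=mature
\tcurrent: 9800(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 63\thard: 0\tsoft: 0
"""


@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""          # "esp", "esp-udp" (UDP-encapsulated), "ah", ...
    mode: str = ""           # "transport" or "tunnel"
    spi: int = 0
    state: str = ""          # "mature", "larval", "dying", "dead"
    bytes_current: int = 0   # bytes carried by this SA so far
    allocated: int = 0       # packets carried by this SA so far


_ADDR = r"\d{1,3}(?:\.\d{1,3}){3}(?:\[\d+\])?"   # IPv4, optional NAT-T port
HEADER_RE = re.compile(rf"^({_ADDR})\s+({_ADDR})$")


def host(addr: str) -> str:
    """Strip a NAT-T port suffix such as '[4500]' from a dump address."""
    return addr.split("[", 1)[0]


def parse_setkey_dump(text: str) -> list[SA]:
    """Turn a `setkey -D` dump into SA records (IPv4 addresses assumed)."""
    sas: list[SA] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:                                   # "src dst" opens a new SA
            cur = SA(src=m.group(1), dst=m.group(2))
            sas.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith(("esp", "ah", "ipcomp")):   # satype, mode, spi
            parts = line.split()
            kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
            cur.proto, cur.mode = parts[0], kv.get("mode", "")
            cur.spi = int(kv.get("spi", "0").split("(")[0])
        elif "state=" in line:
            cur.state = re.search(r"state=(\w+)", line).group(1)
        elif line.startswith("current:") and "(bytes)" in line:
            cur.bytes_current = int(re.match(r"current:\s*(\d+)", line).group(1))
        elif line.startswith("allocated:"):
            cur.allocated = int(re.match(r"allocated:\s*(\d+)", line).group(1))
    return sas


def diagnose(sas: list[SA], local_ip: str) -> list[str]:
    """Findings for the SAs as seen from `local_ip`, the host the dump came from."""
    if not sas:
        return ["no SAs present: IKE phase 2 never produced keys"]
    findings = []
    outbound = [s for s in sas if host(s.src) == local_ip]
    inbound = [s for s in sas if host(s.dst) == local_ip]
    sent = sum(s.bytes_current for s in outbound)
    received = sum(s.bytes_current for s in inbound)
    if sent > 0 and received == 0 and inbound and all(s.state == "mature" for s in inbound):
        findings.append(f"one-way traffic: {sent} bytes sent, 0 received on mature inbound SAs; "
                        "IKE succeeded but the peer's ESP never reaches this host's inbound SA")
    if any(s.proto == "esp" and s.mode == "transport" for s in sas):
        findings.append("plain ESP in transport mode (satype 'esp', not 'esp-udp'): no UDP "
                        "encapsulation was negotiated, which breaks when a NAT sits between the peers")
    return findings


if __name__ == "__main__":
    for label, dump in (("client dump", SAMPLE_DUMP), ("with NAT-T", SAMPLE_DUMP_NATT)):
        print(label, diagnose(parse_setkey_dump(dump), "192.0.2.10") or ["looks healthy"])
```

Run it against a real dump with `sudo setkey -D | python3 sad_check.py`-style piping by replacing `SAMPLE_DUMP` with `sys.stdin.read()`. The point of the two findings is to separate the IKE question from the ESP question: mature SAs mean the pre-shared key, proposals and UDP 500 exchange are fine, so the remaining suspects are whether ESP (IP protocol 50) crosses the NAT at all and whether both racoon peers agreed on NAT-T, which shows up in the dump as `esp-udp` and port suffixes on the addresses.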