Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to III)

docds


Thanks for your reply. But I still have a few misunderstandings.
I can't get my installation to work properly with NAT-T. Without NAT, on my ADSL connection, everything works fine, but when I go through my Wi-Fi with NAT it won't work.
I applied the patch.
System rebuilt with world:
Code:
FreeBSD test 10.1-STABLE FreeBSD 10.1-STABLE #6 r280344M: Sun Mar 22 21:24:06 EET 2015     root@test:/usr/obj/usr/src/sys/current  amd64
My kernel additional options:
Code:
options         IPSEC
options         IPSEC_DEBUG
device          crypto
options         IPSEC_NAT_T
device          enc

device          pf
device          pflog
device          pfsync
options         ALTQ
options         ALTQ_CBQ        # Class Based Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_CDNR
options         ALTQ_NOPCC      # Required for SMP build
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_SOCKET
options         NETGRAPH_TEE
options         NETGRAPH_MPPC_ENCRYPTION
options         NETGRAPH_MPPC_COMPRESSION
options         NETGRAPH_BPF
options         NETGRAPH_IFACE
options         NETGRAPH_KSOCKET
options         NETGRAPH_PPP
options         NETGRAPH_PPTPGRE
options         NETGRAPH_TCPMSS
options         NETGRAPH_VJC
options         NETGRAPH_ONE2MANY
options         NETGRAPH_RFC1490
options         NETGRAPH_TEE
options         NETGRAPH_TTY
options         NETGRAPH_UI
Code:
Mar 22 17:50:37 14[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
Mar 22 17:50:37 14[CFG] <1> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[192.168.1.20]
Mar 22 17:50:37 14[CFG] <1> selected peer config "L2TP/IPsec-PSK"
Mar 22 17:50:37 14[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between x.x.x.x[x.x.x.x]...y.y.y.y[192.168.1.20]
Mar 22 17:50:37 14[IKE] <L2TP/IPsec-PSK|1> scheduling reauthentication in 10240s
Mar 22 17:50:37 14[IKE] <L2TP/IPsec-PSK|1> maximum IKE_SA lifetime 10780s
Mar 22 17:50:37 14[ENC] <L2TP/IPsec-PSK|1> generating ID_PROT response 0 [ ID HASH ]
Mar 22 17:50:37 14[NET] <L2TP/IPsec-PSK|1> sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (76 bytes)
Mar 22 17:50:37 15[NET] <L2TP/IPsec-PSK|1> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (332 bytes)
Mar 22 17:50:37 15[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Mar 22 17:50:37 15[IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
Mar 22 17:50:37 15[ENC] <L2TP/IPsec-PSK|1> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
Mar 22 17:50:37 15[NET] <L2TP/IPsec-PSK|1> sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (204 bytes)
Mar 22 17:50:37 15[NET] <L2TP/IPsec-PSK|1> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (60 bytes)
Mar 22 17:50:37 15[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH ]
Mar 22 17:50:37 15[IKE] <L2TP/IPsec-PSK|1> CHILD_SA L2TP/IPsec-PSK{1} established with SPIs c8f95a4c_i 4bffdc99_o and TS x.x.x.x/32[udp/l2f] === y.y.y.y/32[udp/l2f]
Mar 22 17:51:12 14[NET] <L2TP/IPsec-PSK|1> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
Mar 22 17:51:12 14[ENC] <L2TP/IPsec-PSK|1> parsed INFORMATIONAL_V1 request 1219894490 [ HASH D ]
Mar 22 17:51:12 14[IKE] <L2TP/IPsec-PSK|1> received DELETE for ESP CHILD_SA with SPI 4bffdc99
Mar 22 17:51:12 14[IKE] <L2TP/IPsec-PSK|1> closing CHILD_SA L2TP/IPsec-PSK{1} with SPIs c8f95a4c_i (774 bytes) 4bffdc99_o (0 bytes) and TS x.x.x.x/32[udp/l2f] === y.y.y.y/32[udp/l2f]
Mar 22 17:51:12 10[NET] <L2TP/IPsec-PSK|1> received packet: from y.y.y.y[4500] to x.x.x.x[4500] (92 bytes)
Mar 22 17:51:12 10[ENC] <L2TP/IPsec-PSK|1> parsed INFORMATIONAL_V1 request 1641099219 [ HASH D ]
Mar 22 17:51:12 10[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
Mar 22 17:51:12 10[IKE] <L2TP/IPsec-PSK|1> deleting IKE_SA L2TP/IPsec-PSK[1] between x.x.x.x[x.x.x.x]...y.y.y.y[192.168.1.20]
###################################################
###################################################
Mar 22 18:02:17 10[NET] <2> received packet: from y.y.y.y[500] to x.x.x.x[500] (384 bytes)
Mar 22 18:02:17 10[ENC] <2> parsed ID_PROT request 0 [ SA V V V V V V V ]
Mar 22 18:02:17 10[IKE] <2> received MS NT5 ISAKMPOAKLEY vendor ID
Mar 22 18:02:17 10[IKE] <2> received NAT-T (RFC 3947) vendor ID
Mar 22 18:02:17 10[IKE] <2> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 22 18:02:17 10[IKE] <2> received FRAGMENTATION vendor ID
Mar 22 18:02:17 10[ENC] <2> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Mar 22 18:02:17 10[ENC] <2> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
Mar 22 18:02:17 10[ENC] <2> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Mar 22 18:02:17 10[IKE] <2> y.y.y.y is initiating a Main Mode IKE_SA
Mar 22 18:02:17 10[ENC] <2> generating ID_PROT response 0 [ SA V V V ]
Mar 22 18:02:17 10[NET] <2> sending packet: from x.x.x.x[500] to y.y.y.y[500] (136 bytes)
Mar 22 18:02:17 10[NET] <2> received packet: from y.y.y.y[500] to x.x.x.x[500] (228 bytes)
Mar 22 18:02:17 10[ENC] <2> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 22 18:02:17 10[ENC] <2> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 22 18:02:17 10[NET] <2> sending packet: from x.x.x.x[500] to y.y.y.y[500] (212 bytes)
Mar 22 18:02:17 10[NET] <2> received packet: from y.y.y.y[500] to x.x.x.x[500] (76 bytes)
Mar 22 18:02:17 10[ENC] <2> parsed ID_PROT request 0 [ ID HASH ]
Mar 22 18:02:17 10[CFG] <2> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[y.y.y.y]
Mar 22 18:02:17 10[CFG] <2> selected peer config "L2TP/IPsec-PSK"
Mar 22 18:02:17 10[IKE] <L2TP/IPsec-PSK|2> IKE_SA L2TP/IPsec-PSK[2] established between x.x.x.x[x.x.x.x]...y.y.y.y[y.y.y.y]
Mar 22 18:02:17 10[IKE] <L2TP/IPsec-PSK|2> scheduling reauthentication in 10161s
Mar 22 18:02:17 10[IKE] <L2TP/IPsec-PSK|2> maximum IKE_SA lifetime 10701s
Mar 22 18:02:17 10[ENC] <L2TP/IPsec-PSK|2> generating ID_PROT response 0 [ ID HASH ]
Mar 22 18:02:17 10[NET] <L2TP/IPsec-PSK|2> sending packet: from x.x.x.x[500] to y.y.y.y[500] (76 bytes)
Mar 22 18:02:17 13[NET] <L2TP/IPsec-PSK|2> received packet: from y.y.y.y[500] to x.x.x.x[500] (316 bytes)
Mar 22 18:02:17 13[ENC] <L2TP/IPsec-PSK|2> parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
Mar 22 18:02:17 13[IKE] <L2TP/IPsec-PSK|2> received 250000000 lifebytes, configured 0
Mar 22 18:02:17 13[ENC] <L2TP/IPsec-PSK|2> generating QUICK_MODE response 1 [ HASH SA No ID ID ]
Mar 22 18:02:17 13[NET] <L2TP/IPsec-PSK|2> sending packet: from x.x.x.x[500] to y.y.y.y[500] (188 bytes)
Mar 22 18:02:17 13[NET] <L2TP/IPsec-PSK|2> received packet: from y.y.y.y[500] to x.x.x.x[500] (60 bytes)
Mar 22 18:02:17 13[ENC] <L2TP/IPsec-PSK|2> parsed QUICK_MODE request 1 [ HASH ]
Mar 22 18:02:17 13[IKE] <L2TP/IPsec-PSK|2> CHILD_SA L2TP/IPsec-PSK{2} established with SPIs c89b837b_i 95b272f6_o and TS x.x.x.x/32[udp/l2f] === y.y.y.y/32[udp/l2f]
Mar 22 18:02:18 13[KNL] interface ng0 appeared
Mar 22 18:02:18 13[IKE] <L2TP/IPsec-PSK|2> old path is not available anymore, try to find another
Mar 22 18:02:18 13[IKE] <L2TP/IPsec-PSK|2> looking for a route to y.y.y.y ...
Mar 22 18:02:18 14[KNL] 192.168.0.7 appeared on ng0
My log file. The first part (NAT) and the second part (NO_NAT) are identical; in the second part (NO_NAT) the connection is established.
I would be glad for any help.
 

obsigna


Did you create and configure the AssumeUDPEncapsulationContextOnSendRule registry value on your Windows client(s)? This was discussed in various posts of this thread. The support document of Microsoft is a little bit misleading since it suggests that it is necessary for a Windows 2008 server behind NAT. As a matter of fact, the registry entry needs to be done on any Windows client doing NAT-T with any IPsec server.

see: https://support.microsoft.com/en-us/kb/926179/en-us

You want to set AssumeUDPEncapsulationContextOnSendRule to 2.
 

balgaa


Yesterday, I upgraded my FreeBSD machine to the latest 9.3-STABLE and after that the L2TP client cannot connect to the server.
Code:
root@vpn:/usr/local/etc/mpd5 # uname -a
FreeBSD x.x.x.x 9.3-STABLE FreeBSD 9.3-STABLE #5 r286367M: Fri Aug  7 08:45:01 ULAT 2015     dashka@x.x.x.x:/usr/obj/usr/src/sys/VPN  amd64

But the PPTP client can connect without any problem. Nothing changed in racoon.conf and mpd.conf. Nothing changed in ipsec-tools.

I patched the kernel source again using ipsec-patches.diff after updating the FreeBSD source tree via SVN. Any suggestions?

Below mpd.conf:
==========
Code:
startup:
        # configure mpd users
        # set user super pwSuper admin
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
       load l2tp_server
       load pptp_server

set user test password test

pptp_server:
    set ippool add pptp_pool 192.168.1.170 192.168.1.199
    create bundle template B_pptp
    set iface enable proxy-arp
    set iface idle 1800
    set iface enable tcpmssfix
    #set iface route 192.168.1.1
    set ipcp yes vjcomp
    set ipcp ranges 192.168.1.1/32 ippool pptp_pool
    set ipcp dns 202.180.216.12
    #set ipcp dns 122.254.125.13
    #set ipcp dns 122.254.125.14
    #set ipcp nbns 192.168.0.1
    set bundle enable compression
    set bundle enable encryption
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless
    create link template L_pptp pptp
    set link fsm-timeout 5
    set link action bundle B_pptp
    set link enable multilink
    set link yes acfcomp protocomp
    #set link no pap chap eap chap-msv2
    set link no pap chap
    set link accept eap
    set link enable chap chap-msv2 eap
    set link accept chap-msv2
    #set auth enable system-auth
    #set auth enable internal
    #set bundle authname balgaa
    set link keep-alive 10 60
    set link mtu 1460
    #set pptp self 122.254.125.6
    set pptp self 172.16.2.5
    set pptp enable always-ack
    set link enable incoming


l2tp_server:
# Define dynamic IP address pool - these are the IP addresses which will be
# allocated to our remote clients when they join the LAN
# REPLACE w.x.y.from - w.x.y.to with the IP address range mpd5 will allocate from.
# e.g.  set ippool add pool_l2tp w.x.y.150 w.x.y.199
        set ippool add pool_l2tp 192.168.1.150 192.168.1.169

# Create clonable bundle template named B_l2tp
        create bundle template B_l2tp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp

# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Specify IP address pool for dynamic assignment.
        # This is the internal IP and netmask of the box
        # REPLACE w.x.y.z with the IP address for your VPN server
        set ipcp ranges 192.168.1.1/24 ippool pool_l2tp
        # an accessible DNS server for clients to use
        # REPLACE w.x.y.dns with the IP address for your DNS server
        # e.g. set ipcp dns w.x.y.50
        set ipcp dns 202.180.216.12

# Create clonable link template named L_l2tp
        create link template L_l2tp l2tp
# Set bundle template to use
        set link action bundle B_l2tp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link no pap chap eap
        set link enable chap
        set link keep-alive 0 0
        set link yes acfcomp protocomp
# We reduce the link MTU to avoid ESP packet fragmentation.
        set link mtu 1280
# Configure L2TP
        # REPLACE with the IP address racoon will listen on (if behind NAT, this is the INSIDE IP)
        # Unfortunately, you cannot specify multiple IPs here, so just comment out the next line if you need that
        set l2tp self 0.0.0.0
        set l2tp enable length
        #set l2tp secret testvpn
# Allow incoming calls
        set link enable incoming

Below racoon.conf:
============
Code:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug2;

padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}

listen
{
        isakmp           172.16.2.5 [500];
        isakmp_natt      172.16.2.5 [4500];

#        isakmp           192.168.1.0/24 [500];
#        isakmp_natt      192.168.1.0/24 [4500];

        strict_address;
}

timer {
        counter 5;
        interval 20 sec;
        persend 1;
        phase1 30 sec;
        phase2 20 sec;
        natt_keepalive 0 sec;
}

remote anonymous
{
        exchange_mode    main;
        passive          on;
        proposal_check   obey;
        support_proxy    on;
        nat_traversal    on;
        ike_frag         on;
        dpd_delay        30;
        doi              ipsec_doi;
        #generate_policy         on;

        proposal
        {
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }

        proposal
        {
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
        }
}

sainfo anonymous
{
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
        pfs_group                modp1024;
}
 

balgaa


I found that after updating the source tree, there is no such sysctl(8) parameter.

Code:
root@vpn:/home/dashka # sysctl net.inet.esp.esp_ignore_natt_cksum=1
sysctl: unknown oid 'net.inet.esp.esp_ignore_natt_cksum'

How can I fix it?
 

obsigna


I was wondering if this howto applies to FreeBSD-10.2.
Thanks.

I am the author of this Howto (at that time my member name was rolfheinrich). Therefore, I guess I may give you the authoritative answer to your question.

If you need Mac OS X and/or iOS connectivity only AND if you don't need more than one client connecting from behind the same NAT, then YES. If you need Windows connectivity and/or multiple clients behind the same NAT connecting at the same time, then NO.

I think we need to wait for somebody who can edit the patch. Unfortunately, I don't have developer skills. I tried the classic way:
1. cd /usr/
2. patch -p0 < patch.diff

The net.inet.esp.esp_ignore_natt_cksum kernel patch not only cannot be applied anymore; even if it could be, it would no longer be effective, because on 10.2 any ESP checksum flags are removed at another place in the kernel. That means: simply forget that patch.

As I wrote already sometime ago, I switched from ipsec-tools/mpd5 to strongswan/mpd5.

In addition, for Windows connectivity you want to restore the non-patched original kernel files in sys/netipsec, sys/netinet, and sys/netinet6, and you may want to edit the following kernel file nano +1561 /usr/src/sys/netinet/udp_usrreq.c -- Comment out the two lines #1561 and #1562, leaving the code as follows:
Code:
...

        /*
         * We cannot yet update the cksums so clear any
         * h/w cksum flags as they are no longer valid.
         */
        // if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID)
        //      m->m_pkthdr.csum_flags &= ~(CSUM_DATA_VALID|CSUM_PSEUDO_HDR);

...

Provided that you set AssumeUDPEncapsulationContextOnSendRule in the Windows registry to 2, L2TP/IPsec using the strongswan/mpd5 combo should work perfectly with Windows, Android, Mac OS X, and iOS clients with Multi-NAT-T.

Once again, forget racoon from the security/ipsec-tools, it is a pain in the ass, compared to security/strongswan.
 

Senya88


As I wrote already sometime ago, I switched from ipsec-tools/mpd5 to strongswan/mpd5.
In addition, for Windows connectivity you want to restore the non-patched original kernel files in sys/netipsec, sys/netinet, and sys/netinet6, and you may want to edit the following kernel file nano +1561 /usr/src/sys/netinet/udp_usrreq.c -- Comment out the two lines #1561 and #1562, leaving the code as follows:

Thanks for the detailed answer. However, I didn't find a good guide about strongswan + FreeBSD. I found one article, http://blog.obsigna.net/?p=520, in German. I tried to deploy this on my server, but it didn't work.

Code:
2015-09-06 21:43:07 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.2-RELEASE-p2, i386)
2015-09-06 21:43:07 00[LIB] arbitrary naming of TUN devices is not supported
2015-09-06 21:43:07 00[LIB] failed to open : Device busy
2015-09-06 21:43:07 00[LIB] failed to open : Device busy
2015-09-06 21:43:07 00[LIB] created TUN device: tun2
2015-09-06 21:43:07 00[NET] unable to bind socket: Address already in use
2015-09-06 21:43:07 00[NET] could not open IPv4 socket, IPv4 disabled
2015-09-06 21:43:07 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2015-09-06 21:43:07 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2015-09-06 21:43:07 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-09-06 21:43:07 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-09-06 21:43:07 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-09-06 21:43:07 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-09-06 21:43:07 00[CFG] loaded IKE secret for %any
2015-09-06 21:43:07 00[LIB] loaded plugins: charon aes kernel-libipsec des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-09-06 21:43:07 00[JOB] spawning 16 worker threads
2015-09-06 21:43:07 09[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-09-06 21:43:07 09[CFG] left nor right host is our side, assuming left=local
2015-09-06 21:43:07 09[CFG] added configuration 'L2TP/IPsec-PSK'
2015-09-06 21:43:28 09[NET] <1> received packet: from ::ffff:2.94.9.220[500] to ::ffff:85.113.221.175[500] (384 bytes)
2015-09-06 21:43:28 09[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V ]
2015-09-06 21:43:28 09[IKE] <1> received MS NT5 ISAKMPOAKLEY vendor ID
2015-09-06 21:43:28 09[IKE] <1> received NAT-T (RFC 3947) vendor ID
2015-09-06 21:43:28 09[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2015-09-06 21:43:28 09[IKE] <1> received FRAGMENTATION vendor ID
2015-09-06 21:43:28 09[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
2015-09-06 21:43:28 09[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
2015-09-06 21:43:28 09[ENC] <1> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
2015-09-06 21:43:28 09[IKE] <1> ::ffff:2.94.9.220 is initiating a Main Mode IKE_SA
2015-09-06 21:43:28 09[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
2015-09-06 21:43:28 09[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.94.9.220[500] (136 bytes)
2015-09-06 21:43:28 09[NET] <1> received packet: from ::ffff:2.94.9.220[500] to ::ffff:85.113.221.175[500] (228 bytes)
2015-09-06 21:43:28 09[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2015-09-06 21:43:28 09[IKE] <1> local host is behind NAT, sending keep alives
2015-09-06 21:43:28 09[IKE] <1> remote host is behind NAT
2015-09-06 21:43:28 09[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2015-09-06 21:43:28 09[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.94.9.220[500] (212 bytes)
2015-09-06 21:43:28 09[NET] <1> received packet: from ::ffff:2.94.9.220[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
2015-09-06 21:43:28 09[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
2015-09-06 21:43:28 09[CFG] <1> looking for pre-shared key peer configs matching ::ffff:85.113.221.175...::ffff:2.94.9.220[192.168.42.198]
2015-09-06 21:43:28 09[CFG] <1> selected peer config "L2TP/IPsec-PSK"
2015-09-06 21:43:28 09[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.94.9.220[192.168.42.198]
2015-09-06 21:43:28 09[IKE] <L2TP/IPsec-PSK|1> scheduling reauthentication in 10152s
2015-09-06 21:43:28 09[IKE] <L2TP/IPsec-PSK|1> maximum IKE_SA lifetime 10692s
2015-09-06 21:43:28 09[ENC] <L2TP/IPsec-PSK|1> generating ID_PROT response 0 [ ID HASH ]
2015-09-06 21:43:28 09[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.94.9.220[4500] (92 bytes)
2015-09-06 21:43:28 11[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.94.9.220[4500] to ::ffff:85.113.221.175[4500] (332 bytes)
2015-09-06 21:43:28 11[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-09-06 21:43:28 11[IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
2015-09-06 21:43:28 11[ENC] <L2TP/IPsec-PSK|1> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-09-06 21:43:28 11[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.94.9.220[4500] (252 bytes)
2015-09-06 21:43:28 11[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.94.9.220[4500] to ::ffff:85.113.221.175[4500] (92 bytes)
2015-09-06 21:43:28 11[ENC] <L2TP/IPsec-PSK|1> parsed INFORMATIONAL_V1 request 3811068122 [ HASH D ]
2015-09-06 21:43:28 11[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
2015-09-06 21:43:28 11[IKE] <L2TP/IPsec-PSK|1> deleting IKE_SA L2TP/IPsec-PSK[1] between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.94.9.220[192.168.42.198]
2015-09-06 22:09:52 00[DMN] signal of type SIGTERM received. Shutting down

Maybe I missed the patch from the article. I need to check it once again, but the main problem for me is this:
Code:
2015-09-06 21:43:07 00[NET] unable to bind socket: Address already in use
2015-09-06 21:43:07 00[NET] could not open IPv4 socket, IPv4 disabled
 

obsigna


...
Code:
2015-09-06 21:43:07 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.2-RELEASE-p2, i386)
2015-09-06 21:43:07 00[LIB] arbitrary naming of TUN devices is not supported
2015-09-06 21:43:07 00[LIB] failed to open : Device busy
2015-09-06 21:43:07 00[LIB] failed to open : Device busy
2015-09-06 21:43:07 00[LIB] created TUN device: tun2
2015-09-06 21:43:07 00[NET] unable to bind socket: Address already in use
2015-09-06 21:43:07 00[NET] could not open IPv4 socket, IPv4 disabled
...
...
You built strongSwan with the option KERNELLIBIPSEC. That was wrong. Do the following:
  1. # service strongswan stop
  2. # cd /usr/ports/security/strongswan
  3. # make rmconfig
  4. # make deinstall clean distclean
  5. Finally, install a plainly configured strongSwan, i.e. one without all the bells and whistles: # pkg install strongswan
  6. # service strongswan start
  7. Try again!
 

Senya88


You built strongSwan with the option KERNELLIBIPSEC. That was wrong. Do the following:
  1. # service strongswan stop
  2. # cd /usr/ports/security/strongswan
  3. # make rmconfig
  4. # make deinstall clean distclean
  5. Finally, install a plainly configured strongSwan, i.e. one without all the bells and whistles: # pkg install strongswan
  6. # service strongswan start
  7. Try again!

Thank you for the help!
I did it. Before this, I recompiled the kernel with the patch http://blog.obsigna.net/downloads/IPsec-NATT-Win_v10.2.patch.

Code:
(pts/2)[root@server:~]# uname -a
FreeBSD server 10.2-RELEASE-p3 FreeBSD 10.2-RELEASE-p3 #1 r288274M: Sat Sep 26 23:09:17 MSK 2015     root@server:/usr/obj/usr/src/sys/SERVER  i386

I added the key AssumeUDPEncapsulationContextOnSendRule=2 to my Windows registry.

My configs:
strongswan.conf:
Code:
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        install_routes = no
        process_route = no

        filelog {
                /var/log/strongswan.log {
                        flush_line = yes
                        ike_name = yes
                        time_format = "%Y-%m-%d %H:%M:%S"
                }
                ike_name = yes
        }
}

ipsec.conf:
Code:
conn L2TP/IPsec-PSK
    keyexchange = ikev1
    type = transport
    leftauth = psk
    rightauth = psk
    left = %defaultroute
    right = %any
    auto = add

ipsec.secrets:
Code:
: PSK "mykey"

Logs:
Code:
(pts/4)[root@server:/usr/local/etc]# /usr/local/etc/rc.d/strongswan onerestart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
(pts/4)[root@server:/usr/local/etc]# tail -f /var/log/strongswan.log
2015-09-27 17:03:33 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-09-27 17:03:33 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-09-27 17:03:33 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-09-27 17:03:33 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-09-27 17:03:33 00[CFG]   loaded IKE secret for %any
2015-09-27 17:03:33 00[LIB] loaded plugins: charon aes kernel-libipsec des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-09-27 17:03:33 00[JOB] spawning 16 worker threads
2015-09-27 17:03:33 16[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-09-27 17:03:33 16[CFG] left nor right host is our side, assuming left=local
2015-09-27 17:03:33 16[CFG] added configuration 'L2TP/IPsec-PSK'
2015-09-27 17:04:03 16[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (384 bytes)
2015-09-27 17:04:03 16[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V ]
2015-09-27 17:04:03 16[IKE] <1> received MS NT5 ISAKMPOAKLEY vendor ID
2015-09-27 17:04:03 16[IKE] <1> received NAT-T (RFC 3947) vendor ID
2015-09-27 17:04:03 16[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2015-09-27 17:04:03 16[IKE] <1> received FRAGMENTATION vendor ID
2015-09-27 17:04:03 16[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
2015-09-27 17:04:03 16[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
2015-09-27 17:04:03 16[ENC] <1> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
2015-09-27 17:04:03 16[IKE] <1> ::ffff:2.93.190.121 is initiating a Main Mode IKE_SA
2015-09-27 17:04:03 16[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
2015-09-27 17:04:03 16[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (136 bytes)
2015-09-27 17:04:03 16[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (228 bytes)
2015-09-27 17:04:03 16[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2015-09-27 17:04:03 16[IKE] <1> local host is behind NAT, sending keep alives
2015-09-27 17:04:03 16[IKE] <1> remote host is behind NAT
2015-09-27 17:04:03 16[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2015-09-27 17:04:03 16[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (212 bytes)
2015-09-27 17:04:03 16[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
2015-09-27 17:04:03 16[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
2015-09-27 17:04:03 16[CFG] <1> looking for pre-shared key peer configs matching ::ffff:85.113.221.175...::ffff:2.93.190.121[192.168.42.145]
2015-09-27 17:04:03 16[CFG] <1> selected peer config "L2TP/IPsec-PSK"
2015-09-27 17:04:03 16[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]
2015-09-27 17:04:03 16[IKE] <L2TP/IPsec-PSK|1> scheduling reauthentication in 9845s
2015-09-27 17:04:03 16[IKE] <L2TP/IPsec-PSK|1> maximum IKE_SA lifetime 10385s
2015-09-27 17:04:03 16[ENC] <L2TP/IPsec-PSK|1> generating ID_PROT response 0 [ ID HASH ]
2015-09-27 17:04:03 16[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.93.190.121[4500] (92 bytes)
2015-09-27 17:04:03 09[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (380 bytes)
2015-09-27 17:04:03 09[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-09-27 17:04:03 09[IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
2015-09-27 17:04:03 09[ENC] <L2TP/IPsec-PSK|1> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-09-27 17:04:03 09[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.93.190.121[4500] (252 bytes)
2015-09-27 17:04:03 09[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (92 bytes)
2015-09-27 17:04:03 09[ENC] <L2TP/IPsec-PSK|1> parsed INFORMATIONAL_V1 request 515713003 [ HASH D ]
2015-09-27 17:04:03 09[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
2015-09-27 17:04:03 09[IKE] <L2TP/IPsec-PSK|1> deleting IKE_SA L2TP/IPsec-PSK[1] between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]

Unfortunately, it doesn't work.

PS: Sorry, I did not notice that you are the author of the article http://blog.obsigna.net/?p=520. Thanks for the article. This is the only good article on the Internet about FreeBSD + strongSwan.
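The charon logs quoted in this thread all share a few tell-tale lines: the "loaded plugins" line (which shows kernel-libipsec when strongSwan was built with KERNELLIBIPSEC), the "unable to bind socket" failure, the switch of the peer from UDP 500 to UDP 4500 when NAT-T kicks in, a QUICK_MODE exchange followed either by a CHILD_SA or by a DELETE, and, when a CHILD_SA is closed, the inbound/outbound ESP byte counters (the first log in this thread shows 774 bytes in and 0 bytes out for the NAT case). The following Python script is an added example, not code from the thread, from strongSwan or from the howto; it pulls those facts out of a charon log and turns them into findings. The sample log is constructed (documentation addresses, made-up SPIs, timestamps omitted because the parser anchors on the message text, not on the prefix), and the verdict texts summarize the thread's own advice.

```python
import re

# Constructed sample charon log (not from the thread); addresses are documentation
# ranges and timestamps are omitted because the parser anchors on the message text.
# IKE_SA 1: NAT-T peer that deletes the IKE_SA right after Quick Mode (no CHILD_SA).
# IKE_SA 2: NAT-T peer whose CHILD_SA comes up, delivers ESP, but is never answered.
# IKE_SA 3: peer without NAT whose CHILD_SA comes up and stays up.
SAMPLE_LOG = """\
00[LIB] loaded plugins: charon aes kernel-libipsec sha1 kernel-pfkey kernel-pfroute socket-default stroke
00[NET] unable to bind socket: Address already in use
00[NET] could not open IPv4 socket, IPv4 disabled
16[NET] <1> received packet: from 203.0.113.10[500] to 198.51.100.5[500] (384 bytes)
16[IKE] <1> local host is behind NAT, sending keep alives
16[IKE] <1> remote host is behind NAT
16[NET] <1> received packet: from 203.0.113.10[4500] to 198.51.100.5[4500] (76 bytes)
16[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between 198.51.100.5[198.51.100.5]...203.0.113.10[192.168.42.145]
09[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
09[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
14[IKE] <2> remote host is behind NAT
14[NET] <2> received packet: from 203.0.113.11[4500] to 198.51.100.5[4500] (76 bytes)
15[IKE] <L2TP/IPsec-PSK|2> CHILD_SA L2TP/IPsec-PSK{1} established with SPIs 0a0b0c01_i 0a0b0c02_o and TS 198.51.100.5/32[udp/l2f] === 203.0.113.11/32[udp/l2f]
14[IKE] <L2TP/IPsec-PSK|2> closing CHILD_SA L2TP/IPsec-PSK{1} with SPIs 0a0b0c01_i (774 bytes) 0a0b0c02_o (0 bytes) and TS 198.51.100.5/32[udp/l2f] === 203.0.113.11/32[udp/l2f]
10[IKE] <L2TP/IPsec-PSK|2> received DELETE for IKE_SA L2TP/IPsec-PSK[2]
13[NET] <3> received packet: from 203.0.113.12[500] to 198.51.100.5[500] (384 bytes)
13[IKE] <L2TP/IPsec-PSK|3> CHILD_SA L2TP/IPsec-PSK{2} established with SPIs 0a0b0c03_i 0a0b0c04_o and TS 198.51.100.5/32[udp/l2f] === 203.0.113.12/32[udp/l2f]
"""

SA_RE = re.compile(r"<(?:[^|>]+\|)?(\d+)>")  # matches <1> as well as <conn-name|1>
PORT_RE = re.compile(r"received packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
CLOSE_RE = re.compile(r"with SPIs \S+_i \((\d+) bytes\) \S+_o \((\d+) bytes\)")


def new_sa():
    return {"nat_t": False, "local_behind_nat": False, "remote_behind_nat": False,
            "quick_mode": False, "child_established": False, "ike_deleted": False,
            "esp_in_bytes": None, "esp_out_bytes": None}


def triage(log_text):
    """Parse charon log lines into daemon-level flags and one record per IKE_SA."""
    report = {"kernel_libipsec": False, "bind_failure": False, "sas": {}}
    for line in log_text.splitlines():
        if "loaded plugins:" in line:
            plugins = line.split("loaded plugins:", 1)[1].split()
            report["kernel_libipsec"] = "kernel-libipsec" in plugins
        elif "unable to bind socket" in line:
            report["bind_failure"] = True
        m = SA_RE.search(line)
        if not m:
            continue  # daemon-level line, no IKE_SA context
        sa = report["sas"].setdefault(int(m.group(1)), new_sa())
        pm = PORT_RE.search(line)
        if pm and pm.group(2) == "4500":  # peer moved to UDP 4500: NAT-T in use
            sa["nat_t"] = True
        if "local host is behind NAT" in line:
            sa["local_behind_nat"] = True
        if "remote host is behind NAT" in line:
            sa["remote_behind_nat"] = True
        if "parsed QUICK_MODE request" in line:
            sa["quick_mode"] = True
        if "CHILD_SA" in line and "established with SPIs" in line:
            sa["child_established"] = True
        cm = CLOSE_RE.search(line)  # ESP byte counters charon prints on CHILD_SA close
        if cm:
            sa["esp_in_bytes"], sa["esp_out_bytes"] = int(cm.group(1)), int(cm.group(2))
        if "received DELETE for IKE_SA" in line:
            sa["ike_deleted"] = True
    return report


def verdicts(report):
    """Turn the parsed report into the findings discussed in this thread."""
    out = []
    if report["kernel_libipsec"]:
        out.append("daemon: kernel-libipsec plugin loaded (KERNELLIBIPSEC build); the thread's "
                   "fix is a plain 'pkg install strongswan' so charon uses the kernel IPsec stack")
    if report["bind_failure"]:
        out.append("daemon: could not bind UDP 500/4500; check 'sockstat | grep 500' for the holder")
    for sa_id, sa in sorted(report["sas"].items()):
        tag = "IKE_SA %d%s" % (sa_id, " (NAT-T)" if sa["nat_t"] else "")
        if sa["ike_deleted"] and sa["quick_mode"] and not sa["child_established"]:
            out.append(tag + ": peer deleted the IKE_SA right after Quick Mode, no CHILD_SA came up; "
                       "for Windows NAT-T clients check AssumeUDPEncapsulationContextOnSendRule=2")
        elif sa["esp_in_bytes"] and sa["esp_out_bytes"] == 0:
            out.append(tag + ": CHILD_SA received %d ESP bytes but sent none back; IPsec is up, "
                       "so check the NAT-T decapsulation path and the mpd5 L2TP listener"
                       % sa["esp_in_bytes"])
        elif sa["child_established"] and not sa["ike_deleted"]:
            out.append(tag + ": CHILD_SA established and still up")
        else:
            out.append(tag + ": no CHILD_SA established")
    return out


if __name__ == "__main__":
    for finding in verdicts(triage(SAMPLE_LOG)):
        print(finding)
```

Run it against a real log with `triage(open("/var/log/strongswan.log").read())`; the byte counters on the "closing CHILD_SA" line are the quickest way to tell an IKE problem (no CHILD_SA at all) from a problem above IPsec (ESP arrives but nothing goes back).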
 

obsigna


Sorry, I didn't pay attention that you are using IPv6.

For Windows 7 connectivity I patched the function udp4_espdecap(), which as the name indicates clearly, is for IPv4 only. I had a quick look at the sources and there is no function udp6_espdecap() that could be patched as well.

Perhaps the more coarse solution of the post L2TP/IPSec VPN problems would work with IPv6.
 

obsigna


Sorry, I didn't pay attention that you are using IPv6. ...

... I had a quick look at the sources and there is no function udp6_espdecap() that could be patched as well

...

In the meantime I went out for the morning tour with my dog, and the fresh clean air brushed my brain. Of course there is no function udp6_espdecap(), because there is no NAT for IPv6, at least none in FreeBSD that I know of. Some IETF members are thinking aloud about it; however, I am not aware of a working implementation yet.

Code:
...
2015-09-27 17:04:03 16[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
...

Without NAT, there is no reason to NAT-T encapsulate the IPsec packets (port 4500), so why does your setup do it nonetheless?

You might want to rework your concept. NAT is generally not needed for IPv6, and without NAT in the middle, Windows would not have any problems at all making connections to L2TP/IPsec, e.g., no hassle with kernel patching and registry hacks.
 

Senya88


Sorry, I didn't pay attention that you are using IPv6.
For Windows 7 connectivity I patched the function udp4_espdecap(), which as the name indicates clearly, is for IPv4 only. I had a quick look at the sources and there is no function udp6_espdecap() that could be patched as well.
Perhaps the more coarse solution of the post L2TP/IPSec VPN problems would work with IPv6.

Unfortunately, I don't use IPv6. I turned off IPv6 in the Windows connection settings. I installed strongSwan via pkg install strongswan, but my trouble is still there:

(pts/1)[root@server:~]# /usr/local/etc/rc.d/strongswan onerestart
Code:
Stopping strongSwan IPsec...
Starting strongSwan 5.3.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
(pts/1)[root@server:~]#

Code:
2015-09-27 21:12:46 00[DMN] signal of type SIGINT received. Shutting down
2015-09-27 21:12:49 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.2-RELEASE-p3, i386)
2015-09-27 21:12:49 00[LIB] arbitrary naming of TUN devices is not supported
2015-09-27 21:12:49 00[LIB] failed to open : Device busy
2015-09-27 21:12:49 00[LIB] failed to open : Device busy
2015-09-27 21:12:49 00[LIB] created TUN device: tun2
2015-09-27 21:12:49 00[NET] unable to bind socket: Address already in use
2015-09-27 21:12:49 00[NET] could not open IPv4 socket, IPv4 disabled

(pts/2)[root@server:~]# sockstat | grep 500
Code:
root     charon     7392  11 udp4 6 *:500                 *:*
root     charon     7392  12 udp4 6 *:4500                *:*

Maybe strongswan wants tun0 or tun1 (they are used by OpenVPN). However, this is unlikely.
 

obsigna

Daemon

Reaction score: 900
Messages: 1,296

Unfortunately, I don't use IPv6. I turned off IPv6 in the Windows connection settings.

Well, the IP addresses of your previous log don't look quite like IPv4 addresses.
Code:
...
2015-09-27 17:04:03 16[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
...

I installed strongSwan via pkg install strongswan, but my trouble is still there:
[root@server:~]# /usr/local/etc/rc.d/strongswan onerestart
Code:
Stopping strongSwan IPsec...
Starting strongSwan 5.3.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
[root@server:~]#

This is not a problem; this is normal on non-Linux machines. I see this too.

Code:
2015-09-27 21:12:49 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.2-RELEASE-p3, i386)
2015-09-27 21:12:49 00[LIB] arbitrary naming of TUN devices is not supported
2015-09-27 21:12:49 00[LIB] failed to open : Device busy
2015-09-27 21:12:49 00[LIB] failed to open : Device busy
2015-09-27 21:12:49 00[LIB] created TUN device: tun2
2015-09-27 21:12:49 00[NET] unable to bind socket: Address already in use
2015-09-27 21:12:49 00[NET] could not open IPv4 socket, IPv4 disabled

This is troublesome. DO NOT ACTIVATE the option KERNELLIBIPSEC! This will NOT WORK!!
 

Senya88

Member


Messages: 27

This is troublesome. DO NOT ACTIVATE the option KERNELLIBIPSEC! This will NOT WORK!!

Thank you for help.

I tried both solutions:
1. As you recommended, install from pkg:
  1. # service strongswan stop
  2. # cd /usr/ports/security/strongswan
  3. # make rmconfig
  4. # make deinstall clean distclean
  5. Finally, install a plainly configured strongSwan, i.e. one without all the bells and whistles: # pkg install strongswan
  6. # service strongswan start
  7. Try again!
Please look at my attempt:
Code:
(pts/1)[root@server:/usr/ports/security/strongswan]# cd /usr/ports/security/strongswan/
(pts/1)[root@server:/usr/ports/security/strongswan]# make rmconfig
===> Removing user-configured options for strongswan-5.3.3
(pts/1)[root@server:/usr/ports/security/strongswan]# make deinstall clean distclean
===>  Deinstalling for strongswan
===>   Deinstalling strongswan-5.3.2
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        strongswan-5.3.2

The operation will free 4 MiB.
[1/1] Deinstalling strongswan-5.3.2...
You may need to manually remove /usr/local/etc/ipsec.conf if it's no longer needed.
You may need to manually remove /usr/local/etc/strongswan.conf if it's no longer needed.
[1/1] Deleting files for strongswan-5.3.2: 100%
===>  Cleaning for strongswan-5.3.3
===>  Deleting distfiles for strongswan-5.3.3
(pts/1)[root@server:/usr/ports/security/strongswan]# pkg install strongswan
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01
Fetching packagesite.txz: 100%    5 MiB   1.4MB/s    00:04
Processing entries: 100%
FreeBSD repository update completed. 24333 packages processed.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        strongswan: 5.3.2

The process will require 4 MiB more space.

Proceed with this action? [y/N]: y
[1/1] Installing strongswan-5.3.2...
[1/1] Extracting strongswan-5.3.2: 100%
(pts/1)[root@server:/usr/ports/security/strongswan]#

(pts/1)[root@server:/usr/ports/security/strongswan]# /usr/local/etc/rc.d/strongswan onestart
Starting strongSwan 5.3.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!

(pts/2)[root@server:~]# tail -f /var/log/strongswan.log
2015-10-01 20:37:06 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, FreeBSD 10.1-RELEASE-p14, i386)
2015-10-01 20:37:06 00[LIB] arbitrary naming of TUN devices is not supported
2015-10-01 20:37:06 00[LIB] failed to open : Device busy
2015-10-01 20:37:06 00[LIB] failed to open : Device busy
2015-10-01 20:37:06 00[LIB] created TUN device: tun2
2015-10-01 20:37:06 00[NET] unable to bind socket: Address already in use
2015-10-01 20:37:06 00[NET] could not open IPv4 socket, IPv4 disabled
2015-10-01 20:37:06 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2015-10-01 20:37:06 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2015-10-01 20:37:06 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-10-01 20:37:06 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-10-01 20:37:06 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-10-01 20:37:06 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-10-01 20:37:06 00[CFG]   loaded IKE secret for %any
2015-10-01 20:37:06 00[LIB] loaded plugins: charon aes kernel-libipsec des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-10-01 20:37:06 00[JOB] spawning 16 worker threads
2015-10-01 20:37:06 11[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-10-01 20:37:06 11[CFG] left nor right host is our side, assuming left=local
2015-10-01 20:37:06 11[CFG] added configuration 'L2TP/IPsec-PSK'

2. Install from ports without KERNELLIBIPSEC:
Code:
(pts/1)[root@server:/usr/ports/security/strongswan]# service strongswan onestop
Stopping strongSwan IPsec...
(pts/1)[root@server:/usr/ports/security/strongswan]# make rmconfig
===> No user-specified options configured for strongswan-5.3.3
(pts/1)[root@server:/usr/ports/security/strongswan]# make deinstall clean distclean
===>  Deinstalling for strongswan
===>   Deinstalling strongswan-5.3.2
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        strongswan-5.3.2

The operation will free 4 MiB.
[1/1] Deinstalling strongswan-5.3.2...
You may need to manually remove /usr/local/etc/ipsec.conf if it's no longer needed.
You may need to manually remove /usr/local/etc/strongswan.conf if it's no longer needed.
[1/1] Deleting files for strongswan-5.3.2: 100%
===>  Cleaning for strongswan-5.3.3
===>  Deleting distfiles for strongswan-5.3.3
(pts/1)[root@server:/usr/ports/security/strongswan]# make config
strongswan-5.3.3
[ ] CURL            Enable CURL to fetch CRL/OCSP
[ ] EAPAKA3GPP2     Enable EAP AKA with 3gpp2 backend
[ ] EAPDYNAMIC      Enable EAP dynamic proxy module
[ ] EAPRADIUS       Enable EAP Radius proxy authentication
[ ] EAPSIMFILE      Enable EAP SIM with file backend
[ ] GCM             Enable GCM AEAD wrapper crypto plugin
[x] IKEv1           Enable IKEv1 support
[ ] IPSECKEY        Enable authentication with IPSECKEY resource records
[ ] KERNELLIBIPSEC  Enable IPSec userland backend
[ ] LDAP            LDAP protocol support
[ ] LOADTESTER      Enable load testing plugin
[ ] MYSQL           MySQL database support
[x] PKI             Enable PKI tools
[ ] SCEP            Enable Simple Certificate Enrollment Protocol
[ ] SMP             Enable XML-based management protocol
[ ] SQLITE          SQLite database support
[ ] TESTVECTOR      Enable crypto test vectors
[ ] UNBOUND         Enable DNSSEC-enabled resolver
[ ] UNITY           Enable Cisco Unity extension plugin
[ ] XAUTH           Enable XAuth password verification
                    <  OK  >            <Cancel>
(pts/1)[root@server:/usr/ports/security/strongswan]# make reinstall clean

[skipped]
Installing strongswan-5.3.3...
===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/lib/ipsec/libstrongswan.so.0.0.0
/usr/local/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/strongswan

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://www.strongswan.org
===>  Cleaning for strongswan-5.3.3
(pts/1)[root@server:/usr/ports/security/strongswan]#

(pts/1)[root@server:/usr/ports/security/strongswan]# /usr/local/etc/rc.d/strongswan onestart
Starting strongSwan 5.3.3 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
(pts/1)[root@server:/usr/ports/security/strongswan]#

(pts/3)[root@server:/usr/local/etc/strongswan.d/charon]# tail -f /var/log/strongswan.log
2015-10-01 20:49:02 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, FreeBSD 10.1-RELEASE-p14, i386)
2015-10-01 20:49:02 00[LIB] arbitrary naming of TUN devices is not supported
2015-10-01 20:49:02 00[LIB] failed to open : Device busy
2015-10-01 20:49:02 00[LIB] failed to open : Device busy
2015-10-01 20:49:02 00[LIB] created TUN device: tun2
2015-10-01 20:49:02 00[NET] unable to bind socket: Address already in use
2015-10-01 20:49:02 00[NET] could not open IPv4 socket, IPv4 disabled
2015-10-01 20:49:02 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2015-10-01 20:49:02 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2015-10-01 20:49:02 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-10-01 20:49:02 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-10-01 20:49:02 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-10-01 20:49:02 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-10-01 20:49:02 00[CFG]   loaded IKE secret for %any
2015-10-01 20:49:02 00[LIB] loaded plugins: charon aes kernel-libipsec des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-10-01 20:49:02 00[JOB] spawning 16 worker threads
2015-10-01 20:49:02 07[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-10-01 20:49:02 07[CFG] added configuration 'L2TP/IPsec-PSK'

What am I doing wrong?

Unfortunately, the result was similar.
 

Senya88

Member


Messages: 27

This is troublesome. DO NOT ACTIVATE the option KERNELLIBIPSEC! This will NOT WORK!!

Solved!
Code:
cat /usr/local/etc/strongswan.d/charon/kernel-libipsec.conf
kernel-libipsec {

    # Allow that the remote traffic selector equals the IKE peer.
    # allow_peer_ts = no

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = no

}
I put "load = no". Maybe it is the default in the new version of the port?

Code:
(pts/1)[root@server:/usr/ports/security/strongswan]# sockstat | grep 500
root     charon     45327 11 udp4 6 *:500                 *:*
root     charon     45327 12 udp4 6 *:4500                *:*
[skipped]
 

Senya88

Member


Messages: 27

Unfortunately, it doesn't work:

Code:
2015-10-01 21:17:08 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, FreeBSD 10.2-RELEASE-p3, i386)
2015-10-01 21:17:08 00[KNL] unable to set UDP_ENCAP: Invalid argument
2015-10-01 21:17:08 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2015-10-01 21:17:08 00[NET] unable to bind socket: Address already in use
2015-10-01 21:17:08 00[NET] could not open IPv4 socket, IPv4 disabled
2015-10-01 21:17:08 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2015-10-01 21:17:08 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2015-10-01 21:17:08 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-10-01 21:17:08 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-10-01 21:17:08 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-10-01 21:17:08 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-10-01 21:17:08 00[CFG]   loaded IKE secret for %any
2015-10-01 21:17:08 00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-10-01 21:17:08 00[JOB] spawning 16 worker threads
2015-10-01 21:17:08 03[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-10-01 21:17:08 03[CFG] added configuration 'L2TP/IPsec-PSK'
2015-10-01 21:17:17 03[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (384 bytes)
2015-10-01 21:17:17 03[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V ]
2015-10-01 21:17:17 03[IKE] <1> received MS NT5 ISAKMPOAKLEY vendor ID
2015-10-01 21:17:17 03[IKE] <1> received NAT-T (RFC 3947) vendor ID
2015-10-01 21:17:17 03[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2015-10-01 21:17:17 03[IKE] <1> received FRAGMENTATION vendor ID
2015-10-01 21:17:17 03[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
2015-10-01 21:17:17 03[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
2015-10-01 21:17:17 03[ENC] <1> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
2015-10-01 21:17:17 03[IKE] <1> ::ffff:2.93.190.121 is initiating a Main Mode IKE_SA
2015-10-01 21:17:17 03[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
2015-10-01 21:17:17 03[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (136 bytes)
2015-10-01 21:17:17 03[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (228 bytes)
2015-10-01 21:17:17 03[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2015-10-01 21:17:17 03[IKE] <1> local host is behind NAT, sending keep alives
2015-10-01 21:17:17 03[IKE] <1> remote host is behind NAT
2015-10-01 21:17:17 03[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2015-10-01 21:17:17 03[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (212 bytes)
2015-10-01 21:17:17 02[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
2015-10-01 21:17:17 02[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
2015-10-01 21:17:17 02[CFG] <1> looking for pre-shared key peer configs matching ::ffff:85.113.221.175...::ffff:2.93.190.121[192.168.42.145]
2015-10-01 21:17:17 02[CFG] <1> selected peer config "L2TP/IPsec-PSK"
2015-10-01 21:17:17 02[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]
2015-10-01 21:17:17 02[IKE] <L2TP/IPsec-PSK|1> scheduling reauthentication in 9873s
2015-10-01 21:17:17 02[IKE] <L2TP/IPsec-PSK|1> maximum IKE_SA lifetime 10413s
2015-10-01 21:17:17 02[ENC] <L2TP/IPsec-PSK|1> generating ID_PROT response 0 [ ID HASH ]
2015-10-01 21:17:17 02[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.93.190.121[4500] (92 bytes)
2015-10-01 21:17:17 15[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (332 bytes)
2015-10-01 21:17:17 15[ENC] <L2TP/IPsec-PSK|1> parsed QUICK_MODE request 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-10-01 21:17:17 15[IKE] <L2TP/IPsec-PSK|1> received 250000000 lifebytes, configured 0
2015-10-01 21:17:17 15[ENC] <L2TP/IPsec-PSK|1> generating QUICK_MODE response 1 [ HASH SA No ID ID NAT-OA NAT-OA ]
2015-10-01 21:17:17 15[NET] <L2TP/IPsec-PSK|1> sending packet: from ::ffff:85.113.221.175[4500] to ::ffff:2.93.190.121[4500] (252 bytes)
2015-10-01 21:17:17 15[NET] <L2TP/IPsec-PSK|1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (92 bytes)
2015-10-01 21:17:17 15[ENC] <L2TP/IPsec-PSK|1> parsed INFORMATIONAL_V1 request 3018828040 [ HASH D ]
2015-10-01 21:17:17 15[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
2015-10-01 21:17:17 15[IKE] <L2TP/IPsec-PSK|1> deleting IKE_SA L2TP/IPsec-PSK[1] between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]
 

obsigna

Daemon

Reaction score: 900
Messages: 1,296

Code:
kernel-libipsec {...  load = no ...}
I put "load = no". Maybe it is the default in the new version of the port?

No, it's the default of strongSwan neither from the ports nor from the packages. I don't know how this is possible, but it must somehow be a leftover from one of your previous installations. Maybe because you asked for a re-installation (make reinstall clean) instead of a fresh install.

Regarding the other issue, Windows starting to talk on the NAT-T channel (port 4500) even though there can't be any NAT because it is IPv6: it came to my mind that the Windows registry hack AssumeUDPEncapsulationContextOnSendRule is nonsense for IPv6. It might be a good idea to remove that value from the Windows registry and see whether Windows again starts communicating on port 4500.
 

Senya88

Member


Messages: 27

No, it's the default of strongSwan neither from the ports nor from the packages. I don't know how this is possible, but it must somehow be a leftover from one of your previous installations.

I think so. Maybe the first installation was with KERNELLIBIPSEC. I did
rm ./strongswan.d
and after this strongSwan can listen on ports 500 and 4500.

Regarding the other issue, Windows starting to talk on the NAT-T channel (port 4500) even though there can't be any NAT because it is IPv6: it came to my mind that the Windows registry hack AssumeUDPEncapsulationContextOnSendRule is nonsense for IPv6. It might be a good idea to remove that value from the Windows registry and see whether Windows again starts communicating on port 4500.

If I understood correctly, I need to remove AssumeUDPEncapsulationContextOnSendRule, don't I?

I removed this key, then rebooted my computer:

Code:
2015-10-01 22:33:42 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, FreeBSD 10.2-RELEASE-p3, i386)
2015-10-01 22:33:42 00[KNL] unable to set UDP_ENCAP: Invalid argument
2015-10-01 22:33:42 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2015-10-01 22:33:42 00[NET] unable to bind socket: Address already in use
2015-10-01 22:33:42 00[NET] could not open IPv4 socket, IPv4 disabled
2015-10-01 22:33:42 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
2015-10-01 22:33:43 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
2015-10-01 22:33:43 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
2015-10-01 22:33:43 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
2015-10-01 22:33:43 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
2015-10-01 22:33:43 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
2015-10-01 22:33:43 00[CFG]   loaded IKE secret for %any
2015-10-01 22:33:43 00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock
2015-10-01 22:33:43 00[JOB] spawning 16 worker threads
2015-10-01 22:33:43 14[CFG] received stroke: add connection 'L2TP/IPsec-PSK'
2015-10-01 22:33:43 14[CFG] added configuration 'L2TP/IPsec-PSK'
2015-10-01 22:33:51 14[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (384 bytes)
2015-10-01 22:33:51 14[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V V ]
2015-10-01 22:33:51 14[IKE] <1> received MS NT5 ISAKMPOAKLEY vendor ID
2015-10-01 22:33:51 14[IKE] <1> received NAT-T (RFC 3947) vendor ID
2015-10-01 22:33:51 14[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2015-10-01 22:33:51 14[IKE] <1> received FRAGMENTATION vendor ID
2015-10-01 22:33:51 14[ENC] <1> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
2015-10-01 22:33:51 14[ENC] <1> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
2015-10-01 22:33:51 14[ENC] <1> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
2015-10-01 22:33:51 14[IKE] <1> ::ffff:2.93.190.121 is initiating a Main Mode IKE_SA
2015-10-01 22:33:51 14[ENC] <1> generating ID_PROT response 0 [ SA V V V ]
2015-10-01 22:33:51 14[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (136 bytes)
2015-10-01 22:33:51 14[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (228 bytes)
2015-10-01 22:33:51 14[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2015-10-01 22:33:51 14[IKE] <1> local host is behind NAT, sending keep alives
2015-10-01 22:33:51 14[IKE] <1> remote host is behind NAT
2015-10-01 22:33:51 14[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2015-10-01 22:33:51 14[NET] <1> sending packet: from ::ffff:85.113.221.175[500] to ::ffff:2.93.190.121[500] (212 bytes)
2015-10-01 22:33:51 16[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
2015-10-01 22:33:51 16[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
2015-10-01 22:33:51 16[CFG] <1> looking for pre-shared key peer configs matching ::ffff:85.113.221.175...::ffff:2.93.190.121[192.168.42.145]
2015-10-01 22:33:51 16[CFG] <1> selected peer config "L2TP/IPsec-PSK"
2015-10-01 22:33:51 16[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]

Win7 gave me error code 789.
 

obsigna

Daemon

Reaction score: 900
Messages: 1,296

...
If I understood correctly, I need to remove AssumeUDPEncapsulationContextOnSendRule, don't I?

Yes, either remove it, or set the value to 0, the default behaviour of Windows, see https://support.microsoft.com/en-us/kb/926179.

Clearly you are on IPv6, and for sure IPv6 UDP decapsulation won't work by any means on your server; to know this, we need only read the initial section of your last connection log:
Code:
2015-10-01 21:17:08 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, FreeBSD 10.2-RELEASE-p3, i386)
2015-10-01 21:17:08 00[KNL] unable to set UDP_ENCAP: Invalid argument
2015-10-01 21:17:08 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2015-10-01 21:17:08 00[NET] unable to bind socket: Address already in use
2015-10-01 21:17:08 00[NET] could not open IPv4 socket, IPv4 disabled
...
In addition, something is already occupying IPv4 port 500 and/or 4500, and for this reason IPv4 has been disabled.

On the other hand, strongSwan detects that your server and the remote client are both sitting behind NAT:
Code:
...
2015-10-01 21:17:17 03[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2015-10-01 21:17:17 03[IKE] <1> local host is behind NAT, sending keep alives
2015-10-01 21:17:17 03[IKE] <1> remote host is behind NAT
2015-10-01 21:17:17 03[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
...
Are you connected via DS-Lite, or do you have a real IPv6 address? If you can't disable NAT, then you are at a dead end here. FreeBSD is not able to do IPv6 UDP decapsulation.

Your options are to get rid of DS-Lite by switching either to pure IPv6 without NAT or to IPv4 (with or without NAT).
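As an added example (not part of any post in this thread, and not strongSwan's own tooling), the following Python script reads charon log lines of the kind quoted above and flags the symptoms this thread turns on: the kernel-libipsec plugin in the loaded-plugin list, the IPv4 socket bind failure, the refused IPv6 UDP_ENCAP, NAT detection on both sides, traffic on UDP 4500, and peers printed as ::ffff:a.b.c.d. That last form is the IPv4-mapped IPv6 notation of RFC 4291 section 2.5.5.2, and is how an AF_INET6 socket reports datagrams from IPv4 peers (RFC 3493 section 3.7), so the script decodes the embedded IPv4 address with the standard ipaddress module rather than by string slicing. The sample log is constructed from the excerpts quoted in this thread (two startup runs merged under one timestamp, the plugin list shortened); the advice strings and the field names are this example's own, not charon output.

```python
"""Triage charon (strongSwan) log lines for the failure signatures discussed in this thread.

Added example, not part of the original posts. Assumes the default charon log
format (timestamp, thread id, [SUBSYS], message); no strongSwan API is used.
"""
import ipaddress
import re

# Constructed sample: lines trimmed and merged from the log excerpts quoted in the
# thread (two startup runs under one timestamp, plugin list shortened).
SAMPLE_LOG = """\
2015-10-01 21:17:08 00[DMN] Starting IKE charon daemon (strongSwan 5.3.3, FreeBSD 10.2-RELEASE-p3, i386)
2015-10-01 21:17:08 00[KNL] unable to set UDP_ENCAP: Invalid argument
2015-10-01 21:17:08 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2015-10-01 21:17:08 00[NET] unable to bind socket: Address already in use
2015-10-01 21:17:08 00[NET] could not open IPv4 socket, IPv4 disabled
2015-10-01 21:17:08 00[LIB] loaded plugins: charon aes kernel-libipsec sha1 sha2 kernel-pfkey kernel-pfroute socket-default stroke
2015-10-01 21:17:17 03[NET] <1> received packet: from ::ffff:2.93.190.121[500] to ::ffff:85.113.221.175[500] (384 bytes)
2015-10-01 21:17:17 03[IKE] <1> local host is behind NAT, sending keep alives
2015-10-01 21:17:17 03[IKE] <1> remote host is behind NAT
2015-10-01 21:17:17 02[NET] <1> received packet: from ::ffff:2.93.190.121[4500] to ::ffff:85.113.221.175[4500] (76 bytes)
2015-10-01 21:17:17 02[IKE] <L2TP/IPsec-PSK|1> IKE_SA L2TP/IPsec-PSK[1] established between ::ffff:85.113.221.175[::ffff:85.113.221.175]...::ffff:2.93.190.121[192.168.42.145]
2015-10-01 21:17:17 15[IKE] <L2TP/IPsec-PSK|1> received DELETE for IKE_SA L2TP/IPsec-PSK[1]
"""

# "from HOST[PORT] to HOST[PORT]" as charon prints it on [NET] lines.
_PEER_RE = re.compile(r"from (\S+?)\[(\d+)\] to (\S+?)\[(\d+)\]")


def ipv4_mapped(addr: str):
    """Return 'a.b.c.d' if addr is an RFC 4291 IPv4-mapped IPv6 literal (::ffff:a.b.c.d), else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return None


def triage(log_text: str) -> dict:
    """Scan charon log text and return a dict of flags plus the peers seen."""
    f = {
        "libipsec_loaded": False,      # kernel-libipsec present in the plugin list
        "ipv4_disabled": False,        # "could not open IPv4 socket"
        "v6_udp_encap_failed": False,  # kernel refused UDP_ENCAP on the IPv6 socket
        "local_behind_nat": False,
        "remote_behind_nat": False,
        "nat_t_port_used": False,      # traffic seen on UDP 4500
        "ike_sa_established": False,
        "ike_sa_deleted_by_peer": False,
        "mapped_peers": [],            # IPv4 addresses charon printed as ::ffff:a.b.c.d
    }
    for line in log_text.splitlines():
        if "loaded plugins:" in line:
            plugins = line.split("loaded plugins:", 1)[1].split()
            f["libipsec_loaded"] = "kernel-libipsec" in plugins
        if "could not open IPv4 socket" in line:
            f["ipv4_disabled"] = True
        if "enabling UDP decapsulation for IPv6" in line and line.rstrip().endswith("failed"):
            f["v6_udp_encap_failed"] = True
        if "local host is behind NAT" in line:
            f["local_behind_nat"] = True
        if "remote host is behind NAT" in line:
            f["remote_behind_nat"] = True
        if "IKE_SA" in line and " established between " in line:
            f["ike_sa_established"] = True
        if "received DELETE for IKE_SA" in line:
            f["ike_sa_deleted_by_peer"] = True
        m = _PEER_RE.search(line)
        if m:
            for host, port in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
                if port == "4500":
                    f["nat_t_port_used"] = True
                v4 = ipv4_mapped(host)
                if v4 and v4 not in f["mapped_peers"]:
                    f["mapped_peers"].append(v4)
    return f


def advice(f: dict) -> list:
    """Turn the flags into the checks a practitioner would run next (wording is this example's own)."""
    out = []
    if f["libipsec_loaded"]:
        out.append("kernel-libipsec is loaded: set 'load = no' in strongswan.d/charon/kernel-libipsec.conf")
    if f["ipv4_disabled"]:
        out.append("IPv4 socket bind failed and IPv4 was disabled: find what holds UDP 500/4500 (sockstat -4l | grep 500)")
    if f["v6_udp_encap_failed"]:
        out.append("kernel refused UDP_ENCAP on the IPv6 socket: ESP-in-UDP (NAT-T) can only be decapsulated on the IPv4 socket")
    if f["mapped_peers"]:
        out.append("peers logged as IPv4-mapped literals (RFC 4291 2.5.5.2): " + ", ".join(f["mapped_peers"])
                   + "; an AF_INET6 socket reports IPv4 datagrams this way (RFC 3493 3.7), so confirm with tcpdump which address family IKE really arrives on")
    if f["local_behind_nat"] and f["remote_behind_nat"]:
        out.append("both ends report NAT (NAT-D mismatch): the client will move to UDP 4500 and wrap ESP in UDP")
    if f["ike_sa_established"] and f["ike_sa_deleted_by_peer"]:
        out.append("IKE_SA established and then deleted by the peer: Phase 1/PSK is fine, the failure is in the ESP or L2TP leg")
    return out


if __name__ == "__main__":
    for msg in advice(triage(SAMPLE_LOG)):
        print("-", msg)
```

Run it against `tail -n 200 /var/log/strongswan.log` (or with the `stroke`-era `ipsec statusall` output appended) to get the same checklist for a live box; on a clean startup with `load = no` in kernel-libipsec.conf and both UDP sockets bound, `advice()` returns an empty list.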
 