Setup L2TP/IPSEC VPN client using StrongSwan on OpenWrt x86

Leo5117 · March 13, 2020, 3:58am

Hi, everyone!

I'm Leo come from China, because our GOV we can't vist Internet as wish as you like, but we have other way to do it so I can meet you here!!!

I'm just a new guy come here, I want to thank you very much if you can give me a hand with StrongSwan on OpenWRT. Because I try many many days and work hard but still can't connect it success!

I want to setup a l2tp over ipsec client on openwrt use strongswan, I install every thing to a desktop and it can work well as a router.

My environment is:
1.OpenWrt 19.07.1, r10911-c155900f66
2.Starting strongSwan 5.8.2
3.xl2tpd 1.3.15-2

I setup router as this link said http://villasyslog.net/openwrt-pptp-l2tp-ikev2-setup-strongswan-vpn-client/
But it can't work, so I change some parameter and test again and aging......
Still can't connect success, so I come here ask for help and show your about detail.

**file1: /etc/ipsec.conf**

basic configuration

config setup
strictcrlpolicy=yes
uniqueids = no
charondebug=all

Add connections here.

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1 (I try ikev2 first but can't work, then I use google that a lot of people use ikev1 for this, but still can't connect)

Sample VPN connections

conn L2TP-PSK
authby=secret
leftauth=psk
auto=add
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=yes
ikelifetime=8h
keylife=1h
type=transport
left=%defaultroute
leftprotoport=17/1701
[right=xx.xx.com](http://right%3Dxx.xx.com/) (It can't use IP to setup because the server IP change everyday)
rightauth=psk
[rightid=xx.xx.com](http://rightid%3Dxx.xx.com/)
rightprotoport=17/1701
auto=start
dpddelay=40
dpdtimeout=130
dpdaction=clear

**file2:/etc/ipsec.secrets**

/etc/ipsec.secrets - strongSwan IPsec secrets file

[xx.xx.com](http://xx.xx.com/) : PSK "xxxxxx"

**file3:/etc/xl2tpd/xl2tpd.conf**

[global]
port = 1701
auth file = /etc/xl2tpd/xl2tp-secrets
access control = no

[lac strong-vpn]
lns = [xx.xx.com](http://xx.xx.com/)
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
bps = 1000000

**file4:/etc/ppp/options.l2tpd.client**

ipcp-accept-local
ipcp-accept-remote
require-pap  (I try to setup vpn client  on my TPLINK router and I see log is PAP Aut, but it can't show me more for detail)
noccp
noauth
idle 1800
mtu 1400 (See this value from TPLINK log too)
mru 1400
defaultroute
replacedefaultroute
usepeerdns
debug
connect-delay 5000
name "user"
password "password"
lcp-echo-interval 20
lcp-echo-failure 5

Leo5117 · March 13, 2020, 4:04am

Here is IPsec statusall

root@OpenWrt:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 4.14.167, x86_64):
  uptime: 19 minutes, since Mar 12 19:41:43 2020
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
  192.168.1.1
  fdb4:2533:309c::1
  192.168.3.1
  172.17.17.157
Connections:
    L2TP-PSK:  %any...xx.xx.com  IKEv1, dpddelay=40s
    L2TP-PSK:   local:  uses pre-shared key authentication
    L2TP-PSK:   remote: [xx.xx.com] uses pre-shared key authentication
    L2TP-PSK:   child:  dynamic[udp/l2f] === dynamic[udp/l2f] TRANSPORT, dpdaction=clear
Security Associations (0 up, 0 connecting):

Here is logread

Thu Mar 12 19:41:55 2020 authpriv.info ipsec_starter[11386]: Starting strongSwan 5.8.2 IPsec [starter]...
Thu Mar 12 19:41:55 2020 authpriv.info ipsec_starter[11386]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Thu Mar 12 19:41:55 2020 authpriv.info ipsec_starter[11386]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Thu Mar 12 19:42:00 2020 authpriv.info ipsec_starter[11387]: Starting strongSwan 5.8.2 IPsec [starter]...
Thu Mar 12 19:42:00 2020 authpriv.info ipsec_starter[11387]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Thu Mar 12 19:42:00 2020 authpriv.info ipsec_starter[11387]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Thu Mar 12 19:42:05 2020 authpriv.info ipsec_starter[11388]: Starting strongSwan 5.8.2 IPsec [starter]...
Thu Mar 12 19:42:05 2020 authpriv.info ipsec_starter[11388]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Thu Mar 12 19:42:05 2020 authpriv.info ipsec_starter[11388]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Thu Mar 12 19:42:06 2020 daemon.info : 13[CFG] received stroke: initiate 'L2TP-PSK'
Thu Mar 12 19:42:06 2020 daemon.info : 14[IKE] initiating Main Mode IKE_SA L2TP-PSK[2] to 122.100.136.178
Thu Mar 12 19:42:06 2020 authpriv.info : 14[IKE] initiating Main Mode IKE_SA L2TP-PSK[2] to 122.100.136.178
Thu Mar 12 19:42:06 2020 daemon.info : 14[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Thu Mar 12 19:42:06 2020 daemon.info : 14[NET] sending packet: from 172.17.17.157[500] to 122.100.136.178[500] (180 bytes)
Thu Mar 12 19:42:06 2020 daemon.info : 15[NET] received packet: from 122.100.136.178[500] to 172.17.17.157[500] (64 bytes)
Thu Mar 12 19:42:06 2020 daemon.info : 15[ENC] parsed INFORMATIONAL_V1 request 1207850331 [ N(NO_PROP) ]
# Thu Mar 12 19:42:06 2020 daemon.info : 15[IKE] received NO_PROPOSAL_CHOSEN error notify (I think this is error but I don't know what this means)
Thu Mar 12 19:42:10 2020 authpriv.info ipsec_starter[11393]: Starting strongSwan 5.8.2 IPsec [starter]...
Thu Mar 12 19:42:10 2020 authpriv.info ipsec_starter[11393]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Thu Mar 12 19:42:10 2020 authpriv.info ipsec_starter[11393]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done
Thu Mar 12 19:42:10 2020 daemon.info procd: Instance ipsec::instance1 s in a crash loop 6 crashes, 0 seconds since last crash

tmomas · March 13, 2020, 6:50am

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.

Please edit your posting(s) accordingly.
Thanks!

Leo5117 · March 13, 2020, 7:41am

Thanks for remind! I hope this time looks better!!!

Leo5117 · March 14, 2020, 3:25am

Please give me some help!!!

ulmwind · March 14, 2020, 9:32am

I don't understand, so it works on PC, and doesn't work on router?

Leo5117 · March 16, 2020, 1:49am

yes, this vpn I can setup and work with Win7&10, Iphone X, and it can work on the TPLINK WAR302 router too.
But it can't use with strongswan on the openwrt......

ulmwind · March 16, 2020, 11:39am

Please, give configuration steps on Windows machine. Do you really need xl2tp package?

Leo5117 · March 17, 2020, 2:37am

Hi, many thanks for your reply!
The windows 7 log is here, I see a lot of people said need install xl2tp package, because the basic protocol is l2tp!

Log Name:      Application
Source:        RasClient
Date:          2020-03-17 10:18:33
Event ID:      20221
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      LEO
Description:
CoId={16EF5E97-B288-4556-9C8B-BB5D25A67D5A}: The user LEO\leo has started dialing a VPN connection using a per-user connection profile named VPN. 
The connection settings are: 

Dial-in User = XXX@XXX.com

VpnStrategy = L2TP

DataEncryption = Requested

PrerequisiteEntry = 

AutoLogon = No

UseRasCredentials = Yes

Authentication Type = PAP/CHAP/MS-CHAPv2 

Ipv4DefaultGateway = Yes

Ipv4AddressAssignment = By Server

Ipv4DNSServerAssignment = By Server

Ipv6DefaultGateway = Yes

Ipv6AddressAssignment = By Server

Ipv6DNSServerAssignment = By Server

IpDnsFlags = 

IpNBTEnabled = Yes

UseFlags = Private Connection

ConnectOnWinlogon = No

IPsec authentication for L2TP = Pre-shared key.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="RasClient" />
    <EventID Qualifiers="0">20221</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-03-17T02:18:33.000000000Z" />
    <EventRecordID>6376147</EventRecordID>
    <Channel>Application</Channel>
    <Computer>LEO</Computer>
    <Security />
  </System>
  <EventData>
    <Data>{16EF5E97-B288-4556-9C8B-BB5D25A67D5A}</Data>
    <Data>LEO\leo</Data>
    <Data>VPN</Data>
    <Data>per-user</Data>
    <Data>VPN</Data>
    <Data>
Dial-in User = XXX@XXX.com
VpnStrategy = L2TP
DataEncryption = Requested
PrerequisiteEntry = 
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = PAP/CHAP/MS-CHAPv2 
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = 
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
IPsec authentication for L2TP = Pre-shared key</Data>
  </EventData>
</Event>

ulmwind · March 17, 2020, 5:13pm

OK, I recommend you to configure Ubuntu initially, and after that try to configure OpenWRT: https://support.strongvpn.com/hc/en-us/articles/360003656534-L2TP-Setup-Ubuntu-Command-Line

Leo5117 · March 18, 2020, 3:58am

Thank you very much!
I didn't see this before when I try search in google, Maybe I use bad keyword...
I will try to do it like this!
Thanks again!

oskreso · September 10, 2021, 7:27am

have you solved it?