Stuck setting up an IPsec/L2TP PSK tunnel as client

Hi,

We've been trying to set up an IPsec/L2TP tunnel on 18.06.

We've got it working on Ubuntu using libreswan and xl2tpd. Translating the options used to OpenWrt, we got the following:

# cat /etc/ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev1
    authby=secret
    ike=3des-sha1-modp1024!
    esp=3des-sha1-modp1024!

conn myvpn
    keyexchange=ikev1
    left=%defaultroute
    auto=start
    authby=secret
    type=tunnel
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=REMOTE_IP
    rightsubnet=REMOTE_LAN/24
# cat /etc/ipsec.secrets
: PSK "SHARED_SECRET"
# cat /etc/xl2tpd/xl2tpd.conf
[lac myvpn]
lns = thuus-kbrgthgptq.dynamic-m.com
ppp debug = yes
pppoptfile = /tmp/l2tp/options.ipsec0
length bit = yes
# /etc/config/network
[...]
config interface 'ipsec0'
    option auto '0'
    option ifname 'ipsec0'
    option proto 'l2tp'
    option server 'REMOTE_IP'
    option username 'USERNAME'
    option password 'PASSWORD'
    option ipv6 '0'
    option mtu '1280'
    option checkup_interval '6'
    option pppd_options 'noccp refuse-eap require-chap debug'
# cat /tmp/l2tp/options.ipsec0
usepeerdns
nodefaultroute
ipparam "ipsec0"
ifname "l2tp-ipsec0"
ip-up-script /lib/netifd/ppp-up
ipv6-up-script /lib/netifd/ppp-up
ip-down-script /lib/netifd/ppp-down
ipv6-down-script /lib/netifd/ppp-down
# Don't wait for LCP term responses; exit immediately when killed.
lcp-max-terminate 0
user "USERNAME" password "PASSWORD"
mtu 1280 mru 1280
noccp refuse-eap require-chap debug

With all that, we are stuck at this:

Wed Oct 24 14:50:13 2018 user.notice hotplug: iface 80-wan: starting vpn ipsec
Wed Oct 24 14:50:13 2018 user.notice DEBUG: /sbin/hotplug-call iface: action='ifup' devicename='' devname='' devpath='' product='' type='' interface='wan'
Wed Oct 24 14:50:13 2018 authpriv.info ipsec_starter[4765]: Starting strongSwan 5.6.3 IPsec [starter]...
Wed Oct 24 14:50:13 2018 daemon.err modprobe: ah4 is already loaded
Wed Oct 24 14:50:13 2018 daemon.err modprobe: esp4 is already loaded
Wed Oct 24 14:50:13 2018 daemon.err modprobe: ipcomp is already loaded
Wed Oct 24 14:50:13 2018 daemon.err modprobe: xfrm4_tunnel is already loaded
Wed Oct 24 14:50:13 2018 daemon.err modprobe: xfrm_user is already loaded
Wed Oct 24 14:50:13 2018 daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.78, armv7l)
Wed Oct 24 14:50:13 2018 daemon.info : 00[CFG] PKCS11 module '<name>' lacks library path
Wed Oct 24 14:50:17 2018 daemon.info : 00[LIB] created TUN device: ipsec0
Wed Oct 24 14:50:17 2018 daemon.info : 00[LIB] plugin 'uci' failed to load: Error relocating /usr/lib/ipsec/plugins/libstrongswan-uci.so: uci_lookup: symbol not found
Wed Oct 24 14:50:17 2018 daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Wed Oct 24 14:50:17 2018 daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Wed Oct 24 14:50:17 2018 daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Wed Oct 24 14:50:17 2018 daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Wed Oct 24 14:50:17 2018 daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Wed Oct 24 14:50:17 2018 daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Wed Oct 24 14:50:17 2018 daemon.info : 00[CFG]   loaded IKE secret for %any
Wed Oct 24 14:50:17 2018 daemon.info : 00[CFG] coupling file path unspecified
Wed Oct 24 14:50:17 2018 daemon.info : 00[LIB] loaded plugins: charon pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 xcbc cmac hmac ccm gcm curl attr kernel-libipsec kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls xauth-generic xauth-eap dhcp addrblock unity
Wed Oct 24 14:50:17 2018 daemon.info : 00[JOB] spawning 16 worker threads
Wed Oct 24 14:50:17 2018 authpriv.info ipsec_starter[4765]: charon (4817) started after 3760 ms
Wed Oct 24 14:50:17 2018 daemon.info : 09[CFG] received stroke: add connection 'myvpn'
Wed Oct 24 14:50:17 2018 daemon.info : 09[CFG] added configuration 'myvpn'
Wed Oct 24 14:50:17 2018 daemon.info : 11[CFG] received stroke: initiate 'myvpn'
Wed Oct 24 14:50:17 2018 daemon.info : 11[IKE] initiating Main Mode IKE_SA myvpn[1] to 86.93.145.28
Wed Oct 24 14:50:17 2018 authpriv.info : 11[IKE] initiating Main Mode IKE_SA myvpn[1] to 86.93.145.28
Wed Oct 24 14:50:17 2018 daemon.info : 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Wed Oct 24 14:50:17 2018 daemon.info : 11[NET] sending packet: from 10.7.0.151[500] to 86.93.145.28[500] (236 bytes)
Wed Oct 24 14:50:17 2018 daemon.info : 13[NET] received packet: from 86.93.145.28[500] to 10.7.0.151[500] (156 bytes)
Wed Oct 24 14:50:17 2018 daemon.info : 13[ENC] parsed ID_PROT response 0 [ SA V V V V ]
Wed Oct 24 14:50:17 2018 daemon.info : 13[IKE] received XAuth vendor ID
Wed Oct 24 14:50:17 2018 daemon.info : 13[IKE] received NAT-T (RFC 3947) vendor ID
Wed Oct 24 14:50:17 2018 daemon.info : 13[IKE] received DPD vendor ID
Wed Oct 24 14:50:17 2018 daemon.info : 13[IKE] received FRAGMENTATION vendor ID
Wed Oct 24 14:50:17 2018 daemon.info : 13[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Wed Oct 24 14:50:17 2018 daemon.info : 13[NET] sending packet: from 10.7.0.151[500] to 86.93.145.28[500] (244 bytes)
Wed Oct 24 14:50:17 2018 daemon.notice netifd: Interface 'ipsec0' is setting up now
Wed Oct 24 14:50:17 2018 daemon.info : 14[NET] received packet: from 86.93.145.28[500] to 10.7.0.151[500] (228 bytes)
Wed Oct 24 14:50:17 2018 daemon.info : 14[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Wed Oct 24 14:50:17 2018 daemon.info : 14[IKE] local host is behind NAT, sending keep alives
Wed Oct 24 14:50:17 2018 daemon.info : 14[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Wed Oct 24 14:50:17 2018 daemon.info : 14[NET] sending packet: from 10.7.0.151[4500] to 86.93.145.28[4500] (100 bytes)
Wed Oct 24 14:50:18 2018 daemon.info xl2tpd[5153]: Not looking for kernel SAref support.
Wed Oct 24 14:50:18 2018 daemon.info xl2tpd[5153]: Using l2tp kernel support.
Wed Oct 24 14:50:18 2018 daemon.info xl2tpd[5153]: xl2tpd version xl2tpd-1.3.12 started on keezel PID:5153
Wed Oct 24 14:50:18 2018 daemon.info xl2tpd[5153]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Wed Oct 24 14:50:18 2018 daemon.info xl2tpd[5153]: Forked by Scott Balmos and David Stipp, (C) 2001
Wed Oct 24 14:50:18 2018 daemon.info xl2tpd[5153]: Inherited by Jeff McAdams, (C) 2002
Wed Oct 24 14:50:18 2018 daemon.info xl2tpd[5153]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Wed Oct 24 14:50:18 2018 daemon.info xl2tpd[5153]: Listening on IP address 0.0.0.0, port 1701
Wed Oct 24 14:50:18 2018 daemon.info : 15[NET] received packet: from 86.93.145.28[4500] to 10.7.0.151[4500] (92 bytes)
Wed Oct 24 14:50:18 2018 daemon.info : 15[ENC] parsed ID_PROT response 0 [ ID HASH V ]
Wed Oct 24 14:50:18 2018 daemon.info : 15[IKE] received DPD vendor ID
Wed Oct 24 14:50:18 2018 daemon.info : 15[IKE] IKE_SA myvpn[1] established between 10.7.0.151[10.7.0.151]...86.93.145.28[86.93.145.28]
Wed Oct 24 14:50:18 2018 authpriv.info : 15[IKE] IKE_SA myvpn[1] established between 10.7.0.151[10.7.0.151]...86.93.145.28[86.93.145.28]
Wed Oct 24 14:50:18 2018 daemon.info : 15[IKE] scheduling reauthentication in 3260s
Wed Oct 24 14:50:18 2018 daemon.info : 15[IKE] maximum IKE_SA lifetime 3440s
Wed Oct 24 14:50:18 2018 daemon.info : 15[ENC] generating QUICK_MODE request 1977067488 [ HASH SA No KE ID ID ]
Wed Oct 24 14:50:18 2018 daemon.info : 15[NET] sending packet: from 10.7.0.151[4500] to 86.93.145.28[4500] (308 bytes)
Wed Oct 24 14:50:18 2018 daemon.info : 10[NET] received packet: from 86.93.145.28[4500] to 10.7.0.151[4500] (68 bytes)
Wed Oct 24 14:50:18 2018 daemon.info : 10[ENC] parsed INFORMATIONAL_V1 request 3343079160 [ HASH N(NO_PROP) ]
Wed Oct 24 14:50:18 2018 daemon.info : 10[IKE] received NO_PROPOSAL_CHOSEN error notify
Wed Oct 24 14:50:18 2018 daemon.notice netifd: ipsec0 (5101): Command failed: Not found
Wed Oct 24 14:50:19 2018 daemon.notice xl2tpd[5153]: Connecting to host 86.93.145.28, port 1701
Wed Oct 24 14:50:20 2018 user.notice BANDWIDTH: IP Tables: Reset counters
Wed Oct 24 14:50:20 2018 user.notice BANDWIDTH: IP Tables: Add RRDIPT CHAIN
Wed Oct 24 14:50:20 2018 user.notice BANDWIDTH: IP Tables: Add rules
Wed Oct 24 14:50:22 2018 kern.warn kernel: [   59.609795] RTL8192DU: set group key camid:1, addr:00:00:00:00:00:00, kid:1, type:AES
Wed Oct 24 14:50:22 2018 daemon.notice hostapd: wlan1: AP-STA-CONNECTED 6c:60:eb:13:19:04
Wed Oct 24 14:50:22 2018 kern.warn kernel: [   59.631720] RTL8192DU: set pairwise key camid:6, addr:6c:60:eb:13:19:04, kid:0, type:AES
Wed Oct 24 14:50:25 2018 daemon.info xl2tpd[5153]: Disconnecting from 86.93.145.28, Local: 48199, Remote: 0
Wed Oct 24 14:50:25 2018 daemon.info xl2tpd[5153]: Connection 0 closed to 86.93.145.28, port 1701 (Goodbye!)
Wed Oct 24 14:50:25 2018 daemon.notice netifd: Interface 'ipsec0' is now down
Wed Oct 24 14:50:25 2018 daemon.notice netifd: Interface 'ipsec0' is setting up now
Wed Oct 24 14:50:25 2018 daemon.notice xl2tpd[5153]: Connecting to host 86.93.145.28, port 1701

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.14.78, armv7l):
uptime: 4 minutes, since Oct 24 14:50:17 2018
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp gmpdh curve25519 xcbc cmac hmac ccm gcm curl attr kernel-libipsec kernel-netlink resolve socket-default connmark stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls xauth-generic xauth-eap dhcp addrblock unity
Listening IP addresses:
10.7.0.151
192.168.11.1
Connections:
    myvpn:  %any...86.93.145.28  IKEv1
    myvpn:   local:  [10.7.0.151] uses pre-shared key authentication
    myvpn:   remote: [86.93.145.28] uses pre-shared key authentication
    myvpn:   child:  dynamic[udp/l2f] === 10.6.89.0/24[udp/l2f] TUNNEL
Security Associations (1 up, 0 connecting):
    myvpn[1]: ESTABLISHED 4 minutes ago, 10.7.0.151[10.7.0.151]...86.93.145.28[86.93.145.28]
    myvpn[1]: IKEv1 SPIs: 64432aa2e151dde9_i* c451aa92a85365b6_r, pre-shared key reauthentication in 50 minutes
    myvpn[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

We never see a pppd being launched, a ppp0 or an l2tp-ipsec0 iface, nor is the IP assigned to any iface. The last error seems to be

daemon.info : 10[IKE] received NO_PROPOSAL_CHOSEN error notify

The proposals in /etc/ipsec.conf are exactly what ipsec-scan detects, and changing the values makes everything fail way sooner.

Any idea what might be wrong? Or what else to try to find out?

Thanks!
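A small log triage helper, added here as an example and not part of the original post or of strongSwan: it walks charon log lines in order, records which IKEv1 milestones were reached (Main Mode initiated, IKE_SA established, Quick Mode requested, CHILD_SA established) and attributes a NO_PROPOSAL_CHOSEN notify to the phase that was in progress when it arrived. In the log above the IKE_SA is established and the notify follows the QUICK_MODE request, which this helper reports as a Quick Mode (phase 2) rejection. The first sample below is taken from the post's own log, trimmed of timestamps; the other two are constructed, with documentation addresses (192.0.2.10).

```python
"""Locate the failing IKEv1 phase in a strongSwan charon log.

Added example (not from the forum post or the strongSwan project).
Walks syslog-style charon lines in order and records which milestones of
an IKEv1 initiator were reached, so a NO_PROPOSAL_CHOSEN notify can be
attributed to Main Mode (IKE proposal) or Quick Mode (ESP proposal / PFS).
"""
import re

# Milestones in the order charon reaches them as an IKEv1 initiator.
MILESTONES = [
    ("main_mode_initiated", re.compile(r"initiating Main Mode IKE_SA")),
    ("ike_sa_established", re.compile(r"IKE_SA \S+ established")),
    ("quick_mode_requested", re.compile(r"generating QUICK_MODE request")),
    ("child_sa_established", re.compile(r"CHILD_SA \S+ established")),
]
NO_PROPOSAL = re.compile(r"received NO_PROPOSAL_CHOSEN error notify")


def triage(lines):
    """Return a dict with a verdict and, on rejection, the phase concerned.

    Line numbers are 1-based positions in `lines`, so the result can be
    cross-referenced with the log the operator is looking at.
    """
    reached = {}
    failure = None
    for n, line in enumerate(lines, 1):
        for name, pattern in MILESTONES:
            if name not in reached and pattern.search(line):
                reached[name] = n  # first occurrence only
        if failure is None and NO_PROPOSAL.search(line):
            failure = n
    if failure is None:
        verdict = "ok" if "child_sa_established" in reached else "incomplete"
        return {"verdict": verdict, "phase": None, "line": None, "reached": reached}
    if reached.get("quick_mode_requested", failure + 1) < failure:
        # Peer rejected the phase-2 proposal: ESP transforms or PFS group.
        phase = "quick_mode"
    elif "main_mode_initiated" in reached:
        # Peer rejected the phase-1 proposal: IKE cipher/hash/DH group.
        phase = "main_mode"
    else:
        phase = "unknown"
    return {"verdict": "rejected", "phase": phase, "line": failure, "reached": reached}


# Sample 1: lines from the post's own log, timestamps stripped.
SAMPLE_QUICK_MODE_FAIL = [
    "11[IKE] initiating Main Mode IKE_SA myvpn[1] to 86.93.145.28",
    "11[ENC] generating ID_PROT request 0 [ SA V V V V V ]",
    "15[IKE] IKE_SA myvpn[1] established between 10.7.0.151[10.7.0.151]...86.93.145.28[86.93.145.28]",
    "15[ENC] generating QUICK_MODE request 1977067488 [ HASH SA No KE ID ID ]",
    "10[ENC] parsed INFORMATIONAL_V1 request 3343079160 [ HASH N(NO_PROP) ]",
    "10[IKE] received NO_PROPOSAL_CHOSEN error notify",
]

# Sample 2 (constructed): the peer rejects the IKE proposal in Main Mode.
SAMPLE_MAIN_MODE_FAIL = [
    "11[IKE] initiating Main Mode IKE_SA myvpn[1] to 192.0.2.10",
    "11[ENC] generating ID_PROT request 0 [ SA V V V V V ]",
    "13[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]",
    "13[IKE] received NO_PROPOSAL_CHOSEN error notify",
]

# Sample 3 (constructed): a negotiation that completes.
SAMPLE_OK = [
    "11[IKE] initiating Main Mode IKE_SA myvpn[1] to 192.0.2.10",
    "15[IKE] IKE_SA myvpn[1] established between 10.7.0.151[10.7.0.151]...192.0.2.10[192.0.2.10]",
    "15[ENC] generating QUICK_MODE request 1 [ HASH SA No KE ID ID ]",
    "10[IKE] CHILD_SA myvpn{1} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 10.7.0.151/32[udp/l2f] === 192.0.2.10/32[udp/l2f]",
]

if __name__ == "__main__":
    for label, sample in [("post log", SAMPLE_QUICK_MODE_FAIL),
                          ("main mode fail", SAMPLE_MAIN_MODE_FAIL),
                          ("ok", SAMPLE_OK)]:
        print(label, "->", triage(sample))
```

Reading the result: a `quick_mode` verdict means the IKE (phase 1) settings already matched the peer, so the `esp=` line is the place to compare against the server, not `ike=`. One caveat worth knowing when comparing: in strongSwan an `esp=` entry that names a DH group (modp1024 above) requests PFS for the CHILD_SA, so the peer's phase-2 configuration has to accept that group in Quick Mode as well as the 3DES/SHA1 transforms.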

Please help me.
How do I configure xl2tpd with IPsec on OpenWrt as a client? I have searched all over the internet but found nothing.

https://openwrt.org/docs/guide-user/services/vpn/ipsec/start

That's an empty page...

@nullr0ute, welcome to the community?

One year later...did you utilize the search feature?


The search function is what led me to this page. But searching for things like 'L2TP' on openwrt.org gives me pages and pages of unusable results.

OpenWrt supports Libreswan and strongSwan IPsec implementations:


Assuming you are not after Chinese and Russian pages, there are not that many pages left:

