Issue #3620

L2TP/IPSEC ipsec.conf setting

Added by ray chao 12 months ago. Updated 12 months ago.

Status:
Feedback
Priority:
Normal
Category:
configuration
Affected version:
5.9.0
Resolution:

Description

I want to establish L2TP/IPsec.

Using this ipsec.conf:

config setup
conn L2TP-PSK-NAT
 rightsubnet =vhost:%priv
 also =test
conn test
 aggressive=no
 authby=secret
 also=any_wan0
 rekey=no
 type=transport
 leftprotoport=17/1701
 rightprotoport=17/%any
 rekeymargin=9m
 rekeyfuzz=100%
 keyingtries=%forever
 keyexchange=ikev1
 ikelifetime=1h
 keylife=480m
 ike=3des-sha1-modp1024
 auto=add
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
conn any_wan0
 left=10.10.10.10
 leftsourceip=10.10.10.10
 right=%any

The client OS is Windows 10, and the connection fails to establish. But when I add "leftsourceip=192.168.127.254" it establishes successfully.
Windows (10.10.10.15) <----> DUT

When I use openswan with the same ipsec.conf settings, without adding leftsourceip, it can establish L2TP/IPsec successfully:

config setup
 nat_traversal=no
 nhelpers=0
 virtual_private = %v4:0.0.0.0/0
conn L2TP-PSK-NAT
 rightsubnet =vhost:%priv
 also =test
conn test
 authby=secret
 also=any_wan0
 rekey=no
 type=transport
 leftprotoport=17/1701
 rightprotoport=17/%any
 rekeymargin=9m
 rekeyfuzz=100%
 keyingtries=%forever
 keyexchange=ike
 ikelifetime=1h
 keylife=480m
 ike=aes128-sha2_256-modp1024
 auto=add
 pfs=no
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear

To establish an L2TP/IPsec connection with strongSwan, is it necessary to add the leftsourceip parameter?

History

#1 Updated by Tobias Brunner 12 months ago

  • Category set to configuration
  • Status changed from New to Feedback

Some of these settings/values are invalid for strongSwan (see ipsec.conf). Also, why would you use IKEv1/L2TP with Windows 10 clients?

#2 Updated by ray chao 12 months ago

Hi Tobias,

I have read the ipsec.conf page (https://wiki.strongswan.org/projects/strongswan/wiki/Ipsecconf), and I have followed the content mentioned in the above link.

So which part is the invalid setting you mentioned?
In the original config file, I expected conn L2TP-PSK-NAT to inherit leftsourceip=10.10.10.10 from conn any_wan0 via conn test.
But it did not work as I expected.
So I tried adding also=any_wan0 to conn L2TP-PSK-NAT, and that works.

But this does not seem to be a correct configuration. I would like to ask why conn L2TP-PSK-NAT cannot inherit the leftsourceip setting in conn any_wan0 via conn test.

How should I set up L2TP/IPsec?

Why would you use IKEv1/L2TP with Windows 10 clients?
Because when I change keyexchange from ikev1 to ikev2, the Windows 10 client can never establish successfully.
Is there maybe an example configuration for strongSwan L2TP/IPsec?

config setup
conn L2TP-PSK-NAT
 rightsubnet =vhost:%priv
 also=test
 also=any_wan0
conn test
 aggressive=no
 authby=secret
 #also=any_wan0
 rekey=no
 type=transport
 leftprotoport=17/1701
 rightprotoport=17/%any
 rekeymargin=9m
 rekeyfuzz=100%
 keyingtries=%forever
 keyexchange=ikev1
 ikelifetime=1h
 keylife=480m
 ike=3des-sha1-modp1024
 auto=add
 dpddelay=30
 dpdtimeout=120
 dpdaction=clear
conn any_wan0
 left=10.10.10.10
 leftsourceip=10.10.10.10
 right=%any

I would appreciate it if you could take a moment to explain this to me, thanks.
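
The inheritance question above (whether leftsourceip reaches conn L2TP-PSK-NAT through conn test) can be checked offline with a small parser. This is an added example, not strongSwan's parser or code from this issue: it expands also= references transitively with the section's own keys taking precedence, which is the behaviour the poster expects, so the merged result can be compared against what the daemon actually loads. The sample config is constructed from the one in this issue.

```python
import re

# Constructed sample modelled on the ipsec.conf in this issue (nested also= references).
SAMPLE_CONF = """
conn L2TP-PSK-NAT
 rightsubnet =vhost:%priv
 also =test
conn test
 authby=secret
 also=any_wan0
 leftprotoport=17/1701
conn any_wan0
 left=10.10.10.10
 leftsourceip=10.10.10.10
 right=%any
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")

def parse_sections(text):
    """Map 'conn NAME' -> {key: value, 'also': [targets]}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)  # section headers start in column 0
        if m:
            current = sections.setdefault(f"{m.group(1)} {m.group(2)}", {"also": []})
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, value = (s.strip() for s in line.split("=", 1))  # tolerate 'key =value'
            if key == "also":
                current["also"].append(value)
            else:
                current[key] = value
    return sections

def resolve(sections, name, seen=frozenset()):
    """Merge conn NAME with its also= targets transitively; own keys win (assumed semantics)."""
    if name in seen:
        raise ValueError(f"also= cycle through conn {name}")
    own = sections[f"conn {name}"]
    merged = {}
    for parent in own["also"]:
        merged.update(resolve(sections, parent, seen | {name}))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged
```

Calling resolve(parse_sections(SAMPLE_CONF), "L2TP-PSK-NAT") returns a dict that includes leftsourceip=10.10.10.10; if the daemon's status output disagrees, the difference is in how it treats nested also= references, not in the file's layout.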

#3 Updated by Tobias Brunner 12 months ago

How should I set up L2TP/IPsec?

I've absolutely no idea, never used it, never will.

Why would you use IKEv1/L2TP with Windows 10 clients?

Because when I change keyexchange from ikev1 to ikev2, the Windows 10 client can never establish successfully.

Then fix it (see WindowsClients for pointers). Using IKEv1/L2TP because of that is just wrong.

Is there maybe an example configuration for strongSwan L2TP/IPsec?

No.
