Issue #3620
L2TP/IPSEC ipsec.conf setting
Description
I want to establish an L2TP/IPsec connection.
Using this ipsec.conf:
config setup

conn L2TP-PSK-NAT
    rightsubnet =vhost:%priv
    also =test

conn test
    aggressive=no
    authby=secret
    also=any_wan0
    rekey=no
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    rekeymargin=9m
    rekeyfuzz=100%
    keyingtries=%forever
    keyexchange=ikev1
    ikelifetime=1h
    keylife=480m
    ike=3des-sha1-modp1024
    auto=add
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

conn any_wan0
    left=10.10.10.10
    leftsourceip=10.10.10.10
    right=%any
The client OS is Windows 10 and the connection fails to establish. But when I add "leftsourceip=192.168.127.254" it establishes successfully.
Windows (10.10.10.15) <----> DUT
When I use Openswan with the same ipsec.conf settings, without adding leftsourceip, it can establish L2TP/IPsec successfully:
config setup
    nat_traversal=no
    nhelpers=0
    virtual_private = %v4:0.0.0.0/0

conn L2TP-PSK-NAT
    rightsubnet =vhost:%priv
    also =test

conn test
    authby=secret
    also=any_wan0
    rekey=no
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    rekeymargin=9m
    rekeyfuzz=100%
    keyingtries=%forever
    keyexchange=ike
    ikelifetime=1h
    keylife=480m
    ike=aes128-sha2_256-modp1024
    auto=add
    pfs=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
To establish an L2TP/IPsec connection with strongSwan, is it necessary to add the leftsourceip parameter?
History
#1 Updated by Tobias Brunner over 1 year ago
- Category set to configuration
- Status changed from New to Feedback
Some of these settings/values are invalid for strongSwan (see ipsec.conf). Also, why would you use IKEv1/L2TP with Windows 10 clients?
#2 Updated by ray chao over 1 year ago
Hi Tobias,
I have read the ipsec.conf page (https://wiki.strongswan.org/projects/strongswan/wiki/Ipsecconf), and I have followed the content mentioned in the above link.
So which part is the invalid setting you mentioned?
The original config file intends that conn L2TP-PSK-NAT inherit leftsourceip=10.10.10.10 from conn any_wan0 via conn test.
But it does not work as I expected.
So I tried adding also=any_wan0 to conn L2TP-PSK-NAT, and it works.
But this does not seem like a correct configuration. I would like to ask why conn L2TP-PSK-NAT cannot inherit the leftsourceip setting in conn any_wan0 via conn test.
How should I set up L2TP/IPsec?
> Why would you use IKEv1/L2TP with Windows 10 clients?
Because when I change keyexchange from ikev1 to ikev2, the Windows 10 client can never establish successfully.
Is there perhaps an example configuration for strongSwan L2TP/IPsec?
config setup

conn L2TP-PSK-NAT
    rightsubnet =vhost:%priv
    also=test
    also=any_wan0

conn test
    aggressive=no
    authby=secret
    #also=any_wan0
    rekey=no
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    rekeymargin=9m
    rekeyfuzz=100%
    keyingtries=%forever
    keyexchange=ikev1
    ikelifetime=1h
    keylife=480m
    ike=3des-sha1-modp1024
    auto=add
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

conn any_wan0
    left=10.10.10.10
    leftsourceip=10.10.10.10
    right=%any
I would appreciate it if you could take a moment to explain this to me, thanks.
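Added example, not part of this thread and not strongSwan code: a small Python resolver for the `also=` inheritance question raised in the issue description and again in comment #2. It parses ipsec.conf-style text and flattens `also=` references recursively, which is the inheritance the poster expected, so you can see which section each effective parameter of conn L2TP-PSK-NAT would come from under that model. The two embedded configurations are abridged, reflowed copies of the ones posted above (constructed sample input); the recursive rule and the "own keys win over inherited keys" rule are this script's assumptions, not a statement of how strongSwan's starter actually resolves nested `also=`, which is exactly what the thread leaves open.

```python
"""Resolve also= references in ipsec.conf-style text (added illustration,
not strongSwan's parser). It models the inheritance the poster expected:
also= is followed recursively and a section's own keys win over inherited
ones, so you can see which section each effective parameter comes from."""
import re

# Constructed sample: the poster's first configuration (abridged), one
# key=value per line, with "also =test" spaced exactly as posted.
CONF_NESTED = """\
config setup

conn L2TP-PSK-NAT
    rightsubnet =vhost:%priv
    also =test

conn test
    authby=secret
    also=any_wan0
    type=transport
    leftprotoport=17/1701
    auto=add

conn any_wan0
    left=10.10.10.10
    leftsourceip=10.10.10.10
    right=%any
"""

# Constructed sample: the poster's second configuration (abridged), where
# L2TP-PSK-NAT lists any_wan0 directly and the nested also= is commented out.
CONF_DIRECT = """\
conn L2TP-PSK-NAT
    rightsubnet =vhost:%priv
    also=test
    also=any_wan0

conn test
    authby=secret
    #also=any_wan0
    type=transport

conn any_wan0
    left=10.10.10.10
    leftsourceip=10.10.10.10
    right=%any
"""

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)\s*$")


def parse_sections(text):
    """Return {section: [(key, value), ...]} in declaration order. Comments and
    blank lines are dropped; whitespace around '=' is tolerated."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = name if kind == "conn" else f"{kind} {name}"
            sections.setdefault(current, [])
        elif current is None or "=" not in line:
            raise ValueError(f"line outside a section or not key=value: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections


def resolve(sections, name, _chain=()):
    """Effective parameters of conn `name` as {key: (value, origin_section)}.
    also= is expanded depth-first and recursively (assumed model); keys set
    directly in a section override the same key inherited via also=."""
    if name in _chain:
        raise ValueError("also= cycle: " + " -> ".join(_chain + (name,)))
    if name not in sections:
        raise KeyError(f"conn {name} is referenced by also= but never defined")
    effective = {}
    for key, value in sections[name]:
        if key == "also":
            for k, item in resolve(sections, value, _chain + (name,)).items():
                effective.setdefault(k, item)  # inherited: never overrides own keys
        else:
            effective[key] = (value, name)    # own key: always wins
    return effective


def has_also_cycle(sections, name):
    """True when following also= from `name` loops back on itself."""
    try:
        resolve(sections, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, conf in (("nested also=", CONF_NESTED), ("direct also=", CONF_DIRECT)):
        print(f"== {label}: effective parameters of conn L2TP-PSK-NAT")
        for key, (value, origin) in resolve(parse_sections(conf), "L2TP-PSK-NAT").items():
            print(f"  {key}={value}    (from conn {origin})")
```

Running it prints both resolutions. With the first configuration, leftsourceip only reaches L2TP-PSK-NAT if the nested also= in conn test is followed; with the second, any_wan0 is referenced directly, so leftsourceip arrives regardless of whether nested also= is honoured, which is consistent with the poster's observation that adding also=any_wan0 made the connection work. The resolver also rejects also= cycles, a check worth having whenever sections reference each other.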
#3 Updated by Tobias Brunner over 1 year ago
> How should I set up L2TP/IPsec?
I've absolutely no idea, never used it, never will.
> Why would you use IKEv1/L2TP with Windows 10 clients?
> Because when I change keyexchange from ikev1 to ikev2, the Windows 10 client can never establish successfully.
Then fix it (see WindowsClients for pointers). Using IKEv1/L2TP because of that is just wrong.
> Is there perhaps an example configuration for strongSwan L2TP/IPsec?
No.