I have been trying to set up a libreswan VPN client on a CentOS machine to connect to a libreswan VPN server (also CentOS) for the past few days, but without success.
The problem is as follows:
– VPN server is up and running, I can connect to it from a Windows machine, everything works as intended
– The libreswan VPN client authenticates with the server, but after that nothing happens. Neither the client nor the server has a running VPN interface, and the logs don't show any activity on either side after IPsec.
My ultimate goal is connecting to a VPN with outdated configurations that I have no control over, so all I can do is configure a libreswan client. The VPN server I am now trying to connect to is something I set up to test the client.
Both server and client are CentOS 7 KVMs, sharing the same physical host.
Because I suspect the problem to be on the side of the client, I'll only post the configuration of the client and not the server, but if it's requested I'll post everything.
Client ipsec.conf:
config setup

conn vpnpsk
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=<ServerIP>
    rightprotoport=17/1701
    rightid=<ServerIP>
Client ipsec.secrets:
[root@localhost ~]# vim /etc/ipsec.secrets
%any <ServerIP> : PSK "SECRET"
Client xl2tpd.conf:
[lac vpn-connection]
lns = <ServerIP>
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
/etc/ppp/options.l2tpd.client:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name <user>
password <password>
When starting the connection this is the output:
[root@localhost ~]# ipsec auto --up vpnpsk
002 "vpnpsk" #1: initiating Main Mode
104 "vpnpsk" #1: STATE_MAIN_I1: initiate
003 "vpnpsk" #1: received Vendor ID payload [Dead Peer Detection]
003 "vpnpsk" #1: received Vendor ID payload [FRAGMENTATION]
003 "vpnpsk" #1: received Vendor ID payload [RFC 3947]
002 "vpnpsk" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "vpnpsk" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "vpnpsk" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpnpsk" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "vpnpsk" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "vpnpsk" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "vpnpsk" #1: Main mode peer ID is ID_IPV4_ADDR: '<ServerIP>'
002 "vpnpsk" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "vpnpsk" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "vpnpsk" #1: Dead Peer Detection (RFC 3706): enabled
002 "vpnpsk" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:6305f4b0 proposal=defaults pfsgroup=no-pfs}
117 "vpnpsk" #2: STATE_QUICK_I1: initiate
002 "vpnpsk" #2: Dead Peer Detection (RFC 3706): enabled
002 "vpnpsk" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "vpnpsk" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xad2a86a6 <0xcf8adbd0 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}
No more output after this. ip addr:
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether a6:6a:06:d0:03:80 brd ff:ff:ff:ff:ff:ff
    inet <ClientIP>/24 brd <broadcast> scope global ens18
       valid_lft forever preferred_lft forever
    inet6 fe80::eb5b:83d6:e0aa:940e/64 scope link
       valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
On the server side:
Mar 22 17:17:28 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received and ignored empty informational notification payload
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [Dead Peer Detection]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [FRAGMENTATION]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [RFC 3947]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: responding to Main Mode from unknown peer <ClientIP>
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: Main mode peer ID is ID_IPV4_ADDR: '<ClientIP>'
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: Dead Peer Detection (RFC 3706): enabled
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: the peer proposed: <ServerIP>/32:17/1701 -> <ClientIP>/32:17/0
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: responding to Quick Mode proposal {msgid:6305f4b0}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: us: <ServerIP><<ServerIP>>:17/1701
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: them: <ClientIP>:17/1701
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP=>0xcf8adbd0 <0xad2a86a6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: Dead Peer Detection (RFC 3706): enabled
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xcf8adbd0 <0xad2a86a6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}
And no more logging.
Client iptables -L:
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- <ServerIP> anywhere
ACCEPT udp -- <ServerIP> anywhere
ACCEPT tcp -- 10.0.0.0/24 anywhere
ACCEPT udp -- 10.0.0.0/24 anywhere
ACCEPT tcp -- <other_peer> anywhere
ACCEPT udp -- <other_peer> anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere <ServerIP>
ACCEPT udp -- anywhere <ServerIP>
ACCEPT tcp -- anywhere 10.0.0.0/24
ACCEPT udp -- anywhere 10.0.0.0/24
ACCEPT tcp -- anywhere <other_peer>
ACCEPT udp -- anywhere <other_peer>
10.0.0.0/24 is the VPN network.
Thank you for reading all of that.
Best Answer
You are probably missing an ESP accept rule in your INPUT chain on the client. Also add the L2TP ports to the rule list.
And, if I'm reading that right, you have a REJECT rule in your INPUT chain preceding the ACCEPT rules - remove that one!
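Two things are worth making explicit about the answer above. ESP is IP protocol 50, not TCP or UDP, so the per-host "-p tcp" and "-p udp" accepts in the posted INPUT chain can never match the encrypted packets coming back from the server. And as listed, the unconditional REJECT sits before all of those per-host accepts, so they are dead rules in any case. Transport-mode IPsec also creates no interface of its own: the DOWN ip_vti0 device is the kernel's default VTI device and unrelated, and a ppp0 interface only appears once xl2tpd's PPP negotiation succeeds over the tunnel. The script below is an added example, not code from the original post or its author. It audits a chain dump for both problems and emits the iptables commands that implement the answer. It assumes the posted `iptables -L` listing rendered as `iptables -S INPUT` output, that the bare "ACCEPT all" rule is the CentOS default `-i lo` rule, and uses 192.0.2.10 and 198.51.100.7 as stand-ins for <ServerIP> and <other_peer>.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a client INPUT chain for
# the two problems the answer names and emits the iptables commands to fix
# them. POSIX sh plus awk/grep only, so it runs offline without root.

# Constructed sample: the posted `iptables -L` INPUT listing re-rendered as
# `iptables -S INPUT` would print it. Assumptions: the bare "ACCEPT all" rule
# is the CentOS default "-i lo" rule, <ServerIP> is 192.0.2.10 and
# <other_peer> is 198.51.100.7 (RFC 5737 documentation addresses).
SAMPLE_INPUT_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.0.2.10/32 -p tcp -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p udp -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p udp -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p udp -j ACCEPT
-A INPUT -j DROP'

# Rule number (as `iptables -D INPUT N` counts it) of the first unconditional
# REJECT in the chain; prints 0 when there is none.
reject_position() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT -j REJECT/ { print n; found = 1; exit }
        END { if (!found) print 0 }'
}

# ACCEPT rules placed after that REJECT: they can never match, so every
# per-host accept on the page is dead until the REJECT is removed.
shadowed_accepts() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT -j REJECT/ { dead = 1; next }
        dead && /^-A INPUT .*-j ACCEPT/ { n++ }
        END { print n + 0 }'
}

# "yes" if any rule accepts ESP. ESP is IP protocol 50, not TCP or UDP, so the
# "-p tcp" / "-p udp" accepts on the page never match it whatever their order.
has_esp_accept() {
    if printf '%s\n' "$1" | grep -Eq -- '^-A INPUT .*-p (esp|50) .*-j ACCEPT'; then
        echo yes
    else
        echo no
    fi
}

# "yes" if UDP port $2 from peer $1 is accepted, either by a port-specific
# rule or by a blanket "-s PEER -p udp" rule of the kind the page shows.
has_udp_accept() {
    if printf '%s\n' "$3" | grep -Eq -- "^-A INPUT -s $1/32 -p udp( -m udp --dport $2)? -j ACCEPT"; then
        echo yes
    else
        echo no
    fi
}

# Print the commands that implement the answer: delete the early REJECT, then
# insert accepts for IKE (udp/500, udp/4500 for NAT-T), ESP and L2TP
# (udp/1701) from the VPN server at the REJECT's old slot, i.e. still ahead
# of the trailing DROP. L2TP is only accepted when it arrived inside IPsec
# (xt_policy match), so cleartext L2TP from the same address stays blocked.
fix_commands() {
    server=$1
    pos=$(reject_position "$2")
    if [ "$pos" -gt 0 ]; then
        echo "iptables -D INPUT $pos"
    else
        pos=1
    fi
    for rule in \
        "-s $server -p esp -j ACCEPT" \
        "-s $server -p udp --dport 500 -j ACCEPT" \
        "-s $server -p udp --dport 4500 -j ACCEPT" \
        "-s $server -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT"
    do
        echo "iptables -I INPUT $pos $rule"
        pos=$((pos + 1))
    done
}
```

On a real host, source the file and run `fix_commands <ServerIP> "$(iptables -S INPUT)"` to review the commands before executing them; the client's OUTPUT chain needs nothing extra because it has no terminating DROP. After the rules are in place, `ip xfrm state` should list both SAs with the SPIs from the `ipsec auto --up` output, and `tcpdump -ni ens18 'esp or udp port 1701'` shows whether ESP is actually flowing in both directions. The same audit applies to the server's chain: a Windows client behind NAT will usually arrive as UDP-encapsulated ESP on udp/4500, while this client negotiated "no NAT detected" and sends raw protocol 50, so a server firewall that works for Windows may still lack an ESP rule. Finally, `ipsec auto --up` only builds the IPsec transport; the lac section shown has no `autodial = yes`, so xl2tpd must still be told to dial (`echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control`), and until it does there is no L2TP traffic for any firewall to drop.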