hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

Problem connecting with L2TP on Windows and Android #1538

Closed ppeyman closed 6 months ago

ppeyman commented 6 months ago

I have installed the repo and completed all steps successfully, but I don't know why it doesn't connect to the VPN.

Log

Mar  9 17:09:57 ownvpn sudo:     lvpn : TTY=pts/0 ; PWD=/home/lvpn ; USER=root ; COMMAND=/usr/bin/grep pluto /var/log/auth.log
Mar  9 17:09:59 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111 #3: responding to Main Mode from unknown peer 5.71.52.111:500
Mar  9 17:09:59 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111 #3: WARNING: connection l2tp-psk PSK length of 9 bytes is too short for HMAC_SHA1 PRF in FIPS mode (10 bytes required)
Mar  9 17:09:59 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111 #3: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Mar  9 17:09:59 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111 #3: WARNING: connection l2tp-psk PSK length of 9 bytes is too short for HMAC_SHA1 PRF in FIPS mode (10 bytes required)
Mar  9 17:09:59 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111 #3: Oakley Transform [AES_CBC (128), HMAC_SHA1, DH19] refused
Mar  9 17:09:59 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111 #3: WARNING: connection l2tp-psk PSK length of 9 bytes is too short for HMAC_SHA1 PRF in FIPS mode (10 bytes required)
Mar  9 17:09:59 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111 #3: sent Main Mode R1
Mar  9 17:09:59 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111 #3: sent Main Mode R2
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111 #3: Peer ID is ID_IPV4_ADDR: '172.28.1.221'
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111 #3: switched to "l2tp-psk"[4] 5.71.52.111
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[3] 5.71.52.111: deleting connection instance with peer 5.71.52.111 {isakmp=#0/ipsec=#0}
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #3: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #3: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #3: the peer proposed: 23.88.123.130/32:1701 -UDP-> 172.28.1.221/32:1701
Mar  9 17:10:00 ownvpn pluto[2740]: |   checking hostpair 23.88.123.130/32:1701 -> 5.71.52.111/32:0
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #3: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #4: responding to Quick Mode proposal {msgid:00000001}
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #4:     us: 23.88.123.130/32:UDP/1701===23.88.123.130  them: 5.71.52.111[172.28.1.221]===5.71.52.111/32:UDP/1701
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #4: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0xdfbacc56 <0x20207edc xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=172.28.1.221 NATD=5.71.52.111:4500 DPD=unsupported}
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #4: IPsec SA established transport mode {ESPinUDP=>0xdfbacc56 <0x20207edc xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=172.28.1.221 NATD=5.71.52.111:4500 DPD=unsupported}
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #3: the peer proposed: 23.88.123.130/32:1701 -UDP-> 172.28.1.221/32:1701
Mar  9 17:10:00 ownvpn pluto[2740]: |   checking hostpair 23.88.123.130/32:1701 -> 5.71.52.111/32:1701
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #3: NAT-Traversal: received 2 NAT-OA. Using first; ignoring others
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #5: responding to Quick Mode proposal {msgid:00000002}
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #5:     us: 23.88.123.130/32:UDP/1701===23.88.123.130  them: 5.71.52.111[172.28.1.221]===5.71.52.111/32:UDP/1701
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #5: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation transport mode {ESPinUDP=>0xb247cbf8 <0xd5de2ade xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=172.28.1.221 NATD=5.71.52.111:4500 DPD=unsupported}
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #5: IPsec SA established transport mode {ESPinUDP=>0xb247cbf8 <0xd5de2ade xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=172.28.1.221 NATD=5.71.52.111:4500 DPD=unsupported}
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #3: received Delete SA(0xdfbacc56) payload: deleting IPsec State #4
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #4: deleting state (STATE_QUICK_R2) aged 0.277701s and sending notification
Mar  9 17:10:00 ownvpn pluto[2740]: "l2tp-psk"[4] 5.71.52.111 #4: ESP traffic information: in=0B out=0B
Mar  9 17:10:01 ownvpn sudo:     lvpn : TTY=pts/0 ; PWD=/home/lvpn ; USER=root ; COMMAND=/usr/bin/grep pluto /var/log/auth.log

ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                     [OK]
Libreswan 4.12
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [OK]
         ICMP default/accept_redirects              [OK]
         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Checking rp_filter                                  [OK]
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                          [OK]
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options            [OK]

ipsec conf

version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=23.88.123.130
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=300
  dpdaction=clear
  ikev2=never
  ike=aes256-sha2;modp2048,aes128-sha2;modp2048,aes256-sha1;modp2048,aes128-sha1;modp2048
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  sha2-truncbug=no

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.10-192.168.43.250
  modecfgdns="8.8.8.8 8.8.4.4 "
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  cisco-unity=yes
  also=shared

include /etc/ipsec.d/*.conf

Client PC on Ubuntu

Mar  9 20:54:44 peyman-Veriton-S680G NetworkManager[57163]: xl2tpd[57163]: death_handler: Fatal signal 15 received
Mar  9 20:54:44 peyman-Veriton-S680G NetworkManager[57163]: xl2tpd[57163]: Connection 0 closed to 23.88.123.130, port 1701 (Server closing)
Mar  9 20:54:44 peyman-Veriton-S680G NetworkManager[720]: <warn>  [1710005084.6714] vpn[0x556f86cf06b0,f22646a6-9513-4649-b08b-4c22579173a8,"OwnVpn"]: dbus: failure: connect-failed (1)
Mar  9 20:54:44 peyman-Veriton-S680G NetworkManager[720]: <warn>  [1710005084.6718] vpn[0x556f86cf06b0,f22646a6-9513-4649-b08b-4c22579173a8,"OwnVpn"]: dbus: failure: connect-failed (1)
Mar  9 20:54:44 peyman-Veriton-S680G NetworkManager[57171]: Stopping strongSwan IPsec...
Mar  9 20:54:44 peyman-Veriton-S680G charon: 00[DMN] SIGINT received, shutting down
Mar  9 20:54:44 peyman-Veriton-S680G charon: 00[IKE] closing CHILD_SA f22646a6-9513-4649-b08b-4c22579173a8{1} with SPIs ca4c7169_i (114 bytes) e4c27fd8_o (685 bytes) and TS 172.28.1.237/32 === 23.88.123.130/32[udp/l2f]
Mar  9 20:54:44 peyman-Veriton-S680G charon: 00[IKE] sending DELETE for ESP CHILD_SA with SPI ca4c7169
Mar  9 20:54:44 peyman-Veriton-S680G charon: 00[ENC] generating INFORMATIONAL_V1 request 688142176 [ HASH D ]
Mar  9 20:54:44 peyman-Veriton-S680G charon: 00[NET] sending packet: from 172.28.1.237[4500] to 23.88.123.130[4500] (76 bytes)
Mar  9 20:54:44 peyman-Veriton-S680G charon: 00[IKE] deleting IKE_SA f22646a6-9513-4649-b08b-4c22579173a8[1] between 172.28.1.237[172.28.1.237]...23.88.123.130[23.88.123.130]
Mar  9 20:54:44 peyman-Veriton-S680G charon: 00[IKE] sending DELETE for IKE_SA f22646a6-9513-4649-b08b-4c22579173a8[1]
Mar  9 20:54:44 peyman-Veriton-S680G charon: 00[ENC] generating INFORMATIONAL_V1 request 2100540409 [ HASH D ]
Mar  9 20:54:44 peyman-Veriton-S680G charon: 00[NET] sending packet: from 172.28.1.237[4500] to 23.88.123.130[4500] (92 bytes)
Mar  9 20:54:44 peyman-Veriton-S680G nm-l2tp-service[57079]: ipsec shut down
Mar  9 20:54:47 peyman-Veriton-S680G dbus-daemon[1832]: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/com/canonical/unity/launcherentry/TelegramDesktop" interface="com.canonical.Unity.LauncherEntry" member="Update" mask="send" name="org.freedesktop.DBus" pid=3895 label="snap.telegram-desktop.telegram-desktop" peer_pid=2127 peer_label="unconfined"

Client PC on Windows

image

Please help me, how can I solve that problem?
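One way to read pluto output like the log above, as an added example that is not part of the hwdsl2 project or of the poster's report: a small Python triage that walks the lines from `grep pluto /var/log/auth.log` and reports which handshake stage was reached. The message formats it matches are the ones visible in the posted log; the sample lines embedded below are constructed to mirror that log's shape (documentation addresses, made-up SPIs). In the posted log the IKE SA and two IPsec SAs came up and the client then sent a Delete SA, which places the failure after IPsec, in L2TP/PPP; the script also surfaces the warning that the 9-byte PSK is below the 10-byte floor pluto states for HMAC_SHA1.

```python
#!/usr/bin/env python3
"""Triage Libreswan (pluto) log lines from one IPsec/L2TP connection attempt.

Added example, not part of hwdsl2/setup-ipsec-vpn. Pipe in the output of
`grep pluto /var/log/auth.log`; with no stdin it runs on the built-in sample.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns follow the message formats seen in the posted pluto log.
PSK_RE = re.compile(r"PSK length of (\d+) bytes is too short .*?\((\d+) bytes required\)")
IKE_RE = re.compile(r"IKE SA established \{(auth=[^}]*)\}")
IPSEC_RE = re.compile(r"IPsec SA established (\w+) mode")
DELETE_RE = re.compile(r"received Delete SA\(0x[0-9a-fA-F]+\) payload")
REFUSED_RE = re.compile(r"Oakley Transform \[(.+?)\] refused")


@dataclass
class Triage:
    ike_established: bool = False
    ike_params: str = ""
    ipsec_sa_count: int = 0
    peer_deleted_sa: bool = False
    psk_length: Optional[int] = None
    psk_required: Optional[int] = None
    refused_transforms: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        """One-line diagnosis of how far the handshake got."""
        notes = []
        if self.psk_length is not None and self.psk_required is not None:
            notes.append(f"PSK is {self.psk_length} bytes, pluto wants at least "
                         f"{self.psk_required}; use a longer random pre-shared key")
        if not self.ike_established:
            msg = "IKE (Phase 1) never completed: PSK mismatch or no common proposal"
            if self.refused_transforms:
                msg += f" (refused: {'; '.join(self.refused_transforms)})"
        elif self.ipsec_sa_count == 0:
            msg = "IKE up but no IPsec SA (Phase 2): check phase2alg and protoport settings"
        elif self.peer_deleted_sa:
            msg = ("IPsec SA established and then deleted by the client: IPsec works, "
                   "look at L2TP/PPP (xl2tpd, UDP 1701, pppd authentication) on the client")
        else:
            msg = "IPsec SA established and still up: if the VPN still fails, look at L2TP/PPP"
        return "; ".join([msg] + notes)


def triage_lines(lines) -> Triage:
    """Walk pluto log lines in order and record the handshake milestones."""
    t = Triage()
    for line in lines:
        m = PSK_RE.search(line)
        if m:
            t.psk_length, t.psk_required = int(m.group(1)), int(m.group(2))
        m = REFUSED_RE.search(line)
        if m:
            t.refused_transforms.append(m.group(1))
        m = IKE_RE.search(line)
        if m:
            t.ike_established, t.ike_params = True, m.group(1)
        if IPSEC_RE.search(line):
            t.ipsec_sa_count += 1
        if DELETE_RE.search(line):
            t.peer_deleted_sa = True
    return t


# Constructed sample shaped like the posted log (client 198.51.100.7, fake SPIs).
SAMPLE_L2TP_FAILS = """\
Mar  9 17:09:59 vpn pluto[2740]: "l2tp-psk"[3] 198.51.100.7 #3: responding to Main Mode from unknown peer 198.51.100.7:500
Mar  9 17:09:59 vpn pluto[2740]: "l2tp-psk"[3] 198.51.100.7 #3: WARNING: connection l2tp-psk PSK length of 9 bytes is too short for HMAC_SHA1 PRF in FIPS mode (10 bytes required)
Mar  9 17:09:59 vpn pluto[2740]: "l2tp-psk"[3] 198.51.100.7 #3: Oakley Transform [AES_CBC (256), HMAC_SHA1, DH20] refused
Mar  9 17:10:00 vpn pluto[2740]: "l2tp-psk"[4] 198.51.100.7 #3: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Mar  9 17:10:00 vpn pluto[2740]: "l2tp-psk"[4] 198.51.100.7 #4: IPsec SA established transport mode {ESPinUDP=>0x11111111 <0x22222222 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=172.28.1.221 NATD=198.51.100.7:4500 DPD=unsupported}
Mar  9 17:10:00 vpn pluto[2740]: "l2tp-psk"[4] 198.51.100.7 #5: IPsec SA established transport mode {ESPinUDP=>0x33333333 <0x44444444 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=172.28.1.221 NATD=198.51.100.7:4500 DPD=unsupported}
Mar  9 17:10:00 vpn pluto[2740]: "l2tp-psk"[4] 198.51.100.7 #3: received Delete SA(0x11111111) payload: deleting IPsec State #4
""".splitlines()

# Constructed contrast case: every proposal refused, Phase 1 never completes.
SAMPLE_PHASE1_FAILS = """\
Mar  9 18:00:01 vpn pluto[2740]: "l2tp-psk"[5] 198.51.100.8 #7: responding to Main Mode from unknown peer 198.51.100.8:500
Mar  9 18:00:01 vpn pluto[2740]: "l2tp-psk"[5] 198.51.100.8 #7: Oakley Transform [3DES_CBC, HMAC_MD5, DH2] refused
""".splitlines()

if __name__ == "__main__":
    lines = SAMPLE_L2TP_FAILS if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print(triage_lines(lines).verdict())
```

Run it as `sudo grep pluto /var/log/auth.log | python3 triage.py` on the server. The decision order matters: a Delete SA only counts as a client-side teardown once an IPsec SA has actually been established, so a Phase 1 or Phase 2 failure is never misreported as an L2TP problem.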

hwdsl2 commented 6 months ago

@ppeyman Hello! For Windows, please follow the instructions in Windows error 809 troubleshooting. For Linux, you may have encountered this xl2tpd bug or this network manager bug. Try upgrading your Linux client's xl2tpd package to the latest version. Alternatively, it is recommended to try IKEv2 mode.