dkosovic
commented
5 years ago You seem to be using strongSwan 5.3.5 which was released in 2015. My experience with nm-l2tp-service and older versions of strongswan (like what you are using), ipsec up would incorrectly claim a connection was established, when in fact it wasn't, then xl2tpd would connect in plain text. As a workaround I added some code to explicitly check the output of ipsec status conn-name had the string ESTABLISHED to determine the connection was okay, see:
strongswan bug# 1449 :
Ubuntu strongswan 5.3.5 isn't the same as vanilla strongswan 5.3.5, I remember earlier revisions of Ubuntu strongswan 5.3.5 were really broken. Differences in kernel versions can also have an impact on L2TP/IPsec connections. I'm not sure if the 3.x kernels had major problems, like there were with kernels 4.14 and 4.15.
junixwu
ipset statusall is normal and same as ubuntu。
Hi all, Sorry for posting my question here since I can't find anyway to contact xl2tpd team. This problem has been bothering me for more than ten days. I set up the server in IPSEC/L2TP PSK mode.
My 2 clients environment (1)ubuntu 16.04 wujun@wujun-vbox:~$ sudo ipsec --version Linux strongSwan U5.3.5/K4.13.0-36-generic wujun@wujun-vbox:~$ xl2tpd -v xl2tpd version: xl2tpd-1.3.6
(2)Embedded system root@mdm9607-perf:/usrdata# ipsec --version Linux strongSwan U5.3.5/K3.18.20 root@mdm9607-perf:/usrdata# xl2tpd -v xl2tpd version: xl2tpd-1.3.6
Software versions are consistent. Configuration files are the same too。 Ubuntu can connect to the server normally, but embedded system can't. I use tcpdump to capture data packets for analysis.
After the tunnel has been successfully established, xl2tpd still uses plaintext to communicate with the server.The normal connection should be a packet encrypted with ESP. Is there a problem with the configuration? How does xl2tpd know that an IPSec channel is available? How can we solve this problem?
Thanks and best regards, Junix.