strongSwan + xl2tpd VPN server: how to configure several config files?
I set up my VPN server with strongSwan and xl2tpd on Ubuntu server 16.04. After configuring, I tried to connect from a iPad, but got the errors as follows:
Mar 26 02:22:13 myname-ubuntu-server charon: 01[NET] received packet: from 61.205.5.249[44919] to 192.168.193.3[500] (788 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 01[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V ]
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received NAT-T (RFC 3947) vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received FRAGMENTATION vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] received DPD vendor ID
Mar 26 02:22:13 myname-ubuntu-server charon: 01[IKE] 61.205.5.249 is initiating a Main Mode IKE_SA
Mar 26 02:22:13 myname-ubuntu-server charon: 01[ENC] generating ID_PROT response 0 [ SA V V V ]
Mar 26 02:22:13 myname-ubuntu-server charon: 01[NET] sending packet: from 192.168.193.3[500] to 61.205.5.249[44919] (136 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 10[NET] received packet: from 61.205.5.249[44919] to 192.168.193.3[500] (380 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] local host is behind NAT, sending keep alives
Mar 26 02:22:13 myname-ubuntu-server charon: 10[IKE] remote host is behind NAT
Mar 26 02:22:13 myname-ubuntu-server charon: 10[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 26 02:22:13 myname-ubuntu-server charon: 10[NET] sending packet: from 192.168.193.3[500] to 61.205.5.249[44919] (396 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 06[NET] received packet: from 61.205.5.249[4500] to 192.168.193.3[4500] (108 bytes)
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[CFG] looking for pre-shared key peer configs matching 192.168.193.3...61.205.5.249[100.75.130.131]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[IKE] found 1 matching config, but none allows pre-shared key authentication using Main Mode
Mar 26 02:22:13 myname-ubuntu-server charon: 06[ENC] generating INFORMATIONAL_V1 request 2960834334 [ HASH N(AUTH_FAILED) ]
Mar 26 02:22:13 myname-ubuntu-server charon: 06[NET] sending packet: from 192.168.193.3[4500] to 61.205.5.249[4500] (108 bytes)
I thought the critical point of the error is "found 1 matching config, but none allows pre-shared key authentication using Main Mode". Do anyone know how to resolve this error?
I found a answer for this problem that suggested to add "aggressiveness=yes" to /etc/ipsec.conf and tried but didn't work... (Maybe I add the line "aggressiveness=yes" in a wrong position... I'm a beginner in Linux...)
I set up config files by following this site: http://qiita.com/namoshika/items/30c348b56474d422ef64 (I'm sorry but it's written in Japanese...I think you can read code parts at least.)
If someone tell me reliable instruction documents for setting up VPN server on Ubuntu16.04 with L2TP/IPsec, I would appreciate it.
Don't use the aggressive mode, the connection will be less secure. Anyway try with this configuration. I use it on a my VPN Server with strongswan-5.3.5 and xl2tpd-1.3.6
ipsec.conf
config setup
cachecrls=yes
uniqueids=yes
charondebug=""
conn %default
keyingtries=%forever
dpddelay=30s
dpdtimeout=120s
conn L2TP
dpdaction=clear
#Server IP
left=192.168.1.130
#Server default gateway
leftnexthop=192.168.1.254
leftprotoport=17/1701
rightprotoport=17/%any
right=%any
rightsubnet=0.0.0.0/0
leftauth=psk
rightauth=psk
leftid="<insert-the-public-ip-here>"
ikelifetime=1h
keylife=8h
ike=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
esp=aes128-sha1-modp1536,aes128-sha1-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha1-modp1536,3des-sha1-modp1024,3des-md5-modp1536,3des-md5-modp1024
auto=add
keyexchange=ike
type=transport
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
ipsec.secrets
<insert-the-left-id-here> %any : PSK "<my-password>"
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = no
debug tunnel = no
debug avp = no
debug network = no
debug state = no
[lns default]
ip range = 10.0.0.20-10.0.0.30
local ip = 10.0.0.1
require authentication = yes
name = l2tp
pass peer = yes
ppp debug = no
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
unix authentication = yes
/etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1
auth
idle 1800
mtu 1200
mru 1200
nodefaultroute
lock
proxyarp
connect-delay 5000
name l2tpd
ifname l2tp
login
/etc/ppp/chap-secrets
username * "l2tppassword" *
restart services
sudo service strongswan restart
sudo service xl2tpd restart