Discussion:
[Swan] upgrade to 3.18 broke roadwarrior connection
Charles D. Van Dusen
2016-11-25 14:31:31 UTC
Hi All,

I have recently upgraded libreswan from 3.13 to 3.18 on my Raspberry Pi 3.

I am now getting the following message when I try to connect a roadwarrior VPN:

"031 "L2TP-PSK": cannot initiate connection with narrowing=no and (kind=CK_TEMPLATE)"

Here is my /etc/ipsec.d/l2tp-psk.conf file:

***@raspberrypi:/etc/ipsec.d# more l2tp-psk.conf
conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3nect
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    narrowing=no
    rekey=yes
    ike=3des-sha1;modp2048
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftnexthop=%defaultroute
    leftprotoport=17/%any
    rightprotoport=17/1701
    right=A.B.C.D

The VPN server is a Ubiquiti edge router to which I have successfully connected this same rpi3 with an earlier version of libreswan. I also connect laptops, phones, and tablets of all varieties to this same VPN server using IPsec/L2TP.

Can anyone help me figure out what I need to do to get this tunnel to connect for this rpi3?

TIA
Paul Wouters
2016-11-25 15:03:00 UTC
Swap your leftprotoport and rightprotoport values.

So use 17/1701 for the libreswan end and 17/%any for the other end.

Paul

Charles D. Van Dusen
2016-11-28 13:45:29 UTC
Hi Paul,

Again thanks for the speedy response.

This really helped. I used 17/1701 for both leftprotoport and rightprotoport. That allowed the ipsec command to get past the error.

Thanks Again,

Charlie

-----Original Message-----
From: Paul Wouters [mailto:***@nohats.ca]
Sent: Friday, November 25, 2016 10:32 AM
To: Charles D. Van Dusen <***@im-design.net>
Subject: RE: [Swan] upgrade to 3.18 broke roadwarrior connection
> Thanks for the quick response.
> So I tried swapping the leftprotoport and rightprotoport settings but I am getting the same error.
That seems not possible because the error happens because you are trying to initiate a "template conn" instead of a "static conn" and the only thing that causes a conn to become a "template" in your conn section is the 17/%any?

You can try using 17/1701 for both ends if libreswan is the initiator?

You can also mail me a plutodebug=all log to see if I can find anything else?

Paul
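
An added example, not part of the thread or of libreswan: a small Python check that reads ipsec.conf-style text and reports, per conn, which of leftprotoport/rightprotoport uses a %any port, the setting the reply above identifies as what turns this conn into a template that cannot be initiated. The sample conn is constructed from the configuration posted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the conn posted in the thread, reduced to the relevant options.
SAMPLE = """\
conn L2TP-PSK
    auto=add
    type=transport
    left=%defaultroute
    leftprotoport=17/%any
    rightprotoport=17/1701
    right=A.B.C.D
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        header = re.match(r"(conn|config)\s+(\S+)$", line)
        if header:
            # Only conn sections are collected; "config setup" ends the current conn.
            current = conns.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def wildcard_ports(options):
    """Names of the protoport options whose port part is %any."""
    hits = []
    for key in ("leftprotoport", "rightprotoport"):
        _proto, _, port = options.get(key, "").partition("/")
        if port == "%any":
            hits.append(key)
    return hits

def check(text):
    """Map each conn to the protoport options that need review before initiating it."""
    return {name: wildcard_ports(opts) for name, opts in parse_conns(text).items()}

if __name__ == "__main__":
    for name, hits in check(SAMPLE).items():
        status = "wildcard port in " + ", ".join(hits) if hits else "no wildcard ports"
        print(f"{name}: {status}")
```

With 17/1701 on both ends, the setting reported as working in the thread, the check returns an empty list for the conn.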
