
I'm trying to install L2TP over IPsec using strongSwan and xl2tp daemon.

This is my config:

```
conn L2TP-PSK-NAT
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        auto=add
        keyingtries=3
        rekey=no
        type=transport
        left=someIP
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any


conn twister_L2TP
        type=transport
        authby=secret
        rekey=no
        keyingtries=1
        left=%any
        leftprotoport=udp/l2tp
        leftid=@*.somedomain.com
        right=%any
        rightprotoport=udp/%any
        auto=add
```

This is the error I get:

```
IPsec SA: unsupported mode
May 24 06:40:52 ikev2 charon: 13[ESP] failed to create SAD entry
May 24 06:40:52 ikev2 charon: 13[ESP]   IPsec SA: unsupported mode
May 24 06:40:52 ikev2 charon: 13[ESP] failed to create SAD entry
May 24 06:40:52 ikev2 charon: 13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
May 24 06:40:52 ikev2 charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI 0e64dbdf
```
Vitalik Jimbei
  • Are you using [kernel-libipsec](https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec) and not the default _kernel-netlink_ on purpose? – ecdsa May 24 '17 at 09:35
  • How do I change or switch that? – Vitalik Jimbei May 24 '17 at 13:52
  • [PluginLoad](https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad) – ecdsa May 24 '17 at 13:54
  • ` ipsec statusall Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.10.0-21-generic, x86_64): uptime: 8 minutes, since May 24 13:46:22 2017 malloc: sbrk 2170880, mmap 532480, used 1068448, free 1102432 worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0 loaded plugins: ....kernel-libipsec kernel-netlink ... ` Seems like I have both modules enabled at startup. – Vitalik Jimbei May 24 '17 at 13:57
  • So I guess you don't use it on purpose, try disabling the _kernel-libipsec_ plugin (see link above). – ecdsa May 24 '17 at 15:43
  • How do I remove the plugin from loading? I tried `kernel-libipsec { enable=no }` in the strongswan config. – Vitalik Jimbei May 25 '17 at 06:26
  • Also tried "load = no" in charon/kernel-libipsec. – Vitalik Jimbei May 25 '17 at 06:41
  • Same thing, stuck. – Vitalik Jimbei May 25 '17 at 10:39
  • What do you mean? It still gets loaded? Then your config is wrong (perhaps your strongswan.conf doesn't include the config snippets in the strongswan.d directory - you can also configure all of it there but you have to use the correct syntax). – ecdsa May 26 '17 at 06:29
  • I load all modules, it includes the snippets, but the "load=no" option doesn't work. I'll try to compile it again. – Vitalik Jimbei May 26 '17 at 07:34

0 Answers
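Added example (not from the thread or from the strongSwan project): a check built on the diagnosis in the comments, listing every conn that resolves to `type=transport`, including through `also=`, when the `loaded plugins:` line of `ipsec statusall` contains kernel-libipsec. The function names, the `site-tunnel` conn and the sample plugin line are constructed for illustration.

```python
import re

# Constructed inputs: conns trimmed from the question, a hypothetical tunnel
# conn (site-tunnel) for contrast, and a made-up plugin line (the thread elides it).
CONF = """\
conn L2TP-PSK-NAT
        also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
        type=transport
conn twister_L2TP
        type=transport
conn site-tunnel
        type=tunnel
"""
STATUSALL = "  loaded plugins: charon aes sha1 kernel-libipsec kernel-netlink stroke\n"

def parse_conns(text):
    """Return {conn name: {key: value}} from ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        words = line.split()
        if len(words) == 2 and words[0] == "conn":
            current = conns.setdefault(words[1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
        elif line:
            current = None                       # other section, e.g. "config setup"
    return conns

def effective(conns, name, key, seen=()):
    """Look up key for a conn, following also= references (cycle-safe)."""
    conn = conns.get(name, {})
    if key in conn:
        return conn[key]
    ref = conn.get("also")
    if ref and ref not in seen:
        return effective(conns, ref, key, seen + (name,))
    return None

def transport_conns_at_risk(conf, statusall):
    """Transport-mode conns, if kernel-libipsec is among the loaded plugins."""
    m = re.search(r"loaded plugins:\s*(.+)", statusall)
    plugins = m.group(1).split() if m else []
    if "kernel-libipsec" not in plugins:
        return []
    conns = parse_conns(conf)
    return sorted(n for n in conns if effective(conns, n, "type") == "transport")
```

Pass it the real `ipsec.conf` text and `ipsec statusall` output; an empty list means either the plugin is not loaded or no conn resolves to transport mode.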