[FrancYescO]

no. sto solo riportando un minimo di quello che sto cercando di capire sul perchè non funziona.
Inizio a pensare sia qualche flag di compilazione e/o qualche configurazione di default che non gli va giu' con la nuova versione di stronswan

[LuKePicci]

@satigno se il metodo "con GUI" per L2TP/IPsec non funziona hai due alternative:
- configurare comunque una L2TP/IPsec a mano
- configurare una IKEv2 a mano come spiegato nell'altro topic

Se non hai particolari esigenze tecniche per voler usare L2TP/IPsec e decidi di configurare tutto a mano, secondo me non ti conviene puntare ancora su L2TP/Ipsec

[FrancYescO]

Prova che ti riprova mi son ritrovato su questo bug report e almeno sono arrivato a capire cosa non fa caricare la config sulle nuove versioni di strongswan:
di default tch ha usato questi valori nella config ipsec di uci:

Codice: [Seleziona]

ipsec.l2tp.crypto_proposal='g_3des_sha1_modp1024 g_aes128_sha1'
ipsec.g_aes128_sha1=crypto_proposal
ipsec.g_aes128_sha1.encryption_algorithm='aes128'
ipsec.g_aes128_sha1.hash_algorithm='sha1'
ipsec.g_3des_sha1_modp1024=crypto_proposal
ipsec.g_3des_sha1_modp1024.encryption_algorithm='3des'
ipsec.g_3des_sha1_modp1024.hash_algorithm='sha1'
ipsec.g_3des_sha1_modp1024.dh_group='modp1024'che si traducono in un file di config /var/ipsec/ipsec.conf con questa riga che fa fallire il caricamento dato che a quanto pare nelle nuove versioni non gli piace il crypto_proposal aes128-sha1

Codice: [Seleziona]

ike=3des-sha1-modp1024,aes128-sha1
@LuKePicci non sono andato a cercare oltre per le best practices, hai consigli con cosa sostituirli che sia un buon compromesso tra (retro)compatibilità e sicurezza?

PS. Si son davvero impegnati a farla per bene questa storia della conversione da uci alle config

[LuKePicci]

aes256 con sha1 (hmac) per ike, aes128 con sha1 (hmac) per esp, e vai bene sia in compatibilità che performance
con aes256 per esp perdi performance, con sha256 su ike o esp perdi compatibilità

3des va elimiinato

[FrancYescO]

Dovrei avercela fatta, in effetti il problema era ancora piu' semplice, ovvero che nel blocco "aes128_sha1" non era definito il dh_group e a quanto pare nelle nuove versioni è obbligatorio specificarlo per ike

Comunque ne ho approfittato per innalzare un po il livello di sicurezza mettendo 3des_sha256_modp3072 e aes128_sha256_modp3072 come prioritari rispetto lo sha1 messo da tch

Sperando che le modifiche non spacchino niente su vecchi device, ho rifatto un test su 789 (fw UNO 17.2) e 4130 (fw 18.3) e mi sembra tutto funzionante, ora la ciliegina sulla torta sarebbe @roleo che ci fa il favore di aggiungere ai feed per fw TIM <18.3 xl2tpd

in breve, per tutti: ora funziona anche su 413x, disinstallate e reinstallate come da primo post.

[lorenzocanalelc]

Ottimo! Si può introdurre nella GUI di Ansuel o quanto meno renderlo compatibile? Per evitare che ad ogni aggiornamento venga spazzato via...

[satigno]

Ho ritentato l'installazione: continua a darmi problemi quando do il comando /etc/init.d/ipsec restart. Non riesco a connettermi alla VPN.

[FrancYescO]

@lorenzocanalelc si, prima o poi
fregatene di quello, continua a non farlo quel restart nemmeno a me sul 4130 ma funziona.
posta il risultato di ipsec statusall

[satigno]

Eccolo

Codice: [Seleziona]

ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.3, Linux 4.1.38, armv7l):
  uptime: 22 minutes, since Mar 19 10:12:31 2020
  malloc: sbrk 638976, mmap 0, used 139872, free 499104
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Listening IP addresses:
  MIO IP PUBBLICO
Connections:
 l2tp-server:  %any...%any  IKEv1/2
 l2tp-server:   local:  uses pre-shared key authentication
 l2tp-server:   remote: uses pre-shared key authentication
 l2tp-server:   child:  0.0.0.0/0[udp/l2f] === 0.0.0.0/0[udp] TRANSPORT
Security Associations (0 up, 0 connecting):
  none
root@modemtim:~#


[FrancYescO]

infatti ora è tutto ok... logread -f mentre ti colleghi

[satigno]

Te lo stavo giusto incollando

Codice: [Seleziona]


root@modemtim:~# logread -f
Thu Mar 19 10:36:11 2020 authpriv.info ipsec: 06[NET] received packet: from IP TELEFONO[23037] to IP CASA[4500] (76 bytes)
Thu Mar 19 10:36:11 2020 daemon.info ipsec: 06[NET] received packet: from IP TELEFONO[23037] to IP CASA[4500] (76 bytes)
Thu Mar 19 10:36:11 2020 authpriv.info ipsec: 06[ENC] invalid ID_V1 payload length, decryption failed?
Thu Mar 19 10:36:11 2020 daemon.info ipsec: 06[ENC] invalid ID_V1 payload length, decryption failed?
Thu Mar 19 10:36:11 2020 authpriv.info ipsec: 06[ENC] could not decrypt payloads
Thu Mar 19 10:36:11 2020 daemon.info ipsec: 06[ENC] could not decrypt payloads
Thu Mar 19 10:36:11 2020 authpriv.info ipsec: 06[IKE] message parsing failed
Thu Mar 19 10:36:11 2020 daemon.info ipsec: 06[IKE] message parsing failed
Thu Mar 19 10:36:11 2020 authpriv.info ipsec: 06[ENC] generating INFORMATIONAL_V1 request 734986945 [ HASH N(PLD_MAL) ]
Thu Mar 19 10:36:11 2020 daemon.info ipsec: 06[ENC] generating INFORMATIONAL_V1 request 734986945 [ HASH N(PLD_MAL) ]
Thu Mar 19 10:36:11 2020 authpriv.info ipsec: 06[NET] sending packet: from IP CASA[500] to IP TELEFONO[22273] (68 bytes)
Thu Mar 19 10:36:11 2020 daemon.info ipsec: 06[NET] sending packet: from IP CASA[500] to IP TELEFONO[22273] (68 bytes)
Thu Mar 19 10:36:11 2020 authpriv.info ipsec: 06[IKE] ID_PROT request with message ID 0 processing failed
Thu Mar 19 10:36:11 2020 daemon.info ipsec: 06[IKE] ID_PROT request with message ID 0 processing failed
Thu Mar 19 10:36:14 2020 authpriv.info ipsec: 16[NET] received packet: from IP TELEFONO[23037] to IP CASA[4500] (76 bytes)
Thu Mar 19 10:36:14 2020 daemon.info ipsec: 16[NET] received packet: from IP TELEFONO[23037] to IP CASA[4500] (76 bytes)
Thu Mar 19 10:36:14 2020 authpriv.info ipsec: 16[ENC] invalid ID_V1 payload length, decryption failed?
Thu Mar 19 10:36:14 2020 daemon.info ipsec: 16[ENC] invalid ID_V1 payload length, decryption failed?
Thu Mar 19 10:36:14 2020 authpriv.info ipsec: 16[ENC] could not decrypt payloads
Thu Mar 19 10:36:14 2020 daemon.info ipsec: 16[ENC] could not decrypt payloads
Thu Mar 19 10:36:14 2020 authpriv.info ipsec: 16[IKE] message parsing failed
Thu Mar 19 10:36:14 2020 daemon.info ipsec: 16[IKE] message parsing failed
Thu Mar 19 10:36:14 2020 authpriv.info ipsec: 16[ENC] generating INFORMATIONAL_V1 request 3933441266 [ HASH N(PLD_MAL) ]
Thu Mar 19 10:36:14 2020 daemon.info ipsec: 16[ENC] generating INFORMATIONAL_V1 request 3933441266 [ HASH N(PLD_MAL) ]
Thu Mar 19 10:36:14 2020 authpriv.info ipsec: 16[NET] sending packet: from IP CASA[500] to IP TELEFONO[22273] (68 bytes)
Thu Mar 19 10:36:14 2020 daemon.info ipsec: 16[NET] sending packet: from IP CASA[500] to IP TELEFONO[22273] (68 bytes)
Thu Mar 19 10:36:14 2020 authpriv.info ipsec: 16[IKE] ID_PROT request with message ID 0 processing failed
Thu Mar 19 10:36:14 2020 daemon.info ipsec: 16[IKE] ID_PROT request with message ID 0 processing failed
Thu Mar 19 10:36:17 2020 authpriv.info ipsec: 07[NET] received packet: from IP TELEFONO[23037] to IP CASA[4500] (76 bytes)
Thu Mar 19 10:36:17 2020 daemon.info ipsec: 07[NET] received packet: from IP TELEFONO[23037] to IP CASA[4500] (76 bytes)
Thu Mar 19 10:36:17 2020 authpriv.info ipsec: 07[ENC] invalid ID_V1 payload length, decryption failed?
Thu Mar 19 10:36:17 2020 daemon.info ipsec: 07[ENC] invalid ID_V1 payload length, decryption failed?
Thu Mar 19 10:36:17 2020 authpriv.info ipsec: 07[ENC] could not decrypt payloads
Thu Mar 19 10:36:17 2020 daemon.info ipsec: 07[ENC] could not decrypt payloads
Thu Mar 19 10:36:17 2020 authpriv.info ipsec: 07[IKE] message parsing failed
Thu Mar 19 10:36:17 2020 daemon.info ipsec: 07[IKE] message parsing failed
Thu Mar 19 10:36:17 2020 authpriv.info ipsec: 07[ENC] generating INFORMATIONAL_V1 request 1483864306 [ HASH N(PLD_MAL) ]
Thu Mar 19 10:36:17 2020 daemon.info ipsec: 07[ENC] generating INFORMATIONAL_V1 request 1483864306 [ HASH N(PLD_MAL) ]
Thu Mar 19 10:36:17 2020 authpriv.info ipsec: 07[NET] sending packet: from IP CASA[500] to IP TELEFONO[22273] (68 bytes)
Thu Mar 19 10:36:17 2020 daemon.info ipsec: 07[NET] sending packet: from IP CASA[500] to IP TELEFONO[22273] (68 bytes)
Thu Mar 19 10:36:17 2020 authpriv.info ipsec: 07[IKE] ID_PROT request with message ID 0 processing failed
Thu Mar 19 10:36:17 2020 daemon.info ipsec: 07[IKE] ID_PROT request with message ID 0 processing failed
Thu Mar 19 10:36:20 2020 authpriv.info ipsec: 08[NET] received packet: from IP TELEFONO[23037] to IP CASA[4500] (76 bytes)
Thu Mar 19 10:36:20 2020 daemon.info ipsec: 08[NET] received packet: from IP TELEFONO[23037] to IP CASA[4500] (76 bytes)
Thu Mar 19 10:36:20 2020 authpriv.info ipsec: 08[ENC] invalid ID_V1 payload length, decryption failed?
Thu Mar 19 10:36:20 2020 daemon.info ipsec: 08[ENC] invalid ID_V1 payload length, decryption failed?
Thu Mar 19 10:36:20 2020 authpriv.info ipsec: 08[ENC] could not decrypt payloads
Thu Mar 19 10:36:20 2020 daemon.info ipsec: 08[ENC] could not decrypt payloads
Thu Mar 19 10:36:20 2020 authpriv.info ipsec: 08[IKE] message parsing failed
Thu Mar 19 10:36:20 2020 daemon.info ipsec: 08[IKE] message parsing failed
Thu Mar 19 10:36:20 2020 authpriv.info ipsec: 08[ENC] generating INFORMATIONAL_V1 request 2631970308 [ HASH N(PLD_MAL) ]
Thu Mar 19 10:36:20 2020 daemon.info ipsec: 08[ENC] generating INFORMATIONAL_V1 request 2631970308 [ HASH N(PLD_MAL) ]
Thu Mar 19 10:36:20 2020 authpriv.info ipsec: 08[NET] sending packet: from IP CASA[500] to IP TELEFONO[22273] (68 bytes)
Thu Mar 19 10:36:20 2020 daemon.info ipsec: 08[NET] sending packet: from IP CASA[500] to IP TELEFONO[22273] (68 bytes)
Thu Mar 19 10:36:20 2020 authpriv.info ipsec: 08[IKE] ID_PROT request with message ID 0 processing failed
Thu Mar 19 10:36:20 2020 daemon.info ipsec: 08[IKE] ID_PROT request with message ID 0 processing failed
Thu Mar 19 10:36:22 2020 authpriv.info ipsec: 10[JOB] deleting half open IKE_SA with IP TELEFONO after timeout
Thu Mar 19 10:36:22 2020 daemon.info ipsec: 10[JOB] deleting half open IKE_SA with IP TELEFONO after timeout
Thu Mar 19 10:36:45 2020 daemon.info cwmpd[11947]: PROT_TRACE: Events are waiting, need to contact ACS
Thu Mar 19 10:36:45 2020 daemon.info cwmpd[11947]: CONNECTION: Connecting to server
Thu Mar 19 10:36:45 2020 daemon.info cwmpd[11947]: UBUS_CLIENT: external IP address is IP CASA
Thu Mar 19 10:36:45 2020 daemon.info cwmpd[11947]: UBUS_CLIENT: Sending event cwmpd
Thu Mar 19 10:36:45 2020 daemon.info cwmpd[11947]: CONNECTION: Connected to server, starting transaction.
Thu Mar 19 10:36:45 2020 daemon.info cwmpd[11947]: UBUS_CLIENT: external IP address is IP CASA
Thu Mar 19 10:36:45 2020 daemon.info cwmpd[11947]: PROT_TRACE: ConnectionRequestURL updated to http://IP CASA:7170/ConnectionRequest
Thu Mar 19 10:36:45 2020 daemon.info cwmpd[11947]: PROT_TRACE: ConnectionRequestURL updated to http://IP CASA:7170/ConnectionRequest

Dal web leggo che alcuni risolvono in questo modo:

You are initiating a Mode Config push, but the client at the same time does a Mode Config pull.

modeconfig=push

push mode support was not supported until 5.1.1, so it just used pull mode. This is what you usually want with road warrior clients. Try to remove that modeconfig statement for 5.1.1 to use the default pull mode.

[FrancYescO]

direi che stai mettendo la PSK sbagliata.

[satigno]

Purtroppo no.. l'ho cambiata 80 volte e ricontrollata ma niente

[FrancYescO]

Ma cosa stai usando come client? mi scrivi/screenshotti le config?

[satigno]

Sto usando il client VPN integrato in Android e imposto i parametri come da tuo screenshot presente in questo topic.

Tipo: L2TP/IPSec PSK
Indirizzo server: mio ip pubblico casa o DDNS
Chiave precondivisa IPsec: Chiave IPSec precondivisa da GUI
Nome utente: Username da GUI
Password: password del corrispondente Username da GUI