
Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Posted: Thu Aug 30, 2018 8:22 pm
by aeronell
Hello friends,

I have a compact router that runs a Linux build called BusyBox. You might know it! The router is a good little unit, and it has some VPN functionality which (and I'm no expert) looks to me to be an import of the ipsec-tools (site is in the subject).

The problem is... I can't get it working. The Phase 1 of the IPSec appears to work but Phase 2 does not. I have tried to match the settings of the processes as clearly as possible, but I can't get a stable connection between the router and the SoftEther server.

The SoftEther log does not report anything obviously bad but the BusyBox console shows a bit more of the process. I will paste them below.

QUESTION: Does anyone have any experience of getting ipsec-tools to work with SoftEther? We would love to be able to use a router directly to connect a tunnel to our SoftEther server rather than using Windows clients and Windows machines. We could remove the Windows OS systems altogether if we can achieve this.

Very many thanks for your help and ideas and recommendations!

---snip---

Here's the SoftEther log:

2018-08-30 20:06:53.346 IPsec Client 32 (213.205.194.10:1011 -> 10.0.0.4:500): A new IPsec client is created.
2018-08-30 20:06:53.347 IPsec IKE Session (IKE SA) 32 (Client: 32) (213.205.194.10:1011 -> 10.0.0.4:500): A new IKE SA (Aggressive Mode) is created. Initiator Cookie: 0xBFA6EB7A88F9B72B, Responder Cookie: 0xFF46DC54E7C77A4A, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
2018-08-30 20:06:53.347 IPsec Client 32 (213.205.194.10:1011 -> 10.0.0.4:500):
2018-08-30 20:07:03.359 IPsec IKE Session (IKE SA) 32 (Client: 32) (213.205.194.10:1011 -> 10.0.0.4:500): This IKE SA is deleted.
2018-08-30 20:07:03.359 IPsec Client 32 (213.205.194.10:1011 -> 10.0.0.4:500): This IPsec Client is deleted.

--- snip

And here's the BusyBox log (where cc.cc.cc.cc is the client and ss.ss.ss.ss is the server):

21:06:50 router: vpn_ipsec: start!
21:06:51 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
21:06:51 racoon: INFO: @(#)This product linked OpenSSL 0.9.8x 10 May 2012 (http://www.openssl.org/)
21:06:51 racoon: INFO: Reading configuration from "/var/racoon.conf"
21:06:51 racoon: INFO: 192.168.1.50[500] used for NAT-T
21:06:51 racoon: INFO: 192.168.1.50[500] used as isakmp port (fd=8)
21:06:51 racoon: INFO: 192.168.1.50[4500] used for NAT-T
21:06:51 racoon: INFO: 192.168.1.50[4500] used as isakmp port (fd=9)
21:06:51 racoon: INFO: cc.cc.cc.cc[500] used for NAT-T
21:06:51 racoon: INFO: cc.cc.cc.cc[500] used as isakmp port (fd=10)
21:06:51 racoon: INFO: cc.cc.cc.cc[4500] used for NAT-T
21:06:51 racoon: INFO: cc.cc.cc.cc[4500] used as isakmp port (fd=11)
21:06:51 racoon: INFO: 127.0.0.1[500] used for NAT-T
21:06:51 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
21:06:51 racoon: INFO: 127.0.0.1[4500] used for NAT-T
21:06:51 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=13)
21:06:51 racoon: INFO: 127.0.0.0[500] used for NAT-T
21:06:51 racoon: INFO: 127.0.0.0[500] used as isakmp port (fd=14)
21:06:51 racoon: INFO: 127.0.0.0[4500] used for NAT-T
21:06:51 racoon: INFO: 127.0.0.0[4500] used as isakmp port (fd=15)
21:06:51 racoon: INFO: IPsec-SA request for ss.ss.ss.ss queued due to no phase1 found.
21:06:51 racoon: INFO: initiate new phase 1 negotiation: cc.cc.cc.cc[500]<=>ss.ss.ss.ss[500]
21:06:51 racoon: INFO: begin Aggressive mode.
21:06:51 racoon: INFO: received Vendor ID: RFC 3947
21:06:51 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
21:06:51 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
21:06:51 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
21:06:51 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
21:06:51 racoon: INFO: received Vendor ID: DPD
21:06:51 racoon: [ss.ss.ss.ss] INFO: Selected NAT-T version: RFC 3947
21:06:51 racoon: [cc.cc.cc.cc] INFO: Hashing cc.cc.cc.cc[500] with algo #2
21:06:51 racoon: INFO: NAT-D payload #-1 doesn't match
21:06:51 racoon: [ss.ss.ss.ss] INFO: Hashing ss.ss.ss.ss[500] with algo #2
21:06:51 racoon: INFO: NAT-D payload #0 doesn't match
21:06:51 racoon: INFO: NAT detected: ME PEER
21:06:51 racoon: INFO: KA list add: cc.cc.cc.cc[4500]->ss.ss.ss.ss[4500]
21:06:52 racoon: [ss.ss.ss.ss] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
21:06:52 racoon: INFO: Adding remote and local NAT-D payloads.
21:06:52 racoon: [ss.ss.ss.ss] INFO: Hashing ss.ss.ss.ss[4500] with algo #2
21:06:52 racoon: [cc.cc.cc.cc] INFO: Hashing cc.cc.cc.cc[4500] with algo #2
21:06:52 racoon: INFO: ISAKMP-SA established cc.cc.cc.cc[4500]-ss.ss.ss.ss[4500] spi:bfa6eb7a88f9b72b:ff46dc54e7c77a4a
21:06:52 router: vpn_ipsec:phase1_up-cc.cc.cc.cc:4500:ss.ss.ss.ss:4500:10.0.0.4
21:06:52 racoon: INFO: initiate new phase 2 negotiation: cc.cc.cc.cc[4500]<=>ss.ss.ss.ss[4500]
21:06:52 racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
21:06:53 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:06:55 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:06:57 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:06:59 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:07:01 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:07:01 racoon: [ss.ss.ss.ss] ERROR: unknown Informational exchange received.
21:07:22 racoon: INFO: IPsec-SA expired: ESP/Tunnel ss.ss.ss.ss[500]->cc.cc.cc.cc[500] spi=262872876(0xfab1f2c)
21:07:32 racoon: INFO: ISAKMP-SA deleted cc.cc.cc.cc[4500]-ss.ss.ss.ss[4500] spi:bfa6eb7a88f9b72b:ff46dc54e7c77a4a
21:07:32 racoon: INFO: KA remove: cc.cc.cc.cc[4500]->ss.ss.ss.ss[4500]
21:07:33 router: vpn_ipsec:phase1_down-cc.cc.cc.cc:4500:ss.ss.ss.ss:4500:10.0.0.4
21:08:55 racoon: INFO: caught signal 15
21:08:55 racoon: INFO: racoon process 591 shutdown
21:08:55 router: vpn_ipsec: exit!
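An added triage script (not from the poster, ipsec-tools or SoftEther) that reads racoon log lines the way this log needs to be read: it records that phase 1 completed (ISAKMP-SA established) but phase 2 never reached an IPsec-SA established message, and counts the peer retransmissions and errors in between. The sample log is constructed from the BusyBox lines above.

```python
import re

# Constructed sample mirroring the racoon lines in the post (cc = client, ss = server).
SAMPLE_LOG = """\
21:06:51 racoon: INFO: initiate new phase 1 negotiation: cc.cc.cc.cc[500]<=>ss.ss.ss.ss[500]
21:06:52 racoon: INFO: ISAKMP-SA established cc.cc.cc.cc[4500]-ss.ss.ss.ss[4500] spi:bfa6eb7a88f9b72b:ff46dc54e7c77a4a
21:06:52 racoon: INFO: initiate new phase 2 negotiation: cc.cc.cc.cc[4500]<=>ss.ss.ss.ss[4500]
21:06:53 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:06:55 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:07:01 racoon: [ss.ss.ss.ss] ERROR: unknown Informational exchange received.
21:07:32 racoon: INFO: ISAKMP-SA deleted cc.cc.cc.cc[4500]-ss.ss.ss.ss[4500] spi:bfa6eb7a88f9b72b:ff46dc54e7c77a4a
"""

# racoon messages that mark an IKE milestone, keyed by event name.
EVENTS = [
    ("phase1_up", re.compile(r"ISAKMP-SA established")),
    ("phase2_start", re.compile(r"initiate new phase 2 negotiation")),
    ("retransmit", re.compile(r"packet is retransmitted by (\S+)")),
    ("phase2_up", re.compile(r"IPsec-SA established")),
    ("phase1_down", re.compile(r"ISAKMP-SA deleted")),
    ("error", re.compile(r"ERROR: (.+)$")),
]

def triage(log_text):
    """Summarise a racoon log: which IKE phase got through and where it stalled."""
    s = {"phase1_up": False, "phase2_start": False, "phase2_up": False,
         "phase1_down": False, "retransmits": 0, "errors": []}
    for line in log_text.splitlines():
        for name, rx in EVENTS:
            m = rx.search(line)
            if not m:
                continue
            if name == "retransmit":
                s["retransmits"] += 1          # peer resent a packet racoon had already seen
            elif name == "error":
                s["errors"].append(m.group(1))
            else:
                s[name] = True
    if s["phase2_up"]:
        s["diagnosis"] = "tunnel up: phase 1 and phase 2 both completed"
    elif s["phase1_up"] and s["phase2_start"]:
        s["diagnosis"] = (f"phase 1 completed but phase 2 never produced an IPsec SA "
                          f"({s['retransmits']} peer retransmissions): check the phase 2 "
                          "proposal and whether the responder supports plain (non-L2TP) IPsec")
    elif s["phase1_up"]:
        s["diagnosis"] = "phase 1 completed but phase 2 was never initiated"
    else:
        s["diagnosis"] = "phase 1 did not complete"
    return s
```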

Re: Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Posted: Thu Sep 13, 2018 7:07 am
by thisjun
SoftEther VPN Server doesn't support vanilla IPSec.

Re: Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Posted: Sat Sep 15, 2018 1:42 pm
by vlaryk
thisjun wrote:
Thu Sep 13, 2018 7:07 am
SoftEther VPN Server doesn't support vanilla IPSec.
What do you mean by vanilla IPSec?

Re: Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Posted: Wed Oct 17, 2018 6:19 am
by thisjun
Vanilla means native IPSec without L2TP.

Re: Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Posted: Wed Oct 17, 2018 7:27 am
by aeronell
Thanks @thisjun for your reply. Just to clarify then, SoftEther is compatible with ipsec-tools under the correct conditions e.g. using L2TP? If so are there any config guides for this? Thanks!

Re: Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Posted: Thu Nov 01, 2018 6:44 am
by thisjun
AFAIK, ipsec-tools can't be an initiator of L2TP/IPSec.