Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Post your questions about SoftEther VPN software here. Please answer questions if you can spare the time.
aeronell
Posts: 2
Joined: Thu Aug 30, 2018 8:02 pm

Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Post by aeronell » Thu Aug 30, 2018 8:22 pm

Hello friends,

I have a compact router that runs a linux build called BusyBox. You might know it! The router is a good little unit, and it has some VPN functionality which (and I'm no expert) looks to me to be an import of the ipsec-tools (site is in the subject).

The problem is... I can't get it working. Phase 1 of the IPsec negotiation appears to work but Phase 2 does not. I have tried to match the settings of the processes as closely as possible, but I can't get a stable connection between the router and the SoftEther server.

The SoftEther log does not report anything obviously bad but the BusyBox console shows a bit more of the process. I will paste them below.

QUESTION: Does anyone have any experience of getting ipsec-tools to work with SoftEther? We would love to be able to use a router directly to connect a tunnel to our SoftEther server rather than using Windows clients and Windows machines. We could remove the Windows OS systems altogether if we can achieve this.

Very many thanks for your help and ideas and recommendations!

---snip---

Here's the SoftEther log:

2018-08-30 20:06:53.346 IPsec Client 32 (213.205.194.10:1011 -> 10.0.0.4:500): A new IPsec client is created.
2018-08-30 20:06:53.347 IPsec IKE Session (IKE SA) 32 (Client: 32) (213.205.194.10:1011 -> 10.0.0.4:500): A new IKE SA (Aggressive Mode) is created. Initiator Cookie: 0xBFA6EB7A88F9B72B, Responder Cookie: 0xFF46DC54E7C77A4A, DH Group: MODP 1024 (Group 2), Hash Algorithm: SHA-1, Cipher Algorithm: AES-CBC, Cipher Key Size: 128 bits, Lifetime: 4294967295 Kbytes or 28800 seconds
2018-08-30 20:06:53.347 IPsec Client 32 (213.205.194.10:1011 -> 10.0.0.4:500):
2018-08-30 20:07:03.359 IPsec IKE Session (IKE SA) 32 (Client: 32) (213.205.194.10:1011 -> 10.0.0.4:500): This IKE SA is deleted.
2018-08-30 20:07:03.359 IPsec Client 32 (213.205.194.10:1011 -> 10.0.0.4:500): This IPsec Client is deleted.

--- snip

And here's the BusyBox log (where cc.cc.cc.cc is the client and ss.ss.ss.ss is the server):

21:06:50 router: vpn_ipsec: start!
21:06:51 racoon: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
21:06:51 racoon: INFO: @(#)This product linked OpenSSL 0.9.8x 10 May 2012 (http://www.openssl.org/)
21:06:51 racoon: INFO: Reading configuration from "/var/racoon.conf"
21:06:51 racoon: INFO: 192.168.1.50[500] used for NAT-T
21:06:51 racoon: INFO: 192.168.1.50[500] used as isakmp port (fd=8)
21:06:51 racoon: INFO: 192.168.1.50[4500] used for NAT-T
21:06:51 racoon: INFO: 192.168.1.50[4500] used as isakmp port (fd=9)
21:06:51 racoon: INFO: cc.cc.cc.cc[500] used for NAT-T
21:06:51 racoon: INFO: cc.cc.cc.cc[500] used as isakmp port (fd=10)
21:06:51 racoon: INFO: cc.cc.cc.cc[4500] used for NAT-T
21:06:51 racoon: INFO: cc.cc.cc.cc[4500] used as isakmp port (fd=11)
21:06:51 racoon: INFO: 127.0.0.1[500] used for NAT-T
21:06:51 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
21:06:51 racoon: INFO: 127.0.0.1[4500] used for NAT-T
21:06:51 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=13)
21:06:51 racoon: INFO: 127.0.0.0[500] used for NAT-T
21:06:51 racoon: INFO: 127.0.0.0[500] used as isakmp port (fd=14)
21:06:51 racoon: INFO: 127.0.0.0[4500] used for NAT-T
21:06:51 racoon: INFO: 127.0.0.0[4500] used as isakmp port (fd=15)
21:06:51 racoon: INFO: IPsec-SA request for ss.ss.ss.ss queued due to no phase1 found.
21:06:51 racoon: INFO: initiate new phase 1 negotiation: cc.cc.cc.cc[500]<=>ss.ss.ss.ss[500]
21:06:51 racoon: INFO: begin Aggressive mode.
21:06:51 racoon: INFO: received Vendor ID: RFC 3947
21:06:51 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
21:06:51 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
21:06:51 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
21:06:51 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
21:06:51 racoon: INFO: received Vendor ID: DPD
21:06:51 racoon: [ss.ss.ss.ss] INFO: Selected NAT-T version: RFC 3947
21:06:51 racoon: [cc.cc.cc.cc] INFO: Hashing cc.cc.cc.cc[500] with algo #2
21:06:51 racoon: INFO: NAT-D payload #-1 doesn't match
21:06:51 racoon: [ss.ss.ss.ss] INFO: Hashing ss.ss.ss.ss[500] with algo #2
21:06:51 racoon: INFO: NAT-D payload #0 doesn't match
21:06:51 racoon: INFO: NAT detected: ME PEER
21:06:51 racoon: INFO: KA list add: cc.cc.cc.cc[4500]->ss.ss.ss.ss[4500]
21:06:52 racoon: [ss.ss.ss.ss] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
21:06:52 racoon: INFO: Adding remote and local NAT-D payloads.
21:06:52 racoon: [ss.ss.ss.ss] INFO: Hashing ss.ss.ss.ss[4500] with algo #2
21:06:52 racoon: [cc.cc.cc.cc] INFO: Hashing cc.cc.cc.cc[4500] with algo #2
21:06:52 racoon: INFO: ISAKMP-SA established cc.cc.cc.cc[4500]-ss.ss.ss.ss[4500] spi:bfa6eb7a88f9b72b:ff46dc54e7c77a4a
21:06:52 router: vpn_ipsec:phase1_up-cc.cc.cc.cc:4500:ss.ss.ss.ss:4500:10.0.0.4
21:06:52 racoon: INFO: initiate new phase 2 negotiation: cc.cc.cc.cc[4500]<=>ss.ss.ss.ss[4500]
21:06:52 racoon: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
21:06:53 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:06:55 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:06:57 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:06:59 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:07:01 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:07:01 racoon: [ss.ss.ss.ss] ERROR: unknown Informational exchange received.
21:07:22 racoon: INFO: IPsec-SA expired: ESP/Tunnel ss.ss.ss.ss[500]->cc.cc.cc.cc[500] spi=262872876(0xfab1f2c)
21:07:32 racoon: INFO: ISAKMP-SA deleted cc.cc.cc.cc[4500]-ss.ss.ss.ss[4500] spi:bfa6eb7a88f9b72b:ff46dc54e7c77a4a
21:07:32 racoon: INFO: KA remove: cc.cc.cc.cc[4500]->ss.ss.ss.ss[4500]
21:07:33 router: vpn_ipsec:phase1_down-cc.cc.cc.cc:4500:ss.ss.ss.ss:4500:10.0.0.4
21:08:55 racoon: INFO: caught signal 15
21:08:55 racoon: INFO: racoon process 591 shutdown
21:08:55 router: vpn_ipsec: exit!
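Reading racoon output by eye is error-prone, so here is an added triage script (my own example, not the poster's or SoftEther's code) that classifies an IKEv1 attempt the way the post describes it: phase 1 up, phase 2 initiated, peer retransmits, then the ISAKMP SA torn down without an IPsec SA. The sample is constructed from the lines quoted above; the phase 2 success marker `IPsec-SA established:` is assumed from racoon's usual output rather than taken from the post.

```python
import re

# Constructed sample modelled on the racoon lines quoted in the post
# (cc.cc.cc.cc / ss.ss.ss.ss are the poster's own placeholders).
SAMPLE_LOG = """\
21:06:52 racoon: INFO: ISAKMP-SA established cc.cc.cc.cc[4500]-ss.ss.ss.ss[4500] spi:bfa6eb7a88f9b72b:ff46dc54e7c77a4a
21:06:52 racoon: INFO: initiate new phase 2 negotiation: cc.cc.cc.cc[4500]<=>ss.ss.ss.ss[4500]
21:06:53 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:06:55 racoon: NOTIFY: the packet is retransmitted by ss.ss.ss.ss[500] (2).
21:07:01 racoon: [ss.ss.ss.ss] ERROR: unknown Informational exchange received.
21:07:32 racoon: INFO: ISAKMP-SA deleted cc.cc.cc.cc[4500]-ss.ss.ss.ss[4500] spi:bfa6eb7a88f9b72b:ff46dc54e7c77a4a
"""

P1_UP = re.compile(r"ISAKMP-SA established \S+\[(\d+)\]-\S+\[(\d+)\] spi:(\S+)")
P2_START = re.compile(r"initiate new phase 2 negotiation")
P2_UP = re.compile(r"IPsec-SA established:")   # racoon's phase 2 success line (assumed)
RETRANS = re.compile(r"the packet is retransmitted by \S+\[(\d+)\]")
P1_DOWN = re.compile(r"ISAKMP-SA deleted \S+\[\d+\]-\S+\[\d+\] spi:(\S+)")

def triage_racoon(log_text):
    """Walk racoon log lines and summarise how far the IKE exchange got."""
    s = {"phase1": False, "phase2_started": False, "phase2_up": False,
         "retransmits": 0, "retransmit_ports": set(), "ike_port": None,
         "errors": [], "deleted": False, "verdict": ""}
    for line in log_text.splitlines():
        if m := P1_UP.search(line):
            s["phase1"], s["ike_port"] = True, int(m.group(2))   # peer port after NAT-T float
        elif P2_START.search(line):
            s["phase2_started"] = True
        elif P2_UP.search(line):
            s["phase2_up"] = True
        elif m := RETRANS.search(line):
            s["retransmits"] += 1
            s["retransmit_ports"].add(int(m.group(1)))
        elif " ERROR: " in line:
            s["errors"].append(line.split(" ERROR: ", 1)[1])
        elif P1_DOWN.search(line):
            s["deleted"] = True
    if not s["phase1"]:
        s["verdict"] = "phase 1 never completed"
    elif s["phase2_up"]:
        s["verdict"] = "tunnel established"
    elif s["phase2_started"]:
        s["verdict"] = "phase 2 initiated but never completed: %d retransmit(s), ISAKMP SA %s" % (
            s["retransmits"], "deleted" if s["deleted"] else "still up")
    else:
        s["verdict"] = "phase 1 completed but phase 2 was never initiated"
    # Peer answering from a port other than the one the IKE SA floated to is worth flagging
    s["port_mismatch"] = bool(s["retransmit_ports"] - {s["ike_port"]}) if s["ike_port"] else False
    return s

if __name__ == "__main__":
    for key, value in triage_racoon(SAMPLE_LOG).items():
        print(key, value)
```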

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Post by thisjun » Thu Sep 13, 2018 7:07 am

SoftEther VPN Server doesn't support vanilla IPSec.

vlaryk
Posts: 9
Joined: Tue May 30, 2017 2:20 pm

Re: Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Post by vlaryk » Sat Sep 15, 2018 1:42 pm

thisjun wrote:
Thu Sep 13, 2018 7:07 am
SoftEther VPN Server doesn't support vanilla IPSec.
What do you mean by vanilla IPSec?

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Post by thisjun » Wed Oct 17, 2018 6:19 am

Vanilla means native IPSec without L2TP.

aeronell
Posts: 2
Joined: Thu Aug 30, 2018 8:02 pm

Re: Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Post by aeronell » Wed Oct 17, 2018 7:27 am

Thanks @thisjun for your reply. Just to clarify then, SoftEther is compatible with ipsec-tools under the correct conditions e.g. using L2TP? If so are there any config guides for this? Thanks!

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Is SoftEther compatible with ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)?

Post by thisjun » Thu Nov 01, 2018 6:44 am

AFAIK, ipsec-tools can't be an initiator of L2TP/IPSec.
