Gentoo Forums
Setting up L2TP/IPSec VPN connection to Windows server
Forum: Networking & Security
LemonadeLlama
Tux's lil' helper
Joined: 26 May 2021
Posts: 101
Location: New Zealand

Posted: Wed Feb 09, 2022 12:55 pm    Post subject: Setting up L2TP/IPSec VPN connection to Windows server

Hey everyone. Does anyone here have any experience setting up L2TP/IPSec VPN connections on Gentoo? I've done it on Manjaro before using a NetworkManager plug-in. I'm not using NetworkManager on Gentoo though.

My work allows employees to connect to the office network with an L2TP/IPSec VPN connection. I know there's an article on the arch wiki on setting this up, and it says you can use xl2tpd and openswan if you don't have NetworkManager: https://wiki.archlinux.org/title/Openswan_L2TP/IPsec_VPN_client_setup

I could only see StrongSwan and Libreswan in the Gentoo package list though, not openswan, so I'm not sure the Arch guide will translate 100% to Gentoo.

Does anyone know the best way to achieve an L2TP/IPSec connection?
salahx
Guru
Joined: 12 Mar 2005
Posts: 530

Posted: Wed Feb 09, 2022 8:47 pm

Many years ago, I wrote an article on how to set up an IPsec/L2TP server for Linux: https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server (it could use an update; ipsec-tools is dead and some of the instructions are out of date). Configuring a client is even easier. The basic concepts are covered, so it's a good starting point.
LemonadeLlama
Posted: Mon Feb 14, 2022 10:12 am

Alright, so I tried using the wiki in addition to a guide I found for Ubuntu (guide is https://howto.lintel.in/configure-ipsecl2tp-vpn-clients-linux-cli/), and I think I'm almost there.

I've installed strongswan and xl2tpd, and configured them, but here's as far as I got:

Code:
sudo ipsec up vpnconn
initiating Main Mode IKE_SA vpnconn[3] to 122.56.104.6
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.1.65[500] to 122.56.104.6[500] (180 bytes)
received packet: from 122.56.104.6[500] to 192.168.1.65[500] (56 bytes)
parsed INFORMATIONAL_V1 request 3937585212 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpnconn' failed


The syslog isn't much help either; it has just the same output as the console.
Code:
Feb 14 23:01:58 TuxBox charon: 01[CFG] received stroke: initiate 'vpnconn'
Feb 14 23:01:58 TuxBox charon: 09[IKE] initiating Main Mode IKE_SA vpnconn[3] to 122.56.104.6
Feb 14 23:01:58 TuxBox charon: 09[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Feb 14 23:01:58 TuxBox charon: 09[NET] sending packet: from 192.168.1.65[500] to 122.56.104.6[500] (180 bytes)
Feb 14 23:01:58 TuxBox charon: 07[NET] received packet: from 122.56.104.6[500] to 192.168.1.65[500] (56 bytes)
Feb 14 23:01:58 TuxBox charon: 07[ENC] parsed INFORMATIONAL_V1 request 3937585212 [ N(NO_PROP) ]
Feb 14 23:01:58 TuxBox charon: 07[IKE] received NO_PROPOSAL_CHOSEN error notify
salahx
Posted: Mon Feb 14, 2022 4:14 pm

It could be a few things. Depending on whether your server requires a certificate or a PSK, it might be missing (or not in the right place). Second, if you are talking to a Windows server, it might only support weak encryption. Try adding ike=aes-sha1-modp1024 and see if that helps.

You might want to try net-analyzer/ike-scan to get an idea of what the server is looking for.
LemonadeLlama
Posted: Mon Feb 14, 2022 9:27 pm

salahx wrote:
You might want to try net-analyzer/ike-scan to get an idea of what the server is looking for.


I tried that, connecting to work's server. It gave me this output.

Code:
sudo ike-scan 122.56.104.6
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
122.56.104.6   Main Mode Handshake returned HDR=(CKY-R=2ebda1f9efafb80c) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.062 seconds (16.06 hosts/sec).  1 returned handshake; 0 returned notify




What am I looking for in the output?
salahx
Posted: Mon Feb 14, 2022 10:55 pm

Aha! Those are the clues we're looking for. It expects 3des-sha1-modp1024, and it expects a pre-shared key. So if you're using strongSwan, let's use the new configuration instead of the old:
Create the missing directory:
Code:
( umask 007; mkdir /etc/swanctl/conf.d )

Then create a file in it, like /etc/swanctl/conf.d/work.conf
Code:

connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
}


If you are using systemd, start the strongswan service.
If you are using something else, start the ipsec service, then run
Code:
swanctl -q

Then connect:
Code:
swanctl -i --child only
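The post above reads the ike-scan handshake line by eye. The script below, an added example written for this thread and not code from either poster, does the same mechanically: it parses the SA=(...) attributes ike-scan printed, turns them into the strongSwan `proposals=` keyword and `auth=` value for a swanctl connection, and flags the algorithms a security engineer would not want to see. The 3DES/SHA1/modp1024/PSK spellings are taken from the output on this page; the AES, MD5, SHA2-256 and RSA_Sig spellings are assumed from ike-scan's usual output and are not shown here. The sample input is the handshake line from the thread.

```python
import re

# ike-scan attribute values -> strongSwan proposal keywords. The 3DES/SHA1/
# modp1024/PSK spellings appear in this thread; AES, MD5, SHA2-256 and RSA_Sig
# are assumed from ike-scan's usual output.
ENC = {"3DES": "3des", "DES": "des", "AES": "aes"}
HASH = {"SHA1": "sha1", "MD5": "md5", "SHA2-256": "sha256"}
AUTH = {"PSK": "psk", "RSA_Sig": "pubkey"}

# Constructed sample: the ike-scan run posted in this thread (one host, PSK, 3DES).
SAMPLE_IKE_SCAN = """\
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
122.56.104.6   Main Mode Handshake returned HDR=(CKY-R=2ebda1f9efafb80c) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.062 seconds (16.06 hosts/sec).  1 returned handshake; 0 returned notify
"""


def parse_ike_scan(output):
    """Extract the Main Mode transform the responder accepted.

    Returns None when no host answered with a handshake (nothing to tune)."""
    m = re.search(r"SA=\((.*?)\)", output)
    if not m:
        return None
    attrs = dict(kv.split("=", 1) for kv in m.group(1).split())
    enc = ENC[attrs["Enc"]]
    if enc == "aes":
        # ike-scan reports the AES key size as a separate KeyLength attribute
        enc += attrs.get("KeyLength", "128")
    return {
        "enc": enc,
        "hash": HASH[attrs["Hash"]],
        "group": attrs["Group"].split(":")[-1],   # "2:modp1024" -> "modp1024"
        "auth": AUTH[attrs["Auth"]],
        "lifetime": int(attrs.get("LifeDuration", "0")),
        "xauth": "(XAUTH)" in output,             # responder advertises XAuth
        "dpd": "Dead Peer Detection" in output,
    }


def ike_proposal(t):
    """The strongSwan 'proposals=' value matching what the responder accepted."""
    return f"{t['enc']}-{t['hash']}-{t['group']}"


# Why a practitioner should wince at the result, per algorithm.
WEAK = {
    "des": "single DES: 56-bit key, brute-forceable",
    "3des": "3DES: 64-bit block, Sweet32-class attacks on long-lived SAs",
    "md5": "MD5: collision-broken; retire it even as an HMAC",
    "modp768": "768-bit DH group: breakable",
    "modp1024": "1024-bit DH group: below current guidance (Logjam-class precomputation)",
}


def weak_points(t):
    return [WEAK[x] for x in (t["enc"], t["hash"], t["group"]) if x in WEAK]


def swanctl_fragment(t, peer, conn="work"):
    """Only the connection-level settings ike-scan can tell us. The child
    (ESP proposal, traffic selectors) is negotiated in Quick Mode, which
    ike-scan never reaches, so it is left out on purpose."""
    return "\n".join([
        "connections {",
        f"    {conn} {{",
        f"        remote_addrs={peer}",
        f"        proposals={ike_proposal(t)}",
        "        version=1",
        "        local-1 {",
        f"            auth={t['auth']}",
        "        }",
        "        remote-1 {",
        f"            auth={t['auth']}",
        "        }",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    t = parse_ike_scan(SAMPLE_IKE_SCAN)
    print(swanctl_fragment(t, "122.56.104.6"))
    for w in weak_points(t):
        print("warning:", w)
```

Run it as `sudo ike-scan <peer> | python3 ike2swanctl.py` after replacing the sample with `sys.stdin.read()`. Note the XAUTH vendor ID only says the responder supports XAuth; the thread's server accepts plain PSK, so no `xauth` round is added to the fragment.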
LemonadeLlama
Posted: Tue Feb 15, 2022 9:55 am

I think we're almost there.

I added the swanctl file like you asked, and here's what happened:

Code:
~ $ sudo swanctl -q
opening directory '/etc/swanctl/x509' failed: No such file or directory
opening directory '/etc/swanctl/x509ca' failed: No such file or directory
opening directory '/etc/swanctl/x509ocsp' failed: No such file or directory
opening directory '/etc/swanctl/x509aa' failed: No such file or directory
opening directory '/etc/swanctl/x509ac' failed: No such file or directory
opening directory '/etc/swanctl/x509crl' failed: No such file or directory
opening directory '/etc/swanctl/pubkey' failed: No such file or directory
opening directory '/etc/swanctl/private' failed: No such file or directory
opening directory '/etc/swanctl/rsa' failed: No such file or directory
opening directory '/etc/swanctl/ecdsa' failed: No such file or directory
opening directory '/etc/swanctl/bliss' failed: No such file or directory
opening directory '/etc/swanctl/pkcs8' failed: No such file or directory
opening directory '/etc/swanctl/pkcs12' failed: No such file or directory
loaded ike secret 'ike-1'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'vpnconn'
successfully loaded 1 connections, 0 unloaded
~ $ sudo swanctl -i --child only
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 13991s
[IKE] maximum IKE_SA lifetime 15431s
[ENC] generating QUICK_MODE request 3673023179 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (204 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 3464512211 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
initiate failed: establishing CHILD_SA 'only' failed
salahx
Posted: Tue Feb 15, 2022 4:25 pm

OK, so now it's choking on the ESP proposal; let's try this:
Code:

connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=3des-sha1,default
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
}
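The diagnosis in the post above rests on where in the charon output the NO_PROPOSAL_CHOSEN notify arrives: before the IKE_SA is established it is a phase 1 (IKE proposal) rejection, after the Quick Mode request it is a phase 2 (ESP proposal or traffic selector) rejection, and a netlink error after "selected proposal: ESP:" means the peers agreed but the local kernel could not install the SA. The classifier below, an added example that is not part of this thread, encodes that reading so a charon log can be sorted into those buckets mechanically. The sample inputs are excerpts of the log lines posted in this thread; the verdict names and the hint text are the example's own.

```python
import re

# Sample inputs: excerpts of the charon output posted in this thread.
PHASE1_FAIL = [
    "[IKE] initiating Main Mode IKE_SA vpnconn[3] to 122.56.104.6",
    "[ENC] generating ID_PROT request 0 [ SA V V V V V ]",
    "[ENC] parsed INFORMATIONAL_V1 request 3937585212 [ N(NO_PROP) ]",
    "[IKE] received NO_PROPOSAL_CHOSEN error notify",
]
PHASE2_FAIL = [
    "[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024",
    "[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]",
    "[ENC] generating QUICK_MODE request 3673023179 [ HASH SA No ID ID NAT-OA NAT-OA ]",
    "[ENC] parsed INFORMATIONAL_V1 request 3464512211 [ HASH N(NO_PROP) ]",
    "[IKE] received NO_PROPOSAL_CHOSEN error notify",
]
PHASE2_PFS_FAIL = [
    "[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]",
    "[ENC] generating QUICK_MODE request 2328618335 [ HASH SA No KE ID ID NAT-OA NAT-OA ]",
    "[IKE] received NO_PROPOSAL_CHOSEN error notify",
]
KERNEL_FAIL = [
    "[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]",
    "[ENC] generating QUICK_MODE request 3316858122 [ HASH SA No ID ID NAT-OA NAT-OA ]",
    "[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ",
    "[KNL] received netlink error: Function not implemented (38)",
    "[KNL] unable to add SAD entry with SPI ce559593 (FAILED)",
    "[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel",
]
SUCCESS = [
    "[IKE] IKE_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0[1] established between 192.168.1.71[192.168.1.71]...122.56.104.6[122.56.104.6]",
    "[ENC] generating QUICK_MODE request 3231029717 [ HASH SA No ID ID NAT-OA NAT-OA ]",
    "[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ",
    "[IKE] CHILD_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0{1} established with SPIs c1139af9_i c41e7779_o and TS 192.168.1.71/32[udp/l2f] === 122.56.104.6/32[udp/l2f]",
]


def classify_ikev1_attempt(lines):
    """Return (verdict, hints) for one IKEv1 connection attempt.

    verdict: 'ike-proposal' (phase 1 rejected), 'child-proposal-or-ts'
    (phase 2 rejected), 'kernel-sa-install' (negotiated, kernel refused
    the SA), 'established', or 'unknown'."""
    ike_up = quick_mode_sent = pfs = False
    esp = None
    hints = []
    for line in lines:
        if "IKE_SA" in line and "established" in line:
            ike_up = True
        elif "generating QUICK_MODE request" in line:
            quick_mode_sent = True
            # A KE payload in Quick Mode means PFS, i.e. a DH group in esp_proposals.
            pfs = re.search(r"\[ [^\]]*\bKE\b", line) is not None
        elif "selected proposal: ESP:" in line:
            esp = line.split("ESP:", 1)[1].strip()
        elif "CHILD_SA" in line and "established" in line:
            return "established", hints
        elif "unable to add SAD entry" in line or "Function not implemented" in line:
            hints.append(f"peer agreed on {esp}, but the kernel could not install it: "
                         "check /proc/crypto and CONFIG_CRYPTO_* for those algorithms")
            return "kernel-sa-install", hints
        elif "NO_PROPOSAL_CHOSEN" in line:
            if not ike_up:
                hints.append("phase 1 rejected: run ike-scan against the peer and set "
                             "'proposals=' to the transform it returns")
                return "ike-proposal", hints
            if quick_mode_sent:
                hints.append("IKE_SA is up, so Quick Mode was rejected: check "
                             "'esp_proposals=', 'mode=transport' and the traffic "
                             "selectors (remote_ts=dynamic[udp/l2tp] on a client)")
                if pfs:
                    hints.append("Quick Mode carried a KE payload (PFS); the thread "
                                 "notes Windows peers do not do PFS, so drop any DH "
                                 "group from esp_proposals")
                return "child-proposal-or-ts", hints
    return "unknown", hints


if __name__ == "__main__":
    for name, sample in [("phase1", PHASE1_FAIL), ("phase2", PHASE2_FAIL),
                         ("phase2+pfs", PHASE2_PFS_FAIL), ("kernel", KERNEL_FAIL),
                         ("laptop", SUCCESS)]:
        verdict, hints = classify_ikev1_attempt(sample)
        print(f"{name}: {verdict}")
        for h in hints:
            print("   ", h)
```

Feed it the lines from `swanctl -i --child only` or from the charon syslog; thread-id prefixes such as `07[KNL]` do not disturb the substring matches. The KE check is worth keeping: the Quick Mode request in the later posts carries a KE payload while the working laptop's request does not, which is exactly the PFS difference the hint points at.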
LemonadeLlama
Posted: Tue Feb 15, 2022 8:59 pm

That's better, but now there's some kind of kernel issue. I'll investigate what I need to change in my config.

Code:
sudo swanctl -i --child only
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 14339s
[IKE] maximum IKE_SA lifetime 15779s
[ENC] generating QUICK_MODE request 3316858122 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (244 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (188 bytes)
[ENC] parsed QUICK_MODE response 3316858122 [ HASH SA No ID ID NAT-OA NAT-OA ]
[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI ce559593 (FAILED)
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI cf5a5c66 (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
initiate failed: establishing CHILD_SA 'only' failed
LemonadeLlama
Posted: Sun Mar 13, 2022 10:25 am

Alright, I've checked my kernel config according to Strongswan's website, to make sure I didn't miss any modules (they're listed at https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules).

I still can't get a connection.

Code:
11[CFG] vici initiate CHILD_SA 'only'
13[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
13[ENC] generating ID_PROT request 0 [ SA V V V V V ]
13[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
03[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
03[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
03[IKE] received XAuth vendor ID
03[IKE] received DPD vendor ID
03[IKE] received FRAGMENTATION vendor ID
03[IKE] received NAT-T (RFC 3947) vendor ID
03[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
03[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
03[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
09[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
09[IKE] local host is behind NAT, sending keep alives
09[ENC] generating ID_PROT request 0 [ ID HASH ]
09[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
10[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
10[ENC] parsed ID_PROT response 0 [ ID HASH ]
10[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
10[IKE] scheduling rekeying in 14120s
10[IKE] maximum IKE_SA lifetime 15560s
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 14120s
[IKE] maximum IKE_SA lifetime 15560s
10[ENC] generating QUICK_MODE request 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
10[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (244 bytes)
[ENC] generating QUICK_MODE request 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (244 bytes)
07[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (188 bytes)
07[ENC] parsed QUICK_MODE response 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (188 bytes)
07[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[ENC] parsed QUICK_MODE response 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
07[KNL] received netlink error: Function not implemented (38)
07[KNL] unable to add SAD entry with SPI c2d555a5 (FAILED)
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI c2d555a5 (FAILED)
07[KNL] received netlink error: Function not implemented (38)
07[KNL] unable to add SAD entry with SPI c2c7a5db (FAILED)
07[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
[KNL] received netlink error: Function not implemented (38)
07[KNL] deleting policy 122.56.104.6/32[0/l2tp] === 192.168.1.64/32[udp/l2tp] in failed, not found
07[ENC] generating INFORMATIONAL_V1 request 2349652408 [ HASH N(NO_PROP) ]
07[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (76 bytes)
[KNL] unable to add SAD entry with SPI c2c7a5db (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
initiate failed: establishing CHILD_SA 'only' failed


I will contact our office's IT support for further assistance.
salahx
Posted: Sun Mar 13, 2022 8:18 pm

You're probably missing 3DES support in the kernel:
Code:

CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_DES3_EDE_X86_64=m
CONFIG_CRYPTO_LIB_DES=m


You can also use sys-kernel/gentoo-kernel-bin which has this compiled in.

I don't know what they are using as a VPN solution, but you can try
Code:

proposals=aes128-sha1-modp1024,default


This is normally what Windows proposes. Curiously enough, Windows always accepts the "lowest" proposal: if it's offered 3DES it'll take it over AES, and perhaps the VPN server acts the same. I find it a little strange that the VPN server doesn't offer AES, but perhaps it was configured for maximum compatibility.
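The "Function not implemented (38)" in the [KNL] lines is ENOSYS, which the kernel's xfrm netlink code returns when the algorithm name strongSwan asks for (here `cbc(des3_ede)` for 3DES_CBC) cannot be found or module-loaded. The script below, an added example and not code from this thread, turns the "selected proposal: ESP:" line into the xfrm algorithm names the kernel must provide and checks them against /proc/crypto and the kernel .config, so the missing CONFIG_CRYPTO_* option is named rather than guessed. The charon-to-xfrm name table is an assumption limited to the algorithms on this page plus HMAC-SHA256; the /proc/crypto and .config excerpts are constructed to show a kernel with AES and SHA-1 but no DES.

```python
import re

# charon's ESP algorithm names -> the xfrm names strongSwan's kernel-netlink
# plugin requests. Assumption: only the algorithms seen in this thread plus
# HMAC-SHA256 are listed.
ESP_TO_XFRM = {
    "3DES_CBC": "cbc(des3_ede)",
    "AES_CBC_128": "cbc(aes)",
    "AES_CBC_192": "cbc(aes)",
    "AES_CBC_256": "cbc(aes)",
    "HMAC_MD5_96": "hmac(md5)",
    "HMAC_SHA1_96": "hmac(sha1)",
    "HMAC_SHA2_256_128": "hmac(sha256)",
}

# Inner primitive -> Kconfig symbol that provides it (the generic DES module
# registers both "des" and "des3_ede").
PRIMITIVE_TO_KCONFIG = {
    "des3_ede": "CONFIG_CRYPTO_DES",
    "aes": "CONFIG_CRYPTO_AES",
    "md5": "CONFIG_CRYPTO_MD5",
    "sha1": "CONFIG_CRYPTO_SHA1",
    "sha256": "CONFIG_CRYPTO_SHA256",
}

# Constructed samples: log lines from the thread; /proc/crypto and .config
# excerpts made up to show a kernel that has AES and SHA-1 but no DES.
SAMPLE_LOG = [
    "[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ",
    "[KNL] received netlink error: Function not implemented (38)",
    "[KNL] unable to add SAD entry with SPI ce559593 (FAILED)",
]
SAMPLE_PROC_CRYPTO = """\
name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
type         : skcipher

name         : hmac(sha1)
driver       : hmac(sha1-generic)
module       : kernel
type         : shash

name         : aes
driver       : aes-generic
module       : kernel
type         : cipher

name         : sha1
driver       : sha1-generic
module       : kernel
type         : shash
"""
SAMPLE_CONFIG = """\
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SHA1=y
# CONFIG_CRYPTO_DES is not set
"""


def xfrm_algos_from_log(lines):
    """Translate every 'selected proposal: ESP:' line into xfrm algorithm names."""
    needed = []
    for line in lines:
        m = re.search(r"selected proposal: ESP:(\S+)", line)
        if not m:
            continue
        for tok in m.group(1).split("/"):
            if tok in ("NO_EXT_SEQ", "EXT_SEQ"):
                continue                      # ESN flag, not an algorithm
            needed.append(ESP_TO_XFRM.get(tok, tok))
    return needed


def proc_crypto_names(text):
    """Algorithm names registered in a /proc/crypto dump."""
    return {m.group(1) for m in re.finditer(r"^name\s*:\s*(\S+)", text, re.M)}


def kconfig_value(config_text, symbol):
    """'y', 'm', or None (unset, including '# SYMBOL is not set')."""
    m = re.search(rf"^{re.escape(symbol)}=(\S+)", config_text, re.M)
    return m.group(1) if m else None


def inner_primitive(xfrm_name):
    m = re.match(r"\w+\((\w+)\)", xfrm_name)   # "cbc(des3_ede)" -> "des3_ede"
    return m.group(1) if m else xfrm_name


def kernel_can_provide(xfrm_name, crypto_names, config_text):
    """True if the template is already instantiated, or its primitive is
    registered (cbc()/hmac() are built on first use), or the kernel is
    configured (y or m) to supply the primitive on demand."""
    if xfrm_name in crypto_names:
        return True
    prim = inner_primitive(xfrm_name)
    if prim in crypto_names:
        return True
    sym = PRIMITIVE_TO_KCONFIG.get(prim)
    return sym is not None and kconfig_value(config_text, sym) in ("y", "m")


def missing_kernel_algos(log_lines, proc_crypto_text, config_text):
    """xfrm algorithms the negotiated ESP SA needs but this kernel lacks."""
    names = proc_crypto_names(proc_crypto_text)
    return [a for a in xfrm_algos_from_log(log_lines)
            if not kernel_can_provide(a, names, config_text)]


if __name__ == "__main__":
    print("missing:", missing_kernel_algos(SAMPLE_LOG, SAMPLE_PROC_CRYPTO, SAMPLE_CONFIG))
```

On a live Gentoo box replace the samples with `open("/proc/crypto").read()` and, with CONFIG_IKCONFIG_PROC enabled, `gzip.open("/proc/config.gz", "rt").read()` (otherwise `/usr/src/linux/.config`). A missing entry for the negotiated algorithm is the kernel-side cause; a present one means the fault lies elsewhere.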
LemonadeLlama
Posted: Fri May 27, 2022 9:33 am

salahx wrote:
You're probably missing 3des support in the kernel


I have added support and tried again. This is what I got next time:

Code:
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 13234s
[IKE] maximum IKE_SA lifetime 14674s
[ENC] generating QUICK_MODE request 2328618335 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (332 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 2856116920 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify


I don't know if this is a problem on my end or on their end.
salahx
Posted: Fri May 27, 2022 6:46 pm

It's still got a problem with the ESP connection. Try this:
Code:
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=3des-md5,3des-sha1,default
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
}


If that fails, it could have something to do with the traffic selectors. In that case, try this:
Code:
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=3des-md5,3des-sha1,default
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                                remote_ts=122.56.104.6[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
}


If that fails, we'll need to turn up the verbosity and see where it's failing. See https://docs.strongswan.org/docs/5.9/config/logging.html for turning up the verbosity (we want verbosity at level 2), which should let us see the ESP proposal.
LemonadeLlama
Posted: Sat May 28, 2022 10:39 am

I enabled logging and changed the settings as you said. It generated a lot of log information.

Here's what my output looks like now:

Code:
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (308 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 13842s
[IKE] maximum IKE_SA lifetime 15282s
[ENC] generating QUICK_MODE request 2205505520 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (332 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 1582596256 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
initiate failed: establishing CHILD_SA 'only' failed


Here's what the new log says:

https://docs.google.com/document/d/1KdXlkc1X74rlRgk_vqlHsMrn_arEz5Po7WGJEVSSpZE/edit?usp=sharing
salahx
Posted: Sun May 29, 2022 12:39 am

OK, after some experimenting I have some idea what the problem might be. I screwed up the original configuration: local_ts should be remote_ts (on the server it's local_ts, but on the client it has to be flipped). So it should really be this:

Code:

connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                mode=transport
                                remote_ts=dynamic[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
}


As far as I can figure out, strongSwan either doesn't log the server's offering of the ESP proposals (or it never makes one). At that point you'll have to start guessing what it wants for ESP. Some guesses to make for esp_proposals:
Code:

3des-md5
3des-sha1
aes-sha1 # I think this one has the highest chance of working
3des-md5-modp768 # [ Unlikely, Windows can't handle PFS ]
3des-sha1-modp1024 # [ Unlikely, Windows can't handle PFS ]
aes-sha1-modp1024 # [Unlikely, Windows can't handle PFS ]
LemonadeLlama
Posted: Sun Aug 07, 2022 9:01 am

No luck so far.

If it helps, I can get a working connection on my laptop running Manjaro, using the networkmanager-l2tp plugin. I am trying to work out how to copy the configuration from the laptop to my Gentoo PC, since the laptop is using networkmanager and the PC is using strongswan directly.

Looking at the log output of both computers, here's the point where the PC fails the connection:
Code:
[ENC] generating QUICK_MODE request 4123384968 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (356 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 3731827052 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
initiate failed: establishing CHILD_SA 'only' failed


And here's the same point of the connection on the laptop, where it succeeds:
Code:
Aug 07 20:07:38 laptop charon[27856]: 07[ENC] generating QUICK_MODE request 3231029717 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 07 20:07:38 laptop charon[27856]: 07[NET] sending packet: from 192.168.1.71[4500] to 122.56.104.6[4500] (244 bytes)
Aug 07 20:07:38 laptop charon[27856]: 08[NET] received packet: from 122.56.104.6[4500] to 192.168.1.71[4500] (196 bytes)
Aug 07 20:07:38 laptop charon[27856]: 08[ENC] parsed QUICK_MODE response 3231029717 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 07 20:07:38 laptop charon[27856]: 08[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Aug 07 20:07:38 laptop charon[27856]: 08[IKE] CHILD_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0{1} established with SPIs c1139af9_i c41e7779_o and TS 192.168.1.71/32[udp/l2f] === 122.56.104.6/32[udp/l2f]
Aug 07 20:07:38 laptop charon[27856]: 08[IKE] CHILD_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0{1} established with SPIs c1139af9_i c41e7779_o and TS 192.168.1.71/32[udp/l2f] === 122.56.104.6/32[udp/l2f]
Aug 07 20:07:38 laptop charon[27856]: 08[ENC] generating QUICK_MODE request 3231029717 [ HASH ]
Aug 07 20:07:38 laptop charon[27856]: 08[NET] sending packet: from 192.168.1.71[4500] to 122.56.104.6[4500] (60 bytes)
Aug 07 20:07:38 laptop NetworkManager[27883]: initiating Main Mode IKE_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0[1] to 122.56.104.6
Aug 07 20:07:38 laptop NetworkManager[27883]: generating ID_PROT request 0 [ SA V V V V V ]
Aug 07 20:07:38 laptop NetworkManager[27883]: sending packet: from 192.168.1.71[500] to 122.56.104.6[500] (532 bytes)
Aug 07 20:07:38 laptop NetworkManager[27883]: received packet: from 122.56.104.6[500] to 192.168.1.71[500] (156 bytes)
... and so on ...


What is the difference that I'm missing? The first line that changes in the laptop log is
Code:
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ

But what does that mean for my PC configuration?

I have the full systemd logs from a successful connection on the laptop if requested.
salahx
Posted: Mon Aug 08, 2022 9:27 pm

Probably you need to do something like this:
Code:
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=aes-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=aes-sha1,default
                                mode=transport
                                remote_ts=dynamic[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
}
All times are GMT