Setting up L2TP/IPSec VPN connection to Windows server

17 posts • Page 1 of 1

LemonadeLlama
Tux's lil' helper
Posts: 105
Joined: Wed May 26, 2021 9:06 am
Location: New Zealand

Post by LemonadeLlama » Wed Feb 09, 2022 12:55 pm

Hey everyone. Does anyone here have any experience setting up L2TP/IPSec VPN connections on Gentoo? I've done it on Manjaro before using a NetworkManager plug-in. I'm not using NetworkManager on Gentoo though.

My work allows employees to connect to the office network with an L2TP/IPSec VPN connection. I know there's an article on the arch wiki on setting this up, and it says you can use xl2tpd and openswan if you don't have NetworkManager: https://wiki.archlinux.org/title/Opensw ... ient_setup

I could only see StrongSwan and Libreswan in the Gentoo package list though, not openswan, so I'm not sure the Arch guide will translate 100% to Gentoo.

Does anyone know the best way to achieve an L2TP/IPSec connection?

salahx
Guru
Posts: 574
Joined: Sat Mar 12, 2005 6:39 am

Post by salahx » Wed Feb 09, 2022 8:47 pm

Many years ago, I wrote an article on how to set up an IPSec/L2TP server for Linux: https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server (it could use an update; ipsec-tools is dead and some of the instructions are out of date). Configuring a client is even easier. The basic concepts are covered, so it's a good starting point.

Post by LemonadeLlama » Mon Feb 14, 2022 10:12 am

Alright, so I tried using the wiki in addition to a guide I found for Ubuntu (guide is https://howto.lintel.in/configure-ipsec ... linux-cli/), and I think I'm almost there.

I've installed strongswan and xl2tpd, and configured them, but here's as far as I got:

Code:
sudo ipsec up vpnconn
initiating Main Mode IKE_SA vpnconn[3] to 122.56.104.6
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.1.65[500] to 122.56.104.6[500] (180 bytes)
received packet: from 122.56.104.6[500] to 192.168.1.65[500] (56 bytes)
parsed INFORMATIONAL_V1 request 3937585212 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpnconn' failed

The syslog doesn't have much help either, just the same output as the console.

Code:
Feb 14 23:01:58 TuxBox charon: 01[CFG] received stroke: initiate 'vpnconn'
Feb 14 23:01:58 TuxBox charon: 09[IKE] initiating Main Mode IKE_SA vpnconn[3] to 122.56.104.6
Feb 14 23:01:58 TuxBox charon: 09[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Feb 14 23:01:58 TuxBox charon: 09[NET] sending packet: from 192.168.1.65[500] to 122.56.104.6[500] (180 bytes)
Feb 14 23:01:58 TuxBox charon: 07[NET] received packet: from 122.56.104.6[500] to 192.168.1.65[500] (56 bytes)
Feb 14 23:01:58 TuxBox charon: 07[ENC] parsed INFORMATIONAL_V1 request 3937585212 [ N(NO_PROP) ]
Feb 14 23:01:58 TuxBox charon: 07[IKE] received NO_PROPOSAL_CHOSEN error notify

Post by salahx » Mon Feb 14, 2022 4:14 pm

It could be a few things. Depending on whether your server requires a certificate or a PSK, it might be missing (or not in the right place). Second, if you are talking to a Windows server, it might only support weak encryption. Try adding ike=aes-sha1-modp1024 and see if that helps.

You might want to try net-analyzer/ike-scan to get an idea of what the server is looking for.

Post by LemonadeLlama » Mon Feb 14, 2022 9:27 pm

salahx wrote:You might want to try net-analyzer/ike-scan to get an idea of what the server is looking for.
I tried that, connecting to work's server. It gave me this output.

Code:
sudo ike-scan 122.56.104.6
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
122.56.104.6	Main Mode Handshake returned HDR=(CKY-R=2ebda1f9efafb80c) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.062 seconds (16.06 hosts/sec).  1 returned handshake; 0 returned notify


What am I looking for in the output?

Post by salahx » Mon Feb 14, 2022 10:55 pm

Aha! Those are the clues we're looking for. It expects 3des-sha1-modp1024, and it expects a preshared key. So if you're using strongswan, let's use the new configuration instead of the old:
Create the missing directory:

Code:
( umask 007; mkdir /etc/swanctl/conf.d )
Then create a file in it, like /etc/swanctl/conf.d/work.conf:

Code:
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
}

If you are using systemd, start the strongswan service.
If you are using something else, start the ipsec service then do

Code:
swanctl -q
Then connect:

Code:
swanctl -i --child only
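What to read in that ike-scan line: the SA=(...) part is the transform the responder accepted out of ike-scan's default offer, so it directly gives the strongSwan IKE proposal (Enc=3DES Hash=SHA1 Group=2:modp1024 becomes 3des-sha1-modp1024) and the authentication method (Auth=PSK). The VID fields only say which extensions the server advertises (XAuth, Dead Peer Detection). One caveat: a single probe shows one accepted transform, not everything the server would take; ike-scan's --trans option is the way to enumerate others. The script below is an added example for this thread, not code from either poster or from ike-scan or strongSwan; it parses such a line into a swanctl proposals value and flags the parameters a reviewer would push back on, since 3DES, SHA-1 and a 1024-bit MODP group are what this server is pinned to. The sample line is constructed from the output quoted above, and the name mappings are this example's own.

```python
"""Turn an ike-scan Main Mode handshake line into a strongSwan IKE proposal
string and list the weak parameters it reveals.

Added example for this thread, not code posted by either participant.
The sample line below is constructed from the ike-scan output quoted above."""
import re

IKE_SCAN_LINE = (
    "122.56.104.6\tMain Mode Handshake returned HDR=(CKY-R=2ebda1f9efafb80c) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) "
    "VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)"
)

# ike-scan attribute names -> strongSwan proposal keywords (common values only;
# this mapping is the example's own, not part of either tool).
ENC_KW = {"DES": "des", "3DES": "3des", "AES": "aes"}
HASH_KW = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
           "SHA2-384": "sha384", "SHA2-512": "sha512"}


def parse_sa(line):
    """Return the attributes inside SA=(...) as a dict, e.g. {'Enc': '3DES', ...}."""
    m = re.search(r"SA=\(([^)]*)\)", line)
    if not m:
        raise ValueError("no SA payload: the responder did not return a handshake")
    return dict(item.split("=", 1) for item in m.group(1).split())


def strongswan_proposal(attrs):
    """Map the responder's accepted transform to a swanctl 'proposals=' value."""
    enc = ENC_KW.get(attrs.get("Enc", ""), attrs.get("Enc", "").lower())
    if enc == "aes":
        enc += attrs.get("KeyLength", "128")   # ike-scan prints KeyLength for AES
    hash_ = HASH_KW.get(attrs.get("Hash", ""), attrs.get("Hash", "").lower())
    group = attrs.get("Group", "")
    group = group.split(":", 1)[1] if ":" in group else group   # "2:modp1024" -> "modp1024"
    return f"{enc}-{hash_}-{group}"


def weaknesses(attrs):
    """Flag parameters that should not be accepted in a new deployment."""
    found = []
    if attrs.get("Enc") in ("DES", "3DES"):
        found.append("%s: 64-bit block cipher; DES has a 56-bit key, 3DES is exposed to "
                     "Sweet32 birthday attacks on long-lived SAs" % attrs["Enc"])
    if attrs.get("Hash") in ("MD5", "SHA1"):
        found.append("%s: deprecated hash for integrity/PRF" % attrs["Hash"])
    m = re.search(r"modp(\d+)", attrs.get("Group", ""))
    if m and int(m.group(1)) <= 1024:
        found.append("modp%s: DH group below 2048 bits (Logjam-class precomputation)" % m.group(1))
    if attrs.get("Auth") == "PSK":
        found.append("PSK: the shared secret is the only thing authenticating the peer; "
                     "it must be long and random, and aggressive mode must stay off")
    return found


def analyse(line):
    attrs = parse_sa(line)
    return {
        "proposal": strongswan_proposal(attrs),
        "auth": attrs.get("Auth"),
        "lifetime_s": int(attrs.get("LifeDuration", 0)),
        "vendor_ids": re.findall(r"VID=[0-9a-fA-F]+ \(([^)]*)\)", line),
        "weaknesses": weaknesses(attrs),
    }


if __name__ == "__main__":
    result = analyse(IKE_SCAN_LINE)
    print("proposals=" + result["proposal"], "auth=" + str(result["auth"]))
    for w in result["weaknesses"]:
        print("WEAK:", w)
```

The proposal string goes straight into the connection's proposals= line; list stronger alternatives in front of it, since the responder picks from what the initiator offers and nothing is lost by offering AES and a larger group first.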

Post by LemonadeLlama » Tue Feb 15, 2022 9:55 am

I think we're almost there.

I added the swanctl file like you asked, and here's what happened:

Code:
~ $ sudo swanctl -q
opening directory '/etc/swanctl/x509' failed: No such file or directory
opening directory '/etc/swanctl/x509ca' failed: No such file or directory
opening directory '/etc/swanctl/x509ocsp' failed: No such file or directory
opening directory '/etc/swanctl/x509aa' failed: No such file or directory
opening directory '/etc/swanctl/x509ac' failed: No such file or directory
opening directory '/etc/swanctl/x509crl' failed: No such file or directory
opening directory '/etc/swanctl/pubkey' failed: No such file or directory
opening directory '/etc/swanctl/private' failed: No such file or directory
opening directory '/etc/swanctl/rsa' failed: No such file or directory
opening directory '/etc/swanctl/ecdsa' failed: No such file or directory
opening directory '/etc/swanctl/bliss' failed: No such file or directory
opening directory '/etc/swanctl/pkcs8' failed: No such file or directory
opening directory '/etc/swanctl/pkcs12' failed: No such file or directory
loaded ike secret 'ike-1'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'vpnconn'
successfully loaded 1 connections, 0 unloaded
~ $ sudo swanctl -i --child only
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 13991s
[IKE] maximum IKE_SA lifetime 15431s
[ENC] generating QUICK_MODE request 3673023179 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (204 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 3464512211 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
initiate failed: establishing CHILD_SA 'only' failed

Post by salahx » Tue Feb 15, 2022 4:25 pm

OK, so now it's choking on the ESP proposal, let's try this:

Code:
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=3des-sha1,default
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
} 

Post by LemonadeLlama » Tue Feb 15, 2022 8:59 pm

That's better, but now there's some kind of kernel issue. I'll investigate what I need to change in my config.

Code:
sudo swanctl -i --child only
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 14339s
[IKE] maximum IKE_SA lifetime 15779s
[ENC] generating QUICK_MODE request 3316858122 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (244 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (188 bytes)
[ENC] parsed QUICK_MODE response 3316858122 [ HASH SA No ID ID NAT-OA NAT-OA ]
[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI ce559593 (FAILED)
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI cf5a5c66 (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
initiate failed: establishing CHILD_SA 'only' failed

Post by LemonadeLlama » Sun Mar 13, 2022 10:25 am

Alright, I've checked my kernel config according to Strongswan's website, to make sure I didn't miss any modules (they're listed at https://wiki.strongswan.org/projects/st ... nelModules).

I still can't get a connection.

Code:
11[CFG] vici initiate CHILD_SA 'only'
13[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
13[ENC] generating ID_PROT request 0 [ SA V V V V V ]
13[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
03[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
03[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
03[IKE] received XAuth vendor ID
03[IKE] received DPD vendor ID
03[IKE] received FRAGMENTATION vendor ID
03[IKE] received NAT-T (RFC 3947) vendor ID
03[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
03[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
03[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
09[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
09[IKE] local host is behind NAT, sending keep alives
09[ENC] generating ID_PROT request 0 [ ID HASH ]
09[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
10[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
10[ENC] parsed ID_PROT response 0 [ ID HASH ]
10[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
10[IKE] scheduling rekeying in 14120s
10[IKE] maximum IKE_SA lifetime 15560s
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 14120s
[IKE] maximum IKE_SA lifetime 15560s
10[ENC] generating QUICK_MODE request 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
10[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (244 bytes)
[ENC] generating QUICK_MODE request 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (244 bytes)
07[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (188 bytes)
07[ENC] parsed QUICK_MODE response 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (188 bytes)
07[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[ENC] parsed QUICK_MODE response 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
07[KNL] received netlink error: Function not implemented (38)
07[KNL] unable to add SAD entry with SPI c2d555a5 (FAILED)
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI c2d555a5 (FAILED)
07[KNL] received netlink error: Function not implemented (38)
07[KNL] unable to add SAD entry with SPI c2c7a5db (FAILED)
07[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
[KNL] received netlink error: Function not implemented (38)
07[KNL] deleting policy 122.56.104.6/32[0/l2tp] === 192.168.1.64/32[udp/l2tp] in failed, not found
07[ENC] generating INFORMATIONAL_V1 request 2349652408 [ HASH N(NO_PROP) ]
07[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (76 bytes)
[KNL] unable to add SAD entry with SPI c2c7a5db (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
initiate failed: establishing CHILD_SA 'only' failed
I will contact our office's IT support for further assistance.

Post by salahx » Sun Mar 13, 2022 8:18 pm

You're probably missing 3des support in the kernel

Code:
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_DES3_EDE_X86_64=m
CONFIG_CRYPTO_LIB_DES=m
You can also use sys-kernel/gentoo-kernel-bin which has this compiled in.

I don't know what they are using as a VPN solution, but you can try

Code:
proposals=aes128-sha1-modp1024,default
This is normally what Windows proposes. Curiously enough, Windows always accepts the "lowest" proposal: if it's offered 3DES it'll take it over AES, and perhaps the VPN server acts the same. I find it a little strange the VPN server doesn't offer AES, but perhaps it was configured for maximum compatibility.

Post by LemonadeLlama » Fri May 27, 2022 9:33 am

salahx wrote:You're probably missing 3des support in the kernel
I have added support and tried again. This is what I got next time:

Code:
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 13234s
[IKE] maximum IKE_SA lifetime 14674s
[ENC] generating QUICK_MODE request 2328618335 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (332 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 2856116920 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
I don't know if this is a problem on my end or on their end.

Post by salahx » Fri May 27, 2022 6:46 pm

It's still got a problem with the ESP connection. Try this:

Code:
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=3des-md5,3des-sha1,default
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
} 
If that fails, it could have something to do with the traffic selectors. In that case, try this:

Code:
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=3des-md5,3des-sha1,default
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                                remote_ts=122.56.104.6[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
} 
If that fails, we'll need to turn up the verbosity and see where it's failing. See https://docs.strongswan.org/docs/5.9/co ... gging.html for turning up the verbosity (we want verbosity at level 2), which should let us see the ESP proposal.

Post by LemonadeLlama » Sat May 28, 2022 10:39 am

I enabled logging and changed the settings as you said. It generated a lot of log information.

Here's what my output looks like now:

Code:
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (308 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 13842s
[IKE] maximum IKE_SA lifetime 15282s
[ENC] generating QUICK_MODE request 2205505520 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (332 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 1582596256 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
initiate failed: establishing CHILD_SA 'only' failed
Here's what the new log says:

https://docs.google.com/document/d/1KdX ... sp=sharing

Post by salahx » Sun May 29, 2022 12:39 am

OK, after some experimenting I have some idea what the problem might be. I screwed up the original configuration: local_ts should be remote_ts (on the server it's local_ts, but on the client it has to be flipped). So it should really be this:

Code:
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                mode=transport
                                remote_ts=dynamic[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
} 
As far as I can figure out, strongSwan either doesn't log the server's offering of the ESP proposals (or it never makes one). At that point you'll have to start guessing what it wants for ESP. Some guesses to make for esp_proposals:

Code:
3des-md5
3des-sha1
aes-sha1            # I think this one has the highest chance of working
3des-md5-modp768    # Unlikely, Windows can't handle PFS
3des-sha1-modp1024  # Unlikely, Windows can't handle PFS
aes-sha1-modp1024   # Unlikely, Windows can't handle PFS

Post by LemonadeLlama » Sun Aug 07, 2022 9:01 am

No luck so far.

If it helps, I can get a working connection on my laptop running Manjaro, using the networkmanager-l2tp plugin. I am trying to work out how to copy the configuration from the laptop to my Gentoo PC, since the laptop is using networkmanager and the PC is using strongswan directly.

Looking at the log output of both computers, here's the point where the PC fails the connection

Code:
[ENC] generating QUICK_MODE request 4123384968 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (356 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 3731827052 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
initiate failed: establishing CHILD_SA 'only' failed
And here's the same point of the connection on the laptop, but it succeeds

Code:
Aug 07 20:07:38 laptop charon[27856]: 07[ENC] generating QUICK_MODE request 3231029717 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 07 20:07:38 laptop charon[27856]: 07[NET] sending packet: from 192.168.1.71[4500] to 122.56.104.6[4500] (244 bytes)
Aug 07 20:07:38 laptop charon[27856]: 08[NET] received packet: from 122.56.104.6[4500] to 192.168.1.71[4500] (196 bytes)
Aug 07 20:07:38 laptop charon[27856]: 08[ENC] parsed QUICK_MODE response 3231029717 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 07 20:07:38 laptop charon[27856]: 08[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Aug 07 20:07:38 laptop charon[27856]: 08[IKE] CHILD_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0{1} established with SPIs c1139af9_i c41e7779_o and TS 192.168.1.71/32[udp/l2f] === 122.56.104.6/32[udp/l2f]
Aug 07 20:07:38 laptop charon[27856]: 08[IKE] CHILD_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0{1} established with SPIs c1139af9_i c41e7779_o and TS 192.168.1.71/32[udp/l2f] === 122.56.104.6/32[udp/l2f]
Aug 07 20:07:38 laptop charon[27856]: 08[ENC] generating QUICK_MODE request 3231029717 [ HASH ]
Aug 07 20:07:38 laptop charon[27856]: 08[NET] sending packet: from 192.168.1.71[4500] to 122.56.104.6[4500] (60 bytes)
Aug 07 20:07:38 laptop NetworkManager[27883]: initiating Main Mode IKE_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0[1] to 122.56.104.6
Aug 07 20:07:38 laptop NetworkManager[27883]: generating ID_PROT request 0 [ SA V V V V V ]
Aug 07 20:07:38 laptop NetworkManager[27883]: sending packet: from 192.168.1.71[500] to 122.56.104.6[500] (532 bytes)
Aug 07 20:07:38 laptop NetworkManager[27883]: received packet: from 122.56.104.6[500] to 192.168.1.71[500] (156 bytes)
... and so on ...
What is the difference that I'm missing? The first line that changes in the laptop log is

Code:
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
But what does that mean for my PC configuration?

I have the full systemd logs from a successful connection on the laptop if requested.

Post by salahx » Mon Aug 08, 2022 9:27 pm

Probably you need to do something like this:

Code:
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=aes-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=aes-sha1,default
                                mode=transport
                                remote_ts=dynamic[udp/l2tp]
                        }
                }
        }
}
pools {
}
secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}
authorities {
}
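The side-by-side logs in the previous post show the one payload that differs: the PC's Quick Mode request is [ HASH SA No KE ID ID NAT-OA NAT-OA ], the laptop's is [ HASH SA No ID ID NAT-OA NAT-OA ]. In IKEv1 a KE payload appears in Quick Mode only when a Diffie-Hellman group, i.e. PFS, is offered for the ESP SA, so the PC was asking for PFS while the laptop was not, and the server then answered the laptop with AES_CBC_128/HMAC_SHA1_96. That matches the proposal in the config above (aes-sha1, no group). The script below is an added example for this thread, not code from either poster or from strongSwan: it pulls exactly those facts out of charon log lines, with or without a syslog prefix, and reports which stage rejected the connection (Phase 1, Phase 2 with or without PFS, or SA installation in the kernel, as in the netlink "Function not implemented" failure earlier in the thread). The three sample logs are constructed from excerpts posted above.

```python
"""Classify where an IKEv1 (L2TP/IPsec) negotiation failed from charon log
lines: Phase 1, Phase 2, or SA installation in the kernel, and whether the
Quick Mode request offered PFS (a KE payload).

Added example for this thread, not code from either participant or from
strongSwan. The three sample logs are constructed from excerpts posted above."""
import re

# Bare console output, as printed by 'swanctl -i' in the thread (PC, fails).
PC_LOG = """\
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[ENC] generating QUICK_MODE request 4123384968 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
[ENC] parsed INFORMATIONAL_V1 request 3731827052 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
initiate failed: establishing CHILD_SA 'only' failed
"""

# Syslog-prefixed charon output from the laptop that connects successfully.
LAPTOP_LOG = """\
Aug 07 20:07:38 laptop charon[27856]: 07[ENC] generating QUICK_MODE request 3231029717 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 07 20:07:38 laptop charon[27856]: 08[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Aug 07 20:07:38 laptop charon[27856]: 08[IKE] CHILD_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0{1} established with SPIs c1139af9_i c41e7779_o and TS 192.168.1.71/32[udp/l2f] === 122.56.104.6/32[udp/l2f]
"""

# The earlier failure: the peer accepted 3DES but the kernel could not use it.
KERNEL_LOG = """\
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI ce559593 (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
"""

TAG_RE = re.compile(r"\[(IKE|ENC|NET|CFG|KNL|JOB|MGR)\] (.*)$")


def events(log):
    """Yield (subsystem, message) per line, ignoring any syslog/thread-id prefix."""
    for line in log.splitlines():
        m = TAG_RE.search(line)
        if m:
            yield m.group(1), m.group(2).strip()
        elif line.strip():
            yield None, line.strip()


def diagnose(log):
    r = {"ike_proposal": None, "esp_proposal": None, "ike_established": False,
         "child_established": False, "pfs_offered": False, "phase_failed": None}
    for tag, msg in events(log):
        if msg.startswith("selected proposal: IKE:"):
            r["ike_proposal"] = msg.split("IKE:", 1)[1]
        elif msg.startswith("selected proposal: ESP:"):
            r["esp_proposal"] = msg.split("ESP:", 1)[1]
        elif msg.startswith("CHILD_SA") and "established with SPIs" in msg:
            r["child_established"] = True
        elif msg.startswith("IKE_SA") and "established" in msg:
            r["ike_established"] = True
        elif msg.startswith("generating QUICK_MODE request"):
            # IKEv1 Quick Mode carries KE only when a DH group (PFS) is proposed.
            payloads = re.search(r"\[ (.*) \]", msg).group(1).split()
            if "KE" in payloads:
                r["pfs_offered"] = True
        elif "NO_PROPOSAL_CHOSEN" in msg and r["phase_failed"] is None:
            # NO_PROPOSAL_CHOSEN after the IKE_SA is up rejects the ESP SA, not IKE.
            r["phase_failed"] = 2 if r["ike_established"] else 1
        elif tag == "KNL" and "unable to add SAD entry" in msg and r["phase_failed"] is None:
            r["phase_failed"] = "kernel"
    r["hint"] = hint(r)
    return r


def hint(r):
    if r["phase_failed"] == 1:
        return "Phase 1 rejected: IKE cipher/hash/DH group or auth method does not match the responder"
    if r["phase_failed"] == 2 and r["pfs_offered"]:
        return ("Phase 2 rejected and the Quick Mode request carried KE: a DH group was in the "
                "ESP proposal set, so PFS was offered; remove the group from esp_proposals if the peer refuses PFS")
    if r["phase_failed"] == 2:
        return "Phase 2 rejected without PFS: ESP cipher/integrity or traffic selectors do not match"
    if r["phase_failed"] == "kernel":
        return "Peer accepted the ESP proposal but the kernel could not install the SA: missing crypto/XFRM support for " + str(r["esp_proposal"])
    if r["child_established"]:
        return "CHILD_SA established with " + str(r["esp_proposal"])
    return "no failure seen in the supplied lines"


if __name__ == "__main__":
    for name, log in (("PC", PC_LOG), ("laptop", LAPTOP_LOG), ("kernel", KERNEL_LOG)):
        print(name + ":", diagnose(log)["hint"])
```

Feed it the journal or console output of one attempt (journalctl -u strongswan, or the console output of swanctl -i) and compare the pfs_offered and esp_proposal fields between a failing and a working client before touching the proposal lists again.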