Hello, I am trying to follow the openswan (ipsec) + xl2tpd VPN document here at https://wiki.archlinux.org/index.php/Op … ient_setup. My environment:
* Latest updates for Archlinux
* Currently remote behind a cable modem with NAT (standard)
* The VPN side is a Ubiquiti UniFi Security Gateway PRO (set up as IPsec + L2TP with user/pass; based on that user account it assigns IP addresses in the 192.168.7.x/24 range)
* The Ubiquiti Unifi Security Gateway is on a static public IP (not natted/dynamic routing)
* I know the VPN server works because Windows 10 and my iPad Pro connect just fine with ipsec + l2tp PSK + user credentials
* On my Arch Linux laptop all iptables firewall rules are off for now (open both ways, default ACCEPT policy) for testing purposes until I get this working
I've followed the wiki article here (https://wiki.archlinux.org/index.php/Op … ient_setup) and every time I get to "starting the VPN connection":
# systemctl start openswan
# systemctl start xl2tpd
# ipsec auto --up L2TP-PSK
# echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
When I run ipsec auto --up L2TP-PSK, it returns this:
002 "L2TP-PSK" #2: initiating Main Mode
105 "L2TP-PSK" #2: STATE_MAIN_I1: initiate
003 "L2TP-PSK" #2: received Vendor ID payload [XAUTH]
003 "L2TP-PSK" #2: received Vendor ID payload [Dead Peer Detection]
003 "L2TP-PSK" #2: received Vendor ID payload [RFC 3947] method set to=115
002 "L2TP-PSK" #2: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "L2TP-PSK" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
107 "L2TP-PSK" #2: STATE_MAIN_I2: sent MI2, expecting MR2
003 "L2TP-PSK" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
002 "L2TP-PSK" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
109 "L2TP-PSK" #2: STATE_MAIN_I3: sent MI3, expecting MR3
002 "L2TP-PSK" #2: Main mode peer ID is ID_IPV4_ADDR: '<my_vpn_server_ip_address_hidden>'
002 "L2TP-PSK" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "L2TP-PSK" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY oursig= theirsig= cipher=aes_128 prf=oakley_sha group=modp2048}
002 "L2TP-PSK" #2: Dead Peer Detection (RFC 3706): enabled
002 "L2TP-PSK" #3: initiating Quick Mode PSK+ENCRYPT+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#2 msgid:13d9d882 proposal=defaults pfsgroup=no-pfs}
118 "L2TP-PSK" #3: STATE_QUICK_I1: initiate
003 "L2TP-PSK" #3: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
003 "L2TP-PSK" #3: our client subnet returned does not match my self-proposal - us:<my_local_ip_192.168.x.x_hidden>/32 vs them:<my_public_gateway_ip_hidden>/32
218 "L2TP-PSK" #3: STATE_QUICK_I1: INVALID_ID_INFORMATION
002 "L2TP-PSK" #3: sending encrypted notification INVALID_ID_INFORMATION to <my_vpn_server_ip_address_hidden>:4500
002 "L2TP-PSK" #3: deleting state #3 (STATE_QUICK_I1)
I'm trying to figure out how I confirm it actually made a connection. The line
004 "L2TP-PSK" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY oursig= theirsig= cipher=aes_128 prf=oakley_sha group=modp2048}
makes me think that it was successful, but I couldn't find an ipsec command that lets me list/show all active connections.
Then when I type the last command:
echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
it doesn't show any PPP connections when I run the ip link command.
Any thoughts on where I should start? I've reviewed my configs a bunch of times and tested from two different locations (same thing, behind cable modems on a NATed 192.168.1.x subnet). Just curious where I can look for what's failing or configured incorrectly. I did enable debugging in the openswan config (ipsec.conf) but there is too much verbose output to post. If you have a grep/query I should use to look for something specific, that would be appreciated.
Last edited by ipyakuza (2020-03-10 18:41:43)
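Added example for the "how do I confirm it actually made a connection" question above. This is not code from any post in this thread and not openswan or xl2tpd code: a small POSIX sh script that reads the output of ipsec auto --up L2TP-PSK saved to a file and reports whether IKE phase 1 (the ISAKMP SA) and phase 2 (the IPsec SA that would protect UDP/1701) completed. In the output posted above, "ISAKMP SA established" is only phase 1; the Quick Mode exchange ended with INVALID_ID_INFORMATION, so no IPsec SA exists and xl2tpd's "c vpn-connection" has no tunnel to run over, which is consistent with no pppX interface appearing. The sample log lines are constructed from the first post's output with the hidden public address replaced by the RFC 5737 documentation address 198.51.100.23; the success sample is also constructed, in the shape of openswan's STATE_QUICK_I2 message, with made-up SPIs. The show_live_state helper runs ipsec auto --status, ip xfrm state and ip link, which exist on a real client but are not exercised by the samples.

```shell
#!/bin/sh
# Added example, not code from this thread, openswan or xl2tpd.
# Classifies the lines printed by `ipsec auto --up <conn>` (saved to a file)
# into the IKE phase 1 / phase 2 outcome. Only an "IPsec SA established" line
# means UDP/1701 is protected; until then xl2tpd has no tunnel and no pppX appears.

classify_pluto_log() {
    log="$1"
    p1=no; p2=no; why=none

    grep -q 'ISAKMP SA established' "$log" && p1=yes   # phase 1 (Main Mode) done
    grep -q 'IPsec SA established'  "$log" && p2=yes   # phase 2 (Quick Mode) done

    if [ "$p2" = no ]; then
        if grep -q 'INVALID_ID_INFORMATION' "$log"; then
            why=invalid_id          # responder rejected our Quick Mode client ID
        elif grep -q 'NO_PROPOSAL_CHOSEN' "$log"; then
            why=no_proposal         # no agreement on ESP transforms
        elif [ "$p1" = no ]; then
            why=phase1_failed
        else
            why=phase2_incomplete
        fi
    fi

    # On a client-ID mismatch, pull both IDs out of pluto's message. Behind NAT,
    # "them" is typically the client's public address, not its LAN address.
    ids=$(sed -n 's/.*self-proposal - us:\([^ ]*\) vs them:\([^ ]*\).*/us=\1 them=\2/p' "$log" | head -n 1)

    printf 'phase1=%s phase2=%s reason=%s' "$p1" "$p2" "$why"
    [ -n "$ids" ] && printf ' %s' "$ids"
    printf '\n'
}

# Live checks on a real client (needs root; not run by the samples below).
show_live_state() {
    echo '--- IKE states (openswan) ---'
    ipsec auto --status 2>/dev/null | grep -E 'STATE_(MAIN|QUICK)_' || echo 'none'
    echo '--- kernel ESP SAs (netkey) ---'
    ip xfrm state 2>/dev/null | grep 'proto esp' || echo 'none'
    echo '--- ppp interfaces ---'
    ip -o link show 2>/dev/null | grep -E '^[0-9]+: ppp' || echo 'none'
}

# Constructed sample: the decisive lines from the first post, with the hidden
# public address replaced by the RFC 5737 documentation address 198.51.100.23.
write_failed_log() {
    cat > "$1" <<'EOF'
002 "L2TP-PSK" #2: initiating Main Mode
003 "L2TP-PSK" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
004 "L2TP-PSK" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY oursig= theirsig= cipher=aes_128 prf=oakley_sha group=modp2048}
002 "L2TP-PSK" #3: initiating Quick Mode PSK+ENCRYPT+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#2 msgid:13d9d882 proposal=defaults pfsgroup=no-pfs}
118 "L2TP-PSK" #3: STATE_QUICK_I1: initiate
003 "L2TP-PSK" #3: NAT-Traversal: received 2 NAT-OA. ignored because peer is not NATed
003 "L2TP-PSK" #3: our client subnet returned does not match my self-proposal - us:192.168.1.137/32 vs them:198.51.100.23/32
218 "L2TP-PSK" #3: STATE_QUICK_I1: INVALID_ID_INFORMATION
002 "L2TP-PSK" #3: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.10:4500
002 "L2TP-PSK" #3: deleting state #3 (STATE_QUICK_I1)
EOF
}

# Constructed sample of a successful run, in the shape of openswan's
# STATE_QUICK_I2 message (SPIs are made up).
write_success_log() {
    cat > "$1" <<'EOF'
004 "L2TP-PSK" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY oursig= theirsig= cipher=aes_128 prf=oakley_sha group=modp2048}
002 "L2TP-PSK" #3: initiating Quick Mode PSK+ENCRYPT+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#2 msgid:0a1b2c3d proposal=defaults pfsgroup=no-pfs}
118 "L2TP-PSK" #3: STATE_QUICK_I1: initiate
004 "L2TP-PSK" #3: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0badcafe <0xdeadbeef xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=203.0.113.10:4500 DPD=enabled}
EOF
}

# Usage: sh check-l2tp.sh /path/to/saved-ipsec-output
# With no argument, the failed sample from the thread is classified instead.
if [ -n "${1:-}" ]; then
    classify_pluto_log "$1"
else
    f=$(mktemp); write_failed_log "$f"; classify_pluto_log "$f"; rm -f "$f"
fi
```

With the thread's output saved to a file, the script answers "phase1=yes phase2=no reason=invalid_id" together with the two client IDs pluto compared, which is the quickest way to see that Main Mode succeeded but Quick Mode did not. On the live client, show_live_state shows the same thing from a different angle: a STATE_MAIN_I4 entry in ipsec auto --status with no STATE_QUICK_I2, no ESP entries in ip xfrm state, and no ppp interface.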
Here is my ipsec.conf
config setup
    plutodebug=all # debug enable
    plutostderrlog=/var/log/openswan.log # Debug logfile
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    nat_traversal=yes
    protostack=netkey # default is auto, which will try netkey first
    plutoopts="--interface=wlp59s0" # Set interface here or use %defaultroute to use default route
conn L2TP-PSK
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=192.168.1.137 # Replace with your local IP address (private, behind NAT IP is okay as well)
    leftprotoport=17/1701
    right=<my_vpn_server_ip> # Replace with your VPN server's IP
    rightprotoport=17/1701
Here is my ipsec.secrets
<local_ip_address> <vpn_ip_address>: PSK "<vpn_psk_password>"
Here is my xl2tpd.conf
[lac vpn-connection]
lns = <my_vpn_ip_address>
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
Here is my options.l2tpd
login
lcp-echo-interval 10
lcp-echo-failure 2
noipx
refuse-pap
refuse-chap
refuse-mschap
require-mppe
require-mschap-v2
nodefaultroute
proxyarp
#bsdcomp
#deflate
#accomp
#noccp
#nopcomp
#nopredictor1
#novj
#novjccomp
#debug 7
Here is my options.l2tpd.client
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name <vpn_username>
password <vpn_password>
Last edited by ipyakuza (2020-03-08 01:27:27)
I'm trying to figure out how I confirm it actually made a connection.
If I understand correctly and you are just trying to confirm the connection, it should be pretty straightforward.
Use ping and traceroute to known hosts on the remote network. Specifically, going to names to test for resolution would be nice.
This would work for a work or Internet tunnel.
You're right, two parts. Part A: I need to see if there is an ipsec command to verify I have an actual IPsec connection active. Part B: why is this article not working (or what am I missing), where the command
echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
is failing to create a pppX interface? The current end result is that I have no VPN connection, as there is no pppX interface. However, as per the documentation and the results of the command, it looks to me like IPsec may have succeeded. I can't tell if my issue is something misconfigured in IPsec (openswan) or in xl2tpd. Basically I need help getting my VPN connection working.
Did you manage to get this solved? I too am trying to establish a VPN connection with openswan, IPsec, and xl2tpd.
I have the same issue: the ppp device is not created. I get similar output from ipsec that looks suspicious:
# ipsec auto --up L2TP-PSK
...
003 "L2TP-PSK" #2: our client subnet returned does not match my self-proposal - us:111.111.111.111/32 vs them:222.222.222.222/32
218 "L2TP-PSK" #2: STATE_QUICK_I1: INVALID_ID_INFORMATION
002 "L2TP-PSK" #2: sending encrypted notification INVALID_ID_INFORMATION to 333.333.333.333:4500
002 "L2TP-PSK" #2: deleting state #2 (STATE_QUICK_I1)
111.111.111.111 is my local IP address. I also put this address in the config files, as specified in IPsec_VPN_client_setup.
222.222.222.222 is my Internet IP address.
333.333.333.333 is the IP address of the VPN server I am trying to connect to.
Last edited by mico (2020-08-04 11:33:21)
Somewhat recently the code was reworked and an `ALLOW_MICROSOFT_BAD_PROPOSAL` was dropped (by mistake, I assume) in the "self-proposal" path.
The following MR solves the problem on my end: https://github.com/xelerance/Openswan/pull/447