You are not logged in.

#1 2020-06-24 07:28:20

Registered: 2020-04-08
Posts: 3

Unable to connect to ipsec/l2tp vpn

I'm trying to connect to cisco l2tp/ipsec vpn with PSK and IKEv1 username/password.

According to this article, I've found that server supports following authentification methods:

SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

I'm using networkmanager-l2tp package. Tried both openswan and libreswan (manually built with `USE_DH2=true` as described in this patchnote).

My .nmconnection file looks like this:



When I'm trying to connect I'm getting the following log:

log using strongswan

log using libreswan with USE_DH2=true

From what I see, it seems like both ways ipsec connection is being established successfully, but then this happens:

xl2tpd[106869]: Listening on IP address, port 1701
xl2tpd[106869]: Connecting to host, port 1701
xl2tpd[106869]: death_handler: Fatal signal 15 received

Strongswan log also has this suspicious message in between of the above:

charon[78694]: 01[NET] received packet: from[4500] to[4500] (164 bytes)
charon[78694]: 01[IKE] received retransmit of response with ID 1610789051, but next request already sent

At this point I've depleted my google skills. If anybody could tell me where to go next or at least tell me if this problem is connected with ipsec or l2tp part of the equation, I would greately appreciate that.


#2 2020-06-24 08:06:29

From: Poland
Registered: 2004-05-03
Posts: 246

Re: Unable to connect to ipsec/l2tp vpn

Your log shows that no traffic selector has been selected. This means that you should set it in your configuration or use 0/0 as traffic selector and let server narrow it down for you (if it supports it, TS narrowing is not a part of IKEv1 but many implementations support it regardless). I'm not sure if this is possible in NetworkManager but it certainly is in strongSwan.

As a side note: crypto that you configured is weak and should no longer be used (also IKEv1 should be avoided).

Last edited by Abaddon (2020-06-24 08:10:48)

Gnome - The weakest link!
Linux, *not* GNU/Linux!


Board footer

Powered by FluxBB