nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

problem with ipsec connection #100

Closed bitpaydotir closed 5 years ago

bitpaydotir commented 5 years ago

I set PSK, phase 1 and phase 2, but I get this error:

```
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets" line 1: expected record boundary in key
002 listening for IKE messages
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets" line 1: expected record boundary in key
002 listening for IKE messages
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets" line 1: expected record boundary in key
002 listening for IKE messages
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets" line 1: expected record boundary in key
002 listening for IKE messages
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets" line 1: expected record boundary in key
002 listening for IKE messages
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-68a34a10-dd17-4d97-bfcb-25fe0f38809c.secrets" line 1: expected record boundary in key
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets"
003 "/etc/ipsec.d/nm-l2tp-ipsec-a9167953-cf61-4026-aca4-bed7dae13afd.secrets" line 1: expected record boundary in key
STATE_MAIN_I1: initiate
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: Can't authenticate: no preshared key found for `125.17.22.12' and `135.17.72.96'.  Attribute OAKLEY_AUTHENTICATION_METHOD
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: no acceptable Oakley Transform
214 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
002 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: sending notification NO_PROPOSAL_CHOSEN to 135.17.72.96:500
010 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: Can't authenticate: no preshared key found for `125.17.22.12' and `135.17.72.96'.  Attribute OAKLEY_AUTHENTICATION_METHOD
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: no acceptable Oakley Transform
214 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
002 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: sending notification NO_PROPOSAL_CHOSEN to 135.17.72.96:500
010 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: Can't authenticate: no preshared key found for `125.17.22.12' and `135.17.72.96'.  Attribute OAKLEY_AUTHENTICATION_METHOD
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: no acceptable Oakley Transform
214 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
002 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: sending notification NO_PROPOSAL_CHOSEN to 135.17.72.96:500
010 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: Can't authenticate: no preshared key found for `125.17.22.12' and `135.17.72.96'.  Attribute OAKLEY_AUTHENTICATION_METHOD
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: no acceptable Oakley Transform
214 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
002 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: sending notification NO_PROPOSAL_CHOSEN to 135.17.72.96:500
010 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: retransmission; will wait 4 seconds for response
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: Can't authenticate: no preshared key found for `125.17.22.12' and `135.17.72.96'.  Attribute OAKLEY_AUTHENTICATION_METHOD
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: no acceptable Oakley Transform
214 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
002 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: sending notification NO_PROPOSAL_CHOSEN to 135.17.72.96:500
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: Can't authenticate: no preshared key found for `125.17.22.12' and `135.17.72.96'.  Attribute OAKLEY_AUTHENTICATION_METHOD
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: no acceptable Oakley Transform
214 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
002 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: sending notification NO_PROPOSAL_CHOSEN to 135.17.72.96:500
010 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: Can't authenticate: no preshared key found for `125.17.22.12' and `135.17.72.96'.  Attribute OAKLEY_AUTHENTICATION_METHOD
003 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: no acceptable Oakley Transform
214 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
002 "68a34a10-dd17-4d97-bfcb-25fe0f38809c" #1: sending notification NO_PROPOSAL_CHOSEN to 135.17.72.96:500
nm-l2tp[3825] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[3825] <info>  Terminating ipsec script with PID 4469.
nm-l2tp[3825] <warn>  Could not establish IPsec tunnel.
```

dkosovic commented 5 years ago

Could you delete the /etc/ipsec.d/nm-l2tp-ipsec*.secrets files? You seem to have a number of them that weren't cleaned up, probably because you configured multiple VPN connections and the corresponding connections weren't successfully closed.

Could you run the ike-scan.sh script found on the following page:

As mentioned on that page, issue `sudo ./ike-scan.sh 125.17.22.12 | grep SA=`; it'll tell us what proposals the VPN server offers. Also as mentioned, you might need to issue `sudo ipsec stop` first.

bitpaydotir commented 5 years ago

I deleted all secrets, but the problem is not solved.

I ran ike-scan and the output was: `SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds ....`

I set in proposal 1: `3DES-SHA1;modp1024`

proposal 2: `3DES-SHA1`

but it does not work; the error (first post) says: `STATE_MAIN_I1: NO_PROPOSAL_CHOSEN`

please help
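The step above (reading the `SA=` line that ike-scan prints and turning it into the `enc-hash;group` phase 1 string and `enc-hash` phase 2 string that nm-l2tp's IPsec dialog takes) is done by hand in the thread. The following is an added example, not code from the nm-l2tp project or from either poster. The `SA=` attribute format is taken from the line quoted above; the sample ike-scan output, the host addresses in it and the second, stronger suite are constructed, the ike-scan-to-Libreswan name tables are the author's assumptions, and reusing the phase 1 cipher and hash for phase 2 is an assumption that matches what the poster did. It also flags components (3DES, SHA1, modp1024) that a defender should treat as legacy, since those are exactly the ones that only work when spelled out explicitly.

```python
"""Derive nm-l2tp phase 1 / phase 2 proposal strings from ike-scan output."""
import re

# Constructed sample: the first line mirrors the thread's SA= line, the second
# is a made-up responder offering a stronger suite to show the general mapping.
SAMPLE_IKE_SCAN_OUTPUT = """\
192.0.2.10\tMain Mode Handshake returned SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
192.0.2.11\tMain Mode Handshake returned SA=(Enc=AES KeyLength=256 Hash=SHA2-256 Auth=PSK Group=14:modp2048 LifeType=Seconds LifeDuration=28800)
"""

# Assumed mapping from ike-scan attribute names to Libreswan/strongSwan keywords.
ENC_NAMES = {"DES": "des", "3DES": "3des", "AES": "aes"}
HASH_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha2_256",
              "SHA2-384": "sha2_384", "SHA2-512": "sha2_512"}
# Legacy components worth flagging: these only negotiate with explicit proposals.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}

SA_RE = re.compile(r"SA=\(([^)]*)\)")


def parse_sa(line):
    """Return the SA= attributes of one ike-scan line as a dict, or None."""
    m = SA_RE.search(line)
    if not m:
        return None
    return dict(tok.split("=", 1) for tok in m.group(1).split() if "=" in tok)


def phase1_proposal(attrs):
    """Map SA attributes to the 'enc-hash;group' form used in the IPsec dialog."""
    enc = ENC_NAMES.get(attrs["Enc"], attrs["Enc"].lower())
    if enc == "aes" and "KeyLength" in attrs:
        enc += attrs["KeyLength"]             # aes128, aes256, ...
    hsh = HASH_NAMES.get(attrs["Hash"], attrs["Hash"].lower())
    group = attrs["Group"].split(":", 1)[-1]  # "2:modp1024" -> "modp1024"
    return f"{enc}-{hsh};{group}"


def phase2_proposal(attrs):
    """Assumption (as the poster did): phase 2 reuses the phase 1 cipher and hash."""
    return phase1_proposal(attrs).split(";", 1)[0]


def weak_components(proposal):
    """Return the legacy algorithms present in a proposal string."""
    return set(re.split(r"[-;]", proposal)) & WEAK


def proposals_from_output(text):
    """Collect (host, phase1, phase2, weak) for every SA= line in ike-scan output."""
    results = []
    for line in text.splitlines():
        attrs = parse_sa(line)
        if attrs is None:
            continue
        host = line.split()[0]
        p1 = phase1_proposal(attrs)
        results.append((host, p1, phase2_proposal(attrs), weak_components(p1)))
    return results


if __name__ == "__main__":
    for host, p1, p2, weak in proposals_from_output(SAMPLE_IKE_SCAN_OUTPUT):
        print(f"{host}: phase1={p1} phase2={p2} weak={sorted(weak) or 'none'}")
```

For the thread's server this yields `3des-sha1;modp1024` and `3des-sha1`, the same strings the poster entered (case does not matter to Libreswan), with all three components flagged as legacy.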

dkosovic commented 5 years ago

With the following error:

```
003 "/etc/ipsec.d/nm-l2tp-ipsec-108413ee-772a-4ab3-9a2f-34788aa948f3.secrets" line 1: expected record boundary in key
```

It's as if it isn't reading the PSK properly in that file.

Could you create a test secrets file, call it say /etc/ipsec.d/test.secrets (it doesn't matter what it is called as long as it ends in .secrets), with contents something like:

```
: PSK my_pre_shared_key
```

with my_pre_shared_key replaced by the actual PSK value, and see if you are then able to connect.

I just want to rule out an issue with commit https://github.com/nm-l2tp/network-manager-l2tp/commit/08c980797f1729474f5ea6c14861f5716d6712bc where I converted the PSK to a base64 value. It did work for me with the version of Libreswan I tested with, but I only checked with a recent version.

dkosovic commented 5 years ago

Forgot to mention, if the PSK contains quotes, single quotes or spaces, it might confuse Libreswan, that's why I now encode the PSK to base64 to avoid such errors.

bitpaydotir commented 5 years ago

My PSK contains a double quote:

"

The PSK is:

```
: PSK "gh"dvE#^"
```

Is that wrong?

dkosovic commented 5 years ago

Libreswan doesn't like having the double quote (") in the middle. As a workaround you could change the PSK to base64. To find out what the base64 value is, you can use the base64 command, e.g.:

```
$ echo -n 'gh"dvE#^' | base64
Z2giZHZFI14=
```

Then in the PSK file have:

```
: PSK 0sZ2giZHZFI14=
```

Note: Libreswan starts a base64 string with 0s.
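The encoding described in the last two comments (a PSK containing quotes or spaces is written as base64 with Libreswan's `0s` prefix, so the secrets parser can no longer hit "expected record boundary in key") as an added example in Python; this is not nm-l2tp's own code or the maintainer's commit. The `0s` prefix and the `: PSK <token>` record format come from the thread; the helper that writes the file with mode 0600 and the round-trip reader are the author's additions, and the PSK used in the usage block is the one from the thread.

```python
"""Encode a pre-shared key as a Libreswan '0s' base64 token and write it as a
': PSK ...' record into a .secrets file, then read it back to verify."""
import base64
import os


def needs_encoding(psk):
    """True if the raw PSK contains characters that confuse the secrets parser."""
    return any(c in '"\'' or c.isspace() for c in psk)


def to_libreswan_psk(psk):
    """Return the PSK as a 0s-prefixed base64 token."""
    return "0s" + base64.b64encode(psk.encode("utf-8")).decode("ascii")


def from_libreswan_psk(token):
    """Decode a 0s-prefixed token back to the raw PSK."""
    if not token.startswith("0s"):
        raise ValueError("not a 0s base64 token")
    return base64.b64decode(token[2:], validate=True).decode("utf-8")


def secrets_record(psk):
    """Build the ': PSK <token>' line. The PSK is always encoded, so a quote or
    a space in the key can never produce a parse error in the secrets file."""
    return f": PSK {to_libreswan_psk(psk)}\n"


def write_secrets_file(path, psk):
    """Write the record to *path* with mode 0600, since the file holds a credential."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(secrets_record(psk))
    return path


def read_psk_from_file(path):
    """Parse the first ': PSK' record back out of a .secrets file."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            fields = line.split()
            if len(fields) == 3 and fields[0] == ":" and fields[1] == "PSK":
                return from_libreswan_psk(fields[2])
    raise ValueError("no PSK record found")


if __name__ == "__main__":
    raw = 'gh"dvE#^'  # the PSK from the thread
    print("needs encoding:", needs_encoding(raw))
    print(secrets_record(raw).rstrip())  # : PSK 0sZ2giZHZFI14=
```

Running it prints the same `0sZ2giZHZFI14=` token the maintainer derived with `echo -n ... | base64`; the reader exists so a script that generates these files can confirm the stored value decodes to the key the user typed before handing it to the IKE daemon.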

bitpaydotir commented 5 years ago

I use GNOME. Is it possible to install strongswan in CentOS with network-manager-l2tp? I did not find anything related to CentOS in the wiki.

dkosovic commented 5 years ago

I describe how to use strongswan with Fedora here:

Unfortunately RHEL7 / CentOS 7 uses an older version of RPM which doesn't support optional dependencies, so with CentOS 7 you will need to use `--nodeps` to uninstall libreswan and then install strongswan, e.g.:

```
sudo rpm -e --nodeps libreswan
sudo yum install strongswan
```

dkosovic commented 5 years ago

Forgot to mention, you might like to issue the following so that the nm-l2tp service detects the change from the default libreswan to strongswan:

```
sudo killall -TERM nm-l2tp-service
```

Also, strongswan has the same syntax restrictions on the PSK as libreswan. You can also put `0sZ2giZHZFI14=` directly into the PSK text field of the IPsec Options dialog box, at least until I release a new version which automatically stores the base64 value.

bitpaydotir commented 5 years ago

thanks :+1: :heart: