nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

3DES + SHA 1 + MODP1024 on Ubuntu #106

Closed rainerCH closed 5 years ago

rainerCH commented 5 years ago

Hi, I am using a fresh Ubuntu 18.04 LTS with your L2TP Network Manager plugin. Unfortunately it's secured by 3des + sha1 + modp1024. I am using strongswan and added 3des-sha1-modp1024 / 3des-sha1 from your readme to the connection. Sadly it's still not working and I have no clue what to do. Do you guys have any hints what I can do? I already used ike-scan to check the host, but I did not receive any handshake. VPN works on a Mac with latest updates.

thank you very much.

NetworkManager Output: https://gist.github.com/rainerCH/1d5d507fe472e50cfa04dce9413a36f4

dkosovic commented 5 years ago

Try putting an exclamation mark at the end of Phase 1 & 2, so that it overrides and not just supplements the default proposals, e.g.:

Some VPN servers have issues if they are presented with too many proposals, the exclamation mark helps in those cases.

You seem to have a lot of /etc/ipsec.d/nm-l2tp-ipsec-*.secrets files that weren't cleaned up, probably due to ungraceful disconnections. Wildcard expansion won't work as a normal user in that folder due to permissions, so you could do the following to delete those files:

sudo su -
rm -f /etc/ipsec.d/nm-l2tp-ipsec-*.secrets

dkosovic commented 5 years ago

Regarding ike-scan, did you use the ike-scan.sh script on the following page to iterate through the proposals?

I would have some concerns if ike-scan.sh doesn't find any proposals.

Although not related to your current issue, since you are using Ubuntu 18.04, you might also want to look at the DNS not working after disconnecting link on the aforementioned wiki.

rainerCH commented 5 years ago

Hi @dkosovic

Thank you for your detailed information. Same result with exclamation mark :/ I made some tests with the guy configuring our SonicWall, and the log says that my client is connecting with aes128, sha256 and dh 256-bit random. Is it possible that 3des is somehow missing or blocked on my system?

Screenshot of configuration on FW: [image]

thank you.

dkosovic commented 5 years ago

Very strange. I have no idea why strongswan would be doing that; it's as if the Phase 1 proposal value is being ignored.

I can't see how 3DES could be missing, as according to the following page, it is part of the default built-in crypto plugin along with the openssl, gcrypt and af-alg plugins:

Only thing with 3DES is that it is not in the default proposals anymore as strongswan considers it weak.

You could try switching to libreswan to see if that works, which can be done with:

sudo killall -TERM nm-l2tp-service
sudo apt install libreswan

Let the installer replace any files with the packager's version. For Phase 1 and 2, get rid of the exclamation mark (note: unlike strongswan, libreswan no longer uses the exclamation mark and will override the default proposals by default).
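
As an added example that is not part of this thread or of NetworkManager-l2tp: a POSIX shell helper that turns the proposal strings discussed above (e.g. 3des-sha1-modp1024) into ike-scan --trans tuples and sweeps the server with each one, so you can confirm which legacy Phase 1 proposals the SonicWall really accepts before changing the client; it also spells the same proposal the strongSwan way (trailing "!", strict) and the libreswan way (no "!"), as dkosovic describes. It assumes ike-scan is installed, that you are permitted to probe the host, and that the connection authenticates with a pre-shared key (IKEv1 auth method 1, as L2TP/IPsec does); the transform numbers are the IANA IKEv1 attribute values (RFC 2409 Appendix A, AES-CBC = 7 from RFC 3602, SHA2 = 4/5/6 from RFC 4868). The host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not project code): map strongSwan-style proposals to
# ike-scan --trans values and sweep an IKEv1 responder with them.

# Turn "enc-hash-group" (optionally with strongSwan's trailing "!") into
# ike-scan's "enc[/len],hash,auth,group". Prints the value; returns 1 if a
# component is unknown or the string has no DH group (an ESP proposal).
trans_for_proposal() {
    p=${1%!}                       # "!" is strongSwan's strict marker, not part of the proposal
    enc=${p%%-*}; rest=${p#*-}
    hash=${rest%%-*}; group=${rest#*-}
    case $enc in
        3des)   e=5 ;;             # 3DES-CBC
        aes128) e=7/128 ;;         # AES-CBC with key length attribute
        aes192) e=7/192 ;;
        aes256) e=7/256 ;;
        *) return 1 ;;
    esac
    case $hash in
        md5) h=1 ;; sha1) h=2 ;; sha256) h=4 ;; sha384) h=5 ;; sha512) h=6 ;;
        *) return 1 ;;
    esac
    case $group in
        modp768) g=1 ;; modp1024) g=2 ;; modp1536) g=5 ;; modp2048) g=14 ;;
        modp3072) g=15 ;; modp4096) g=16 ;; ecp256) g=19 ;; ecp384) g=20 ;;
        *) return 1 ;;             # also catches "3des-sha1" (no group)
    esac
    printf '%s,%s,1,%s\n' "$e" "$h" "$g"   # auth 1 = pre-shared key
}

# Proposals a practitioner should only enable for a legacy peer.
is_weak_proposal() {
    case ${1%!} in
        *3des*|*md5*|*sha1*|*modp768*|*modp1024*) return 0 ;;
        *) return 1 ;;
    esac
}

# Same proposal, spelled for the backend nm-l2tp is using:
# strongSwan needs "!" to replace (not extend) its default proposals,
# libreswan replaces them anyway and does not use "!".
proposal_for_backend() {
    base=${2%!}
    case $1 in
        strongswan) printf '%s!\n' "$base" ;;
        libreswan)  printf '%s\n' "$base" ;;
        *) return 1 ;;
    esac
}

# Probe host $1 (main mode, PSK) with every proposal given after it and
# report which ones the responder answers. Needs root for raw UDP/500.
ike_scan_sweep() {
    host=$1; shift
    for prop in "$@"; do
        trans=$(trans_for_proposal "$prop") || { echo "skip $prop (unknown or no DH group)"; continue; }
        if ike-scan -M --trans="$trans" "$host" 2>/dev/null | grep -q 'Handshake returned'; then
            is_weak_proposal "$prop" && note=' (weak: legacy peers only)' || note=''
            echo "accepted: $prop (--trans=$trans)$note"
        else
            echo "no handshake: $prop (--trans=$trans)"
        fi
    done
}

# usage (as root; vpn.example.com is a placeholder):
#   ike_scan_sweep vpn.example.com 3des-sha1-modp1024 aes128-sha256-modp2048 aes256-sha256-modp2048
```

If none of the proposals gets a "Handshake returned" line, the gateway is either not an IKEv1/PSK responder on that address or something in between is dropping UDP/500, which is worth ruling out before blaming the client's proposal list.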

rainerCH commented 5 years ago

Hey,

it works with the libreswan integration.

Thanks!