Closed Wrufesh closed 4 years ago
It is not getting a response to the first phase 1 (main mode) packet that gets sent, so it is most likely a firewall issue.
In the IPsec settings dialog box, try the "Enforce UDP encapsulation" checkbox which can help with firewalls.
Sorry, "Enforce UDP encapsulation" didn't get it working.
Querying the VPN server for its IKEv1 algorithm proposals gives:
[wrocket@wrocket-pc tmp1]$ sudo ./ike-scan 103.1.93.39 | grep SA=
[sudo] password for wrocket:
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=14:modp2048 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=SHA1 Auth=PSK Group=14:modp2048 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
The PSK in the IPsec settings is some random string, as I was not given one by the VPN provider.
Also, I have disabled all firewalls.
Still no clue what is going wrong :(
PSK authentication is one of the most critical parts of the phase 1 (main mode) connection; you can't use a random PSK string for the connection.
Great, got the PSK. Now I am getting this:
proxy
connection
autoconnect : false
id : 'aayulogic'
permissions : []
type : 'vpn'
uuid : 'd5f71e5c-6190-4642-a0d2-eac8c32ce977'
ipv6
address-data : []
dns : []
dns-search : []
ip6-privacy : 0
method : 'auto'
route-data : []
nm-l2tp[17898] <info> starting ipsec
Redirecting to: systemctl restart ipsec.service
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
opening file: /var/run/nm-l2tp-d5f71e5c-6190-4642-a0d2-eac8c32ce977/ipsec.conf
debugging mode enabled
end of file /var/run/nm-l2tp-d5f71e5c-6190-4642-a0d2-eac8c32ce977/ipsec.conf
Loading conn d5f71e5c-6190-4642-a0d2-eac8c32ce977
starter: left is KH_DEFAULTROUTE
loading named conns: d5f71e5c-6190-4642-a0d2-eac8c32ce977
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst via 192.168.1.1 dev wlp3s0 src table 254
set nexthop: 192.168.1.1
dst 172.17.0.0 via dev docker0 src 172.17.0.1 table 254
dst 192.168.1.0 via dev wlp3s0 src 192.168.1.219 table 254
dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored)
dst 172.17.0.0 via dev docker0 src 172.17.0.1 table 255 (ignored)
dst 172.17.0.1 via dev docker0 src 172.17.0.1 table 255 (ignored)
dst 172.17.255.255 via dev docker0 src 172.17.0.1 table 255 (ignored)
dst 192.168.1.0 via dev wlp3s0 src 192.168.1.219 table 255 (ignored)
dst 192.168.1.219 via dev wlp3s0 src 192.168.1.219 table 255 (ignored)
dst 192.168.1.255 via dev wlp3s0 src 192.168.1.219 table 255 (ignored)
seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst 192.168.1.1 via dev wlp3s0 src 192.168.1.219 table 254
set addr: 192.168.1.219
seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" modecfgdns=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" modecfgdomains=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" modecfgbanner=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" mark=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" mark-in=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" mark-out=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" vti_iface=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" redirect-to=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" accept-redirect-to=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" esp=aes128-sha1
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" ike=aes128-sha1;modp2048
002 added connection description "d5f71e5c-6190-4642-a0d2-eac8c32ce977"
nm-l2tp[17898] <info> Spawned ipsec auto --up script with PID 18222.
002 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: initiating Main Mode
102 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: STATE_MAIN_I1: sent MI1, expecting MR1
104 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: STATE_MAIN_I2: sent MI2, expecting MR2
106 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: Peer ID is ID_IPV4_ADDR: '103.1.93.39'
004 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}
002 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:2ac9f784 proposal=AES_CBC_128-HMAC_SHA1_96 pfsgroup=MODP2048}
115 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: sent QI1, expecting QR1
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
nm-l2tp[17898] <warn> Timeout trying to establish IPsec connection
nm-l2tp[17898] <info> Terminating ipsec script with PID 18222.
nm-l2tp[17898] <warn> Could not establish IPsec tunnel.
(nm-l2tp-service:17898): GLib-GIO-CRITICAL **: 11:08:21.071: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 16 seconds for response
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 32 seconds for response
And my IPsec settings look like this:
Okay, phase 1 (main mode) is now working, but phase 2 (quick mode) is failing.
Perhaps your VPN server doesn't like PFS for phase 2, so try "Disable PFS".
Still no luck after disabling PFS:
nm-l2tp[20868] <info> starting ipsec
Redirecting to: systemctl restart ipsec.service
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
opening file: /var/run/nm-l2tp-d5f71e5c-6190-4642-a0d2-eac8c32ce977/ipsec.conf
debugging mode enabled
end of file /var/run/nm-l2tp-d5f71e5c-6190-4642-a0d2-eac8c32ce977/ipsec.conf
Loading conn d5f71e5c-6190-4642-a0d2-eac8c32ce977
starter: left is KH_DEFAULTROUTE
loading named conns: d5f71e5c-6190-4642-a0d2-eac8c32ce977
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst via 192.168.1.1 dev wlp3s0 src table 254
set nexthop: 192.168.1.1
dst 172.17.0.0 via dev docker0 src 172.17.0.1 table 254
dst 192.168.1.0 via dev wlp3s0 src 192.168.1.219 table 254
dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored)
dst 172.17.0.0 via dev docker0 src 172.17.0.1 table 255 (ignored)
dst 172.17.0.1 via dev docker0 src 172.17.0.1 table 255 (ignored)
dst 172.17.255.255 via dev docker0 src 172.17.0.1 table 255 (ignored)
dst 192.168.1.0 via dev wlp3s0 src 192.168.1.219 table 255 (ignored)
dst 192.168.1.219 via dev wlp3s0 src 192.168.1.219 table 255 (ignored)
dst 192.168.1.255 via dev wlp3s0 src 192.168.1.219 table 255 (ignored)
seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst 192.168.1.1 via dev wlp3s0 src 192.168.1.219 table 254
set addr: 192.168.1.219
seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" modecfgdns=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" modecfgdomains=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" modecfgbanner=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" mark=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" mark-in=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" mark-out=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" vti_iface=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" redirect-to=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" accept-redirect-to=<unset>
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" esp=aes128-sha1
conn: "d5f71e5c-6190-4642-a0d2-eac8c32ce977" ike=aes128-sha1;modp2048
002 added connection description "d5f71e5c-6190-4642-a0d2-eac8c32ce977"
nm-l2tp[20868] <info> Spawned ipsec auto --up script with PID 21189.
002 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: initiating Main Mode
102 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: STATE_MAIN_I1: sent MI1, expecting MR1
104 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: STATE_MAIN_I2: sent MI2, expecting MR2
106 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: Peer ID is ID_IPV4_ADDR: '103.1.93.39'
004 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}
002 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:3fad9e6a proposal=AES_CBC_128-HMAC_SHA1_96 pfsgroup=no-pfs}
115 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: sent QI1, expecting QR1
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
nm-l2tp[20868] <warn> Timeout trying to establish IPsec connection
nm-l2tp[20868] <info> Terminating ipsec script with PID 21189.
nm-l2tp[20868] <warn> Could not establish IPsec tunnel.
(nm-l2tp-service:20868): GLib-GIO-CRITICAL **: 11:30:32.514: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 16 seconds for response
010 "d5f71e5c-6190-4642-a0d2-eac8c32ce977" #2: STATE_QUICK_I1: retransmission; will wait 32 seconds for response
Could you try getting rid of the Phase 2 algorithms and try again, so NetworkManager-l2tp will use its defaults.
Thanks @dkosovic. It seems to work now.
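The troubleshooting in this thread boils down to two checks: mapping the server's ike-scan proposals onto the `enc-hash;group` string nm-l2tp puts in its Phase 1 algorithms field, and reading the pluto log to see whether phase 1 (ISAKMP SA) or phase 2 (quick mode) is the one not getting an answer. The script below is an added example, not part of NetworkManager-l2tp or this issue; the log and scan lines it contains are constructed from the output above, and the "IPsec SA established" marker for a successful quick mode is assumed from libreswan's STATE_QUICK_I2 message.

```python
import re

# Constructed sample input, modelled on the ike-scan and pluto lines in the thread.
IKE_SCAN_SAMPLE = [
    "SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)",
    "SA=(Enc=AES Hash=SHA1 Auth=PSK Group=14:modp2048 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)",
]
PLUTO_SAMPLE = [
    '004 "conn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}',
    '115 "conn" #2: STATE_QUICK_I1: sent QI1, expecting QR1',
    '010 "conn" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response',
    '010 "conn" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response',
]


def sa_to_ike_proposal(sa_line):
    """Turn one ike-scan 'SA=(...)' line into the libreswan-style 'enc-hash;group'
    string (e.g. aes128-sha1;modp2048) that nm-l2tp writes as ike= in ipsec.conf."""
    fields = dict(re.findall(r"(\w+)=([\w:]+)", sa_line))
    enc = fields["Enc"].lower()
    if "KeyLength" in fields:            # AES carries an explicit key length; 3DES does not
        enc += fields["KeyLength"]       # AES + KeyLength=128 -> aes128
    group = fields["Group"].split(":")[1]  # "14:modp2048" -> modp2048
    return f"{enc}-{fields['Hash'].lower()};{group}"


def diagnose(pluto_lines):
    """Classify a pluto log: (phase1_ok, phase2_ok, quick-mode retransmissions)."""
    phase1_ok = any("ISAKMP SA established" in line for line in pluto_lines)
    # Assumed marker for a completed quick mode (libreswan STATE_QUICK_I2 message).
    phase2_ok = any("IPsec SA established" in line for line in pluto_lines)
    retrans = sum(1 for line in pluto_lines if "STATE_QUICK_I1: retransmission" in line)
    return phase1_ok, phase2_ok, retrans


def next_step(phase1_ok, phase2_ok, retrans):
    """Map the diagnosis onto the advice given in the thread."""
    if not phase1_ok:
        return "phase 1 unanswered: check firewall/UDP 500, try UDP encapsulation, verify the PSK"
    if phase2_ok:
        return "tunnel up"
    if retrans:
        return "phase 2 unanswered: try Disable PFS, then clear the Phase 2 algorithms to use defaults"
    return "phase 2 not attempted yet"


if __name__ == "__main__":
    for sa in IKE_SCAN_SAMPLE:
        print(sa_to_ike_proposal(sa))
    print(next_step(*diagnose(PLUTO_SAMPLE)))
```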
I am trying to connect to an L2TP VPN but have had no luck.
I got the following logs:
Please help me debug this. WorkFromHome Covid19