nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

no shared key found for my_local_IP_behind_nat - public_IP_of_the_server #134

Closed JuliusLongmind closed 4 years ago

JuliusLongmind commented 4 years ago

After upgrading to 1.18.2, I cannot connect to the VPN server with preshared keys, while with 1.8.0 it was working. After downgrading to 1.8.0, the VPN connection doesn't work either.

Both ends are behind NAT.

Debug output of /usr/lib/NetworkManager/nm-l2tp-service

Starting strongSwan 5.8.2 IPsec [starter]...
Loading config setup
Loading conn 'e20fb2b4-74d3-4248-a4a9-7dd117b1574f'
nm-l2tp[22018] Spawned ipsec up script with PID 22069.
initiating Main Mode IKE_SA e20fb2b4-74d3-4248-a4a9-7dd117b1574f[1] to public_IP_of_the_server
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from my_local_IP_behind_nat[500] to public_IP_of_the_server[500] (532 bytes)
received packet: from public_IP_of_the_server[500] to my_local_IP_behind_nat[500] (140 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received unknown vendor ID: 4f:53:57:71:77:50:64:40:5e:49:41:45
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from my_local_IP_behind_nat[500] to public_IP_of_the_server[500] (396 bytes)
received packet: from public_IP_of_the_server[500] to my_local_IP_behind_nat[500] (380 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
no shared key found for my_local_IP_behind_nat - public_IP_of_the_server
generating INFORMATIONAL_V1 request 2417051706 [ N(INVAL_KE) ]
sending packet: from my_local_IP_behind_nat[500] to public_IP_of_the_server[500] (56 bytes)
establishing connection 'e20fb2b4-74d3-4248-a4a9-7dd117b1574f' failed
Stopping strongSwan IPsec...
nm-l2tp[22018] Could not establish IPsec tunnel.

dkosovic commented 4 years ago

I can't see the log output where strongswan tries to open the pre-shared key file, /etc/ipsec.d/ipsec.nm-l2tp.secrets (or /etc/strongswan/ipsec.d/ipsec.nm-l2tp.secrets e.g. Fedora).

Does /etc/ipsec.secrets (or /etc/strongswan/ipsec.secrets e.g. Fedora) have the following line?

include ipsec.d/ipsec.nm-l2tp.secrets

If not, add that line to ipsec.secrets.

Does /etc/ipsec.d/ipsec.nm-l2tp.secrets (or /etc/strongswan/ipsec.d/ipsec.nm-l2tp.secrets e.g. Fedora) look something like the following (with an encoded PSK starting with 0s)?

: PSK 0sBase64_encoded_PSK
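A small POSIX shell function that performs the two checks asked about above (the include line in ipsec.secrets, and a "0s"-prefixed PSK line in the nm-l2tp secrets file that actually decodes as base64). It is an added example, not code from nm-l2tp or strongSwan; the two file paths are parameters and default to the /etc/ipsec.secrets and /etc/ipsec.d/ipsec.nm-l2tp.secrets locations named in the comment.

```shell
#!/bin/sh
# Added example (not part of nm-l2tp): verify that strongSwan can reach the PSK
# nm-l2tp writes, which is what the "no shared key found" line in the log is about.
# Usage: check_nm_l2tp_psk [ipsec.secrets] [ipsec.nm-l2tp.secrets]
# Returns 0 when both checks pass, 1 otherwise, and prints what is missing.
check_nm_l2tp_psk() {
    secrets="${1:-/etc/ipsec.secrets}"
    nm_secrets="${2:-/etc/ipsec.d/ipsec.nm-l2tp.secrets}"
    rc=0

    # 1. Does ipsec.secrets pull in the nm-l2tp secrets file at all?
    if ! grep -Eq '^[[:space:]]*include[[:space:]]+ipsec\.d/ipsec\.nm-l2tp\.secrets[[:space:]]*$' "$secrets" 2>/dev/null; then
        echo "missing in $secrets: include ipsec.d/ipsec.nm-l2tp.secrets"
        rc=1
    fi

    # 2. Does the nm-l2tp secrets file exist and carry a wildcard PSK line?
    #    ': PSK ...' with no ID selectors applies to any peer, which is what a
    #    client behind NAT needs, since its source address is not predictable.
    if [ ! -r "$nm_secrets" ]; then
        echo "$nm_secrets is missing or unreadable (it is deleted on a graceful disconnect)"
        return 1
    fi
    psk=$(sed -n 's/^[[:space:]]*:[[:space:]]*PSK[[:space:]]*\(0s[A-Za-z0-9+/=]*\)[[:space:]]*$/\1/p' "$nm_secrets" | head -n 1)
    if [ -z "$psk" ]; then
        echo "no ': PSK 0s...' line in $nm_secrets"
        return 1
    fi

    # 3. Strip the 0s prefix and make sure the rest is non-empty, valid base64.
    if [ -z "${psk#0s}" ] || ! printf '%s' "${psk#0s}" | base64 -d >/dev/null 2>&1; then
        echo "PSK in $nm_secrets is not valid base64 after the 0s prefix"
        return 1
    fi
    return $rc
}
```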

dkosovic commented 4 years ago

I should add, /etc/ipsec.d/ipsec.nm-l2tp.secrets (or /etc/strongswan/ipsec.d/ipsec.nm-l2tp.secrets e.g. Fedora) usually gets deleted when a VPN connection is gracefully stopped. When in debugging mode (see README.md) or I believe on connection failure, the ipsec.nm-l2tp.secrets file wouldn't get deleted.

dkosovic commented 4 years ago

Closing due to lack of activity.