nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Cannot connect to Cisco IOS #137

Closed ShyLionTjmn closed 4 years ago

ShyLionTjmn commented 4 years ago

Hi. There is an L2TP/IPSec server on Cisco IOS (NOT ASA!). It works perfectly with the Windows built-in client, using a preshared key with RADIUS PPP authentication.

Cisco's config:

crypto keyring L2TP_IPSec
  pre-shared-key address 0.0.0.0 0.0.0.0 key verysecretkey
no crypto isakmp default policy
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 30
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 40
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 50
 encr aes
 authentication pre-share
 group 2
crypto isakmp policy 60
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 70
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp policy 80
 encr aes 256
 hash sha512
 authentication pre-share
 group 2
crypto isakmp policy 90
 encr aes 256
 hash sha512
 authentication pre-share
 group 16
!
crypto ipsec transform-set 3DES_SHA_tr esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set AES_SHA_tr esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set AES_256_SHA_tr esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set aes256-sha1 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set aes256-sha512_tr esp-aes 256 esp-sha512-hmac
 mode transport
!
crypto dynamic-map L2TP_IPSec 1
 set nat demux
 set transform-set 3DES_SHA_tr
crypto dynamic-map L2TP_IPSec 2
 set nat demux
 set transform-set AES_SHA_tr
crypto dynamic-map L2TP_IPSec 3
 set nat demux
 set transform-set AES_256_SHA_tr
crypto dynamic-map L2TP_IPSec 4
 set nat demux
 set transform-set 3DES_SHA_tr
crypto dynamic-map L2TP_IPSec 5
 set nat demux
 set transform-set AES_SHA_tr
crypto dynamic-map L2TP_IPSec 6
 set nat demux
 set transform-set aes256-sha512_tr
crypto map OUTSIDE local-address Loopback1
crypto map OUTSIDE 65535 ipsec-isakmp dynamic L2TP_IPSec
crypto map OUTSIDE

VPN config:

[connection]
id=somename
uuid=16cf875c-2365-46fb-88b4-b201aa0c44a0
type=vpn
autoconnect=false
permissions=user:lion:;
timestamp=1587278530

[vpn]
gateway=91.a.b.101
ipsec-enabled=yes
ipsec-esp=aes256-sha512!
ipsec-ike=aes256-sha512-modp4096!
ipsec-psk=verysecretkey
lcp-echo-failure=5
lcp-echo-interval=30
mru=1400
mtu=1400
no-vj-comp=yes
noaccomp=yes
nobsdcomp=yes
nodeflate=yes
nopcomp=yes
password-flags=0
refuse-eap=yes
refuse-pap=yes
user=klusov_sn
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
password=mypass

[ipv4]
dns-search=
ignore-auto-routes=true
method=auto
never-default=true

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

Phase 1 goes up, phase 2 matches the algo, but still fails:

Apr 20 11:06:55: ISAKMP: local port 500, remote port 513
Apr 20 11:06:55: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 2925FC58
Apr 20 11:06:55: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 20 11:06:55: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

Apr 20 11:06:55: ISAKMP:(0): processing SA payload. message ID = 0
Apr 20 11:06:55: ISAKMP:(0): processing vendor id payload
Apr 20 11:06:55: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
Apr 20 11:06:55: ISAKMP:(0): vendor ID is XAUTH
Apr 20 11:06:55: ISAKMP:(0): processing vendor id payload
Apr 20 11:06:55: ISAKMP:(0): vendor ID is DPD
Apr 20 11:06:55: ISAKMP:(0): processing vendor id payload
Apr 20 11:06:55: ISAKMP:(0): processing IKE frag vendor id payload
Apr 20 11:06:55: ISAKMP:(0):Support for IKE Fragmentation not enabled
Apr 20 11:06:55: ISAKMP:(0): processing vendor id payload
Apr 20 11:06:55: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Apr 20 11:06:55: ISAKMP (0): vendor ID is NAT-T RFC 3947
Apr 20 11:06:55: ISAKMP:(0): processing vendor id payload
Apr 20 11:06:55: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Apr 20 11:06:55: ISAKMP:(0): vendor ID is NAT-T v2
Apr 20 11:06:55: ISAKMP:(0):found peer pre-shared key matching 185.x.y.113
Apr 20 11:06:55: ISAKMP:(0): local preshared key found
Apr 20 11:06:55: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Apr 20 11:06:55: ISAKMP: encryption AES-CBC
Apr 20 11:06:55: ISAKMP: keylength of 256
Apr 20 11:06:55: ISAKMP: hash SHA512
Apr 20 11:06:55: ISAKMP: default group 16
Apr 20 11:06:55: ISAKMP: auth pre-share
Apr 20 11:06:55: ISAKMP: life type in seconds
Apr 20 11:06:55: ISAKMP: life duration (basic) of 10800
Apr 20 11:06:55: ISAKMP:(0):Hash algorithm offered does not match policy!
Apr 20 11:06:55: ISAKMP:(0):atts are not acceptable. Next payload is 0
Apr 20 11:06:55: ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
Apr 20 11:06:55: ISAKMP: encryption AES-CBC
Apr 20 11:06:55: ISAKMP: keylength of 256
Apr 20 11:06:55: ISAKMP: hash SHA512
Apr 20 11:06:55: ISAKMP: default group 16
Apr 20 11:06:55: ISAKMP: auth pre-share
Apr 20 11:06:55: ISAKMP: life type in seconds
Apr 20 11:06:55: ISAKMP: life duration (basic) of 10800
Apr 20 11:06:55: ISAKMP:(0):Hash algorithm offered does not match policy!
Apr 20 11:06:55: ISAKMP:(0):atts are not acceptable. Next payload is 0
Apr 20 11:06:55: ISAKMP:(0):Checking ISAKMP transform 1 against priority 30 policy
Apr 20 11:06:55: ISAKMP: encryption AES-CBC
Apr 20 11:06:55: ISAKMP: keylength of 256
Apr 20 11:06:55: ISAKMP: hash SHA512
Apr 20 11:06:55: ISAKMP: default group 16
Apr 20 11:06:55: ISAKMP: auth pre-share
Apr 20 11:06:55: ISAKMP: life type in seconds
Apr 20 11:06:55: ISAKMP: life duration (basic) of 10800
Apr 20 11:06:55: ISAKMP:(0):Encryption algorithm offered does not match policy!
Apr 20 11:06:55: ISAKMP:(0):atts are not acceptable. Next payload is 0
Apr 20 11:06:55: ISAKMP:(0):Checking ISAKMP transform 1 against priority 40 policy
Apr 20 11:06:55: ISAKMP: encryption AES-CBC
Apr 20 11:06:55: ISAKMP: keylength of 256
Apr 20 11:06:55: ISAKMP: hash SHA512
Apr 20 11:06:55: ISAKMP: default group 16
Apr 20 11:06:55: ISAKMP: auth pre-share
Apr 20 11:06:55: ISAKMP: life type in seconds
Apr 20 11:06:55: ISAKMP: life duration (basic) of 10800
Apr 20 11:06:55: ISAKMP:(0):Hash algorithm offered does not match policy!
Apr 20 11:06:55: ISAKMP:(0):atts are not acceptable. Next payload is 0
Apr 20 11:06:55: ISAKMP:(0):Checking ISAKMP transform 1 against priority 50 policy
Apr 20 11:06:55: ISAKMP: encryption AES-CBC
Apr 20 11:06:55: ISAKMP: keylength of 256
Apr 20 11:06:55: ISAKMP: hash SHA512
Apr 20 11:06:55: ISAKMP: default group 16
Apr 20 11:06:55: ISAKMP: auth pre-share
Apr 20 11:06:55: ISAKMP: life type in seconds
Apr 20 11:06:55: ISAKMP: life duration (basic) of 10800
Apr 20 11:06:55: ISAKMP:(0):Hash algorithm offered does not match policy!
Apr 20 11:06:55: ISAKMP:(0):atts are not acceptable. Next payload is 0
Apr 20 11:06:55: ISAKMP:(0):Checking ISAKMP transform 1 against priority 60 policy
Apr 20 11:06:55: ISAKMP: encryption AES-CBC
Apr 20 11:06:55: ISAKMP: keylength of 256
Apr 20 11:06:55: ISAKMP: hash SHA512
Apr 20 11:06:55: ISAKMP: default group 16
Apr 20 11:06:55: ISAKMP: auth pre-share
Apr 20 11:06:55: ISAKMP: life type in seconds
Apr 20 11:06:55: ISAKMP: life duration (basic) of 10800
Apr 20 11:06:55: ISAKMP:(0):Encryption algorithm offered does not match policy!
Apr 20 11:06:55: ISAKMP:(0):atts are not acceptable. Next payload is 0
Apr 20 11:06:55: ISAKMP:(0):Checking ISAKMP transform 1 against priority 70 policy
Apr 20 11:06:55: ISAKMP: encryption AES-CBC
Apr 20 11:06:55: ISAKMP: keylength of 256
Apr 20 11:06:55: ISAKMP: hash SHA512
Apr 20 11:06:55: ISAKMP: default group 16
Apr 20 11:06:55: ISAKMP: auth pre-share
Apr 20 11:06:55: ISAKMP: life type in seconds
Apr 20 11:06:55: ISAKMP: life duration (basic) of 10800
Apr 20 11:06:55: ISAKMP:(0):Encryption algorithm offered does not match policy!
Apr 20 11:06:55: ISAKMP:(0):atts are not acceptable. Next payload is 0
Apr 20 11:06:55: ISAKMP:(0):Checking ISAKMP transform 1 against priority 80 policy
Apr 20 11:06:55: ISAKMP: encryption AES-CBC
Apr 20 11:06:55: ISAKMP: keylength of 256
Apr 20 11:06:55: ISAKMP: hash SHA512
Apr 20 11:06:55: ISAKMP: default group 16
Apr 20 11:06:55: ISAKMP: auth pre-share
Apr 20 11:06:55: ISAKMP: life type in seconds
Apr 20 11:06:55: ISAKMP: life duration (basic) of 10800
Apr 20 11:06:55: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
Apr 20 11:06:55: ISAKMP:(0):atts are not acceptable. Next payload is 0
Apr 20 11:06:55: ISAKMP:(0):Checking ISAKMP transform 1 against priority 90 policy
Apr 20 11:06:55: ISAKMP: encryption AES-CBC
Apr 20 11:06:55: ISAKMP: keylength of 256
Apr 20 11:06:55: ISAKMP: hash SHA512
Apr 20 11:06:55: ISAKMP: default group 16
Apr 20 11:06:55: ISAKMP: auth pre-share
Apr 20 11:06:55: ISAKMP: life type in seconds
Apr 20 11:06:55: ISAKMP: life duration (basic) of 10800
Apr 20 11:06:55: ISAKMP:(0):atts are acceptable. Next payload is 0
Apr 20 11:06:55: ISAKMP:(0):Acceptable atts:actual life: 0
Apr 20 11:06:55: ISAKMP:(0):Acceptable atts:life: 0
Apr 20 11:06:55: ISAKMP:(0):Basic life_in_seconds:10800
Apr 20 11:06:55: ISAKMP:(0):Returning Actual lifetime: 10800
Apr 20 11:06:55: ISAKMP:(0)::Started lifetime timer: 10800.

Apr 20 11:06:55: ISAKMP:(0): processing vendor id payload
Apr 20 11:06:55: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
Apr 20 11:06:55: ISAKMP:(0): vendor ID is XAUTH
Apr 20 11:06:55: ISAKMP:(0): processing vendor id payload
Apr 20 11:06:55: ISAKMP:(0): vendor ID is DPD
Apr 20 11:06:55: ISAKMP:(0): processing vendor id payload
Apr 20 11:06:55: ISAKMP:(0): processing IKE frag vendor id payload
Apr 20 11:06:55: ISAKMP:(0):Support for IKE Fragmentation not enabled
Apr 20 11:06:55: ISAKMP:(0): processing vendor id payload
Apr 20 11:06:55: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Apr 20 11:06:55: ISAKMP (0): vendor ID is NAT-T RFC 3947
Apr 20 11:06:55: ISAKMP:(0): processing vendor id payload
Apr 20 11:06:55: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Apr 20 11:06:55: ISAKMP:(0): vendor ID is NAT-T v2
Apr 20 11:06:55: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 20 11:06:55: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

Apr 20 11:06:55: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Apr 20 11:06:55: ISAKMP:(0): sending packet to 185.x.y.113 my_port 500 peer_port 513 (R) MM_SA_SETUP
Apr 20 11:06:55: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 20 11:06:55: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 20 11:06:55: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2

Apr 20 11:06:55: ISAKMP (0): received packet from 185.x.y.113 dport 500 sport 513 Global (R) MM_SA_SETUP
Apr 20 11:06:55: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 20 11:06:55: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3

Apr 20 11:06:55: ISAKMP:(0): processing KE payload. message ID = 0
Apr 20 11:06:55: ISAKMP:(0): processing NONCE payload. message ID = 0
Apr 20 11:06:55: ISAKMP:(0):found peer pre-shared key matching 185.x.y.113
Apr 20 11:06:55: ISAKMP:received payload type 20
Apr 20 11:06:55: ISAKMP (12024): His hash no match - this node outside NAT
Apr 20 11:06:55: ISAKMP:received payload type 20
Apr 20 11:06:55: ISAKMP (12024): His hash no match - this node outside NAT
Apr 20 11:06:55: ISAKMP:(12024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 20 11:06:55: ISAKMP:(12024):Old State = IKE_R_MM3 New State = IKE_R_MM3

Apr 20 11:06:55: ISAKMP:(12024): sending packet to 185.x.y.113 my_port 500 peer_port 513 (R) MM_KEY_EXCH
Apr 20 11:06:55: ISAKMP:(12024):Sending an IKE IPv4 Packet.
Apr 20 11:06:55: ISAKMP:(12024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 20 11:06:55: ISAKMP:(12024):Old State = IKE_R_MM3 New State = IKE_R_MM4

Apr 20 11:06:55: ISAKMP (12024): received packet from 185.x.y.113 dport 4500 sport 4500 Global (R) MM_KEY_EXCH
Apr 20 11:06:55: ISAKMP:(12024):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Apr 20 11:06:55: ISAKMP:(12024):Old State = IKE_R_MM4 New State = IKE_R_MM5

Apr 20 11:06:55: ISAKMP:(12024): processing ID payload. message ID = 0
Apr 20 11:06:55: ISAKMP (12024): ID payload
    next-payload : 8
    type         : 1
    address      : 100.100.13.22
    protocol     : 0
    port         : 0
    length       : 12
Apr 20 11:06:55: ISAKMP:(12024): processing HASH payload. message ID = 0
Apr 20 11:06:55: ISAKMP:(12024):SA authentication status: authenticated
Apr 20 11:06:55: ISAKMP:(12024):SA has been authenticated with 185.x.y.113
Apr 20 11:06:55: ISAKMP:(12024):Detected port floating to port = 4500
Apr 20 11:06:55: ISAKMP:(12024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Apr 20 11:06:55: ISAKMP:(12024):Old State = IKE_R_MM5 New State = IKE_R_MM5

Apr 20 11:06:55: ISAKMP:(12024):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Apr 20 11:06:55: ISAKMP (12024): ID payload
    next-payload : 8
    type         : 1
    address      : 91.a.b.101
    protocol     : 17
    port         : 0
    length       : 12
Apr 20 11:06:55: ISAKMP:(12024):Total payload length: 12
Apr 20 11:06:55: ISAKMP:(12024): sending packet to 185.x.y.113 my_port 4500 peer_port 4500 (R) MM_KEY_EXCH
Apr 20 11:06:55: ISAKMP:(12024):Sending an IKE IPv4 Packet.
Apr 20 11:06:55: ISAKMP:(12024):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Apr 20 11:06:55: ISAKMP:(12024):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

Apr 20 11:06:55: ISAKMP:(12024):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Apr 20 11:06:55: ISAKMP:(12024):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

Apr 20 11:06:55: ISAKMP (12024): received packet from 185.x.y.113 dport 4500 sport 4500 Global (R) QM_IDLE
Apr 20 11:06:55: ISAKMP: set new node -1941890658 to QM_IDLE
Apr 20 11:06:55: ISAKMP:(12024): processing HASH payload. message ID = 2353076638
Apr 20 11:06:55: ISAKMP:(12024): processing SA payload. message ID = 2353076638
Apr 20 11:06:55: ISAKMP (12024): processing NAT-OAi payload. addr = 100.100.13.22, message ID = 2353076638
Apr 20 11:06:55: ISAKMP (12024): processing NAT-OAr payload. addr = 91.a.b.101, message ID = 2353076638
Apr 20 11:06:55: ISAKMP:(12024):Checking IPSec proposal 0
Apr 20 11:06:55: ISAKMP: transform 1, ESP_AES
Apr 20 11:06:55: ISAKMP: attributes in transform:
Apr 20 11:06:55: ISAKMP: key length is 256
Apr 20 11:06:55: ISAKMP: authenticator is HMAC-SHA512
Apr 20 11:06:55: ISAKMP: encaps is 4 (Transport-UDP)
Apr 20 11:06:55: ISAKMP: SA life type in seconds
Apr 20 11:06:55: ISAKMP: SA life duration (basic) of 3600
Apr 20 11:06:55: ISAKMP:(12024):atts are acceptable.
Apr 20 11:06:55: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-aes 256 esp-sha512-hmac }
Apr 20 11:06:55: ISAKMP:(12024): IPSec policy invalidated proposal with error 256
Apr 20 11:06:55: ISAKMP:(12024): phase 2 SA policy not acceptable! (local 91.a.b.101 remote 185.x.y.113)
Apr 20 11:06:55: ISAKMP: set new node 683882107 to QM_IDLE
Apr 20 11:06:55: ISAKMP:(12024):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 606109024, message ID = 683882107
Apr 20 11:06:55: ISAKMP:(12024): sending packet to 185.x.y.113 my_port 4500 peer_port 4500 (R) QM_IDLE
Apr 20 11:06:55: ISAKMP:(12024):Sending an IKE IPv4 Packet.
Apr 20 11:06:55: ISAKMP:(12024):purging node 683882107
Apr 20 11:06:55: ISAKMP:(12024):deleting node -1941890658 error TRUE reason "QM rejected"

Log from my machine:

lion-msi ~ # sudo CHARONDEBUG="all 2" /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[5007] nm-l2tp-service (version 1.2.8) starting...
nm-l2tp[5007] uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[5007] ipsec enable flag: yes
Message: 10:56:06.468: Check port 1701
Message: 10:56:06.468: Can't bind to port 1701
nm-l2tp[5007] L2TP port 1701 is busy, using ephemeral.
connection
    id : "somename" (s)
    uuid : "16cf875c-2365-46fb-88b4-b201aa0c44a0" (s)
    interface-name : NULL (sd)
    type : "vpn" (s)
    permissions : ["user:lion:"] (s)
    autoconnect : FALSE (s)
    autoconnect-priority : 0 (sd)
    autoconnect-retries : -1 (sd)
    timestamp : 1587278530 (s)
    read-only : FALSE (sd)
    zone : NULL (sd)
    master : NULL (sd)
    slave-type : NULL (sd)
    autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
    secondaries : NULL (sd)
    gateway-ping-timeout : 0 (sd)
    metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
    lldp : -1 (sd)
    mdns : -1 (sd)
    stable-id : NULL (sd)
    auth-retries : -1 (sd)

ipv6
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray) 0x5621918d7b40) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray) 0x5621918d7b60) (s)
    route-metric : -1 (sd)
    route-table : 0 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_DISABLED) (s)
    addr-gen-mode : 1 (sd)
    token : NULL (sd)

proxy
    method : 0 (sd)
    browser-only : FALSE (sd)
    pac-url : NULL (sd)
    pac-script : NULL (sd)

vpn
    service-type : "org.freedesktop.NetworkManager.l2tp" (s)
    user-name : NULL (sd)
    persistent : FALSE (sd)
    data : ((GHashTable) 0x7f5a68006de0) (s)
    secrets : ((GHashTable) 0x7f5a68006de0) (s)
    timeout : 0 (sd)

ipv4
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray) 0x5621918d7c60) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray) 0x5621918d7c80) (s)
    route-metric : -1 (sd)
    route-table : 0 (sd)
    ignore-auto-routes : TRUE (s)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : TRUE (s)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    dhcp-client-id : NULL (sd)
    dhcp-fqdn : NULL (sd)

nm-l2tp[5007] starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.6.2 IPsec [starter]...
Loading config setup
Loading conn '16cf875c-2365-46fb-88b4-b201aa0c44a0'
found netkey IPsec stack
nm-l2tp[5007] Spawned ipsec up script with PID 5087.
initiating Main Mode IKE_SA 16cf875c-2365-46fb-88b4-b201aa0c44a0[1] to 91.a.b.101
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 100.100.13.22[500] to 91.a.b.101[500] (180 bytes)
received packet: from 91.a.b.101[500] to 100.100.13.22[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 100.100.13.22[500] to 91.a.b.101[500] (716 bytes)
received packet: from 91.a.b.101[500] to 100.100.13.22[500] (776 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: 98:51:ee:57:3a:3f:63:7a:e9:06:94:bd:fe:9a:9f:16
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 100.100.13.22[4500] to 91.a.b.101[4500] (124 bytes)
received packet: from 91.a.b.101[4500] to 100.100.13.22[4500] (124 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA 16cf875c-2365-46fb-88b4-b201aa0c44a0[1] established between 100.100.13.22[100.100.13.22]...91.a.b.101[91.a.b.101]
scheduling reauthentication in 9956s
maximum IKE_SA lifetime 10496s
generating QUICK_MODE request 2763205389 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 100.100.13.22[4500] to 91.a.b.101[4500] (236 bytes)
received packet: from 91.a.b.101[4500] to 100.100.13.22[4500] (140 bytes)
parsed INFORMATIONAL_V1 request 3542422153 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection '16cf875c-2365-46fb-88b4-b201aa0c44a0' failed
nm-l2tp[5007] strongSwan IPsec tunnel is up.
Message: 10:56:09.797: xl2tpd started with pid 5096
xl2tpd[5096]: Not looking for kernel SAref support.
xl2tpd[5096]: Using l2tp kernel support.
xl2tpd[5096]: xl2tpd version xl2tpd-1.3.10 started on lion-msi PID:5096
xl2tpd[5096]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[5096]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[5096]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[5096]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[5096]: Listening on IP address 0.0.0.0, port 43988
xl2tpd[5096]: get_call: allocating new tunnel for host 91.a.b.101, port 1701.
xl2tpd[5096]: Connecting to host 91.a.b.101, port 1701
xl2tpd[5096]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
xl2tpd[5096]: control_finish: sending SCCRQ
xl2tpd[5096]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[5096]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[5096]: framing_caps_avp: supported peer frames:
xl2tpd[5096]: firmware_rev_avp: peer reports firmware version 4400 (0x1130)
xl2tpd[5096]: hostname_avp: peer reports hostname 'tmn-pleh-3945e'
xl2tpd[5096]: vendor_avp: peer reports vendor 'Cisco Systems, Inc.'
xl2tpd[5096]: assigned_tunnel_avp: using peer's tunnel 48395
xl2tpd[5096]: receive_window_size_avp: peer wants RWS of 1024. Will use flow control.
xl2tpd[5096]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 48395, call is 0.
xl2tpd[5096]: control_finish: sending SCCCN
xl2tpd[5096]: Connection established to 91.a.b.101, 1701. Local: 43783, Remote: 48395 (ref=0/0).
xl2tpd[5096]: Calling on tunnel 43783
xl2tpd[5096]: control_finish: message type is (null)(0). Tunnel is 48395, call is 0.
xl2tpd[5096]: control_finish: sending ICRQ
xl2tpd[5096]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[5096]: assigned_call_avp: using peer's call 65268
xl2tpd[5096]: control_finish: message type is Incoming-Call-Reply(11). Tunnel is 48395, call is 65268.
xl2tpd[5096]: control_finish: Sending ICCN
xl2tpd[5096]: Call established with 91.a.b.101, Local: 35830, Remote: 65268, Serial: 1 (ref=0/0)
xl2tpd[5096]: start_pppd: I'm running:
xl2tpd[5096]: "/usr/sbin/pppd"
xl2tpd[5096]: "plugin"
xl2tpd[5096]: "pppol2tp.so"
xl2tpd[5096]: "pppol2tp"
xl2tpd[5096]: "7"
xl2tpd[5096]: "passive"
xl2tpd[5096]: "nodetach"
xl2tpd[5096]: ":"
xl2tpd[5096]: "debug"
xl2tpd[5096]: "file"
xl2tpd[5096]: "/var/run/nm-l2tp-ppp-options-16cf875c-2365-46fb-88b4-b201aa0c44a0"
nm-l2tp[5007] Terminated xl2tpd daemon with PID 5096.
xl2tpd[5096]: death_handler: Fatal signal 15 received
xl2tpd[5096]: Terminating pppd: sending TERM signal to pid 5097
xl2tpd[5096]: Connection 48395 closed to 91.a.b.101, port 1701 (Server closing)
Stopping strongSwan IPsec...
Message: 10:56:38.606: ipsec shut down
nm-l2tp[5007] xl2tpd exited with error code 1
Stopping strongSwan IPsec failed: starter is not running
** Message: 10:56:38.610: ipsec shut down

L2TP comes up, BUT not encrypted. There is no IPsec SA on the Cisco and no SA on Linux:

lion-msi ~ # ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-91-generic, x86_64):
  uptime: 20 seconds, since Apr 20 11:02:53 2020
  malloc: sbrk 3366912, mmap 532480, used 1267328, free 2099584
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
  100.100.13.22
  10.95.251.82
Connections:
16cf875c-2365-46fb-88b4-b201aa0c44a0:  %any...91.a.b.101  IKEv1
16cf875c-2365-46fb-88b4-b201aa0c44a0:   local:  [100.100.13.22] uses pre-shared key authentication
16cf875c-2365-46fb-88b4-b201aa0c44a0:   remote: uses pre-shared key authentication
16cf875c-2365-46fb-88b4-b201aa0c44a0:   child:  dynamic === dynamic[udp/l2f] TRANSPORT
Security Associations (1 up, 0 connecting):
16cf875c-2365-46fb-88b4-b201aa0c44a0[1]: ESTABLISHED 19 seconds ago, 100.100.13.22[100.100.13.22]...91.a.b.101[91.a.b.101]
16cf875c-2365-46fb-88b4-b201aa0c44a0[1]: IKEv1 SPIs: 8e2b9e7d6d7fc2f8_i* 6d96494a6d7c269c_r, pre-shared key reauthentication in 2 hours
16cf875c-2365-46fb-88b4-b201aa0c44a0[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096

ShyLionTjmn commented 4 years ago

Where can I see which nets/proto/port are in the phase 2 proposal? I suspect the problem is there.

dkosovic commented 4 years ago
lion-msi ~ # sudo CHARONDEBUG="all 2" /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[5007] nm-l2tp-service (version 1.2.8) starting...

NetworkManager-l2tp 1.2.8 is pretty old and doesn't know anything about the CHARONDEBUG env variable, which I think was first introduced in version 1.2.14. So you should be able to see a lot more debugging with later versions.

Could you try enabling "Enforce UDP encapsulation" in the IPsec config options, which corresponds to the strongSwan forceencaps option:

forceencaps = yes

force UDP encapsulation for ESP packets even if no NAT situation is detected. This may help to surmount restrictive firewalls. In order to force the peer to encapsulate packets, NAT detection payloads are faked.

ShyLionTjmn commented 4 years ago

It's Mint 19.

Enforcing UDP just skips ESP to UDP 4500 transition, nothing else changes in debugs.

ShyLionTjmn commented 4 years ago

Will try to go up to Mint 19.3

dkosovic commented 4 years ago

You can find newer packages on the following PPA:

ShyLionTjmn commented 4 years ago

Upgraded to 1.2.16 and to Mint 19.3. Still got the same debug output.

Used: sudo CHARONDEBUG="dmn 3,mgr 3,ike 3,chd 3,job 3,cfg 3,knl 3,net 3,asn 3,enc 3,tnc 3,imc 3,imv 3,pts 3,tls 3,esp 3,lib 3" /usr/lib/NetworkManager/nm-l2tp-service --debug

....
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 100.100.13.22[4500] to 91.a.b.101[4500] (124 bytes)
received packet: from 91.a.b.101[4500] to 100.100.13.22[4500] (124 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA 16cf875c-2365-46fb-88b4-b201aa0c44a0[1] established between 100.100.13.22[100.100.13.22]...91.a.b.101[91.a.b.101]
scheduling reauthentication in 10061s
maximum IKE_SA lifetime 10601s
generating QUICK_MODE request 2977422572 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 100.100.13.22[4500] to 91.a.b.101[4500] (236 bytes)
received packet: from 91.a.b.101[4500] to 100.100.13.22[4500] (140 bytes)
parsed INFORMATIONAL_V1 request 2676519167 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection '16cf875c-2365-46fb-88b4-b201aa0c44a0' failed
...

Despite the ipsec error, l2tp comes up (Cisco permits l2tp without ipsec by config).

ShyLionTjmn commented 4 years ago

Feels like CHARONDEBUG has no effect

ShyLionTjmn commented 4 years ago

cat /var/run/nm-l2tp-16cf875c-2365-46fb-88b4-b201aa0c44a0/ipsec.conf

config setup
    charondebug="dmn 4,mgr 4,ike 4,chd 4,job 4,cfg 4,knl 4,net 4,asn 4,enc 4,tnc 4,imc 4,imv 4,pts 4,tls 4,esp 4,lib 4"

conn 16cf875c-2365-46fb-88b4-b201aa0c44a0
    auto=add
    type=transport
    authby=secret
    left=%defaultroute
    leftprotoport=udp/l2tp
    right=91.a.b.101
    rightid=%any
    rightprotoport=udp/l2tp
    keyingtries=%forever
    ike=aes256-sha512-modp4096!
    esp=aes256-sha512!
    forceencaps=yes
    keyexchange=ikev1

dkosovic commented 4 years ago

In the following code: https://github.com/nm-l2tp/NetworkManager-l2tp/blob/master/src/nm-l2tp-service.c#L1463

the log output will only print "strongSwan IPsec tunnel is up" if the following has ESTABLISHED in the output:

/usr/sbin/ipsec status '16cf875c-2365-46fb-88b4-b201aa0c44a0'

So it looks like a false positive when it comes to strongSwan claiming the connection has been established.

I've never seen Win10 use aes256-sha512 for phase 2. Could you try leaving the Phase 2 Algorithms blank? The newer network-manager-l2tp uses a merge of Windows 10 and macOS/iOS/iPadOS L2TP/IPsec clients' IKEv1 proposals for its default (instead of using strongSwan's defaults). The weakest proposals that were not common to both Win10 and iOS were dropped, but all of the strongest ones were kept.
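The false positive described in this comment, as an added example (not code from NetworkManager-l2tp or strongSwan): a grep for ESTABLISHED over `ipsec statusall` output only proves the IKE_SA (the `[n]` lines) exists, while the L2TP traffic is protected only once a CHILD_SA (the `{n}` lines, INSTALLED) exists. The first sample is the status output posted in this issue; the second appends a constructed healthy CHILD_SA block, whose line format and SPIs are assumed, to show the difference.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

CONN = "16cf875c-2365-46fb-88b4-b201aa0c44a0"

# Sample 1: the 'Security Associations' section of the ipsec statusall output
# posted in this issue. Only the IKE_SA ([1]) exists; no CHILD_SA ({n}) line
# follows, so no ESP SA protects the L2TP packets even though ESTABLISHED appears.
STATUS_IKE_ONLY = f"""\
Security Associations (1 up, 0 connecting):
{CONN}[1]: ESTABLISHED 19 seconds ago, 100.100.13.22[100.100.13.22]...91.a.b.101[91.a.b.101]
{CONN}[1]: IKEv1 SPIs: 8e2b9e7d6d7fc2f8_i* 6d96494a6d7c269c_r, pre-shared key reauthentication in 2 hours
{CONN}[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096
"""

# Sample 2 (constructed): the same connection after Quick Mode succeeds. The {1}
# lines, their SPIs and rekey timer are invented to show what a healthy
# transport-mode L2TP CHILD_SA looks like in strongSwan's status output.
STATUS_WITH_CHILD = STATUS_IKE_ONLY + f"""\
{CONN}{{1}}:  INSTALLED, TRANSPORT in UDP, reqid 1, ESP in UDP SPIs: c1a2b3d4_i e5f60718_o
{CONN}{{1}}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
{CONN}{{1}}:   100.100.13.22/32[udp/l2tp] === 91.a.b.101/32[udp/l2tp]
"""

# Charon log fragments taken from this issue, used as constructed samples.
LOG_NO_PROPOSAL = ("received NO_PROPOSAL_CHOSEN error notify\n"
                   f"establishing connection '{CONN}' failed\n")
LOG_BAD_TS = ("no acceptable traffic selectors found\n"
              "generating INFORMATIONAL_V1 request 3898703653 [ HASH N(NO_PROP) ]\n")


@dataclass
class TunnelState:
    ike_established: bool = False
    child_installed: bool = False
    traffic_selectors: List[str] = field(default_factory=list)

    @property
    def protected(self) -> bool:
        """Traffic is only encrypted once a CHILD_SA is installed, not at IKE_SA."""
        return self.ike_established and self.child_installed


def naive_is_up(status: str, conn: str) -> bool:
    """The check the comment describes: any ESTABLISHED line for this conn."""
    return any(line.startswith(conn) and "ESTABLISHED" in line
               for line in status.splitlines())


def tunnel_state(status: str, conn: str) -> TunnelState:
    """Separate IKE_SA ([n] ESTABLISHED) from CHILD_SA ({n} INSTALLED) lines."""
    c = re.escape(conn)
    ike_re = re.compile(rf"^{c}\[\d+\]:\s+ESTABLISHED\b")
    child_re = re.compile(rf"^{c}\{{\d+\}}:\s+INSTALLED\b")
    # A CHILD_SA's traffic selector line: "<local TS> === <remote TS>".
    ts_re = re.compile(rf"^{c}\{{\d+\}}:\s+(\S+\s+===\s+\S+)\s*$")
    state = TunnelState()
    for line in status.splitlines():
        if ike_re.match(line):
            state.ike_established = True
        elif child_re.match(line):
            state.child_installed = True
        else:
            m = ts_re.match(line)
            if m:
                state.traffic_selectors.append(re.sub(r"\s+", " ", m.group(1)))
    return state


def quick_mode_failure(log: str) -> Optional[str]:
    """Map the Quick Mode failure lines seen in this issue to a cause."""
    if "no acceptable traffic selectors found" in log:
        return "traffic selector mismatch (local rejected peer's ID payloads)"
    if "NO_PROPOSAL_CHOSEN" in log:
        return "phase 2 proposal rejected (NO_PROPOSAL_CHOSEN)"
    return None


if __name__ == "__main__":
    for name, status in (("issue output", STATUS_IKE_ONLY), ("healthy", STATUS_WITH_CHILD)):
        st = tunnel_state(status, CONN)
        print(f"{name}: naive={naive_is_up(status, CONN)} protected={st.protected} "
              f"ts={st.traffic_selectors}")
    print(quick_mode_failure(LOG_NO_PROPOSAL))
```

On the issue's own output `naive_is_up` returns True while `tunnel_state(...).protected` is False, which is exactly the "tunnel is up" message followed by unencrypted L2TP that the reporter observed.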

dkosovic commented 4 years ago

You could try switching from strongswan to libreswan to see if it helps, e.g.:

sudo killall -TERM nm-l2tp-service
sudo apt install libreswan

You'll need to remove or modify the existing Phase 1 Algorithms as libreswan doesn't like ! at the end.

ShyLionTjmn commented 4 years ago

nm-l2tp[7915] starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.6.2 IPsec [starter]...
Loading config setup
Loading conn '16cf875c-2365-46fb-88b4-b201aa0c44a0'
found netkey IPsec stack
nm-l2tp[7915] Spawned ipsec up script with PID 8684.
initiating Main Mode IKE_SA 16cf875c-2365-46fb-88b4-b201aa0c44a0[1] to 91.a.b.101
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 100.100.13.22[500] to 91.a.b.101[500] (532 bytes)
received packet: from 91.a.b.101[500] to 100.100.13.22[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 100.100.13.22[500] to 91.a.b.101[500] (244 bytes)
received packet: from 91.a.b.101[500] to 100.100.13.22[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: 98:51:ee:57:c0:0c:09:5e:d0:10:db:8c:a2:39:b1:5f
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 100.100.13.22[4500] to 91.a.b.101[4500] (76 bytes)
received packet: from 91.a.b.101[4500] to 100.100.13.22[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA 16cf875c-2365-46fb-88b4-b201aa0c44a0[1] established between 100.100.13.22[100.100.13.22]...91.a.b.101[91.a.b.101]
scheduling reauthentication in 10116s
maximum IKE_SA lifetime 10656s
generating QUICK_MODE request 1588911043 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 100.100.13.22[4500] to 91.a.b.101[4500] (252 bytes)
received packet: from 91.a.b.101[4500] to 100.100.13.22[4500] (204 bytes)
parsed QUICK_MODE response 1588911043 [ HASH SA No ID ID NAT-OA NAT-OA N((24576)) ]
no acceptable traffic selectors found
generating INFORMATIONAL_V1 request 3898703653 [ HASH N(NO_PROP) ]
sending packet: from 100.100.13.22[4500] to 91.a.b.101[4500] (76 bytes)
establishing connection '16cf875c-2365-46fb-88b4-b201aa0c44a0' failed
nm-l2tp[7915] strongSwan IPsec tunnel is up.
** Message: 13:04:56.251: xl2tpd started with pid 8693

Cisco's debug shows that now my machine does not accept the proposal.

Apr 20 13:02:36: IPSEC(create_sa): sa created,
  (sa) sa_dest= 91.a.b.101, sa_proto= 50,
    sa_spi= 0x20A4CFA5(547671973),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2390
    sa_lifetime(k/sec)= (4608000/3600)
Apr 20 13:02:36: IPSEC(create_sa): sa created,
  (sa) sa_dest= 185.x.y.113, sa_proto= 50,
    sa_spi= 0xCA636083(3395510403),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2391
    sa_lifetime(k/sec)= (4608000/3600)
Apr 20 13:02:36: ISAKMP:(12287):Received IPSec Install callback... proceeding with the negotiation
Apr 20 13:02:36: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_KMI_CREATE_SA message to ACL, static seqno 65535, dynamic seqno 1
Apr 20 13:02:36: ISAKMP:(12287): sending packet to 185.x.y.113 my_port 4500 peer_port 4500 (R) QM_IDLE
Apr 20 13:02:36: ISAKMP:(12287):Sending an IKE IPv4 Packet.
Apr 20 13:02:36: ISAKMP:(12287):Node 1420213629, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Apr 20 13:02:36: ISAKMP:(12287):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
Apr 20 13:02:36: ISAKMP (12287): received packet from 185.x.y.113 dport 4500 sport 4500 Global (R) QM_IDLE
Apr 20 13:02:36: ISAKMP: set new node 1669698630 to QM_IDLE
Apr 20 13:02:36: ISAKMP:(12287): processing HASH payload. message ID = 1669698630
Apr 20 13:02:36: ISAKMP:(12287): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 3395510403, message ID = 1669698630, sa = 0x290C11D8

ShyLionTjmn commented 4 years ago

sudo killall -TERM nm-l2tp-service
sudo apt install libreswan

oh yes, that helped!

ShyLionTjmn commented 4 years ago

I suggest strongswan and Cisco did not agree on traffic selectors.

dkosovic commented 4 years ago

Glad to hear you got the connection working with libreswan.

Not sure what the issue was with charondebug in the generated ipsec.conf not having any effect. But I did read: "If you define any log settings in strongswan.conf, charondebug does not have any effect at all."

ShyLionTjmn commented 4 years ago

Thank you for help!