nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Interpreting the output of ike-scan.sh script #139

Closed cristobaltapia closed 4 years ago

cristobaltapia commented 4 years ago

Hi, I am having problems interpreting the output of the ike-scan.sh script from the wiki. Could there be some additional references in that wiki page as to how the output is translated to the different phase algorithms?

For example, I get this:

SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)

but don't know how to interpret it. I mean, there are some of the lines that are mostly the same as in the example, but what should I use for Auth=RSA_Sig for example?

dkosovic commented 4 years ago

Auth=RSA_Sig means it supports machine certificates for the IPsec authentication. It also supports PSK with Auth=PSK. You would need to use NetworkManager-l2tp >= 1.8.0 for machine certificate support (note: PSK is still supported with versions >= 1.8.0).

With NetworkManager-l2tp >= 1.2.16 you shouldn't need to enter anything for the phase 1 & 2 algorithms, as it no longer uses the strongSwan and libreswan default set of allowed algorithms; instead, the default is a merge of the IKEv1 proposals of the Windows 10 and macOS/iOS/iPadOS L2TP/IPsec clients. The weakest proposals that were not common to both Win10 and iOS were dropped, but all of the strongest ones were kept. See:

Unfortunately the ike-scan.sh script only does phase 1 (main mode).

If you are not using NetworkManager-l2tp >= 1.2.16, I would recommend the following phase 2 (quick mode) algorithms for libreswan:

aes256-sha1,aes128-sha1,3des-sha1

or the following for strongswan:

aes256-sha1,aes128-sha1,3des-sha1!

which are the phase 2 algorithms used by Win10 and macOS (as well as iOS and iPadOS).

If you are using Ubuntu < 20.04, I would recommend using the following PPA for a newer version of network-manager-l2tp than what comes with Ubuntu:
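The answer above explains what each field of an ike-scan.sh line means but leaves the translation into a phase 1 algorithm string to the reader. The following is an added example, not code from the NetworkManager-l2tp project or from anyone in this thread: it parses the SA=(...) lines quoted in the question (embedded here as constructed sample input) into the "enc-hash-dhgroup" strings that strongSwan (with the trailing "!" used in this thread) and libreswan ("enc-hash;dhgroup") accept, selects proposals by authentication method, optionally drops the weak ones, and decodes the hex LifeDuration into seconds. The DH group, hash and cipher name tables are assumptions taken from the strongSwan and libreswan documentation, not from this page; as the answer notes, ike-scan.sh only probes phase 1 (main mode), so nothing here produces a phase 2 (quick mode) string.

```python
import re

# Constructed sample input: the phase 1 (main mode) proposals quoted in the question.
SAMPLE = """\
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
"""

# IANA IKEv1 DH group number -> (strongSwan name, libreswan name).
# Assumed from the strongSwan/libreswan docs; not taken from this issue.
DH_GROUPS = {
    1: ("modp768", "modp768"),
    2: ("modp1024", "modp1024"),
    5: ("modp1536", "modp1536"),
    14: ("modp2048", "modp2048"),
    15: ("modp3072", "modp3072"),
    16: ("modp4096", "modp4096"),
    19: ("ecp256", "dh19"),
    20: ("ecp384", "dh20"),
    21: ("ecp521", "dh21"),
}
# ike-scan hash name -> (strongSwan name, libreswan name); also assumed.
HASHES = {
    "MD5": ("md5", "md5"),
    "SHA1": ("sha1", "sha1"),
    "SHA2-256": ("sha256", "sha2_256"),
    "SHA2-384": ("sha384", "sha2_384"),
    "SHA2-512": ("sha512", "sha2_512"),
}
# Proposals a practitioner would normally not enable by hand (choice of this example).
WEAK_ENC = {"des", "3des"}
WEAK_GROUPS = {1, 2, 5}
WEAK_HASHES = {"MD5"}

# "Key=value" tokens; the optional "(4)" handles "LifeDuration(4)=0x00007080".
KV_RE = re.compile(r"(\w+)(?:\(\d+\))?=(\S+)")


def parse_sa_lines(text):
    """Turn ike-scan.sh SA=(...) lines into a list of proposal dicts."""
    proposals = []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("SA=(") and line.endswith(")")):
            continue  # ignore banner/other output
        fields = dict(KV_RE.findall(line[4:-1]))
        enc = fields["Enc"].lower()
        if "KeyLength" in fields:          # "AES KeyLength=128" -> "aes128"
            enc += fields["KeyLength"]
        group = int(fields["Group"].split(":")[0])   # "2:modp1024" -> 2
        proposals.append({
            "enc": enc,
            "hash": fields["Hash"],
            "group": group,
            "auth": fields["Auth"],
            # LifeDuration is a hex byte string; int(..., 16) accepts the 0x prefix.
            "lifetime_s": int(fields.get("LifeDuration", "0"), 16),
        })
    return proposals


def is_weak(p):
    return p["enc"] in WEAK_ENC or p["group"] in WEAK_GROUPS or p["hash"] in WEAK_HASHES


def render_phase1(proposals, backend, auth="PSK", drop_weak=False):
    """Build the phase 1 algorithm string for backend 'strongswan' or 'libreswan'."""
    idx = 0 if backend == "strongswan" else 1
    out = []
    for p in proposals:
        if p["auth"] != auth or (drop_weak and is_weak(p)):
            continue
        if p["group"] not in DH_GROUPS or p["hash"] not in HASHES:
            continue  # unknown to our tables: leave it out rather than guess a name
        dh, h = DH_GROUPS[p["group"]][idx], HASHES[p["hash"]][idx]
        entry = f"{p['enc']}-{h}-{dh}" if backend == "strongswan" else f"{p['enc']}-{h};{dh}"
        if entry not in out:
            out.append(entry)
    joined = ",".join(out)
    # The thread's strongSwan examples end in "!" (strict proposal list).
    return joined + "!" if backend == "strongswan" and joined else joined


if __name__ == "__main__":
    props = parse_sa_lines(SAMPLE)
    for p in props:
        print(p)
    for backend in ("strongswan", "libreswan"):
        for auth in ("PSK", "RSA_Sig"):
            print(backend, auth, render_phase1(props, backend, auth, drop_weak=True))
```

Run it against the real ike-scan.sh output instead of SAMPLE; with drop_weak=True the 3DES/modp1024 proposal is left out, which matches the "weakest proposals dropped" policy the answer describes for the NetworkManager-l2tp >= 1.2.16 defaults.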

dkosovic commented 4 years ago

I will try and update the wiki this week to make it clearer.

cristobaltapia commented 4 years ago

Thanks for the detailed answer! I changed the Phase algorithms accordingly. I am using Archlinux btw.

However, I am having a problem with ipsec. I posted it here. It used to work until last week. I don't know what I did.

dkosovic commented 4 years ago

On the libreswan issues page:

I see a "runtime breakage with Libreswan and nss-3.52" issue on that page, and Arch Linux seems to be using NSS 3.52:

Perhaps the Arch Linux version of libreswan could be built with USE_NSS_PRF=false as mentioned in that issue.

EDIT: updated as Arch Linux is using NSS 3.52

cristobaltapia commented 4 years ago

Thanks for that information! (and for this program that allows me to work from home!... especially useful in these times ;) )