Closed cristobaltapia closed 4 years ago
`Auth=RSA_Sig` means it supports machine certificates for the IPsec authentication; it also supports PSK with `Auth=PSK`. You would need to use NetworkManager-l2tp >= 1.8.0 for machine certificate support (note: PSK is still supported with versions >= 1.8.0).
With NetworkManager-l2tp >= 1.2.16 you shouldn't need to enter anything for the phase 1 & 2 algorithms, as it no longer uses the strongSwan and libreswan default set of allowed algorithms; instead, the default is a merge of the Windows 10 and macOS/iOS/iPadOS L2TP/IPsec clients' IKEv1 proposals. The weakest proposals that were not common to both Win10 and iOS were dropped, but all of the strongest ones were kept. See:
Unfortunately the `ike-scan.sh` script only does phase 1 (main mode).
If you are not using NetworkManager-l2tp >= 1.2.16, I would recommend the following phase 2 (quick mode) algorithms for libreswan:
`aes256-sha1,aes128-sha1,3des-sha1`
or the following for strongSwan:
`aes256-sha1,aes128-sha1,3des-sha1!`
which are the phase 2 algorithms used by Win10 and macOS (as well as iOS and iPadOS).
If you are using Ubuntu < 20.04, I would recommend using the following PPA for a newer version of network-manager-l2tp than what comes with Ubuntu:
I will try and update the wiki this week to make it clearer.
Thanks for the detailed answer! I changed the Phase algorithms accordingly. I am using Archlinux btw.
However, I am having a problem with ipsec. I posted it here. It used to work until last week. I don't know what I did.
On the libreswan issues page:
I see a "runtime breakage with Libreswan and nss-3.52" issue on that page, and Arch Linux seems to be using NSS 3.52:
Perhaps the Arch Linux version of libreswan could be built with `USE_NSS_PRF=false` as mentioned in that issue.
EDIT: updated as Arch Linux is using NSS 3.52
Thanks for that information! (and for this program that allows me to work from home!... especially useful in these times ;) )
Hi, I am having problems interpreting the output of the `ike-scan.sh` script from the wiki. Could there be some additional references in that wiki page as to how the output is translated to the different phase algorithms? For example, I get this:
but don't know how to interpret it. I mean, some of the lines are mostly the same as in the example, but what should I use for `Auth=RSA_Sig`, for example?
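The translation the original poster asks about, and the libreswan-versus-strongSwan syntax difference the maintainer points out, as an added example that is not part of this thread, the wiki script, or the NetworkManager-l2tp project: a small Python helper that turns the `SA=(...)` lines ike-scan prints for each accepted phase 1 (main mode) proposal into `ike=` proposal strings for both backends. The sample output is constructed in the shape ike-scan uses (the poster's real output is not on the page), the field names assumed are `Enc`, `KeyLength`, `Hash`, `Group` and `Auth`, and `192.0.2.1` is a documentation address.

```python
import re

# Constructed sample lines in the shape ike-scan prints for an accepted
# proposal. NOT the poster's real output (which is not on the page);
# 192.0.2.1 is a documentation address and the cookie is made up.
SAMPLE_IKE_SCAN_OUTPUT = """\
192.0.2.1\tMain Mode Handshake returned HDR=(CKY-R=0123456789abcdef) SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
192.0.2.1\tMain Mode Handshake returned HDR=(CKY-R=0123456789abcdef) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
192.0.2.1\tMain Mode Handshake returned HDR=(CKY-R=0123456789abcdef) SA=(Enc=AES KeyLength=128 Hash=SHA2-256 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.010 seconds (100.00 hosts/sec).  1 returned handshake; 0 returned notify
"""

SA_RE = re.compile(r"SA=\((?P<body>[^)]*)\)")
FIELD_RE = re.compile(r"([A-Za-z0-9-]+)=([^\s)]+)")

# ike-scan hash names -> names used in strongSwan/libreswan ike= lines
HASH_NAMES = {
    "MD5": "md5",
    "SHA1": "sha1",
    "SHA2-256": "sha256",
    "SHA2-384": "sha384",
    "SHA2-512": "sha512",
}


def parse_sa(line):
    """Return the SA=(...) fields of one ike-scan line as a dict, or None."""
    m = SA_RE.search(line)
    if m is None:
        return None
    return dict(FIELD_RE.findall(m.group("body")))


def to_proposal(fields):
    """Map parsed fields to an 'enc-hash-group' phase 1 proposal string.

    Auth is deliberately left out: Auth=PSK / Auth=RSA_Sig says HOW the peer
    authenticates (pre-shared key vs. certificate), which is a separate
    setting in NetworkManager-l2tp, not part of the algorithm proposal.
    """
    enc = fields["Enc"].lower()
    if enc == "aes":
        # ike-scan reports the AES key size separately; swan syntax folds it in
        enc += fields.get("KeyLength", "128")
    hash_name = HASH_NAMES.get(fields["Hash"], fields["Hash"].lower())
    # ike-scan prints "<number>:<name>", e.g. "2:modp1024" -> "modp1024"
    group = fields["Group"].split(":", 1)[-1]
    return f"{enc}-{hash_name}-{group}"


def phase1_proposals(output, auth=None):
    """Unique phase 1 proposals in scan order, optionally only those the
    server accepted with a given Auth value ("PSK" or "RSA_Sig")."""
    proposals = []
    for line in output.splitlines():
        fields = parse_sa(line)
        if fields is None:
            continue
        if auth is not None and fields.get("Auth") != auth:
            continue
        proposal = to_proposal(fields)
        if proposal not in proposals:
            proposals.append(proposal)
    return proposals


def to_libreswan(proposals):
    """libreswan ike= value: comma-separated list, no terminator."""
    return ",".join(proposals)


def to_strongswan(proposals):
    """strongSwan ike= value: same list, with '!' so ONLY these are accepted."""
    return ",".join(proposals) + "!"


if __name__ == "__main__":
    props = phase1_proposals(SAMPLE_IKE_SCAN_OUTPUT)
    print("libreswan  ike=" + to_libreswan(props))
    print("strongSwan ike=" + to_strongswan(props))
    print("PSK-only  :", phase1_proposals(SAMPLE_IKE_SCAN_OUTPUT, auth="PSK"))
```

Two caveats when using the result: ike-scan reports what the server will accept, not what it prefers, so order the list yourself with the strongest entries (larger AES keys, SHA-2, modp2048 and up) first before pasting it into the phase 1 field; and the `Auth=` value only tells you whether the server takes a pre-shared key or a certificate, which you choose separately in the connection settings rather than in the algorithm string.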