nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Tunnel can't connect with Strongswan stopped in phase 2: "received DELETE for IKE_SA" #157

Closed ebourmalo closed 3 years ago

ebourmalo commented 3 years ago

I'm trying to connect my laptop running Ubuntu 20.04 to a Sonicwall VPN, but Strongswan is stopped at the end of phase 2. The connection sometimes even gets established before receiving the DELETE instruction.

To start with, I configured the connection with the network-manager GUI (network-manager-gnome).

Here are the logs from journalctl --unit=NetworkManager showing this behaviour:

Feb 14 04:13:03 Emmanuels-MBP NetworkManager[5320]: connection 'bc95ce27-ab98-457f-8cb4-c82578e6f262' established successfully
Feb 14 04:13:03 Emmanuels-MBP charon[5291]: 03[NET] received packet: from xx.xx.xx.xx[4500] to 192.168.235.132[4500] (84 bytes)
Feb 14 04:13:03 Emmanuels-MBP charon[5291]: 03[ENC] parsed INFORMATIONAL_V1 request 2833268232 [ HASH D ]
Feb 14 04:13:03 Emmanuels-MBP charon[5291]: 03[IKE] received DELETE for IKE_SA bc95ce27-ab98-457f-8cb4-c82578e6f262[1]
Feb 14 04:13:03 Emmanuels-MBP charon[5291]: 03[IKE] deleting IKE_SA bc95ce27-ab98-457f-8cb4-c82578e6f262[1] between 192.168.235.132[192.168.235.132]...xx.xx.xx.xx[192.168.1.2]
Feb 14 04:13:03 Emmanuels-MBP charon[5291]: 03[IKE] deleting IKE_SA bc95ce27-ab98-457f-8cb4-c82578e6f262[1] between 192.168.235.132[192.168.235.132]...xx.xx.xx.xx[192.168.1.2]
Feb 14 04:13:03 Emmanuels-MBP NetworkManager[5328]: Stopping strongSwan IPsec...

I succeeded in connecting my MacBook running OS X Catalina (10.15.6) with a native L2TP over IPsec configuration, so everything should be OK on the VPN server side to make it work with my Ubuntu laptop.

Here is the configuration of the connection:

sudo cat /etc/NetworkManager/system-connections/testvpn.nmconnection

[connection]
id=testvpn
uuid=bc95ce27-ab98-457f-8cb4-c82578e6f262
type=vpn
autoconnect=false
permissions=user:manu:;

[vpn]
gateway=xx.xx.xx.xx
ipsec-enabled=yes
ipsec-esp=3des-sha1!
ipsec-ike=3des-sha1-modp1024!
ipsec-psk=xxxxx
password-flags=0
user=vpn-test-6
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
password=xxxxxx

[ipv4]
address1=192.168.100.40/0,192.168.100.40
dns=10.198.45.241;
dns-search=
ignore-auto-dns=true
method=manual

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

[proxy]

The installed version of network-manager-l2tp is 1.2.18-1~ubuntu20.04.1~ppa2

I also ran an ike-scan to make sure phase 1 was correctly setup:

$> ike-scan xx.xx.xx.xx
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
xx.xx.xx.xx   Main Mode Handshake returned HDR=(CKY-R=83693253f6a985d1) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=5b362bc820f60007 (SonicWall-7)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.035 seconds (28.73 hosts/sec).  1 returned handshake; 0 returned notify

I then read the issue https://github.com/nm-l2tp/NetworkManager-l2tp/issues/145 that seemed to be quite similar and tried to use libreswan.

But it doesn't work either. I end up with a NO_PROPOSAL_CHOSEN issue.

Here is the configuration file used by ipsec:

manu@ubuntu:~$ sudo cat /run/nm-l2tp-bc95ce27-ab98-457f-8cb4-c82578e6f262/ipsec.conf
conn bc95ce27-ab98-457f-8cb4-c82578e6f262
  auto=add
  type=transport
  authby=secret
  left=%defaultroute
  leftprotoport=udp/l2tp
  right=xx.xx.xx.xx
  rightid=%any
  rightprotoport=udp/l2tp
  keyingtries=%forever
  ike=3des-sha1-modp1024!
  esp=3des-sha1!
  ikev2=no

I also attached the full log from trying to connect with StrongSwan: vpn.log. Any idea what could be happening?

dkosovic commented 3 years ago

With later versions of network-manager-l2tp (like the one you are using), you shouldn't need to fill out the phase 1 & 2 algorithms as it will use the same proposals that macOS and iOS are using. If you delete the existing phase 1 & 2 algorithms, it should fix the NO_PROPOSAL_CHOSEN libreswan issue you are having.

The way you ran ike-scan will only test one proposal; it is better to run it with the following ike-scan.sh script, which iterates through a number of proposals: https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#querying-vpn-server-for-its-ikev1-algorithm-proposals

I recommend using libreswan in this case, not sure what the issue is with strongswan and Sonicwall.

ebourmalo commented 3 years ago

Thanks for your help @dkosovic

I ran the ike-scan script and got the following:

manu@ubuntu:~$ sudo ./ike-scan.sh xx.xx.xx.xx | grep SA=
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

When I use libreswan and if I remove the phases, I first get the following output: we require IKEv1 peer to have ID 'xx.xx.xx.xx', but peer declares '192.168.1.2'

Logs:

Feb 14 23:40:34 Emmanuels-MBP pluto[16042]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Feb 14 23:40:34 Emmanuels-MBP pluto[16042]: | ISAKMP Notification Payload
Feb 14 23:40:34 Emmanuels-MBP pluto[16042]: |   00 00 00 1c  00 00 00 01  01 10 60 02
Feb 14 23:40:34 Emmanuels-MBP NetworkManager[16055]: 003 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Feb 14 23:40:34 Emmanuels-MBP pluto[16042]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
Feb 14 23:40:34 Emmanuels-MBP pluto[16042]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: we require IKEv1 peer to have ID 'xx.xx.xx.xx', but peer declares '192.168.1.2'
Feb 14 23:40:34 Emmanuels-MBP NetworkManager[16055]: 002 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
Feb 14 23:40:34 Emmanuels-MBP NetworkManager[16055]: 003 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: we require IKEv1 peer to have ID 'xx.xx.xx.xx', but peer declares '192.168.1.2'
Feb 14 23:40:34 Emmanuels-MBP NetworkManager[16055]: 218 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION

Is it because the VPN server is behind a NAT?

I updated the IPsec settings > Remote ID in the settings and added 192.168.1.2.

When I retry, I get the NO_PROPOSAL_CHOSEN issue (with or without having it in ipsec settings):

Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: | ISAKMP Notification Payload
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: |   00 00 00 1c  00 00 00 01  01 10 60 02
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1024}
Feb 14 23:47:59 Emmanuels-MBP NetworkManager[16405]: 003 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Feb 14 23:47:59 Emmanuels-MBP NetworkManager[16405]: 002 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
Feb 14 23:47:59 Emmanuels-MBP NetworkManager[16405]: 004 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1024}
Feb 14 23:47:59 Emmanuels-MBP NetworkManager[16405]: 002 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:71ef0c6a pr>
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:71ef0c6a proposal=AES_CB>
Feb 14 23:47:59 Emmanuels-MBP NetworkManager[16405]: 117 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #2: STATE_QUICK_I1: initiate
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=52

Is it only a matter of IP settings in the ipsec conf file?

dkosovic commented 3 years ago

In the generated ipsec.conf file for either libreswan or strongswan, it would be using rightid=%any if Remote ID isn't set. Using rightid=%any is normally enough, I think it is just a bug with the version of libreswan you are using. NAT on the VPN server side shouldn't be an issue. If 192.168.1.2 isn't a static private IP address, using 0.0.0.0 (which is equivalent to %any) for Remote ID might work.

PFS is part of the phase 2 (quick mode) proposal, perhaps you might need to click Disable PFS and see if that fixes the NO_PROPOSAL_CHOSEN issue.
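The pluto and charon messages quoted above each point at a different stage of the IKEv1 exchange, and dkosovic's two suggestions map onto two of them. The following triage helper is an added example, not code from this thread or from NetworkManager-l2tp: it walks journal lines in order, decides whether phase 1 completed, and attaches the remedy discussed here to each failure. The sample lines are constructed from the messages quoted in the thread, with the connection name shortened to "conn".

```python
import re

# Constructed sample journal lines, modelled on the pluto and charon messages quoted in this thread.
SAMPLE_LOG = """\
pluto[16042]: "conn" #1: we require IKEv1 peer to have ID 'xx.xx.xx.xx', but peer declares '192.168.1.2'
pluto[16042]: "conn" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
pluto[16392]: "conn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1024}
pluto[16392]: "conn" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW {using isakmp#1}
pluto[16392]: "conn" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=52
charon[5291]: 03[IKE] received DELETE for IKE_SA conn[1]
"""

ID_MISMATCH = re.compile(r"we require IKEv1 peer to have ID '([^']+)', but peer declares '([^']+)'")
SA_ESTABLISHED = re.compile(r"ISAKMP SA established \{([^}]*)\}")
QUICK_MODE = re.compile(r"initiating Quick Mode (\S+)")


def triage(log_text):
    """Walk the journal lines in order and attribute each failure to an IKEv1 phase.

    Returns the phase 1 outcome, the negotiated phase 1 parameters (if any), whether
    PFS was requested in quick mode, and a list of findings with the thread's remedies.
    """
    report = {"phase1": "unknown", "phase1_params": {}, "pfs": None, "findings": []}
    for line in log_text.splitlines():
        if m := ID_MISMATCH.search(line):
            # Phase 1 identity check failed: the peer's ID differs from its public address (NAT).
            report["phase1"] = "failed"
            report["findings"].append({
                "name": "remote-id-mismatch", "phase": 1,
                "expected": m.group(1), "declared": m.group(2),
                "hint": "set Remote ID to the declared ID, or to 0.0.0.0 (same as %any)"})
        elif m := SA_ESTABLISHED.search(line):
            # Phase 1 succeeded; keep the negotiated auth/cipher/integ/group for the report.
            report["phase1"] = "established"
            report["phase1_params"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        elif m := QUICK_MODE.search(line):
            report["pfs"] = "PFS" in m.group(1).split("+")
        elif "NO_PROPOSAL_CHOSEN" in line:
            # Rejected after phase 1 completed means the phase 2 (ESP/PFS) proposal was refused.
            phase = 2 if report["phase1"] == "established" else 1
            hint = ("phase 2 proposal rejected: clear the ESP override and try Disable PFS"
                    if phase == 2 else "phase 1 proposal rejected: clear the IKE override")
            report["findings"].append({"name": "no-proposal-chosen", "phase": phase, "hint": hint})
        elif "received DELETE for IKE_SA" in line:
            report["findings"].append({"name": "ike-sa-deleted", "phase": 2,
                                       "hint": "peer tore down the IKE SA; compare with libreswan"})
    return report
```

Feeding the real journalctl --unit=NetworkManager output into triage() gives the same structure, since the patterns only key on the message text and not on the prefix.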

ebourmalo commented 3 years ago

Wow, I've been trying for a week to connect to the VPN on Ubuntu and just got it working with your help, thanks a lot @dkosovic 🙏

To give the last update:

I'll use these settings with nmcli to automate the connection via CLI only. Thanks again @dkosovic

dkosovic commented 3 years ago

Glad to hear you got it working.

Just a heads-up in the future, libreswan >= 3.30 is no longer built with USE_DH2 (i.e. modp1024 that your VPN server is proposing). So with Ubuntu >= 20.10, you'll need to rebuild libreswan with USE_DH2 and I would recommend re-building network-manager-l2tp with the --enable-libreswan-dh2 configure switch (which sets the default phase 1 algorithms to use modp1024). Or better yet if you can, get your Sonicwall VPN to provide more and stronger proposals.
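The ike-scan.sh script from the wiki (mentioned earlier in the thread) prints one SA=(...) line per proposal the server accepts, and the heads-up above is about one of those attributes, Group=2:modp1024. The following is an added example, not code from this thread or from NetworkManager-l2tp: it parses ike-scan's SA= lines, converts the 3DES proposal to the 3des-sha1-modp1024 notation used in the ipsec.conf quoted earlier, and checks whether a given libreswan version can use a proposal without a USE_DH2 rebuild. The second scan line is constructed for contrast and is not from the thread's server; the version threshold is the one stated above.

```python
import re

# Constructed ike-scan output: the first line mirrors the one quoted in this thread, the
# second is a made-up stronger proposal for contrast.
SAMPLE_SCAN = """\
xx.xx.xx.xx   Main Mode Handshake returned HDR=(CKY-R=83693253f6a985d1) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=5b362bc820f60007 (SonicWall-7)
xx.xx.xx.xx   Main Mode Handshake returned HDR=(CKY-R=0102030405060708) SA=(Enc=AES KeyLength=256 Hash=SHA2-256 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
"""

SA_RE = re.compile(r"SA=\(([^)]*)\)")
DH2_DROPPED_FROM = (3, 30)  # libreswan >= 3.30 is not built with USE_DH2 (per the thread)
LEGACY = {"3DES", "SHA1", "2:modp1024"}  # attributes the thread recommends moving away from


def parse_proposals(scan_text):
    """Return one dict per accepted phase 1 proposal, keyed by ike-scan's attribute names."""
    return [dict(kv.split("=", 1) for kv in m.group(1).split()) for m in SA_RE.finditer(scan_text)]


def to_ike_string(p):
    """Render a proposal as enc-hash-group, e.g. 3des-sha1-modp1024 as used in ipsec.conf.

    Exact for the 3DES/SHA1 case from the thread; other algorithm names may need
    adjusting to libreswan's or strongswan's spelling (assumption, not verified here).
    """
    enc = p["Enc"].lower() + p.get("KeyLength", "")
    return f"{enc}-{p['Hash'].lower()}-{p['Group'].split(':', 1)[1]}"


def parse_version(v):
    return tuple(int(x) for x in v.split("."))


def check_proposal(p, libreswan_version, dh2_enabled=False):
    """Report whether libreswan at this version can use the proposal, and which parts are legacy."""
    problems = []
    if p["Group"].startswith("2:") and parse_version(libreswan_version) >= DH2_DROPPED_FROM \
            and not dh2_enabled:
        problems.append("modp1024 (DH group 2) needs libreswan rebuilt with USE_DH2")
    legacy = [a for a in (p.get("Enc"), p.get("Hash"), p.get("Group")) if a in LEGACY]
    return {"ike": to_ike_string(p), "usable": not problems, "problems": problems, "legacy": legacy}


def check_scan(scan_text, libreswan_version, dh2_enabled=False):
    return [check_proposal(p, libreswan_version, dh2_enabled) for p in parse_proposals(scan_text)]
```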

ebourmalo commented 3 years ago

Wow good to know that, thank you for this precious data @dkosovic, you saved me some days ❤️

rithgan commented 2 months ago

Glad to hear you got it working.

Just a heads-up in the future, libreswan >= 3.30 is no longer built with USE_DH2 (i.e. modp1024 that your VPN server is proposing). So with Ubuntu >= 20.10, you'll need to rebuild libreswan with USE_DH2 and I would recommend re-building network-manager-l2tp with the --enable-libreswan-dh2 configure switch (which sets the default phase 1 algorithms to use modp1024). Or better yet if you can, get your Sonicwall VPN to provide more and stronger proposals.

Can I download an older version of libreswan if I don't want to rebuild it? (Actually I rebuilt it but it's not working as expected.)

dkosovic commented 2 months ago

@rithgan I have no idea which Linux distro you are using.

I previously put up libreswan built with DH2 for Ubuntu 22.04 temporarily here:

Here are the differences in the modified libreswan package compared to what ships with Ubuntu 22.04: