Closed ebourmalo closed 3 years ago
With later versions of network-manager-l2tp (like the one you are using), you shouldn't need to fill out the phase 1 & 2 algorithms as it will use the same proposals that macOS and iOS are using. If you delete the existing phase 1 & 2 algorithms, it should fix the NO_PROPOSAL_CHOSEN libreswan issue you are having.
The way you ran ike-scan will only test one proposal, it is better to run it with the following ike-scan.sh script which iterates through a number of proposals:
https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#querying-vpn-server-for-its-ikev1-algorithm-proposals
I recommend using libreswan in this case, not sure what the issue is with strongswan and Sonicwall.
Thanks for your help @dkosovic
I ran the script ike-scan and got the following:
manu@ubuntu:~$ sudo ./ike-scan.sh xx.xx.xx.xx | grep SA=
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
When I use libreswan and if I remove the phases, I first get the following output:
we require IKEv1 peer to have ID 'xx.xx.xx.xx', but peer declares '192.168.1.2'
Logs:
Feb 14 23:40:34 Emmanuels-MBP pluto[16042]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Feb 14 23:40:34 Emmanuels-MBP pluto[16042]: | ISAKMP Notification Payload
Feb 14 23:40:34 Emmanuels-MBP pluto[16042]: | 00 00 00 1c 00 00 00 01 01 10 60 02
Feb 14 23:40:34 Emmanuels-MBP NetworkManager[16055]: 003 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Feb 14 23:40:34 Emmanuels-MBP pluto[16042]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
Feb 14 23:40:34 Emmanuels-MBP pluto[16042]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: we require IKEv1 peer to have ID 'xx.xx.xx.xx', but peer declares '192.168.1.2'
Feb 14 23:40:34 Emmanuels-MBP NetworkManager[16055]: 002 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
Feb 14 23:40:34 Emmanuels-MBP NetworkManager[16055]: 003 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: we require IKEv1 peer to have ID 'xx.xx.xx.xx', but peer declares '192.168.1.2'
Feb 14 23:40:34 Emmanuels-MBP NetworkManager[16055]: 218 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
Is it because the VPN server is behind a NAT?
I updated the IPsec settings > Remote ID in the settings and added 192.168.1.2.
When I retry, I get the NO_PROPOSAL_CHOSEN issue (with or without having it in ipsec settings):
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: | ISAKMP Notification Payload
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: | 00 00 00 1c 00 00 00 01 01 10 60 02
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1024}
Feb 14 23:47:59 Emmanuels-MBP NetworkManager[16405]: 003 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Feb 14 23:47:59 Emmanuels-MBP NetworkManager[16405]: 002 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
Feb 14 23:47:59 Emmanuels-MBP NetworkManager[16405]: 004 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1024}
Feb 14 23:47:59 Emmanuels-MBP NetworkManager[16405]: 002 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:71ef0c6a pr>
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:71ef0c6a proposal=AES_CB>
Feb 14 23:47:59 Emmanuels-MBP NetworkManager[16405]: 117 "bc95ce27-ab98-457f-8cb4-c82578e6f262" #2: STATE_QUICK_I1: initiate
Feb 14 23:47:59 Emmanuels-MBP pluto[16392]: "bc95ce27-ab98-457f-8cb4-c82578e6f262" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=52
Is it only a matter of ip settings in the ipsec conf file?
In the generated ipsec.conf file for either libreswan or strongswan, it would be using rightid=%any if Remote ID isn't set. Using rightid=%any is normally enough, I think it is just a bug with the version of libreswan you are using. NAT on the VPN server side shouldn't be an issue. If 192.168.1.2 isn't a static private IP address, using 0.0.0.0 (which is equivalent to %any) for Remote ID might work.
PFS is part of the phase 2 (quick mode) proposal, perhaps you might need to click Disable PFS and see if that fixes the NO_PROPOSAL_CHOSEN issue.
Wow, it's been a week I was trying to connect to the VPN on Ubuntu and just got it working with your help, thanks a lot @dkosovic 🙏
To give the last update:
- 3.29-2build1 amd64 of libreswan
- 0.0.0.0 instead of 192.168.1.2 for Remote ID didn't work
- NO_PROPOSAL_CHOSEN issue.
I'll use these settings with nmcli to automate the connection via CLI only. Thanks again @dkosovic
Glad to hear you got it working.
Just a heads-up in the future, libreswan >= 3.30 is no longer built with USE_DH2 (i.e. modp1024 that your VPN server is proposing). So with Ubuntu >= 20.10, you'll need to rebuild libreswan with USE_DH2 and I would recommend re-building network-manager-l2tp with the --enable-libreswan-dh2 configure switch (which sets the default phase 1 algorithms to use modp1024). Or better yet if you can, get your Sonicwall VPN to provide more and stronger proposals.
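The two failure modes discussed above (the peer ID mismatch fixed via Remote ID, and NO_PROPOSAL_CHOSEN in quick mode fixed via Disable PFS) and the modp1024-only proposal reported by ike-scan.sh can be told apart mechanically from the journalctl and ike-scan output. The script below is an added triage example, not part of this issue or of NetworkManager-l2tp; the sample lines are constructed from the output quoted in this thread with the address and connection UUID replaced by placeholders.

```python
import re

# Constructed sample input modelled on the ike-scan.sh and pluto log lines quoted in this thread
# (placeholders 'x.x.x.x' and 'conn-uuid' stand in for the real address and connection UUID).
IKE_SCAN_OUTPUT = """\
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
"""

PLUTO_LOG = """\
pluto[1]: "conn-uuid" #1: Peer ID is ID_IPV4_ADDR: '192.168.1.2'
pluto[1]: "conn-uuid" #1: we require IKEv1 peer to have ID 'x.x.x.x', but peer declares '192.168.1.2'
pluto[1]: "conn-uuid" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1024}
pluto[1]: "conn-uuid" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW
pluto[1]: "conn-uuid" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=52
"""

SA_RE = re.compile(r"SA=\((.*?)\)")
PEER_ID_RE = re.compile(r"but peer declares '([^']+)'")


def parse_ike_scan(text):
    """Return one dict per accepted phase 1 proposal, i.e. per 'SA=(...)' line from ike-scan."""
    return [dict(kv.split("=", 1) for kv in m.group(1).split()) for m in SA_RE.finditer(text)]


def triage(ike_scan_text, pluto_text):
    """Map the symptoms seen in this thread to the setting that was adjusted for each of them."""
    findings = []
    for prop in parse_ike_scan(ike_scan_text):
        if "modp1024" in prop.get("Group", ""):
            findings.append("server offers DH group 2 (modp1024): libreswan >= 3.30 is not built with USE_DH2")
    peer = PEER_ID_RE.search(pluto_text)
    if peer:
        findings.append(f"peer ID mismatch: set Remote ID to {peer.group(1)} (or 0.0.0.0 / %any)")
    idx_np = pluto_text.find("NO_PROPOSAL_CHOSEN")
    idx_sa = pluto_text.find("ISAKMP SA established")
    if idx_np >= 0:
        # Phase 1 already completed before the rejection -> phase 2 (quick mode) proposal was refused
        if 0 <= idx_sa < idx_np:
            hint = "try Disable PFS" if "+PFS+" in pluto_text else "check the phase 2 (ESP) algorithms"
            findings.append(f"NO_PROPOSAL_CHOSEN after ISAKMP SA established: quick mode rejected, {hint}")
        else:
            findings.append("NO_PROPOSAL_CHOSEN before ISAKMP SA established: phase 1 rejected, compare ike-scan output")
    return findings


if __name__ == "__main__":
    for line in triage(IKE_SCAN_OUTPUT, PLUTO_LOG):
        print(line)
```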
Wow good to know that, thank you for this precious data @dkosovic, you saved me some days ❤️
Can I download an older version of libreswan if I don't want to rebuild it? (Actually I rebuilt it but it's not working as expected)
@rithgan I have no idea which linux distro you are using.
I previously put up libreswan built with DH2 for Ubuntu 22.04 temporarily here:
Here are the differences in the modified libreswan package compared to what ships with Ubuntu 22.04 :
I'm trying to connect my laptop running Ubuntu 20.04 to a Sonicwall VPN but Strongswan is stopped at the end of phase 2. The connection sometimes even gets established before receiving the DELETE instruction.
I configured the connection with the GUI network-manager to start (network-manager-gnome). Here are the logs from journalctl --unit=NetworkManager showing this behaviour:
I succeeded in connecting my MacBook running OS X Catalina (10.15.6) with a native L2TP over IPsec configuration, so everything should be OK on the VPN server side to make it work with my Ubuntu laptop.
Here is the configuration of the connection:
The installed version of network-manager-l2tp is 1.2.18-1~ubuntu20.04.1~ppa2
I also ran an ike-scan to make sure phase 1 was correctly set up:
I then read the issue https://github.com/nm-l2tp/NetworkManager-l2tp/issues/145 that seemed to be quite similar and tried to use libreswan.
But it doesn't work either. I end up with a NO_PROPOSAL_CHOSEN issue. Here is the configuration file used by ipsec:
I also attached the full log when trying to connect with StrongSwan: vpn.log
Any idea what could happen?