No response from VPN server while initiating Phase 1

[gltchr]

Problem: VPN connection fails

Symptoms: Launching NM with --debug and trying to connect to VPN results in

    <info>  [1619623638.0753] audit: op="connection-activate" uuid="d3181395-8d95-4923-be74-ff150504af64" name="My VPN" pid=1518 uid=1000 result="success"
    <info>  [1619623638.0820] vpn-connection[0x55ec0fce0170,d3181395-8d95-4923-be74-ff150504af64,"My VPN",0]: Started the VPN service, PID 29142
    <info>  [1619623638.0988] vpn-connection[0x55ec0fce0170,d3181395-8d95-4923-be74-ff150504af64,"My VPN",0]: Saw the service appear; activating connection
    <info>  [1619623638.1713] vpn-connection[0x55ec0fce0170,d3181395-8d95-4923-be74-ff150504af64,"My VPN",0]: VPN connection: (ConnectInteractive) reply received
    ** Message: 17:27:18.175: Check port 1701
    Stopping strongSwan IPsec failed: starter is not running
    Starting strongSwan 5.8.4 IPsec [starter]...
    Loading config setup
    Loading conn 'd3181395-8d95-4923-be74-ff150504af64'
    initiating Main Mode IKE_SA d3181395-8d95-4923-be74-ff150504af64[1] to ADDRESS1
    generating ID_PROT request 0 [ SA V V V V V ]
    sending packet: from MYADRESS[500] to ADDRESS1[500] (176 bytes)
    sending retransmit 1 of request message ID 0, seq 1
    sending packet: from MYADRESS[500] to ADDRESS1[500] (176 bytes)
    Stopping strongSwan IPsec...
    destroying IKE_SA in state CONNECTING without notification
    establishing connection 'd3181395-8d95-4923-be74-ff150504af64' failed

    (nm-l2tp-service:29142): GLib-GIO-CRITICAL **: 17:27:31.332: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

Things that I have already checked:

• xl2tpd is not running in the background,
• In the NM setting manager Phase1&2 algorithms (3des-sha1-modp1024, 3des-sha1) are "enforced" by appending "!" (which should work with strongswan according to README.md)

[dkosovic]

Normally it sends the phase 1 proposals to the VPN server and it either accepts or rejects them, but it is trying to retransmit as it never got a response for some reason. The logs on the VPN server might indicate why, but not sure.

You could try deleting the phase 1 & 2 algorithms and leave them blank. With newer versions of NetworkManager-l2tp it uses a combination of Win10 and iOS phase 1 & 2 proposals, so you normally shouldn’t need to fill them out.

[dkosovic]

Sometimes it is hit and miss with certain versions of strongswan and changing to libreswan helps (or visa versa).

[dkosovic]

Do you know what sort of VPN server it is?

[gltchr]

sorry, looks like you are using lowercase.

Sometimes it is hit and miss with certain versions of strongswan and changing to libreswan helps (or visa versa).

Thanks, but from what I understood libreswan does not has legacy support of 3des and mod1024, which are needed in this case? (I do not feel comfortable enough recompiling it by myself with the flags that would allow for that)

[gltchr]

Do you know what sort of VPN server it is?

No idea. But I can open a ticket with local IT department so that they look into that? e.g. Does it look to you that this potentially might be a server side problem? If yes I can justify opening an issue with the said department to see what they have to say.

[dkosovic]

It looks like the initial packets might not even be reaching the VPN server.

One quick thing to try is to enable Enforce UDP encapsulation in the IPsec dialog box advanced options as some ISPs, firewalls, etc block ESP traffic.

If that doesn't work, you could try building and installing ike-scan (which looks pretty simple to build using the following instructions) :

• https://github.com/royhills/ike-scan#building-and-installing

then see if ike-scan can contact and query your VPN server :

$ sudo ipsec stop
$ sudo ike-scan 161.202.144.236
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
161.202.144.236 Main Mode Handshake returned HDR=(CKY-R=0185959d02ef1a32) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800) VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n) VID=cd60464335df21f87cfdb2fc68b6a448 (draft-ietf-ipsec-nat-t-ike-02) VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)

Ending ike-scan 1.9.4: 1 hosts scanned in 0.170 seconds (5.87 hosts/sec).  1 returned handshake; 0 returned notify

161.202.144.236 is a L2TP/IPsec server I found by googling for free L2TP VPN servers, but you can replace it with your VPN server.

[gltchr]

One quick thing to try is to enable Enforce UDP encapsulation in the IPsec dialog box advanced options as some ISPs, firewalls, etc block ESP traffic.

Thanks for a suggestion, but it did not help.

If that doesn't work, you could try building and installing ike-scan

Here is an output of ike-scan on the destination address of VPN:

Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9.4: 1 hosts scanned in 2.435 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

So apparently there is something wrong with the server (I guess?) if it is not responding to a handshake? I have already submitted a ticket to the local IT department, so we'll see what they have to say about it.

[gltchr]

Do you know what sort of VPN server it is?

After some digging it appears to be something named FortiVPN. I have no clue what it means.

[dkosovic]

If the L2TP/IPsec VPN server is using 3des-sha1-modp1024 for phase 1, I would have expected Enc=3DES Hash=SHA1 Group=2:modp1024 and the handshake in the ike-scan output. For some VPN servers you need to run the following ike-scan.sh script instead if they don't support 3des-sha1-modp1024 :

• https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#querying-vpn-server-for-its-ikev1-algorithm-proposals

So it does look like something is wrong with the L2TP/IPsec VPN server.

For FortiVPN, the NetworkManager-fortisslvpn plugin is typically used instead which uses the openfortivpn client :

• https://gitlab.gnome.org/GNOME/NetworkManager-fortisslvpn

[gltchr]

I just received an answer from IT:

Was using inappropriate network while trying to connect to VPN, such that I was still within the "local" network, which conflicts with the settings of the VPN.

Connecting through different network resolved the issue with "no response from VPN server". So I guess I can close it.

Thanks for your help!