Closed gltchr closed 3 years ago
Normally it sends the phase 1 proposals to the VPN server and it either accepts or rejects them, but it is trying to retransmit as it never got a response for some reason. The logs on the VPN server might indicate why, but not sure.
You could try deleting the phase 1 & 2 algorithms and leave them blank. With newer versions of NetworkManager-l2tp it uses a combination of Win10 and iOS phase 1 & 2 proposals, so you normally shouldn’t need to fill them out.
Sometimes it is hit and miss with certain versions of strongswan and changing to libreswan helps (or visa versa).
Do you know what sort of VPN server it is?
sorry, looks like you are using lowercase.
Sometimes it is hit and miss with certain versions of strongswan and changing to libreswan helps (or visa versa).
Thanks, but from what I understood libreswan does not has legacy support of 3des and mod1024, which are needed in this case? (I do not feel comfortable enough recompiling it by myself with the flags that would allow for that)
Do you know what sort of VPN server it is?
No idea. But I can open a ticket with local IT department so that they look into that? e.g. Does it look to you that this potentially might be a server side problem? If yes I can justify opening an issue with the said department to see what they have to say.
It looks like the initial packets might not even be reaching the VPN server.
One quick thing to try is to enable Enforce UDP encapsulation in the IPsec dialog box advanced options as some ISPs, firewalls, etc block ESP traffic.
If that doesn't work, you could try building and installing ike-scan (which looks pretty simple to build using the following instructions) :
then see if ike-scan
can contact and query your VPN server :
$ sudo ipsec stop
$ sudo ike-scan 161.202.144.236
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
161.202.144.236 Main Mode Handshake returned HDR=(CKY-R=0185959d02ef1a32) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800) VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T) VID=7d9419a65310ca6f2c179d9215529d56 (draft-ietf-ipsec-nat-t-ike-03) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n) VID=cd60464335df21f87cfdb2fc68b6a448 (draft-ietf-ipsec-nat-t-ike-02) VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.170 seconds (5.87 hosts/sec). 1 returned handshake; 0 returned notify
161.202.144.236
is a L2TP/IPsec server I found by googling for free L2TP VPN servers, but you can replace it with your VPN server.
One quick thing to try is to enable Enforce UDP encapsulation in the IPsec dialog box advanced options as some ISPs, firewalls, etc block ESP traffic.
Thanks for a suggestion, but it did not help.
If that doesn't work, you could try building and installing ike-scan
Here is an output of ike-scan
on the destination address of VPN:
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
Ending ike-scan 1.9.4: 1 hosts scanned in 2.435 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify
So apparently there is something wrong with the server (I guess?) if it is not responding to a handshake? I have already submitted a ticket to the local IT department, so we'll see what they have to say about it.
Do you know what sort of VPN server it is?
After some digging it appears to be something named FortiVPN. I have no clue what it means.
If the L2TP/IPsec VPN server is using 3des-sha1-modp1024
for phase 1, I would have expected Enc=3DES Hash=SHA1 Group=2:modp1024
and the handshake in the ike-scan output. For some VPN servers you need to run the following ike-scan.sh script instead if they don't support 3des-sha1-modp1024
:
So it does look like something is wrong with the L2TP/IPsec VPN server.
For FortiVPN, the NetworkManager-fortisslvpn plugin is typically used instead which uses the openfortivpn client :
I just received an answer from IT:
Was using inappropriate network while trying to connect to VPN, such that I was still within the "local" network, which conflicts with the settings of the VPN.
Connecting through different network resolved the issue with "no response from VPN server". So I guess I can close it.
Thanks for your help!
Problem: VPN connection fails
Symptoms: Launching NM with --debug and trying to connect to VPN results in
Things that I have already checked: