Activation of network connection failed Ubuntu 20.04

alkazap commented 2 years ago

Hello, I have used same settings on Ubuntu 18.04, but on Ubuntu 20.04 (newly installed), VPN does not work.

Installation steps:

sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp
sudo apt-get update
sudo apt install network-manager-l2tp
sudo apt install --install-suggests network-manager-l2tp-gnome
sudo reboot
sudo systemctl stop xl2tpd
sudo systemctl disable xl2tpd

I used all the settings that worked previously

Identity: Gateway, User Authentication Type: Password, NT Domain
L2TP IPsec Options: Type: Pre-shared key (PSK), Pre-shared key, Advanced settings left as default
L2TP PPP Options: only checked PAP (unckecked CHAP, MSCHAP, MSCHAPv2, EAP), the rest left as default

I've also tried the following:

output of sudo ./ike-scan.sh ... | grep SA=:

    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
    SA=(Enc=3DES Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=3DES Hash=MD5 Group=5:modp1536 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=128 Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=128 Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=128 Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=128 Hash=MD5 Group=5:modp1536 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=192 Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=192 Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=192 Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=192 Hash=MD5 Group=5:modp1536 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=192 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=256 Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=256 Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=256 Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=256 Hash=MD5 Group=5:modp1536 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

log from journalctl --no-hostname --unit=NetworkManager:

 7월 27 19:08:32 NetworkManager[880]: <info>  [1627380512.0616] audit: op="connection-activate" uuid="..." name="..." pid=2773 uid=1000 result="success"
 7월 27 19:08:32 NetworkManager[880]: <info>  [1627380512.0753] vpn-connection[0x564df7b5e770,...,"...",0]: Started the VPN service, PID 3252
 7월 27 19:08:32 NetworkManager[880]: <info>  [1627380512.0973] vpn-connection[0x564df7b5e770,...,"...",0]: Saw the service appear; activating connection
 7월 27 19:08:32 NetworkManager[880]: <info>  [1627380512.1976] vpn-connection[0x564df7b5e770,...,"...",0]: VPN connection: (ConnectInteractive) reply received
 7월 27 19:08:32 nm-l2tp-service[3252]: Check port 1701
 7월 27 19:08:32 NetworkManager[3268]: Stopping strongSwan IPsec failed: starter is not running
 7월 27 19:08:34 NetworkManager[3265]: Starting strongSwan 5.8.2 IPsec [starter]...
 7월 27 19:08:34 NetworkManager[3265]: Loading config setup
 7월 27 19:08:34 NetworkManager[3265]: Loading conn '...'
 7월 27 19:08:34 ipsec_starter[3265]: Starting strongSwan 5.8.2 IPsec [starter]...
 7월 27 19:08:34 ipsec_starter[3265]: Loading config setup
 7월 27 19:08:34 ipsec_starter[3265]: Loading conn '...'
 7월 27 19:08:34 ipsec_starter[3276]: Attempting to start charon...
 7월 27 19:08:34 charon[3277]: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.8.0-63-generic, x86_64)
 7월 27 19:08:34 charon[3277]: 00[CFG] PKCS11 module '<name>' lacks library path
 7월 27 19:08:34 charon[3277]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
 7월 27 19:08:34 charon[3277]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
 7월 27 19:08:34 charon[3277]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
 7월 27 19:08:34 charon[3277]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
 7월 27 19:08:34 charon[3277]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
 7월 27 19:08:34 charon[3277]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
 7월 27 19:08:34 charon[3277]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
 7월 27 19:08:34 charon[3277]: 00[CFG]   loaded IKE secret for %any
 7월 27 19:08:34 charon[3277]: 00[CFG] loaded 0 RADIUS server configurations
 7월 27 19:08:34 charon[3277]: 00[CFG] HA config misses local/remote address
 7월 27 19:08:34 charon[3277]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs1>
 7월 27 19:08:34 charon[3277]: 00[LIB] dropped capabilities, running as uid 0, gid 0
 7월 27 19:08:34 charon[3277]: 00[JOB] spawning 16 worker threads
 7월 27 19:08:34 ipsec_starter[3276]: charon (3277) started after 20 ms
 7월 27 19:08:34 charon[3277]: 06[CFG] received stroke: add connection '...'
 7월 27 19:08:34 charon[3277]: 06[CFG] added configuration '...'
 7월 27 19:08:35 charon[3277]: 08[CFG] rereading secrets
 7월 27 19:08:35 charon[3277]: 08[CFG] loading secrets from '/etc/ipsec.secrets'
 7월 27 19:08:35 charon[3277]: 08[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
 7월 27 19:08:35 charon[3277]: 08[CFG]   loaded IKE secret for %any
 7월 27 19:08:35 charon[3277]: 09[CFG] received stroke: initiate '...'
 7월 27 19:08:35 charon[3277]: 11[IKE] initiating Main Mode IKE_SA ...[1] to ....
 7월 27 19:08:35 charon[3277]: 11[IKE] initiating Main Mode IKE_SA ...[1] to ....
 7월 27 19:08:35 charon[3277]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
 7월 27 19:08:35 charon[3277]: 11[NET] sending packet: from ....[500] to ....[500] (532 bytes)
 7월 27 19:08:35 charon[3277]: 12[NET] received packet: from ....[500] to ....[500] (180 bytes)
 7월 27 19:08:35 charon[3277]: 12[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
 7월 27 19:08:35 charon[3277]: 12[IKE] received XAuth vendor ID
 7월 27 19:08:35 charon[3277]: 12[IKE] received DPD vendor ID
 7월 27 19:08:35 charon[3277]: 12[IKE] received Cisco Unity vendor ID
 7월 27 19:08:35 charon[3277]: 12[IKE] received FRAGMENTATION vendor ID
 7월 27 19:08:35 charon[3277]: 12[IKE] received NAT-T (RFC 3947) vendor ID
 7월 27 19:08:35 charon[3277]: 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 7월 27 19:08:35 charon[3277]: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
 7월 27 19:08:35 charon[3277]: 12[NET] sending packet: from ....[500] to ....[500] (244 bytes)
 7월 27 19:08:35 charon[3277]: 13[NET] received packet: from ....[500] to ....[500] (244 bytes)
 7월 27 19:08:35 charon[3277]: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
 7월 27 19:08:35 charon[3277]: 13[IKE] local host is behind NAT, sending keep alives
 7월 27 19:08:35 charon[3277]: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
 7월 27 19:08:35 charon[3277]: 13[NET] sending packet: from ....[4500] to ....[4500] (76 bytes)
 7월 27 19:08:35 charon[3277]: 14[NET] received packet: from ....[500] to ....[500] (76 bytes)
 7월 27 19:08:35 charon[3277]: 14[ENC] invalid HASH_V1 payload length, decryption failed?
 7월 27 19:08:35 charon[3277]: 14[ENC] could not decrypt payloads
 7월 27 19:08:35 charon[3277]: 14[IKE] message parsing failed
 7월 27 19:08:35 charon[3277]: 14[IKE] ignore malformed INFORMATIONAL request
 7월 27 19:08:35 charon[3277]: 14[IKE] INFORMATIONAL_V1 request with message ID 2175675279 processing failed
 7월 27 19:08:39 charon[3277]: 05[IKE] sending retransmit 1 of request message ID 0, seq 3
 7월 27 19:08:39 charon[3277]: 05[NET] sending packet: from ....[4500] to ....[4500] (76 bytes)
 7월 27 19:08:39 charon[3277]: 06[NET] received packet: from ....[500] to ....[500] (76 bytes)
 7월 27 19:08:39 charon[3277]: 06[ENC] invalid HASH_V1 payload length, decryption failed?
 7월 27 19:08:39 charon[3277]: 06[ENC] could not decrypt payloads
 7월 27 19:08:39 charon[3277]: 06[IKE] message parsing failed
 7월 27 19:08:39 charon[3277]: 06[IKE] ignore malformed INFORMATIONAL request
 7월 27 19:08:39 charon[3277]: 06[IKE] INFORMATIONAL_V1 request with message ID 2470614658 processing failed
 7월 27 19:08:45 NetworkManager[3312]: Stopping strongSwan IPsec...
 7월 27 19:08:45 charon[3277]: 00[DMN] signal of type SIGINT received. Shutting down
 7월 27 19:08:45 charon[3277]: 00[IKE] destroying IKE_SA in state CONNECTING without notification
 7월 27 19:08:45 NetworkManager[3306]: initiating Main Mode IKE_SA ...[1] to ....
 7월 27 19:08:45 NetworkManager[3306]: generating ID_PROT request 0 [ SA V V V V V ]
 7월 27 19:08:45 NetworkManager[3306]: sending packet: from ....[500] to ....[500] (532 bytes)
 7월 27 19:08:45 NetworkManager[3306]: received packet: from ....[500] to ....[500] (180 bytes)
 7월 27 19:08:45 NetworkManager[3306]: parsed ID_PROT response 0 [ SA V V V V V ]
 7월 27 19:08:45 NetworkManager[3306]: received XAuth vendor ID
 7월 27 19:08:45 NetworkManager[3306]: received DPD vendor ID
 7월 27 19:08:45 NetworkManager[3306]: received Cisco Unity vendor ID
 7월 27 19:08:45 NetworkManager[3306]: received FRAGMENTATION vendor ID
 7월 27 19:08:45 NetworkManager[3306]: received NAT-T (RFC 3947) vendor ID
 7월 27 19:08:45 NetworkManager[3306]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
 7월 27 19:08:45 NetworkManager[3306]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
 7월 27 19:08:45 NetworkManager[3306]: sending packet: from ....[500] to ....[500] (244 bytes)
 7월 27 19:08:45 NetworkManager[3306]: received packet: from ....[500] to ....[500] (244 bytes)
 7월 27 19:08:45 NetworkManager[3306]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
 7월 27 19:08:45 NetworkManager[3306]: local host is behind NAT, sending keep alives
 7월 27 19:08:45 NetworkManager[3306]: generating ID_PROT request 0 [ ID HASH ]
 7월 27 19:08:45 NetworkManager[3306]: sending packet: from ....[4500] to ....[4500] (76 bytes)
 7월 27 19:08:45 NetworkManager[3306]: received packet: from ....[500] to ....[500] (76 bytes)
 7월 27 19:08:45 NetworkManager[3306]: invalid HASH_V1 payload length, decryption failed?
 7월 27 19:08:45 NetworkManager[3306]: could not decrypt payloads
 7월 27 19:08:45 NetworkManager[3306]: message parsing failed
 7월 27 19:08:45 NetworkManager[3306]: ignore malformed INFORMATIONAL request
 7월 27 19:08:45 NetworkManager[3306]: INFORMATIONAL_V1 request with message ID 2175675279 processing failed
 7월 27 19:08:45 NetworkManager[3306]: sending retransmit 1 of request message ID 0, seq 3
 7월 27 19:08:45 NetworkManager[3306]: sending packet: from ....[4500] to ....[4500] (76 bytes)
 7월 27 19:08:45 NetworkManager[3306]: received packet: from ....[500] to ....[500] (76 bytes)
 7월 27 19:08:45 NetworkManager[3306]: invalid HASH_V1 payload length, decryption failed?
 7월 27 19:08:45 NetworkManager[3306]: could not decrypt payloads
 7월 27 19:08:45 NetworkManager[3306]: message parsing failed
 7월 27 19:08:45 NetworkManager[3306]: ignore malformed INFORMATIONAL request
 7월 27 19:08:45 NetworkManager[3306]: INFORMATIONAL_V1 request with message ID 2470614658 processing failed
 7월 27 19:08:45 NetworkManager[3306]: destroying IKE_SA in state CONNECTING without notification
 7월 27 19:08:45 NetworkManager[3306]: establishing connection '...' failed
 7월 27 19:08:45 ipsec_starter[3276]: child 3277 (charon) has quit (exit code 0)
 7월 27 19:08:45 ipsec_starter[3276]: 
 7월 27 19:08:45 ipsec_starter[3276]: charon stopped after 200 ms
 7월 27 19:08:45 ipsec_starter[3276]: ipsec starter stopped
 7월 27 19:08:45 nm-l2tp-service[3252]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
 7월 27 19:08:45 NetworkManager[880]: <info>  [1627380525.3692] vpn-connection[0x564df7b5e770,...,"...",0]: VPN plugin: state changed: stopped (6)
 7월 27 19:08:45 NetworkManager[880]: <info>  [1627380525.3778] vpn-connection[0x564df7b5e770,...,"...",0]: VPN service disappeared
7월 27 19:13:57 NetworkManager[880]: <warn>  [1627380837.4743] vpn-connection[0x564df7b5e560,...,"...",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

From here https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec.html#phase-1-pre-shared-key-mismatch I found that my log identifies "Phase 1 Pre-Shared Key Mismatch"

charon: 09[ENC] invalid HASH_V1 payload length, decryption failed?
charon: 09[ENC] could not decrypt payloads
charon: 09[IKE] message parsing failed

But in fact my Pre-Shared Key is correct

I have no idea how to resolve it or what could be the problem, please help.

dkosovic commented 2 years ago

I would try switching from strongswan to libreswan with :

sudo apt install libreswan

I would have thought it was a PSK issue if you didn't mention the PSK was correct, you might have more luck with libreswan.

Edit: removed my comments about using the nm-l2tp PPA which you are already using.

alkazap commented 2 years ago

I have tried installing libreswan but it does not seem to resolve the issue, is there any additional setup needed?

 7월 27 21:09:31 NetworkManager[885]: <info>  [1627387771.2613] audit: op="connection-activate" uuid="3795692a-8468-49c3-9fde-c0c59c213d16" name="..." pid=1811 uid=1000 result="success"
 7월 27 21:09:31 NetworkManager[885]: <info>  [1627387771.3014] vpn-connection[0x55bb921da100,3795692a-8468-49c3-9fde-c0c59c213d16,"...",0]: Started the VPN service, PID 3745
 7월 27 21:09:31 NetworkManager[885]: <info>  [1627387771.3079] vpn-connection[0x55bb921da100,3795692a-8468-49c3-9fde-c0c59c213d16,"...",0]: Saw the service appear; activating connection
 7월 27 21:09:31 NetworkManager[885]: <info>  [1627387771.3763] vpn-connection[0x55bb921da100,3795692a-8468-49c3-9fde-c0c59c213d16,"...",0]: VPN connection: (ConnectInteractive) reply received
 7월 27 21:09:31 nm-l2tp-service[3745]: Check port 1701
 7월 27 21:09:31 NetworkManager[3754]: whack: Pluto is not running (no "/run/pluto/pluto.ctl")
 7월 27 21:09:31 NetworkManager[3758]: Redirecting to: systemctl restart ipsec.service
 7월 27 21:09:32 NetworkManager[885]: <info>  [1627387772.3998] manager: (ip_vti0): new Generic device (/org/freedesktop/NetworkManager/Devices/5)
 7월 27 21:09:32 NetworkManager[4175]: 002 listening for IKE messages
 7월 27 21:09:32 NetworkManager[4175]: 002 Kernel supports NIC esp-hw-offload
 7월 27 21:09:32 NetworkManager[4175]: 002 adding interface wlo1/wlo1 (esp-hw-offload=no) 172.30.1.12:500
 7월 27 21:09:32 NetworkManager[4175]: 002 adding interface wlo1/wlo1 172.30.1.12:4500
 7월 27 21:09:32 NetworkManager[4175]: 002 Kernel supports NIC esp-hw-offload
 7월 27 21:09:32 NetworkManager[4175]: 002 adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
 7월 27 21:09:32 NetworkManager[4175]: 002 adding interface lo/lo 127.0.0.1:4500
 7월 27 21:09:32 NetworkManager[4175]: 002 Kernel supports NIC esp-hw-offload
 7월 27 21:09:32 NetworkManager[4175]: 002 adding interface lo/lo (esp-hw-offload=no) ::1:500
 7월 27 21:09:32 NetworkManager[4175]: 002 loading secrets from "/etc/ipsec.secrets"
 7월 27 21:09:32 NetworkManager[4175]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
 7월 27 21:09:32 NetworkManager[4180]: debugging mode enabled
 7월 27 21:09:32 NetworkManager[4180]: end of file /run/nm-l2tp-3795692a-8468-49c3-9fde-c0c59c213d16/ipsec.conf
 7월 27 21:09:32 NetworkManager[4180]: Loading conn 3795692a-8468-49c3-9fde-c0c59c213d16
 7월 27 21:09:32 NetworkManager[4180]: starter: left is KH_DEFAULTROUTE
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" modecfgdns=<unset>
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" modecfgdomains=<unset>
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" modecfgbanner=<unset>
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" mark=<unset>
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" mark-in=<unset>
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" mark-out=<unset>
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" vti_iface=<unset>
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" redirect-to=<unset>
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" accept-redirect-to=<unset>
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" esp=aes256-sha1,aes128-sha1,3des-sha1
 7월 27 21:09:32 NetworkManager[4180]: conn: "3795692a-8468-49c3-9fde-c0c59c213d16" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp15>
 7월 27 21:09:32 NetworkManager[4180]: opening file: /run/nm-l2tp-3795692a-8468-49c3-9fde-c0c59c213d16/ipsec.conf
 7월 27 21:09:32 NetworkManager[4180]: loading named conns: 3795692a-8468-49c3-9fde-c0c59c213d16
 7월 27 21:09:32 NetworkManager[4180]: seeking_src = 1, seeking_gateway = 1, has_peer = 1
 7월 27 21:09:32 NetworkManager[4180]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
 7월 27 21:09:32 NetworkManager[4180]: dst  via 172.30.1.254 dev wlo1 src  table 254
 7월 27 21:09:32 NetworkManager[4180]: set nexthop: 172.30.1.254
 7월 27 21:09:32 NetworkManager[4180]: dst 169.254.0.0 via  dev wlo1 src  table 254
 7월 27 21:09:32 NetworkManager[4180]: dst 172.30.1.0 via  dev wlo1 src 172.30.1.12 table 254
 7월 27 21:09:32 NetworkManager[4180]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
 7월 27 21:09:32 NetworkManager[4180]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
 7월 27 21:09:32 NetworkManager[4180]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
 7월 27 21:09:32 NetworkManager[4180]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
 7월 27 21:09:32 NetworkManager[4180]: dst 172.30.1.0 via  dev wlo1 src 172.30.1.12 table 255 (ignored)
 7월 27 21:09:32 NetworkManager[4180]: dst 172.30.1.12 via  dev wlo1 src 172.30.1.12 table 255 (ignored)
 7월 27 21:09:32 NetworkManager[4180]: dst 172.30.1.255 via  dev wlo1 src 172.30.1.12 table 255 (ignored)
 7월 27 21:09:32 NetworkManager[4180]: seeking_src = 1, seeking_gateway = 0, has_peer = 1
 7월 27 21:09:32 NetworkManager[4180]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
 7월 27 21:09:32 NetworkManager[4180]: dst 172.30.1.254 via  dev wlo1 src 172.30.1.12 table 254
 7월 27 21:09:32 NetworkManager[4180]: set addr: 172.30.1.12
 7월 27 21:09:32 NetworkManager[4180]: seeking_src = 0, seeking_gateway = 0, has_peer = 1
 7월 27 21:09:32 NetworkManager[4182]: 002 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: initiating Main Mode
 7월 27 21:09:32 NetworkManager[4182]: 104 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: STATE_MAIN_I1: initiate
 7월 27 21:09:32 NetworkManager[4182]: 106 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: STATE_MAIN_I2: sent MI2, expecting MR2
 7월 27 21:09:32 NetworkManager[4182]: 108 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: STATE_MAIN_I3: sent MI3, expecting MR3
 7월 27 21:09:32 NetworkManager[4182]: 002 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0x88 but should have been zero (ignored)
 7월 27 21:09:32 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: length of ISAKMP Hash Payload is larger than can fit
 7월 27 21:09:32 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: malformed payload in packet
 7월 27 21:09:33 NetworkManager[4182]: 010 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
 7월 27 21:09:33 NetworkManager[4182]: 002 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0x8b but should have been zero (ignored)
 7월 27 21:09:33 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: length of ISAKMP Hash Payload is larger than can fit
 7월 27 21:09:33 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: malformed payload in packet
 7월 27 21:09:33 NetworkManager[4182]: 010 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: STATE_MAIN_I3: retransmission; will wait 1 seconds for response
 7월 27 21:09:33 NetworkManager[4182]: 002 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0x15 but should have been zero (ignored)
 7월 27 21:09:33 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: length of ISAKMP Hash Payload is larger than can fit
 7월 27 21:09:33 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: malformed payload in packet
 7월 27 21:09:34 NetworkManager[4182]: 010 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: STATE_MAIN_I3: retransmission; will wait 2 seconds for response
 7월 27 21:09:34 NetworkManager[4182]: 002 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0xea but should have been zero (ignored)
 7월 27 21:09:34 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: length of ISAKMP Hash Payload is larger than can fit
 7월 27 21:09:34 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: malformed payload in packet
 7월 27 21:09:36 NetworkManager[4182]: 010 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: STATE_MAIN_I3: retransmission; will wait 4 seconds for response
 7월 27 21:09:36 NetworkManager[4182]: 002 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0x91 but should have been zero (ignored)
 7월 27 21:09:36 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: length of ISAKMP Hash Payload is larger than can fit
 7월 27 21:09:36 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: malformed payload in packet
 7월 27 21:09:40 NetworkManager[4182]: 010 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: STATE_MAIN_I3: retransmission; will wait 8 seconds for response
 7월 27 21:09:40 NetworkManager[4182]: 002 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0x62 but should have been zero (ignored)
 7월 27 21:09:40 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: length of ISAKMP Hash Payload is larger than can fit
 7월 27 21:09:40 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: malformed payload in packet
 7월 27 21:09:42 nm-l2tp-service[3745]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
 7월 27 21:09:42 NetworkManager[885]: <info>  [1627387782.8831] vpn-connection[0x55bb921da100,3795692a-8468-49c3-9fde-c0c59c213d16,"...",0]: VPN plugin: state changed: stopped (6)
 7월 27 21:09:42 NetworkManager[885]: <info>  [1627387782.8897] vpn-connection[0x55bb921da100,3795692a-8468-49c3-9fde-c0c59c213d16,"...",0]: VPN service disappeared
 7월 27 21:09:42 NetworkManager[885]: <warn>  [1627387782.8909] vpn-connection[0x55bb921da100,3795692a-8468-49c3-9fde-c0c59c213d16,"...",0]: VPN connection: failed to connect: 'Message recipient>
 7월 27 21:09:48 NetworkManager[4182]: 010 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: STATE_MAIN_I3: retransmission; will wait 16 seconds for response
 7월 27 21:09:48 NetworkManager[4182]: 002 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0x98 but should have been zero (ignored)
 7월 27 21:09:48 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: length of ISAKMP Hash Payload is larger than can fit
 7월 27 21:09:48 NetworkManager[4182]: 003 "3795692a-8468-49c3-9fde-c0c59c213d16" #1: malformed payload in packet

Seems like its still a PSK issue but same PSK works with Win10 VPN and worked on Ubuntu 18.04, I am not a server admin, but if you give any suggestions I will talk to the admin about VPN server settings. I don't really know much about it and they didn't seem to know what could be causing this issue on Ubuntu...

dkosovic commented 2 years ago

Could you try clicking "Enforce UDP encapsulation" in the IPsec advanced options?

alkazap commented 2 years ago

Still same issue and same output, could a special character & in PSK cause it? [Edit: it should be fine] By the way, thank you for replying so fast

When I look into /etc/ipsec.d/ipsec.nm-l2tp.secret there's a line

: PSK ...

But the string doesn't match my PSK, is it encrypted or should I overwrite it? how is this file generated?

dkosovic commented 2 years ago

The string is base64 encoded and should start with 0s, the base64 encoding should handle special characters. You could try the following on the command-line but with your PSK to see what the base64 encoding looks like :

echo -n 'my-psk' | base64

base64 --decode can be used to do the reverse.

alkazap commented 2 years ago

Thank you for explaining... and ugh it matches... lol hmmm could it be NT Domain problem or do I need to enter Remote ID (not sure what either one should be, I put the group name in NT Domain, which worked before...)

dkosovic commented 2 years ago

The NT Domain field is equivalent to entering DOMAIN\username for the username. It is not use for the IPsec connection, but later with the L2TP connection after the IPsec connection is established first.

If you use Remote ID, /etc/ipsec.d/ipsec.nm-l2tp.secret will look like :

Remote-ID : PSK  ...

Generally the Remote ID is used if there is some error about Peer ID.

From the logs it looks at the following two files for the PSK:

/etc/ipsec.secrets
/etc/ipsec.d/ipsec.nm-l2tp.secrets

The /etc/ipsec.d/ipsec.nm-l2tp.secrets file gets overwritten/re-created every time the VPN connection is attempted. You can add a new PSK to the /etc/ipsec.secrets file without worrying if it will be overwritten.

The PSK format in clear text is just:

: PSK "MyPSK"

alkazap commented 2 years ago

Thank you. Since the PSK is correct I have no idea what could cause a mismatch error...

dkosovic commented 2 years ago

I can't see anything obvious that could be wrong.

One other thing you could try is to enable IKEv2 in the IPsec advance config.

dkosovic commented 2 years ago

Actually I've been reading the following and got some ideas :

https://github.com/libreswan/libreswan/issues/270

Where they claim it is a misconfiguration of the IKE parameter (i.e. phase 1), it might be offering too many proposals for the VPN server. After reverting the other IPsec advanced options, you could try setting phase 1 algorithms to only offer a few algorithms, e.g. if using libreswan, try:

3des-sha1-modp2048,3des-sha1-modp1024

alkazap commented 2 years ago

Thank you once again, just tried but still no luck

dkosovic commented 2 years ago

With libreswan, you could try running sudo ipsec verify which performs some checks on your computer to see if there are any IPsec issues. You might need to run sudo ipsec start first.

Being Ubuntu, could be a AppArmor issue, could try temporarily stopping AppArmor. journalctl might show some non-NetworkManager errors.

Could be a firewall issue if you enabled a firewall.

I'm at a loss as to what else to try.

alkazap commented 2 years ago

sudo ipsec verify gives me this output:

Verifying installed system and configuration files

Version check and ipsec on-path                     [OK]
Libreswan 3.29 (netkey) on 5.8.0-63-generic
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects              [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Checking rp_filter                                  [OK]
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                          [OK]
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options            [OBSOLETE KEYWORD]
Traceback (most recent call last):
  File "/usr/lib/ipsec/verify", line 393, in <module>
    main()
  File "/usr/lib/ipsec/verify", line 384, in main
    configsetupcheck()
  File "/usr/lib/ipsec/verify", line 366, in configsetupcheck
    err = err.replace("Warning"," Warning")
TypeError: a bytes-like object is required, not 'str'

dkosovic commented 2 years ago

Although there is a python syntax error for the "OBSOLETE KEYWORD" keyword check of /etc/ipsec.conf, not sure what the obsolete keyword is, but doubt it would have an impact.

There was nothing that FAILED with ipsec verify.

erfantkerfan commented 2 years ago

+1 on ubuntu 22.04

DibeshMSShrestha commented 1 year ago

+1 on ubuntu 22.04

dkosovic commented 1 year ago

Although an incorrect PSK is the most common problem with the invalid HASH_V1 payload length, decryption failed error, others have reported issues if the PSK contains a special character like (!) when a CISCO VPN server is used. e.g. :

https://community.ui.com/questions/L2TP-over-IPsec-VPN-server-issue-with-no-response/9b17353c-d84f-4d7d-a8a7-bde041ec0924

nm-l2tp / NetworkManager-l2tp

Activation of network connection failed Ubuntu 20.04 #167