Couldn't establish IPsec tunnel

[Noisyflasher]

Hello! I'm trying to establish l2tp connection and have a problem. Service in debug mode shows logs which you can read by link. I'm sorry if using link is deprecated but inserting logs "as is" causes formatting problems. Could anybody helps with this problem? What additional information I should provide? OS: Ubuntu 16.04 LTS NetworkManager: 1.2.0 Thanks a lot!

[dkosovic]

For easier reference, I've copied and pasted the log below:

** Message: starting ipsec
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...
Loading config setup
Loading conn 'nm-ipsec-l2tp-12809'
# deprecated keyword 'pfs' in conn 'nm-ipsec-l2tp-12809'
  PFS is enabled by specifying a DH group in the 'esp' cipher suite
### 1 parsing error (0 fatal) ###
found netkey IPsec stack
initiating Main Mode IKE_SA nm-ipsec-l2tp-12809[1] to <hostIP>
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from <myIP>[500] to <hostIP>[500] (280 bytes)
received packet: from <hostIP>[500] to <myIP>[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from <myIP>[500] to <hostIP>[500] (372 bytes)
received packet: from <hostIP>[500] to <myIP>[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from <myIP>[4500] to <hostIP>[4500] (108 bytes)
received packet: from <hostIP>[4500] to <myIP>[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IDir '<hostIP>' does not match to '<hostGateway>'
deleting IKE_SA nm-ipsec-l2tp-12809[1] between <myIP>[<hostGroupName>]...<hostIP>[%any]
sending DELETE for IKE_SA nm-ipsec-l2tp-12809[1]
generating INFORMATIONAL_V1 request 4271122040 [ HASH D ]
sending packet: from <myIP>[4500] to <hostIP>[4500] (92 bytes)
connection 'nm-ipsec-l2tp-12809' established successfully

** (nm-l2tp-service:12809): WARNING **: Could not establish IPsec tunnel.

(nm-l2tp-service:12809): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

[dkosovic]

You can keep the 'Perfect Forward Secrecy' option ticked in the IPsec settiongs dialog box, with strongSwan it won't enable PFS regardless of if it is ticked or not. Having it ticked will at least stop the following

# deprecated keyword 'pfs' in conn 'nm-ipsec-l2tp-12809'
PFS is enabled by specifying a DH group in the 'esp' cipher suite
### 1 parsing error (0 fatal) ###

I will fix that PFS issue in the next version by removing it from the GUI and having PFS explicitly turned off for just Libreswan.

I haven't seen the following issue before:

IDir '<hostIP>' does not match to '<hostGateway>'

Have you tried keeping the 'Group Name' and/or 'Gateway ID' fields blank in the IPsec config dialog box?

But I think it's a strongSwan leftid/rightid issue. Currently the 'Group Name' and 'Gateway ID' fields in the IPsec dialog box don't accept an IP address and prefixes leftid and rightid with @ to prevent resolving to an IP address. I have a fix in the nm-1-2 branch, but haven't pushed it yet to the master branch. Most people are able to getaway with leaving those two fields blank.

[dkosovic]

Forgot to mention, you can attach log files by either dragging and dropping them, or clicking on the 'selecting them' link in the editing box.

What I did was use a fenced code block which begins and ends with triple backticks ``` , see : https://help.github.com/articles/creating-and-highlighting-code-blocks/

[Noisyflasher]

@dkosovic Thank you for response.

Have you tried keeping the 'Group Name' and/or 'Gateway ID' fields blank in the IPsec config dialog box?

According to the instruction I provided with, these fields should be populated. Anyway, when I left them blank, connection was established but I can't reach any destination. Sorry, but I didn't understand about leftid issue. We can avoid this issue by placing @ before value, but in current version this feature isn't supported, am I right? Thank you for your help.

[dkosovic]

Regarding not being able to reach any destination, sounds like the routing is broken. As Networkmanager-pptp is very similar, I would recommend Googling for "NetworkManager-pptp routing" or "NetworkManager VPN routing", some of the routing solutions might solve your issue, e.g.

• http://askubuntu.com/questions/640172/dns-routing-after-pptp-connection
• http://joefleming.net/posts/pptp-vpn-routing-in-ubuntu-using-network-manager/

When I Googled for the following error you were having, the strongSwan site seemed to indicate it is a misconfiguration issue with leftid and/or rightid.

IDir '<hostIP>' does not match to '<hostGateway>'

The "Group Name" field corresponds to the strongSwan leftid and "Gateway ID" is the rightid, extract from the code :

value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_GROUP_NAME);
if(value)write_config_option (ipsec_fd, "  leftid=@%s\n", value);

value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_GATEWAY_ID);
if(value)write_config_option (ipsec_fd, "  rightid=@%s\n", value);

As you can see in the code, the @ prefix is hardcoded. With strongSwan > 5.0.0 identifiers like leftid and rightid no longer automatically try to resolve to IP addresses if not prefixed with @. So I've removed the @ prefix for strongSwan in the nm-1-2 branch I'm developing at the moment which I'll eventually sync with the master branch.

As you obfuscated '', I wasn't certain if you were using an IP address, a hostname, a fully qualified hostname or some other gateway identity, so I brought up a potential @ prefix issue. But with a blank "Gateway ID" field, looks like it is a non-issue for you anyway.

[Noisyflasher]

@dkosovic I'm sorry for the delay with response - there was a lot of work. Thank you very-very much for such detailed review of my issue. I'll check routing issue and my configuration instruction in accordance with your advice. Unfortunately, I'll not be able to do it soon, but I hope that it'll be ready not later than within a week - I'll provide you with results of my investigation. Than you very much for your help.

[dkosovic]

I hadn't heard back and there has since been a new release.

I'm closing this issue, if you wish to reopen, reply.