nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0
493 stars 83 forks

ubuntu l2tp-ipsec VPN connection #175

Closed WesRobbins closed 2 years ago

WesRobbins commented 2 years ago

I am having trouble connecting to a vpn from ubuntu 20.04/strongSwan U5.8.2/K5.13.0-1026-oem. Thought it might have to do with legacy ciphers and have tried updating phase 1 and phase 2 algorithms, but haven't had any luck. I am able to successfully connect to the vpn on macOS.

Output from ike-scan:

    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)

Logs:

Jan 19 18:08:51 Prec-7760 NetworkManager[1440]: <info>  [1642640931.7384] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"xx",0]: Started the VPN service, PID 93091
Jan 19 18:08:51 Prec-7760 NetworkManager[1440]: <info>  [1642640931.7492] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"xx",0]: Saw the service appear; activating connection
Jan 19 18:08:51 Prec-7760 NetworkManager[1440]: <info>  [1642640931.7844] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"xx",0]: VPN connection: (ConnectInteractive) reply received
Jan 19 18:08:51 Prec-7760 nm-l2tp-service[93091]: Check port 1701
Jan 19 18:08:51 Prec-7760 NetworkManager[93107]: Stopping strongSwan IPsec failed: starter is not running
Jan 19 18:08:53 Prec-7760 NetworkManager[93104]: Starting strongSwan 5.8.2 IPsec [starter]...
Jan 19 18:08:53 Prec-7760 NetworkManager[93104]: Loading config setup
Jan 19 18:08:53 Prec-7760 NetworkManager[93104]: Loading conn '18b71348-cc03-4d9f-8a98-b962322f0ce3'
Jan 19 18:08:53 Prec-7760 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.13.0-1026-oem, x86_64)
Jan 19 18:08:53 Prec-7760 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 19 18:08:53 Prec-7760 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 19 18:08:53 Prec-7760 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 19 18:08:53 Prec-7760 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 19 18:08:53 Prec-7760 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 19 18:08:53 Prec-7760 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 19 18:08:53 Prec-7760 charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Jan 19 18:08:53 Prec-7760 charon: 00[CFG]   loaded IKE secret for %any
Jan 19 18:08:53 Prec-7760 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jan 19 18:08:53 Prec-7760 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 19 18:08:53 Prec-7760 charon: 00[JOB] spawning 16 worker threads
Jan 19 18:08:53 Prec-7760 charon: 05[CFG] received stroke: add connection '18b71348-cc03-4d9f-8a98-b962322f0ce3'
Jan 19 18:08:53 Prec-7760 charon: 05[CFG] added configuration '18b71348-cc03-4d9f-8a98-b962322f0ce3'
Jan 19 18:08:54 Prec-7760 charon: 01[CFG] rereading secrets
Jan 19 18:08:54 Prec-7760 charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 19 18:08:54 Prec-7760 charon: 01[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Jan 19 18:08:54 Prec-7760 charon: 01[CFG]   loaded IKE secret for %any
Jan 19 18:08:54 Prec-7760 charon: 06[CFG] received stroke: initiate '18b71348-cc03-4d9f-8a98-b962322f0ce3'
Jan 19 18:08:54 Prec-7760 charon: 07[IKE] initiating Main Mode IKE_SA 18b71348-cc03-4d9f-8a98-b962322f0ce3[1] to 128.198.18.9
Jan 19 18:08:54 Prec-7760 charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jan 19 18:08:54 Prec-7760 charon: 07[NET] sending packet: from 10.0.0.45[500] to 128.198.18.9[500] (176 bytes)
Jan 19 18:08:58 Prec-7760 charon: 01[IKE] sending retransmit 1 of request message ID 0, seq 1
Jan 19 18:08:58 Prec-7760 charon: 01[NET] sending packet: from 10.0.0.45[500] to 128.198.18.9[500] (176 bytes)
Jan 19 18:09:04 Prec-7760 NetworkManager[93148]: Stopping strongSwan IPsec...
Jan 19 18:09:04 Prec-7760 charon: 00[DMN] signal of type SIGINT received. Shutting down
Jan 19 18:09:04 Prec-7760 charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Jan 19 18:09:04 Prec-7760 NetworkManager[93145]: initiating Main Mode IKE_SA 18b71348-cc03-4d9f-8a98-b962322f0ce3[1] to 128.198.18.9
Jan 19 18:09:04 Prec-7760 NetworkManager[93145]: generating ID_PROT request 0 [ SA V V V V V ]
Jan 19 18:09:04 Prec-7760 NetworkManager[93145]: sending packet: from 10.0.0.45[500] to 128.198.18.9[500] (176 bytes)
Jan 19 18:09:04 Prec-7760 NetworkManager[93145]: sending retransmit 1 of request message ID 0, seq 1
Jan 19 18:09:04 Prec-7760 NetworkManager[93145]: sending packet: from 10.0.0.45[500] to 128.198.18.9[500] (176 bytes)
Jan 19 18:09:04 Prec-7760 NetworkManager[93145]: destroying IKE_SA in state CONNECTING without notification
Jan 19 18:09:04 Prec-7760 NetworkManager[93145]: establishing connection '18b71348-cc03-4d9f-8a98-b962322f0ce3' failed
Jan 19 18:09:04 Prec-7760 nm-l2tp-service[93091]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Jan 19 18:09:04 Prec-7760 NetworkManager[1440]: <info>  [1642640944.9131] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"xx",0]: VPN plugin: state changed: stopped (6)
Jan 19 18:09:04 Prec-7760 NetworkManager[1440]: <info>  [1642640944.9144] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"xx",0]: VPN service disappeared
Jan 19 18:09:04 Prec-7760 NetworkManager[1440]: <warn>  [1642640944.9150] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"xx",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
dkosovic commented 2 years ago

Looks like the VPN server is offering both PSK and Machine Certificate (RSA_Sig) proposals. Only the 3des-sha1-modp1024 proposals are considered legacy/weak; the other proposals most definitely aren't, and the strongest one will be selected if you leave the phase 1 & 2 algorithm settings blank.

I think it might be a compatibility bug with strongswan. I would try switching from strongswan to libreswan with the following and seeing if you have more luck (also leave the phase 1 & 2 algorithm settings blank):

sudo apt install libreswan

I would also recommend using the newer network-manager-l2tp package from the following site:
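
The proposal triage above (which of the ike-scan lines are legacy, and which one a client will pick when the algorithm fields are left blank) can be done mechanically. The following is an added example written for this page, not code from nm-l2tp or from the commenter; it parses the ike-scan SA lines quoted in the issue (embedded as a constructed sample), flags the weak ones, and ranks the rest. The DH-group strength table is an approximation used only for ordering, and the libreswan-style names it emits (ecp_384 etc.) are an assumption about how you would write the chosen proposal into a phase 1 setting.

```python
import re

# Constructed sample input: the ike-scan SA lines quoted in the issue above.
SAMPLE_IKE_SCAN = """\
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=19 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=20 Auth=RSA_Sig LifeType=Seconds LifeDuration(4)=0x00007080)
"""

# IANA IKE DH group numbers -> libreswan-style names (assumed naming for the output).
GROUP_NAMES = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072",
               16: "modp4096", 19: "ecp_256", 20: "ecp_384", 21: "ecp_521"}
# Approximate symmetric-equivalent strength in bits, used only to rank groups.
GROUP_STRENGTH = {1: 56, 2: 80, 5: 90, 14: 112, 15: 128, 16: 152, 19: 128, 20: 192, 21: 256}

SA_RE = re.compile(r"SA=\((.*)\)")


def parse_sa_line(line):
    """Turn one 'SA=(k=v k=v ...)' ike-scan line into a dict; None for other lines."""
    m = SA_RE.search(line)
    if not m:
        return None
    fields = dict(tok.partition("=")[::2] for tok in m.group(1).split())
    fields["Group"] = int(fields["Group"].split(":")[0])   # "2:modp1024" -> 2
    fields["KeyLength"] = int(fields.get("KeyLength", 0))  # absent for 3DES
    return fields


def ike_name(p):
    """Proposal in enc-hash-group notation, e.g. aes256-sha1-ecp_384."""
    enc = {"3DES": "3des", "DES": "des"}.get(p["Enc"], "%s%d" % (p["Enc"].lower(), p["KeyLength"]))
    hsh = {"SHA1": "sha1", "MD5": "md5", "SHA2-256": "sha2_256"}.get(p["Hash"], p["Hash"].lower())
    return "%s-%s-%s" % (enc, hsh, GROUP_NAMES.get(p["Group"], "group%d" % p["Group"]))


def weaknesses(p):
    """Reasons a proposal counts as legacy/weak; an empty list means acceptable.
    SHA1 as an HMAC/PRF is not flagged: collision attacks do not apply to it there."""
    reasons = []
    if p["Enc"] in ("DES", "3DES"):
        reasons.append("%s: 64-bit block cipher (Sweet32), legacy" % p["Enc"])
    if p["Hash"] == "MD5":
        reasons.append("MD5 integrity/PRF")
    if GROUP_STRENGTH.get(p["Group"], 0) < 112:
        reasons.append("%s: DH group below 112-bit strength" % GROUP_NAMES.get(p["Group"], p["Group"]))
    return reasons


def analyse(text):
    """[(proposal name, auth method, list of weaknesses), ...] for every SA line."""
    proposals = [p for p in map(parse_sa_line, text.splitlines()) if p]
    return [(ike_name(p), p["Auth"], weaknesses(p)) for p in proposals]


def strongest(text):
    """The proposal a client should prefer: no weaknesses, then highest overall strength."""
    proposals = [p for p in map(parse_sa_line, text.splitlines()) if p]

    def score(p):
        enc_bits = 112 if p["Enc"] == "3DES" else p["KeyLength"]
        return (not weaknesses(p), min(enc_bits, GROUP_STRENGTH.get(p["Group"], 0)), enc_bits)

    return ike_name(max(proposals, key=score))


if __name__ == "__main__":
    for name, auth, weak in analyse(SAMPLE_IKE_SCAN):
        print("%-24s %-8s %s" % (name, auth, "; ".join(weak) or "ok"))
    print("strongest:", strongest(SAMPLE_IKE_SCAN))
```

For the sample above the ranking lands on aes256-sha1-ecp_384, which is exactly what the libreswan log later in this thread negotiates (cipher=AES_CBC_256 integ=HMAC_SHA1 group=DH20). The checker flags only the two 3DES/modp1024 lines, matching the comment. It does not look at IKEv1 exchange mode: PSK with main mode is fine, PSK with aggressive mode leaks a crackable hash, and ike-scan's `-A` option is how you test for the latter.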

WesRobbins commented 2 years ago

Thank you for the quick response. I am still unable to connect after those steps.

Here are the libreswan logs:

Jan 19 19:36:55 Prec-7760 NetworkManager[1440]: <info>  [1642646215.6183] audit: op="connection-activate" uuid="18b71348-cc03-4d9f-8a98-b962322f0ce3" name="UCCSVPN" pid=106662 uid=1001 result="success"
Jan 19 19:36:55 Prec-7760 NetworkManager[1440]: <info>  [1642646215.6241] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"UCCSVPN",0]: Started the VPN service, PID 109032
Jan 19 19:36:55 Prec-7760 NetworkManager[1440]: <info>  [1642646215.6337] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"UCCSVPN",0]: Saw the service appear; activating connection
Jan 19 19:36:55 Prec-7760 NetworkManager[1440]: <info>  [1642646215.6726] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"UCCSVPN",0]: VPN connection: (ConnectInteractive) reply received
Jan 19 19:36:55 Prec-7760 nm-l2tp-service[109032]: Check port 1701
Jan 19 19:36:55 Prec-7760 NetworkManager[109045]: Redirecting to: systemctl restart ipsec.service
Jan 19 19:36:55 Prec-7760 systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jan 19 19:36:55 Prec-7760 NetworkManager[109025]: 002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: deleting state (STATE_QUICK_I1) aged 23.853s and NOT sending notification
Jan 19 19:36:55 Prec-7760 whack[109049]: 002 shutting down
Jan 19 19:36:55 Prec-7760 ipsec[109055]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:55 Prec-7760 libipsecconf[109055]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:55 Prec-7760 systemd[1]: ipsec.service: Succeeded.
Jan 19 19:36:55 Prec-7760 systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jan 19 19:36:55 Prec-7760 systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jan 19 19:36:55 Prec-7760 addconn[109059]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:55 Prec-7760 libipsecconf[109059]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:55 Prec-7760 _stackmanager[109062]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:55 Prec-7760 libipsecconf[109062]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:55 Prec-7760 _stackmanager[109067]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:55 Prec-7760 libipsecconf[109067]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:56 Prec-7760 ipsec[109320]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:56 Prec-7760 libipsecconf[109320]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:56 Prec-7760 ipsec[109318]: nflog ipsec capture disabled
Jan 19 19:36:56 Prec-7760 systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jan 19 19:36:56 Prec-7760 libipsecconf[109347]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 listening for IKE messages
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface docker0/docker0 (esp-hw-offload=no) 172.17.0.1:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface docker0/docker0 172.17.0.1:4500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface wlp147s0/wlp147s0 (esp-hw-offload=no) 10.0.0.188:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface wlp147s0/wlp147s0 10.0.0.188:4500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface enp0s31f6/enp0s31f6 (esp-hw-offload=no) 10.0.0.45:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface enp0s31f6/enp0s31f6 10.0.0.45:4500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface lo/lo 127.0.0.1:4500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface lo/lo (esp-hw-offload=no) ::1:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface enp0s31f6/enp0s31f6 (esp-hw-offload=no) 2601:281:cc01:8180::ead9:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface enp0s31f6/enp0s31f6 (esp-hw-offload=no) 2601:281:cc01:8180:afec:ed27:6998:e9b8:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface enp0s31f6/enp0s31f6 (esp-hw-offload=no) 2601:281:cc01:8180:c2e3:7deb:9e36:fa33:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface wlp147s0/wlp147s0 (esp-hw-offload=no) 2601:281:cc01:8180::99ca:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface wlp147s0/wlp147s0 (esp-hw-offload=no) 2601:281:cc01:8180:ee41:efea:8b06:e573:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 Kernel supports NIC esp-hw-offload
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 adding interface wlp147s0/wlp147s0 (esp-hw-offload=no) 2601:281:cc01:8180:f553:7b42:a6eb:86c1:500
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 loading secrets from "/etc/ipsec.secrets"
Jan 19 19:36:56 Prec-7760 NetworkManager[109348]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: debugging mode enabled
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: end of file /run/nm-l2tp-18b71348-cc03-4d9f-8a98-b962322f0ce3/ipsec.conf
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: Loading conn 18b71348-cc03-4d9f-8a98-b962322f0ce3
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: starter: left is KH_DEFAULTROUTE
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" modecfgdns=<unset>
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" modecfgdomains=<unset>
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" modecfgbanner=<unset>
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" mark=<unset>
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" mark-in=<unset>
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" mark-out=<unset>
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" vti_iface=<unset>
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" redirect-to=<unset>
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" accept-redirect-to=<unset>
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" esp=aes256-sha1,aes128-sha1,3des-sha1
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp_384,aes128-sha1-modp1024,aes128-sha1-ecp_256,3des-sha1-modp2048,3des-sha1-modp1024
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: opening file: /run/nm-l2tp-18b71348-cc03-4d9f-8a98-b962322f0ce3/ipsec.conf
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: loading named conns: 18b71348-cc03-4d9f-8a98-b962322f0ce3
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: seeking_src = 1, seeking_gateway = 1, has_peer = 1
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst  via 10.0.0.1 dev enp0s31f6 src  table 254
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: set nexthop: 10.0.0.1
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst  via 10.0.0.1 dev wlp147s0 src  table 254
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 10.0.0.0 via  dev enp0s31f6 src 10.0.0.45 table 254
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 10.0.0.0 via  dev wlp147s0 src 10.0.0.188 table 254
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 169.254.0.0 via  dev wlp147s0 src  table 254
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 172.17.0.0 via  dev docker0 src 172.17.0.1 table 254
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 10.0.0.0 via  dev wlp147s0 src 10.0.0.188 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 10.0.0.0 via  dev enp0s31f6 src 10.0.0.45 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 10.0.0.45 via  dev enp0s31f6 src 10.0.0.45 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 10.0.0.188 via  dev wlp147s0 src 10.0.0.188 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 10.0.0.255 via  dev wlp147s0 src 10.0.0.188 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 10.0.0.255 via  dev enp0s31f6 src 10.0.0.45 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 172.17.0.0 via  dev docker0 src 172.17.0.1 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 172.17.0.1 via  dev docker0 src 172.17.0.1 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 172.17.255.255 via  dev docker0 src 172.17.0.1 table 255 (ignored)
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: seeking_src = 1, seeking_gateway = 0, has_peer = 1
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: dst 10.0.0.1 via  dev enp0s31f6 src 10.0.0.45 table 254
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: set addr: 10.0.0.45
Jan 19 19:36:56 Prec-7760 NetworkManager[109353]: seeking_src = 0, seeking_gateway = 0, has_peer = 1
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: initiating Main Mode
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 104 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: STATE_MAIN_I1: initiate
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 003 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: ignoring unknown Vendor ID payload [72872b95fcda2eb708efe322119b4971]
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: WARNING: connection 18b71348-cc03-4d9f-8a98-b962322f0ce3 PSK length of 4 bytes is too short for sha PRF in FIPS mode (10 bytes required)
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 106 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 108 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: Peer ID is ID_IPV4_ADDR: '128.198.18.9'
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 004 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=DH20}
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:2408415d proposal=AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA1_96 pfsgroup=DH20}
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 117 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: STATE_QUICK_I1: initiate
Jan 19 19:36:56 Prec-7760 NetworkManager[109355]: 010 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
Jan 19 19:36:57 Prec-7760 NetworkManager[109355]: 010 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
Jan 19 19:36:58 Prec-7760 NetworkManager[109355]: 010 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
Jan 19 19:37:00 Prec-7760 NetworkManager[109355]: 010 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
Jan 19 19:37:04 Prec-7760 NetworkManager[109355]: 010 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
Jan 19 19:37:06 Prec-7760 nm-l2tp-service[109032]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Jan 19 19:37:06 Prec-7760 NetworkManager[1440]: <info>  [1642646226.1885] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"UCCSVPN",0]: VPN plugin: state changed: stopped (6)
Jan 19 19:37:06 Prec-7760 NetworkManager[1440]: <info>  [1642646226.1923] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"UCCSVPN",0]: VPN service disappeared
Jan 19 19:37:06 Prec-7760 NetworkManager[1440]: <warn>  [1642646226.1940] vpn-connection[0x56083aad86f0,18b71348-cc03-4d9f-8a98-b962322f0ce3,"UCCSVPN",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
dkosovic commented 2 years ago

It is now passing main mode (i.e. phase 1) which it wasn't previously, but is failing with quick mode (phase 2).

The client is proposing PFS (Perfect Forward Secrecy) for quick mode; perhaps the VPN server doesn't support PFS or hasn't enabled PFS. Try the disable PFS checkbox in the IPsec settings on the client.

WesRobbins commented 2 years ago

Ok thank you. I now have this error:

nm-l2tp[116203] <info>  starting ipsec
Redirecting to: systemctl restart ipsec.service
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
opening file: /run/nm-l2tp-18b71348-cc03-4d9f-8a98-b962322f0ce3/ipsec.conf
debugging mode enabled
end of file /run/nm-l2tp-18b71348-cc03-4d9f-8a98-b962322f0ce3/ipsec.conf
Loading conn 18b71348-cc03-4d9f-8a98-b962322f0ce3
starter: left is KH_DEFAULTROUTE
loading named conns: 18b71348-cc03-4d9f-8a98-b962322f0ce3
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst  via 10.0.0.1 dev wlp147s0 src  table 254
set nexthop: 10.0.0.1
dst 10.0.0.0 via  dev wlp147s0 src 10.0.0.188 table 254
dst 169.254.0.0 via  dev wlp147s0 src  table 254
dst 172.17.0.0 via  dev docker0 src 172.17.0.1 table 254
dst 10.0.0.0 via  dev wlp147s0 src 10.0.0.188 table 255 (ignored)
dst 10.0.0.188 via  dev wlp147s0 src 10.0.0.188 table 255 (ignored)
dst 10.0.0.255 via  dev wlp147s0 src 10.0.0.188 table 255 (ignored)
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 172.17.0.0 via  dev docker0 src 172.17.0.1 table 255 (ignored)
dst 172.17.0.1 via  dev docker0 src 172.17.0.1 table 255 (ignored)
dst 172.17.255.255 via  dev docker0 src 172.17.0.1 table 255 (ignored)

seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst 10.0.0.1 via  dev wlp147s0 src 10.0.0.188 table 254
set addr: 10.0.0.188

seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" modecfgdns=<unset>
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" modecfgdomains=<unset>
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" modecfgbanner=<unset>
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" mark=<unset>
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" mark-in=<unset>
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" mark-out=<unset>
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" vti_iface=<unset>
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" redirect-to=<unset>
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" accept-redirect-to=<unset>
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" esp=aes256-sha1,aes128-sha1,3des-sha1
conn: "18b71348-cc03-4d9f-8a98-b962322f0ce3" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp_384,aes128-sha1-modp1024,aes128-sha1-ecp_256,3des-sha1-modp2048,3des-sha1-modp1024
002 added connection description "18b71348-cc03-4d9f-8a98-b962322f0ce3"
nm-l2tp[116203] <info>  Spawned ipsec auto --up script with PID 116526.
002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: initiating Main Mode
104 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: STATE_MAIN_I1: initiate
003 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: ignoring unknown Vendor ID payload [72872b95fcda2eb708efe322119b4971]
002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: WARNING: connection 18b71348-cc03-4d9f-8a98-b962322f0ce3 PSK length of 4 bytes is too short for sha PRF in FIPS mode (10 bytes required)
106 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: Peer ID is ID_IPV4_ADDR: '128.198.18.9'
004 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=DH20}
002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:69fc32f0 proposal=AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA1_96 pfsgroup=no-pfs}
117 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: STATE_QUICK_I1: initiate
003 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=69fc32f0, length=28
003 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
003 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: our client subnet returned doesn't match my proposal - us: 10.0.0.188/32 vs them: 24.9.132.245/32
003 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
004 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xdb9017e6 <0x836236b9 xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=128.198.18.9:4500 DPD=unsupported}
nm-l2tp[116203] <info>  Libreswan IPsec tunnel is up.
** Message: 20:58:03.010: xl2tpd started with pid 116540
xl2tpd[116540]: Not looking for kernel SAref support.
xl2tpd[116540]: Using l2tp kernel support.
xl2tpd[116540]: xl2tpd version xl2tpd-1.3.12 started on Prec-7760 PID:116540
xl2tpd[116540]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[116540]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[116540]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[116540]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[116540]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[116540]: get_call: allocating new tunnel for host 128.198.18.9, port 1701.
xl2tpd[116540]: Connecting to host 128.198.18.9, port 1701
xl2tpd[116540]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[116540]: control_finish: sending SCCRQ
xl2tpd[116540]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[116540]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[116540]: framing_caps_avp: supported peer frames: sync
xl2tpd[116540]: bearer_caps_avp: supported peer bearers:
xl2tpd[116540]: firmware_rev_avp: peer reports firmware version 2560 (0x0a00)
xl2tpd[116540]: hostname_avp: peer reports hostname 'VPN5'
xl2tpd[116540]: vendor_avp: peer reports vendor 'Microsoft'
xl2tpd[116540]: assigned_tunnel_avp: using peer's tunnel 2254
xl2tpd[116540]: receive_window_size_avp: peer wants RWS of 8.  Will use flow control.
xl2tpd[116540]: control_finish: message type is Start-Control-Connection-Reply(2).  Tunnel is 2254, call is 0.
xl2tpd[116540]: control_finish: sending SCCCN
xl2tpd[116540]: Connection established to 128.198.18.9, 1701.  Local: 46601, Remote: 2254 (ref=0/0).
xl2tpd[116540]: Calling on tunnel 46601
xl2tpd[116540]: control_finish: message type is (null)(0).  Tunnel is 2254, call is 0.
xl2tpd[116540]: control_finish: sending ICRQ
xl2tpd[116540]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[116540]: assigned_call_avp: using peer's call 11
xl2tpd[116540]: control_finish: message type is Incoming-Call-Reply(11).  Tunnel is 2254, call is 11.
xl2tpd[116540]: control_finish: Sending ICCN
xl2tpd[116540]: Call established with 128.198.18.9, Local: 30365, Remote: 11, Serial: 1 (ref=0/0)
xl2tpd[116540]: start_pppd: I'm running: 
xl2tpd[116540]: "/usr/sbin/pppd" 
xl2tpd[116540]: "plugin" 
xl2tpd[116540]: "pppol2tp.so" 
xl2tpd[116540]: "pppol2tp" 
xl2tpd[116540]: "7" 
xl2tpd[116540]: "passive" 
xl2tpd[116540]: "nodetach" 
xl2tpd[116540]: ":" 
xl2tpd[116540]: "debug" 
xl2tpd[116540]: "file" 
xl2tpd[116540]: "/run/nm-l2tp-18b71348-cc03-4d9f-8a98-b962322f0ce3/ppp-options" 
xl2tpd[116540]: message_type_avp: message type 14 (Call-Disconnect-Notify)
xl2tpd[116540]: result_code_avp: peer closing for reason 3 (Control channel already exists), error = 0 ()
xl2tpd[116540]: assigned_call_avp: using peer's call 11
xl2tpd[116540]: control_finish: message type is Call-Disconnect-Notify(14).  Tunnel is 2254, call is 11.
xl2tpd[116540]: control_finish: Connection closed to 128.198.18.9, serial 1 ()
xl2tpd[116540]: Terminating pppd: sending TERM signal to pid 116541
nm-l2tp[116203] <info>  Terminated xl2tpd daemon with PID 116540.
xl2tpd[116540]: death_handler: Fatal signal 15 received
xl2tpd[116540]: Connection 2254 closed to 128.198.18.9, port 1701 (Server closing)
002 "18b71348-cc03-4d9f-8a98-b962322f0ce3": terminating SAs using this connection
002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: deleting state (STATE_QUICK_I2) aged 0.315s and sending notification
005 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #2: ESP traffic information: in=593B out=582B
002 "18b71348-cc03-4d9f-8a98-b962322f0ce3" #1: deleting state (STATE_MAIN_I4) aged 0.383s and sending notification
** Message: 20:58:03.149: ipsec shut down
nm-l2tp[116203] <warn>  xl2tpd exited with error code 1
** Message: 20:58:03.151: ipsec shut down
dkosovic commented 2 years ago

I don't see any pppd logs, which are only visible with journalctl; try:

journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd

It could be something as simple as a pppd authentication error. As it appears to be a Microsoft VPN server, in the PPP settings you could uncheck all of the authentication methods apart from MS-CHAP V2 (but it's generally not necessary to do so with Microsoft VPN servers).
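
The three runs in this thread fail at three different layers: the strongSwan run never gets a phase 1 reply, the first libreswan run establishes the ISAKMP SA but times out in quick mode while proposing PFS, and the last run brings up ESP and the L2TP tunnel but is closed by the peer once pppd starts. The script below is an added example written for this page, not nm-l2tp code or anything posted by the maintainer; it walks a log excerpt layer by layer, as the two replies above do by eye, and reports where the run stopped and what to try next. The samples are constructed by trimming the logs posted in this issue (syslog prefixes removed, connection UUID shortened to "conn"); the regexes assume the libreswan, strongSwan and xl2tpd message formats seen in those logs.

```python
import re

# Constructed samples: trimmed excerpts of the three runs posted in this issue,
# with syslog prefixes removed and the connection UUID shortened to "conn".
RUN_STRONGSWAN = """\
07[IKE] initiating Main Mode IKE_SA conn[1] to 128.198.18.9
07[NET] sending packet: from 10.0.0.45[500] to 128.198.18.9[500] (176 bytes)
01[IKE] sending retransmit 1 of request message ID 0, seq 1
00[IKE] destroying IKE_SA in state CONNECTING without notification
"""
RUN_LIBRESWAN_PFS = """\
002 "conn" #1: initiating Main Mode
002 "conn" #1: WARNING: connection conn PSK length of 4 bytes is too short for sha PRF in FIPS mode (10 bytes required)
004 "conn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=DH20}
002 "conn" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW {using isakmp#1 msgid:2408415d proposal=AES_CBC_256-HMAC_SHA1_96 pfsgroup=DH20}
010 "conn" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
010 "conn" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
"""
RUN_LIBRESWAN_NOPFS = """\
004 "conn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=DH20}
002 "conn" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW {using isakmp#1 msgid:69fc32f0 proposal=AES_CBC_256-HMAC_SHA1_96 pfsgroup=no-pfs}
004 "conn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xdb9017e6 <0x836236b9 xfrm=AES_CBC_256-HMAC_SHA1_96}
xl2tpd[116540]: Connection established to 128.198.18.9, 1701.  Local: 46601, Remote: 2254 (ref=0/0).
xl2tpd[116540]: start_pppd: I'm running:
xl2tpd[116540]: result_code_avp: peer closing for reason 3 (Control channel already exists), error = 0 ()
xl2tpd[116540]: control_finish: Connection closed to 128.198.18.9, serial 1 ()
"""

# The journalctl query from the reply above; pppd lines do not reach the plugin log.
PPPD_JOURNAL_CMD = "journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd"


def first(lines, pattern):
    """First regex match over the lines, or None."""
    for line in lines:
        m = re.search(pattern, line)
        if m:
            return m
    return None


def count(lines, pattern):
    return sum(1 for line in lines if re.search(pattern, line))


def triage(log):
    """Walk one nm-l2tp run layer by layer: IKE phase 1, phase 2, L2TP/PPP."""
    lines = log.splitlines()
    r = {"phase1": "not attempted", "phase2": "not attempted",
         "l2tp": "not attempted", "findings": [], "next_step": ""}

    # Phase 1: IKEv1 main mode (ISAKMP SA). libreswan warns about short PSKs here.
    m = first(lines, r"PSK length of (\d+) bytes is too short")
    if m:
        r["findings"].append("PSK is only %s bytes: far too short, rotate it" % m.group(1))
    m = first(lines, r"ISAKMP SA established \{(.*?)\}")
    if m:
        r["phase1"] = "established (%s)" % m.group(1)
    elif count(lines, r"sending retransmit .* message ID 0|STATE_MAIN_I\d: retransmission"):
        r["phase1"] = "no response from peer"
        r["next_step"] = "peer never answered on UDP/500: check reachability, firewall and phase 1 proposals"
        return r
    else:
        return r

    # Phase 2: quick mode (ESP SA). Record whether the client asked for PFS.
    m = first(lines, r"initiating Quick Mode (\S+) \{.*pfsgroup=([^}\s]+)\}")
    if m:
        pfs = "+PFS" in m.group(1) or m.group(2) != "no-pfs"
        if first(lines, r"IPsec SA established"):
            r["phase2"] = "established " + ("with PFS %s" % m.group(2) if pfs else "without PFS")
        elif count(lines, r"STATE_QUICK_I1: retransmission"):
            r["phase2"] = "no response from peer"
            if pfs:
                r["findings"].append("quick mode proposed PFS (%s) and the peer went silent" % m.group(2))
                r["next_step"] = "peer may not support PFS for phase 2: tick 'Disable PFS' in the IPsec settings and retry"
            else:
                r["next_step"] = "phase 2 proposals silently rejected: compare ESP proposals with the server"
            return r

    # L2TP control channel and PPP, which only start once the ESP SA is up.
    if first(lines, r"xl2tpd\[\d+\]: Connection established to"):
        r["l2tp"] = "tunnel established"
        m = first(lines, r"peer closing for reason (\d+) \(([^)]*)\)")
        if m:
            r["l2tp"] = "closed by peer: reason %s (%s)" % (m.group(1), m.group(2))
            if first(lines, r"start_pppd") and not first(lines, r"pppd\[\d+\]"):
                r["findings"].append("pppd was spawned but no pppd lines are in this excerpt")
                r["next_step"] = ("IPsec and L2TP came up; the failure is at the PPP layer. Run: %s "
                                  "and check the PPP authentication methods" % PPPD_JOURNAL_CMD)
    return r


if __name__ == "__main__":
    for name, run in (("strongSwan", RUN_STRONGSWAN), ("libreswan+PFS", RUN_LIBRESWAN_PFS),
                      ("libreswan no-PFS", RUN_LIBRESWAN_NOPFS)):
        print(name, triage(run))
```

The order of the checks matters: a quick mode timeout is only meaningful after the ISAKMP SA is up, and the xl2tpd lines only matter once ESP is established, so each stage returns early when it fails. The short-PSK warning is reported regardless of outcome, since the run that eventually succeeded in this thread still carried it.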

WesRobbins commented 2 years ago

Unchecked authentication methods and I'm able to connect. Thanks for your help!