nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Strongswan UNSUPPORTED_CRITICAL_PAYLOAD in Main Mode (phase 1) Ubuntu 22.04 #192

Closed RALGIE closed 1 year ago

RALGIE commented 1 year ago

I'm trying to connect to my UDM from Unifi. I can't get this to work. I googled this error message but with no success. I've updated and tried a lot of things but I can't get it to work. Maybe you can determine what is wrong with my configuration?

VPN Protocol: L2TP
UniFi OS: UDM 1.12.22

network-manager-config-connectivity-ubuntu/jammy-updates,jammy-updates,now 1.36.6-0ubuntu2 all [installed]
network-manager-gnome/jammy,now 1.24.0-1ubuntu3 amd64 [installed]
network-manager-l2tp-gnome/jammy,now 1.20.4-1~ubuntu22.04.1~ppa1 amd64 [installed]
network-manager-l2tp/jammy,now 1.20.4-1~ubuntu22.04.1~ppa1 amd64 [installed]
network-manager-openconnect-gnome/jammy,now 1.2.6-4 amd64 [installed]
network-manager-openconnect/jammy,now 1.2.6-4 amd64 [installed]
network-manager-openvpn-gnome/jammy,now 1.8.18-1 amd64 [installed,automatic]
network-manager-openvpn/jammy,now 1.8.18-1 amd64 [installed,automatic]
network-manager-pptp-gnome/jammy,now 1.2.10-1 amd64 [installed]
network-manager-pptp/jammy,now 1.2.10-1 amd64 [installed]

This is the syslog:

Aug 18 23:24:00 ragi NetworkManager[1068]: <info>  [1660857840.6544] vpn[0x5649f2d4a5f0,5c6e7184-9c0f-44a5-b0fa-de4211dca233,"UDM TEST"]: starting l2tp
Aug 18 23:24:00 ragi NetworkManager[1068]: <info>  [1660857840.6561] audit: op="connection-activate" uuid="5c6e7184-9c0f-44a5-b0fa-de4211dca233" name="UDM TEST" pid=3361 uid=1000 result="success"
Aug 18 23:24:00 ragi nm-l2tp-service[17262]: Check port 1701
Aug 18 23:24:00 ragi nm-l2tp-service[17262]: Can't bind to port 1701
Aug 18 23:24:00 ragi NetworkManager[17278]: Stopping strongSwan IPsec failed: starter is not running
Aug 18 23:24:02 ragi NetworkManager[17275]: Starting strongSwan 5.9.5 IPsec [starter]...
Aug 18 23:24:02 ragi NetworkManager[17275]: Loading config setup
Aug 18 23:24:02 ragi NetworkManager[17275]: Loading conn '5c6e7184-9c0f-44a5-b0fa-de4211dca233'
Aug 18 23:24:02 ragi charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-46-generic, x86_64)
Aug 18 23:24:02 ragi charon: 00[LIB] providers loaded by OpenSSL: legacy default
Aug 18 23:24:02 ragi charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 18 23:24:02 ragi charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 18 23:24:02 ragi charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 18 23:24:02 ragi charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 18 23:24:02 ragi charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 18 23:24:02 ragi charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 18 23:24:02 ragi charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Aug 18 23:24:02 ragi charon: 00[CFG]   loaded IKE secret for %any
Aug 18 23:24:02 ragi charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Aug 18 23:24:02 ragi charon: 00[CFG]   loaded IKE secret for %any
Aug 18 23:24:02 ragi charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Aug 18 23:24:02 ragi charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug 18 23:24:02 ragi charon: 00[JOB] spawning 16 worker threads
Aug 18 23:24:02 ragi charon: 05[CFG] received stroke: add connection '5c6e7184-9c0f-44a5-b0fa-de4211dca233'
Aug 18 23:24:02 ragi charon: 05[CFG] added configuration '5c6e7184-9c0f-44a5-b0fa-de4211dca233'
Aug 18 23:24:03 ragi charon: 07[CFG] rereading secrets
Aug 18 23:24:03 ragi charon: 07[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 18 23:24:03 ragi charon: 07[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Aug 18 23:24:03 ragi charon: 07[CFG]   loaded IKE secret for %any
Aug 18 23:24:03 ragi charon: 07[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Aug 18 23:24:03 ragi charon: 07[CFG]   loaded IKE secret for %any
Aug 18 23:24:03 ragi charon: 09[CFG] received stroke: initiate '5c6e7184-9c0f-44a5-b0fa-de4211dca233'
Aug 18 23:24:03 ragi charon: 11[IKE] initiating Main Mode IKE_SA 5c6e7184-9c0f-44a5-b0fa-de4211dca233[1] to 99.99.99.99
Aug 18 23:24:03 ragi charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Aug 18 23:24:03 ragi charon: 11[NET] sending packet: from 192.168.1.19[500] to 99.99.99.99[500] (532 bytes)
Aug 18 23:24:03 ragi charon: 12[NET] received packet: from 99.99.99.99[500] to 192.168.1.19[500] (532 bytes)
Aug 18 23:24:03 ragi charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Aug 18 23:24:03 ragi charon: 12[IKE] received XAuth vendor ID
Aug 18 23:24:03 ragi charon: 12[IKE] received DPD vendor ID
Aug 18 23:24:03 ragi charon: 12[IKE] received FRAGMENTATION vendor ID
Aug 18 23:24:03 ragi charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Aug 18 23:24:03 ragi charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 18 23:24:03 ragi charon: 12[IKE] 99.99.99.99 is initiating a Main Mode IKE_SA
Aug 18 23:24:03 ragi charon: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 18 23:24:03 ragi charon: 12[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug 18 23:24:03 ragi charon: 12[NET] sending packet: from 192.168.1.19[500] to 99.99.99.99[500] (160 bytes)
Aug 18 23:24:03 ragi charon: 13[NET] received packet: from 99.99.99.99[500] to 192.168.1.19[500] (160 bytes)
Aug 18 23:24:03 ragi charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Aug 18 23:24:03 ragi charon: 13[IKE] received XAuth vendor ID
Aug 18 23:24:03 ragi charon: 13[IKE] received DPD vendor ID
Aug 18 23:24:03 ragi charon: 13[IKE] received FRAGMENTATION vendor ID
Aug 18 23:24:03 ragi charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Aug 18 23:24:03 ragi charon: 13[IKE] KE payload missing in message
Aug 18 23:24:03 ragi charon: 13[ENC] generating INFORMATIONAL_V1 request 3610314015 [ N(CRIT) ]
Aug 18 23:24:03 ragi charon: 13[NET] sending packet: from 192.168.1.19[500] to 99.99.99.99[500] (56 bytes)
Aug 18 23:24:03 ragi charon: 14[NET] received packet: from 99.99.99.99[500] to 192.168.1.19[500] (56 bytes)
Aug 18 23:24:03 ragi charon: 14[ENC] parsed INFORMATIONAL_V1 request 3610314015 [ N(CRIT) ]
Aug 18 23:24:03 ragi charon: 14[IKE] received UNSUPPORTED_CRITICAL_PAYLOAD error notify
Aug 18 23:24:03 ragi NetworkManager[17319]: initiating Main Mode IKE_SA 5c6e7184-9c0f-44a5-b0fa-de4211dca233[1] to 99.99.99.99
Aug 18 23:24:03 ragi NetworkManager[17319]: generating ID_PROT request 0 [ SA V V V V V ]
Aug 18 23:24:03 ragi NetworkManager[17319]: sending packet: from 192.168.1.19[500] to 99.99.99.99[500] (532 bytes)
Aug 18 23:24:03 ragi NetworkManager[17319]: received packet: from 99.99.99.99[500] to 192.168.1.19[500] (56 bytes)
Aug 18 23:24:03 ragi NetworkManager[17319]: parsed INFORMATIONAL_V1 request 3610314015 [ N(CRIT) ]
Aug 18 23:24:03 ragi NetworkManager[17319]: received UNSUPPORTED_CRITICAL_PAYLOAD error notify
Aug 18 23:24:03 ragi NetworkManager[17319]: establishing connection '5c6e7184-9c0f-44a5-b0fa-de4211dca233' failed
Aug 18 23:24:04 ragi NetworkManager[17326]: Stopping strongSwan IPsec...
Aug 18 23:24:04 ragi charon: 00[DMN] SIGINT received, shutting down
Aug 18 23:24:04 ragi nm-l2tp-service[17262]: Could not establish IPsec connection.
Aug 18 23:24:04 ragi nm-l2tp-service[17262]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

99.99.99.99 is the obfuscated public ip :)
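Added example (not part of this issue or of nm-l2tp): a small Python triage script that reads charon syslog lines like the ones above and reports what the Main Mode exchange actually did, rather than stopping at the final UNSUPPORTED_CRITICAL_PAYLOAD notify. The sample lines are constructed and abridged from the log in this issue; the connection name `conn1` and the function names are my own.

```python
import re

# Constructed sample, abridged from the charon lines quoted in this issue.
SAMPLE_LOG = """\
Aug 18 23:24:03 ragi charon: 11[IKE] initiating Main Mode IKE_SA conn1[1] to 99.99.99.99
Aug 18 23:24:03 ragi charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Aug 18 23:24:03 ragi charon: 11[NET] sending packet: from 192.168.1.19[500] to 99.99.99.99[500] (532 bytes)
Aug 18 23:24:03 ragi charon: 12[NET] received packet: from 99.99.99.99[500] to 192.168.1.19[500] (532 bytes)
Aug 18 23:24:03 ragi charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V ]
Aug 18 23:24:03 ragi charon: 12[IKE] 99.99.99.99 is initiating a Main Mode IKE_SA
Aug 18 23:24:03 ragi charon: 12[ENC] generating ID_PROT response 0 [ SA V V V V ]
Aug 18 23:24:03 ragi charon: 12[NET] sending packet: from 192.168.1.19[500] to 99.99.99.99[500] (160 bytes)
Aug 18 23:24:03 ragi charon: 13[NET] received packet: from 99.99.99.99[500] to 192.168.1.19[500] (160 bytes)
Aug 18 23:24:03 ragi charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Aug 18 23:24:03 ragi charon: 13[IKE] KE payload missing in message
Aug 18 23:24:03 ragi charon: 14[IKE] received UNSUPPORTED_CRITICAL_PAYLOAD error notify
"""
CHARON = re.compile(r"charon: \d+\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$")
PKT = re.compile(r"(sending|received) packet: .* \((\d+) bytes\)")
ENC = re.compile(r"(generating|parsed) (\w+) (request|response) \d+ \[ ([^\]]*)\]")

def parse_charon(log: str) -> dict:
    # Role hints, outbound/inbound messages (exchange, kind, payloads), packet sizes, IKE errors.
    ev = {"local_init": False, "peer_init": False, "out": [], "in": [], "sent": [], "recv": [], "errors": []}
    for m in filter(None, map(CHARON.search, log.splitlines())):
        grp, msg = m["grp"], m["msg"]
        if grp == "IKE":
            ev["local_init"] |= msg.startswith("initiating Main Mode")
            ev["peer_init"] |= "is initiating a Main Mode" in msg
            if "missing" in msg or "error notify" in msg:
                ev["errors"].append(msg)
        elif grp == "ENC" and (e := ENC.search(msg)):
            ev["out" if e[1] == "generating" else "in"].append((e[2], e[3], e[4].split()))
        elif grp == "NET" and (p := PKT.search(msg)):
            ev["sent" if p[1] == "sending" else "recv"].append(int(p[2]))
    return ev

def findings(ev: dict) -> list:
    # Analyst-readable observations about the phase-1 exchange.
    out = []
    if ev["local_init"] and ev["peer_init"]:
        out.append("both ends acted as Main Mode initiator: local request collided with an inbound one")
    # Pair i-th outbound with i-th inbound; a genuine responder reply differs from what we sent.
    for (o, so), (i, si) in zip(zip(ev["out"], ev["sent"]), zip(ev["in"], ev["recv"])):
        if so == si and o[2] == i[2]:
            out.append(f"inbound {i[0]} {i[1]} ({si} bytes) mirrors the message just sent: same size and payloads")
    for err in ev["errors"]:
        tag = "phase 1 aborted" if "UNSUPPORTED_CRITICAL_PAYLOAD" in err else "responder-side parse error"
        out.append(f"{tag}: {err}")
    return out
```

Run `findings(parse_charon(SAMPLE_LOG))` (or feed it `journalctl -u NetworkManager` output) to get the observations as a list of strings; on this sample it flags the initiator collision, two inbound packets that mirror the outbound ones, and the two fatal IKE lines.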

dkosovic commented 1 year ago

I've never seen the strongswan UNSUPPORTED_CRITICAL_PAYLOAD error before. You might have more luck by switching from strongswan to libreswan with the following:

sudo apt install libreswan

Then try again.

The g_dbus_method_invocation_take_error: assertion 'error != NULL' is just an unfriendly debugging assertion indicating the error variable has been assigned a value (which is shown in the previous line as Could not establish IPsec connection.)

RALGIE commented 1 year ago

@dkosovic thanks for the option. I've fixed the problem... I've rebooted my UDM. That did the trick.