nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

ubuntu - cannot connect to the work vpn (ms peap, IPsec sha256 encryption) #31

Closed k0st1x closed 7 years ago

k0st1x commented 7 years ago

Hello, I've been trying to connect from my home Ubuntu PC to the work network, but without success (I can connect from the Win10 PC with automatic configuration, where I can see that IPsec uses SHA-256 encryption).

Please help me diagnose the issue. Here is my exported config file: http://pastebin.com/6jjtvyC3 and here is the log: http://pastebin.com/u8PUHPab

Firstly, I can't see SHA encryption being used in the log. Secondly, the log (line 113) prints "connection established successfully", but on the next line "Could not establish IPsec tunnel" :( Thirdly (and most important): "GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed"

Please give me some hints and guidance on what I can try in order to connect to the remote network.

dkosovic commented 7 years ago

Extract from the "ike = <cipher suites>" section on wiki.strongswan.org/projects/strongswan/wiki/ConnSection:

Defaults to aes128-sha256-modp3072 (aes128-sha1-modp2048,3des-sha1-modp1536 before 5.4.0) for IKEv1. The daemon adds its extensive default proposal to this default or the configured value.

As you are using strongswan 5.3.5, it looks like the aes128-sha256-modp3072 cipher suite isn't one of the default initial proposals.

Some things you could try:

k0st1x commented 7 years ago

@dkosovic I am very grateful to you for your advice and the time you spent on me. I will test your suggestions in two days.

k0st1x commented 7 years ago

@dkosovic I've tested the first suggestion:

add the cipher to the following line in the source code for the ike ciphers

As I understand it, I replaced "aes128-sha1-modp2048,3des-sha1-modp1536" with "aes128-sha256-modp3072", ran "make" and "sudo make install", and rebooted the PC. Unfortunately this did not change VPN connectivity, and the logs are the same.

Trying the second step...

k0st1x commented 7 years ago

I removed strongswan, cloned libreswan, installed the dependencies, ran "make programs" and "sudo make install" (I thought this is what you meant by "install libreswan to /usr/local"). Unfortunately, without success. Here are the logs: http://pastebin.com/JyQd8TdB There is a strange place: "but peer declares '172.22.0.60'" (but my host is '188.128.36.80'). I don't know whether that IP was accidentally (by mistake) placed in one of my local conf files, or whether this is a response from the VPN server?

Trying to find '172.22.0.60' locally...

dkosovic commented 7 years ago

That's indeed what I meant by installing libreswan or strongswan to /usr/local, as the default value of the configure --prefix argument is /usr/local. It's a pretty safe location to install to, and you can readily delete any files installed under there without compromising system files.

NetworkManager-l2tp generates temporary conf files each time it is run; they can be found under /var/run/. You can have a look at the following conf file to see what is used with libreswan: /var/run/nm-ipsec-l2tp.????/ipsec.conf

I'm not really sure what's going on with '172.22.0.60'.

In the IPsec Settings dialog, are the Group Name and Gateway ID fields empty? If not, try deleting the entries, especially the IPsec Gateway ID.

k0st1x commented 7 years ago

That's indeed what I meant by installing libreswan or strongswan to /usr/local, as the default value of the configure --prefix argument is /usr/local. It's a pretty safe location to install to, and you can readily delete any files installed under there without compromising system files.

Thank you for the detailed description.

NetworkManager-l2tp generates temporary conf files each time it is run; they can be found under /var/run/. You can have a look at the following conf file to see what is used with libreswan: /var/run/nm-ipsec-l2tp.????/ipsec.conf

Yes, I found the file '/run/nm-ipsec-l2tp.7438/ipsec.conf' with this content: http://pastebin.com/Hi3Mq1Gd (the '188.128.36.80' address is used there, but not '172.22.0.60').

In the IPsec Settings dialog, are the Group Name and Gateway ID fields empty?

Yes, they are empty: https://1drv.ms/i/s!AnIsKYlgFpEwrZw_mkSnyKKg000mmA

I'm currently deleting libreswan, and then I will try to perform the third and last step...

k0st1x commented 7 years ago

I've tried the third step: cloned https://github.com/strongswan/strongswan and ran 'make' -> 'make install'. Unfortunately, there is still the error "IDir '172.22.0.60' does not match to '188.128.36.80'": http://pastebin.com/DaGfgTcp

I looked for the '172.22.0.60' string in the /etc/ and /var/ directories without success. I give up. @dkosovic Thank you for your advice, which has made me wiser.

dkosovic commented 7 years ago

It seems like the VPN server is behind a NAT, so it is advertising its private, before-NAT IP address as its identifier, which is '172.22.0.60'.

Perhaps setting the Gateway ID in the IPsec Settings dialog box to 172.22.0.60 will appease strongswan or libreswan.
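The two fixes discussed in this thread (dkosovic's advice to offer a SHA-256 IKE proposal explicitly because strongswan 5.3.5 does not include it by default, and the final note that the gateway behind NAT identifies itself with its private address) map onto two lines of an IPsec `conn`. The hand-written strongSwan ipsec.conf below is an added example for this page; it is not the thread's own configuration nor the file NetworkManager-l2tp generates under /var/run/nm-ipsec-l2tp.????/. The two addresses are the ones from the thread's logs; the connection name, the PSK authentication, the exact proposals and the transport/port settings are assumptions to be matched against your own gateway.

```ini
# Added example (not from the thread or from NetworkManager-l2tp): a strongSwan
# ipsec.conf connection for an L2TP/IPsec gateway that
#   (a) requires SHA-256 integrity in IKEv1 phase 1, and
#   (b) sits behind NAT and sends its private address as its IKE identity.
# The two IPs are taken from the thread; everything else is an assumption.
conn nm-l2tp-work
    keyexchange=ikev1
    authby=secret                 # assumption: pre-shared key, as NM-l2tp uses
    type=transport                # L2TP/IPsec uses transport mode
    left=%defaultroute
    leftprotoport=17/1701         # UDP/1701 = L2TP
    right=188.128.36.80           # public (post-NAT) address of the gateway
    # The peer's IKE identity is its pre-NAT private address. Without this
    # line strongSwan rejects the peer with
    #   "IDir '172.22.0.60' does not match to '188.128.36.80'"
    rightid=172.22.0.60
    rightprotoport=17/1701
    # Explicit phase 1 / phase 2 proposals. The trailing '!' makes the list
    # strict, so the old aes128-sha1-modp2048 / 3des-sha1-modp1536 defaults
    # are no longer offered alongside it.
    ike=aes128-sha256-modp3072!
    esp=aes128-sha256!
    auto=add
```

In the NetworkManager-l2tp IPsec Settings dialog, `rightid` is the Gateway ID field and `ike=`/`esp=` correspond to the phase 1 and phase 2 algorithm fields, so the same effect can be had without editing the generated file. The DH group has to match what the gateway actually proposes; if the log still shows "no proposal chosen", read the peer's proposal from the strongSwan log and adjust `modp3072` (for example to `modp2048`) rather than loosening the integrity algorithm back to SHA-1. For libreswan the equivalent keywords are `rightid=172.22.0.60`, `ike=aes128-sha2_256;modp3072` and `phase2alg=aes128-sha2_256` with `ikev2=no`. Accepting a peer ID that differs from its source address is safe here only because the pre-shared key still authenticates the gateway; it is a NAT accommodation, not a reason to skip ID checking altogether.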