IPsec XAUTH compatibility with installed package from PPA.

[zubrzubr]

Hello, guys. I installed package from ppa, configured l2tp network in network manager but it doesn't works for me.Here is my loggs:

sudo /usr/lib/Netw
orkManager/nm-l2tp-service --debug
nm-l2tp[12432] <debug> nm-l2tp-service (version 1.2.6) starting...
nm-l2tp[12432] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[12432] <info>  ipsec enable flag: yes
** Message: Check port 1701
connection
    id : "Curve VPN" (s)
    uuid : "e15702fb-0564-4118-bf00-b4fbb1010465" (s)
    interface-name : NULL (sd)
    type : "vpn" (s)
    permissions : ["user:maxzubr:"] (s)
    autoconnect : FALSE (s)
    autoconnect-priority : 0 (sd)
    timestamp : 0 (sd)
    read-only : FALSE (sd)
    zone : NULL (sd)
    master : NULL (sd)
    slave-type : NULL (sd)
    autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
    secondaries : [] (s)
    gateway-ping-timeout : 0 (sd)
    metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
    lldp : -1 (sd)

ipv6
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray*) 0x1845960) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray*) 0x1845940) (s)
    route-metric : -1 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_DISABLED) (s)
    addr-gen-mode : 1 (sd)

ipv4
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray*) 0x1845820) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray*) 0x1844b60) (s)
    route-metric : -1 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    dhcp-client-id : NULL (sd)
    dhcp-fqdn : NULL (sd)

vpn
    service-type : "org.freedesktop.NetworkManager.l2tp" (s)
    user-name : "maxzubr" (s)
    persistent : FALSE (sd)
    data : ((GHashTable*) 0x1846520) (s)
    secrets : ((GHashTable*) 0x1846580) (s)
    timeout : 0 (sd)

nm-l2tp[12432] <info>  starting ipsec
Stopping strongSwan IPsec...
Starting strongSwan 5.5.1 IPsec [starter]...
Loading config setup
Loading conn 'e15702fb-0564-4118-bf00-b4fbb1010465'
found netkey IPsec stack
nm-l2tp[12432] <info>  Spawned ipsec up script with PID 12531.
initiating Main Mode IKE_SA e15702fb-0564-4118-bf00-b4fbb1010465[1] to xx.xx.xx.xx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from xxxx[500] to xxxx[500] (240 bytes)
received packet: from xxxx[500] to xxxx[500] (92 bytes)
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
thread 15 received 11
 dumping 2 stack frame addresses:
  /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fb4aeb60000 [0x7fb4aeb71390]
    -> ??:?
    [0x5643161adaf0]
killing ourself, received critical signal
nm-l2tp[12432] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:12432): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

When I try to connect to l2tp network after feeling a password nothing happens.

[dkosovic]

I suspect the received NO_PROPOSAL_CHOSEN error notify is happening because you are using a VPN server that is using legacy ciphers that strongSwan now considers broken and none of the default ciphers newer versions of strongSwan now use for the initial proposal.

Have a look at the user specified cipher suites section on the following page on how to supplement the default cipers :

• https://github.com/nm-l2tp/network-manager-l2tp#user-specified-ipsec-ikev1-cipher-suites

there is an example there on what you need to set for phase 1 & 2 algorithms in the advanced section of the IPsec dialog box.

[zubrzubr]

@dkosovic Hello! Thanks for the answer. I tried to setup 1 and 2 phases algorithms but got the same issue:

Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
thread 0 received 11
 dumping 2 stack frame addresses:
  /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f362c6b2000 [0x7f362c6c3390]
    -> ??:?
    [0x565286b97b10]
killing ourself, received critical signal
Starting strongSwan 5.5.1 IPsec [starter]...
Loading config setup
Loading conn 'e15702fb-0564-4118-bf00-b4fbb1010465'
found netkey IPsec stack
nm-l2tp[17632] <info>  Spawned ipsec up script with PID 18076.
initiating Main Mode IKE_SA e15702fb-0564-4118-bf00-b4fbb1010465[1] to xx.xx.xx.xx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from xxxx[500] to xxxx[500] (272 bytes)
received packet: from xxxx[500] to xxxx[500] (92 bytes)
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
thread 8 received 11
 dumping 2 stack frame addresses:
  /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7fd5a7a21000 [0x7fd5a7a32390]
    -> ??:?
    [0x556477424b10]
killing ourself, received critical signal
nm-l2tp[17632] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:17632): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

[dkosovic]

I'm still pretty sure it is still a cipher related issue. Could you run the ike-scan command against your VPN server to see which cipher it is using? e.g.:

sudo apt install ike-scan
sudo ipsec stop
sudo ike-scan 123.54.76.9

You might even need to use an exclamation mark at the end of the phase one and two settings to override and not just supplement the default ciphers. Some VPN servers can be fussy.

[zubrzubr]

@dkosovic Got it! I'm not vpn server own so need to ask if it is possible. Maybe I'll ask them which cipher they are using. I'll attach results into this issue...

[dkosovic]

There was a typo in my last message I meant run the ike-scan command against the VPN server, not on the VPN server.

But in issue https://github.com/nm-l2tp/network-manager-l2tp/issues/34 , I had someone using a Cisco Unity VPN server and had to use the following :

• Phase1 Algorithms: aes128-sha1-modp1024,3des-sha1-modp1024!
• Phase2 Algorithms: 3des-md5

[zubrzubr]

@dkosovic Next algorithms didn't help me:

• Phase1 Algorithms: aes128-sha1-modp1024,3des-sha1-modp1024!
• Phase2 Algorithms: 3des-md5

I asked VPN server owners to give me theirs cipher algorithms.

[dkosovic]

I've written a script that uses /usr/bin/ike-scan from the ike-scan package that is based on the script from the ike-scan homepage :

• http://www.nta-monitor.com/wiki/index.php/Ike-scan_User_Guide

that queries the VPN server for the ciphers it supports, but note it can take a few minutes to run and iterate through the options.

#!/bin/sh

# Encryption algorithms: 3DES=5, AES/128=7/128, AES/192=7/192 and AES/256=7/256
ENCLIST="5 7/128 7/192 7/256"
# Hash algorithms: MD5=1, SHA1=2, SHA256=5, SHA384=6
HASHLIST="1 2 5 6"
# Authentication methods: Pre-Shared Key=1, RSA Signatures=3, Hybrid Mode=64221 XAUTH=65001
AUTHLIST="1"
# Diffie-Hellman groups: 1, 2, 5, 14, 15
GROUPLIST="1 2 5 14 15"
#
for ENC in $ENCLIST; do
   for HASH in $HASHLIST; do
      for AUTH in $AUTHLIST; do
         for GROUP in $GROUPLIST; do
            echo ike-scan --trans=$ENC,$HASH,$AUTH,$GROUP -M "$@"
            ike-scan --trans=$ENC,$HASH,$AUTH,$GROUP -M "$@"
         done
      done
   done
done

Lets call the script ike-scan.sh, assuming you have the ike-scan package installed, you can run the script like so :

sudo ipsec stop
chmod a+rx ./ike-scan.sh
sudo ./ike-scan.sh 123.54.76.9  | grep SA
  SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
  SA=(Enc=AES Hash=SHA1 Auth=PSK Group=14:modp2048 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)

in the above replace 123.54.76.9 with your VPN server.

From the above script output example, would mean the following phase 1 & 2 options could be set in the IPsec dialog box advance options:

• Phase1 Algorithms: aes128-sha1-modp1024,3des-sha1-modp1024
• Phase2 Algorithms: aes128-sha1,3des-md5

[zubrzubr]

@dkosovic Hello! Thanks a lot! I'll try it tomorrow and add results here. PS. Still didn't get any answer from my VPN provider.

[zubrzubr]

@dkosovic Hello! As I understood we are using DES3 encoding:

xxx Notify message 14 (NO-PROPOSAL-CHOSEN)
xxx Notify message 14 (NO-PROPOSAL-CHOSEN)
xxx Notify message 14 (NO-PROPOSAL-CHOSEN)
xxx Notify message 14 (NO-PROPOSAL-CHOSEN)
xxx Notify message 14 (NO-PROPOSAL-CHOSEN)
xxx Notify message 14 (NO-PROPOSAL-CHOSEN)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

[dkosovic]

The following should hopefully do it :

• Phase1 Algorithms: 3des-sha1-modp1024!
• Phase2 Algorithms: 3des-sha1

There is another proposal where it could be failing that I forgot about, it is related to which port IPsec is using on the client side with L2TP and you need to stop the system xl2tpd for this proposal to take effect, stop xl2tpd with :

sudo systemctl stop xl2tpd

NetworkManager-l2tp will start its own xl2tpd process. If the VPN connection now works, you can disable the xl2tpd service so that it doesn't start next time at boot time :

sudo systemctl disable xl2tpd

[zubrzubr]

Hm, I changed algoritms and got next in my logs.

(nm-l2tp-service:1617): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
sending retransmit 2 of request message ID 0, seq 3
sending packet: from 192.168.16.82[4500] to xx.xx.xx.xx[4500] (68 bytes)
received packet: from xx.xx.xx.xx[4500] to 192.168.16.82[4500] (164 bytes)
parsed INFORMATIONAL_V1 request 1163525044 [ N(INVAL_IKE_SPI) ]
ignoring unprotected INFORMATIONAL from xx.xx.xx.xx
message verification failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 1163525044 processing failed

It is strange, I disabled xl2tpd process and now nothing happens. Logs didn't shows anything:

sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[2186] <debug> nm-l2tp-service (version 1.2.6) starting...
nm-l2tp[2186] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"

[dkosovic]

With sudo /usr/lib/NetworkManager/nm-l2tp-service --debug you you don't see much more than that until you try to connect the VPN connection. If you still don't see any more you need to look at the output of journalctl to see what's going on.

If things go bad try restarting NetworkManager with sudo systemctl restart networkManager

Do you know what vendor the VPN server is? e.g. Microsoft, strongSwan, Cisco, etc

[dkosovic]

I was was able to work out what sort of VPN server you are trying to connect to, it is a SonicWall. I worked it out from the output of ike-scan which had VID=5b362bc820f60008, by googling for 5b362bc820f60008.

On the following pages:

• https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
• http://manpages.ubuntu.com/manpages/zesty/man5/strongswan.conf.5.html

They say you may need to set charon.accept_unencrypted_mainmode_messages = yes in /etc/strongswan.d/charon.conf for some SonicWall devices.

[zubrzubr]

@dkosovic still can't get it work. I tried to add charon.accept_unencrypted_mainmode_messages = yes and restarted my pc. But still, nothing happens after trying to connect.

[zubrzubr]

@dkosovic and most likely vendor is netgear.

[zubrzubr]

Here are my logs of journalctl:

тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: maximum IKE_SA lifetime 10625s
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: parsed TRANSACTION request 2527681045 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: generating TRANSACTION response 2527681045 [ HASH CP ]
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: sending packet: from 192.168.15.68[4500] to xx.xx.xx.xx[4500] (68 bytes)
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: generating QUICK_MODE request 506351935 [ HASH SA No ID ID NAT-OA NAT-OA ]
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: sending packet: from 192.168.15.68[4500] to xx.xx.xx.xx[4500] (220 bytes)
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: received packet: from xx.xx.xx.xx[4500] to 192.168.15.68[4500] (84 bytes)
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: parsed INFORMATIONAL_V1 request 1623582993 [ HASH D ]
тра 29 10:31:37 maxzubr-K53SC ipsec_starter[16402]: child 16403 (charon) has been killed by sig 6
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: received DELETE for IKE_SA e15702fb-0564-4118-bf00-b4fbb1010465[1]
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: deleting IKE_SA e15702fb-0564-4118-bf00-b4fbb1010465[1] between 192.168.15.68[192.168.15.68]...xx.xx.xx.xx[xx.xx.xx.xx]
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: thread 4 received 11
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]:  dumping 2 stack frame addresses:
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]:   /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f9c52be0000 [0x7f9c52bf1390]
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]:     -> ??:?
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]:   /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f9c52817000 [0x7f9c52bdab78]
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]:     -> ??:0
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: killing ourself, received critical signal
тра 29 10:31:37 maxzubr-K53SC ipsec_starter[16402]: 
тра 29 10:31:37 maxzubr-K53SC ipsec_starter[16402]: charon has died -- restart scheduled (5sec)
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: nm-l2tp[16352] <warn>  Could not establish IPsec tunnel.
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: (nm-l2tp-service:16352): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: <info>  [1496043097.5305] vpn-connection[0x1d835d0,e15702fb-0564-4118-bf00-b4fbb1010465,"Curve VPN",0]: VPN plugin: state changed: stopped (6)
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: <info>  [1496043097.5325] vpn-connection[0x1d835d0,e15702fb-0564-4118-bf00-b4fbb1010465,"Curve VPN",0]: VPN plugin: state change reason: unknown (0)
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: <info>  [1496043097.5338] vpn-connection[0x1d835d0,e15702fb-0564-4118-bf00-b4fbb1010465,"test VPN",0]: VPN service disappeared
тра 29 10:31:37 maxzubr-K53SC NetworkManager[975]: <warn>  [1496043097.5358] vpn-connection[0x1d835d0,e15702fb-0564-4118-bf00-b4fbb1010465,"test VPN",0]: VPN connection: failed to connect: 'Message recipient di
тра 29 10:31:37 maxzubr-K53SC avahi-daemon[971]: Joining mDNS multicast group on interface vethade18e8.IPv6 with address fe80::3c7c:2ff:fe67:c081.
тра 29 10:31:37 maxzubr-K53SC avahi-daemon[971]: New relevant interface vethade18e8.IPv6 for mDNS.
тра 29 10:31:37 maxzubr-K53SC avahi-daemon[971]: Registering new address record for fe80::3c7c:2ff:fe67:c081 on vethade18e8.*.
тра 29 10:31:42 maxzubr-K53SC ipsec_starter[16402]: Attempting to start charon...
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.8.0-52-generic, x86_64)
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[KNL] unable to create IPv4 routing table rule
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[KNL] unable to create IPv6 routing table rule
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-e15702fb-0564-4118-bf00-b4fbb1010465.secrets'
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[CFG]   loaded IKE secret for %any
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[LIB] loaded plugins: charon des aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl 
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[LIB] dropped capabilities, running as uid 0, gid 0
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 00[JOB] spawning 16 worker threads
тра 29 10:31:42 maxzubr-K53SC ipsec_starter[16402]: charon (16620) started after 40 ms
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 09[CFG] received stroke: add connection 'e15702fb-0564-4118-bf00-b4fbb1010465'
тра 29 10:31:42 maxzubr-K53SC charon[16620]: 09[CFG] added configuration 'e15702fb-0564-4118-bf00-b4fbb1010465'

[dkosovic]

I wonder if you are able to establish an IPsec connection using the strongSwan command-line.

Assuming NetworkManager-l2tp run-time generated files as mentioned on the following page are still around :

• https://github.com/nm-l2tp/network-manager-l2tp#run-time-generated-files

issue the following:

sudo ipsec restart --conf /var/run/nm-l2tp-ipsec-e15702fb-0564-4118-bf00-b4fbb1010465.conf --debug
sudo ipsec up e15702fb-0564-4118-bf00-b4fbb1010465

You can double check the IPsec connection is up by issuing sudo ipsec status.

The above ipsec commands are the same as what Networkmanger-l2tp uses to establish an IPsec connection, but unlike Networkmanger-l2tp there is no 10 second timeout.

[zubrzubr]

I tried your commands and looks like ipsec can't be started:

maxzubr@maxzubr-K53SC:/run/log/journal$ sudo ipsec restart --conf /var/run/nm-l2tp-ipsec-e15702fb-0564-4118-bf00-b4fbb1010465.conf --debug
Stopping strongSwan IPsec...
Starting strongSwan 5.5.1 IPsec [starter]...
Loading config setup
Loading conn 'e15702fb-0564-4118-bf00-b4fbb1010465'
found netkey IPsec stack
maxzubr@maxzubr-K53SC:/run/log/journal$ sudo ipsec up e15702fb-0564-4118-bf00-b4fbb1010465
initiating Main Mode IKE_SA e15702fb-0564-4118-bf00-b4fbb1010465[1] to xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.15.68[500] to xxx[500] (236 bytes)
received packet: from xxx[500] to 192.168.15.68[500] (112 bytes)
parsed ID_PROT response 0 [ SA V V ]
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:08
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.15.68[500] to xxx[500] (244 bytes)
received packet: from xxx[500] to 192.168.15.68[500] (276 bytes)
parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received XAuth vendor ID
received DPD vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.15.68[4500] to xxx[4500] (68 bytes)
received packet: from xxx[4500] to 192.168.15.68[4500] (76 bytes)
queueing TRANSACTION request as tasks still active
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.15.68[4500] to xxx[4500] (68 bytes)
received packet: from xxx[4500] to 192.168.15.68[4500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
IKE_SA e15702fb-0564-4118-bf00-b4fbb1010465[1] established between 192.168.15.68[192.168.15.68]...xxx[xxx]
scheduling reauthentication in 10186s
maximum IKE_SA lifetime 10726s
parsed TRANSACTION request 1588459142 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 1588459142 [ HASH CP ]
sending packet: from 192.168.15.68[4500] to xxx[4500] (68 bytes)
generating QUICK_MODE request 67676794 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.15.68[4500] to xxx[4500] (220 bytes)
received packet: from xxx[4500] to 192.168.15.68[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 4145454248 [ HASH D ]
received DELETE for IKE_SA e15702fb-0564-4118-bf00-b4fbb1010465[1]
deleting IKE_SA e15702fb-0564-4118-bf00-b4fbb1010465[1] between 192.168.15.68[192.168.15.68]...xxx[46.140.117.206]
thread 6 received 11
 dumping 2 stack frame addresses:
  /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f81e97ef000 [0x7f81e9800390]
    -> ??:?
  /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f81e9426000 [0x7f81e97e9b78]
    -> ??:0
killing ourself, received critical signal
maxzubr@maxzubr-K53SC:/run/log/journal$ 

[dkosovic]

I'm at a bit of a loss as to what is going wrong, but think you might have more success contacting strongSwan support :

• https://www.strongswan.org/support.html

and provide nm-l2tp-ipsec-e15702fb-0564-4118-bf00-b4fbb1010465.conf or a variation or edited version of it.

The only other suggestion I have is to try Libreswan instead of strongSwan. But on Ubuntu, that would most likely mean building Libreswan from source code.

[dkosovic]

Actually I think I might know what the issue is, the following line:

parsed TRANSACTION request 1588459142 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]

Seems to indicate that the VPN server is expecting a Cisco VPN like XAUTH username and password for the IPsec connection.

This VPN plug-in only supports PSK for IPsec, and not PSK + XAUTH as it uses the L2TP part for the user authentication and IPsec just for the PSK .

Think you might have better luck with network-manager-libreswan which supports IPsec XAUTH, it doesn't use L2TP and is just an IPsec VPN IKEv1 client for Cisco VPN like servers.

But in any case, you should still able to use strongSwan from the command-line with an appropriate connection configuration. As mentioned previously, strongSwan support should be able to help with any configuration issues.