Closed dosentmatter closed 7 years ago
For IPsec IKEv2, L2TP is not required and as this is an L2TP VPN plugin with optional IPsec IKEv1 support, it doesn't make sense for it to support IKEv2.
If you want to use IPsec IKEv2, try using network-manager-strongswan instead.
But I'm not sure that what you are trying to connect to is IKEv2. Another thing to try is removing the phase 1 & phase 2 entries and installing libreswan (which will also uninstall strongswan) with the following:
sudo apt install libreswan
Assuming you are using the network-manager-l2tp-1.2.8 PPA package from:
as that PPA includes a backport of libreswan-3.19 from Ubuntu 17.04.
The Vendor ID of 40:4b:f4:39:52:2c:a3:f6 seems to indicate the VPN server is a SonicWall, which often has "payload type ID_V1 was not encrypted" when aggressive mode is used, and I'm not sure but it might be using XAuth. I would recommend trying network-manager-libreswan (which is one of the VPN plugins maintained by the GNOME Project), which supports Xauth authentication and aggressive mode. Unfortunately, as far as I know, there is no network-manager-libreswan package for Debian (and consequently derivatives like Mint and Ubuntu), but I did find the following bug report:
I'll also add that the IPsec servers that are using Xauth don't use L2TP, so there is no point in adding Xauth support to this VPN plugin.
Okay, well as you can tell, I don't really know what I'm talking about. I'm able to connect to the vpn on the following: Windows using Dell Sonicwall Global VPN Client and Mac using the System Preferences > Network and adding a new VPN. Actually, now that I check my Mac settings, I am using L2TP over IPsec and not IKEv2. So you are correct. While I was waiting for your answer, I was trying network-manager-strongswan. It says it only supports IKEv2, so that's actually not what I need. Even if it supports L2TP, I couldn't figure out how to get my pre shared key in there. https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
Yes, I am using that ppa.
You are correct that the VPN server is a SonicWall.
I'll try libreswan first. If that doesn't work, do you know if I can install network-manager-libreswan from here? https://download.gnome.org/sources/NetworkManager-libreswan/
or maybe I can just build it myself.
The only information I have is the following: 1) IP to vpn server 2) username 3) password 4) shared secret
Holy crap, libreswan works! I've been spending the whole day on this. Thank you so much!
Do you know what could be the difference between libreswan and strongswan that allowed libreswan to work? Is it the legacy ciphers? Would it have worked if I installed an older version of strongswan with legacy ciphers?
Also, would there be any difference if I used network-manager-l2tp vs network-manager-libreswan? network-manager-libreswan doesn't have l2tp right - just plain old IPsec?
Now that I check, the ppa does come with libreswan by default. I think I might have installed strongswan after I couldn't get it to work because I didn't have "Enable IPsec tunnel to L2TP host" checked. When googling, a bunch of people were talking about strongswan and filling out the ciphers so maybe I assumed that strongswan was default.
Actually, I reinstalled to check again and it installs strongswan by default. I used this guide: http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/ Oh, probably because I'm on Linux Mint 18 which is based on Ubuntu 16.04 (Trusty)
Glad to hear you got it working!
strongswan dropped the 3des-sha1-modp1024 cipher from the initial proposal a long time ago, maybe in the last decade (but I'm not sure what version); more recently, strongSwan 5.4.0 dropped aes128-sha1-modp2048 and 3des-sha1-modp1536. Setting phase 1 & 2 algorithms should have been enough to add the missing 3DES support back.
I've had a few situations where users switched from strongswan to libreswan (and fewer cases vice versa) and things started working.
I agree more or less with your last statement and, just elaborating, network-manager-libreswan uses XAuth and not L2TP (or more specifically PPP) for the user authentication. With XAuth, it's more of a Cisco IPsec extension rather than a Microsoft-compatible IPsec implementation. Although I saw XAuth mentioned in your log output, I didn't see XAUTH in the "ID_PROT request" lines, so I'm not sure if network-manager-libreswan would work.
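The proposal mismatch discussed in this thread, as an added example that is not part of the original comments or of either project's code: a simplified model of a responder accepting the first initiator proposal it also supports, plus a check that lists the legacy components of the agreed suite. Only 3des-sha1-modp1024 and 3des-sha1 come from the thread; the client default list is a constructed sample and not strongSwan's actual defaults, and the function names are hypothetical.

```python
from typing import NamedTuple, Optional

# Components of the suite the thread calls "legacy ciphers".
LEGACY = {"3des", "sha1", "modp1024"}

class Proposal(NamedTuple):
    encryption: str
    integrity: str
    dh_group: Optional[str]  # phase 2 strings such as "3des-sha1" omit the group

def parse_proposal(text: str) -> Proposal:
    """Parse an 'enc-integ[-dhgroup]' proposal string as written in the thread."""
    parts = text.strip().lower().split("-")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"unrecognised proposal: {text!r}")
    return Proposal(parts[0], parts[1], parts[2] if len(parts) == 3 else None)

def negotiate(initiator: list[str], responder: list[str]) -> Optional[Proposal]:
    """Return the first initiator proposal the responder accepts, else None."""
    accepted = {parse_proposal(p) for p in responder}
    for offer in map(parse_proposal, initiator):
        if offer in accepted:
            return offer
    return None  # no common suite: the exchange fails before authentication

def legacy_parts(proposal: Proposal) -> list[str]:
    """List the components of an agreed proposal that are in LEGACY."""
    return [part for part in proposal if part in LEGACY]

# Phase 1 suite the reporter says the VPN server uses (from the thread).
SERVER_PHASE1 = ["3des-sha1-modp1024"]
# Constructed sample of a client whose defaults no longer include 3DES.
CLIENT_DEFAULT = ["aes256-sha256-modp2048", "aes128-sha256-modp3072"]
# Same client with the phase 1 algorithm set explicitly, as the thread suggests.
CLIENT_OVERRIDE = ["3des-sha1-modp1024"] + CLIENT_DEFAULT

if __name__ == "__main__":
    for name, offers in (("default", CLIENT_DEFAULT), ("override", CLIENT_OVERRIDE)):
        agreed = negotiate(offers, SERVER_PHASE1)
        if agreed is None:
            print(f"{name}: no common proposal")
        else:
            print(f"{name}: agreed {agreed}, legacy parts: {legacy_parts(agreed)}")
```

A non-empty `legacy_parts` result on a working tunnel is the cue to revisit the connection once the server side moves to stronger suites.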
Thanks for the explanation! The admins are going to switch to better ciphers soon so maybe I'll have to switch to strongswan later. Gonna close this issue now.
The vpn server I am connecting to uses legacy ciphers: phase 1: 3des-sha1-modp1024 phase 2: 3des-sha1
However, I am still not able to connect. I think the vpn server uses IKEv2.
I have installed strongswan-plugin-openssl, network-manager-l2tp-gnome, network-manager-l2tp.
I am on linux mint (debian, ubuntu based). Thanks!
Here is my log with some information replaced: