nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Does this support IKEv2? #62

Closed dosentmatter closed 7 years ago

dosentmatter commented 7 years ago

The VPN server I am connecting to uses legacy ciphers: phase 1: 3des-sha1-modp1024, phase 2: 3des-sha1

However, I am still not able to connect. I think the vpn server uses IKEv2.

I have installed strongswan-plugin-openssl, network-manager-l2tp-gnome, network-manager-l2tp.

I am on Linux Mint (Debian/Ubuntu based). Thanks!

Here is my log with some information replaced:

kevinlau@kevin-lau-yoga ~ $ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[7229] <debug> nm-l2tp-service (version 1.2.8) starting...
nm-l2tp[7229] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[7229] <info>  ipsec enable flag: yes
** Message: Check port 1701
connection
    id : "VPN NAME" (s)
    uuid : "5dc2cb5a-eed0-4e57-bccd-eb399f4b5cd9" (s)
    interface-name : NULL (sd)
    type : "vpn" (s)
    permissions : ["user:kevinlau:"] (s)
    autoconnect : FALSE (s)
    autoconnect-priority : 0 (sd)
    timestamp : 0 (sd)
    read-only : FALSE (sd)
    zone : NULL (sd)
    master : NULL (sd)
    slave-type : NULL (sd)
    autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
    secondaries : [] (s)
    gateway-ping-timeout : 0 (sd)
    metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
    lldp : -1 (sd)

ipv6
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray*) 0x2431160) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray*) 0x2431180) (s)
    route-metric : -1 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd)
    addr-gen-mode : 1 (sd)

ipv4
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray*) 0x2431240) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray*) 0x2431260) (s)
    route-metric : -1 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    dhcp-client-id : NULL (sd)
    dhcp-fqdn : NULL (sd)

vpn
    service-type : "org.freedesktop.NetworkManager.l2tp" (s)
    user-name : "kevinlau" (s)
    persistent : FALSE (sd)
    data : ((GHashTable*) 0x2428860) (s)
    secrets : ((GHashTable*) 0x7f5dd00048c0) (s)
    timeout : 0 (sd)

nm-l2tp[7229] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.3.5 IPsec [starter]...
Loading config setup
Loading conn '5dc2cb5a-eed0-4e57-bccd-eb399f4b5cd9'
found netkey IPsec stack
nm-l2tp[7229] <info>  Spawned ipsec up script with PID 7307.
initiating Main Mode IKE_SA 5dc2cb5a-eed0-4e57-bccd-eb399f4b5cd9[1] to XX.XXX.XX.XXX
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.1.77[500] to XX.XXX.XX.XXX[500] (212 bytes)
received packet: from XX.XXX.XX.XXX[500] to 192.168.1.77[500] (112 bytes)
parsed ID_PROT response 0 [ SA V V ]
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.77[500] to XX.XXX.XX.XXX[500] (244 bytes)
received packet: from XX.XXX.XX.XXX[500] to 192.168.1.77[500] (276 bytes)
parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received XAuth vendor ID
received DPD vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.1.77[4500] to XX.XXX.XX.XXX[4500] (68 bytes)
received packet: from XX.XXX.XX.XXX[4500] to 192.168.1.77[4500] (76 bytes)
queueing TRANSACTION request as tasks still active
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.1.77[4500] to XX.XXX.XX.XXX[4500] (68 bytes)
received packet: from XX.XXX.XX.XXX[4500] to 192.168.1.77[4500] (92 bytes)
payload type ID_V1 was not encrypted
could not decrypt payloads
integrity check failed
generating INFORMATIONAL_V1 request 1468002580 [ HASH N(INVAL_HASH) ]
sending packet: from 192.168.1.77[4500] to XX.XXX.XX.XXX[4500] (68 bytes)
ID_PROT response with message ID 0 processing failed
nm-l2tp[7229] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[7229] <info>  Terminating ipsec script with PID 7307.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
establishing connection '5dc2cb5a-eed0-4e57-bccd-eb399f4b5cd9' failed
nm-l2tp[7229] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:7229): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

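
To make a strongSwan IKEv1 log like the one above easier to read, here is an added Python example (not part of nm-l2tp or strongSwan) that maps the bracketed payload lists of the ID_PROT messages onto the three Main Mode exchanges and collects the vendor IDs and failure lines; the sample log is constructed from the lines quoted in this comment.

```python
"""Summarise a strongSwan IKEv1 Main Mode (ID_PROT) negotiation from charon log lines."""
import re

# Constructed sample: the relevant lines from the log quoted in this issue.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA 5dc2cb5a-eed0-4e57-bccd-eb399f4b5cd9[1] to XX.XXX.XX.XXX
generating ID_PROT request 0 [ SA V V V V ]
parsed ID_PROT response 0 [ SA V V ]
received unknown vendor ID: 5b:36:2b:c8:20:f6:00:07
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
parsed ID_PROT response 0 [ KE NAT-D NAT-D No V V V ]
received unknown vendor ID: 40:4b:f4:39:52:2c:a3:f6
received XAuth vendor ID
received DPD vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
payload type ID_V1 was not encrypted
could not decrypt payloads
integrity check failed
ID_PROT response with message ID 0 processing failed
"""

# Main Mode is three request/response pairs; the first payload in the bracket
# list tells you which exchange a message belongs to.
EXCHANGES = {"SA": "1: SA/proposal", "KE": "2: key exchange (DH)", "ID": "3: identity/auth"}
FAILURE_MARKERS = ("was not encrypted", "could not decrypt", "integrity check failed", "processing failed")


def analyze(log):
    """Return a dict describing how far the IKEv1 negotiation got and what went wrong."""
    result = {"mode": None, "vendor_ids": [], "unknown_vendor_ids": [],
              "nat_t": False, "last_exchange": None, "errors": []}
    for line in log.splitlines():
        if "initiating Main Mode" in line:
            result["mode"] = "Main Mode (IKEv1)"
        elif "initiating Aggressive Mode" in line:
            result["mode"] = "Aggressive Mode (IKEv1)"
        if m := re.match(r"received (.+?) vendor ID$", line):      # vendor IDs strongSwan recognises
            result["vendor_ids"].append(m.group(1))
        if m := re.match(r"received unknown vendor ID: ([0-9a-f:]+)", line):
            result["unknown_vendor_ids"].append(m.group(1))
        if m := re.match(r"generating ID_PROT request \d+ \[ (\w+)", line):
            result["last_exchange"] = EXCHANGES.get(m.group(1), m.group(1))
        if "behind NAT" in line:                                   # NAT-T switched to UDP/4500
            result["nat_t"] = True
        if any(marker in line for marker in FAILURE_MARKERS):
            result["errors"].append(line)
    return result


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the quoted log the failure lands in exchange 3 (the first encrypted one), so the earlier proposal and DH exchanges had already been accepted by the server.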
dkosovic commented 7 years ago

For IPsec IKEv2, L2TP is not required and as this is a L2TP VPN plugin with optional IPsec IKEv1 support, it doesn't make sense for it to support IKEv2.

If you want to use IPsec IKEv2, try using network-manager-strongswan instead.

But I'm not sure that what you are trying to connect to is IKEv2. Another thing to try is removing the phase 1 & phase 2 entries and installing libreswan (which will also uninstall strongswan) with the following:

sudo apt install libreswan

Assuming you are using the network-manager-l2tp-1.2.8 PPA package from:

as that PPA includes a backport of libreswan-3.19 from Ubuntu 17.04.

The Vendor ID of 40:4b:f4:39:52:2c:a3:f6 seems to indicate the VPN server is a SonicWall, which often has "payload type ID_V1 was not encrypted" when aggressive mode is used, and I'm not sure but it might be using XAuth. I would recommend trying network-manager-libreswan (which is one of the VPN plugins maintained by the GNOME Project), which supports XAuth authentication and aggressive mode. Unfortunately, as far as I know, there is no network-manager-libreswan package for Debian (and consequently derivatives like Mint and Ubuntu), but I did find the following bug report:

I'll also add that the IPsec servers that are using XAuth don't use L2TP, so there is no point in adding XAuth support to this VPN plugin.

dosentmatter commented 7 years ago

Okay, well as you can tell, I don't really know what I'm talking about. I'm able to connect to the VPN on the following: Windows using Dell SonicWall Global VPN Client, and Mac using System Preferences > Network and adding a new VPN. Actually, now that I check my Mac settings, I am using L2TP over IPsec and not IKEv2. So you are correct. While I was waiting for your answer, I was trying network-manager-strongswan. It says it only supports IKEv2, so that's actually not what I need. Even if it supports L2TP, I couldn't figure out how to get my pre-shared key in there. https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager

Yes, I am using that PPA.

You are correct that the VPN server is a SonicWall.

I'll try libreswan first. If that doesn't work, do you know if I can install network-manager-libreswan from here? https://download.gnome.org/sources/NetworkManager-libreswan/

or maybe I can just build it myself.

The only information I have is the following: 1) IP of the VPN server, 2) username, 3) password, 4) shared secret

dosentmatter commented 7 years ago

holy crap, libreswan works! I've been spending the whole day on this. Thank you so much!

Do you know what could be the difference between libreswan and strongswan that allowed libreswan to work? Is it the legacy ciphers? Would it have worked if I installed an older version of strongswan with legacy ciphers?

Also, would there be any difference if I used network-manager-l2tp vs network-manager-libreswan? network-manager-libreswan doesn't have l2tp right - just plain old IPsec?

Now that I check, the PPA does come with libreswan by default. I think I might have installed strongswan after I couldn't get it to work because I didn't have "Enable IPsec tunnel to L2TP host" checked. When googling, a bunch of people were talking about strongswan and filling out the ciphers, so maybe I assumed that strongswan was the default.

Actually, I reinstalled to check again and it installs strongswan by default. I used this guide: http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/ Oh, probably because I'm on Linux Mint 18, which is based on Ubuntu 16.04 (Trusty).

dkosovic commented 7 years ago

Glad to hear you got it working!

strongSwan dropped the 3des-sha1-modp1024 cipher from the initial proposal a long time ago, maybe in the last decade (but I'm not sure what version); more recently strongSwan 5.4.0 dropped aes128-sha1-modp2048 and 3des-sha1-modp1536. Setting the phase 1 & 2 algorithms should have been enough to add the missing 3DES support back.

I've had a few situations where users switched from strongswan to libreswan (and fewer cases vice versa) and things started working.

I agree more or less with your last statement, and just to elaborate: network-manager-libreswan uses XAuth and not L2TP (or more specifically PPP) for the user authentication. With XAuth, it's more of a Cisco IPsec extension rather than a Microsoft-compatible IPsec implementation. Although I saw XAuth mentioned in your log output, I didn't see XAUTH in the "ID_PROT request" lines, so I'm not sure if network-manager-libreswan would work.

dosentmatter commented 7 years ago

Thanks for the explanation! The admins are going to switch to better ciphers soon so maybe I'll have to switch to strongswan later. Gonna close this issue now.