nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

IPsec Shared secrets collision with several L2TP over IPsec configurations #63

Closed frol closed 7 years ago

frol commented 7 years ago

I bumped into an issue when I added another L2TP over IPsec configuration into the Network Manager settings. Adding more configurations ends up having new nm-l2tp-*.secrets in the /etc/ipsec.d/ folder, and once I try to connect, libreswan just selects the first PSK since no "ID selection" is specified (: PSK "my-secret"), thus I was hitting "received 1 malformed payload notifies" after "STATE_MAIN_I3: sent MI3, expecting MR3" due to the fact that a wrong shared secret key was selected (it used the key from another configuration).

It seems that the solution would be to generate the secrets string with the gateway IP address before the colon (my.vpn.gateway.com : PSK "my-secret").

P.S. Is it possible to maintain more than one L2TP over IPsec connection at the same time? A naive attempt to do that resulted in "The 'l2tp' plugin only supports a single active connection." Is it something that is completely impossible?

dkosovic commented 7 years ago

The /etc/ipsec.d/nm-l2tp-*.secrets files are supposed to be deleted when a VPN connection is torn down, but weren't with version 1.2.6 of this VPN plug-in (they were only getting deleted when xl2tpd crashed, and that xl2tpd crash bug has now been fixed on most Linux distributions).

With version 1.2.8, the generated files now get deleted, except if you enable debugging mode as mentioned in the README.md file.

So I would recommend upgrading to 1.2.8 (or 1.0.8 in the 1.0.x series) if you haven't and issuing the following:

sudo rm -f /etc/ipsec.d/nm-l2tp-*.secrets

There is a 'Gateway ID' field in the IPsec config dialog box which is used as an ID selector, i.e. the value before the colon in the corresponding nm-l2tp-*.secrets file. It isn't possible to generate it, as it isn't always the gateway IP address; it is sometimes a NAT'ed IP address, and you may have to look in the logs to see what ID the server is providing.

As for your question regarding more than one L2TP/IPsec connection, with a bit of code modification, I think it would be possible with libreswan, but not with strongswan.

This VPN plugin starts strongswan with something like the following command-line:

ipsec start --conf /var/run/nm-l2tp-ipsec-UUID.conf --debug

There is no way to supply an ipsec config file which defines a connection after the ipsec service has started, so there is no way to add another connection.

With libreswan, it's pretty easy to add a new connection with something like the following command:

ipsec auto --config /var/run/nm-l2tp-ipsec-UUID.conf --add connection-name

I suspect xl2tpd will be able to handle multiple connections, but I haven't really looked into it.

Hope what I wrote makes sense.
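The collision described in this thread (several `nm-l2tp-*.secrets` files that each carry a `: PSK "..."` line with nothing before the colon, so the daemon has no ID to select on and the first matching key wins) can be checked for before connecting. The script below is an added example and is not code from the NetworkManager-l2tp project; the two sets of file contents are constructed inline, and the file names, hostnames and secrets in them are made up. The `select_psk` function is a deliberately simplified model of "exact ID match first, otherwise the first wildcard entry in read order"; it is an assumption for illustration and does not reproduce libreswan's or strongswan's real matching rules.

```python
"""Audit ipsec.secrets-style files for PSK entries that can collide.

Added example for this issue thread, not project code. Only entries whose
value is double-quoted (PSK, XAUTH) are understood; RSA/file references are
rejected so that nothing is silently skipped.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Format handled:  [id1 id2 ...] : KIND "value"    (ids optional)
SECRET_RE = re.compile(r'^(?P<ids>.*?)\s*:\s*(?P<kind>\w+)\s+"(?P<value>[^"]*)"\s*$')


class SecretEntry(NamedTuple):
    source: str        # file the entry came from (constructed names below)
    ids: tuple         # ID selectors before the colon; () means "matches any peer"
    kind: str          # PSK, XAUTH, ...
    secret: str


def _strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment without touching a '#' inside the quoted value."""
    if line.lstrip().startswith('#'):
        return ''
    hash_pos = line.find('#', line.rfind('"') + 1)
    return line[:hash_pos] if hash_pos != -1 else line


def parse_secrets(text: str, source: str = "<inline>") -> List[SecretEntry]:
    """Parse one secrets file; raise on any line that is not a quoted-value entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).strip()
        if not line or line.startswith('include'):
            continue
        m = SECRET_RE.match(line)
        if not m:
            raise ValueError(f"{source}:{lineno}: unrecognised secrets line: {raw!r}")
        entries.append(SecretEntry(source, tuple(m.group('ids').split()),
                                   m.group('kind'), m.group('value')))
    return entries


def load_all(files: Dict[str, str]) -> List[SecretEntry]:
    """Parse several files in sorted name order (assumed read order for this model)."""
    entries: List[SecretEntry] = []
    for name in sorted(files):
        entries.extend(parse_secrets(files[name], name))
    return entries


def find_collisions(entries: List[SecretEntry]) -> List[str]:
    """Report PSK entries that cannot be told apart by ID selector."""
    problems = []
    wildcards = [e for e in entries if e.kind == 'PSK' and not e.ids]
    if len(wildcards) > 1:
        problems.append("%d wildcard PSK entries (nothing before the colon) in: %s"
                        % (len(wildcards), ", ".join(e.source for e in wildcards)))
    seen: Dict[frozenset, SecretEntry] = {}
    for e in entries:
        if e.kind != 'PSK' or not e.ids:
            continue
        key = frozenset(e.ids)
        if key in seen and seen[key].secret != e.secret:
            problems.append("selector %s defined with different PSKs in %s and %s"
                            % (" ".join(e.ids), seen[key].source, e.source))
        seen.setdefault(key, e)
    return problems


def select_psk(entries: List[SecretEntry], peer_id: str) -> Optional[SecretEntry]:
    """Simplified model only: exact ID match wins, else the first wildcard entry."""
    for e in entries:
        if e.kind == 'PSK' and peer_id in e.ids:
            return e
    for e in entries:
        if e.kind == 'PSK' and not e.ids:
            return e
    return None


# Constructed contents of two generated secrets files with no Gateway ID set.
BROKEN_FILES = {
    "nm-l2tp-ipsec-aaaa.secrets": ': PSK "secret-for-vpn-a"\n',
    "nm-l2tp-ipsec-bbbb.secrets": ': PSK "secret-for-vpn-b"\n',
}
# The same two files once each profile carries its Gateway ID as selector.
FIXED_FILES = {
    "nm-l2tp-ipsec-aaaa.secrets": 'vpn-a.example.com : PSK "secret-for-vpn-a"\n',
    "nm-l2tp-ipsec-bbbb.secrets": 'vpn-b.example.com : PSK "secret-for-vpn-b"  # Gateway ID\n',
}

if __name__ == "__main__":
    for label, files in (("broken", BROKEN_FILES), ("fixed", FIXED_FILES)):
        entries = load_all(files)
        print(label, "problems:", find_collisions(entries) or "none")
        chosen = select_psk(entries, "vpn-b.example.com")
        print(label, "key chosen for vpn-b:", chosen.secret if chosen else None)
```

Running it shows the failure mode from the first post: with two wildcard entries the model hands `vpn-b.example.com` the key from the `aaaa` file, which is exactly the "wrong shared secret" situation that surfaces as a malformed payload notify on the wire; with the Gateway ID in place each peer gets its own key and an unknown peer gets none.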

frol commented 7 years ago

I am running Arch Linux, so I have had version 1.2.8 of the plugin installed since August 1st, but there seemed to be an old secrets file (unfortunately, I haven't checked when it was created, which would give a better understanding of the matter), or there is a corner case where the secrets file can be left behind (e.g. hard reset).

Thank you for your prompt and comprehensive response!