Closed rdbisme closed 6 years ago
The syntax for phase 1 is : cipher-hash-modpgroup,cipher-hash-modpgroup,...
The syntax for phase 2 is : cipher-hash,cipher-hash,...
So I would try a phase 2 that doesn't have modpgroup, e.g. :
phase 1 : aes256-sha1-modp2048,aes256-sha1-modp1024,aes192-sha1-modp2048,aes192-sha1-modp1024
phase 2 : aes256-sha1, aes192-sha1
Note: the ike-scan.sh is only for phase 1, but fortunately phase 2 is often based on the algorithms used in phase 1. Unfortunately some VPN servers have phase 2 configurations that are totally different to phase 1, but I have only seen that in a small number of cases.
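A small validator for the phase 1 / phase 2 proposal strings described above, added here as an illustration and not code from the NetworkManager-l2tp project. It assumes that DH groups are written as modpNNNN, that whitespace around commas can be stripped, and it derives a phase 2 list from a phase 1 list the way the note above suggests; the WEAK set is a reviewer's checklist, not something the tool enforces.

```python
import re

# Components that current guidance treats as deprecated (assumption for this
# illustration; the page itself only shows the syntax, not a policy).
WEAK = {"md5", "sha1", "des", "3des", "modp768", "modp1024"}

_MODP = re.compile(r"^modp\d+$")  # assumed group syntax, e.g. modp2048


def parse_proposals(value, phase):
    """Split a comma-separated list into tuples and check each entry's shape:
    phase 1 = cipher-hash-modpgroup, phase 2 = cipher-hash."""
    if phase not in (1, 2):
        raise ValueError("phase must be 1 or 2")
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty proposal entry in %r" % value)
        parts = item.split("-")
        if phase == 1 and (len(parts) != 3 or not _MODP.match(parts[2])):
            raise ValueError("phase 1 entry %r must be cipher-hash-modpgroup" % item)
        if phase == 2 and len(parts) != 2:
            if len(parts) == 3 and _MODP.match(parts[2]):
                raise ValueError("phase 2 entry %r must not carry a modpgroup" % item)
            raise ValueError("phase 2 entry %r must be cipher-hash" % item)
        entries.append(tuple(parts))
    return entries


def weak_components(entries):
    """Return every component of the parsed proposals that appears in WEAK."""
    return {part for entry in entries for part in entry if part in WEAK}


def derive_phase2(phase1_value):
    """Build a phase 2 list from a phase 1 list by dropping the modpgroup,
    keeping the original order and removing duplicate cipher-hash pairs."""
    seen = []
    for cipher, hash_, _group in parse_proposals(phase1_value, 1):
        pair = "%s-%s" % (cipher, hash_)
        if pair not in seen:
            seen.append(pair)
    return ",".join(seen)


if __name__ == "__main__":
    p1 = "aes256-sha1-modp2048,aes256-sha1-modp1024,aes192-sha1-modp2048,aes192-sha1-modp1024"
    print(derive_phase2(p1))                                    # aes256-sha1,aes192-sha1
    print(sorted(weak_components(parse_proposals(p1, 1))))     # ['modp1024', 'sha1']
```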
Thanks for your fast response.
I tried as you suggest but still getting exactly the same output. :(
How do I debug further? Because the only strange entries I see are:
nm-l2tp[26182] <warn> Timeout trying to establish IPsec connection
and
Feb 03 14:54:47 iridium charon[26512]: 03[KNL] received netlink error: Invalid argument (22)
Feb 03 14:54:47 iridium charon[26512]: 03[KNL] unable to install source route for %any6
That %any6 looks wrong...
There is a 10 second timeout for establishing an IPsec connection, and then a kill SIGINT signal is sent to strongswan to stop it; that is the warning message you are seeing.
I'm not sure about the kernel messages, earlier versions of kernel 4.14 broke IPsec transport mode in the xfrm kernel module. It could possibly be a new kernel bug, I haven't tried kernel-4.14.15.
You could try using libreswan instead of strongswan, sometimes switching solves interoperability issues with VPN servers.
You could use libreswan or strongswan on the command-line with the generated ipsec config file for further debugging. The below ipsec commands are identical to what this VPN client uses (except it doesn't use the sleep 2 command, but a for loop to determine when it is ready).
first make sure nm-l2tp-service isn't running :
sudo killall -TERM nm-l2tp-service
for strongswan:
sudo ipsec restart --conf /var/run/nm-l2tp-ipsec-95118aae-acad-4101-b472-8d4c2d89528c.conf --debug
sleep 2
sudo ipsec up 95118aae-acad-4101-b472-8d4c2d89528c
sudo ipsec status
For libreswan:
sudo ipsec restart
sleep 2
sudo ipsec auto --config /var/run/nm-l2tp-ipsec-95118aae-acad-4101-b472-8d4c2d89528c.conf --verbose --add 95118aae-acad-4101-b472-8d4c2d89528c
sudo ipsec auto --up 95118aae-acad-4101-b472-8d4c2d89528c
sudo ipsec status
See the libreswan or strongswan documentation for debugging verbosity and ipsec.conf syntax.
nm-l2tp-service will need to be restarted if you switch between libreswan and strongswan so that a compatible ipsec config file is generated under /var/run/.
@dkosovic I did not succeed to make it work. I'm not able to connect to a VPN that is working on Windows 10.
I'll search better to understand what's going on.
From the log output IPv6 is definitely involved somehow (e.g. uninstalling bypass policy for fe80::/64, unable to install source route for %any6), so I suspect the issue is something to do with IPv6. I'm not able to reproduce the log output as I don't have IPv6.
With the latest update I did today (I updated also Archlinux system packages), the VPN is now working (without any modification).
Still don't know if it's working because of an update of system packages or because of the 1.2.10-1 update of the AUR package.
Glad to hear it is now working.
NetworkManager-1.2.10 only had two minor bug fixes: one was a workaround for libreswan when the PSK is < 8 characters in length, and the other correctly shows UDP encapsulation as ticked (if it was originally ticked) on subsequent times the IPSec Options dialog box is reopened.
So I suspect it was due to updates other than NetworkManager-1.2.10.
I then manually configured the algorithms for phase 1 and 2 as follows:
This is the debug log:
This is the journal -b output:
System
uname -a
Linux iridium 4.14.15-1-ARCH #1 SMP PREEMPT Tue Jan 23 21:49:25 UTC 2018 x86_64 GNU/Linux
What am I missing here? Thanks in advance for the help.