Home / user-364786

Denis Sheremet's questions

Martin Hope
Denis Sheremet
Asked: 2020-06-19 06:51:02 +0800 CST
  • 1

I'm trying to connect to cisco l2tp/ipsec vpn with PSK and IKEv1 username/password.

According to this article, I've found that server supports following authentification methods:

SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

I'm using networkmanager-l2tp package. Tried both openswan and libreswan (manually built with USE_DH2=true as described in this patchnote).

My .nmconnection file looks like this:

[connection]
id=etis
uuid=70147d0a-5d7f-467a-80ee-9048601960e1
type=vpn
permissions=user:***:;

[vpn]
gateway=vpn.psu.ru
ipsec-enabled=yes
ipsec-esp=aes128-sha1,3des-md5
ipsec-ike=aes128-sha1-modp1024,3des-sha1-modp1024
ipsec-psk=***
password-flags=1
user=***
service-type=org.freedesktop.NetworkManager.l2tp

When I'm trying to connect I'm getting the following log:

log using strongswan

log using libreswan with USE_DH2=true

From what I see, it seems like both ways ipsec connection is being established successfully, but then this happens:

xl2tpd[106869]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[106869]: Connecting to host 212.192.80.206, port 1701
xl2tpd[106869]: death_handler: Fatal signal 15 received

Strongswan log also has this suspicious message in between of the above:

charon[78694]: 01[NET] received packet: from 212.192.80.206[4500] to 192.168.5.28[4500] (164 bytes)
charon[78694]: 01[IKE] received retransmit of response with ID 1610789051, but next request already sent

At this point I've depleted my google skills. If anybody could tell me where to go next or at least tell me if this problem is connected with ipsec or l2tp part of the equation, I would greately appreciate that.

ipsec l2tp linux-networking strongswan xl2tpd
Martin Hope
Denis Sheremet
Asked: 2019-07-16 23:24:08 +0800 CST
  • 1

I've got a Zyxel Keenetic Giga II router (firmware version 2.15). I'm connecting to the Internet through L2TP (L2TP0) over LTE (UsbLte0). LTE interface has no IPv6 address attached, so my goal is to obtain IPv6 address over L2TP. Here are the relevant parts of my config:

(config)> show running-config 
! $$$ Model: ZyXEL Keenetic Giga II
! $$$ Version: 2.06.1
! $$$ Agent: http/rci
! $$$ Last change: Tue, 16 Jul 2019 06:32:07 GMT
! $$$ Md5 checksum: 446f15b38e231ae9075d9db684ae20bd
system
    ...
    set net.ipv6.conf.all.forwarding 1
    set net.ipv6.conf.all.accept_ra 1
!
...
interface UsbLte0
    description "USB LTE"
    usb device-id 12d1 1506
    usb apn internet
    security-level public
    ip address dhcp
    ip dhcp client dns-routes
    ip dhcp client name-servers
    ip global 16908
    up
!
interface Bridge0
    rename Home
    description "Home network"
    inherit GigabitEthernet0/Vlan1
    include AccessPoint
    mac access-list type none
    security-level private
    ip address 192.168.5.1 255.255.255.0
    ip dhcp client dns-routes
    ip dhcp client name-servers
    ipv6 address auto
    up
!
interface L2TP0
    description <hdden>
    role misc
    peer <hidden>
    ipv6cp
    lcp echo 30 3
    ipcp default-route
    ipcp name-servers
    ipcp dns-routes
    no ccp
    security-level public
    authentication identity <hidden>
    authentication password <hidden>
    authentication chap
    ip dhcp client dns-routes
    ip dhcp client name-servers
    ip mtu 1400
    ip global 49325
    ip tcp adjust-mss pmtu
    ipv6 address auto
    ipv6 prefix auto
    ipv6 name-servers auto
    ipv6 force-default
    connect via UsbLte0
    up
    bandwidth-limit 3621
!
...
ipv6 subnet HomeV6
    bind Home
    number 3
    mode slaac
!
ipv6 local-prefix default
ipv6 name-server 2001:4860:4860::8888 ""
ipv6 name-server 2001:4860:4860::8844 ""
ipv6 firewall
...

So far I've got a working IPv6 connection on router itself (I can connect to it via SSH, and there I can execute ping -6 google.com), but it does not work on any of the hosts connected to it.

There's some information about connection from the host:

 ❯ ip -6 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fdb6:e163:9f30:3:e2a6:5615:57de:66a5/64 scope global dynamic noprefixroute 
       valid_lft 4294966395sec preferred_lft 4294966395sec
    inet6 fe80::f23f:9eee:2abf:3cdd/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
 ❯ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
fdb6:e163:9f30:3::/64 dev enp5s0 proto ra metric 100 pref medium
fdb6:e163:9f30::/48 via fe80::ee43:f6ff:fe08:9400 dev enp5s0 proto ra metric 100 pref medium
fe80::/64 dev enp5s0 proto kernel metric 100 pref medium

I've tried typing ip -6 route add default dev enp5s0 manually, does not help. I've also tried to install radvd on router and advertise IPv6 using it, still nothing. What else am I missing?

routing