L2TP VPN is not working on newly installed Ubuntu 20.04 and 20.10. Credentials are correct and the same ones work with Ubuntu 18.04
Trying to connect a computer to a VPN server configured this way:
Router# show isakmp policy
ISAKMP policy: L2TP_VPN
IKD_ID: 8
negotiation mode: main
proposal: 1
encryption: aes256
authentication: sha256
proposal: 2
encryption: aes256
authentication: sha512
SA lifetime: 86400
key group: group20
NAT traversal: yes
dead peer detection: yes
my address: wan1
type: interface
secure gateway address: 1
address: 0.0.0.0
secure gateway address: 2
address: 0.0.0.0
fall back: deactivate
fall back check interval: 300
authentication method: pre-share
pre-shared key: PRESHAREDKEYHERE
certificate: default
local ID: 0.0.0.0
type: ip
peer ID:
type: any
user ID:
type:
X-Auth: no
type: server
method: default
allowed user: Utilisateurs_VPN
username:
password:
EAP-Auth: no
type:
aaa method:
allowed user:
allowed auth method: mschapv2
username:
auth method: mschapv2
password:
vcp reference count: 0
IKE_version: IKEv1
active: yes
The phase 2 part:
Router> show crypto map VPN_CONNECTION1
cryptography mapping: VPN_CONNECTION1
VPN gateway: L2TP_VPN
Gateway IP Version: IPv4
encapsulation: transport
active protocol: esp
transform set: 1
encryption: aes256
authentication: sha512
transform set: 2
encryption: aes256
authentication: sha256
SA lifetime: 28800
PFS: group15
nail up: no
scenario: remote-access-server
l2tp: yes
local policy: L2TP_VPN_LOCAL
remote policy: any
protocol type: any
configuration provide:
mode config: no
configuration payload: no
address pool:
first dns:
second dns:
first wins:
second wins:
policy enforcement: no
replay detection: no
narrowed: yes
adjust mss: yes
mss value: 0
stop rekeying: no
NetBIOS broadcast over IPSec: no
outbound SNAT: no
source:
destination:
target:
inbound SNAT: no
source:
destination:
target:
inbound DNAT: no
vcp reference count: 0
active: yes
VTI:
VPN ID: 2
connected: no
connectivity check: no
check method: none
IP address: none
period: none
timeout: none
fail tolerance: none
port: none
log: no
rule type: 4in4
L2TP part:
Router# show l2tp-over-ipsec ;
L2TP over IPSec:
activate : yes
crypto : VPN_CONNECTION1
address pool : L2TP_VPN_IP_ADDRESS_POOL
authentication : default
certificate : default
user : Utilisateurs_VPN
keepalive timer : 60
first dns server :
second dns server :
first wins server :
second wins server:
This is how ike-scan sees the server:
Zulgrib@computer:~$ sudo ./ike-scan.sh GATEWAYIP | grep SA=
SA=(Enc=AES Hash=SHA2-512 Auth=PSK Group=21 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)
I configured the client using NetworkManager.
[connection]
id=MyVpnName
uuid=3a6d0094-ff3e-49a2-95a3-54303542b2da
type=vpn
autoconnect=false
permissions=user:Zulgrib:;
timestamp=1605784830
[vpn]
gateway=GATEWAYIP
ipsec-enabled=yes
ipsec-esp=aes256-sha256-ecp384
ipsec-ike=aes256-sha256-ecp384
ipsec-psk=PRESHAREDKEY
password-flags=1
user=testvpn
service-type=org.freedesktop.NetworkManager.l2tp
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto
But on the router side, the logs claim the VPN client tried to use AES128 and modp3072 instead.
Recv:[SA][VID][VID][VID][VID][VID]
Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256 PRF, HMAC-SHA256-128, 384 bit ECP, AES CBC key len = 128, 3072 bit MODP; ).
The cookie pair is : 0xhexhexhex / 0xhexhexhex [count=2]
Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]
Recv:[NOTIFY:INVALID_KEY_INFORMATION]
Client side, there is an error while negotiating too:
nov. 19 17:28:16 computer NetworkManager[1337]: initiating Main Mode IKE_SA 3a6d0094-ff3e-49a2-95a3-54303542b2da[1] to GATEWAYIP
nov. 19 17:28:16 computer NetworkManager[1337]: generating ID_PROT request 0 [ SA V V V V V ]
nov. 19 17:28:16 computer NetworkManager[1337]: sending packet: from 192.168.170.52[500] to GATEWAYIP[500] (216 bytes)
nov. 19 17:28:16 computer NetworkManager[1337]: received packet: from GATEWAYIP[500] to 192.168.170.52[500] (410 bytes)
nov. 19 17:28:16 computer NetworkManager[1337]: parsed ID_PROT response 0 [ SA V V V V V V V V V V V ]
nov. 19 17:28:16 computer NetworkManager[1337]: received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
nov. 19 17:28:16 computer NetworkManager[1337]: received draft-ietf-ipsec-nat-t-ike-02 vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received draft-ietf-ipsec-nat-t-ike-03 vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received NAT-T (RFC 3947) vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received XAuth vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received DPD vendor ID
nov. 19 17:28:16 computer NetworkManager[1337]: received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
nov. 19 17:28:16 computer NetworkManager[1337]: received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:32:00
nov. 19 17:28:16 computer NetworkManager[1337]: received unknown vendor ID: ac:40:f8:c4:38:99:27:c6:e8:ac:24:53:1b:b7:8b:2b:27:fc:b5:21:73:53:c1:94:4a:02:92:52:ac:c9:ab:03:8e:fa:5c:a1:d1:c6:24:15:c3:df:8e:e1:58:61:fa:ea:48:80:9d:c2:a6:c4:b
nov. 19 17:28:16 computer NetworkManager[1337]: received unknown vendor ID: b6:c9:8c:ca:29:0a:eb:be:37:f1:9f:31:12:d2:d7:cb
nov. 19 17:28:16 computer NetworkManager[1337]: negotiated DH group not supported
nov. 19 17:28:16 computer NetworkManager[1337]: generating INFORMATIONAL_V1 request 1203248937 [ N(INVAL_KE) ]
nov. 19 17:28:16 computer NetworkManager[1337]: sending packet: from 192.168.170.52[500] to GATEWAYIP[500] (56 bytes)
nov. 19 17:28:16 computer NetworkManager[1337]: establishing connection '3a6d0094-ff3e-49a2-95a3-54303542b2da' failed
nov. 19 17:28:16 computer charon[30591]: 12[IKE] negotiated DH group not supported
nov. 19 17:28:16 computer charon[30591]: 12[ENC] generating INFORMATIONAL_V1 request 1203248937 [ N(INVAL_KE) ]
nov. 19 17:28:16 computer charon[30591]: 12[NET] sending packet: from 192.168.170.52[500] to GATEWAYIP[500] (56 bytes)
nov. 19 17:28:16 computer NetworkManager[1337]: Stopping strongSwan IPsec...
How do I configure NetworkManager to use ecp384 (DH20) and not modp3072 (DH15), plus AES256 in all phases?
The router side configuration cannot be changed, because it is currently the strongest configuration that is (supposedly) supported by both strongSwan (used by NetworkManager) and the Windows 10 IPsec client.
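As an added cross-check (example code, not part of the original post and not NetworkManager-l2tp's own code): it maps the router's phase 1 "key group" and phase 2 "PFS" lines to strongSwan keywords through the IANA IKE group numbers and compares them with the ipsec-ike / ipsec-esp values of the keyfile, so a DH group mismatch in either phase is spotted before the gateway answers INVALID_KEY_INFORMATION. The inputs are constructed from the values shown in the question and assume the dump line formats seen above.

```python
import re

# IANA IKE Diffie-Hellman group number -> strongSwan keyword.
DH_GROUPS = {
    1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
    15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192",
    19: "ecp256", 20: "ecp384", 21: "ecp521",
}

def router_groups(isakmp_policy: str, crypto_map: str) -> dict:
    """Return {'ike': keyword, 'esp': keyword} from the router dumps.
    'key group: groupN' is the phase 1 DH group, 'PFS: groupN' the phase 2 one
    (None for phase 2 means the router does not use PFS)."""
    p1 = re.search(r"key group:\s*group(\d+)", isakmp_policy)
    p2 = re.search(r"PFS:\s*group(\d+)", crypto_map)
    return {
        "ike": DH_GROUPS[int(p1.group(1))] if p1 else None,
        "esp": DH_GROUPS[int(p2.group(1))] if p2 else None,
    }

def client_groups(keyfile: str) -> dict:
    """Return the DH group keyword from the ipsec-ike / ipsec-esp values of a
    NetworkManager keyfile (first proposal only; the last '-' token of
    aes256-sha256-ecp384 is the group, an ESP value without one means no PFS)."""
    out = {}
    for key, name in (("ipsec-ike", "ike"), ("ipsec-esp", "esp")):
        m = re.search(rf"^{key}=(\S+)", keyfile, re.M)
        tok = m.group(1).split(",")[0].split("-")[-1] if m else ""
        out[name] = tok if tok.startswith(("modp", "ecp")) else None
    return out

def dh_mismatches(router: dict, client: dict) -> list:
    """List (phase, client_group, router_group) for every phase that differs."""
    return [(phase, client[phase], router[phase])
            for phase in ("ike", "esp") if router[phase] != client[phase]]

# Constructed inputs, trimmed to the relevant lines of the question's dumps.
ISAKMP = "proposal: 1\nencryption: aes256\nauthentication: sha256\nkey group: group20\n"
CRYPTOMAP = "transform set: 1\nencryption: aes256\nauthentication: sha512\nPFS: group15\n"
KEYFILE = "[vpn]\nipsec-enabled=yes\nipsec-esp=aes256-sha256-ecp384\nipsec-ike=aes256-sha256-ecp384\n"

if __name__ == "__main__":
    for phase, have, want in dh_mismatches(router_groups(ISAKMP, CRYPTOMAP), client_groups(KEYFILE)):
        print(f"{phase}: client offers {have}, gateway is configured for {want}")
```

With the question's values the phase 1 groups agree (group20 is ecp384) while the phase 2 PFS line (group15) corresponds to modp3072, which is what the checker reports.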
I am trying to set up an IPsec/L2TP client VPN configuration on Ubuntu 18.04 using strongSwan and xl2tpd. I have no control over the server side configuration.
UPDATE & Partial Resolution
The "lock" option in the options.l2tpd.client file was producing the error. This was eventually found in syslog after shutting down other strongSwan VPN connections that were swamping the log file.
Now the pppX interface is available and shows the correct internal VPN IP address, but the IPsec configuration is still incorrect and won't connect.
Syslog IPsec connection:
Nov 19 16:38:08 aeesgroup_r710 ipsec[8348]: 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Nov 19 16:38:08 aeesgroup_r710 ipsec[8348]: 14[NET] sending packet: from 192.168.15.120[500] to 103.195.52.179[500] (1224 bytes)
Nov 19 16:38:08 aeesgroup_r710 ipsec[8348]: 13[IKE] retransmit 1 of request with message ID 0
Nov 19 16:38:08 aeesgroup_r710 ipsec[8348]: 13[NET] sending packet: from 192.168.15.120[500] to 103.195.52.179[500] (1224 bytes)
Nov 19 16:38:08 aeesgroup_r710 ipsec[8348]: 10[IKE] retransmit 2 of request with message ID 0
Nov 19 16:38:08 aeesgroup_r710 ipsec[8348]: 10[NET] sending packet: from 192.168.15.120[500] to 103.195.52.179[500] (1224 bytes)
Nov 19 16:38:08 aeesgroup_r710 ipsec[8348]: 06[IKE] retransmit 3 of request with message ID 0
Nov 19 16:38:19 aeesgroup_r710 kernel: [10293.239767] [UFW BLOCK] IN=eno1 OUT= MAC=01:00:5e:00:00:01:00:10:75:58:fa:79:08:00 SRC=192.168.15.3 DST=224.0.0.1 LEN=144 TOS=0x00 PREC=0x00 TTL=1 ID=49135 DF PROTO=UDP SPT=58157 DPT=4448 LEN=124
Nov 19 16:38:20 aeesgroup_r710 pppd[8954]: sent [LCP EchoReq id=0x1a magic=0x47da512a]
Nov 19 16:38:20 aeesgroup_r710 pppd[8954]: rcvd [LCP EchoReq id=0x17 magic=0x8652e960]
Nov 19 16:38:20 aeesgroup_r710 pppd[8954]: sent [LCP EchoRep id=0x17 magic=0x47da512a]
Nov 19 16:38:20 aeesgroup_r710 pppd[8954]: rcvd [LCP EchoRep id=0x1a magic=0x8652e960]
Nov 19 16:38:31 aeesgroup_r710 charon: 12[IKE] retransmit 4 of request with message ID 0
Nov 19 16:38:31 aeesgroup_r710 charon: 12[NET] sending packet: from 192.168.15.120[500] to 103.195.52.179[500] (1224 bytes)
Nov 19 16:38:50 aeesgroup_r710 pppd[8954]: sent [LCP EchoReq id=0x1b magic=0x47da512a]
Nov 19 16:38:50 aeesgroup_r710 pppd[8954]: rcvd [LCP EchoReq id=0x18 magic=0x8652e960]
Nov 19 16:38:50 aeesgroup_r710 pppd[8954]: sent [LCP EchoRep id=0x18 magic=0x47da512a]
Nov 19 16:38:50 aeesgroup_r710 pppd[8954]: rcvd [LCP EchoRep id=0x1b magic=0x8652e960]
Nov 19 16:39:13 aeesgroup_r710 charon: 08[IKE] retransmit 5 of request with message ID 0
Nov 19 16:39:13 aeesgroup_r710 charon: 08[NET] sending packet: from 192.168.15.120[500] to 103.195.52.179[500] (1224 bytes)
ORIGINAL ISSUE
Currently I seem to run into the issue that using command
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
does not create a pppX interface. When running the command as root there is no warning or error message displayed, and I can't seem to find any recorded issues in syslog. I have tried multiple restarts and reinstalls of xl2tpd. This was the original tutorial I followed, but I made a number of changes to support the server configuration and the later strongSwan version: https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup
Could someone advise where the ppp debug logs for xl2tpd reside and what may be causing the issue of no pppX interface being created? NetworkManager is installed on this machine; I'm not sure if this is relevant. All setup has been done in the CLI and there are no configurations in the NetworkManager GUI.
Below are the configuration files for strongSwan and xl2tpd.
strongSwan ipsec.conf:
conn myvpn
authby=secret
ike=aes256-sha1-modp1024
esp=3des-sha1
auto=add
keyingtries=%forever
dpddelay=30
dpdaction=clear
rekey=yes
ikelifetime=8h
keylife=1h
type=transport
left=192.168.15.120
#leftprotoport=17/1701
right=103.195.52.179
#rightprotoport=17/1701
keyexchange=ikev2
leftid=%any
leftsubnet = 172.20.10.0/24
ipsec.secrets: standard leftid/rightid : PSK
xl2tpd.conf:
[lac myvpn]
lns = 103.195.52.179
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
options.l2tpd.client file:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name $USERNAME
password $PASSWORD
I'm trying to create an L2TP/IPsec VPN server on 20.04 that uses LDAP for user authentication.
I'm assuming strongSwan does this.
Where, in strongSwan or other configs, would I add the LDAP server info?
Or does it just use SSSD or PAM or something else, and you just point strongSwan to that?
I'm specifically looking for LDAP, not RADIUS. I know RADIUS is possible.
Any help would be appreciated. I realize there are a few questions close to this one, but all their answers require a GUI. This is a cloud server, so no GUI. Thanks!
After upgrading from Ubuntu 19.04 to Ubuntu 19.10, my VPN connection doesn't work anymore.
My settings:
phase1: 3des-sha1;modp1024
phase2: 3des-sha1
This worked fine so far.
I checked the packages installed:
network-manager-l2tp 1.2.10-1
network-manager-l2tp-gnome 1.2.10-1
xl2tpd 1.3.12-1.1
libreswan 3.29-2
What can I do?