[strongSwan] Problem connecting to L2TP/IPSec VPN

Jonas Koperdraat jonas at jonaskoperdraat.nl
Mon Nov 5 17:22:22 CET 2018


So I've sat down with a colleague from support today, and found out that
the VPN server is configured to propose the following for phase 1 and phase
2:

IKE (Phase 1) proposal:
* CH Group: Group 2
* Encryption: 3DES
* Authentication: SHA1
* Life Time (seconds): 28800

Ipsec (Phase 2) proposal:
* Protocol: ESP
* Encryption: AES-128
* Authentication: SHA1
* Enable Perfect Forward Secrecy: no
* Life Time (seconds): 28800

Based on this, I figured I had to specify "3des-sha1-modp1024" as phase 1
algorithms and "aes128-sha1" as phase 2 algorithms, but so far I haven't had
any luck. Can anyone validate my assumption about the phase 1 and phase 2
algorithms values?

My next step will be to try and get more logging from StrongSwan, to see if
I can more precisely pinpoint the problem.

Kind regards,

Jonas Koperdraat






On Sat, 20 Oct 2018 at 07:00, Jonas Koperdraat <
jonas at jonaskoperdraat.nl> wrote:

> Thanks for the reply.
>
> I'll get in touch with support and see if I can find out the specifics of
> phase 2.
>
> Kind regards,
>
> Jonas
>
> On Thu, Oct 18, 2018, 18:40 Noel Kuntze
> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
>> Hi,
>>
>> It looks like something is off with your phase two configuration. It can
>> be anything in your phase two configuration that it doesn't like. You're
>> better off just asking the administrator of the other side what they expect.
>>
>> Kind regards
>>
>> Noel
>>
>> On 16.10.18 at 22:16, Jonas Koperdraat wrote:
>> > Hello there,
>> >
>> > I'm having trouble connecting to my company's VPN from my Linux laptop.
>> I have spent quite some time trying to figure out what might be causing
>> this problem, but frankly my knowledge on the subject is limited, so I'm
>> hoping someone here might be able to help me in the right direction. Any
>> help would be greatly appreciated!
>> >
>> > My company uses an L2TP VPN with an IPSec tunnel. Using the same
>> credentials as I'm using on my laptop, I am able to connect to the network
>> from my mobile phone running Android Oreo, without any problems, but from
>> my laptop I am unable to connect.
>> >
>> > I am running Ubuntu 18.04.1 LTS.
>> >
>> > jonas at Jonas-XPS13:~$ uname -a
>> > Linux Jonas-XPS13 4.15.0-1018-oem #21-Ubuntu SMP Tue Aug 28 14:12:47
>> UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>> >
>> > Following these instructions, I added the L2TP network manager to Gnome:
>> >
>> https://medium.com/@hkdb/ubuntu-16-04-connecting-to-l2tp-over-ipsec-via-network-manager-204b5d475721
>> >
>> > However, I wasn't able to connect. This stackoverflow question/answer
>> (among others) mentioned that I might have to specify phase 1 and phase 2
>> algorithms:
>> >
>> https://askubuntu.com/questions/904217/unable-to-connect-l2tp-ipsec-vpn-from-ubuntu-16-04
>> >
>> > I ran an ike-scan, from which I concluded that the VPN indeed uses old
>> algorithms, so I added 3des-sha1-modp1024! and 3des-sha1! as phase 1 and
>> phase 2 algorithms. For good measure I added the exclamation marks, as some
>> solutions mentioned that might be required.
>> >
>> > jonas at Jonas-XPS13:~$ sudo ike-scan -v office.********.nl
>> > DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
>> > Starting ike-scan 1.9.4 with 1 hosts (
>> http://www.nta-monitor.com/tools/ike-scan/)
>> > 87.213.34.174 Main Mode Handshake returned HDR=(CKY-R=254e5ebbbb17c30a)
>> SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds
>> LifeDuration=28800) VID=5b362bc820f60007 (SonicWall-7)
>> >
>> > Ending ike-scan 1.9.4: 1 hosts scanned in 0.060 seconds (16.70
>> hosts/sec).  1 returned handshake; 0 returned notify
>> >
>> > Unfortunately, even though that seemed to be the solution for the
>> majority of the problems I encountered online, I am still unable to
>> connect. Below are links to pastebins with relevant information:
>> >
>> > Logging of a connection attempt: https://pastebin.com/cEwMQjjC
>> > /etc/strongswan.conf: https://pastebin.com/LppKLiqw
>> > /etc/strongswan.d/charon.conf https://pastebin.com/9ecW0LXJ
>> >
>> > Kind regards and thanks in advance,
>> >
>> > Jonas
>> >
>> >
>> >
>> >
>>
>>
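Added example, not part of the thread and not strongSwan or ike-scan code: a small Python helper that turns the SA transform reported by ike-scan, and the gateway settings listed in the message, into strongSwan proposal strings. The sample line is constructed from the SA payload quoted above with a documentation address as host; the function names are hypothetical, and the `KeyLength` field for AES is an assumption about ike-scan's output format.

```python
import re

# IKEv1 DH group numbers and the strongSwan keyword for each.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
# Names as printed by the scanner / gateway UI -> strongSwan keywords.
ENC = {"3DES": "3des", "AES": "aes"}
INTEG = {"SHA1": "sha1", "MD5": "md5"}

def parse_sa(line):
    """Return the key=value fields inside SA=(...) of an ike-scan result line."""
    m = re.search(r"SA=\(([^)]*)\)", line)
    if not m:
        raise ValueError("no SA=(...) transform in line")
    return dict(field.split("=", 1) for field in m.group(1).split())

def proposal(enc, integ, dh_group=None, keylen=None, strict=False):
    """Build a proposal string such as 3des-sha1-modp1024.

    dh_group=None leaves the DH group out, which for phase 2 means no PFS.
    strict=True appends the '!' used in the thread.
    """
    cipher = ENC[enc.upper()]
    if cipher == "aes":
        if keylen is None:
            raise ValueError("AES needs an explicit key length")
        cipher += str(int(keylen))
    parts = [cipher, INTEG[integ.upper()]]
    if dh_group is not None:
        parts.append(DH_GROUPS[int(dh_group)])
    return "-".join(parts) + ("!" if strict else "")

def ike_from_scan(line, strict=False):
    """Phase 1 proposal string derived from one ike-scan handshake line."""
    sa = parse_sa(line)
    group_number = sa["Group"].split(":")[0]   # "2:modp1024" -> "2"
    return proposal(sa["Enc"], sa["Hash"], group_number,
                    sa.get("KeyLength"), strict)

# Constructed sample: SA payload as quoted in the thread, host replaced.
SAMPLE = ("192.0.2.10\tMain Mode Handshake returned SA=(Enc=3DES Hash=SHA1 "
          "Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)")

if __name__ == "__main__":
    print("phase 1:", ike_from_scan(SAMPLE))
    # Phase 2 from the gateway settings: ESP, AES-128, SHA1, PFS disabled.
    print("phase 2:", proposal("AES", "SHA1", keylen=128))
```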