[strongSwan] Problem connecting to L2TP/IPSec VPN

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Oct 18 18:39:55 CEST 2018


Hi,

It looks like something is off with your phase two configuration. It can be anything in your phase two configuration that it doesn't like. You're better off just asking the administrator of the other side what they expect.

Kind regards

Noel

On 16.10.18 at 22:16, Jonas Koperdraat wrote:
> Hello there,
>
> I'm having trouble connecting to my company's VPN from my Linux laptop. I have spent quite some time trying to figure out what might be causing this problem, but frankly my knowledge on the subject is limited, so I'm hoping someone here might be able to help me in the right direction. Any help would be greatly appreciated!
>
> My company uses an L2TP VPN with an IPSec tunnel. Using the same credentials as I'm using on my laptop, I am able to connect to the network from my mobile phone running Android Oreo, without any problems, but from my laptop I am unable to connect.
>
> I am running Ubuntu 18.04.1 LTS.
>
> jonas@Jonas-XPS13:~$ uname -a
> Linux Jonas-XPS13 4.15.0-1018-oem #21-Ubuntu SMP Tue Aug 28 14:12:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>
> Following these instructions, I added the L2TP network manager to Gnome:
> https://medium.com/@hkdb/ubuntu-16-04-connecting-to-l2tp-over-ipsec-via-network-manager-204b5d475721
>
> However, I wasn't able to connect. This stackoverflow question/answer (among others) mentioned that I might have to specify phase 1 and phase 2 algorithms:
> https://askubuntu.com/questions/904217/unable-to-connect-l2tp-ipsec-vpn-from-ubuntu-16-04
>
> I ran an ike-scan, from which I concluded that the VPN indeed uses old algorithms, so I added 3des-sha1-modp1024! and 3des-sha1! as phase 1 and phase 2 algorithms. For good measure I added the exclamation marks, as some solutions mentioned that might be required.
>
> jonas@Jonas-XPS13:~$ sudo ike-scan -v office.********.nl
> DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
> Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
> 87.213.34.174 Main Mode Handshake returned HDR=(CKY-R=254e5ebbbb17c30a) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=5b362bc820f60007 (SonicWall-7)
>
> Ending ike-scan 1.9.4: 1 hosts scanned in 0.060 seconds (16.70 hosts/sec).  1 returned handshake; 0 returned notify
>
> Unfortunately, even though that seemed to be the solution for the majority of the problems I encountered online, I am still unable to connect. Below are links to pastebins with relevant information:
>
> Logging of a connection attempt: https://pastebin.com/cEwMQjjC
> /etc/strongswan.conf: https://pastebin.com/LppKLiqw
> /etc/strongswan.d/charon.conf: https://pastebin.com/9ecW0LXJ
>
> Kind regards and thanks in advance,
>
> Jonas
>
>
>
>
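Added example, not part of either message: a small parser for the kind of `ike-scan` Main Mode line quoted above, turning the returned SA into a strongSwan-style phase 1 proposal string and showing that the scan says nothing about phase 2, which is where the reply locates the problem. The sample line, the address and the partial name mappings are constructed assumptions.

```python
import re

# Constructed sample in the format ike-scan prints for a Main Mode response
# (documentation address, made-up cookie); not taken from a real gateway.
SAMPLE = ("192.0.2.10\tMain Mode Handshake returned HDR=(CKY-R=0123456789abcdef) "
          "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK "
          "LifeType=Seconds LifeDuration=28800)")

# Partial mapping (assumption) from ike-scan names to strongSwan keywords.
ENC = {"3DES": "3des", "DES": "des"}
HASH = {"SHA1": "sha1", "MD5": "md5"}
# Algorithms treated here as legacy, to be flagged for review.
LEGACY = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}

LINE_RE = re.compile(r"^([\d.]+)\s*Main Mode Handshake returned .*?SA=\(([^)]*)\)")

def parse_handshake(line):
    """Return (peer_ip, {attribute: value}), or None if the line has no SA."""
    m = LINE_RE.match(line)
    if not m:
        return None
    attrs = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return m.group(1), attrs

def ike_proposal(attrs):
    """Build the phase 1 proposal, or None if a transform is not mapped."""
    cipher = ENC.get(attrs.get("Enc"))
    digest = HASH.get(attrs.get("Hash"))
    group = attrs.get("Group", "").partition(":")[2]  # "2:modp1024" -> "modp1024"
    if not (cipher and digest and group):
        return None
    return "-".join([cipher, digest, group])

def report(line):
    parsed = parse_handshake(line)
    if parsed is None:
        return None
    peer, attrs = parsed
    prop = ike_proposal(attrs)
    if prop is None:
        return None
    # ike-scan only performs the phase 1 exchange, so the phase 2 (ESP)
    # proposal stays unknown and has to come from the gateway's administrator.
    return {"peer": peer, "ike": prop + "!", "esp": None,
            "auth": attrs.get("Auth"),
            "legacy": [p for p in prop.split("-") if p in LEGACY]}

if __name__ == "__main__":
    print(report(SAMPLE))
```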
