
My company gave me an IP address, username, password & pre-shared key to connect to the VPN using L2TP.

My workstation: Fedora 32 + Gnome.

Installed xl2tpd, NetworkManager-l2tp, NetworkManager-l2tp-gnome, ike-scan packages.

Enabled the L2TP kernel modules by commenting out the blacklisting lines in the modprobe files: /etc/modprobe.d/l2tp_ppp-blacklist.conf & /etc/modprobe.d/l2tp_netlink-blacklist.conf

Rebooted. Created the VPN connection from Gnome settings. Didn't work. Got this in the logs: NO_PROPOSAL_CHOSEN. Found out I was missing the Phase 1 & Phase 2 algorithm config in the connection.

Ran a script mentioned here to query VPN server for its IKEv1 algorithm proposals. Got output:

SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)

Based on the above output, used these as Phase 1 & Phase 2 algorithms respectively:

3des-sha1-modp1024,3des-md5-modp1024
aes256-sha1,aes128-sha1,3des-sha1,3des-md5

Still doesn't work. Fetched this from the journalctl logs:

Jun 29 19:19:40 localhost.localdomain NetworkManager[829]: <info>  [1593438580.8130] audit: op="connection-activate" uuid="4dd9b863-c9f3-4c0a-9f41-240078fa51d1" name="RMP" pid=6295 uid=1000 result="success"
Jun 29 19:19:40 localhost.localdomain NetworkManager[829]: <info>  [1593438580.8190] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: Started the VPN service, PID 6406
Jun 29 19:19:40 localhost.localdomain NetworkManager[829]: <info>  [1593438580.8288] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: Saw the service appear; activating connection
Jun 29 19:19:40 localhost.localdomain NetworkManager[829]: <info>  [1593438580.8839] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN connection: (ConnectInteractive) reply received
Jun 29 19:19:40 localhost.localdomain nm-l2tp-service[6406]: Check port 1701
Jun 29 19:19:40 localhost.localdomain NetworkManager[6417]: whack: Pluto is not running (no "/run/pluto/pluto.ctl")
Jun 29 19:19:40 localhost.localdomain NetworkManager[6420]: Redirecting to: systemctl restart ipsec.service
Jun 29 19:19:41 localhost.localdomain NetworkManager[6705]: 002 listening for IKE messages
Jun 29 19:19:41 localhost.localdomain NetworkManager[6705]: 002 forgetting secrets
Jun 29 19:19:41 localhost.localdomain NetworkManager[6705]: 002 loading secrets from "/etc/ipsec.secrets"
Jun 29 19:19:41 localhost.localdomain NetworkManager[6705]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: debugging mode enabled
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: end of file /var/run/nm-l2tp-4dd9b863-c9f3-4c0a-9f41-240078fa51d1/ipsec.conf
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: Loading conn 4dd9b863-c9f3-4c0a-9f41-240078fa51d1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: starter: left is KH_DEFAULTROUTE
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" modecfgdns=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" modecfgdomains=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" modecfgbanner=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" mark=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" mark-in=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" mark-out=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" vti_iface=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" redirect-to=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" accept-redirect-to=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" esp=aes256-sha1,aes128-sha1,3des-sha1,3des-md5
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" ike=3des-sha1-modp1024,3des-md5-modp1024
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: opening file: /var/run/nm-l2tp-4dd9b863-c9f3-4c0a-9f41-240078fa51d1/ipsec.conf
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: loading named conns: 4dd9b863-c9f3-4c0a-9f41-240078fa51d1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: seeking_src = 1, seeking_gateway = 1, has_peer = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst  via 192.168.0.1 dev wlp3s0 src  table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: set nexthop: 192.168.0.1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.0.0 via  dev wlp3s0 src 192.168.0.107 table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.0.0 via  dev wlp3s0 src 192.168.0.107 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.0.107 via  dev wlp3s0 src 192.168.0.107 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.0.255 via  dev wlp3s0 src 192.168.0.107 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.122.1 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.122.255 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: seeking_src = 1, seeking_gateway = 0, has_peer = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.0.1 via  dev wlp3s0 src 192.168.0.107 table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: set addr: 192.168.0.107
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: seeking_src = 0, seeking_gateway = 0, has_peer = 1
Jun 29 19:19:41 localhost.localdomain nm-l2tp-service[6406]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Jun 29 19:19:41 localhost.localdomain NetworkManager[829]: <info>  [1593438581.3082] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN plugin: state changed: stopped (6)
Jun 29 19:19:41 localhost.localdomain NetworkManager[829]: <info>  [1593438581.3107] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN service disappeared
Jun 29 19:19:41 localhost.localdomain NetworkManager[829]: <warn>  [1593438581.3118] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN connection: failed to connect: 'Remote peer disconnected'

Don't understand what I'm doing wrong here. Any help on resolving this is highly appreciated! I have to connect to the VPN ASAP to resume my work. The same connection properties work in Windows without any issues. I don't even have to configure any deciphering algorithms. It just works out of the box.

My company wants me to use Windows in that case and I cannot stand that OS. It brings my machine to a grinding halt and thrashes my HDD non-stop.

Please help me connect to the VPN.

1 Answer

libreswan >= 3.30 isn't built with DH (modp1024) support by default anymore. I'm not sure why you aren't getting an algorithm 'modp1024' is not supported error with libreswan. See:

With NetworkManager-l2tp >= 1.2.16 you should not need to enter the phase 1 & 2 algorithms as it overrides the default libreswan or strongswan proposals and uses a combination of Win10 and iOS algorithms (minus modp1024 if it detects libreswan is being used).

I would try deleting the phase 1 & 2 algorithms and switching from libreswan to strongswan, which can be done by installing strongswan and uninstalling libreswan (or at least put an exclamation mark ! at the end of the phase 1 & 2 lines when strongswan is used):

sudo dnf install strongswan
sudo rpm -e libreswan

Not sure, but there might be some SELinux issues with NetworkManager, strongswan and Fedora 32, but they might be fixed by now.
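As an added example (not code from the question, the answer, or NetworkManager-l2tp itself), here is a small Python helper that parses the ike-scan SA lines quoted in the question into the `ike=` proposal string the logs show being loaded, and flags the modp1024 group the answer says libreswan >= 3.30 no longer builds in by default. The KeyLength handling, the daemon/version parameters and the strict `!` suffix for strongswan are my assumptions drawn from the answer, not something the page verifies.

```python
import re

# Constructed sample input: the four IKEv1 transforms ike-scan reported in the question.
IKE_SCAN_OUTPUT = """\
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
"""

# DH groups that libreswan >= 3.30 no longer builds in by default (per the answer).
LIBRESWAN_DROPPED_GROUPS = {"modp1024"}
_SA_RE = re.compile(r"SA=\((.*?)\)")


def parse_sa_lines(text):
    """Turn each SA=(k=v k=v ...) line into a dict of its fields."""
    return [dict(kv.split("=", 1) for kv in m.group(1).split())
            for m in _SA_RE.finditer(text)]

def transform_token(fields):
    """Render one transform as a libreswan/strongswan 'enc-hash-group' token."""
    enc = fields["Enc"].lower() + fields.get("KeyLength", "")  # assumed: AES carries KeyLength
    group = fields["Group"].split(":")[-1]                     # '2:modp1024' -> 'modp1024'
    return f"{enc}-{fields['Hash'].lower()}-{group}"

def phase1_proposals(text, auth="PSK"):
    """Unique Phase 1 tokens for one auth method, in the order the server listed them."""
    tokens = []
    for fields in parse_sa_lines(text):
        if fields.get("Auth") == auth and transform_token(fields) not in tokens:
            tokens.append(transform_token(fields))
    return tokens

def ike_line(tokens, daemon, libreswan_version=(3, 30)):
    """Return (ike= value, tokens the daemon cannot use); '!' makes strongswan strict."""
    unusable = []
    if daemon == "libreswan" and libreswan_version >= (3, 30):
        unusable = [t for t in tokens if t.rsplit("-", 1)[-1] in LIBRESWAN_DROPPED_GROUPS]
    usable = [t for t in tokens if t not in unusable]
    value = ",".join(usable) + ("!" if daemon == "strongswan" and usable else "")
    return value, unusable


if __name__ == "__main__":
    toks = phase1_proposals(IKE_SCAN_OUTPUT)
    for daemon in ("libreswan", "strongswan"):
        value, bad = ike_line(toks, daemon)
        print(f"{daemon}: ike={value or '<nothing usable>'}  unsupported={bad}")
```

For the server in the question every PSK proposal depends on modp1024, so with a default libreswan >= 3.30 build nothing usable remains, which is consistent with the answer's advice to switch to strongswan.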

  • Thank you very much for your reply! With your instructions, I've got it to work! Alas, only for few seconds. After successful authentication, now I get: `NetworkManager[6724]: xl2tpd[6724]: check_control: Received out of order control packet on tunnel 40187 (got 2, expected 3) NetworkManager[6724]: xl2tpd[6724]: handle_control: bad control packet!` Connection then gets terminated. I've put logs in pastebin. Can you please take a look at it? I'm not well versed in Linux networking :/ https://pastebin.com/AiaQskbp – ShashiKanth Chill Jun 30 '20 at 04:02
  • You could try adding `-D CONFIG_WATCHDOG_FIREWALL` to the `DFLAGS` in the xl2tpd Makefile and recompile xl2tpd, see https://github.com/xelerance/xl2tpd/issues/136 – Douglas Kosovic Jun 30 '20 at 09:41