L2TP / IPSec failing to connect (Kubuntu 17.10)

kubuntu vpn 17.10 ipsec
40,045

Solution 1

After spending a few hours digging around, I found out what the problem is, and the solution.

The problem:

  1. Linux no longer supports the 3DES cipher, but many appliances still use it.
  2. Kubuntu 17.10 is missing phase1 and phase2 algorithm entry fields under IPSec Settings (this is a known bug), which are needed to setup an L2TP/IPSec connection to use 3DES.

The solution:

  1. Install the latest version of KDE Plasma from the "backports" PPA.
  2. Reboot, then create a new L2TP/IPSec VPN connection - phase1 and phase2 algorithm entry fields should now be present.
  3. For the Phase1 Algorithm, enter: 3des-sha1-modp1024!
  4. For the Phase2 Algorithm, enter: 3des-sha1!

From memory, I did the following:

sudo add-apt-repository ppa:kubuntu-ppa/backports
sudo apt update && sudo apt upgrade
sudo reboot
sudo apt install network-manager-l2tp-gnome
sudo apt install strongswan
sudo apt install libstrongswan-extra-plugins
sudo apt install libcharon-extra-plugins

Reboot, then add L2TP/IPSec as normal. You should now see the Phase1 and Phase2 algorithm textboxes as show in the attached image.

enter image description here

It's important to note that the above steps will not work if you have installed the latest Linux kernel (4.14 or higher, I believe), so it is highly likely that this workaround to get L2TP/IPSec working with the 3DES cipher will not work when the up and coming *Ubuntu 18.04 LTS is released.

Solution 2

I know that this question was in regards to getting L2TP/IPSec working on Kubuntu 17.10. However, 18.04 is out now, and here's how I get L2TP/IPSec working on Kubuntu 18.04:

  1. $ sudo apt install network-manager-l2tp
  2. $ sudo systemctl stop xl2tpd.service
  3. $ sudo systemctl disable xl2tpd.service

Messing around with backports is not longer required as the Phase1 algorithms and Phase2 algorithms text-inputs are now included in the default Network Manager.

Solution 3

You can use ike-scan (option --nat-t for NAT traversal) to ask the VPN server if you need those options:

sudo ike-scan vpn.myserver.org
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
52.x.x.x    Main Mode Handshake returned HDR=(CKY-R=aa91011bd9b543f7) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)

Ending ike-scan 1.9: 1 hosts scanned in 0.064 seconds (15.54 hosts/sec).  1 returned handshake; 0 returned notify

The outputs Enc=3DES and Hash=SHA1 and Group=2:modp1024 gives you a hint if you need to adjust the phase algorithms. Note: My network-manager settings has a button which adds Legacy Proposals for both Phase1 and Phase2 Algorithms:

  • Phase1 Algorithms: aes256-sha1-ecp384,aes128-sha1-ecp256,3des-sha1-modp1024!
  • Phase2 Algorithms: aes256-sha1,aes128-sha1,3des-sha1!

Pick those values you find in the output of ike-scan.

Solution 4

The kernel 4.14 bug is related to the following commit :

That kernel 4.14 commit breaks IPsec transportation mode when a wildcard address is used on the client side as is the case with network-manager-l2tp. The commit was reverted in kernel-4.15-rc1 :

Unfortunately the reversion commit reintroduces a stack out-of-bounds bug. We might need to wait for the kernel 4.14 branch to get a fix after kernel 4.15 is released. More details in this netdev linux kernel mailing list thread :

Share:
40,045

Related videos on Youtube

Vanessa Deagan
Author by

Vanessa Deagan

Updated on September 18, 2022

Comments

  • Vanessa Deagan
    Vanessa Deagan almost 2 years

    I'm trying to connect to the corporate VPN from Kubuntu 17.10. I have network-manager-l2tp installed (version 1.2.8). The output I'm getting:

    Nov 28 17:20:48 T460 NetworkManager[667]: initiating Main Mode IKE_SA 41d2e76d-a4c4-4f56-bd6a-58ad795af332[1] to xxx.xxx.xxx.xxx
Nov 28 17:20:48 T460 NetworkManager[667]: generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:20:48 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:20:48 T460 NetworkManager[667]: sending retransmit 1 of request message ID 0, seq 1
Nov 28 17:20:48 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:20:48 T460 NetworkManager[667]: destroying IKE_SA in state CONNECTING without notification
Nov 28 17:20:48 T460 NetworkManager[667]: establishing connection '41d2e76d-a4c4-4f56-bd6a-58ad795af332' failed
Nov 28 17:20:48 T460 nm-l2tp-service[3673]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Nov 28 17:20:48 T460 NetworkManager[667]: <info>  [1511889648.3131] vpn-connection[0x55fe5d8fe2f0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN service disappeared
Nov 28 17:20:48 T460 NetworkManager[667]: <warn>  [1511889648.3161] vpn-connection[0x55fe5d8fe2f0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
Nov 28 17:23:58 T460 NetworkManager[667]: <info>  [1511889838.9310] audit: op="connection-activate" uuid="41d2e76d-a4c4-4f56-bd6a-58ad795af332" name="WorkVPN" pid=1017 uid=1000 result="success"
Nov 28 17:23:58 T460 NetworkManager[667]: <info>  [1511889838.9371] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: Started the VPN service, PID 3759
Nov 28 17:23:58 T460 NetworkManager[667]: <info>  [1511889838.9477] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: Saw the service appear; activating connection
Nov 28 17:24:01 T460 nm-l2tp-service[3759]: Check port 1701
Nov 28 17:24:01 T460 NetworkManager[667]: Stopping strongSwan IPsec failed: starter is not running
Nov 28 17:24:03 T460 NetworkManager[667]: Starting strongSwan 5.5.1 IPsec [starter]...
Nov 28 17:24:03 T460 NetworkManager[667]: Loading config setup
Nov 28 17:24:03 T460 NetworkManager[667]: Loading conn '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:03 T460 NetworkManager[667]: found netkey IPsec stack
Nov 28 17:24:03 T460 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.14.2-041402-generic, x86_64)
Nov 28 17:24:03 T460 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 28 17:24:03 T460 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 28 17:24:03 T460 charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-41d2e76d-a4c4-4f56-bd6a-58ad795af332.secrets'
Nov 28 17:24:03 T460 charon: 00[CFG]   loaded IKE secret for %any
Nov 28 17:24:03 T460 charon: 00[LIB] loaded plugins: charon test-vectors aesni aes rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
Nov 28 17:24:03 T460 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Nov 28 17:24:03 T460 charon: 00[JOB] spawning 16 worker threads
Nov 28 17:24:03 T460 charon: 05[CFG] received stroke: add connection '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:03 T460 charon: 05[CFG] added configuration '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:04 T460 charon: 07[CFG] rereading secrets
Nov 28 17:24:04 T460 charon: 07[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 28 17:24:04 T460 charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-41d2e76d-a4c4-4f56-bd6a-58ad795af332.secrets'
Nov 28 17:24:04 T460 charon: 07[CFG]   loaded IKE secret for %any
Nov 28 17:24:04 T460 charon: 10[CFG] received stroke: initiate '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:04 T460 charon: 11[IKE] initiating Main Mode IKE_SA 41d2e76d-a4c4-4f56-bd6a-58ad795af332[1] to xxx.xxx.xxx.xxx
Nov 28 17:24:04 T460 charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:24:04 T460 charon: 11[NET] sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:08 T460 charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Nov 28 17:24:08 T460 charon: 12[NET] sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:14 T460 NetworkManager[667]: Stopping strongSwan IPsec...
Nov 28 17:24:14 T460 charon: 00[DMN] signal of type SIGINT received. Shutting down
Nov 28 17:24:14 T460 charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Nov 28 17:24:14 T460 NetworkManager[667]: initiating Main Mode IKE_SA 41d2e76d-a4c4-4f56-bd6a-58ad795af332[1] to xxx.xxx.xxx.xxx
Nov 28 17:24:14 T460 NetworkManager[667]: generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:24:14 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:14 T460 NetworkManager[667]: sending retransmit 1 of request message ID 0, seq 1
Nov 28 17:24:14 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:14 T460 NetworkManager[667]: destroying IKE_SA in state CONNECTING without notification
Nov 28 17:24:14 T460 NetworkManager[667]: establishing connection '41d2e76d-a4c4-4f56-bd6a-58ad795af332' failed
Nov 28 17:24:14 T460 nm-l2tp-service[3759]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Nov 28 17:24:14 T460 NetworkManager[667]: <info>  [1511889854.5718] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN plugin: state changed: stopped (6)
Nov 28 17:24:14 T460 NetworkManager[667]: <info>  [1511889854.5779] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN service disappeared
Nov 28 17:24:14 T460 NetworkManager[667]: <warn>  [1511889854.5803] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

    EDIT:

    Here's the debug info output:

    van@z97:/opt/testing$ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[24282] <debug> nm-l2tp-service (version 1.2.8) starting...
nm-l2tp[24282] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[24282] <info>  ipsec enable flag: yes
** Message: Check port 1701
** Message: Can't bind to port 1701
nm-l2tp[24282] <warn>  L2TP port 1701 is busy, using ephemeral.
connection
        id : "Work" (s)
        uuid : "71468d41-cd5a-4c91-a70a-c6bc7e1db86a" (s)
        interface-name : NULL (sd)
        type : "vpn" (s)
        permissions : ["user:van:"] (s)
        autoconnect : TRUE (sd)
        autoconnect-priority : 0 (sd)
        autoconnect-retries : -1 (sd)
        timestamp : 0 (sd)
        read-only : FALSE (sd)
        zone : NULL (sd)
        master : NULL (sd)
        slave-type : NULL (sd)
        autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
        secondaries : NULL (sd)
        gateway-ping-timeout : 0 (sd)
        metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
        lldp : -1 (sd)
        stable-id : NULL (sd)


ipv6
        method : "auto" (s)
        dns : [] (s)
        dns-search : [] (s)
        dns-options : NULL (sd)
        dns-priority : 0 (sd)
        addresses : ((GPtrArray*) 0x5645b3895ae0) (s)
        gateway : NULL (sd)
        routes : ((GPtrArray*) 0x5645b3895ae0) (s)
        route-metric : -1 (sd)
        ignore-auto-routes : FALSE (sd)
        ignore-auto-dns : FALSE (sd)
        dhcp-hostname : NULL (sd)
        dhcp-send-hostname : TRUE (sd)
        never-default : FALSE (sd)
        may-fail : TRUE (sd)
        dad-timeout : -1 (sd)
        dhcp-timeout : 0 (sd)
        ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd)
        addr-gen-mode : 1 (sd)
        token : NULL (sd)


proxy
        method : 0 (sd)
        browser-only : FALSE (sd)
        pac-url : NULL (sd)
        pac-script : NULL (sd)


vpn
        service-type : "org.freedesktop.NetworkManager.l2tp" (s)
        user-name : "van" (s)
        persistent : FALSE (sd)
        data : ((GHashTable*) 0x7fef54006de0) (s)
        secrets : ((GHashTable*) 0x7fef54006cc0) (s)
        timeout : 0 (sd)


ipv4
        method : "auto" (s)
        dns : [] (s)
        dns-search : [] (s)
        dns-options : NULL (sd)
        dns-priority : 0 (sd)
        addresses : ((GPtrArray*) 0x5645b38957a0) (s)
        gateway : NULL (sd)
        routes : ((GPtrArray*) 0x5645b3895a00) (s)
        route-metric : -1 (sd)
        ignore-auto-routes : FALSE (sd)
        ignore-auto-dns : FALSE (sd)
        dhcp-hostname : NULL (sd)
        dhcp-send-hostname : TRUE (sd)
        never-default : FALSE (sd)
        may-fail : TRUE (sd)
        dad-timeout : -1 (sd)
        dhcp-timeout : 0 (sd)
        dhcp-client-id : NULL (sd)
        dhcp-fqdn : NULL (sd)


nm-l2tp[24282] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.5.1 IPsec [starter]...
Loading config setup
Loading conn '71468d41-cd5a-4c91-a70a-c6bc7e1db86a'
found netkey IPsec stack
nm-l2tp[24282] <info>  Spawned ipsec up script with PID 24345.
initiating Main Mode IKE_SA 71468d41-cd5a-4c91-a70a-c6bc7e1db86a[1] to xxx.xxx.xxx.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.0.2[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 192.168.0.2[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
nm-l2tp[24282] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[24282] <info>  Terminating ipsec script with PID 24345.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
establishing connection '71468d41-cd5a-4c91-a70a-c6bc7e1db86a' failed
nm-l2tp[24282] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:24282): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
  • Yura Shinkarev
    Yura Shinkarev almost 6 years
    I'am use 16.04. I try your recommendations but still missing phase1 and phase2 algorithm entry fields. Can you give me your config from /etc/NetworkManager/system-connections/ ?
  • Vanessa Deagan
    Vanessa Deagan almost 6 years
    @YuraShinkarev - In my [vpn] section I have: ipsec-esp=3des-sha1 and ipsec-ike=3des-sha1-modp1024
  • Scott Deagan
    Scott Deagan almost 5 years
    Thanks! This worked for me with Kubuntu 19.04. Just one minor correction - step 2 should read: $ sudo systemctl stop xl2tpd.service
  • IljaBek
    IljaBek over 2 years
    thanks, it helped on Kubuntu 20.04

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

how do I connect to a VPN with ipsec?
Kubuntu 16.04 (Plasma 5) connect to VPN
VPN between Ubuntu server (14.04.1 LTS ) AND Cisco ASA 5510
How to Reinstall Sound Drivers?
Can't connect to VPN in network manager for KDE in Kubuntu 19.04
How to install KDE Plasma without installing full Kubuntu Desktop?
How to connect to a L2TP VPN given some info from a sysadmin
L2TP IPsec VPN client on Ubuntu Desktop 16.04
How to automatically connect to VPN in Ubuntu 17.10?
Hamachi not working on Ubuntu 17.10