IPSec/L2TP VPN connection fails

I'm currently trying to establish a VPN connection to the network of my office using IPSec/L2TP with Ubuntu 16.04 (and/or Fedora 26) which fails with the following syslog entries (complete log below):



11:46:26 laptop NetworkManager[911]: received packet: from x.x.x.x[500] to 192.168.0.102[500] (56 bytes)
11:46:26 laptop NetworkManager[911]: parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
11:46:26 laptop NetworkManager[911]: received NO_PROPOSAL_CHOSEN error notify
11:46:26 laptop NetworkManager[911]: establishing connection '5f4cde33-5549-4535-864b-04944a5d4d69' failed


According to this answer on a similar question the problem might be the negotiation of the protocol(s) to use for the connection. As suggested I used the mentioned tool ike-scan to retrieve some information from the server:



# sudo ipsec stop; sudo service xl2tpd stop; sudo ike-scan x.x.x.x
Stopping strongSwan IPsec failed: starter is not running
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
x.x.x.x Main Mode Handshake returned HDR=(CKY-R=7b0d4448e7767519) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080) VID=1e2b516905991c7d7c96fcbfb587e46100000009 (MS NT5 ISAKMPOAKLEY) VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02n) VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation) VID=fb1de3cdf341b7ea16b7e5be0855f120 VID=e3a5966a76379fe707228231e5ce8652

Ending ike-scan 1.9: 1 hosts scanned in 0.062 seconds (16.05 hosts/sec). 1 returned handshake; 0 returned notify


As further suggested I updated the NetworkManager connection config to use those algorithms:



[connection]
id=SomeName
uuid=5f4cde33-5549-4535-864b-04944a5d4d69
type=vpn
autoconnect=false
permissions=user:arne:;
secondaries=

[vpn]
password-flags=1
ipsec-esp=3des-sha1!
ipsec-psk=****
user=****
ipsec-enabled=yes
ipsec-ike=3des-sha1-modp1024!
mru=1400
gateway=x.x.x.x
mtu=1400
service-type=org.freedesktop.NetworkManager.l2tp
keyexchange=ikev1

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto


But this doesn't seem to change anything in the error log.



Does anyone have an idea what might be the problem here?



Thank you very much!




Environment:



# uname -a
Linux arne-Latitude-E5570 4.10.0-35-generic #39~16.04.1-Ubuntu SMP Wed Sep 13 09:02:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


Complete syslog:



11:46:23 laptop NetworkManager[911]: <info> [1508492783.2731] audit: op="connection-activate" uuid="5f4cde33-5549-4535-864b-04944a5d4d69" name="SomeName" pid=31464 uid=1000 result="success"
11:46:23 laptop NetworkManager[911]: <info> [1508492783.2860] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: Started the VPN service, PID 1579
11:46:23 laptop NetworkManager[911]: <info> [1508492783.3102] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: Saw the service appear; activating connection
11:46:23 laptop NetworkManager[911]: <info> [1508492783.3934] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN connection: (ConnectInteractive) reply received
11:46:23 laptop NetworkManager[911]: nm-l2tp[1579] <info> ipsec enable flag: yes
11:46:23 laptop NetworkManager[911]: ** Message: Check port 1701
11:46:23 laptop NetworkManager[911]: ** Message: Can't bind to port 1701
11:46:23 laptop NetworkManager[911]: nm-l2tp[1579] <warn> L2TP port 1701 is busy, using ephemeral.
11:46:23 laptop NetworkManager[911]: nm-l2tp[1579] <info> starting ipsec
11:46:23 laptop NetworkManager[911]: Stopping strongSwan IPsec failed: starter is not running
11:46:25 laptop NetworkManager[911]: Starting strongSwan 5.3.5 IPsec [starter]...
11:46:25 laptop NetworkManager[911]: Loading config setup
11:46:25 laptop NetworkManager[911]: Loading conn '5f4cde33-5549-4535-864b-04944a5d4d69'
11:46:25 laptop NetworkManager[911]: found netkey IPsec stack
11:46:25 laptop charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.10.0-35-generic, x86_64)
11:46:25 laptop charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
11:46:25 laptop charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
11:46:25 laptop charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
11:46:25 laptop charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
11:46:25 laptop charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
11:46:25 laptop charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
11:46:25 laptop charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-5f4cde33-5549-4535-864b-04944a5d4d69.secrets'
11:46:25 laptop charon: 00[CFG] loaded IKE secret for %any
11:46:25 laptop charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-77751670-3316-4fdc-abaf-1293b25b7687.secrets'
11:46:25 laptop charon: 00[CFG] loaded IKE secret for %any
11:46:25 laptop charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
11:46:25 laptop charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
11:46:25 laptop charon: 00[JOB] spawning 16 worker threads
11:46:25 laptop charon: 04[CFG] received stroke: add connection '5f4cde33-5549-4535-864b-04944a5d4d69'
11:46:25 laptop charon: 04[CFG] added configuration '5f4cde33-5549-4535-864b-04944a5d4d69'
11:46:26 laptop charon: 06[CFG] rereading secrets
11:46:26 laptop charon: 06[CFG] loading secrets from '/etc/ipsec.secrets'
11:46:26 laptop charon: 06[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-5f4cde33-5549-4535-864b-04944a5d4d69.secrets'
11:46:26 laptop charon: 06[CFG] loaded IKE secret for %any
11:46:26 laptop charon: 06[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-77751670-3316-4fdc-abaf-1293b25b7687.secrets'
11:46:26 laptop charon: 06[CFG] loaded IKE secret for %any
11:46:26 laptop NetworkManager[911]: nm-l2tp[1579] <info> Spawned ipsec up script with PID 1655.
11:46:26 laptop charon: 08[CFG] received stroke: initiate '5f4cde33-5549-4535-864b-04944a5d4d69'
11:46:26 laptop charon: 10[IKE] initiating Main Mode IKE_SA 5f4cde33-5549-4535-864b-04944a5d4d69[1] to x.x.x.x
11:46:26 laptop charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V ]
11:46:26 laptop charon: 10[NET] sending packet: from 192.168.0.102[500] to x.x.x.x[500] (148 bytes)
11:46:26 laptop charon: 09[NET] received packet: from x.x.x.x[500] to 192.168.0.102[500] (56 bytes)
11:46:26 laptop charon: 09[ENC] parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
11:46:26 laptop charon: 09[IKE] received NO_PROPOSAL_CHOSEN error notify
11:46:26 laptop NetworkManager[911]: initiating Main Mode IKE_SA 5f4cde33-5549-4535-864b-04944a5d4d69[1] to x.x.x.x
11:46:26 laptop NetworkManager[911]: generating ID_PROT request 0 [ SA V V V V ]
11:46:26 laptop NetworkManager[911]: sending packet: from 192.168.0.102[500] to x.x.x.x[500] (148 bytes)
11:46:26 laptop NetworkManager[911]: received packet: from x.x.x.x[500] to 192.168.0.102[500] (56 bytes)
11:46:26 laptop NetworkManager[911]: parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
11:46:26 laptop NetworkManager[911]: received NO_PROPOSAL_CHOSEN error notify
11:46:26 laptop NetworkManager[911]: establishing connection '5f4cde33-5549-4535-864b-04944a5d4d69' failed
11:46:26 laptop NetworkManager[911]: Stopping strongSwan IPsec...
11:46:26 laptop charon: 00[DMN] signal of type SIGINT received. Shutting down
11:46:26 laptop NetworkManager[911]: nm-l2tp[1579] <warn> Could not establish IPsec tunnel.
11:46:26 laptop NetworkManager[911]: (nm-l2tp-service:1579): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
11:46:26 laptop NetworkManager[911]: <info> [1508492786.8335] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN plugin: state changed: stopped (6)
11:46:26 laptop NetworkManager[911]: <info> [1508492786.8359] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN plugin: state change reason: unknown (0)
11:46:26 laptop NetworkManager[911]: <info> [1508492786.8393] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN service disappeared
11:46:26 laptop NetworkManager[911]: <warn> [1508492786.8418] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
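Added example (not part of the original post): a Python check that ties together the three artifacts quoted above. It reads from the charon log which IKEv1 phase drew the NO_PROPOSAL_CHOSEN notify, converts the transform ike-scan got accepted into a strongSwan proposal string, and compares it with the `ipsec-ike` value in the NetworkManager config. The function names are hypothetical, the sample inputs are trimmed copies of the output in the question, and the mapping tables cover only common values.

```python
import configparser
import re

# Sample inputs constructed from the output quoted in the question (VIDs trimmed).
IKE_SCAN_LINE = (
    "x.x.x.x Main Mode Handshake returned HDR=(CKY-R=7b0d4448e7767519) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration(4)=0x00007080)"
)
NM_CONFIG = """\
[vpn]
ipsec-enabled=yes
ipsec-ike=3des-sha1-modp1024!
ipsec-esp=3des-sha1!
keyexchange=ikev1
"""
CHARON_LOG = """\
11:46:26 laptop charon: 10[IKE] initiating Main Mode IKE_SA 5f4cde33-5549-4535-864b-04944a5d4d69[1] to x.x.x.x
11:46:26 laptop charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V ]
11:46:26 laptop charon: 09[ENC] parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
11:46:26 laptop charon: 09[IKE] received NO_PROPOSAL_CHOSEN error notify
"""

# ike-scan attribute value -> strongSwan proposal keyword (common values only).
ENC = {"3DES": "3des", "DES": "des"}
HASH = {"SHA1": "sha1", "MD5": "md5"}
# IKEv1 exchange named in charon's log -> (phase, nm-l2tp key for that proposal).
EXCHANGE = {
    "ID_PROT": ("phase 1", "ipsec-ike"),      # Main Mode
    "AGGRESSIVE": ("phase 1", "ipsec-ike"),   # Aggressive Mode
    "QUICK_MODE": ("phase 2", "ipsec-esp"),
}


def parse_ike_scan_sa(line):
    """Return the attributes inside ike-scan's SA=(...) as a dict."""
    # The closing paren is the one followed by whitespace or end of line;
    # "LifeDuration(4)=..." contains a paren that must not end the match.
    m = re.search(r"SA=\((.*?)\)(?:\s|$)", line)
    if not m:
        raise ValueError("no SA=(...) transform in ike-scan output")
    attrs = {}
    for token in m.group(1).split():
        key, _, value = token.partition("=")
        attrs[key] = value
    return attrs


def to_proposal(attrs):
    """Build a strongSwan IKE proposal string: encryption-integrity-dhgroup."""
    try:
        enc = attrs["Enc"]
        # Assumption: ike-scan reports AES as "Enc=AES KeyLength=<bits>".
        cipher = "aes" + attrs["KeyLength"] if enc == "AES" else ENC[enc]
        integrity = HASH[attrs["Hash"]]
        group = attrs["Group"].partition(":")[2]  # "2:modp1024" -> "modp1024"
    except KeyError as exc:
        raise ValueError(f"unmapped or missing attribute: {exc}") from None
    if not group:
        raise ValueError("Group has no name after the colon")
    return "-".join([cipher, integrity, group])


def parse_proposals(value):
    """Split an ipsec-ike/ipsec-esp value into proposals and the strict flag.

    A trailing '!' restricts strongSwan to the listed proposals; without it
    the daemon appends its default proposal.
    """
    value = value.strip()
    strict = value.endswith("!")
    items = [p.strip() for p in value.rstrip("!").split(",") if p.strip()]
    return items, strict


def rejected_phase(log_text):
    """Map NO_PROPOSAL_CHOSEN to the phase of the last request charon sent."""
    last = None
    for line in log_text.splitlines():
        m = re.search(r"generating (\w+) request", line)
        if m:
            last = m.group(1)
        elif "NO_PROPOSAL_CHOSEN" in line:
            return EXCHANGE.get(last)
    return None


def check(scan_line, nm_config, log_text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(nm_config)
    accepted = to_proposal(parse_ike_scan_sa(scan_line))
    configured, strict = parse_proposals(cfg.get("vpn", "ipsec-ike", fallback=""))
    return {
        "rejected": rejected_phase(log_text),
        "scan_accepted": accepted,
        "configured_ike": configured,
        "strict": strict,
        # Exact string match only; multi-algorithm proposals are not expanded.
        "scan_in_config": accepted in configured,
    }


if __name__ == "__main__":
    for key, value in check(IKE_SCAN_LINE, NM_CONFIG, CHARON_LOG).items():
        print(f"{key}: {value}")
```

With the values quoted in the question, `check` reports a phase 1 rejection, `ipsec-ike` as the key that governs it, and a configured proposal equal to the scanned transform.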






      11:46:26 laptop charon: 06[CFG] loaded IKE secret for %any
      11:46:26 laptop NetworkManager[911]: nm-l2tp[1579] <info> Spawned ipsec up script with PID 1655.
      11:46:26 laptop charon: 08[CFG] received stroke: initiate '5f4cde33-5549-4535-864b-04944a5d4d69'
      11:46:26 laptop charon: 10[IKE] initiating Main Mode IKE_SA 5f4cde33-5549-4535-864b-04944a5d4d69[1] to x.x.x.x
      11:46:26 laptop charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V ]
      11:46:26 laptop charon: 10[NET] sending packet: from 192.168.0.102[500] to x.x.x.x[500] (148 bytes)
      11:46:26 laptop charon: 09[NET] received packet: from x.x.x.x[500] to 192.168.0.102[500] (56 bytes)
      11:46:26 laptop charon: 09[ENC] parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
      11:46:26 laptop charon: 09[IKE] received NO_PROPOSAL_CHOSEN error notify
      11:46:26 laptop NetworkManager[911]: initiating Main Mode IKE_SA 5f4cde33-5549-4535-864b-04944a5d4d69[1] to x.x.x.x
      11:46:26 laptop NetworkManager[911]: generating ID_PROT request 0 [ SA V V V V ]
      11:46:26 laptop NetworkManager[911]: sending packet: from 192.168.0.102[500] to x.x.x.x[500] (148 bytes)
      11:46:26 laptop NetworkManager[911]: received packet: from x.x.x.x[500] to 192.168.0.102[500] (56 bytes)
      11:46:26 laptop NetworkManager[911]: parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
      11:46:26 laptop NetworkManager[911]: received NO_PROPOSAL_CHOSEN error notify
      11:46:26 laptop NetworkManager[911]: establishing connection '5f4cde33-5549-4535-864b-04944a5d4d69' failed
      11:46:26 laptop NetworkManager[911]: Stopping strongSwan IPsec...
      11:46:26 laptop charon: 00[DMN] signal of type SIGINT received. Shutting down
      11:46:26 laptop NetworkManager[911]: nm-l2tp[1579] <warn> Could not establish IPsec tunnel.
      11:46:26 laptop NetworkManager[911]: (nm-l2tp-service:1579): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
      11:46:26 laptop NetworkManager[911]: <info> [1508492786.8335] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN plugin: state changed: stopped (6)
      11:46:26 laptop NetworkManager[911]: <info> [1508492786.8359] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN plugin: state change reason: unknown (0)
      11:46:26 laptop NetworkManager[911]: <info> [1508492786.8393] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN service disappeared
      11:46:26 laptop NetworkManager[911]: <warn> [1508492786.8418] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'


















      asked Oct 20 '17 at 10:33









      user2900170





















          1 Answer

















          up vote
          4
          down vote













          Could you delete the temporary secrets files that didn't get deleted:



          sudo rm -f /etc/ipsec.d/nm-l2tp-ipsec-*.secrets


          The NO_PROPOSAL_CHOSEN error indicates there is still something wrong with the phase 1 algorithm used for the initial proposal. I would also try it without the exclamation mark; Libreswan (which is what you are probably using on Fedora) most definitely doesn't support that syntax.



          Could you try running the ike-scan.sh script in the "Querying VPN server for supported IPsec IKEv1 ciphers" section of the following page:



          • https://github.com/nm-l2tp/network-manager-l2tp/wiki/Known-Issues

          Running ike-scan by itself sometimes isn't enough as the VPN server might support more cipher suites.



          What you did for phase 1 and phase 2 algorithms should have worked with the 3DES algorithm, but perhaps something else is going wrong. Hopefully your VPN server supports other algorithms that ike-scan.sh will report and you could try them.



          I assume you are using the network-manager-l2tp PPA for Ubuntu 16.04. If you are still having issues, could you try libreswan instead of strongswan on Ubuntu 16.04, remove the phase 1 & 2 algorithms in the IPsec config dialog box and install libreswan by issuing:



          sudo apt install libreswan


          Older versions of libreswan still have the legacy cipher suites in the default set of ciphers for the phase 1 and 2 algorithms.



          The newer version of libreswan that is in Fedora 26 Updates is like strongswan when it comes to legacy cipher suites, see Fedora Bugzilla bug#1486604. Hopefully you are able to use some other ciphers.






          answered Oct 24 '17 at 4:25









          Douglas Kosovic








          • 1




            Douglas, thank you. Installing libreswan helped me.
            – Daniil Mashkin
            Apr 27 at 18:54










          • Thanks. Everything was OK, except I didn't install libreswan after that, and without restarting I tried and connected!
            – Capy
            Jun 25 at 11:44
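
The answer ties NO_PROPOSAL_CHOSEN to the phase 1 proposal and notes that Libreswan does not accept the trailing exclamation mark. The following is an added example, not part of the answer or of the network-manager-l2tp project: it turns ike-scan handshake lines, such as the one in the question, into strongSwan-style proposal strings and flags legacy components. The function names, the mapping entries other than 3DES/SHA1/modp1024, and the second and third sample lines are assumptions constructed for illustration.

```python
import re

# ike-scan attribute values -> strongSwan proposal keywords. Only 3DES, SHA1 and
# modp1024 appear on this page; the other entries are assumed ike-scan spellings.
ENC = {"DES": "des", "3DES": "3des", "AES": "aes"}
HASH = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256"}
# Components commonly treated as legacy and absent from newer default proposals.
LEGACY = {"des", "3des", "md5", "modp768", "modp1024"}

# The SA body itself contains "LifeDuration(4)=...", so stop at the ")" that is
# followed by a VID payload or the end of the line, not at the first ")".
SA_RE = re.compile(r"SA=\((.*?)\)(?=\s+VID=|\s*$)")


def parse_sa(line):
    """Return the SA attributes of one ike-scan handshake line as a dict."""
    m = SA_RE.search(line)
    return dict(re.findall(r"(\w+)=(\S+)", m.group(1))) if m else {}


def to_proposal(sa, strict=False):
    """Build an enc-hash-group proposal string from parsed SA attributes.
    strict=True appends "!", which the answer says Libreswan does not accept."""
    try:
        enc = ENC[sa["Enc"]] + sa.get("KeyLength", "")
        integ = HASH[sa["Hash"]]
        group = sa["Group"].split(":", 1)[1]  # "2:modp1024" -> "modp1024"
    except (KeyError, IndexError) as exc:
        raise ValueError(f"unmapped or missing SA attribute: {exc}") from None
    return f"{enc}-{integ}-{group}" + ("!" if strict else "")


def legacy_parts(proposal):
    """List the components of a proposal that are in the LEGACY set."""
    return [p for p in proposal.rstrip("!").split("-") if p in LEGACY]


def proposals_from_scan(text, strict=False):
    """Collect the distinct proposals the server accepted, in scan order."""
    found = []
    for line in text.splitlines():
        sa = parse_sa(line)
        if not sa:  # notify lines and banners carry no SA payload
            continue
        proposal = to_proposal(sa, strict)
        if proposal not in found:
            found.append(proposal)
    return found


# Line 1 is the question's ike-scan result, abridged to one VID.
# Lines 2 and 3 are constructed sample input, not output from the page.
SCAN_OUTPUT = """\
x.x.x.x Main Mode Handshake returned HDR=(CKY-R=7b0d4448e7767519) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080) VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
x.x.x.x Main Mode Handshake returned HDR=(CKY-R=0000000000000000) SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
x.x.x.x Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0000000000000000)
"""

if __name__ == "__main__":
    for p in proposals_from_scan(SCAN_OUTPUT):
        print(p, "legacy:", legacy_parts(p) or "none")
```

A proposal with no legacy components, when the server accepts one, is the better choice for the phase 1 setting than 3DES with modp1024.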











