IPSec/L2TP VPN connection fails

I'm currently trying to establish a VPN connection to the network of my office using IPSec/L2TP with Ubuntu 16.04 (and/or Fedora 26) which fails with the following syslog entries (complete log below):



11:46:26 laptop NetworkManager[911]: received packet: from x.x.x.x[500] to 192.168.0.102[500] (56 bytes)
11:46:26 laptop NetworkManager[911]: parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
11:46:26 laptop NetworkManager[911]: received NO_PROPOSAL_CHOSEN error notify
11:46:26 laptop NetworkManager[911]: establishing connection '5f4cde33-5549-4535-864b-04944a5d4d69' failed


According to this answer on a similar question the problem might be the negotiation of the protocol(s) to use for the connection. As suggested I used the mentioned tool ike-scan to retrieve some information from the server:



# sudo ipsec stop; sudo service xl2tpd stop; sudo ike-scan x.x.x.x
Stopping strongSwan IPsec failed: starter is not running
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
x.x.x.x Main Mode Handshake returned HDR=(CKY-R=7b0d4448e7767519) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080) VID=1e2b516905991c7d7c96fcbfb587e46100000009 (MS NT5 ISAKMPOAKLEY) VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02n) VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation) VID=fb1de3cdf341b7ea16b7e5be0855f120 VID=e3a5966a76379fe707228231e5ce8652

Ending ike-scan 1.9: 1 hosts scanned in 0.062 seconds (16.05 hosts/sec). 1 returned handshake; 0 returned notify


As further suggested I updated the NetworkManager connection config to use those algorithms:



[connection]
id=SomeName
uuid=5f4cde33-5549-4535-864b-04944a5d4d69
type=vpn
autoconnect=false
permissions=user:arne:;
secondaries=

[vpn]
password-flags=1
ipsec-esp=3des-sha1!
ipsec-psk=****
user=****
ipsec-enabled=yes
ipsec-ike=3des-sha1-modp1024!
mru=1400
gateway=x.x.x.x
mtu=1400
service-type=org.freedesktop.NetworkManager.l2tp
keyexchange=ikev1

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto


But this doesn't seem to change anything in the error log.



Does anyone have an idea what might be the problem here?



Thank you very much!




Environment:



# uname -a
Linux arne-Latitude-E5570 4.10.0-35-generic #39~16.04.1-Ubuntu SMP Wed Sep 13 09:02:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


Complete syslog:



11:46:23 laptop NetworkManager[911]: <info> [1508492783.2731] audit: op="connection-activate" uuid="5f4cde33-5549-4535-864b-04944a5d4d69" name="SomeName" pid=31464 uid=1000 result="success"
11:46:23 laptop NetworkManager[911]: <info> [1508492783.2860] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: Started the VPN service, PID 1579
11:46:23 laptop NetworkManager[911]: <info> [1508492783.3102] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: Saw the service appear; activating connection
11:46:23 laptop NetworkManager[911]: <info> [1508492783.3934] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN connection: (ConnectInteractive) reply received
11:46:23 laptop NetworkManager[911]: nm-l2tp[1579] <info> ipsec enable flag: yes
11:46:23 laptop NetworkManager[911]: ** Message: Check port 1701
11:46:23 laptop NetworkManager[911]: ** Message: Can't bind to port 1701
11:46:23 laptop NetworkManager[911]: nm-l2tp[1579] <warn> L2TP port 1701 is busy, using ephemeral.
11:46:23 laptop NetworkManager[911]: nm-l2tp[1579] <info> starting ipsec
11:46:23 laptop NetworkManager[911]: Stopping strongSwan IPsec failed: starter is not running
11:46:25 laptop NetworkManager[911]: Starting strongSwan 5.3.5 IPsec [starter]...
11:46:25 laptop NetworkManager[911]: Loading config setup
11:46:25 laptop NetworkManager[911]: Loading conn '5f4cde33-5549-4535-864b-04944a5d4d69'
11:46:25 laptop NetworkManager[911]: found netkey IPsec stack
11:46:25 laptop charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.10.0-35-generic, x86_64)
11:46:25 laptop charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
11:46:25 laptop charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
11:46:25 laptop charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
11:46:25 laptop charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
11:46:25 laptop charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
11:46:25 laptop charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
11:46:25 laptop charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-5f4cde33-5549-4535-864b-04944a5d4d69.secrets'
11:46:25 laptop charon: 00[CFG] loaded IKE secret for %any
11:46:25 laptop charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-77751670-3316-4fdc-abaf-1293b25b7687.secrets'
11:46:25 laptop charon: 00[CFG] loaded IKE secret for %any
11:46:25 laptop charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
11:46:25 laptop charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
11:46:25 laptop charon: 00[JOB] spawning 16 worker threads
11:46:25 laptop charon: 04[CFG] received stroke: add connection '5f4cde33-5549-4535-864b-04944a5d4d69'
11:46:25 laptop charon: 04[CFG] added configuration '5f4cde33-5549-4535-864b-04944a5d4d69'
11:46:26 laptop charon: 06[CFG] rereading secrets
11:46:26 laptop charon: 06[CFG] loading secrets from '/etc/ipsec.secrets'
11:46:26 laptop charon: 06[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-5f4cde33-5549-4535-864b-04944a5d4d69.secrets'
11:46:26 laptop charon: 06[CFG] loaded IKE secret for %any
11:46:26 laptop charon: 06[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-77751670-3316-4fdc-abaf-1293b25b7687.secrets'
11:46:26 laptop charon: 06[CFG] loaded IKE secret for %any
11:46:26 laptop NetworkManager[911]: nm-l2tp[1579] <info> Spawned ipsec up script with PID 1655.
11:46:26 laptop charon: 08[CFG] received stroke: initiate '5f4cde33-5549-4535-864b-04944a5d4d69'
11:46:26 laptop charon: 10[IKE] initiating Main Mode IKE_SA 5f4cde33-5549-4535-864b-04944a5d4d69[1] to x.x.x.x
11:46:26 laptop charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V ]
11:46:26 laptop charon: 10[NET] sending packet: from 192.168.0.102[500] to x.x.x.x[500] (148 bytes)
11:46:26 laptop charon: 09[NET] received packet: from x.x.x.x[500] to 192.168.0.102[500] (56 bytes)
11:46:26 laptop charon: 09[ENC] parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
11:46:26 laptop charon: 09[IKE] received NO_PROPOSAL_CHOSEN error notify
11:46:26 laptop NetworkManager[911]: initiating Main Mode IKE_SA 5f4cde33-5549-4535-864b-04944a5d4d69[1] to x.x.x.x
11:46:26 laptop NetworkManager[911]: generating ID_PROT request 0 [ SA V V V V ]
11:46:26 laptop NetworkManager[911]: sending packet: from 192.168.0.102[500] to x.x.x.x[500] (148 bytes)
11:46:26 laptop NetworkManager[911]: received packet: from x.x.x.x[500] to 192.168.0.102[500] (56 bytes)
11:46:26 laptop NetworkManager[911]: parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
11:46:26 laptop NetworkManager[911]: received NO_PROPOSAL_CHOSEN error notify
11:46:26 laptop NetworkManager[911]: establishing connection '5f4cde33-5549-4535-864b-04944a5d4d69' failed
11:46:26 laptop NetworkManager[911]: Stopping strongSwan IPsec...
11:46:26 laptop charon: 00[DMN] signal of type SIGINT received. Shutting down
11:46:26 laptop NetworkManager[911]: nm-l2tp[1579] <warn> Could not establish IPsec tunnel.
11:46:26 laptop NetworkManager[911]: (nm-l2tp-service:1579): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
11:46:26 laptop NetworkManager[911]: <info> [1508492786.8335] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN plugin: state changed: stopped (6)
11:46:26 laptop NetworkManager[911]: <info> [1508492786.8359] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN plugin: state change reason: unknown (0)
11:46:26 laptop NetworkManager[911]: <info> [1508492786.8393] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN service disappeared
11:46:26 laptop NetworkManager[911]: <warn> [1508492786.8418] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
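
Added example, not part of the original question: a small Python check that turns the `SA=(...)` transform from the ike-scan line above into a strongSwan-style proposal string and compares it with the `ipsec-ike` value in the NetworkManager keyfile. The function names and the ike-scan-to-strongSwan keyword table are assumptions made for this illustration; the sample inputs are trimmed copies of the output and config quoted in the question.

```python
import configparser
import re

# Sample input taken from the question (VID list trimmed).
IKE_SCAN_LINE = (
    "x.x.x.x Main Mode Handshake returned HDR=(CKY-R=7b0d4448e7767519) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration(4)=0x00007080) VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)"
)
KEYFILE = """[vpn]
ipsec-enabled=yes
ipsec-ike=3des-sha1-modp1024!
ipsec-esp=3des-sha1!
keyexchange=ikev1
"""

# Assumption: keyword table for common ike-scan attribute values only.
ENC = {"DES": "des", "3DES": "3des"}
HASH = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
        "SHA2-384": "sha384", "SHA2-512": "sha512"}
# Algorithms a reviewer would flag when they appear in a proposal.
LEGACY = {"des", "3des", "md5", "modp768", "modp1024"}

# The SA block contains one level of nested parentheses: LifeDuration(4)=...
SA_RE = re.compile(r"SA=\(((?:[^()]|\([^()]*\))*)\)")


def parse_sa(line):
    """Return the attributes of the SA=(...) block as a dict."""
    match = SA_RE.search(line)
    if not match:
        raise ValueError("no SA=(...) block in ike-scan line")
    attrs = {}
    for token in match.group(1).split():
        key, sep, value = token.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def to_proposal(sa):
    """Build an 'enc-hash-group' proposal string from parsed SA attributes."""
    enc = sa.get("Enc", "").upper()
    if enc == "AES":
        if "KeyLength" not in sa:
            raise ValueError("AES transform without KeyLength")
        enc_kw = "aes" + sa["KeyLength"]
    elif enc in ENC:
        enc_kw = ENC[enc]
    else:
        raise ValueError("unmapped encryption algorithm: %r" % enc)
    hash_name = sa.get("Hash", "").upper()
    if hash_name not in HASH:
        raise ValueError("unmapped hash algorithm: %r" % hash_name)
    # Group is printed as '<number>:<name>', e.g. '2:modp1024'.
    group = sa.get("Group", "").split(":")[-1].lower()
    if not group:
        raise ValueError("no DH group in SA")
    return "-".join([enc_kw, HASH[hash_name], group])


def parse_proposals(value):
    """Split a keyfile proposal value; a trailing '!' marks it as strict."""
    value = value.strip()
    strict = value.endswith("!")
    items = [p.strip().lower() for p in value.rstrip("!").split(",")]
    return [p for p in items if p], strict


def legacy_algorithms(proposal):
    """List the algorithms in a proposal that appear in LEGACY."""
    return [alg for alg in proposal.split("-") if alg in LEGACY]


def check_keyfile(ike_scan_line, keyfile_text):
    """Compare the gateway's selected IKE transform with the keyfile's ipsec-ike."""
    offered = to_proposal(parse_sa(ike_scan_line))
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(keyfile_text)
    configured, strict = parse_proposals(cfg.get("vpn", "ipsec-ike", fallback=""))
    return {
        "gateway_ike": offered,
        "configured_ike": configured,
        "strict": strict,
        "ike_match": offered in configured,
        "legacy": legacy_algorithms(offered),
    }


if __name__ == "__main__":
    for key, value in check_keyfile(IKE_SCAN_LINE, KEYFILE).items():
        print("%-15s %s" % (key, value))
```

ike-scan's Main Mode probe reports only the IKE (Phase 1) transform the gateway selected, so this check covers `ipsec-ike`; the `ipsec-esp` value cannot be confirmed from that output.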






      11:46:26 laptop charon: 06[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-77751670-3316-4fdc-abaf-1293b25b7687.secrets'
      11:46:26 laptop charon: 06[CFG] loaded IKE secret for %any
      11:46:26 laptop NetworkManager[911]: nm-l2tp[1579] <info> Spawned ipsec up script with PID 1655.
      11:46:26 laptop charon: 08[CFG] received stroke: initiate '5f4cde33-5549-4535-864b-04944a5d4d69'
      11:46:26 laptop charon: 10[IKE] initiating Main Mode IKE_SA 5f4cde33-5549-4535-864b-04944a5d4d69[1] to x.x.x.x
      11:46:26 laptop charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V ]
      11:46:26 laptop charon: 10[NET] sending packet: from 192.168.0.102[500] to x.x.x.x[500] (148 bytes)
      11:46:26 laptop charon: 09[NET] received packet: from x.x.x.x[500] to 192.168.0.102[500] (56 bytes)
      11:46:26 laptop charon: 09[ENC] parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
      11:46:26 laptop charon: 09[IKE] received NO_PROPOSAL_CHOSEN error notify
      11:46:26 laptop NetworkManager[911]: initiating Main Mode IKE_SA 5f4cde33-5549-4535-864b-04944a5d4d69[1] to x.x.x.x
      11:46:26 laptop NetworkManager[911]: generating ID_PROT request 0 [ SA V V V V ]
      11:46:26 laptop NetworkManager[911]: sending packet: from 192.168.0.102[500] to x.x.x.x[500] (148 bytes)
      11:46:26 laptop NetworkManager[911]: received packet: from x.x.x.x[500] to 192.168.0.102[500] (56 bytes)
      11:46:26 laptop NetworkManager[911]: parsed INFORMATIONAL_V1 request 3879417451 [ N(NO_PROP) ]
      11:46:26 laptop NetworkManager[911]: received NO_PROPOSAL_CHOSEN error notify
      11:46:26 laptop NetworkManager[911]: establishing connection '5f4cde33-5549-4535-864b-04944a5d4d69' failed
      11:46:26 laptop NetworkManager[911]: Stopping strongSwan IPsec...
      11:46:26 laptop charon: 00[DMN] signal of type SIGINT received. Shutting down
      11:46:26 laptop NetworkManager[911]: nm-l2tp[1579] <warn> Could not establish IPsec tunnel.
      11:46:26 laptop NetworkManager[911]: (nm-l2tp-service:1579): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
      11:46:26 laptop NetworkManager[911]: <info> [1508492786.8335] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN plugin: state changed: stopped (6)
      11:46:26 laptop NetworkManager[911]: <info> [1508492786.8359] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN plugin: state change reason: unknown (0)
      11:46:26 laptop NetworkManager[911]: <info> [1508492786.8393] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN service disappeared
      11:46:26 laptop NetworkManager[911]: <warn> [1508492786.8418] vpn-connection[0xfbd460,5f4cde33-5549-4535-864b-04944a5d4d69,"SomeName",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'








      asked Oct 20 '17 at 10:33









      user2900170

          1 Answer
          up vote
          4
          down vote













          Could you delete the temporary secrets files that didn't get deleted:



          sudo rm -f /etc/ipsec.d/nm-l2tp-ipsec-*.secrets


          The NO_PROPOSAL_CHOSEN error indicates there is still something wrong with the phase 1 algorithm used for the initial proposal. I would also try it without the exclamation mark; Libreswan (which is what you are probably using on Fedora) most definitely doesn't support that syntax.



          Could you try running the ike-scan.sh script in the "Querying VPN server for supported IPsec IKEv1 ciphers" section of the following page:



          • https://github.com/nm-l2tp/network-manager-l2tp/wiki/Known-Issues

          Running ike-scan by itself sometimes isn't enough as the VPN server might support more cipher suites.



          What you did for phase 1 and phase 2 algorithms should have worked with the 3DES algorithm, but perhaps something else is going wrong. Hopefully your VPN server supports other algorithms that ike-scan.sh will report and you could try them.



          I assume you are using the network-manager-l2tp PPA for Ubuntu 16.04. If you are still having issues, could you try libreswan instead of strongswan on Ubuntu 16.04, remove the phase 1 & 2 algorithms in the IPsec config dialog box and install libreswan by issuing:



          sudo apt install libreswan


          Older versions of libreswan still have the legacy cipher suites in the default set of ciphers for the phase 1 and 2 algorithms.



          The newer version of libreswan that is in Fedora 26 Updates is like strongswan when it comes to legacy cipher suites, see Fedora Bugzilla bug#1486604. Hopefully you are able to use some other ciphers.






          • Douglas, thank you. Installing libreswan helped me.
            – Daniil Mashkin
            Apr 27 at 18:54










          • Thanks. Everything was ok except I didn't install libreswan after that and without restarting I tried and connected!
            – Capy
            Jun 25 at 11:44










          answered Oct 24 '17 at 4:25









          Douglas Kosovic
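
As an added illustration (not part of the original answer or of the network-manager-l2tp project), this Python example converts the transform that ike-scan reported in the question into strongSwan's proposal notation and checks it against a configured phase 1 string, reporting the trailing `!` that the answer says Libreswan does not support. The function names, the mapping tables (common IKEv1 values only) and the sample configuration string are assumptions made for this example.

```python
import re

# Constructed sample: the Main Mode line from the question's ike-scan run, VIDs trimmed.
SAMPLE = (
    "x.x.x.x Main Mode Handshake returned HDR=(CKY-R=7b0d4448e7767519) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration(4)=0x00007080)"
)

# ike-scan attribute values -> strongSwan proposal keywords (assumed, common values only).
ENC = {"DES": "des", "3DES": "3des", "AES": "aes"}
HASH = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
        "SHA2-384": "sha384", "SHA2-512": "sha512"}


def parse_sa(line):
    """Return the SA attributes of an ike-scan handshake line, or None if absent."""
    start = line.find("SA=(")
    if start < 0:
        return None  # e.g. a notify response carries no accepted transform
    # Slice from SA=( so the HDR=(...) cookie is skipped; VID fields never match.
    fields = re.findall(r"\b(Enc|KeyLength|Hash|Group|Auth)=([^\s)]+)", line[start:])
    return dict(fields)


def to_proposal(sa):
    """Build an enc-hash-dhgroup string such as 3des-sha1-modp1024."""
    try:
        enc = ENC[sa["Enc"]] + sa.get("KeyLength", "")
        integ = HASH[sa["Hash"]]
    except KeyError as exc:
        raise ValueError(f"unmapped or missing attribute: {exc}") from None
    group = sa.get("Group", "")
    if ":" not in group:
        raise ValueError(f"unexpected Group value: {group!r}")
    return f"{enc}-{integ}-{group.split(':', 1)[1]}"


def check_config(configured, server_proposal):
    """Compare a configured phase 1 string with the server's accepted transform.

    Returns (offered, strict): offered is True when some comma-separated
    proposal contains every algorithm the server chose; strict is True when
    the string ends in '!', the flag the answer says Libreswan does not support.
    """
    text = configured.strip().lower()
    strict = text.endswith("!")
    wanted = set(server_proposal.split("-"))
    proposals = [p.strip() for p in text.rstrip("!").split(",") if p.strip()]
    offered = any(wanted <= set(p.split("-")) for p in proposals)
    return offered, strict


if __name__ == "__main__":
    proposal = to_proposal(parse_sa(SAMPLE))
    print("server accepts:", proposal)
    # Constructed configuration string, for illustration only.
    print("config check:", check_config("aes128-sha1-modp2048,3des-sha1-modp1024!", proposal))
```

An `offered` value of False for every transform the server reports points at a proposal mismatch, which is the condition behind the NO_PROPOSAL_CHOSEN notify in the log.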
