Cannot connect to a L2TP/IPSec VPN server

Hi.

I’m trying to connect to my workplace VPN which is using L2TP/IPSec without succeeding. I’m using openSUSE Leap 42.1, KDE Plasma 5.5.5.

At first, there was a problem with the package NetworkManager-l2tp which does not exist in LEAP 42.1. Without this package one gets an error message that the service is missing. I found a version of the package in the build service in the home:dkosovic repo which I installed. Currently I have the following L2TP packages installed:

micke@deimos:~/Downloads> sudo zypper se -is l2tp
Loading repository data...
Reading installed packages...


S | Name                      | Type    | Version   | Arch   | Repository   
--+---------------------------+---------+-----------+--------+--------------
i | NetworkManager-l2tp       | package | 1.0.4-2.1 | x86_64 | home:dkosovic
i | NetworkManager-l2tp-gnome | package | 1.0.4-2.1 | x86_64 | home:dkosovic
i | NetworkManager-l2tp-lang  | package | 1.0.4-2.1 | noarch | home:dkosovic
i | plasma-nm5-l2tp           | package | 5.5.5-9.1 | x86_64 | update oss   
i | xl2tpd                    | package | 1.3.6-3.2 | x86_64 | oss          
I have been given a gateway server address, username, password and a pre-shared key to use when setting up the VPN. Configuration works fine in Plasma. When I try to connect I get a timeout. The service should be up and running; other employees (using other OSes) can connect. The journal reports the following (I have masked the gateway address using WWW.XXX.YYY.ZZZ), and I fail to understand what's wrong. Does anybody else have a clue?
micke@deimos:~/Documents> sudo journalctl --since "2016-08-02 08:06:00" --until "2016-08-02 09:00:00" | grep NetworkManager
root's password:
aug 02 08:06:08 deimos NetworkManager[949]: <info>  Starting VPN service 'l2tp'...
aug 02 08:06:08 deimos NetworkManager[949]: <info>  VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 24477
aug 02 08:06:08 deimos NetworkManager[949]: <info>  VPN service 'l2tp' appeared; activating connections
aug 02 08:06:08 deimos NetworkManager[949]: ** Message: ipsec enable flag: yes
aug 02 08:06:08 deimos NetworkManager[949]: <info>  VPN plugin state changed: starting (3)
aug 02 08:06:08 deimos NetworkManager[949]: ** Message: Use '213.115.131.138' as a gateway
aug 02 08:06:08 deimos NetworkManager[949]: ** Message: Check port 1701
aug 02 08:06:08 deimos NetworkManager[949]: ** Message: starting ipsec
aug 02 08:06:08 deimos NetworkManager[949]: Stopping strongSwan IPsec failed: starter is not running
aug 02 08:06:10 deimos NetworkManager[949]: Starting strongSwan 5.3.5 IPsec [starter]...
aug 02 08:06:10 deimos NetworkManager[949]: Loading config setup
aug 02 08:06:10 deimos NetworkManager[949]: Loading conn 'nm-ipsec-l2tp-24477'
aug 02 08:06:10 deimos NetworkManager[949]: found netkey IPsec stack
aug 02 08:06:11 deimos NetworkManager[949]: initiating Main Mode IKE_SA nm-ipsec-l2tp-24477[1] to 213.115.131.138
aug 02 08:06:11 deimos NetworkManager[949]: generating ID_PROT request 0  SA V V V V ]
aug 02 08:06:11 deimos NetworkManager[949]: sending packet: from 192.168.20.25[500] to 213.115.131.138[500] (280 bytes)
aug 02 08:06:11 deimos NetworkManager[949]: received packet: from 213.115.131.138[500] to 192.168.20.25[500] (124 bytes)
aug 02 08:06:11 deimos NetworkManager[949]: parsed ID_PROT response 0  SA V V ]
aug 02 08:06:11 deimos NetworkManager[949]: received NAT-T (RFC 3947) vendor ID
aug 02 08:06:11 deimos NetworkManager[949]: received FRAGMENTATION vendor ID
aug 02 08:06:11 deimos NetworkManager[949]: generating ID_PROT request 0  KE No NAT-D NAT-D ]
aug 02 08:06:11 deimos NetworkManager[949]: sending packet: from 192.168.20.25[500] to 213.115.131.138[500] (244 bytes)
aug 02 08:06:11 deimos NetworkManager[949]: received packet: from 213.115.131.138[500] to 192.168.20.25[500] (304 bytes)
aug 02 08:06:11 deimos NetworkManager[949]: parsed ID_PROT response 0  KE No V V V V NAT-D NAT-D ]
aug 02 08:06:11 deimos NetworkManager[949]: received Cisco Unity vendor ID
aug 02 08:06:11 deimos NetworkManager[949]: received XAuth vendor ID
aug 02 08:06:11 deimos NetworkManager[949]: received unknown vendor ID: 27:0e:0a:94:93:0b:bb:b4:fc:5e:ac:e7:a1:b2:c1:22
aug 02 08:06:11 deimos NetworkManager[949]: received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
aug 02 08:06:11 deimos NetworkManager[949]: faking NAT situation to enforce UDP encapsulation
aug 02 08:06:11 deimos NetworkManager[949]: generating ID_PROT request 0  ID HASH N(INITIAL_CONTACT) ]
aug 02 08:06:11 deimos NetworkManager[949]: sending packet: from 192.168.20.25[4500] to 213.115.131.138[4500] (100 bytes)
aug 02 08:06:11 deimos NetworkManager[949]: received packet: from 213.115.131.138[4500] to 192.168.20.25[4500] (68 bytes)
aug 02 08:06:11 deimos NetworkManager[949]: parsed ID_PROT response 0  ID HASH ]
aug 02 08:06:11 deimos NetworkManager[949]: IKE_SA nm-ipsec-l2tp-24477[1] established between 192.168.20.25[192.168.20.25]...213.115.131.138[213.115.131.138]
aug 02 08:06:11 deimos NetworkManager[949]: scheduling reauthentication in 9986s
aug 02 08:06:11 deimos NetworkManager[949]: maximum IKE_SA lifetime 10526s
aug 02 08:06:11 deimos NetworkManager[949]: generating QUICK_MODE request 2468577163  HASH SA No ID ID NAT-OA NAT-OA ]
aug 02 08:06:11 deimos NetworkManager[949]: sending packet: from 192.168.20.25[4500] to 213.115.131.138[4500] (244 bytes)
aug 02 08:06:11 deimos NetworkManager[949]: received packet: from 213.115.131.138[4500] to 192.168.20.25[4500] (204 bytes)
aug 02 08:06:11 deimos NetworkManager[949]: parsed QUICK_MODE response 2468577163  HASH SA No ID ID N((24576)) NAT-OA NAT-OA ]
aug 02 08:06:11 deimos NetworkManager[949]: no acceptable traffic selectors found
aug 02 08:06:11 deimos NetworkManager[949]: establishing connection 'nm-ipsec-l2tp-24477' failed
aug 02 08:06:11 deimos NetworkManager[949]: ** Message: strongSwan ready for action
aug 02 08:06:11 deimos NetworkManager[949]: ** Message: xl2tpd started with pid 24859
aug 02 08:06:11 deimos NetworkManager[949]: xl2tpd[24859]: setsockopt recvref[30]: Protocol not available
aug 02 08:06:11 deimos NetworkManager[949]: <info>  VPN connection 'ClearIT VPN (l2tp)' (Connect) reply received.
aug 02 08:06:11 deimos NetworkManager[949]: xl2tpd[24859]: Using l2tp kernel support.
aug 02 08:06:11 deimos NetworkManager[949]: xl2tpd[24859]: xl2tpd version xl2tpd-1.3.6 started on deimos PID:24859
aug 02 08:06:11 deimos NetworkManager[949]: xl2tpd[24859]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
aug 02 08:06:11 deimos NetworkManager[949]: xl2tpd[24859]: Forked by Scott Balmos and David Stipp, (C) 2001
aug 02 08:06:11 deimos NetworkManager[949]: xl2tpd[24859]: Inherited by Jeff McAdams, (C) 2002
aug 02 08:06:11 deimos NetworkManager[949]: xl2tpd[24859]: Forked again by Xelerance (www.xelerance.com) (C) 2006
aug 02 08:06:11 deimos NetworkManager[949]: xl2tpd[24859]: Listening on IP address 0.0.0.0, port 1701
aug 02 08:06:11 deimos NetworkManager[949]: xl2tpd[24859]: Connecting to host 213.115.131.138, port 1701
aug 02 08:06:16 deimos NetworkManager[949]: xl2tpd[24859]: Maximum retries exceeded for tunnel 36323.  Closing.
aug 02 08:06:16 deimos NetworkManager[949]: xl2tpd[24859]: Connection 0 closed to 213.115.131.138, port 1701 (Timeout)
aug 02 08:06:21 deimos NetworkManager[949]: ** (nm-l2tp-service:24477): WARNING **: pppd timeout. Looks like pppd didn't initialize our dbus module
aug 02 08:06:21 deimos NetworkManager[949]: <warn>  VPN plugin failed: unknown (7)
aug 02 08:06:21 deimos NetworkManager[949]: xl2tpd[24859]: Unable to deliver closing message for tunnel 36323. Destroying anyway.
aug 02 08:06:51 deimos NetworkManager[949]: <warn>  VPN connection 'ClearIT VPN (l2tp)' connect timeout exceeded.
aug 02 08:06:51 deimos NetworkManager[949]: (nm-l2tp-service:24477): GLib-CRITICAL **: Source ID 9 was not found when attempting to remove it
aug 02 08:06:51 deimos NetworkManager[949]: ** Message: Terminated l2tp daemon with PID 24859.
aug 02 08:06:51 deimos NetworkManager[949]: xl2tpd[24859]: death_handler: Fatal signal 15 received
aug 02 08:06:51 deimos NetworkManager[949]: ** Message: ipsec shut down
aug 02 08:06:51 deimos NetworkManager[949]: ** (nm-l2tp-service:24477): WARNING **: xl2tpd exited with error code 1
aug 02 08:06:51 deimos NetworkManager[949]: ** Message: ipsec shut down
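A journal excerpt like the one above contains one decisive strongSwan line and a tail of xl2tpd and pppd errors that only follow from it, so grepping for the last error leads in the wrong direction. As an added example that is not part of the thread, here is a small POSIX shell helper that classifies such an excerpt by negotiation phase. The sample lines are trimmed from the log above; the verdict names and message patterns are this example's own choices, not NetworkManager's.

```shell
#!/bin/sh
# Added example, not part of the thread: pick the decisive strongSwan line out of
# a NetworkManager-l2tp journal excerpt. Everything xl2tpd and pppd log after an
# IPsec failure is a consequence of it, so the last error is rarely the cause.
#
# Usage:  sudo journalctl -u NetworkManager --since "..." | sh l2tp_triage.sh --stdin
#         sh l2tp_triage.sh --demo      (runs against the constructed sample below)

# Constructed sample, trimmed from the journal in the post above: phase 1 is
# established, phase 2 is rejected, then xl2tpd and pppd time out.
sample_log() {
    cat <<'EOF'
aug 02 08:06:11 deimos NetworkManager[949]: initiating Main Mode IKE_SA nm-ipsec-l2tp-24477[1] to 213.115.131.138
aug 02 08:06:11 deimos NetworkManager[949]: IKE_SA nm-ipsec-l2tp-24477[1] established between 192.168.20.25[192.168.20.25]...213.115.131.138[213.115.131.138]
aug 02 08:06:11 deimos NetworkManager[949]: generating QUICK_MODE request 2468577163  HASH SA No ID ID NAT-OA NAT-OA ]
aug 02 08:06:11 deimos NetworkManager[949]: no acceptable traffic selectors found
aug 02 08:06:11 deimos NetworkManager[949]: establishing connection 'nm-ipsec-l2tp-24477' failed
aug 02 08:06:11 deimos NetworkManager[949]: xl2tpd[24859]: setsockopt recvref[30]: Protocol not available
aug 02 08:06:16 deimos NetworkManager[949]: xl2tpd[24859]: Maximum retries exceeded for tunnel 36323.  Closing.
aug 02 08:06:21 deimos NetworkManager[949]: ** (nm-l2tp-service:24477): WARNING **: pppd timeout. Looks like pppd didn't initialize our dbus module
EOF
}

# Read journal lines on stdin; print "<VERDICT>: <decisive message>".
#   PHASE1_FAILED  IKE_SA never established (IKE proposal, PSK or reachability)
#   PHASE2_FAILED  IKE_SA up, Quick Mode rejected (ESP proposal / traffic selectors)
#   L2TP_FAILED    IPsec up, xl2tpd got no answer on UDP 1701
#   IPSEC_OK       IKE_SA up and nothing later failed
#   UNKNOWN        no recognised strongSwan message seen
triage_log() {
    ike_up=0; verdict=UNKNOWN; detail=""
    while IFS= read -r line; do
        msg=${line#*]: }    # strip "mon dd hh:mm:ss host NetworkManager[pid]: "
        case "$msg" in
            "IKE_SA "*" established between "*)
                ike_up=1; verdict=IPSEC_OK; detail="IKE_SA established (PSK accepted)" ;;
            "no acceptable traffic selectors found"*|"no acceptable proposal found"*|"received AUTHENTICATION_FAILED"*|"received NO_PROPOSAL_CHOSEN"*|"giving up after "*" retransmits"*)
                # first real rejection wins; later ones are retries or fallout
                if [ "$verdict" = UNKNOWN ] || [ "$verdict" = IPSEC_OK ]; then
                    if [ "$ike_up" -eq 1 ]; then verdict=PHASE2_FAILED; else verdict=PHASE1_FAILED; fi
                    detail=$msg
                fi ;;
            "xl2tpd["*"Maximum retries exceeded"*)
                # only meaningful if IPsec actually came up first
                if [ "$verdict" = IPSEC_OK ]; then verdict=L2TP_FAILED; detail=$msg; fi ;;
        esac
    done
    printf '%s: %s\n' "$verdict" "$detail"
}

case "${1:-}" in
    --demo)  sample_log | triage_log ;;
    --stdin) triage_log ;;
esac
```

On the log in this post the helper reports the Quick Mode rejection as the decisive line, with the IKE_SA already established, which is what tells you the pre-shared key was accepted and the mismatch is in the phase 2 proposal or traffic selectors rather than in credentials or in xl2tpd.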
From your posted log, this seems to be the critically important error entry:

setsockopt recvref[30]: Protocol not available

Doing a Google search on that returned a number of results, you might try this one…
https://ubuntuforums.org/showthread.php?t=2211939
which leads to
https://lists.openswan.org/pipermail/users/2013-July/022546.html

which suggests setting the protocol port to “any” instead of 1701 (which is the standard L2TP port).

BTW - another search result is this
https://linuxexplore.com/how-tos/l2tp-vpn-using-xl2tpd/

Which suggests that if the first result doesn’t fix your problem, then you’re probably very close.

TSU

Thanks for the reply.

After posting I continued to Google on a few of the error messages present in the log and I also came to the conclusion that the problem is related to the port 1701. But all of your suggested solutions are on the server side, right? There’s nothing I can do on the client side.

I’m trying to connect to the VPN at my workplace. I do not have access to the VPN server to do any reconfigurations. But I can always suggest what might be wrong to the guys responsible for the company VPN. I will ask them to reconfigure the port according to the docs you gave me.

Regards, Micke.

Did you confirm this port is open in the firewalls of both your home router and local machine?

I’ve been testing this at work, where I’m behind the company firewall, and I don’t have any firewall enabled on my machine. Everyone else at work can connect to the VPN besides me; they are not running Linux, though. So the port must be open in the company firewall.

I believe I have to configure the port on the local machine, I just haven’t figured out how yet. It’s a bit confusing, too: I run KDE and have the VPN connection configured in the KDE network manager, and there you have no option to specify any ports or the like. So I guess I should add additional configuration of L2TP/IPSec in their configuration files. But it feels a bit confusing having to configure the connection in two different places.

Well, here is the problem; everything after this message is just follow-up error (older versions of the NM l2tp plugin ignored the failure and attempted to start xl2tpd anyway). Somehow the client and server do not find a common configuration. NM starts ipsec with --debug and this is not configurable. What you could do is replace the ipsec binary (actually it is a script) with a simple wrapper that replaces --debug with --debug-more and calls the real ipsec. This would give you a full dump of what’s going on and could give some clue as to what the client does not like. Alternatively you can try calling ipsec manually; the configuration NM generates is rather trivial.

ipsec.conf:

conn test
  type=transport
  authby=secret
  keyingtries=0
  left=%defaultroute
  leftprotoport=udp/l2tp
  rightprotoport=udp/l2tp
  leftid=@*GROUP_NAME_FROM_CONFIGURATION*
  right=*L2TP_KEY_GATEWAY_IP_FROM_CONFIGURATION*
  rightid=@*IPSEC_KEY_GATEWAY_ID_FROM_CONFIGURATION*
  esp=aes128-sha1,3des-sha1
  ike=aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
  keyexchange=ikev1
  pfs=*0|1 FROM CONFIGURATION*

/etc/ipsec.secrets (may be /etc/strongswan/ipsec.secrets):


%any %any : PSK *YOUR_PSK_FROM_CONFIGURATION*

Restart strongSwan or issue “ipsec rereadsecrets”.

Hopefully it provides enough information to understand the issue.
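The two client-side steps in the reply above (the --debug-more wrapper and the hand-written ipsec.conf / ipsec.secrets) can be scripted so they are easy to apply and, just as importantly, to undo. The following is an added example and not NetworkManager-l2tp's or strongSwan's own code. It assumes the strongSwan starter script lives at /usr/sbin/ipsec and its configuration under /etc/strongswan (the openSUSE layout the reply hints at); check both paths before installing anything.

```shell
#!/bin/sh
# Added example, not part of the thread: the client-side steps from the reply
# above, scripted. Assumed paths, verify on your system:
#   /usr/sbin/ipsec        strongSwan starter script (what NetworkManager calls)
#   /etc/strongswan/       ipsec.conf and ipsec.secrets on openSUSE
IPSEC_REAL=/usr/sbin/ipsec.real     # where the original script is moved to

# Rewrite an argument list, turning the fixed "--debug" into "--debug-more";
# prints one argument per line so the result is easy to inspect.
rewrite_debug_args() {
    for a in "$@"; do
        shift
        if [ "$a" = "--debug" ]; then a=--debug-more; fi
        set -- "$@" "$a"
    done
    printf '%s\n' "$@"
}

# Print the wrapper script. Install (as root, reversible):
#   mv /usr/sbin/ipsec /usr/sbin/ipsec.real
#   sh this.sh wrapper > /usr/sbin/ipsec && chmod 755 /usr/sbin/ipsec
# Move ipsec.real back once you have the trace; a package update will also
# silently overwrite the wrapper.
make_wrapper() {
    cat <<EOF
#!/bin/sh
for a in "\$@"; do shift; if [ "\$a" = "--debug" ]; then a=--debug-more; fi; set -- "\$@" "\$a"; done
exec $IPSEC_REAL "\$@"
EOF
}

# Stand-alone conn equivalent to the template in the reply. $1 gateway IP,
# $2 pfs yes|no as stored by the NM dialog. leftid/rightid are only needed if a
# group name / gateway ID was entered there, so they are left out here.
# Note: strongSwan 5 treats pfs= as deprecated; PFS is really requested by
# appending a DH group to the esp= line (e.g. aes128-sha1-modp2048).
make_ipsec_conf() {
    cat <<EOF
conn test
  type=transport
  authby=secret
  keyexchange=ikev1
  keyingtries=0
  left=%defaultroute
  leftprotoport=udp/l2tp
  right=$1
  rightprotoport=udp/l2tp
  esp=aes128-sha1,3des-sha1
  ike=aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
  pfs=$2
  auto=add
EOF
}

# Matching ipsec.secrets line; keep the file root-only (chmod 600).
make_secrets() {
    printf '%%any %%any : PSK "%s"\n' "$1"
}

case "${1:-}" in
    wrapper) make_wrapper ;;
    conf)    make_ipsec_conf "$2" "${3:-no}" ;;
    secrets) make_secrets "$2" ;;
esac
```

Typical use, as root: `sh this.sh conf 203.0.113.10 no >> /etc/strongswan/ipsec.conf`, `sh this.sh secrets 'the-psk' >> /etc/strongswan/ipsec.secrets`, then `ipsec rereadsecrets` (or `ipsec restart`) and `ipsec up test`, watching `journalctl -f` or `ipsec statusall`. With --debug-more in place the starter logs the full proposals and traffic selectors from both sides, so a "no acceptable traffic selectors found" can be matched against the `leftprotoport=udp/l2tp` the client offers; the client-side counterpart of the "any port instead of 1701" suggestion earlier in the thread is `leftprotoport=udp/%any`, but change it only if the trace shows that is what the gateway is actually asking for. Remove the test conn and the wrapper afterwards so the NetworkManager-generated configuration is the only one in play.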