
Thread: VPN (ipsec/l2tp) to windows server

  1. #1

    Default VPN (ipsec/l2tp) to windows server

    Hi all,


    Trying to connect my wife to her office network (Corona ...).

    She needs RDP access to her Windows workstation. I've got the VPN gateway's IPv4 address, the IPsec preshared key, plus the gateway user and password.
    The connection was originally to be established via a Raspberry Pi. The IPsec connection works fine and is established, but there is no L2TP tunnel; it timed out. No meaningful log, at least not for me.

    After trying and trying, I switched to my openSUSE Leap 15.2 box, installed the L2TP modules, and tried again. Same result: timeout for L2TP. Please advise which logs might be helpful.

    Third try was to connect via an Android device; my earlier experience was that Android VPN connections, at least for me, worked smoothly. If they don't work, there are no logs or even a hint why not, which was the case again for my wife.

    So three different, unsuccessful tries.

    Got the information from my wife's company's external network admin (both are small companies) that a Windows-to-Windows VPN connection "works with default settings".

    As I have no Windows device available for testing, could anyone tell me what these mystic "default Windows settings" are, or give some hints regarding VPN connections from Linux to Windows?


    Thanks,
    Michael

  2. #2

    Default Re: VPN (ipsec/l2tp) to windows server

    FYI, a diff of /var/log/NetworkManager, specific to the attempt to connect to the VPN:

    Code:
    15504,15563d15503
    < 2021-01-19T10:43:43.493590+01:00 myhost NetworkManager[729]: <info>  [1611049423.4931] audit: op="connection-activate" uuid="1e7c7d52-a1ca-4c89-803b-b54faccc3c35" name="myvpnconnection" pid=7139 uid=1000 result="success"
    < 2021-01-19T10:43:43.510276+01:00 myhost NetworkManager[729]: <info>  [1611049423.5099] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: Started the VPN service, PID 20960
    < 2021-01-19T10:43:43.552238+01:00 myhost NetworkManager[729]: <info>  [1611049423.5516] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: Saw the service appear; activating connection
    < 2021-01-19T10:43:43.668875+01:00 myhost nm-l2tp-service[20960]: Check port 1701
    < 2021-01-19T10:43:43.740261+01:00 myhost NetworkManager[729]: Stopping strongSwan IPsec failed: starter is not running
    < 2021-01-19T10:43:45.781580+01:00 myhost NetworkManager[729]: Starting strongSwan 5.8.2 IPsec [starter]...
    < 2021-01-19T10:43:45.783612+01:00 myhost NetworkManager[729]: Loading config setup
    < 2021-01-19T10:43:45.784844+01:00 myhost NetworkManager[729]: Loading conn '1e7c7d52-a1ca-4c89-803b-b54faccc3c35'
    < 2021-01-19T10:43:47.218736+01:00 myhost NetworkManager[729]: initiating Main Mode IKE_SA 1e7c7d52-a1ca-4c89-803b-b54faccc3c35[1] to xxx.xxx.xxx.xxx
    < 2021-01-19T10:43:47.219377+01:00 myhost NetworkManager[729]: generating ID_PROT request 0 [ SA V V V V V ]
    < 2021-01-19T10:43:47.219846+01:00 myhost NetworkManager[729]: sending packet: from 192.168.2.8[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
    < 2021-01-19T10:43:47.220290+01:00 myhost NetworkManager[729]: received packet: from xxx.xxx.xxx.xxx[500] to 192.168.2.8[500] (176 bytes)
    < 2021-01-19T10:43:47.220833+01:00 myhost NetworkManager[729]: parsed ID_PROT response 0 [ SA V V V V V ]
    < 2021-01-19T10:43:47.221321+01:00 myhost NetworkManager[729]: received strongSwan vendor ID
    < 2021-01-19T10:43:47.221753+01:00 myhost NetworkManager[729]: received Cisco Unity vendor ID
    < 2021-01-19T10:43:47.222184+01:00 myhost NetworkManager[729]: received XAuth vendor ID
    < 2021-01-19T10:43:47.222639+01:00 myhost NetworkManager[729]: received DPD vendor ID
    < 2021-01-19T10:43:47.223091+01:00 myhost NetworkManager[729]: received NAT-T (RFC 3947) vendor ID
    < 2021-01-19T10:43:47.223591+01:00 myhost NetworkManager[729]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    < 2021-01-19T10:43:47.224069+01:00 myhost NetworkManager[729]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    < 2021-01-19T10:43:47.224592+01:00 myhost NetworkManager[729]: sending packet: from 192.168.2.8[500] to xxx.xxx.xxx.xxx[500] (396 bytes)
    < 2021-01-19T10:43:47.225170+01:00 myhost NetworkManager[729]: received packet: from xxx.xxx.xxx.xxx[500] to 192.168.2.8[500] (380 bytes)
    < 2021-01-19T10:43:47.225648+01:00 myhost NetworkManager[729]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    < 2021-01-19T10:43:47.226146+01:00 myhost NetworkManager[729]: local host is behind NAT, sending keep alives
    < 2021-01-19T10:43:47.226619+01:00 myhost NetworkManager[729]: generating ID_PROT request 0 [ ID HASH ]
    < 2021-01-19T10:43:47.227093+01:00 myhost NetworkManager[729]: sending packet: from 192.168.2.8[4500] to xxx.xxx.xxx.xxx[4500] (92 bytes)
    < 2021-01-19T10:43:47.227559+01:00 myhost NetworkManager[729]: received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.2.8[4500] (76 bytes)
    < 2021-01-19T10:43:47.228019+01:00 myhost NetworkManager[729]: parsed ID_PROT response 0 [ ID HASH ]
    < 2021-01-19T10:43:47.228490+01:00 myhost NetworkManager[729]: IKE_SA 1e7c7d52-a1ca-4c89-803b-b54faccc3c35[1] established between 192.168.2.8[192.168.2.8]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
    < 2021-01-19T10:43:47.228959+01:00 myhost NetworkManager[729]: scheduling reauthentication in 10026s
    < 2021-01-19T10:43:47.229454+01:00 myhost NetworkManager[729]: maximum IKE_SA lifetime 10566s
    < 2021-01-19T10:43:47.229928+01:00 myhost NetworkManager[729]: generating QUICK_MODE request 2589582093 [ HASH SA No ID ID NAT-OA NAT-OA ]
    < 2021-01-19T10:43:47.230398+01:00 myhost NetworkManager[729]: sending packet: from 192.168.2.8[4500] to xxx.xxx.xxx.xxx[4500] (268 bytes)
    < 2021-01-19T10:43:47.230884+01:00 myhost NetworkManager[729]: received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.2.8[4500] (172 bytes)
    < 2021-01-19T10:43:47.231359+01:00 myhost NetworkManager[729]: parsed QUICK_MODE response 2589582093 [ HASH SA No ID ID ]
    < 2021-01-19T10:43:47.231837+01:00 myhost NetworkManager[729]: selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
    < 2021-01-19T10:43:47.232314+01:00 myhost NetworkManager[729]: no acceptable traffic selectors found
    < 2021-01-19T10:43:47.232776+01:00 myhost NetworkManager[729]: generating INFORMATIONAL_V1 request 1155004185 [ HASH N(NO_PROP) ]
    < 2021-01-19T10:43:47.233280+01:00 myhost NetworkManager[729]: sending packet: from 192.168.2.8[4500] to xxx.xxx.xxx.xxx[4500] (92 bytes)
    < 2021-01-19T10:43:47.233750+01:00 myhost NetworkManager[729]: establishing connection '1e7c7d52-a1ca-4c89-803b-b54faccc3c35' failed
    < 2021-01-19T10:43:47.397833+01:00 myhost nm-l2tp-service[20960]: xl2tpd started with pid 21015
    < 2021-01-19T10:43:47.400271+01:00 myhost NetworkManager[729]: xl2tpd[21015]: setsockopt recvref[30]: Protocol not available
    < 2021-01-19T10:43:47.400879+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Using l2tp kernel support.
    < 2021-01-19T10:43:47.401438+01:00 myhost NetworkManager[729]: xl2tpd[21015]: xl2tpd version xl2tpd-1.3.10 started on myhost.localdomain PID:21015
    < 2021-01-19T10:43:47.401950+01:00 myhost NetworkManager[729]: <info>  [1611049427.3999] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: state changed: starting (3)
    < 2021-01-19T10:43:47.402463+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    < 2021-01-19T10:43:47.402903+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Forked by Scott Balmos and David Stipp, (C) 2001
    < 2021-01-19T10:43:47.403341+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Inherited by Jeff McAdams, (C) 2002
    < 2021-01-19T10:43:47.403779+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
    < 2021-01-19T10:43:47.404222+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Listening on IP address 0.0.0.0, port 1701
    < 2021-01-19T10:43:47.404653+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Connecting to host xxx.xxx.xxx.xxx, port 1701
    < 2021-01-19T10:44:01.410756+01:00 myhost NetworkManager[729]: xl2tpd[21015]: death_handler: Fatal signal 15 received
    < 2021-01-19T10:44:01.411435+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Connection 0 closed to xxx.xxx.xxx.xxx, port 1701 (Server closing)
    < 2021-01-19T10:44:01.412103+01:00 myhost NetworkManager[729]: <warn>  [1611049441.4117] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: failed: connect-failed (1)
    < 2021-01-19T10:44:01.412791+01:00 myhost NetworkManager[729]: <warn>  [1611049441.4118] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: failed: connect-failed (1)
    < 2021-01-19T10:44:01.413921+01:00 myhost NetworkManager[729]: <info>  [1611049441.4137] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: state changed: stopping (5)
    < 2021-01-19T10:44:01.429091+01:00 myhost NetworkManager[729]: Stopping strongSwan IPsec...
    < 2021-01-19T10:44:01.541137+01:00 myhost nm-l2tp-service[20960]: ipsec shut down
    < 2021-01-19T10:44:01.543853+01:00 myhost NetworkManager[729]: <info>  [1611049441.5435] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: state changed: stopped (6)
    < 2021-01-19T10:44:01.551845+01:00 myhost NetworkManager[729]: <info>  [1611049441.5515] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN service disappeared
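    The log above shows the IKE_SA (phase 1) coming up, Quick Mode (phase 2) failing with "no acceptable traffic selectors found", and xl2tpd then timing out on UDP/1701. As an added example (not from the post, NetworkManager or strongSwan), here is a small triage script that walks a log of this shape and names the first stage that failed; the sample lines are constructed in the same format with placeholder addresses, and the xl2tpd "Connection established to" marker is assumed, not taken from the post.

```python
import re

# Constructed sample in the same shape as the NetworkManager / strongSwan /
# xl2tpd log posted above; gateway address and connection name are placeholders.
SAMPLE_LOG = """\
2021-01-19T10:43:47+01:00 myhost NetworkManager[729]: initiating Main Mode IKE_SA nm-vpn[1] to 203.0.113.10
2021-01-19T10:43:47+01:00 myhost NetworkManager[729]: IKE_SA nm-vpn[1] established between 192.168.2.8[192.168.2.8]...203.0.113.10[203.0.113.10]
2021-01-19T10:43:47+01:00 myhost NetworkManager[729]: generating QUICK_MODE request 2589582093 [ HASH SA No ID ID NAT-OA NAT-OA ]
2021-01-19T10:43:47+01:00 myhost NetworkManager[729]: no acceptable traffic selectors found
2021-01-19T10:43:47+01:00 myhost NetworkManager[729]: establishing connection 'nm-vpn' failed
2021-01-19T10:43:47+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Connecting to host 203.0.113.10, port 1701
2021-01-19T10:44:01+01:00 myhost NetworkManager[729]: xl2tpd[21015]: death_handler: Fatal signal 15 received
"""

# One marker per stage of an IKEv1 L2TP/IPsec bring-up: the IKE_SA (phase 1),
# the ESP CHILD_SA negotiated in Quick Mode (phase 2), then the L2TP control
# connection. The xl2tpd "Connection established to" text is an assumption
# about xl2tpd's wording, not something that appears in the post.
MARKERS = {
    "ike_sa_established": re.compile(r"IKE_SA \S+ established between"),
    "child_sa_established": re.compile(r"CHILD_SA \S+ established"),
    "ts_mismatch": re.compile(r"no acceptable traffic selectors found"),
    "l2tp_attempt": re.compile(r"xl2tpd\[\d+\]: Connecting to host"),
    "l2tp_tunnel_up": re.compile(r"xl2tpd\[\d+\]: Connection established to"),
}


def triage(log_text: str) -> dict:
    """Flag which stages appear in the log and name the first stage that failed."""
    seen = {name: False for name in MARKERS}
    for line in log_text.splitlines():
        for name, pattern in MARKERS.items():
            if pattern.search(line):
                seen[name] = True
    if not seen["ike_sa_established"]:
        verdict = "phase1-no-ike-sa"             # PSK, proposal or reachability problem
    elif seen["ts_mismatch"]:
        verdict = "phase2-no-traffic-selectors"  # peer's Quick Mode reply did not match what we proposed
    elif not seen["child_sa_established"]:
        verdict = "phase2-no-child-sa"           # Quick Mode never produced an ESP SA
    elif seen["l2tp_attempt"] and not seen["l2tp_tunnel_up"]:
        verdict = "l2tp-no-reply"                # IPsec is up; the L2TP side itself timed out
    else:
        verdict = "ok"
    return {**seen, "verdict": verdict}
```

    Run against the posted log, the verdict is the phase 2 selector mismatch, which is why xl2tpd's later timeout on port 1701 is a symptom rather than the cause.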


  4. #4

    Default Re: VPN (ipsec/l2tp) to windows server

    1. Do you need PPP echo packets to be sent here?
    2. Try to establish the connection without a saved password.
    3. Allow the needed user or all users to use the needed L2TP connection (tab "Main Parameters").
    4. You may temporarily install Windows 8.1 or 10 to test the connection.

    I had trouble with saving the password for L2TP. It needs KDE Wallet, etc.

  5. #5

    Default Re: VPN (ipsec/l2tp) to windows server

    Quote Originally Posted by Svyatko View Post
    1. Do you need PPP Echo packets sending here?
    Tried with or without; no change, connection still not established.

    Quote Originally Posted by Svyatko View Post
    2. Try to establish connection without saved password.
    Tried, no change ...

    Quote Originally Posted by Svyatko View Post
    3. Allow needed user or all users to use needed L2TP connection (tab "Main Parameters").
    Tried, no change ...

    Quote Originally Posted by Svyatko View Post
    4. You may temporarily install Windows 8.1 or 10 to test connection.
    • Created a Win10 VM on my Leap 15.2 box.
    • Added the VPN connection with the same basic settings; the very long user password and the PSK were copied and pasted from the same file.
    • Connection established at once, on the first try.


    I then compared, option by option, the Win10 advanced VPN connection settings with my NetworkManager (NM) settings:
    • "Options" / "Idle time until disconnect: NONE": No idea how to set this in NM.
    • "PPP Settings" / "LCP extensions activated = TRUE": No idea how to set this in NM.
    • "Security" / "Data encryption - Optional (connection also without encryption)": No idea how to set this in NM.
    • "Accept following protocols": only "MS-CHAP v2" is the default. Set the same in NM: no change ...



    Any more hints or ideas would be cool.

    Could this behaviour maybe just be a bug?

  6. #6

    Default Re: VPN (ipsec/l2tp) to windows server

    Too long a password, with uncommon characters?
    Try to connect the Linux setup to another L2TP server (with another password).
    Wireshark may help you: https://en.wikipedia.org/wiki/Wireshark .

  7. #7

    Default Re: VPN (ipsec/l2tp) to windows server

    Your error is identical to the one in this old forum thread; your fix may be the same.

    https://forums.opensuse.org/showthre...Sec-VPN-server

    TSU

  8. #8

    Default Re: VPN (ipsec/l2tp) to windows server

    Quote Originally Posted by tsu2 View Post
    Your error is identical to the one in this old forum thread; your fix may be the same.
    I had found and read this thread before opening my own, but as far as I understood there's no solution in the other thread.

  9. #9

    Default Re: VPN (ipsec/l2tp) to windows server

    Asked in #suse and got this hint:

    [14:34] <DarkMac> did you try setting the left and right proto manually on the client side? I mean, for example, having leftprotoport=udp/l2tp rightprotoport=udp/any?

    Unfortunately it's completely unclear to me WHERE to set this option (or options).

    https://wiki.strongswan.org/projects...wiki/IpsecConf mentions /etc/ipsec.conf, which is completely "empty" on my Leap 15.2 (empty = only commented lines).
    As the doc says, leftprotoport clauses must be set in the context of a "conn" section; how do they interact with NetworkManager connections?

    Tried with a /etc/ipsec.conf like this:
    Code:
            # strictcrlpolicy=yes
            # uniqueids = no
    # Add connections here.
    # Sample VPN connections
    #conn sample-self-signed
    #      leftsubnet=10.1.0.0/16
    #      leftcert=selfCert.der
    #      leftsendcert=never
    #      right=192.168.0.2
    #      rightsubnet=10.2.0.0/16
    #      rightcert=peerCert.der
    #      auto=start
    #conn sample-with-ca-cert
    #      leftsubnet=10.1.0.0/16
    #      leftcert=myCert.pem
    #      right=192.168.0.2
    #      rightsubnet=10.2.0.0/16
    #      rightid="C=CH, O=Linux strongSwan CN=peer name"
    #      auto=start
    
    conn %default
       leftprotoport=udp/%any
    --> NOT successful

    Found that my NetworkManager connections are stored in /etc/NetworkManager/system-connections; no idea if leftprotoport can or should be added there.

    Found also that, while NetworkManager tries to enable the VPN connection, I can check it with "ipsec status" or "ipsec statusall", but got no information on whether my /etc/ipsec.conf modifications above are used.
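    Added example (not from the post or from strongSwan): a small parser for the ipsec.conf section layout used above, showing that "conn %default" is itself a conn section whose keys are inherited by every other conn and overridden by that conn's own keys. The sample file is constructed with placeholder names and addresses; whether NetworkManager's L2TP plugin reads /etc/ipsec.conf at all is not settled in this thread and is not something the example claims.

```python
# Constructed /etc/ipsec.conf in the shape of the attempt above: a "conn %default"
# section carrying leftprotoport, plus one named conn (gateway address and conn
# name are placeholders, not values from the thread).
SAMPLE_CONF = """\
config setup
    # strictcrlpolicy=yes

conn %default
    keyexchange=ikev1
    leftprotoport=udp/%any

conn office-l2tp
    type=transport
    left=%defaultroute
    right=203.0.113.10
    leftprotoport=udp/l2tp
    rightprotoport=udp/l2tp
    authby=secret
"""


def parse_ipsec_conf(text: str) -> dict:
    """Map (kind, name) -> {key: value}; indented lines belong to the section above them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace():                  # section header: "conn NAME" / "config setup"
            kind, _, name = line.partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections: dict, name: str) -> dict:
    """Keys from 'conn %default' apply first; the named conn's own keys override them."""
    merged = dict(sections.get(("conn", "%default"), {}))
    merged.update(sections[("conn", name)])
    return merged
```

    For the sample, office-l2tp inherits keyexchange=ikev1 from %default but its own leftprotoport=udp/l2tp wins over the %default value udp/%any.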
