l2tp/strongswan/NetworkManager: no connection to a remote server

After solving a printer issue by buying a new one :wink: I am now struggling with a networking problem. My company offers access to remote folders via an L2TP VPN connection. Everything works with Windows 10 with the credentials provided. The connection needs IPsec.

Packages installed:

$ sudo zypper search -i | grep l2tp
i+ | NetworkManager-l2tp                        | NetworkManager VPN support for L2TP and L2TP/IPsec                                    | Paket    
i+ | openSUSE-2017-1312                         | Feature update adding NetworkManager-l2tp                                             | Patch    
i+ | plasma-nm5-l2tp                            | L2TP support for plasma-nm5                                                           | Paket    
i  | xl2tpd                                     | Layer 2 Tunnelling Protocol Daemon (RFC 2661)                                         | Paket 

$ sudo zypper search -i | grep swan
i+ | strongswan                                 | OpenSource IPsec-based VPN Solution                                                   | Paket    
i  | strongswan-ipsec                           | OpenSource IPsec-based VPN Solution                                                   | Paket    
i  | strongswan-libs0                           | OpenSource IPsec-based VPN Solution                                                   | Paket 

I checked for phase 1 and 2 algorithms as advised here by using ike-scan and was using the entries in the IPSec options windows in NetworkManager:

"phase 1" algorithm: 3des-md5-modp1024,3des-sha1-modp1024,aes128-sha1-modp768,aes128-sha1-modp1024
"phase 2" algorithm: aes128-sha1,3des-md5

No luck. Here is the systemd log (some data replaced by “xxx” due to privacy concerns):

16.03.18 10:38    NetworkManager    <info>  Starting VPN service 'l2tp'...
16.03.18 10:38    NetworkManager    <info>  VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 9679
16.03.18 10:38    NetworkManager    <info>  VPN service 'l2tp' appeared; activating connections
16.03.18 10:38    kdeinit5    plasma-nm: virtual NMVariantMapMap SecretAgent::GetSecrets(const NMVariantMapMap&, const QDBusObjectPath&, const QString&, const QStringList&, uint)
16.03.18 10:38    kdeinit5    plasma-nm: Path: "/org/freedesktop/NetworkManager/Settings/2"
16.03.18 10:38    kdeinit5    plasma-nm: Setting name: "vpn"
16.03.18 10:38    kdeinit5    plasma-nm: Hints: ()
16.03.18 10:38    kdeinit5    plasma-nm: Flags: 4
16.03.18 10:38    NetworkManager    ** Message: ipsec enable flag: yes
16.03.18 10:38    kdeinit5    plasma-nm: Unhandled VPN connection state change:  3
16.03.18 10:38    NetworkManager    ** Message: Check port 1701
16.03.18 10:38    NetworkManager    ** Message: starting ipsec
16.03.18 10:38    NetworkManager    Stopping strongSwan IPsec failed: starter is not running
16.03.18 10:38    ipsec_starter    Starting strongSwan 5.2.2 IPsec [starter]...
16.03.18 10:38    ipsec_starter    Loading config setup
16.03.18 10:38    ipsec_starter    Loading conn 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx'
16.03.18 10:38    NetworkManager    Starting strongSwan 5.2.2 IPsec [starter]...
16.03.18 10:38    NetworkManager    Loading config setup
16.03.18 10:38    NetworkManager    Loading conn 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx'
16.03.18 10:38    ipsec_starter    found netkey IPsec stack
16.03.18 10:38    ipsec_starter    Attempting to start charon...
16.03.18 10:38    NetworkManager    found netkey IPsec stack
16.03.18 10:38    charon    00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 4.4.114-42-default, x86_64)
16.03.18 10:38    charon    00[LIB] openssl FIPS mode(0) - disabled
16.03.18 10:38    charon    00[CFG] HA config misses local/remote address
16.03.18 10:38    charon    00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
16.03.18 10:38    charon    00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
16.03.18 10:38    charon    00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
16.03.18 10:38    charon    00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
16.03.18 10:38    charon    00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
16.03.18 10:38    charon    00[CFG] loading crls from '/etc/ipsec.d/crls'
16.03.18 10:38    charon    00[CFG] loading secrets from '/etc/ipsec.secrets'
16.03.18 10:38    charon    00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-856af385-43e3-462f-b013-xxxxxxxxxxxxx.secrets'
16.03.18 10:38    charon    00[CFG]   loaded IKE secret for %any
16.03.18 10:38    charon    00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx.secrets'
16.03.18 10:38    charon    00[CFG]   loaded IKE secret for %any
16.03.18 10:38    charon    00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
16.03.18 10:38    charon    00[CFG] loaded 0 RADIUS server configurations
16.03.18 10:38    charon    00[TNC] TNC recommendation policy is 'default'
16.03.18 10:38    charon    00[TNC] loading IMVs from '/etc/tnc_config'
16.03.18 10:38    charon    00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
16.03.18 10:38    charon    00[CFG] missing PDP server name, PDP disabled
16.03.18 10:38    charon    00[TNC] loading IMCs from '/etc/tnc_config'
16.03.18 10:38    charon    00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
16.03.18 10:38    charon    00[CFG] coupling file path unspecified
16.03.18 10:38    charon    00[LIB] loaded plugins: charon ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl soup attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
16.03.18 10:38    charon    00[LIB] unable to load 16 plugin features (13 due to unmet dependencies)
16.03.18 10:38    charon    00[LIB] dropped capabilities, running as uid 0, gid 0
16.03.18 10:38    charon    00[JOB] spawning 16 worker threads
16.03.18 10:38    ipsec_starter    charon (9708) started after 60 ms
16.03.18 10:38    charon    08[CFG] received stroke: add connection 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx'
16.03.18 10:38    charon    08[CFG] left nor right host is our side, assuming left=local
16.03.18 10:38    charon    08[CFG] added configuration 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx'
16.03.18 10:38    charon    11[CFG] rereading secrets
16.03.18 10:38    charon    11[CFG] loading secrets from '/etc/ipsec.secrets'
16.03.18 10:38    charon    11[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-856af385-43e3-462f-b013-xxxxxxxxxxxxx.secrets'
16.03.18 10:38    charon    11[CFG]   loaded IKE secret for %any
16.03.18 10:38    charon    11[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx.secrets'
16.03.18 10:38    charon    11[CFG]   loaded IKE secret for %any
16.03.18 10:38    NetworkManager    ** Message: Spawned ipsec up script with PID 9734.
16.03.18 10:38    charon    12[CFG] received stroke: initiate 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx'
16.03.18 10:38    charon    14[IKE] initiating Main Mode IKE_SA fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx[1] to 12.32.xxx.xxx
16.03.18 10:38    charon    14[IKE] initiating Main Mode IKE_SA fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx[1] to 12.32.xxx.xxx
16.03.18 10:38    charon    14[ENC] generating ID_PROT request 0 [ SA V V V V ]
16.03.18 10:38    charon    14[NET] sending packet: from 192.168.0.108[500] to 12.32.xxx.xxx[500] (316 bytes)
16.03.18 10:38    charon    07[NET] received packet: from 12.32.xxx.xxx[500] to 192.168.0.108[500] (80 bytes)
16.03.18 10:38    charon    07[ENC] parsed ID_PROT response 0 [ SA ]
16.03.18 10:38    charon    07[ENC] generating ID_PROT request 0 [ KE No ]
16.03.18 10:38    charon    07[NET] sending packet: from 192.168.0.108[500] to 12.32.xxx.xxx[500] (196 bytes)
16.03.18 10:38    charon    15[NET] received packet: from 12.32.xxx.xxx[500] to 192.168.0.108[500] (91 bytes)
16.03.18 10:38    charon    15[ENC] parsed INFORMATIONAL_V1 request 3146227473 [ N(AUTH_FAILED) ]
16.03.18 10:38    charon    15[IKE] received AUTHENTICATION_FAILED error notify
16.03.18 10:38    NetworkManager    initiating Main Mode IKE_SA fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx[1] to 12.32.xxx.xxx
16.03.18 10:38    NetworkManager    generating ID_PROT request 0 [ SA V V V V ]
16.03.18 10:38    NetworkManager    sending packet: from 192.168.0.108[500] to 12.32.xxx.xxx[500] (316 bytes)
16.03.18 10:38    NetworkManager    received packet: from 12.32.xxx.xxx[500] to 192.168.0.108[500] (80 bytes)
16.03.18 10:38    NetworkManager    parsed ID_PROT response 0 [ SA ]
16.03.18 10:38    NetworkManager    generating ID_PROT request 0 [ KE No ]
16.03.18 10:38    NetworkManager    sending packet: from 192.168.0.108[500] to 12.32.xxx.xxx[500] (196 bytes)
16.03.18 10:38    NetworkManager    received packet: from 12.32.xxx.xxx[500] to 192.168.0.108[500] (91 bytes)
16.03.18 10:38    NetworkManager    parsed INFORMATIONAL_V1 request 3146227473 [ N(AUTH_FAILED) ]
16.03.18 10:38    NetworkManager    received AUTHENTICATION_FAILED error notify
16.03.18 10:38    NetworkManager    establishing connection 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx' failed
16.03.18 10:38    NetworkManager    Stopping strongSwan IPsec...
16.03.18 10:38    charon    00[DMN] signal of type SIGINT received. Shutting down
16.03.18 10:38    ipsec_starter    child 9708 (charon) has quit (exit code 0)
16.03.18 10:38    ipsec_starter    

16.03.18 10:38    ipsec_starter    charon stopped after 200 ms
16.03.18 10:38    ipsec_starter    plugin 'kernel-netlink': loaded successfully
16.03.18 10:38    ipsec_starter    known interfaces and IP addresses:
16.03.18 10:38    ipsec_starter      lo
16.03.18 10:38    ipsec_starter        127.0.0.1
16.03.18 10:38    ipsec_starter        ::1
16.03.18 10:38    ipsec_starter      eth0
16.03.18 10:38    ipsec_starter        192.168.0.108
16.03.18 10:38    ipsec_starter        xxxx:8071:818e:1d00:xxxx:f4ff:xxxx:c7e4
16.03.18 10:38    ipsec_starter        fe80::be5f:xxxx:fe75:xxxx
16.03.18 10:38    ipsec_starter    flushing all SAD entries
16.03.18 10:38    ipsec_starter    flushing all policies from SPD
16.03.18 10:38    ipsec_starter    ipsec starter stopped
16.03.18 10:38    NetworkManager    <info>  VPN connection 'company' (Connect) reply received.
16.03.18 10:38    NetworkManager    <warn>  VPN connection 'company' failed to connect: 'Method invoked for Connect returned FALSE but did not set error'.
16.03.18 10:38    NetworkManager    <warn>  error disconnecting VPN: Could not process the request because no VPN connection was active.
16.03.18 10:38    NetworkManager    ** (nm-l2tp-service:9679): WARNING **: Could not establish IPsec tunnel.

Yes, the credentials entered in NetworkManager are triple checked.

Any ideas?

Seems to me the following from your log are the critical errors

16.03.18 10:38    NetworkManager    parsed INFORMATIONAL_V1 request 3146227473 [ N(AUTH_FAILED) ]
16.03.18 10:38    NetworkManager    received AUTHENTICATION_FAILED error notify

Authentication failed.
It’s less clear exactly what about your authentication failed because earlier in your posted logfile there were a number of non-critical errors where specific files which could have contained details/specifications how the authentication might be handled were missing. Those missing files might have been important, but maybe not.

Does your Windows connection generate a logfile (likely)?
If the VPN connection files for both Linux and Windows provided to you are the same, you could compare to see what might have been successful in your Windows connection that wasn’t found in the Linux connection.

TSU
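
Added example, not part of the original thread: a small Python parser that walks charon's `[ENC]` lines and reports how far the IKEv1 Main Mode exchange got before the peer sent an error notify. The function name `diagnose`, the stage labels and the sample lines are constructed for illustration, modelled on the log posted above.

```python
import re

# Payloads the initiator sends in each IKEv1 Main Mode request.
STAGES = [
    ({"SA"}, "msg 1: SA proposal"),
    ({"KE", "No"}, "msg 3: key exchange + nonce"),
    ({"ID", "HASH"}, "msg 5: identity + authentication hash"),
]
# Matches charon [ENC] lines; tolerates a missing "[" before the payload list.
ENC = re.compile(
    r"\[ENC\] (generating|parsed) (\S+) (request|response) \d+\s+\[?\s*(.*?)\s*\]"
)

# Constructed sample, shaped like the charon lines in this thread.
SAMPLE_LOG = """\
16.03.18 10:38    charon    14[ENC] generating ID_PROT request 0 [ SA V V V V ]
16.03.18 10:38    charon    07[ENC] parsed ID_PROT response 0 [ SA ]
16.03.18 10:38    charon    07[ENC] generating ID_PROT request 0 [ KE No ]
16.03.18 10:38    charon    15[ENC] parsed INFORMATIONAL_V1 request 3146227473 [ N(AUTH_FAILED) ]
16.03.18 10:38    charon    15[IKE] received AUTHENTICATION_FAILED error notify
"""

def diagnose(log_text):
    """Return (last_stage_sent, peer_answered_proposal, error_notifies)."""
    last_sent, proposal_ok, notifies = None, False, []
    for line in log_text.splitlines():
        m = ENC.search(line)
        if not m:
            continue
        action, exchange, _kind, payloads = m.groups()
        names = set(payloads.split())
        if exchange == "ID_PROT" and action == "generating":
            for required, label in STAGES:
                if required <= names:
                    last_sent = label
        elif exchange == "ID_PROT" and action == "parsed" and "SA" in names:
            # Peer replied with an SA payload, i.e. it selected a proposal.
            proposal_ok = True
        elif exchange == "INFORMATIONAL_V1":
            notifies += re.findall(r"N\((\w+)\)", payloads)
    return last_sent, proposal_ok, notifies

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the sample, the peer answered the SA proposal and the notify arrived after message 3, before the client had sent its ID and HASH payloads.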