Hi all,
trying to connect my wife to her office network, Corona …
She needs RDP access to her Windows workstation. I’ve got the VPN gateway’s IPv4, the IPsec preshared key, plus the gateway user and pw.
The connection should originally be established via a Raspberry Pi. The IPsec connection works fine, established. But no L2TP tunnel, timed out. No meaningful log, at least not for me.
After trying and trying I’ve switched to my openSUSE Leap 15.2 box, installed the L2TP modules, and tried. Same, timeout for L2TP. Please advise which logs might be helpful.
The third try was to connect via an Android device; my experience before was that Android VPN connections, at least for me, worked smoothly. If they’re not working, there are no logs or even a hint why not, which was the case again for my wife.
So three different, unsuccessful tries.
Got the information from my wife’s company’s external network admin (both small companies) that a Windows-to-Windows VPN connection “works with default settings”.
As I have no Windows device available for testing, could anyone tell me these mystic “default Windows settings”, or give some hints regarding VPN connecting from Linux to Windows?
Thanks,
Michael
FYI /var/log/NetworkManager diff, specific for trying to connect to VPN:
15504,15563d15503
< 2021-01-19T10:43:43.493590+01:00 myhost NetworkManager[729]: <info> [1611049423.4931] audit: op="connection-activate" uuid="1e7c7d52-a1ca-4c89-803b-b54faccc3c35" name="myvpnconnection" pid=7139 uid=1000 result="success"
< 2021-01-19T10:43:43.510276+01:00 myhost NetworkManager[729]: <info> [1611049423.5099] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: Started the VPN service, PID 20960
< 2021-01-19T10:43:43.552238+01:00 myhost NetworkManager[729]: <info> [1611049423.5516] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: Saw the service appear; activating connection
< 2021-01-19T10:43:43.668875+01:00 myhost nm-l2tp-service[20960]: Check port 1701
< 2021-01-19T10:43:43.740261+01:00 myhost NetworkManager[729]: Stopping strongSwan IPsec failed: starter is not running
< 2021-01-19T10:43:45.781580+01:00 myhost NetworkManager[729]: Starting strongSwan 5.8.2 IPsec [starter]...
< 2021-01-19T10:43:45.783612+01:00 myhost NetworkManager[729]: Loading config setup
< 2021-01-19T10:43:45.784844+01:00 myhost NetworkManager[729]: Loading conn '1e7c7d52-a1ca-4c89-803b-b54faccc3c35'
< 2021-01-19T10:43:47.218736+01:00 myhost NetworkManager[729]: initiating Main Mode IKE_SA 1e7c7d52-a1ca-4c89-803b-b54faccc3c35[1] to xxx.xxx.xxx.xxx
< 2021-01-19T10:43:47.219377+01:00 myhost NetworkManager[729]: generating ID_PROT request 0 SA V V V V V ]
< 2021-01-19T10:43:47.219846+01:00 myhost NetworkManager[729]: sending packet: from 192.168.2.8[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
< 2021-01-19T10:43:47.220290+01:00 myhost NetworkManager[729]: received packet: from xxx.xxx.xxx.xxx[500] to 192.168.2.8[500] (176 bytes)
< 2021-01-19T10:43:47.220833+01:00 myhost NetworkManager[729]: parsed ID_PROT response 0 SA V V V V V ]
< 2021-01-19T10:43:47.221321+01:00 myhost NetworkManager[729]: received strongSwan vendor ID
< 2021-01-19T10:43:47.221753+01:00 myhost NetworkManager[729]: received Cisco Unity vendor ID
< 2021-01-19T10:43:47.222184+01:00 myhost NetworkManager[729]: received XAuth vendor ID
< 2021-01-19T10:43:47.222639+01:00 myhost NetworkManager[729]: received DPD vendor ID
< 2021-01-19T10:43:47.223091+01:00 myhost NetworkManager[729]: received NAT-T (RFC 3947) vendor ID
< 2021-01-19T10:43:47.223591+01:00 myhost NetworkManager[729]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
< 2021-01-19T10:43:47.224069+01:00 myhost NetworkManager[729]: generating ID_PROT request 0 KE No NAT-D NAT-D ]
< 2021-01-19T10:43:47.224592+01:00 myhost NetworkManager[729]: sending packet: from 192.168.2.8[500] to xxx.xxx.xxx.xxx[500] (396 bytes)
< 2021-01-19T10:43:47.225170+01:00 myhost NetworkManager[729]: received packet: from xxx.xxx.xxx.xxx[500] to 192.168.2.8[500] (380 bytes)
< 2021-01-19T10:43:47.225648+01:00 myhost NetworkManager[729]: parsed ID_PROT response 0 KE No NAT-D NAT-D ]
< 2021-01-19T10:43:47.226146+01:00 myhost NetworkManager[729]: local host is behind NAT, sending keep alives
< 2021-01-19T10:43:47.226619+01:00 myhost NetworkManager[729]: generating ID_PROT request 0 ID HASH ]
< 2021-01-19T10:43:47.227093+01:00 myhost NetworkManager[729]: sending packet: from 192.168.2.8[4500] to xxx.xxx.xxx.xxx[4500] (92 bytes)
< 2021-01-19T10:43:47.227559+01:00 myhost NetworkManager[729]: received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.2.8[4500] (76 bytes)
< 2021-01-19T10:43:47.228019+01:00 myhost NetworkManager[729]: parsed ID_PROT response 0 ID HASH ]
< 2021-01-19T10:43:47.228490+01:00 myhost NetworkManager[729]: IKE_SA 1e7c7d52-a1ca-4c89-803b-b54faccc3c35[1] established between 192.168.2.8[192.168.2.8]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
< 2021-01-19T10:43:47.228959+01:00 myhost NetworkManager[729]: scheduling reauthentication in 10026s
< 2021-01-19T10:43:47.229454+01:00 myhost NetworkManager[729]: maximum IKE_SA lifetime 10566s
< 2021-01-19T10:43:47.229928+01:00 myhost NetworkManager[729]: generating QUICK_MODE request 2589582093 HASH SA No ID ID NAT-OA NAT-OA ]
< 2021-01-19T10:43:47.230398+01:00 myhost NetworkManager[729]: sending packet: from 192.168.2.8[4500] to xxx.xxx.xxx.xxx[4500] (268 bytes)
< 2021-01-19T10:43:47.230884+01:00 myhost NetworkManager[729]: received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.2.8[4500] (172 bytes)
< 2021-01-19T10:43:47.231359+01:00 myhost NetworkManager[729]: parsed QUICK_MODE response 2589582093 HASH SA No ID ID ]
< 2021-01-19T10:43:47.231837+01:00 myhost NetworkManager[729]: selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
< 2021-01-19T10:43:47.232314+01:00 myhost NetworkManager[729]: no acceptable traffic selectors found
< 2021-01-19T10:43:47.232776+01:00 myhost NetworkManager[729]: generating INFORMATIONAL_V1 request 1155004185 HASH N(NO_PROP) ]
< 2021-01-19T10:43:47.233280+01:00 myhost NetworkManager[729]: sending packet: from 192.168.2.8[4500] to xxx.xxx.xxx.xxx[4500] (92 bytes)
< 2021-01-19T10:43:47.233750+01:00 myhost NetworkManager[729]: establishing connection '1e7c7d52-a1ca-4c89-803b-b54faccc3c35' failed
< 2021-01-19T10:43:47.397833+01:00 myhost nm-l2tp-service[20960]: xl2tpd started with pid 21015
< 2021-01-19T10:43:47.400271+01:00 myhost NetworkManager[729]: xl2tpd[21015]: setsockopt recvref[30]: Protocol not available
< 2021-01-19T10:43:47.400879+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Using l2tp kernel support.
< 2021-01-19T10:43:47.401438+01:00 myhost NetworkManager[729]: xl2tpd[21015]: xl2tpd version xl2tpd-1.3.10 started on myhost.localdomain PID:21015
< 2021-01-19T10:43:47.401950+01:00 myhost NetworkManager[729]: <info> [1611049427.3999] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: state changed: starting (3)
< 2021-01-19T10:43:47.402463+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
< 2021-01-19T10:43:47.402903+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Forked by Scott Balmos and David Stipp, (C) 2001
< 2021-01-19T10:43:47.403341+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Inherited by Jeff McAdams, (C) 2002
< 2021-01-19T10:43:47.403779+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
< 2021-01-19T10:43:47.404222+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Listening on IP address 0.0.0.0, port 1701
< 2021-01-19T10:43:47.404653+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Connecting to host xxx.xxx.xxx.xxx, port 1701
< 2021-01-19T10:44:01.410756+01:00 myhost NetworkManager[729]: xl2tpd[21015]: death_handler: Fatal signal 15 received
< 2021-01-19T10:44:01.411435+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Connection 0 closed to xxx.xxx.xxx.xxx, port 1701 (Server closing)
< 2021-01-19T10:44:01.412103+01:00 myhost NetworkManager[729]: <warn> [1611049441.4117] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: failed: connect-failed (1)
< 2021-01-19T10:44:01.412791+01:00 myhost NetworkManager[729]: <warn> [1611049441.4118] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: failed: connect-failed (1)
< 2021-01-19T10:44:01.413921+01:00 myhost NetworkManager[729]: <info> [1611049441.4137] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: state changed: stopping (5)
< 2021-01-19T10:44:01.429091+01:00 myhost NetworkManager[729]: Stopping strongSwan IPsec...
< 2021-01-19T10:44:01.541137+01:00 myhost nm-l2tp-service[20960]: ipsec shut down
< 2021-01-19T10:44:01.543853+01:00 myhost NetworkManager[729]: <info> [1611049441.5435] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: state changed: stopped (6)
< 2021-01-19T10:44:01.551845+01:00 myhost NetworkManager[729]: <info> [1611049441.5515] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN service disappeared
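The journal excerpt above can be read mechanically, and doing so makes one point visible that the words "IPsec established" hide: the `IKE_SA ... established` line is IKEv1 phase 1 (main mode) only; the following `no acceptable traffic selectors found` and `N(NO_PROP)` lines are phase 2 (quick mode) failing, which means no ESP SA was ever installed for the UDP/1701 traffic that xl2tpd then sent for about 14 seconds until it received SIGTERM. In IKEv1 those traffic selectors are what `leftprotoport`/`rightprotoport` describe, which is the point of the IRC hint quoted later in the thread. The script below is an added example, not code from the thread, NetworkManager or strongSwan; it parses lines in the syslog format shown above and reports which stage got through. The embedded sample log is a trimmed, constructed copy of the excerpt with the masked gateway address `xxx.xxx.xxx.xxx` kept as posted.

```python
"""Triage a NetworkManager + strongSwan + xl2tpd journal for an L2TP/IPsec attempt.

Three stages must succeed in order: IKEv1 main mode (the IKE_SA), quick mode
(the ESP SA whose traffic selectors must cover UDP/1701), and the L2TP tunnel
that xl2tpd then runs over that port.  The script reports which stage got through.
"""
import re
import sys
from datetime import datetime

# Constructed sample: a trimmed copy of the journal excerpt posted above, with the
# masked gateway address "xxx.xxx.xxx.xxx" kept exactly as posted.
SAMPLE_LOG = """\
2021-01-19T10:43:47.223591+01:00 myhost NetworkManager[729]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2021-01-19T10:43:47.228490+01:00 myhost NetworkManager[729]: IKE_SA 1e7c7d52-a1ca-4c89-803b-b54faccc3c35[1] established between 192.168.2.8[192.168.2.8]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
2021-01-19T10:43:47.231837+01:00 myhost NetworkManager[729]: selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
2021-01-19T10:43:47.232314+01:00 myhost NetworkManager[729]: no acceptable traffic selectors found
2021-01-19T10:43:47.232776+01:00 myhost NetworkManager[729]: generating INFORMATIONAL_V1 request 1155004185 HASH N(NO_PROP) ]
2021-01-19T10:43:47.233750+01:00 myhost NetworkManager[729]: establishing connection '1e7c7d52-a1ca-4c89-803b-b54faccc3c35' failed
2021-01-19T10:43:47.404653+01:00 myhost NetworkManager[729]: xl2tpd[21015]: Connecting to host xxx.xxx.xxx.xxx, port 1701
2021-01-19T10:44:01.410756+01:00 myhost NetworkManager[729]: xl2tpd[21015]: death_handler: Fatal signal 15 received
2021-01-19T10:44:01.412103+01:00 myhost NetworkManager[729]: <warn> [1611049441.4117] vpn-connection[0x5568282744e0,1e7c7d52-a1ca-4c89-803b-b54faccc3c35,"myvpnconnection",0]: VPN plugin: failed: connect-failed (1)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")


def parse_line(line):
    """Split one syslog-style line into (timestamp, message); None if it is not one."""
    m = LINE_RE.match(line.lstrip("<> \t"))  # tolerate the "< " diff prefix used in the post
    if m is None:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("msg")


def triage(log_text):
    """Return a dict describing how far the attempt got, stage by stage."""
    r = {"ike_sa_established": False, "ike_proposal": None,                        # phase 1
         "phase2_error": None, "esp_sa_installed": False, "esp_proposal": None,     # phase 2
         "l2tp_connect_started": None, "l2tp_terminated": None, "l2tp_wait_seconds": None,
         "plugin_result": None}                                                     # NetworkManager's final word
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg.startswith("IKE_SA ") and " established between " in msg:
            r["ike_sa_established"] = True
        elif msg.startswith("selected proposal: IKE:"):
            r["ike_proposal"] = msg.split("IKE:", 1)[1]
        elif msg.startswith("selected proposal: ESP:"):
            r["esp_proposal"] = msg.split("ESP:", 1)[1]
        elif msg == "no acceptable traffic selectors found" or "N(NO_PROP)" in msg:
            r["phase2_error"] = r["phase2_error"] or msg   # keep the first, most specific reason
        elif msg.startswith("CHILD_SA ") and " established " in msg:
            r["esp_sa_installed"] = True                    # strongSwan's quick-mode success line
        elif "Connecting to host" in msg and "port 1701" in msg:
            r["l2tp_connect_started"] = ts
        elif "death_handler: Fatal signal 15" in msg:
            r["l2tp_terminated"] = ts                       # SIGTERM: the plugin gave up waiting
        elif "VPN plugin: failed: " in msg:
            r["plugin_result"] = msg.split("VPN plugin: failed: ", 1)[1]
        elif "VPN plugin: state changed: started" in msg:
            r["plugin_result"] = "started"
    if r["l2tp_connect_started"] and r["l2tp_terminated"]:
        wait = r["l2tp_terminated"] - r["l2tp_connect_started"]
        r["l2tp_wait_seconds"] = round(wait.total_seconds(), 1)
    return r


def verdict(r):
    """One-line reading of a triage result, in the order the stages must succeed."""
    if not r["ike_sa_established"]:
        return "phase 1 (IKE main mode) did not complete: check gateway address, PSK and IKE proposal"
    if not r["esp_sa_installed"]:
        why = r["phase2_error"] or "no CHILD_SA established line seen"
        return ("phase 1 up (IKE %s) but phase 2 (quick mode) failed: %s; the L2TP packets xl2tpd "
                "then sent to UDP/1701 (for %s s) had no ESP SA protecting them"
                % (r["ike_proposal"], why, r["l2tp_wait_seconds"]))
    if r["plugin_result"] != "started":
        return "IPsec up (ESP %s) but the L2TP/PPP stage failed: %s" % (r["esp_proposal"], r["plugin_result"])
    return "connection up"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for key, value in result.items():
        print("%-22s %s" % (key, value))
    print("verdict:", verdict(result))
```

Run it with no argument to see the verdict for the excerpt above, or pass a saved `/var/log/NetworkManager` slice (the `< ` diff prefixes are tolerated). Any run where `ike_sa_established` is true but `esp_sa_installed` is false means the L2TP and PPP exchange, including the MS-CHAP v2 authentication, went over the network without IPsec protection, which is the case worth catching before looking at PPP settings at all.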
Do you need PPP Echo packets sending here?
Try to establish connection without saved password.
Allow needed user or all users to use needed L2TP connection (tab “Main Parameters”).
You may temporarily install Windows 8.1 or 10 to test connection.
I had troubles with saving password for L2TP. It needs KDE Wallet, etc.
Svyatko:
Do you need PPP Echo packets sending here?
Tried with or without, no change, still connection not established.
Svyatko:
Try to establish connection without saved password.
Tried, no change …
Svyatko:
Allow needed user or all users to use needed L2TP connection (tab “Main Parameters”).
Tried, no change …
Svyatko:
You may temporarily install Windows 8.1 or 10 to test connection.
Created a Win10 VM on my Leap 15.2 box.
Added the VPN connection, same basic settings, very long user pw and PSK copied & pasted from the same file.
Connection established at once, on the first try.
I then compared option by option the Win10 Advanced VPN connection settings with my NetworkManager (NM) settings:
“Options” / “idle time until disconnect: NONE”: No idea how to set in NM
“PPP-Settings / LCP-Extensions activated = TRUE”: No idea how to set in NM
“Security” / “Data Encryption - Optional (connection also without encryption)”: No idea how to set in NM
“Accept following protocols” - only “MS-CHAP v2” is default. Set the same on NM: No change …
Any more hints or ideas would be cool
Could this behaviour maybe just be a bug??
I had troubles with saving password for L2TP. It needs KDE Wallet, etc.
Too long password with uncommon characters?
Try to connect Linux setup to another L2TP server (with another password).
Wireshark may help you: https://en.wikipedia.org/wiki/Wireshark .
tsu2
January 22, 2021, 8:12am
I’ve found and read this thread before opening my own, but as far as I understood there’s no solution in the other thread.
Asked in #suse and got this hint:
[14:34] <DarkMac> did you try setting manually the left and right proto on the client side? I mean for example to have leftprotoport=udp/l2tp rightprotoport=udp/any?
Unfortunately it’s completely unclear to me WHERE to set these option(s).
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf mentions /etc/ipsec.conf, which is completely “empty” on my Leap 15.2 (empty = only commented lines).
As the doc says, leftprotoport clauses must be set in the context of a “conn” section; how do they interact with NetworkManager connections?
Tried with a /etc/ipsec.conf like this:
# strictcrlpolicy=yes
# uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

conn %default
        leftprotoport=udp/%any
→ NOT successful
Found that my NetworkManager connections are stored in /etc/NetworkManager/system-connections, no idea if the leftprotoport can/should be added there?
Found also that, while NetworkManager tries to enable the VPN connection, I can check it with “ipsec status” or “ipsec statusall”, but got no information on whether my /etc/ipsec.conf modifications above are used.
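Both open questions in this post (did the leftprotoport/rightprotoport edit reach strongSwan, and is the IPsec side really up) are answered by `ipsec statusall` if you read the right lines: under `Connections:` the `child:` line lists the traffic selectors the loaded conn was configured with, and under `Security Associations` a `{n}` line reading `INSTALLED` plus a `... === ...` selector line appear only when quick mode succeeded; an `[n]: ESTABLISHED` line alone is just the IKE_SA. The Python below is an added example, not code from the thread, NetworkManager-l2tp or strongSwan. It assumes the conn to look at is named after the NetworkManager connection UUID, as the `Loading conn '1e7c7d52-...'` line in the journal above shows (that conn appears to be generated by nm-l2tp-service rather than read from /etc/ipsec.conf; treat that as an assumption). The two status texts are constructed samples in the shape of strongSwan 5.x `ipsec statusall` output, with the masked gateway address kept as posted.

```python
"""Read strongSwan's `ipsec statusall` for one connection and answer two questions:
which traffic selectors (leftprotoport/rightprotoport) the loaded conn actually has,
and whether an ESP SA covering UDP/1701 is installed or only the IKE_SA is up.
"""
import re
import subprocess

# The conn name nm-l2tp loads is the NetworkManager connection UUID from the journal
# ("Loading conn '1e7c7d52-...'"); assumed here to be the conn worth inspecting.
CONN = "1e7c7d52-a1ca-4c89-803b-b54faccc3c35"

# Constructed sample in the shape of strongSwan 5.x `ipsec statusall` output, in the
# state the journal shows: IKE_SA established, no CHILD_SA.
SAMPLE_ONLY_IKE = """\
Connections:
    @CONN@:  %any...xxx.xxx.xxx.xxx  IKEv1
    @CONN@:   local:  [192.168.2.8] uses pre-shared key authentication
    @CONN@:   remote: [xxx.xxx.xxx.xxx] uses pre-shared key authentication
    @CONN@:   child:  dynamic[udp/l2tp] === dynamic[udp/l2tp] TRANSPORT
Security Associations (1 up, 0 connecting):
    @CONN@[1]: ESTABLISHED 3 seconds ago, 192.168.2.8[192.168.2.8]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
    @CONN@[1]: IKEv1 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 2 hours
    @CONN@[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
""".replace("@CONN@", CONN)

# Constructed sample of the healthy case: the same plus an installed transport-mode ESP SA.
SAMPLE_WITH_ESP = SAMPLE_ONLY_IKE + """\
    @CONN@{1}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c0a80208_i c0a80209_o
    @CONN@{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
    @CONN@{1}:   192.168.2.8/32[udp/l2tp] === xxx.xxx.xxx.xxx/32[udp/l2tp]
""".replace("@CONN@", CONN)

NAME = r"(?P<conn>[^\s\[{:]+)"
CFG_CHILD_RE = re.compile(r"^\s*" + NAME + r":\s+child:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s+(?P<mode>TUNNEL|TRANSPORT|PASS|DROP)")
IKE_RE = re.compile(r"^\s*" + NAME + r"\[\d+\]:\s+(?P<state>CREATED|CONNECTING|ESTABLISHED|PASSIVE|REKEYING|REKEYED|DELETING|DESTROYING)\b")
CHILD_RE = re.compile(r"^\s*" + NAME + r"\{\d+\}:\s+(?P<state>CREATED|ROUTED|INSTALLING|INSTALLED|UPDATING|REKEYING|REKEYED|RETRYING|DELETING|DELETED|DESTROYING),\s+(?P<mode>TUNNEL|TRANSPORT)")
SA_TS_RE = re.compile(r"^\s*" + NAME + r"\{\d+\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s*$")
# one selector: <net>[<proto>/<port>], with proto and port optional (a bare net covers everything)
SEL_RE = re.compile(r"^(?P<net>[^\[]+)(?:\[(?P<proto>[a-z0-9]+)(?:/(?P<port>[a-z0-9%\-]+))?\])?$")


def parse_statusall(text, conn=CONN):
    """Collect the configured selectors and the SA states strongSwan reports for one conn."""
    info = {"configured": None, "ike_state": None, "child_state": None,
            "child_mode": None, "sa_selectors": []}
    for line in text.splitlines():
        m = CFG_CHILD_RE.match(line)
        if m and m.group("conn") == conn:
            info["configured"] = (m.group("local"), m.group("remote"), m.group("mode"))
            continue
        m = IKE_RE.match(line)
        if m and m.group("conn") == conn:
            info["ike_state"] = m.group("state")
            continue
        m = CHILD_RE.match(line)
        if m and m.group("conn") == conn:
            info["child_state"], info["child_mode"] = m.group("state"), m.group("mode")
            continue
        m = SA_TS_RE.match(line)
        if m and m.group("conn") == conn:
            info["sa_selectors"].append((m.group("local"), m.group("remote")))
    return info


def covers_l2tp(selector):
    """True if a selector such as 192.168.2.8/32[udp/l2tp] or dynamic[udp] covers UDP/1701."""
    m = SEL_RE.match(selector)
    if m is None:
        return False
    return m.group("proto") in (None, "udp", "17") and m.group("port") in (None, "l2tp", "1701")


def l2tp_protected(info):
    """True only if an installed ESP SA has selectors covering UDP/1701 at both ends."""
    if info["child_state"] != "INSTALLED":
        return False
    return any(covers_l2tp(loc) and covers_l2tp(rem) for loc, rem in info["sa_selectors"])


def check(conn=CONN, status_text=None):
    """Run `ipsec statusall` (needs root) unless text is supplied, and summarise it."""
    if status_text is None:
        status_text = subprocess.run(["ipsec", "statusall"], capture_output=True, text=True).stdout
    info = parse_statusall(status_text, conn)
    info["l2tp_protected"] = l2tp_protected(info)
    return info


if __name__ == "__main__":
    for label, sample in (("IKE only", SAMPLE_ONLY_IKE), ("with ESP", SAMPLE_WITH_ESP)):
        print(label, check(status_text=sample))
```

Run `check()` with no text while NetworkManager is in the middle of activating the connection (the window this post describes) and compare `configured` with what you put in ipsec.conf: if the `child:` selectors still show the values you did not set, the file was not the one strongSwan loaded. A result with `ike_state == "ESTABLISHED"` and `child_state is None` is exactly the journal's "phase 1 only" situation.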