vpn on leap 15.1 doesn't work (from windows 10 italian instructions)

to create a vpn connection right-click on networkmanager icon>Configure Network Connections…
click on “+” icon and add a connection

1) the instructions in Italian of my company for Windows 10 say:
“in “Centro connessioni di rete e condivisione”cliccare su Modifica impostazioni scheda”
that translated should be:
“in “Connection and sharing” click on modify board settings”
https://susepaste.org/64653584

2) “Seleziona Tipo di VPN: L2TP/IPSec e cliccare su Impostazioni avanzate”
that translated should be:
“select VPN type L2TP/IPSec and click on Advanced Settings”

so in leap 15.1 I chose “Layer 2 Tunneling Protocol (L2TP)” connection
then insert Gateway, User name, Password given in instructions,
chose store password for all users
left NT Domain empty
left Use Certificate unchecked
left CA certificate, Certificate, Private key empty
https://susepaste.org/76742077

3) the instructions for Windows 10 say (after having clicked on advanced settings):
“Riempire il campo “Usa chiave già condivisa per l’autenticazione” con “thekey” e Cliccare OK”
that translated should be:
“fill the field “use the already shared key for authentication” with “thekey” and click OK”
https://susepaste.org/78900645

in the instructions for Macintosh they call it “segreto condiviso”
that translated should be:
“shared secret”
so I supposed to insert “thekey” in IPsec settings Pre-Shared Key
https://susepaste.org/22630547

4) then the instructions say:
" Seleziona Consenti i protocolli seguenti e Microsoft CHAP versione 2 (MS-CHAPV2) e Cliccare OK"
that translated should be:
“select “allow the following protocols” and “Microsoft CHAP versione 2 (MS-CHAPV2)” and click OK”
so in leap I clicked on PPP Settings… and selected only MSCHAPv2
and left the other settings as they were
https://susepaste.org/31825063

but it doesn’t work :frowning:

From what you described,
The essential parts to get started are

  • You will be setting up a L2TP VPN.
    This means you need to install the L2TP VPN components because NM is only a configurator, and does not automatically install the needed components for your choice of VPN
    Depending on your Desktop, there may be “helper” apps… eg KDE/Plasma. The following is the software search, but you may be able to install necessary components just by using zypper or YaST Software Manager. The package names are usually descriptive, you won’t need anything that’s a daemon, but you will want to install the client package(s) appropriate for your system

https://software.opensuse.org/search?utf8=✓&baseproject=ALL&q=L2TP

  • When MS-CHAP is mentioned, that’s usually (but not necessarily) related to setting up an 802.1x VPN. I don’t know if that’s the case here. Verify from your SysAdmins you’re not setting up 802.1x and only a normal, plain L2TP VPN.

  • PSK. Pretty self-explanatory. You’re issued a “secret” password just to initiate the VPN. It may be specific to you or it may be simply to provide preliminary access when you would be issued your actual credentials later. Again, this will depend on whether you are setting up an 802.1x or regular L2TP VPN.

So,
I’d probably start with verifying with your SysAdmins that your VPN is either an 802.1x or a regular L2TP VPN, you don’t need any other things than what you describe which seems to be a shared private certificate and a password.


Don’t know if the following is helpful to you,
But I’ve set up some VPNs manually on Win10,
And your given instructions are different than what I find on English language Win10 machines. I’d be surprised if there’s that much difference between English and Italian Win10 so I wonder if perhaps your procedure is incorrect.

My steps…
Create an “empty” VPN connection by following the normal guided steps, do not click on any options in the left navigation panel like what you describe. The result will be a VPN bound to a specific hardware network adapter with default settings which I never pay attention to.
Once your VPN is created, <now> you can display your network adapters (One way is one of the links you describe, but not a “board”). There are many ways to browse the File Explorer or through Settings or the Control Panel, but the end result is that you want all your network adapters displayed which will include any wired ethernet, wireless, and VPN connections (and rarely other types as well).
Now you can rt-click on your newly created VPN adapter and click “properties” to access the advanced settings, modify as required and it “just works.”

If you have a spare Win10 machine,
You can follow my steps to verify what you have works (Everything you describe can be configured except for the shared certificate, which is a sign you may not be setting up an ordinary L2TP).

And, once you’ve set up successfully, you should be able to apply the same principles and parts to setting up NM on your openSUSE.

TSU

I see L2TP/IPsec is using openswan/xl2tpd under the hood.

Your description of what you did is very clear, but in this case I would also want to see some log on why it does not work and looking for that I stumbled on:

https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup#Troubleshooting

That section also gives a hint on a possible work-around, “refuse-chap”, but first check if the log indeed shows these kind of messages.

I tried to connect and took this log from /var/log/NetworkManager, or could you please tell me how to get a more useful log?

2020-05-23T13:13:07.959855+02:00 pla4ST NetworkManager[1083]: <info>  [1590232387.9596] device (wlan1): set-hw-addr: set MAC address to 8E:1A:14:36:3A:42 (scanning)
2020-05-23T13:13:07.991706+02:00 pla4ST NetworkManager[1083]: <info>  [1590232387.9914] device (wlan1): supplicant interface state: inactive -> disconnected
2020-05-23T13:13:07.997111+02:00 pla4ST NetworkManager[1083]: <info>  [1590232387.9969] device (wlan1): supplicant interface state: disconnected -> inactive
2020-05-23T13:17:18.570023+02:00 pla4ST NetworkManager[1083]: <info>  [1590232638.5697] audit: op="connection-activate" uuid="607fba76-3bf0-447e-acce-82a5c544296a" name="VPN_ENEA pla" pid=1647 uid=1000 result="success"
2020-05-23T13:17:18.578847+02:00 pla4ST NetworkManager[1083]: <info>  [1590232638.5785] vpn-connection[0x563e04416430,607fba76-3bf0-447e-acce-82a5c544296a,"VPN_ENEA pla",0]: Started the VPN service, PID 7387
2020-05-23T13:17:18.596477+02:00 pla4ST NetworkManager[1083]: <info>  [1590232638.5963] vpn-connection[0x563e04416430,607fba76-3bf0-447e-acce-82a5c544296a,"VPN_ENEA pla",0]: Saw the service appear; activating connection
2020-05-23T13:17:18.614958+02:00 pla4ST nm-l2tp-service[7387]: Check port 1701
2020-05-23T13:17:18.627329+02:00 pla4ST NetworkManager[1083]: Stopping strongSwan IPsec failed: starter is not running
2020-05-23T13:17:20.648367+02:00 pla4ST NetworkManager[1083]: Starting strongSwan 5.8.2 IPsec [starter]...
2020-05-23T13:17:20.648724+02:00 pla4ST NetworkManager[1083]: Loading config setup
2020-05-23T13:17:20.649031+02:00 pla4ST NetworkManager[1083]: Loading conn '607fba76-3bf0-447e-acce-82a5c544296a'
2020-05-23T13:17:21.707275+02:00 pla4ST NetworkManager[1083]: initiating Main Mode IKE_SA 607fba76-3bf0-447e-acce-82a5c544296a[1] to 192.107.100.236
2020-05-23T13:17:21.707426+02:00 pla4ST NetworkManager[1083]: generating ID_PROT request 0  SA V V V V V ]
2020-05-23T13:17:21.707567+02:00 pla4ST NetworkManager[1083]: sending packet: from 192.168.1.11[500] to 192.107.100.236[500] (204 bytes)
2020-05-23T13:17:21.707701+02:00 pla4ST NetworkManager[1083]: received packet: from 192.107.100.236[500] to 192.168.1.11[500] (56 bytes)
2020-05-23T13:17:21.707831+02:00 pla4ST NetworkManager[1083]: parsed INFORMATIONAL_V1 request 2460868336  N(NO_PROP) ]
2020-05-23T13:17:21.707960+02:00 pla4ST NetworkManager[1083]: received NO_PROPOSAL_CHOSEN error notify
2020-05-23T13:17:21.708089+02:00 pla4ST NetworkManager[1083]: establishing connection '607fba76-3bf0-447e-acce-82a5c544296a' failed
2020-05-23T13:17:21.948632+02:00 pla4ST NetworkManager[1083]: Stopping strongSwan IPsec...
2020-05-23T13:17:22.053068+02:00 pla4ST nm-l2tp-service[7387]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
2020-05-23T13:17:22.053826+02:00 pla4ST NetworkManager[1083]: <info>  [1590232642.0537] vpn-connection[0x563e04416430,607fba76-3bf0-447e-acce-82a5c544296a,"VPN_ENEA pla",0]: VPN plugin: state changed: stopped (6)
2020-05-23T13:17:22.055599+02:00 pla4ST NetworkManager[1083]: <info>  [1590232642.0555] vpn-connection[0x563e04416430,607fba76-3bf0-447e-acce-82a5c544296a,"VPN_ENEA pla",0]: VPN service disappeared
2020-05-23T13:17:22.056266+02:00 pla4ST NetworkManager[1083]: <warn>  [1590232642.0561] vpn-connection[0x563e04416430,607fba76-3bf0-447e-acce-82a5c544296a,"VPN_ENEA pla",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

many thanks tsu :slight_smile: yes, I’m using KDE plasma standard for leap 15.1, before starting to set up the vpn I had already installed this software using yast:
https://susepaste.org/4112271
are they enough?

Hi tsu :slight_smile: I also set up the vpn connections following the instructions and it worked, in the thread I omitted some parts of the instructions that seemed obvious to me so as not to be too dispersive and to focus on what I had doubts about or didn’t understand, but yes, your instructions are the same I followed

I did, but it doesn’t work, maybe for

(Everything you describe can be configured except for the shared certificate, which is a sign you may not be setting up an ordinary L2TP)

I don’t know how to verify it, I’ll try to ask the sysadmins but in this coronavirus time it’s not so easy :wink:

If you were able to setup on a Win10 as I described, then you’re setting up an ordinary L2TP, but my instructions don’t include the private certificate you described. I’d want to know then what that certificate is for, whether it’s essential to set up or not.

I would recommend trying to set up your L2TP client in YaST first, that looks easiest to me first.

https://doc.opensuse.org/documentation/leap/security/html/book.security/cha-security-vpnserver.html#sec-security-yastvpn

Should that not work, I’d recommend setting up in NM.

Interesting, it's been a bit since I’ve set up a new VPN in NM, I see changes.
Changes should not affect functionality, will have to think about whether the changes are truly useful or not.

TSU

tried:
but without success, connecting to the site where the vpn should give me access I don’t get it.

first warning:

ipsec.conf and ipsec.secrets have been manipulated outside of this module. Continue using the module will remove your customisation.

second warning:

Both VPN gateway and clients require special SuSE firewall configuration. SuSE firewall is not enabled, therefore you must manually run the configuration script on every reboot. The script will be run now. The script is located at /etc/YaST2/vpn_firewall_rules

after all gives me the daemon status:

● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2020-05-23 16:32:03 CEST; 1min 56s ago
Process: 19142 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
Main PID: 19125 (charon-systemd)
Status: “charon-systemd running, strongSwan 5.8.2, Linux 4.12.14-lp151.28.48-default, x86_64”
Tasks: 17
CGroup: /system.slice/strongswan.service
└─19125 /usr/sbin/charon-systemd

mag 23 16:32:03 pla4ST.homenet.telecomitalia.it swanctl[19142]: opening directory ‘/etc/swanctl/ecdsa’ failed: No such file or directory
mag 23 16:32:03 pla4ST.homenet.telecomitalia.it swanctl[19142]: opening directory ‘/etc/swanctl/bliss’ failed: No such file or directory
mag 23 16:32:03 pla4ST.homenet.telecomitalia.it swanctl[19142]: opening directory ‘/etc/swanctl/pkcs8’ failed: No such file or directory
mag 23 16:32:03 pla4ST.homenet.telecomitalia.it swanctl[19142]: opening directory ‘/etc/swanctl/pkcs12’ failed: No such file or directory
mag 23 16:32:03 pla4ST.homenet.telecomitalia.it swanctl[19142]: no authorities found, 0 unloaded
mag 23 16:32:03 pla4ST.homenet.telecomitalia.it swanctl[19142]: no pools found, 0 unloaded
mag 23 16:32:03 pla4ST.homenet.telecomitalia.it swanctl[19142]: no connections found, 0 unloaded
mag 23 16:32:03 pla4ST.homenet.telecomitalia.it systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
mag 23 16:32:56 pla4ST.homenet.telecomitalia.it charon-systemd[19125]: interface wlan1 deactivated
mag 23 16:32:56 pla4ST.homenet.telecomitalia.it charon-systemd[19125]: interface wlan1 activated

view connection status gives this:

● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2020-05-23 16:38:13 CEST; 3min 26s ago
Process: 20511 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
Main PID: 20494 (charon-systemd)
Status: “charon-systemd running, strongSwan 5.8.2, Linux 4.12.14-lp151.28.48-default, x86_64”
Tasks: 17
CGroup: /system.slice/strongswan.service
└─20494 /usr/sbin/charon-systemd

mag 23 16:38:13 pla4ST.homenet.telecomitalia.it swanctl[20511]: opening directory ‘/etc/swanctl/private’ failed: No such file or directory
mag 23 16:38:13 pla4ST.homenet.telecomitalia.it swanctl[20511]: opening directory ‘/etc/swanctl/rsa’ failed: No such file or directory
mag 23 16:38:13 pla4ST.homenet.telecomitalia.it swanctl[20511]: opening directory ‘/etc/swanctl/ecdsa’ failed: No such file or directory
mag 23 16:38:13 pla4ST.homenet.telecomitalia.it swanctl[20511]: opening directory ‘/etc/swanctl/bliss’ failed: No such file or directory
mag 23 16:38:13 pla4ST.homenet.telecomitalia.it swanctl[20511]: opening directory ‘/etc/swanctl/pkcs8’ failed: No such file or directory
mag 23 16:38:13 pla4ST.homenet.telecomitalia.it swanctl[20511]: opening directory ‘/etc/swanctl/pkcs12’ failed: No such file or directory
mag 23 16:38:13 pla4ST.homenet.telecomitalia.it swanctl[20511]: no authorities found, 0 unloaded
mag 23 16:38:13 pla4ST.homenet.telecomitalia.it swanctl[20511]: no pools found, 0 unloaded
mag 23 16:38:13 pla4ST.homenet.telecomitalia.it swanctl[20511]: no connections found, 0 unloaded
mag 23 16:38:13 pla4ST.homenet.telecomitalia.it systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.

The relevant part of the log is:

-23T13:17:20.648367+02:00 pla4ST NetworkManager[1083]: Starting strongSwan 5.8.2 IPsec [starter]...
2020-05-23T13:17:20.648724+02:00 pla4ST NetworkManager[1083]: Loading config setup
2020-05-23T13:17:20.649031+02:00 pla4ST NetworkManager[1083]: Loading conn '607fba76-3bf0-447e-acce-82a5c544296a'
2020-05-23T13:17:21.707275+02:00 pla4ST NetworkManager[1083]: initiating Main Mode IKE_SA 607fba76-3bf0-447e-acce-82a5c544296a[1] to 192.107.100.236
2020-05-23T13:17:21.707426+02:00 pla4ST NetworkManager[1083]: generating ID_PROT request 0  SA V V V V V ]
2020-05-23T13:17:21.707567+02:00 pla4ST NetworkManager[1083]: sending packet: from 192.168.1.11[500] to 192.107.100.236[500] (204 bytes)
2020-05-23T13:17:21.707701+02:00 pla4ST NetworkManager[1083]: received packet: from 192.107.100.236[500] to 192.168.1.11[500] (56 bytes)
2020-05-23T13:17:21.707831+02:00 pla4ST NetworkManager[1083]: parsed INFORMATIONAL_V1 request 2460868336  N(NO_PROP) ]
2020-05-23T13:17:21.707960+02:00 pla4ST NetworkManager[1083]: received NO_PROPOSAL_CHOSEN error notify
2020-05-23T13:17:21.708089+02:00 pla4ST NetworkManager[1083]: establishing connection '607fba76-3bf0-447e-acce-82a5c544296a' failed
2020-05-23T13:17:21.948632+02:00 pla4ST NetworkManager[1083]: Stopping strongSwan IPsec...

The problem seems to be that the crypto suite proposal by your machine (see /etc/ipsec.conf) is not supported by the remote VPN.

To find out which crypto suite the remote VPN supports, following https://unix.stackexchange.com/questions/355848/ipsec-over-l2tp-received-no-proposal-chosen-error-notify, you could try to install ike-scan and try:

sudo ipsec stop; sudo service xl2tpd stop; sudo ike-scan YOUR.GATEWAY.IP

To install ike-scan, see https://software.opensuse.org//download.html?project=security&package=ike-scan

I tried but this is the response:

pla@pla4ST:~> sudo ipsec stop; sudo service xl2tpd stop; sudo ike-scan mygateway.vpnserver
[sudo] password for root: 
Stopping strongSwan IPsec failed: starter is not running
ERROR: Could not bind network socket to local port 500
Only one process may bind to the source port at any one time.
ERROR: bind: Address already in use
pla@pla4ST:~> 

and this is my /etc/ipsec.conf

conn VPN_ENEA_pla_presharedkey
    auto = start
    keyexchange = ikev2
    left = %defaultroute
    leftauth = psk
    leftsourceip = %config
    right = mygateway.vpnserver
    rightsubnet = 0.0.0.0/0
    rightauth = psk
    fragmentation = yes
    dpdtimeout = 600
    dpddelay = 60
    dpdaction = restart
    closeaction = restart
    keyingtries = %forever
    forceencaps = yes
    # strictcrlpolicy=yes
    # uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start
#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

The first reported problem can be ignored I think, stopping a service that is not running.

The second reported problem means we have to figure out what is using port 500, so


> sudo ss -tulpn | grep :500
udp   UNCONN 0      0                 0.0.0.0:500        0.0.0.0:*    users:(("charon-systemd",pid=1202,fd=15))
udp   UNCONN 0      0                       *:500              *:*    users:(("charon-systemd",pid=1202,fd=13))
> sudo ls -l /proc/1202/exe
lrwxrwxrwx 1 root root 0 May 30 20:56 /proc/1202/exe -> /usr/sbin/charon-system

Never heard about charon-system but a search popped up https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd

Reading there, it is coupled to a systemd service called strongswan so you can stop that service using:

> sudo systemctl stop strongswan

Please try again ike-scan after doing this.

Hi marel many thanks :slight_smile:
here is the result:

pla@pla4ST:~> sudo systemctl stop strongswan
[sudo] password for root: 
pla@pla4ST:~> sudo ipsec stop; sudo service xl2tpd stop; sudo ike-scan mygateway.vpnserver
Stopping strongSwan IPsec failed: starter is not running
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.107.100.236 Main Mode Handshake returned HDR=(CKY-R=bfb39facaf91cd3b) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080) VID=1e2b516905991c7d7c96fcbfb587e46100000009 (MS NT5 ISAKMPOAKLEY) VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02) VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation) VID=fb1de3cdf341b7ea16b7e5be0855f120 VID=e3a5966a76379fe707228231e5ce8652

Ending ike-scan 1.9: 1 hosts scanned in 0.024 seconds (41.27 hosts/sec).  1 returned handshake; 0 returned notify
pla@pla4ST:~> 

you were right, now it works :slight_smile: but I cannot understand the result… is it useful to solve?

Yes, it is useful although I do not immediately understand all the information returned, but I recognized some things and I know you can operate a search engine efficiently.

Let's first reformat things:


HDR=(CKY-R=bfb39facaf91cd3b)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
VID=1e2b516905991c7d7c96fcbfb587e46100000009 (MS NT5 ISAKMPOAKLEY)
VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02)
VID=4048b7d56ebce88525e7de7f00d6c2d3 (IKE Fragmentation)
VID=fb1de3cdf341b7ea16b7e5be0855f120
VID=e3a5966a76379fe707228231e5ce8652

The SA line seems most interesting to me as it lists an encryption and a hashing protocol. Searching for “IKE SA” I see on https://en.wikipedia.org/wiki/Internet_Key_Exchange that SA means Security Association.

Back to the link that I posted earlier, I more or less know what to do, and that is changing keys in the config according to what you can find in the SA line and maybe the first VID line; how exactly would require more digging.
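As an added example (not code from this thread or from the openSUSE/strongSwan projects), the following Python turns the ike-scan handshake line quoted above into the proposal notation strongSwan's ipsec.conf uses and flags the legacy algorithms the gateway accepted. It assumes the field names ike-scan printed above; the AES/SHA2 spellings and the hypothetical conn name are assumptions.

```python
"""Map an ike-scan Main Mode handshake line to a strongSwan IKEv1 proposal
and flag the legacy algorithms in it (defensive config check)."""
import re

# Constructed sample: the handshake line quoted in the thread, trimmed to
# the SA block and the first vendor ID.
IKE_SCAN_LINE = (
    "192.107.100.236 Main Mode Handshake returned HDR=(CKY-R=bfb39facaf91cd3b) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration(4)=0x00007080) "
    "VID=1e2b516905991c7d7c96fcbfb587e46100000009 (MS NT5 ISAKMPOAKLEY)"
)

# Algorithms worth a warning: 64-bit block cipher, broken/deprecated hashes,
# small Diffie-Hellman groups.
LEGACY = {
    "des": "56-bit key, broken",
    "3des": "64-bit block cipher, weak on long-lived tunnels",
    "md5": "broken hash",
    "sha1": "deprecated hash",
    "modp768": "DH group too small",
    "modp1024": "1024-bit DH group, considered too small",
}


def _sa_fields(line):
    """key=value pairs from the SA=(...) block. The block itself contains
    parentheses (LifeDuration(4)=...), so stop only at a ')' that is followed
    by a VID field or the end of the line."""
    m = re.search(r"SA=\((.*?)\)(?=\s+VID=|\s*$)", line)
    if not m:
        raise ValueError("no SA block in ike-scan output")
    fields = {}
    for tok in m.group(1).split():
        key, _, val = tok.partition("=")
        fields[key] = val
    return fields


def _enc_name(fields):
    enc = fields["Enc"].lower()
    if enc == "aes":  # assumed: ike-scan reports AES size as KeyLength=...
        return "aes" + fields.get("KeyLength", "128")
    return enc


def _hash_name(fields):
    # assumed spelling for SHA-2, e.g. SHA2-256 -> sha256
    return fields["Hash"].lower().replace("sha2-", "sha")


def parse_ike_scan(line):
    """Return the proposal the gateway accepted, in strongSwan notation."""
    f = _sa_fields(line)
    group = f["Group"].split(":")[-1].lower()  # "2:modp1024" -> "modp1024"
    proposal = "-".join([_enc_name(f), _hash_name(f), group])
    lifetime = None
    if f.get("LifeType") == "Seconds":
        lifetime = int(f.get("LifeDuration(4)", "0"), 16)  # 0x7080 = 28800 s
    weak = {a: why for a, why in LEGACY.items() if a in proposal.split("-")}
    return {
        "ikev1_main_mode": "Main Mode Handshake returned" in line,
        "ike": proposal,
        "auth": f.get("Auth", "").lower(),
        "ikelifetime_seconds": lifetime,
        "weak": weak,
    }


def strongswan_conn(name, gateway, result):
    """Render a minimal conn block matching what the gateway accepted."""
    if not result["ikev1_main_mode"]:
        raise ValueError("gateway did not answer an IKEv1 Main Mode probe")
    lines = [
        f"conn {name}",
        "    keyexchange=ikev1",
        f"    ike={result['ike']}!",  # trailing '!' = offer only this proposal
        "    authby=secret" if result["auth"] == "psk" else "    authby=pubkey",
        f"    right={gateway}",
    ]
    if result["ikelifetime_seconds"]:
        lines.append(f"    ikelifetime={result['ikelifetime_seconds']}s")
    return "\n".join(lines)


if __name__ == "__main__":
    r = parse_ike_scan(IKE_SCAN_LINE)
    print(strongswan_conn("L2TP-PSK", "mygateway.vpnserver", r))  # hypothetical name
    for alg, why in r["weak"].items():
        print(f"warning: gateway requires {alg}: {why}")
```

For the thread's gateway the script prints an ike=3des-sha1-modp1024! line and three warnings, which is why a matching client config is a compatibility fix rather than a strong one.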

Congrats on the progress you guys made.
I’m guessing a bit, but it’s likely the charon service is implemented so as to be able to start up the ipsec VPN on bootup.

If you prefer to start your VPN manually, I’d recommend disabling the service and connecting as you are now doing.
Disabling a systemd service is easy…

systemctl disable *systemd-Unit* 

The conflict using ike-scan can be expected, not only is it a manual ipsec scanner, it appears to be a useful standalone tool that’s not part of the ipsec projects (AFAIK).

If you want to implement the charon service, the specific configuration files that should be modified are in the reference link. I assume if you inspect the configuration file, you’ll find the encryption mismatch which caused your original problem.

TSU

Hi :slight_smile: in your link I’m investigating what to change and I will post what I’ll do :slight_smile: :

but in the meantime I found this link and I also found in the Italian instructions a specific setting for old Windows versions where it is said to refuse CHAP, I unchecked it in the PPP settings in networkmanager but maybe it isn’t enough, so I’m trying to follow these instructions:

then you are authenticating against a SonicWALL LNS that does not know how to handle CHAP-style authentication correctly.

The solution to this is to add the following to your options.l2tp.client file:

   refuse-chap

This will cause the SonicWALL to default to the next authentication mechanism, namely MSCHAP-v2. This should authenticate successfully, and from this point xl2tpd should successfully construct a tunnel between you and the remote L2TP server.

I supposed that the file is this:

/etc/xl2tpd/xl2tpd.conf

and supposing that “;” is a comment marker and that simply

refuse-chap

should be modified in

refuse chap = yes

I changed this

require chap = yes

in this:

;require chap = yes

and added this

refuse chap = yes

so the result is this:

;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.
;
; The idea is to provide an L2TP daemon to which remote Windows L2TP/IPsec
; clients connect. In this example, the internal (protected) network 
; is 192.168.1.0/24.  A special IP range within this network is reserved
; for the remote clients: 192.168.1.128/25
; (i.e. 192.168.1.128 ... 192.168.1.254)
;
; The listen-addr parameter can be used if you want to bind the L2TP daemon
; to a specific IP address instead of to all interfaces. For instance,
; you could bind it to the interface of the internal LAN (e.g. 192.168.1.98
; in the example below). Yet another IP address (local ip, e.g. 192.168.1.99)
; will be used by xl2tpd as its address on pppX interfaces.

[global]
; listen-addr = 192.168.1.98
;
; requires openswan-2.5.18 or higher - Also does not yet work in combination
; with kernel mode l2tp as present in linux 2.6.23+
; ipsec saref = yes
; Use refinfo of 22 if using an SAref kernel patch based on openswan 2.6.35 or
;  when using any of the SAref kernel patches for kernels up to 2.6.35.
; saref refinfo = 30
;
; force userspace = yes
;
; debug tunnel = yes

[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
;require chap = yes
refuse chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes


do you think I supposed correctly and the changes are ok?

in the link you posted I found this /etc/ipsec.config

config setup
    virtual_private=%v4:10.0.0.0/8
#   nat_traversal=yes
    protostack=auto
    oe=off
    plutoopts="--interface=eth0"

conn L2TP-PSK
    keyexchange=ikev1
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    phase2=ah
    phase2alg=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=secret
    aggrmode=yes
    pfs=no
    auto=add
    keyingtries=2
#   dpddelay=30
#   dpdtimeout=120
#   dpdaction=clear
#   rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
#   leftnexthop=%defaultroute
#   leftprotoport=udp/l2tp
    right=50.123.152.194
    rightsubnet=10.2.150.0/24

that is quite different from mine:

conn VPN_ENEA_pla_presharedkey
    auto = start
    keyexchange = ikev2
    left = %defaultroute
    leftauth = psk
    leftsourceip = %config
    right = mygateway.vpnserver
    rightsubnet = 0.0.0.0/0
    rightauth = psk
    fragmentation = yes
    dpdtimeout = 600
    dpddelay = 60
    dpdaction = restart
    closeaction = restart
    keyingtries = %forever
    forceencaps = yes
    # strictcrlpolicy=yes
    # uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start
#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

what do I have to change?

and /etc/ipsec.secrets seems ok

mygateway.vpnserver : PSK "myprivatekey"

# Following line was added by NetworkManager-l2tp
include /etc/ipsec.d/*.secrets


and I cannot find “options.l2tpd.client” file, not in /etc and not in /etc/xl2tpd/

Sorry, I am really not into IPSEC / this type of VPN, but maybe I can give some relevant pointers.

On your question where/how to disable chap I found L2tp-ipsec-configuration-using-openswan-and-xl2tpd and there I see “require chap = yes” so I guess you have to create a file with “require chap = no”

Do you know what equipment resides on the other side? Based on “VID=1e2b516905991c7d7c96fcbfb587e46100000009 (MS NT5 ISAKMPOAKLEY)” I think it is a Microsoft product, but it would be good to know which, that makes searching for a solution/example easier. The Openswan github site has some examples.

There was, and I think still is, a mismatch between Strongswan V5-8-2 and the YaST applet (previous versions of Strongswan are fine). Essentially they changed the service name in V5-8-2 and the YaST VPN configuration applet does not reflect this change. See this thread:

https://forums.opensuse.org/showthread.php/540006-IPsec-VPN-broken-with-Strongswan-V5-8-2