IPSec strongswan “established successfully”, but no ppp0

Tags: ipsec, strongswan, ubuntu-16.04

I'm trying to connect an Ubuntu Server 16.04 to an IPSec L2TP VPN using the strongswan client.

Apparently the connection is established successfully, but the interface ppp0 isn't created.

This is the result of sudo ipsec up myconnection:

initiating Main Mode IKE_SA myconnection[2] to 116.38.129.101
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.0.104[500] to 116.38.129.101[500] (212 bytes)
received packet: from 116.38.129.101[500] to 192.168.0.104[500] (132 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.104[500] to 116.38.129.101[500] (244 bytes)
received packet: from 116.38.129.101[500] to 192.168.0.104[500] (236 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.0.104[4500] to 116.38.129.101[4500] (100 bytes)
received packet: from 116.38.129.101[4500] to 192.168.0.104[4500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA myconnection[2] established between 192.168.0.104[192.168.0.104]...116.38.129.101[116.38.129.101]
scheduling reauthentication in 10033s
maximum IKE_SA lifetime 10573s
generating QUICK_MODE request 1590491286 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.0.104[4500] to 116.38.129.101[4500] (220 bytes)
received packet: from 116.38.129.101[4500] to 192.168.0.104[4500] (188 bytes)
parsed QUICK_MODE response 1590491286 [ HASH SA No ID ID NAT-OA NAT-OA ]
connection 'myconnection' established successfully

Any hint?

Best Answer

First of all, check your Linux kernel version with uname -a and, if you have 4.14, I have bad news for you: you have a bugged kernel. 4.13 seems good, and so does 4.15, but not 4.14. See this answer in a libreswan bug report.

Anyway, you can also try Network Manager. Install the network-manager-l2tp package.

Here is an example of a valid NetworkManager VPN file that you can save as /etc/NetworkManager/system-connections/MY_DAMN_VPN:

# NetworkManager only loads this keyfile if it is owned by root with mode 0600,
# which also keeps the secrets below out of other users' reach.
[connection]
id=MY_DAMN_VPN
uuid=very-random-stuff
type=vpn

[vpn]
gateway=IP_OF_MY_DAMN_VPN
ipsec-enabled=yes
# strongswan proposal syntax; the trailing "!" makes the list strict
ipsec-esp=aes256-sha1,aes128-sha1,3des-sha1!
ipsec-ike=aes256-sha1-ecp384,aes128-sha1-ecp256,3des-sha1-modp1536!
ipsec-psk=MY_SUPER_SECRET_SHARED_PASSWORD
# 0 = NetworkManager stores the password itself (in [vpn-secrets] below)
password-flags=0
user=local-vpn
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
password=MY_SUPER_SECRET_PASSWORD

[ipv4]
dns-search=
method=auto
# do not replace the default route with the VPN
never-default=true

Then restart Network Manager and activate the VPN:

systemctl restart NetworkManager
nmcli connection up MY_DAMN_VPN

This stuff was tested on Debian GNU/Linux buster with a damn Microsoft Windows VPN server.

Good luck!

P.S.

Do not try to use OpenVPN to talk with a proprietary VPN server: OpenVPN is based on TLS technology (because it has security in mind). L2TP/IPsec does not seem to be. [1]

[1]: https://en.wikipedia.org/wiki/IPsec On Wikipedia you can read further about the NSA's interference in IPsec, with the sources cited there.
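The log in the question and the kernel check in the answer both come down to the same triage: strongswan's "established successfully" covers only the IKE_SA and the IPsec connection, while ppp0 is created by the separate L2TP/PPP layer that this output never mentions. The following POSIX sh helpers are an added example, not code from the question, the answer or the strongswan project. They classify an "ipsec up" transcript by which layer got through, flag the 4.14 kernel series the answer reports as broken, and look for a ppp interface in sysfs; the sample log is constructed from the lines quoted in the question, and the directory argument of ppp_interface_present exists only so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original question or answer): triage helpers for
# "IPsec says established, but no ppp0". Plain POSIX sh, no external tools.

# Kernel series the answer flags as broken for this setup. Pass the output of
# `uname -r`, e.g. "4.14.0-3-amd64". Returns 0 (true) only for the 4.14 series.
kernel_is_affected() {
    case "$1" in
        4.14|4.14.*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Classify "ipsec up" output read from stdin. strongswan reports only the
# IPsec layers; the ppp0 interface belongs to the L2TP/PPP layer on top.
# Prints one of:
#   none  - no IKE_SA at all (phase 1 never completed)
#   ike   - IKE_SA established, but no IPsec connection (phase 2 failed)
#   ipsec - IPsec connection established; ppp0 still depends on L2TP/PPP
ipsec_log_stage() {
    stage=none
    while IFS= read -r line; do
        case "$line" in
            *"IKE_SA "*"established between"*) [ "$stage" = none ] && stage=ike ;;
            *"established successfully"*)       stage=ipsec ;;
        esac
    done
    printf '%s\n' "$stage"
}

# Returns 0 if any ppp* interface exists under the given sysfs directory
# (default /sys/class/net). The argument is there so the check is testable.
ppp_interface_present() {
    dir="${1:-/sys/class/net}"
    for ifc in "$dir"/ppp*; do
        [ -e "$ifc" ] && return 0
    done
    return 1
}

# Human-readable verdict from a kernel release, a log stage and ppp presence.
# Returns 0 when the tunnel is actually up (ppp present), 1 otherwise.
verdict() {
    kernel=$1; stage=$2; have_ppp=$3
    if [ "$have_ppp" = yes ]; then
        echo "ppp0 present: the L2TP/PPP layer came up"
        return 0
    fi
    case "$stage" in
        none)  echo "no IKE_SA: phase 1 never completed" ;;
        ike)   echo "IKE_SA up but no IPsec connection: phase 2 failed" ;;
        ipsec) echo "IPsec is fine; the missing ppp0 is an L2TP/PPP problem, not an IPsec one" ;;
    esac
    if kernel_is_affected "$kernel"; then
        echo "kernel $kernel is the 4.14 series the answer reports as broken"
    fi
    return 1
}

# Constructed sample: the decisive lines from the question's "ipsec up" output.
SAMPLE_LOG=$(cat <<'EOF'
initiating Main Mode IKE_SA myconnection[2] to 116.38.129.101
IKE_SA myconnection[2] established between 192.168.0.104[192.168.0.104]...116.38.129.101[116.38.129.101]
generating QUICK_MODE request 1590491286 [ HASH SA No ID ID NAT-OA NAT-OA ]
connection 'myconnection' established successfully
EOF
)

# Stand-alone run: classify the sample log, then inspect the live kernel and sysfs.
stage=$(printf '%s\n' "$SAMPLE_LOG" | ipsec_log_stage)
if ppp_interface_present; then have_ppp=yes; else have_ppp=no; fi
verdict "$(uname -r)" "$stage" "$have_ppp" || true
```

Run it as-is to see the verdict for the question's log against your own machine, or pipe a fresh `sudo ipsec up myconnection` transcript into ipsec_log_stage. On the question's log the stage is "ipsec", which is exactly the case where chasing IPsec settings further is wasted effort.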