
Debian 11: setting up L2TP + IPSec - IPSec fails?

0 votes
0 answers
773 views
I'm trying to configure a new VPN client (L2TP and IPSec) on a very small AWS EC2 system running Debian 11 without a desktop. I've got as far as getting NetworkManager to work, but the VPN connection doesn't start, apparently because of an error to do with IPSec. This is what I did - in one terminal window (IP addresses etc have been changed):
root@client:/run/network/interfaces.d# /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp  nm-l2tp-service (version 1.2.18) starting...
nm-l2tp   uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp   ipsec enable flag: yes
** Message: 13:01:51.414: Check port 1701
** Message: 13:01:51.414: Can't bind to port 1701
nm-l2tp   L2TP port 1701 is busy, using ephemeral.
connection
        autoconnect : false
        id : 'vpnname'
        interface-name : '--'
        permissions : []
        type : 'vpn'
        uuid : '542b35f3-fadc-4df1-b340-a68eec3a9c3f'

proxy

ipv6
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []

vpn
        data : {'gateway': '123.456.789.012', 'ipsec-enabled': 'yes', 'ipsec-psk': '0sTiFSU190ZWNobjBsMGczCg==', 'mru': '1400', 'mtu': '1400', 'password-flags': '0', 'refuse-chap': 'yes', 'refuse-mschap': 'yes', 'refuse-pap': 'yes', 'require-mppe': 'yes', 'user': 'vpntest'}
        secrets : {'password': 'vPnt35t'}
        service-type : 'org.freedesktop.NetworkManager.l2tp'

ipv4
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []

nm-l2tp   starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.9.1 IPsec [starter]...
Loading config setup
Loading conn '542b35f3-fadc-4df1-b340-a68eec3a9c3f'
nm-l2tp   Spawned ipsec up script with PID 13126.
initiating Main Mode IKE_SA 542b35f3-fadc-4df1-b340-a68eec3a9c3f to 123.456.789.012
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 111.222.333.444 to 123.456.789.012 (532 bytes)
received packet: from 123.456.789.012 to 111.222.333.444 (132 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 111.222.333.444 to 123.456.789.012 (244 bytes)
received packet: from 123.456.789.012 to 111.222.333.444 (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 111.222.333.444 to 123.456.789.012 (68 bytes)
received packet: from 123.456.789.012 to 111.222.333.444 (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 1308603116 processing failed
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 111.222.333.444 to 123.456.789.012 (68 bytes)
received packet: from 123.456.789.012 to 111.222.333.444 (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 3696528349 processing failed
nm-l2tp   Timeout trying to establish IPsec connection
nm-l2tp   Terminating ipsec script with PID 13126.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
nm-l2tp   Could not establish IPsec tunnel.

(nm-l2tp-service:13017): GLib-GIO-CRITICAL **: 13:02:04.565: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
and in another window:
root@client# nmcli c up vpnname
Error: Connection activation failed: Unknown reason
Hint: use 'journalctl -xe NM_CONNECTION=542b35f3-fadc-4df1-b340-a68eec3a9c3f + NM_DEVICE=eth0' to get more details.
Unfortunately I don't know IPSec well enough, and what I find through Google and on this site seems to be several years old and doesn't really match what I see. What do I need to change?

EDIT: So, a downvote, but no comment. It would be nice to see why; I haven't simply thrown my question in here because I couldn't be asked to try to solve it myself or carry out a search. Even after some 25 years of Linux development and sysadmin, there are still plenty of things I've never worked with. There are loads of low-quality 'solutions' to be found, which mention ipsec, l2tp and other things, usually with pictures of some GUI, but very little that addresses the command line, and most of it seems to be old and irrelevant.
Asked by j4nd3r53n (779 rep)
Jun 8, 2023, 01:26 PM
Last activity: Mar 18, 2025, 11:33 AM
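Two first checks a practitioner would run against the debug output in this question, as an added example that is not part of the original post and not nm-l2tp's or strongSwan's own code. The trace fails at the ID/HASH step of IKEv1 main mode with "invalid HASH_V1 payload length, decryption failed?"; in main mode with pre-shared keys both sides derive their encryption keys from the PSK, so this is the point where a PSK that differs between client and gateway first shows up. The script decodes an nm-l2tp "ipsec-psk" value the way ipsec.secrets syntax reads it (a "0s" prefix means base64, which is how nm-l2tp documents passing a base64 PSK; this script assumes the value reaches strongSwan unchanged and does not handle the "0x" hex form) and reports its length and whether it ends in whitespace, since `echo secret | base64` appends a newline the gateway's copy will not have. It also flags weak algorithms in the "selected proposal" line. The sample values are the ones visible in the posted output, which the poster says were altered before posting; whether either check explains this particular failure is not something the page settles.

```shell
#!/bin/sh
# Added example, not code from the original post, nm-l2tp or strongSwan.
# Runs on a plain Debian shell (needs coreutils: base64, od, wc, tail).

# psk_decode VALUE -> raw PSK bytes on stdout.
# ipsec.secrets syntax: "0s..." is base64; anything else is taken literally.
# ("0x..." hex is valid ipsec.secrets syntax too but is not handled here.)
psk_decode() {
    case "$1" in
        0s*) printf '%s' "${1#0s}" | base64 -d ;;
        *)   printf '%s' "$1" ;;
    esac
}

# psk_raw_len VALUE -> number of bytes in the decoded PSK
psk_raw_len() {
    psk_decode "$1" | wc -c | tr -d ' '
}

# psk_trailing_ws VALUE -> "yes" if the decoded PSK ends in LF, CR, space or tab,
# which is what `echo secret | base64` (without -n) produces; "no" otherwise.
psk_trailing_ws() {
    last=$(psk_decode "$1" | tail -c 1 | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a|0d|20|09) echo yes ;;
        *)           echo no ;;
    esac
}

# ike_proposal_weak "IKE:ENC/INTEG/PRF/DH" -> space-separated list of the
# components treated as weak here (DES/3DES, MD5, DH groups below 2048 bits);
# prints an empty line when none are found. The cut-offs are this script's
# choice, not a strongSwan setting.
ike_proposal_weak() {
    prop="${1#IKE:}"
    weak=""
    old_ifs=$IFS
    IFS=/
    for alg in $prop; do
        case "$alg" in
            DES_CBC|3DES_CBC|MD5*|HMAC_MD5*|PRF_HMAC_MD5|MODP_768|MODP_1024|MODP_1536)
                weak="${weak:+$weak }$alg" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$weak"
}

# Constructed sample input: the PSK value and proposal line as they appear in
# the debug output above (the poster states that secrets and addresses were
# changed before posting).
SAMPLE_PSK='0sTiFSU190ZWNobjBsMGczCg=='
SAMPLE_PROPOSAL='IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024'

echo "PSK decoded length : $(psk_raw_len "$SAMPLE_PSK") bytes"
echo "PSK trailing ws    : $(psk_trailing_ws "$SAMPLE_PSK")"
echo "weak IKE algorithms: $(ike_proposal_weak "$SAMPLE_PROPOSAL")"
```

Run it with `sh psk-check.sh`, or substitute the real `ipsec-psk` value from `nmcli -s connection show vpnname`. If the PSK reports trailing whitespace, regenerate it with `printf '%s' 'secret' | base64` (or store it unencoded) and compare byte-for-byte with what the gateway has. Two further observations from the posted run, neither of which the script can check offline: `--debug` prints the PSK and the user password in the clear, so pastes of that output need the same redaction the poster applied; and "L2TP port 1701 is busy, using ephemeral" means something else already owns UDP 1701, which `ss -lunp 'sport = :1701'` will name (on Debian this is commonly a system-wide xl2tpd that nm-l2tp does not need running).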