Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
2 answers
2018 views
L2TP over IPSec on Debian 10
My Debian 10 box has a Wifi interface, wlx08beac0a6c1d running a WEP AP for old hardware that doesn't support WPA. My main network is 192.168.1.0/24 and this interface is configured to be 192.168.2.1. For starters that interface is restricted to one MAC and it only allows DHCP on that network
iptables -A INPUT -i wlx08beac0a6c1d -m mac ! --mac-source 00:30:65:05:9F:4D -j DROP
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 67:68 --sport 67:68 -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -j DROP
(The MAC check is also in hostapd.conf -- where of course it is just as ineffective a security measure (although it's probably fairly effective here in Shropshire).) This device (claims to) support L2TP over IPSec. I imagine that by opening another port for this I can get this old machine to join the rest of my network through a tunnel to that port and that once connected the old machine will appear as if it is on my network. Is this so? Or have I got the wrong end of the stick? Is this now secure on the WEP network? It looks like the packages needed are strongswan and xl2tpd? It looks like IPSec is going to encrypt traffic over the WEP network, and that I'll need to open some more ports to allow the encryption to be negotiated and started? It then looks like L2TP will establish a PPP connection to another port on Debian and route all traffic through it? So the old machine will get a second IP address for this PPP connection? And how will it appear in Debian (and be routable between the rest of my network and the Internet)? So: first is strongswan...
# apt-get install strongswan
And now I really don't understand what to do. I've done what it says here https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2 and ended up with this ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn wep-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=192.168.2.31
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.2.0/24
    rightdns=192.168.2.31
    rightsendcert=never
    eap_identity=%identity
I think that _left_ is correct if you interpret it as being _this_ machine, but not sure about _right_ which presumably is some _other_ thing? Then it goes on to do something with something called _UFW_ but I am using iptables. I think I need
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 4500 -j ACCEPT
to allow connections to IPsec. Then the next part of the trick is xl2tpd...
# apt-get install xl2tpd
/etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
access control = no

[lns default]
ip range = 192.168.3.100-192.168.3.254
local ip = 192.168.3.1
refuse chap = yes
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/xl2tpd-options
length bit = yes
/etc/ppp/xl2tpd-options
require-mschap-v2
ms-dns 192.168.3.1
Add to /etc/ppp/chap-secrets. And
iptables -A INPUT -i wlx08beac0a6c1d -p udp --dport 1701 -j ACCEPT
Obviously, it doesn't work.
Richard Barraclough (550 rep)
Nov 10, 2020, 05:37 PM • Last activity: Jul 2, 2025, 12:03 PM
1 votes
1 answers
1545 views
How to make l2tp vpn client work on Linux Mint?
I set up a vpn connection according to this instruction - https://www.rapidvpn.com/setup-vpn-l2tp-mint . I establish a vpn connection to my server. The connection is established, but the pings do not go, the pages on the Internet do not open, there is no access to the local network behind the server. As if there are problems with packet routing after I receive the configuration via dhcp from a remote server. After about 60 seconds, the connection is broken. I’ll make a reservation right away, such a connection to the same server from under Windows or MacOS works without problems. I tried to change the connection to the Internet. The problem is not with the ISP. Replaced the xl2tpd plugin in the network manager with kl2tpd. The problem doesn't go away. Before reinstalling Linux, the vpn client worked. What is configured wrong on Linux Mint? Logs from the client are attached:
Apr 15 20:31:30 LenovoPC charon: 13[IKE] local host is behind NAT, sending keep alives
Apr 15 20:31:30 LenovoPC charon: 14[IKE] IKE_SA 955a0158-8008-45b4-b61b-aae634aad51b established between 192.168.1.100[192.168.1.100]...80.80.33.101[80.80.33.101]
Apr 15 20:31:30 LenovoPC charon: 15[IKE] CHILD_SA 955a0158-8008-45b4-b61b-aae634aad51b{1} established with SPIs c82f58b7_i ca6daee4_o and TS 192.168.1.100/32[udp/l2f] === 80.80.33.101/32[udp/l2f]
Apr 15 20:31:30 LenovoPC nm-l2tp-service: strongSwan IPsec connection is up.
Apr 15 20:31:30 LenovoPC pppd: Using interface ppp0
Apr 15 20:31:30 LenovoPC pppd: Connect: ppp0
Apr 15 20:31:30 LenovoPC pppd: Overriding mtu 1500 to 1400
Apr 15 20:31:30 LenovoPC pppd: Overriding mru 1500 to mtu value 1400
Apr 15 20:32:12 LenovoPC pppd: CHAP authentication succeeded
Apr 15 20:32:12 LenovoPC charon: 07[KNL] 10.100.20.1 appeared on ppp0
Apr 15 20:32:12 LenovoPC charon: 09[KNL] interface ppp0 activated
Apr 15 20:32:12 LenovoPC pppd: local IP address 10.100.20.1
Apr 15 20:32:12 LenovoPC pppd: remote IP address 80.80.33.101
Apr 15 20:32:12 LenovoPC NetworkManager: [1681583532.4651] device (ppp0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Apr 15 20:32:12 LenovoPC pppd: primary DNS address 1.1.1.1
Apr 15 20:32:12 LenovoPC pppd: secondary DNS address 8.8.8.8
Apr 15 20:32:12 LenovoPC NetworkManager: [1681583532.4662] device (ppp0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'external')
Apr 15 20:32:12 LenovoPC dbus-daemon: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.16' (uid=0 pid=917 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
Apr 15 20:32:12 LenovoPC NetworkManager: [1681583532.4861] policy: set 'VPN' (ppp0) as default for IPv4 routing and DNS
Apr 15 20:32:12 LenovoPC systemd-resolved: wlp3s0: Bus client set default route setting: no
Apr 15 20:32:12 LenovoPC systemd-resolved: wlp3s0: Bus client reset DNS server list.
Apr 15 20:32:12 LenovoPC systemd-resolved: ppp0: Bus client set default route setting: yes
Apr 15 20:32:12 LenovoPC systemd-resolved: ppp0: Bus client set DNS server list to: 1.1.1.1, 8.8.8.8
Apr 15 20:32:12 LenovoPC nm-dispatcher: /etc/network/if-up.d/resolved: 12: mystatedir: not found
Apr 15 20:32:28 LenovoPC systemd-resolved: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 8.8.8.8.
Apr 15 20:32:33 LenovoPC systemd-resolved: Using degraded feature set UDP instead of UDP+EDNS0 for DNS server 1.1.1.1.
Apr 15 20:33:10 LenovoPC NetworkManager: xl2tpd: check_control: Received out of order control packet on tunnel 56426 (got 2, expected 3)
Apr 15 20:33:10 LenovoPC NetworkManager: xl2tpd: handle_control: bad control packet!
Apr 15 20:33:12 LenovoPC NetworkManager: xl2tpd: check_control: Received out of order control packet on tunnel 56426 (got 2, expected 3)
Apr 15 20:33:12 LenovoPC NetworkManager: xl2tpd: handle_control: bad control packet!
Apr 15 20:33:16 LenovoPC NetworkManager: xl2tpd: check_control: Received out of order control packet on tunnel 56426 (got 2, expected 3)
Apr 15 20:33:16 LenovoPC NetworkManager: xl2tpd: handle_control: bad control packet!
Apr 15 20:33:40 LenovoPC NetworkManager: xl2tpd: Maximum retries exceeded for tunnel 4711. Closing.
Apr 15 20:33:40 LenovoPC NetworkManager: xl2tpd: Terminating pppd: sending TERM signal to pid 10628
Apr 15 20:33:40 LenovoPC NetworkManager: xl2tpd: Connection 56426 closed to 80.80.33.101, port 1701 (Timeout)
Apr 15 20:33:40 LenovoPC pppd: Terminating on signal 15
Apr 15 20:33:40 LenovoPC pppd: Connect time 1.5 minutes.
Slava (13 rep)
Apr 16, 2023, 06:44 AM • Last activity: Apr 18, 2023, 09:19 PM
0 votes
1 answers
1615 views
Connecting Windows 10 to IPSec/L2TP on Debian 10
Trying to get Windows 10 (192.168.1.11) to connect to IPSec/L2TP on Debian 10 (192.168.1.31). Windows firewall is off and I have added AssumeUDPEncapsulationContextOnSendRule (value 2) to the registry and rebooted. The only iptables stuff going on on 192.168.1.31 is ip masquerade for the 192.168.1.0/24 network to the Internet. I've got Debian set up as below and have configured the VPN in Windows with the username and password. However Windows will not connect; an error appears in the System part of the Event Viewer which says
> The user RWB-LAPTOP-DELL\User dialed a connection named VPN@mini31 which has failed. The error code returned on failure is 809.
*/etc/ipsec.conf*
config setup

conn wep-ap
        type=transport
        authby=secret
        pfs=no
        rekey=no
        keyingtries=1
        left=%any
        leftid=%any
        right=%any
        auto=add
        esp=aes128-sha1-modp1536
        ike=aes128-sha1-modp1536
        include /var/lib/strongswan/ipsec.conf.inc
*/etc/strongswan.conf*
charon {
    plugins {
        eap_dynamic {
            preferred = eap-mschapv2, eap-tls
        }
    }
}
*/etc/ipsec.secrets*
%any %any : PSK "password"
*/etc/ppp/chap-secrets*
laptop  *       password *
*/etc/ppp/options.xl2tpd*
noccp
auth
mtu 1410
mru 1410
nodefaultroute
proxyarp
silent
debug
ms-dns 192.168.3.31
*/etc/xl2tpd/xl2tpd.conf*
[global]                                                                ; Global parameters:
port = 1701                                                     ; * Bind to port 1701
access control = no
[lns default]                                                   ; Our fallthrough LNS definition
ip range = 192.168.3.100-192.168.3.254                          ; * But this one is okay
local ip = 192.168.3.31                         ; * Our local IP to use
name = mini31                                           ; * Report this as our hostname
pppoptfile = /etc/ppp/options.xl2tpd
In Windows: (screenshot not available) And in syslog:
mini31 # cat -n syslog | tail +3203
  3203  Nov 20 20:24:45 mini31 charon: 13[NET] received packet: from 192.168.1.11 to 192.168.1.31 (408 bytes)
  3204  Nov 20 20:24:45 mini31 charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
  3205  Nov 20 20:24:45 mini31 charon: 13[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
  3206  Nov 20 20:24:45 mini31 charon: 13[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
  3207  Nov 20 20:24:45 mini31 charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
  3208  Nov 20 20:24:45 mini31 charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
  3209  Nov 20 20:24:45 mini31 charon: 13[IKE] received FRAGMENTATION vendor ID
  3210  Nov 20 20:24:45 mini31 charon: 13[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
  3211  Nov 20 20:24:45 mini31 charon: 13[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
  3212  Nov 20 20:24:45 mini31 charon: 13[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
  3213  Nov 20 20:24:45 mini31 charon: 13[IKE] 192.168.1.11 is initiating a Main Mode IKE_SA
  3214  Nov 20 20:24:45 mini31 charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
  3215  Nov 20 20:24:45 mini31 charon: 13[ENC] generating ID_PROT response 0 [ SA V V V V ]
  3216  Nov 20 20:24:45 mini31 charon: 13[NET] sending packet: from 192.168.1.31 to 192.168.1.11 (160 bytes)
  3217  Nov 20 20:24:45 mini31 charon: 14[NET] received packet: from 192.168.1.11 to 192.168.1.31 (228 bytes)
  3218  Nov 20 20:24:45 mini31 charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
  3219  Nov 20 20:24:45 mini31 charon: 14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
  3220  Nov 20 20:24:45 mini31 charon: 14[NET] sending packet: from 192.168.1.31 to 192.168.1.11 (212 bytes)
  3221  Nov 20 20:24:45 mini31 charon: 15[NET] received packet: from 192.168.1.11 to 192.168.1.31 (76 bytes)
  3222  Nov 20 20:24:45 mini31 charon: 15[ENC] parsed ID_PROT request 0 [ ID HASH ]
  3223  Nov 20 20:24:45 mini31 charon: 15[CFG] looking for pre-shared key peer configs matching 192.168.1.31...192.168.1.11[192.168.1.11]
  3224  Nov 20 20:24:45 mini31 charon: 15[CFG] selected peer config "wep-ap"
  3225  Nov 20 20:24:45 mini31 charon: 15[IKE] IKE_SA wep-ap established between 192.168.1.31[192.168.1.31]...192.168.1.11[192.168.1.11]
  3226  Nov 20 20:24:45 mini31 charon: 15[ENC] generating ID_PROT response 0 [ ID HASH ]
  3227  Nov 20 20:24:45 mini31 charon: 15[NET] sending packet: from 192.168.1.31 to 192.168.1.11 (76 bytes)
  3228  Nov 20 20:24:45 mini31 charon: 06[NET] received packet: from 192.168.1.11 to 192.168.1.31 (316 bytes)
  3229  Nov 20 20:24:45 mini31 charon: 06[ENC] parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
  3230  Nov 20 20:24:45 mini31 charon: 06[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
  3231  Nov 20 20:24:45 mini31 charon: 06[IKE] received 3600s lifetime, configured 0s
  3232  Nov 20 20:24:45 mini31 charon: 06[IKE] received 250000000 lifebytes, configured 0
  3233  Nov 20 20:24:45 mini31 charon: 06[ENC] generating QUICK_MODE response 1 [ HASH SA No ID ID ]
  3234  Nov 20 20:24:45 mini31 charon: 06[NET] sending packet: from 192.168.1.31 to 192.168.1.11 (188 bytes)
  3235  Nov 20 20:24:45 mini31 charon: 05[NET] received packet: from 192.168.1.11 to 192.168.1.31 (60 bytes)
  3236  Nov 20 20:24:45 mini31 charon: 05[ENC] parsed QUICK_MODE request 1 [ HASH ]
  3237  Nov 20 20:24:45 mini31 charon: 05[IKE] CHILD_SA wep-ap{6} established with SPIs c2b5d044_i 1726a3e2_o and TS 192.168.1.31/32[udp/l2f] === 192.168.1.11/32[udp/l2f]
  3238  Nov 20 20:24:46 mini31 xl2tpd: control_finish: Peer requested tunnel 3 twice, ignoring second one.
  3239  Nov 20 20:24:48 mini31 xl2tpd: control_finish: Peer requested tunnel 3 twice, ignoring second one.
  3240  Nov 20 20:24:52 mini31 xl2tpd: control_finish: Peer requested tunnel 3 twice, ignoring second one.
  3241  Nov 20 20:25:00 mini31 xl2tpd: control_finish: Peer requested tunnel 3 twice, ignoring second one.
  3242  Nov 20 20:25:10 mini31 xl2tpd: control_finish: Peer requested tunnel 3 twice, ignoring second one.
  3243  Nov 20 20:25:16 mini31 xl2tpd: Maximum retries exceeded for tunnel 13486.  Closing.
  3244  Nov 20 20:25:16 mini31 xl2tpd: Connection 3 closed to 192.168.1.11, port 1701 (Timeout)
  3245  Nov 20 20:25:20 mini31 charon: 09[NET] received packet: from 192.168.1.11 to 192.168.1.31 (76 bytes)
  3246  Nov 20 20:25:20 mini31 charon: 09[ENC] parsed INFORMATIONAL_V1 request 3379181600 [ HASH D ]
  3247  Nov 20 20:25:20 mini31 charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI 1726a3e2
  3248  Nov 20 20:25:20 mini31 charon: 09[IKE] closing CHILD_SA wep-ap{6} with SPIs c2b5d044_i (696 bytes) 1726a3e2_o (0 bytes) and TS 192.168.1.31/32[udp/l2f] === 192.168.1.11/32[udp/l2f]
  3249  Nov 20 20:25:20 mini31 charon: 10[NET] received packet: from 192.168.1.11 to 192.168.1.31 (92 bytes)
  3250  Nov 20 20:25:20 mini31 charon: 10[ENC] parsed INFORMATIONAL_V1 request 309590672 [ HASH D ]
  3251  Nov 20 20:25:20 mini31 charon: 10[IKE] received DELETE for IKE_SA wep-ap
  3252  Nov 20 20:25:20 mini31 charon: 10[IKE] deleting IKE_SA wep-ap between 192.168.1.31[192.168.1.31]...192.168.1.11[192.168.1.11]
mini31 #
**Update: eap and ike** If I use
esp=aes-sha1,3des-sha1,aes128-sha1,3des-sha1,aes128-sha256,aes128-sha1-modp1536
ike=aes-sha,3des-sha,aes128-aes256-sha1-modp3072-modp2048,3des-sha1-md5-modp1024,aes128-sha1-modp1536
(How do you find out what values to use?) Then something different happens: (screenshot not available)
Nov 21 13:40:04 mini31 charon: 07[NET] received packet: from 192.168.1.11 to 192.168.1.31 (408 bytes)
Nov 21 13:40:04 mini31 charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Nov 21 13:40:04 mini31 charon: 07[IKE] no IKE config found for 192.168.1.31...192.168.1.11, sending NO_PROPOSAL_CHOSEN
Nov 21 13:40:04 mini31 charon: 07[ENC] generating INFORMATIONAL_V1 request 1021960079 [ N(NO_PROP) ]
Nov 21 13:40:04 mini31 charon: 07[NET] sending packet: from 192.168.1.31 to 192.168.1.11 (40 bytes)
Nov 21 13:40:05 mini31 charon: 08[NET] received packet: from 192.168.1.11 to 192.168.1.31 (408 bytes)
Nov 21 13:40:05 mini31 charon: 08[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Nov 21 13:40:05 mini31 charon: 08[IKE] no IKE config found for 192.168.1.31...192.168.1.11, sending NO_PROPOSAL_CHOSEN
Nov 21 13:40:05 mini31 charon: 08[ENC] generating INFORMATIONAL_V1 request 440253701 [ N(NO_PROP) ]
Nov 21 13:40:05 mini31 charon: 08[NET] sending packet: from 192.168.1.31 to 192.168.1.11 (40 bytes)
Nov 21 13:40:06 mini31 charon: 09[NET] received packet: from 192.168.1.11 to 192.168.1.31 (408 bytes)
Nov 21 13:40:06 mini31 charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Nov 21 13:40:06 mini31 charon: 09[IKE] no IKE config found for 192.168.1.31...192.168.1.11, sending NO_PROPOSAL_CHOSEN
Nov 21 13:40:06 mini31 charon: 09[ENC] generating INFORMATIONAL_V1 request 101389495 [ N(NO_PROP) ]
Nov 21 13:40:06 mini31 charon: 09[NET] sending packet: from 192.168.1.31 to 192.168.1.11 (40 bytes)
Nov 21 13:40:09 mini31 charon: 10[NET] received packet: from 192.168.1.11 to 192.168.1.31 (408 bytes)
Nov 21 13:40:09 mini31 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Nov 21 13:40:09 mini31 charon: 10[IKE] no IKE config found for 192.168.1.31...192.168.1.11, sending NO_PROPOSAL_CHOSEN
Nov 21 13:40:09 mini31 charon: 10[ENC] generating INFORMATIONAL_V1 request 171333823 [ N(NO_PROP) ]
Nov 21 13:40:09 mini31 charon: 10[NET] sending packet: from 192.168.1.31 to 192.168.1.11 (40 bytes)
**Another update** While Windows is connecting ipsec showall shows a connection, so I think the problem is with xl2tpd and in particular the "Maximum retries exceeded for tunnel... Closing" thing.
**Update again** New evidence in dmesg:
[2106321.117169] audit: type=1400 audit(1611348027.206:30): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/20839/fd/" pid=20839 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2106356.184250] audit: type=1400 audit(1611348062.273:31): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/20858/fd/" pid=20858 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
However
# aa-complain /usr/lib/ipsec/charon
made no difference.
Richard Barraclough (550 rep)
Nov 20, 2020, 08:41 PM • Last activity: Apr 2, 2021, 03:07 AM
3 votes
1 answers
2167 views
xl2tpd redial doesn't work
/etc/xl2tpd/xl2tpd.conf:
redial = yes
redial timeout = 1
autodial = yes
Version of xl2tpd: default, latest Ubuntu 14.04 (Trusty):
xl2tpd 1.3.6+dfsg-1 amd64 layer 2 tunneling protocol implementation
I'm always pinging some host like Google, default DNS - 8.8.8.8. From time to time I'm losing the connection, ping is silent and xl2tpd doesn't reconnect. Seems like xl2tpd doesn't know that the connection is broken. Is there any option to keep an internet connection alive, to keep xl2tpd redialing automatically? Now, I use a raw and dirty bash script wrapper around ping and also service xl2tpd restart to redial xl2tpd. Is there a more program (xl2tpd) friendly way?
unixlinuxuser (151 rep)
Jul 4, 2014, 11:42 AM • Last activity: Mar 23, 2021, 03:04 AM
0 votes
1 answers
4133 views
Unable to connect to company VPN using L2TP over ipsec on Fedora 32
My company gave me ip address, username, password & pre-shared key to connect to vpn using L2TP. My workstation: Fedora 32 + Gnome. Installed xl2tpd, NetworkManager-l2tp, NetworkManager-l2tp-gnome, ike-scan packages. Enabled L2TP kernel modules by commenting blacklisting lines in modprobe files: /etc/modprobe.d/l2tp_ppp-blacklist.conf & /etc/modprobe.d/l2tp_netlink-blacklist.conf. Rebooted. Created VPN connection from Gnome settings. Didn't work. Got this in logs: NO_PROPOSAL_CHOSEN. Found out I was missing Phase1 & Phase2 algorithm config in connection. Ran a script mentioned here to query VPN server for its IKEv1 algorithm proposals. Got output:
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
Based on above output, used these as Phase1 & Phase2 algorithms respectively:
3des-sha1-modp1024,3des-md5-modp1024
aes256-sha1,aes128-sha1,3des-sha1,3des-md5
Still doesn't work. Fetched this from journalctl logs:
Jun 29 19:19:40 localhost.localdomain NetworkManager: [1593438580.8130] audit: op="connection-activate" uuid="4dd9b863-c9f3-4c0a-9f41-240078fa51d1" name="RMP" pid=6295 uid=1000 result="success"
Jun 29 19:19:40 localhost.localdomain NetworkManager: [1593438580.8190] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: Started the VPN service, PID 6406
Jun 29 19:19:40 localhost.localdomain NetworkManager: [1593438580.8288] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: Saw the service appear; activating connection
Jun 29 19:19:40 localhost.localdomain NetworkManager: [1593438580.8839] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN connection: (ConnectInteractive) reply received
Jun 29 19:19:40 localhost.localdomain nm-l2tp-service: Check port 1701
Jun 29 19:19:40 localhost.localdomain NetworkManager: whack: Pluto is not running (no "/run/pluto/pluto.ctl")
Jun 29 19:19:40 localhost.localdomain NetworkManager: Redirecting to: systemctl restart ipsec.service
Jun 29 19:19:41 localhost.localdomain NetworkManager: 002 listening for IKE messages
Jun 29 19:19:41 localhost.localdomain NetworkManager: 002 forgetting secrets
Jun 29 19:19:41 localhost.localdomain NetworkManager: 002 loading secrets from "/etc/ipsec.secrets"
Jun 29 19:19:41 localhost.localdomain NetworkManager: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
Jun 29 19:19:41 localhost.localdomain NetworkManager: debugging mode enabled
Jun 29 19:19:41 localhost.localdomain NetworkManager: end of file /var/run/nm-l2tp-4dd9b863-c9f3-4c0a-9f41-240078fa51d1/ipsec.conf
Jun 29 19:19:41 localhost.localdomain NetworkManager: Loading conn 4dd9b863-c9f3-4c0a-9f41-240078fa51d1
Jun 29 19:19:41 localhost.localdomain NetworkManager: starter: left is KH_DEFAULTROUTE
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" modecfgdns=
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" modecfgdomains=
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" modecfgbanner=
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" mark=
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" mark-in=
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" mark-out=
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" vti_iface=
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" redirect-to=
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" accept-redirect-to=
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" esp=aes256-sha1,aes128-sha1,3des-sha1,3des-md5
Jun 29 19:19:41 localhost.localdomain NetworkManager: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" ike=3des-sha1-modp1024,3des-md5-modp1024
Jun 29 19:19:41 localhost.localdomain NetworkManager: opening file: /var/run/nm-l2tp-4dd9b863-c9f3-4c0a-9f41-240078fa51d1/ipsec.conf
Jun 29 19:19:41 localhost.localdomain NetworkManager: loading named conns: 4dd9b863-c9f3-4c0a-9f41-240078fa51d1
Jun 29 19:19:41 localhost.localdomain NetworkManager: seeking_src = 1, seeking_gateway = 1, has_peer = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst via 192.168.0.1 dev wlp3s0 src table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager: set nexthop: 192.168.0.1
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 192.168.0.0 via dev wlp3s0 src 192.168.0.107 table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 192.168.122.0 via dev virbr0 src 192.168.122.1 table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 192.168.0.0 via dev wlp3s0 src 192.168.0.107 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 192.168.0.107 via dev wlp3s0 src 192.168.0.107 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 192.168.0.255 via dev wlp3s0 src 192.168.0.107 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 192.168.122.0 via dev virbr0 src 192.168.122.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 192.168.122.1 via dev virbr0 src 192.168.122.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 192.168.122.255 via dev virbr0 src 192.168.122.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager: seeking_src = 1, seeking_gateway = 0, has_peer = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager: dst 192.168.0.1 via dev wlp3s0 src 192.168.0.107 table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager: set addr: 192.168.0.107
Jun 29 19:19:41 localhost.localdomain NetworkManager: seeking_src = 0, seeking_gateway = 0, has_peer = 1
Jun 29 19:19:41 localhost.localdomain nm-l2tp-service: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Jun 29 19:19:41 localhost.localdomain NetworkManager: [1593438581.3082] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN plugin: state changed: stopped (6)
Jun 29 19:19:41 localhost.localdomain NetworkManager: [1593438581.3107] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN service disappeared
Jun 29 19:19:41 localhost.localdomain NetworkManager: [1593438581.3118] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN connection: failed to connect: 'Remote peer disconnected'
Don't understand what I'm doing wrong here. Any help on resolving this is highly appreciated! I have to connect to vpn asap to resume my work. The same connection properties work in Windows without any issues. I don't even have to configure any deciphering algorithms. It just works out of the box. My company wants me to use Windows in that case and I cannot stand that OS. It brings my machine to grinding halt and thrashes on my HDD non-stop. Please help me connect to the VPN.
ShashiKanth Chill (11 rep)
Jun 29, 2020, 02:01 PM • Last activity: Jun 30, 2020, 12:54 AM
5 votes
2 answers
24481 views
IPSec over L2TP: received NO_PROPOSAL_CHOSEN error notify
Environment:
# uname -a
Linux shrimpwagon 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux
I have already installed:
# apt-get install strongswan xl2tpd
I'm trying to connect to a Meraki VPN. I spoke to a Meraki tech and he said that it looks like it is not authenticating but didn't give me much more detail:
# ipsec up L2TP-PSK
generating QUICK_MODE request 2711688330 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 10.0.0.4 to 50.123.152.194 (252 bytes)
received packet: from 50.123.152.194 to 10.0.0.4 (68 bytes)
parsed INFORMATIONAL_V1 request 2555305796 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'L2TP-PSK' failed
ipsec.conf:
config setup
    virtual_private=%v4:10.0.0.0/8
    # nat_traversal=yes
    protostack=auto
    oe=off
    plutoopts="--interface=eth0"

conn L2TP-PSK
    keyexchange=ikev1
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    phase2=ah
    phase2alg=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=secret
    aggrmode=yes
    pfs=no
    auto=add
    keyingtries=2
    # dpddelay=30
    # dpdtimeout=120
    # dpdaction=clear
    # rekey=yes
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    # leftnexthop=%defaultroute
    # leftprotoport=udp/l2tp
    right=50.123.152.194
    rightsubnet=10.2.150.0/24
ipsec.secrets:
%any %any : PSK "****"
xl2tpd.conf:
[lac vpn-connection]
lns = 50.123.152.194
;refuse chap = yes
;refuse pap = no
;require authentication = yes
;name = vpn-server
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
options.l2tpd.client:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name swelch
password ****
I have gotten most of my instructions from this site: https://www.elastichosts.com/blog/linux-l2tpipsec-vpn-client/ I did have to put it into aggressive mode, specify ikev1 and set the ike algorithms. Once I did that then I was able to start communicating to the MX. But I'm getting this error now and I am at a total loss. Thanks in advance!
shrimpwagon (427 rep)
Apr 4, 2017, 12:02 PM • Last activity: Nov 13, 2019, 11:32 AM
2 votes
1 answers
4043 views
Connected to VPN but unable to ping hosts on remote network
I have PC2 connected to a VPN (L2TP/IPsec) server I have set up on R2. I need PC2 to be able to ping PC3 and PC4, but it's not working. When I use a Windows machine to connect to the VPN I can ping hosts under R2, but that is not the case with my Linux machine (Raspbian Jessie). I believe the solution has to do with the routing table, but I have no idea what I am doing there. I know that I am connected to R2 from PC2 because when I type 192.168.1.1 into the browser I am greeted with the remote router's login screen.

Networking diagram

PC2 is 192.168.1.125 under R1, and it is 192.168.1.69 under R2. The public IP for R2 is 76.73.240.120. Here is the current routing information:

```
root@raspberrypi:/home/pi# ip route show
default dev ppp0  scope link
default via 192.168.1.1 dev wlan0  metric 303
76.73.240.120 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.125  metric 303
192.168.1.1 dev ppp0  proto kernel  scope link  src 192.168.1.69
```

What do I need to do in order to get PC2 to be able to ping the hosts under R2?
etho201 (317 rep)
Nov 20, 2016, 12:04 AM • Last activity: Jan 20, 2019, 10:02 PM
1 votes
0 answers
72 views
Why my xl2tpd doesn't redial?
I have a router that runs Debian and is used to connect to my ISP using L2TP (over a cable modem). xl2tpd is configured to redial if the connection fails (and pppd is configured to do an LCP ping all the time), but sometimes when the connection dies it just randomly sits there and doesn't attempt to reconnect. Here are some excerpts from my log and config files: https://gist.github.com/bdew/b812d2608d59ee6a7d14

Versions used: xl2tpd-1.3.6, pppd 2.4.6
bdew (141 rep)
Feb 19, 2015, 08:06 AM
1 votes
0 answers
771 views
Establish IPSEC Tunnel between two Ubuntu 12.04 PCs over LAN
I have two Ubuntu 12.04 32-bit PCs between which I want an IPsec tunnel to be set up. I have set up ipsec on both systems and `ipsec verify` runs fine on both. Since I have no prior experience with openswan, I am finding it hard to set up the config files. Here is the snippet of `ipsec.config`:

```
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combation from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn linux-to-linux
    #
    # Left security gateway, subnet behind it, nexthop toward right.
    left=192.168.58.17
    # leftsubnet=172.16.0.0/24
    # leftnexthop=10.22.33.44
    #
    # Right security gateway, subnet behind it, nexthop toward left.
    right=192.168.58.32
    # rightsubnet=192.168.0.0/24
    # rightnexthop=10.101.102.103
    #
    # To authorize this connection, but not actually start it,
    # # at startup, uncomment this.
    auto=start
```

Queries:

1. Now, based on the given topology (see image) of my network, is the above config correct for both PCs?
2. Does it have to be the same for both the left and right PCs?
3. After it is set up, how do I confirm that the secure tunnel is working? What is the best tool to check the algorithms being used and the packets' content?
4. Inside the LAN the secure IPsec tunnel is called a host-to-host tunnel, and a site-to-site connection refers to when the VPN kicks in, right?

Topology
Harsh Vardhan (151 rep)
Oct 20, 2014, 06:07 AM
4 votes
0 answers
1228 views
How to setup a l2tp VPN using strongSwan
I have found several guides to set up an L2TP VPN using openSwan, but I'd like to use strongSwan because I'm setting up an IKEv2 VPN as well, and I can't do it with openSwan. Do you know if there's a way to apply openSwan settings to strongSwan to set up an L2TP VPN? I can post the link of the guide if required. I am using Debian.
giovi321 (919 rep)
Oct 8, 2014, 02:00 PM