Fedora 31/32 - IPSec/L2TP problem using strongswan/libreswan

Hi guys,

I’m trying to connect to my client's VPN using L2TP (using SharedSecret). I’ve tried using libreswan and strongswan (because of the latest changes to libreswan with modp1024) and I can’t figure out what is wrong. Here are the logs from NetworkManager using strongswan:

maj 21 09:49:29 pc-76.home NetworkManager[1221]: <info>  [1590047369.4124] audit: op="connection-add" uuid="e8ece6a2-2688-4971-ac04-651f53e6cb62" name="VPN 1" pid=107472 uid=1000 result="success"
maj 21 09:49:31 pc-76.home NetworkManager[1221]: <info>  [1590047371.0648] audit: op="connection-activate" uuid="e8ece6a2-2688-4971-ac04-651f53e6cb62" name="VPN 1" pid=107472 uid=1000 result="success"
maj 21 09:49:31 pc-76.home NetworkManager[1221]: <info>  [1590047371.0735] vpn-connection[0x562c9c0340a0,e8ece6a2-2688-4971-ac04-651f53e6cb62,"VPN 1",0]: Started the VPN service, PID 107565
maj 21 09:49:31 pc-76.home NetworkManager[1221]: <info>  [1590047371.0965] vpn-connection[0x562c9c0340a0,e8ece6a2-2688-4971-ac04-651f53e6cb62,"VPN 1",0]: Saw the service appear; activating connection
maj 21 09:49:31 pc-76.home NetworkManager[1221]: <info>  [1590047371.1509] vpn-connection[0x562c9c0340a0,e8ece6a2-2688-4971-ac04-651f53e6cb62,"VPN 1",0]: VPN connection: (ConnectInteractive) reply received
maj 21 09:49:31 pc-76.home nm-l2tp-service[107565]: Check port 1701
maj 21 09:49:31 pc-76.home nm-l2tp-service[107565]: Can't bind to port 1701
maj 21 09:49:31 pc-76.home NetworkManager[107583]: Stopping strongSwan IPsec failed: starter is not running
maj 21 09:49:33 pc-76.home NetworkManager[107580]: Starting strongSwan 5.8.4 IPsec [starter]...
maj 21 09:49:33 pc-76.home NetworkManager[107580]: Loading config setup
maj 21 09:49:33 pc-76.home NetworkManager[107580]: Loading conn 'e8ece6a2-2688-4971-ac04-651f53e6cb62'
maj 21 09:49:33 pc-76.home ipsec_starter[107580]: Starting strongSwan 5.8.4 IPsec [starter]...
maj 21 09:49:33 pc-76.home ipsec_starter[107580]: Loading config setup
maj 21 09:49:33 pc-76.home ipsec_starter[107580]: Loading conn 'e8ece6a2-2688-4971-ac04-651f53e6cb62'
maj 21 09:49:33 pc-76.home ipsec_starter[107592]: Attempting to start charon...
maj 21 09:49:33 pc-76.home charon[107593]: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.4, Linux 5.6.13-300.fc32.x86_64, x86_64)
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] PKCS11 module '<name>' lacks library path
maj 21 09:49:33 pc-76.home charon[107593]: 00[LIB] openssl FIPS mode(2) - enabled
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.d/ipsec.nm-l2tp.secrets'
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG]   loaded IKE secret for %any
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] read 0 triplets from /etc/strongswan/ipsec.d/triplets.dat
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] loaded 0 RADIUS server configurations
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] HA config misses local/remote address
maj 21 09:49:33 pc-76.home charon[107593]: 00[CFG] no script for ext-auth script defined, disabled
maj 21 09:49:33 pc-76.home charon[107593]: 00[LIB] loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm drbg newhope cur>
maj 21 09:49:33 pc-76.home charon[107593]: 00[JOB] spawning 16 worker threads
maj 21 09:49:33 pc-76.home ipsec_starter[107592]: charon (107593) started after 60 ms
maj 21 09:49:33 pc-76.home charon[107593]: 06[CFG] received stroke: add connection 'e8ece6a2-2688-4971-ac04-651f53e6cb62'
maj 21 09:49:33 pc-76.home charon[107593]: 06[CFG] added configuration 'e8ece6a2-2688-4971-ac04-651f53e6cb62'
maj 21 09:49:34 pc-76.home charon[107593]: 07[CFG] rereading secrets
maj 21 09:49:34 pc-76.home charon[107593]: 07[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
maj 21 09:49:34 pc-76.home charon[107593]: 07[CFG] loading secrets from '/etc/strongswan/ipsec.d/ipsec.nm-l2tp.secrets'
maj 21 09:49:34 pc-76.home charon[107593]: 07[CFG]   loaded IKE secret for %any
maj 21 09:49:34 pc-76.home charon[107593]: 09[CFG] received stroke: initiate 'e8ece6a2-2688-4971-ac04-651f53e6cb62'
maj 21 09:49:34 pc-76.home charon[107593]: 11[IKE] initiating Main Mode IKE_SA e8ece6a2-2688-4971-ac04-651f53e6cb62[1] to 46.140.117.114
maj 21 09:49:34 pc-76.home charon[107593]: 11[IKE] initiating Main Mode IKE_SA e8ece6a2-2688-4971-ac04-651f53e6cb62[1] to 46.140.117.114
maj 21 09:49:34 pc-76.home charon[107593]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
maj 21 09:49:34 pc-76.home charon[107593]: 11[NET] sending packet: from 192.168.1.18[500] to 46.140.117.114[500] (532 bytes)
maj 21 09:49:34 pc-76.home charon[107593]: 12[NET] received packet: from 46.140.117.114[500] to 192.168.1.18[500] (200 bytes)
maj 21 09:49:34 pc-76.home charon[107593]: 12[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
maj 21 09:49:34 pc-76.home charon[107593]: 12[IKE] received NAT-T (RFC 3947) vendor ID
maj 21 09:49:34 pc-76.home charon[107593]: 12[IKE] received DPD vendor ID
maj 21 09:49:34 pc-76.home charon[107593]: 12[IKE] received XAuth vendor ID
maj 21 09:49:34 pc-76.home charon[107593]: 12[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
maj 21 09:49:34 pc-76.home charon[107593]: 12[IKE] received FRAGMENTATION vendor ID
maj 21 09:49:34 pc-76.home charon[107593]: 12[IKE] received FRAGMENTATION vendor ID
maj 21 09:49:34 pc-76.home charon[107593]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
maj 21 09:49:34 pc-76.home charon[107593]: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
maj 21 09:49:34 pc-76.home charon[107593]: 12[NET] sending packet: from 192.168.1.18[500] to 46.140.117.114[500] (396 bytes)
maj 21 09:49:34 pc-76.home charon[107593]: 13[NET] received packet: from 46.140.117.114[500] to 192.168.1.18[500] (380 bytes)
maj 21 09:49:34 pc-76.home charon[107593]: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
maj 21 09:49:34 pc-76.home charon[107593]: 13[IKE] local host is behind NAT, sending keep alives
maj 21 09:49:34 pc-76.home charon[107593]: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
maj 21 09:49:34 pc-76.home charon[107593]: 13[NET] sending packet: from 192.168.1.18[4500] to 46.140.117.114[4500] (92 bytes)
maj 21 09:49:34 pc-76.home charon[107593]: 14[NET] received packet: from 46.140.117.114[4500] to 192.168.1.18[4500] (92 bytes)
maj 21 09:49:34 pc-76.home charon[107593]: 14[ENC] parsed ID_PROT response 0 [ ID HASH ]
maj 21 09:49:34 pc-76.home charon[107593]: 14[IKE] IKE_SA e8ece6a2-2688-4971-ac04-651f53e6cb62[1] established between 192.168.1.18[192.168.1.18]...46.140.117.114[46.140.117.114]
maj 21 09:49:34 pc-76.home charon[107593]: 14[IKE] IKE_SA e8ece6a2-2688-4971-ac04-651f53e6cb62[1] established between 192.168.1.18[192.168.1.18]...46.140.117.114[46.140.117.114]
maj 21 09:49:34 pc-76.home charon[107593]: 14[IKE] scheduling reauthentication in 10215s
maj 21 09:49:34 pc-76.home charon[107593]: 14[IKE] maximum IKE_SA lifetime 10755s
maj 21 09:49:34 pc-76.home charon[107593]: 14[ENC] generating QUICK_MODE request 124745516 [ HASH SA No ID ID NAT-OA NAT-OA ]
maj 21 09:49:34 pc-76.home charon[107593]: 14[NET] sending packet: from 192.168.1.18[4500] to 46.140.117.114[4500] (268 bytes)
maj 21 09:49:34 pc-76.home charon[107593]: 15[NET] received packet: from 46.140.117.114[4500] to 192.168.1.18[4500] (92 bytes)
maj 21 09:49:34 pc-76.home charon[107593]: 15[IKE] queueing TRANSACTION request as tasks still active
maj 21 09:49:36 pc-76.home charon[107593]: 01[NET] received packet: from 46.140.117.114[4500] to 192.168.1.18[4500] (92 bytes)
maj 21 09:49:36 pc-76.home charon[107593]: 01[IKE] ignoring TRANSACTION request, queue full
maj 21 09:49:38 pc-76.home charon[107593]: 07[IKE] sending retransmit 1 of request message ID 124745516, seq 4
maj 21 09:49:38 pc-76.home charon[107593]: 07[NET] sending packet: from 192.168.1.18[4500] to 46.140.117.114[4500] (268 bytes)
maj 21 09:49:39 pc-76.home charon[107593]: 10[NET] received packet: from 46.140.117.114[4500] to 192.168.1.18[4500] (108 bytes)
maj 21 09:49:39 pc-76.home charon[107593]: 10[ENC] parsed INFORMATIONAL_V1 request 3603991470 [ HASH N(DPD) ]
maj 21 09:49:40 pc-76.home charon[107593]: 11[NET] received packet: from 46.140.117.114[4500] to 192.168.1.18[4500] (92 bytes)
maj 21 09:49:40 pc-76.home charon[107593]: 11[IKE] ignoring TRANSACTION request, queue full
maj 21 09:49:44 pc-76.home NetworkManager[107624]: Stopping strongSwan IPsec...
maj 21 09:49:44 pc-76.home charon[107593]: 00[DMN] signal of type SIGINT received. Shutting down
maj 21 09:49:44 pc-76.home NetworkManager[107621]: initiating Main Mode IKE_SA e8ece6a2-2688-4971-ac04-651f53e6cb62[1] to 46.140.117.114
maj 21 09:49:44 pc-76.home NetworkManager[107621]: generating ID_PROT request 0 [ SA V V V V V ]
maj 21 09:49:44 pc-76.home NetworkManager[107621]: sending packet: from 192.168.1.18[500] to 46.140.117.114[500] (532 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received packet: from 46.140.117.114[500] to 192.168.1.18[500] (200 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: parsed ID_PROT response 0 [ SA V V V V V V ]
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received NAT-T (RFC 3947) vendor ID
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received DPD vendor ID
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received XAuth vendor ID
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received FRAGMENTATION vendor ID
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received FRAGMENTATION vendor ID
maj 21 09:49:44 pc-76.home NetworkManager[107621]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
maj 21 09:49:44 pc-76.home NetworkManager[107621]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
maj 21 09:49:44 pc-76.home NetworkManager[107621]: sending packet: from 192.168.1.18[500] to 46.140.117.114[500] (396 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received packet: from 46.140.117.114[500] to 192.168.1.18[500] (380 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
maj 21 09:49:44 pc-76.home NetworkManager[107621]: local host is behind NAT, sending keep alives
maj 21 09:49:44 pc-76.home NetworkManager[107621]: generating ID_PROT request 0 [ ID HASH ]
maj 21 09:49:44 pc-76.home NetworkManager[107621]: sending packet: from 192.168.1.18[4500] to 46.140.117.114[4500] (92 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received packet: from 46.140.117.114[4500] to 192.168.1.18[4500] (92 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: parsed ID_PROT response 0 [ ID HASH ]
maj 21 09:49:44 pc-76.home NetworkManager[107621]: IKE_SA e8ece6a2-2688-4971-ac04-651f53e6cb62[1] established between 192.168.1.18[192.168.1.18]...46.140.117.114[46.140.117.114]
maj 21 09:49:44 pc-76.home NetworkManager[107621]: scheduling reauthentication in 10215s
maj 21 09:49:44 pc-76.home NetworkManager[107621]: maximum IKE_SA lifetime 10755s
maj 21 09:49:44 pc-76.home NetworkManager[107621]: generating QUICK_MODE request 124745516 [ HASH SA No ID ID NAT-OA NAT-OA ]
maj 21 09:49:44 pc-76.home NetworkManager[107621]: sending packet: from 192.168.1.18[4500] to 46.140.117.114[4500] (268 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received packet: from 46.140.117.114[4500] to 192.168.1.18[4500] (92 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: queueing TRANSACTION request as tasks still active
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received packet: from 46.140.117.114[4500] to 192.168.1.18[4500] (92 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: ignoring TRANSACTION request, queue full
maj 21 09:49:44 pc-76.home NetworkManager[107621]: sending retransmit 1 of request message ID 124745516, seq 4
maj 21 09:49:44 pc-76.home NetworkManager[107621]: sending packet: from 192.168.1.18[4500] to 46.140.117.114[4500] (268 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received packet: from 46.140.117.114[4500] to 192.168.1.18[4500] (108 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: parsed INFORMATIONAL_V1 request 3603991470 [ HASH N(DPD) ]
maj 21 09:49:44 pc-76.home charon[107593]: 00[IKE] deleting IKE_SA e8ece6a2-2688-4971-ac04-651f53e6cb62[1] between 192.168.1.18[192.168.1.18]...46.140.117.114[46.140.117.114]
maj 21 09:49:44 pc-76.home NetworkManager[107621]: received packet: from 46.140.117.114[4500] to 192.168.1.18[4500] (92 bytes)
maj 21 09:49:44 pc-76.home NetworkManager[107621]: ignoring TRANSACTION request, queue full
maj 21 09:49:44 pc-76.home NetworkManager[107621]: establishing connection 'e8ece6a2-2688-4971-ac04-651f53e6cb62' failed
maj 21 09:49:44 pc-76.home charon[107593]: 00[IKE] deleting IKE_SA e8ece6a2-2688-4971-ac04-651f53e6cb62[1] between 192.168.1.18[192.168.1.18]...46.140.117.114[46.140.117.114]
maj 21 09:49:44 pc-76.home charon[107593]: 00[IKE] sending DELETE for IKE_SA e8ece6a2-2688-4971-ac04-651f53e6cb62[1]
maj 21 09:49:44 pc-76.home charon[107593]: 00[ENC] generating INFORMATIONAL_V1 request 3446336222 [ HASH D ]
maj 21 09:49:44 pc-76.home charon[107593]: 00[NET] sending packet: from 192.168.1.18[4500] to 46.140.117.114[4500] (108 bytes)
maj 21 09:49:44 pc-76.home ipsec_starter[107592]: child 107593 (charon) has quit (exit code 0)
maj 21 09:49:44 pc-76.home ipsec_starter[107592]: 
maj 21 09:49:44 pc-76.home ipsec_starter[107592]: charon stopped after 200 ms
maj 21 09:49:44 pc-76.home ipsec_starter[107592]: ipsec starter stopped
maj 21 09:49:44 pc-76.home nm-l2tp-service[107565]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
maj 21 09:49:44 pc-76.home NetworkManager[1221]: <info>  [1590047384.6332] vpn-connection[0x562c9c0340a0,e8ece6a2-2688-4971-ac04-651f53e6cb62,"VPN 1",0]: VPN plugin: state changed: stopped (6)
maj 21 09:49:44 pc-76.home NetworkManager[1221]: <info>  [1590047384.6408] vpn-connection[0x562c9c0340a0,e8ece6a2-2688-4971-ac04-651f53e6cb62,"VPN 1",0]: VPN service disappeared
maj 21 09:49:44 pc-76.home NetworkManager[1221]: <warn>  [1590047384.6444] vpn-connection[0x562c9c0340a0,e8ece6a2-2688-4971-ac04-651f53e6cb62,"VPN 1",0]: VPN connection: failed to connect: 'Remote peer disconnected'

Can you help me with that?

It is successfully using aes256-sha2_256-modp2048 for the phase 1 (main mode) and not a modp1024 based proposal, so it should be okay to use libreswan.

It is failing for phase 2 (quick mode). You could try switching back to libreswan and using Disable PFS in the IPsec config options as the VPN server might not be using PFS for phase 2 (quick mode).
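A small triage helper, added here as an example (it is not from the post, from NetworkManager or from strongSwan), that applies the same reading of the charon log as the answer above: it scans the lines for the selected IKE proposal, whether the IKE_SA was established, and whether the QUICK_MODE request was ever answered, and reports which phase the negotiation stalled in. The sample log is constructed with placeholder addresses and a placeholder connection name.

```python
import re

# Constructed sample, not copied from the post: charon lines in the shape of the
# journal output above, with documentation-range addresses and a placeholder name.
SAMPLE_LOG = """\
11[IKE] initiating Main Mode IKE_SA vpn1[1] to 198.51.100.10
12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
14[IKE] IKE_SA vpn1[1] established between 192.0.2.5[192.0.2.5]...198.51.100.10[198.51.100.10]
14[ENC] generating QUICK_MODE request 124745516 [ HASH SA No ID ID NAT-OA NAT-OA ]
15[IKE] queueing TRANSACTION request as tasks still active
07[IKE] sending retransmit 1 of request message ID 124745516, seq 4
10[ENC] parsed INFORMATIONAL_V1 request 3603991470 [ HASH N(DPD) ]
00[IKE] deleting IKE_SA vpn1[1] between 192.0.2.5[192.0.2.5]...198.51.100.10[198.51.100.10]
"""

IKE_PROPOSAL_RE = re.compile(r"selected proposal: IKE:(\S+)")
ESTABLISHED_RE = re.compile(r"IKE_SA \S+\[\d+\] established between")
QM_REQUEST_RE = re.compile(r"generating QUICK_MODE request (\d+)")
RETRANSMIT_RE = re.compile(r"sending retransmit \d+ of request message ID (\d+)")


def triage(log_text):
    """Summarise how far an IKEv1 (main mode + quick mode) negotiation got."""
    r = {"ike_proposal": None, "phase1_established": False, "uses_modp1024": False,
         "quick_mode_msgid": None, "quick_mode_answered": False,
         "quick_mode_retransmits": 0, "likely_failure": None}
    for line in log_text.splitlines():
        if (m := IKE_PROPOSAL_RE.search(line)):
            # Phase 1 proposal; MODP_1024 here is what the libreswan change concerns.
            r["ike_proposal"] = m.group(1)
            r["uses_modp1024"] = "MODP_1024" in m.group(1)
        elif ESTABLISHED_RE.search(line):
            r["phase1_established"] = True
        elif (m := QM_REQUEST_RE.search(line)):
            r["quick_mode_msgid"] = m.group(1)
        elif "parsed QUICK_MODE response" in line:
            r["quick_mode_answered"] = True
        elif (m := RETRANSMIT_RE.search(line)) and m.group(1) == r["quick_mode_msgid"]:
            # Retransmits of our own QUICK_MODE request mean the peer never replied.
            r["quick_mode_retransmits"] += 1
    if not r["phase1_established"]:
        r["likely_failure"] = "phase 1 (main mode): no IKE_SA established"
    elif r["quick_mode_msgid"] and not r["quick_mode_answered"]:
        r["likely_failure"] = ("phase 2 (quick mode): QUICK_MODE request never answered; "
                               "compare the ESP proposal and PFS setting with the server")
    return r
```

Feed it the charon lines from `journalctl` to get the same verdict the answer reaches by eye; a peer that silently drops the QUICK_MODE request shows up as retransmits with no parsed response.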