4

After Apple did this in Big Sur OS, I can't connect to my own VPN on Libreswan 3.27 (netkey) on 3.10.0-1160.6.1.el7.x86_64:

Starting with iOS 14 and macOS Big Sur (coming soon), IPsec supports HMAC-SHA-256 with L2TP VPN. To make sure that VPN client devices running iOS 14 and macOS Big Sur can connect to your L2TP VPN server, configure the server to truncate the output of the SHA-256 hash to 128 bits. Truncating to fewer than 128 bits will result in L2TP VPN failing to connect.

I'm not a professional server admin or Unix geek, so I still can't understand what I need to change in the config to solve the situation.

Right now my ipsec.conf looks kinda like this:

version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  protostack=netkey
  interfaces=%defaultroute
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=#serverIP#
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  sha2-truncbug=yes

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  phase2=esp
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.10-192.168.43.250
  modecfgdns="8.8.8.8 8.8.4.4"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  xauthby=file
  ike-frag=yes
  ikev2=never
  cisco-unity=yes
  also=shared

Thank you for any help you can offer.

megamosk
    When using a quote in a question/answer, please always include a link to the quote source or a detailed description of the source (e.g. if it is from a book). This is common practice and also for legal reasons. Quoting small snippets of text is legal in most parts of the world (fair use) and is not considered copyright infringement, but only if a quote is also clearly marked as such, and in doing so, citation of the source is generally expected. If you simply copy content from anywhere, this can be considered copyright infringement if the author wants to be picky. – Mecki Jan 28 '21 at 15:37

1 Answer

8

I was having this same problem after updating.

Change sha2-truncbug=yes to sha2-truncbug=no

I'm using IPsec and xl2tpd for the L2TP over IPsec server. The client is macOS Big Sur Version 11.0.1.

Unfortunately, I have not figured out what that configuration key does, and it's not documented anywhere, so I can't give you a good explanation of why this works.

Make sure to do a systemctl restart ipsec after updating the config file.

Edit: Found it documented on GitHub.

Joe
  • Man, you're helping lots of people right now by sharing this. Thank you very much! PS I can't upvote your solution because of low reputation ( – megamosk Dec 16 '20 at 10:55
  • np do you mind marking it as the accepted solution? – Joe Dec 16 '20 at 21:36
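To illustrate why the setting in the accepted answer matters, here is an added example (not part of the original question or answer, and not Libreswan code) of the truncation mismatch the Apple note describes: RFC 4868 truncates the HMAC-SHA-256 integrity check value (ICV) to 128 bits, while Libreswan's sha2-truncbug=yes selects the old Linux 96-bit truncation. Both ends agree on "SHA-256" during IKE, yet each ESP packet then fails the other side's integrity check. The key and payload below are constructed demo values.

```python
import hashlib
import hmac

# ESP integrity-check-value lengths in bytes.
ICV_LEN_RFC4868 = 16    # HMAC-SHA-256-128: what iOS 14 / Big Sur clients expect
ICV_LEN_OLD_LINUX = 12  # 96-bit truncation, selected by sha2-truncbug=yes


def esp_icv(key: bytes, authenticated_data: bytes, icv_len: int) -> bytes:
    """HMAC-SHA-256 over the authenticated ESP bytes, truncated to icv_len bytes."""
    return hmac.new(key, authenticated_data, hashlib.sha256).digest()[:icv_len]


def build_packet(key: bytes, payload: bytes, icv_len: int) -> bytes:
    """Sender side: append the truncated ICV as the ESP trailer."""
    return payload + esp_icv(key, payload, icv_len)


def verify_packet(key: bytes, packet: bytes, expected_icv_len: int) -> bool:
    """Receiver side: split off the trailing ICV of the length this peer expects,
    recompute it and compare in constant time. If the sender used a different
    truncation length, the split lands in the wrong place and verification fails."""
    if len(packet) <= expected_icv_len:
        return False
    body, icv = packet[:-expected_icv_len], packet[-expected_icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, body, expected_icv_len))


def simulate(server_truncbug: bool) -> dict:
    """Exchange one packet in each direction between a Big Sur client (128-bit ICV)
    and a Libreswan server configured with or without sha2-truncbug."""
    key = bytes(range(32))  # constructed demo key, not a real SA key
    payload = b"ESP header + encrypted L2TP/UDP 1701 payload (constructed)"
    server_len = ICV_LEN_OLD_LINUX if server_truncbug else ICV_LEN_RFC4868
    client_len = ICV_LEN_RFC4868
    return {
        "client_accepts_server_packet": verify_packet(
            key, build_packet(key, payload, server_len), client_len),
        "server_accepts_client_packet": verify_packet(
            key, build_packet(key, payload, client_len), server_len),
    }


if __name__ == "__main__":
    print("sha2-truncbug=yes:", simulate(True))   # both directions fail
    print("sha2-truncbug=no: ", simulate(False))  # both directions verify
```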