
I'm trying to connect an Ubuntu Server 16.04 to an IPSec L2TP VPN using the strongswan client.

Apparently the connection is established successfully, but the interface ppp0 isn't created.

This is the result of sudo ipsec up myconnection:

initiating Main Mode IKE_SA myconnection[2] to 116.38.129.101
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.0.104[500] to 116.38.129.101[500] (212 bytes)
received packet: from 116.38.129.101[500] to 192.168.0.104[500] (132 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.104[500] to 116.38.129.101[500] (244 bytes)
received packet: from 116.38.129.101[500] to 192.168.0.104[500] (236 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.0.104[4500] to 116.38.129.101[4500] (100 bytes)
received packet: from 116.38.129.101[4500] to 192.168.0.104[4500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA myconnection[2] established between 192.168.0.104[192.168.0.104]...116.38.129.101[116.38.129.101]
scheduling reauthentication in 10033s
maximum IKE_SA lifetime 10573s
generating QUICK_MODE request 1590491286 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.0.104[4500] to 116.38.129.101[4500] (220 bytes)
received packet: from 116.38.129.101[4500] to 192.168.0.104[4500] (188 bytes)
parsed QUICK_MODE response 1590491286 [ HASH SA No ID ID NAT-OA NAT-OA ]
connection 'myconnection' established successfully

Any hint?

leonardorame
  • StrongSwan will establish the 1st layer: IPSec, then you need a tool for the L2TP layer (and there's the 3rd layer PPP that gives the ppp0 interface) – A.B Jun 26 '18 at 23:26
  • Hi @A.B, yes I followed this tutorial: http://www.jasonernst.com/2016/06/21/l2tp-ipsec-vpn-on-ubuntu-16-04/ and after `sudo ipsec up myconnection` I issued `sudo echo "c myconnection" > /var/run/xl2tpd/l2tp-control`. I think that's the 2nd layer. I suppose I need one more command to enable ppp0? – leonardorame Jun 27 '18 at 09:24
  • Well that was just a comment. It's possible the 2nd runs the 3rd. But you didn't write anything in the question allowing somebody knowing this subject (I don't) to help you – A.B Jun 27 '18 at 12:05
  • There's no reason to use PPP if you're already using IPsec; the kernel will handle the packets to and from the IPsec connection. – wurtel Jun 27 '18 at 14:47
  • @leonardorame did you find any solution? – rev Apr 11 '19 at 15:07
  • @wurtel: but how do I define routing if I do not have ppp0 device? I would like to route some traffic through VPN and the rest just normal. I want to use `iptables` for that, but I need a device... – Michal B. May 29 '19 at 06:26
  • That's the point, with IPsec the traffic simply goes through the interface that IPsec uses to reach the other side. So if your internet connection is on eth0, then that is the interface you have to route the traffic through. Make sure that it is *not* NATed, IPsec diverts those packets just before they leave the physical interface. Also ensure that you allow that traffic in your iptables forwarding rules. – wurtel May 29 '19 at 11:10
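The comments above describe three layers (IPsec via strongSwan, L2TP via xl2tpd, PPP spawned by xl2tpd) and a control command that is easy to get wrong. The script below is an added example, not code from the question or its comments; it assumes the strongSwan `ipsec` tool and xl2tpd are installed, that the IPsec connection and the xl2tpd lac section are both named "myconnection" (assumed names), and that the script itself runs as root, since `sudo echo ... > file` performs the redirection as the unprivileged caller. It checks each layer before moving to the next and includes a parser for `ipsec up` output so the result can be tested against saved output.

```shell
#!/bin/sh
# Added example (not from the question). Run as root: ./l2tp-up.sh run
set -u

CONN=myconnection                         # assumed connection / lac name
CONTROL=/var/run/xl2tpd/l2tp-control      # xl2tpd control FIFO, as in the comments

# Return 0 only when `ipsec up` output reports both the IKE_SA and the
# connection as established. The text is passed in, so saved output
# can be checked the same way as a live run.
ipsec_up_succeeded() {
    printf '%s\n' "$1" | grep -q "IKE_SA .* established" &&
    printf '%s\n' "$1" | grep -q "connection '.*' established successfully"
}

# Wait up to $2 seconds for network interface $1 to appear.
# Uses sysfs, so it works without the `ip` tool.
wait_for_iface() {
    i=0
    while [ "$i" -lt "$2" ]; do
        [ -e "/sys/class/net/$1" ] && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Constructed sample, trimmed from the output shown in the question.
SAMPLE_OK="IKE_SA myconnection[2] established between 192.168.0.104[192.168.0.104]...116.38.129.101[116.38.129.101]
connection 'myconnection' established successfully"

main() {
    # Layer 1: IPsec. Stop here if the IKE/child SAs did not come up.
    out=$(ipsec up "$CONN" 2>&1) || { printf '%s\n' "$out"; exit 1; }
    ipsec_up_succeeded "$out" || { echo "IPsec layer not established:"; printf '%s\n' "$out"; exit 1; }

    # Layer 2: ask xl2tpd to dial. We are root, so this redirection works;
    # `sudo echo "c ..." > FIFO` would open the FIFO as the calling user.
    printf 'c %s\n' "$CONN" > "$CONTROL"

    # Layer 3: xl2tpd spawns pppd; wait for its interface before routing over it.
    wait_for_iface ppp0 15 || { echo "ppp0 never appeared; check syslog for xl2tpd/pppd errors"; exit 1; }
    echo "ppp0 is up"
}

# Only perform the live procedure when explicitly asked to.
if [ "${1:-}" = run ]; then main; fi
```

The live procedure only runs with the `run` argument, so the two helper functions can be exercised on their own; `wait_for_iface` is what you want before adding `ip route` or `iptables` rules that name ppp0, because xl2tpd returns immediately and pppd takes a few seconds to negotiate.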

1 Answer


First of all, check your Linux kernel version with uname -a and, if you have 4.14, I have bad news for you: you have a bugged kernel. 4.13 seems good, and also 4.15, but not 4.14. See this answer in a libreswan bug report.

Anyway, you can also try Network Manager. Install the network-manager-l2tp package.

Here is an example of a valid NetworkManager VPN file that you can save in /etc/NetworkManager/system-connections/MY_DAMN_VPN:

[connection]
id=MY_DAMN_VPN
uuid=very-random-stuff
type=vpn

[vpn]
gateway=IP_OF_MY_DAMN_VPN
ipsec-enabled=yes
ipsec-esp=aes256-sha1,aes128-sha1,3des-sha1!
ipsec-ike=aes256-sha1-ecp384,aes128-sha1-ecp256,3des-sha1-modp1536!
ipsec-psk=MY_SUPER_SECRET_SHARED_PASSWORD
password-flags=0
user=local-vpn
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
password=MY_SUPER_SECRET_PASSWORD

[ipv4]
dns-search=
method=auto
never-default=true

Then restart Network Manager and activate the VPN:

systemctl restart NetworkManager
nmcli connection up MY_DAMN_VPN

This stuff was tested in Debian GNU/Linux buster with a damn Microsoft Windows VPN server.

Good luck!

P.S.

Do not try to use OpenVPN to talk with a proprietary VPN server: OpenVPN is based on TLS technology (because it has security in mind). L2TP/IPsec does not seem to be. [1]

[1]: https://en.wikipedia.org/wiki/IPsec On Wikipedia you can read further about the NSA interference in IPsec, with some sources about it.

Valerio Bozzolan
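The keyfile in the answer works, but two details deserve a check before it goes into production: the `ipsec-ike` and `ipsec-esp` proposals end in `!`, so strongSwan offers only the listed algorithms, and those lists include 3DES and the 1536-bit MODP group; and `password-flags=0` plus `ipsec-psk=` mean both secrets are stored in clear text in the file, which NetworkManager therefore requires to be root-owned and mode 0600. The script below is an added example, not part of the answer or of NetworkManager, that audits such a keyfile; it assumes the key names used in the answer's sample file and embeds a constructed copy of its proposal strings for offline use.

```shell
#!/bin/sh
# Added example (not from the answer): audit a NetworkManager L2TP keyfile.
# Usage: ./audit-keyfile.sh /etc/NetworkManager/system-connections/MY_DAMN_VPN

# Constructed sample reusing the answer's proposal strings; not a real VPN.
SAMPLE_KEYFILE='[vpn]
gateway=203.0.113.1
ipsec-enabled=yes
ipsec-esp=aes256-sha1,aes128-sha1,3des-sha1!
ipsec-ike=aes256-sha1-ecp384,aes128-sha1-ecp256,3des-sha1-modp1536!
ipsec-psk=example-psk
password-flags=0
user=local-vpn
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
password=example-password'

# Print "<key>: <proposal>" for every legacy algorithm in ipsec-ike / ipsec-esp.
# 3DES and the 1024/1536-bit MODP groups are the ones to replace first; because
# the proposal strings end in "!", nothing stronger is negotiated with the peer.
legacy_proposals() {
    printf '%s\n' "$1" | awk -F= '
        /^ipsec-(ike|esp)=/ {
            n = split($2, p, /[,!]/)
            for (i = 1; i <= n; i++)
                if (p[i] ~ /(^|-)3des(-|$)|modp1024|modp1536/)
                    print $1 ": " p[i]
        }'
}

# Print the keys whose secrets live in the file in clear text.
# password-flags=0 tells NetworkManager to store the user password in the
# keyfile itself instead of asking an agent for it.
cleartext_secrets() {
    printf '%s\n' "$1" | awk -F= '
        /^ipsec-psk=/ && $2 != ""  { print "ipsec-psk" }
        /^password-flags=0/        { flag0 = 1 }
        /^password=/ && $2 != ""   { if (flag0) print "password" }'
}

# Audit a file on disk: algorithms, cleartext secrets and the file mode.
audit_keyfile() {
    f="$1"
    content=$(cat "$f")
    legacy_proposals "$content"  | sed 's/^/legacy algorithm: /'
    cleartext_secrets "$content" | sed 's/^/cleartext secret in key: /'
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ] || echo "file mode is $mode; NetworkManager expects 600"
}

if [ -n "${1:-}" ]; then audit_keyfile "$1"; fi
```

On the sample above the audit reports `3des-sha1` in the ESP list and `3des-sha1-modp1536` in the IKE list, plus both `ipsec-psk` and `password` as cleartext secrets. If the Windows server accepts it, dropping the 3DES and modp1536 entries from the proposal strings removes the legacy algorithms without touching anything else in the file.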