Configure a Linux client for a Windows VPN

1

I am trying to connect from my personal Arch Linux laptop to my office's Windows Server VPN.

I have followed the instructions of the Arch wiki but I cannot get the IPSec tunnel to connect.

The message I get is:

$ sudo ipsec auto --up L2TP-PSK
002 "L2TP-PSK" #16: initiating Main Mode
105 "L2TP-PSK" #16: STATE_MAIN_I1: initiate
003 "L2TP-PSK" #16: Informational Exchange message must be encrypted
010 "L2TP-PSK" #16: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "L2TP-PSK" #16: STATE_MAIN_I1: retransmission; will wait 40s for response
003 "L2TP-PSK" #16: Informational Exchange message must be encrypted
031 "L2TP-PSK" #16: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
000 "L2TP-PSK" #16: starting keying attempt 2 of at most 3, but releasing whack

My config file contains the following:

config setup
     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
     nat_traversal=yes
# default is auto, which will try netkey first
     protostack=netkey
# you can leave "off" (default value) instead
     oe=no
# Replace eth0 with your network interface
     plutoopts="--interface=eth0"
conn L2TP-PSK
     authby=secret
     pfs=no
     auto=add
     keyingtries=3
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     rekey=yes
     ikelifetime=8h
     keylife=1h
     type=transport
# Replace %any below with your local IP address (private, behind NAT IP is okay as well)
     left=192.168.0.***
     leftprotoport=17/1701
# Replace IP address with your VPN server's IP
     right=***.***.***.*** # My office server IP
     rightprotoport=17/1701

And the output of ipsec verify is:

Checking if IPsec got installed and started correctly:

Version check and ipsec on-path                     [OK]
Openswan U/K4.18.12-arch1-1-ARCH (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel                [OK]
NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects              [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                           [OK]
Hardware random device check                        [N/A]
Two or more interfaces found, checking IP forwarding    [FAILED]
Checking rp_filter                                  [ENABLED]
  /proc/sys/net/ipv4/conf/all/rp_filter             [ENABLED]
Checking that pluto is running                      [OK]
Pluto listening for IKE on udp 500                  [OK]
Pluto listening for IKE on tcp 500                  [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500           [OK]
Pluto listening for IKE/NAT-T on tcp 4500           [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco)        [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing                      [TEST INCOMPLETE]
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]

ipsec verify: encountered errors

I presume ipsec is not happily installed but I am not familiar at all with it.

This question seems to indicate that the IP forwarding failed test can be ignored.

Does anybody know how I could get this to work?

Jacques Gaudin

Posted 2018-10-13T21:12:18.043

Reputation: 143

Check what you have done against this article.

– harrymc – 2018-10-14T11:21:26.553

@harrymc thanks, I read this article and tried the settings but got the same issue. It seems that switching to libreswan is solving the problem above but my ppp device is disappearing after a short while. – Jacques Gaudin – 2018-10-14T12:46:57.043
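The ipsec verify output in the question flags send_redirects and accept_redirects as [NOT DISABLED] without saying for which interfaces. The script below is an added example, not part of the original post or of Openswan: it lists every per-interface setting that is still enabled and prints the sysctl command that would disable it. The function names and the optional root-directory argument are assumptions made so the check can also run against a constructed copy of the tree.

```shell
#!/bin/sh
# Added example. Walks <root>/sys/net/ipv4/conf/*/{send,accept}_redirects,
# the paths named in the `ipsec verify` warnings. <root> defaults to /proc.

# Print one sysctl key per line for every setting whose value is not 0.
# Keys keep the '/' separator, which sysctl accepts in place of '.', so
# interface names that contain a dot (eth0.100) stay unambiguous.
redirects_enabled() {
    root="${1:-/proc}"
    for f in "$root"/sys/net/ipv4/conf/*/send_redirects \
             "$root"/sys/net/ipv4/conf/*/accept_redirects; do
        [ -r "$f" ] || continue            # unmatched glob or unreadable file
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "${f#"$root"/sys/}"       # strip "<root>/sys/" prefix
        fi
    done
}

# Print (do not run) the command that disables each flagged setting.
remediation() {
    redirects_enabled "$1" | while read -r key; do
        echo "sysctl -w $key=0"
    done
}

# Constructed sample tree: redirects enabled everywhere except that
# send_redirects on eth0 has already been set to 0.
make_sample_tree() {
    dir=$(mktemp -d)
    for ifc in all default eth0 eth0.100; do
        mkdir -p "$dir/sys/net/ipv4/conf/$ifc"
        echo 1 > "$dir/sys/net/ipv4/conf/$ifc/send_redirects"
        echo 1 > "$dir/sys/net/ipv4/conf/$ifc/accept_redirects"
    done
    echo 0 > "$dir/sys/net/ipv4/conf/eth0/send_redirects"
    echo "$dir"
}

sample=$(make_sample_tree)
remediation "$sample"      # on a real host: remediation /proc
rm -rf "$sample"
```

Settings changed with sysctl -w do not survive a reboot; the same keys can be made persistent in a file under /etc/sysctl.d/.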

No answers