[SOLVED] L2TP/IPsec with TLS certificates + PPTP GUI without the headaches

PROBLEMCHYLD · 07-02-2020, 12:29 PM

1. We need to patch the source ppp from Slackware

https://mirrors.slackware.com/slackw...es/source/ppp/ with https://www.nikhef.nl/~janjust/ppp/ install after compile completes

2. Get openssl-1.1.1g-x86_64-1.txz from https://mirrors.slackware.com/slackw...slackware64/n/ We only need to extract the file libcrypto.pc from it

3. Compile the pptp from https://slackbuilds.org/repository/14.2/network/pptp/ I'm using pptp-1.10.0-x86_64-1.txz

4. Compile the NetworkManager-pptp from https://slackbuilds.org/repository/1...kManager-pptp/

5. Backup your original libcrypto.pc to a safe location and replace it with the newer version to /usr/lib64/pkgconfig/

6. Compile the NetworkManager-l2tp from https://slackbuilds.org/repository/1...kManager-l2tp/ I'm using 1.8.2 https://github.com/nm-l2tp/NetworkManager-l2tp
after compile completes, replace newer libcrypto.pc with original from the backup

7. Compile the strongswan from https://slackbuilds.org/repository/1...?search=strong I'm using strongswan-5.8.4-x86_64-1.txz

8. Compile the xl2tpd from https://slackbuilds.org/repository/1.../?search=xl2tp I'm using xl2tpd-1.3.15-x86_64-1.txz

I can enjoy my L2TP/PPTP + IPSec server with a gui. YAY!!

rkelsen · 07-02-2020, 04:54 PM

Well done. I tried a few times to get this going without enjoying the success you have.

In the end, I gave up and set up an OpenVPN server at the office because all the parts were already there. The GUI client for NM was recently added to Slackware-current and seems to work quite well.

PROBLEMCHYLD · 07-02-2020, 07:23 PM

I have been dealing with L2TP Servers for a while and needed to do it with Slackware. Hopefully this will help others out who prefer a gui. Configuring all config files can become tedious on the terminal.

brobr · 08-05-2020, 01:23 PM

@PROBLEMCHYLD

Hi, Thanks for this; they have changed the vpn access at my work to l2p/ipsec, so forced to go down this rabbithole. (Of course they provided unbuntu-only advice of how to set this up...)

Assuming this recipe is for 14.2, have you any idea whether this works on current? And what to do now pam is there (whatever it does; most of this networking access stuff does my head in)?

Ah well, I tried, but did not get far: the most current patches from the nikhef link ( eaptls-mppe-1.201.patch, eaptls-mppe-1.202.patch, eaptls-mppe-1.300.patch, eaptls-mppe-1.301.patch) applied as

Code:

patch -p1 --verbose < $CWD/ppp-2.4.8-eaptls-mppe-1.201.patch ..

after the zcat patch lines at lines 83-84 in the /source/n/ppp.SlackBuild, cause all kinds of -R warnings/errors during patching.

Quote:

...
diff -Naur ppp-2.4.8/pppd/sys-solaris.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sys-solaris.c
|--- ppp-2.4.8/pppd/sys-solaris.c 2019-12-31 02:31:26.000000000 +0100
|+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sys-solaris.c 2020-04-03 14:02:19.342905025 +0200
--------------------------
patching file pppd/sys-solaris.c
Using Plan A...
Hunk #1 succeeded at 1550.
done
Hmm...The next patch would create the file README.eap-tls,
which already exists! Assume -R? [n] # huh, cannot see this file in the source folder....so why this error?
..

This is the first of many and it seems pointless to continue....;
What mistake am I making?

Cheers,

rob

PROBLEMCHYLD · 08-05-2020, 02:15 PM

Quote:

Originally Posted by brobr

@PROBLEMCHYLD

Hi, Thanks for this; they have changed the vpn access at my work to l2p/ipsec, so forced to go down this rabbithole. (Of course they provided unbuntu-only advice of how to set this up...)

Assuming this recipe is for 14.2, have you any idea whether this works on current? And what to do now pam is there (whatever it does; most of this networking access stuff does my head in)?

Ah well, I tried, but did not get far: the most current patches from the nikhef link ( eaptls-mppe-1.201.patch, eaptls-mppe-1.202.patch, eaptls-mppe-1.300.patch, eaptls-mppe-1.301.patch) applied as

Code:

patch -p1 --verbose < $CWD/ppp-2.4.8-eaptls-mppe-1.201.patch ..

after the zcat patch lines at lines 83-84 in the /source/n/ppp.SlackBuild, cause all kinds of -R warnings/errors during patching.

This is the first of many and it seems pointless to continue....;
What mistake am I making?

Cheers,
rob

You only need to install one patch v1.301 which is the latest.

Gerard Lally · 08-05-2020, 02:31 PM

I came across this some time ago. I hope it's useful; I'm using OpenBSD for my VPN these days.

It covers L2TP/IPSec and the newer and more secure(?) IPsec VPN type -- IKEv2.

PROBLEMCHYLD · 08-05-2020, 02:36 PM

Quote:

Originally Posted by Gerard Lally

I came across this some time ago. I hope it's useful; I'm using OpenBSD for my VPN these days.

It covers L2TP/IPSec and the newer and more secure(?) IPsec VPN type -- IKEv2.

I used that method as well, but prefer the gui approach, see here https://www.linuxquestions.org/quest...ml#post5882731

brobr · 08-05-2020, 03:28 PM

Quote:

Originally Posted by PROBLEMCHYLD

You only need to install one patch v1.301 which is the latest.

Fab, that worked, thanks.

PROBLEMCHYLD · 08-05-2020, 03:38 PM

Welcome....

brobr · 08-05-2020, 07:20 PM

Ok, I got the gui running, thanks; but that -of course- doesn't mean much when the backends don't communicate... a couple of months ago the gui also started up fine but it did not connect; but this was without the (networkmanager) pptp packages nor the ppp-patch so when I stumbled on this post it gave hope that these were the missing links.... But still there is something not happening even after converting all '.conf.new' in /etc to '.conf' which, at least, made the logs a bit more lively...:

Quote:

/var/log/syslog:
Aug 6 00:44:00 knotsUL pppd[5886]: Overriding mtu 1500 to 1400
Aug 6 00:44:00 knotsUL pppd[5886]: Overriding mru 1500 to mtu value 1400
Aug 6 00:44:01 knotsUL pppd[5886]: MS-CHAP authentication failed: Authentication Fail!
Aug 6 00:44:01 knotsUL pppd[5886]: CHAP authentication failed
Aug 6 00:44:01 knotsUL pppd[5886]: Overriding mtu 1500 to 1400
Aug 6 00:44:01 knotsUL pppd[5886]: Overriding mru 1500 to mtu value 1400
Aug 6 00:44:01 knotsUL NetworkManager[1419]: <warn> [1596671041.2574] vpn-connection[0xc3c710,95..75,"ipsec",0]: VPN plugin: failed: connect-failed (1)

/var/log/secure
Aug 6 00:43:56 knotsUL ipsec_starter[5829]: Starting strongSwan 5.9.0 IPsec [starter]...
Aug 6 00:43:56 knotsUL ipsec_starter[5829]: Loading config setup
Aug 6 00:43:56 knotsUL ipsec_starter[5829]: Loading conn '95..75'
Aug 6 00:43:56 knotsUL ipsec_starter[5840]: Attempting to start charon...
Aug 6 00:43:56 knotsUL ipsec_starter[5840]: charon (5841) started after 20 ms
Aug 6 00:43:57 knotsUL charon: 15[IKE] initiating Main Mode IKE_SA 95..75[1] to 192.xx.xx.xx9
Aug 6 00:43:57 knotsUL charon: 06[IKE] IKE_SA 95..75[1] established between 192.yy.yy.20[192.yy.yy.20]...192.41.103.209[192.41.103.209]
Aug 6 00:43:57 knotsUL charon: 08[IKE] CHILD_SA 95..75{1} established with SPIs ca2a1f42_i f686226b_o and TS 192.yy.yy.20/32[udp/l2f] === 192.xx.xx.xx9/32[udp/l2f]
Aug 6 00:44:01 knotsUL charon: 00[IKE] closing CHILD_SA 95..75{1} with SPIs ca2a1f42_i (573 bytes) f686226b_o (782 bytes) and TS 192.yy.yy.20/32[udp/l2f] === 192.xx.xx.xx9/32[udp/l2f]
Aug 6 00:44:01 knotsUL charon: 00[IKE] deleting IKE_SA 95..75[1] between 192.yy.yy.20[192.yy.yy.20]...192.xx.xx.xx9[192.xx.xx.xx9]
Aug 6 00:44:01 knotsUL ipsec_starter[5840]: child 5841 (charon) has quit (exit code 0)
Aug 6 00:44:01 knotsUL ipsec_starter[5840]:
Aug 6 00:44:01 knotsUL ipsec_starter[5840]: charon stopped after 200 ms
Aug 6 00:44:01 knotsUL ipsec_starter[5840]: ipsec starter stopped

/var/log/messages:
Aug 6 00:43:54 .. NetworkManager[1419]: <info> [1596671034.5062] audit: op="connection-activate" uuid="95..75" name="ipsec" pid=6151 uid=1000 result="success"
Aug 6 00:43:54 .. NetworkManager[1419]: <info> [1596671034.5085] vpn-connection[0xc3c710,95..75,"ipsec",0]: Started the VPN service, PID 5814
Aug 6 00:43:54 .. NetworkManager[1419]: <info> [1596671034.5144] vpn-connection[0xc3c710,95..75,"ipsec",0]: Saw the service appear; activating connection
Aug 6 00:43:54 .. NetworkManager[1419]: <info> [1596671034.5540] vpn-connection[0xc3c710,95..75,"ipsec",0]: VPN connection: (ConnectInteractive) reply received
Aug 6 00:43:56 .. charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.0, Linux 5.4.53, x86_64)
Aug 6 00:43:56 .. charon: 00[CFG] attr-sql plugin: database URI not set
Aug 6 00:43:56 .. charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 6 00:43:56 .. charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 6 00:43:56 .. charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 6 00:43:56 .. charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 6 00:43:56 .. charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 6 00:43:56 .. charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 6 00:43:56 .. charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Aug 6 00:43:56 .. charon: 00[CFG] loaded IKE secret for %any
Aug 6 00:43:56 .. charon: 00[CFG] sql plugin: database URI not set
Aug 6 00:43:56 .. charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Aug 6 00:43:56 .. charon: 00[CFG] eap-simaka-sql database URI missing
Aug 6 00:43:56 .. charon: 00[CFG] loaded 0 RADIUS server configurations
Aug 6 00:43:56 .. charon: 00[CFG] no script for ext-auth script defined, disabled
Aug 6 00:43:56 .. charon: 00[CFG] coupling file path unspecified
Aug 6 00:43:56 .. charon: 00[LIB] loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 xcbc cmac hmac drbg curl files sqlite attr kernel-netlink resolve socket-default bypass-lan connmark farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-simaka-pseudonym eap-simaka-reauth eap-mschapv2 eap-radius eap-tls eap-ttls xauth-generic xauth-eap dhcp lookip unity counters
Aug 6 00:43:56 .. charon: 00[JOB] spawning 16 worker threads
Aug 6 00:43:56 .. charon: 05[IKE] installed bypass policy for 127.0.0.0/8
Aug 6 00:43:56 .. charon: 05[IKE] installed bypass policy for 192.yy.yy.0/24
Aug 6 00:43:56 .. charon: 05[IKE] installed bypass policy for fe80::/64
Aug 6 00:43:56 .. charon: 09[CFG] received stroke: add connection '95..75'
Aug 6 00:43:56 .. charon: 09[CFG] added configuration '95..75'
Aug 6 00:43:57 .. charon: 12[CFG] rereading secrets
Aug 6 00:43:57 .. charon: 12[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 6 00:43:57 .. charon: 12[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Aug 6 00:43:57 .. charon: 12[CFG] loaded IKE secret for %any
Aug 6 00:43:57 .. charon: 13[CFG] received stroke: initiate '95..75'
Aug 6 00:43:57 .. charon: 15[IKE] initiating Main Mode IKE_SA 95..75[1] to 192.xx.xx.xx9
Aug 6 00:43:57 .. charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Aug 6 00:43:57 .. charon: 15[NET] sending packet: from 192.yy.yy.yy0[500] to 192.xx.xx.xx9[500] (308 bytes)
Aug 6 00:43:57 .. charon: 07[NET] received packet: from 192.xx.xx.xx9[500] to 192.yy.yy.yy0[500] (188 bytes)
Aug 6 00:43:57 .. charon: 07[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
Aug 6 00:43:57 .. charon: 07[IKE] received NAT-T (RFC 3947) vendor ID
Aug 6 00:43:57 .. charon: 07[IKE] received DPD vendor ID
Aug 6 00:43:57 .. charon: 07[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Aug 6 00:43:57 .. charon: 07[IKE] received FRAGMENTATION vendor ID
Aug 6 00:43:57 .. last message buffered 1 times
Aug 6 00:43:57 .. charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Aug 6 00:43:57 .. charon: 07[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 6 00:43:57 .. charon: 07[NET] sending packet: from 192.yy.yy.yy0[500] to 192.xx.xx.xx9[500] (236 bytes)
Aug 6 00:43:57 .. charon: 01[NET] received packet: from 192.xx.xx.xx9[500] to 192.yy.yy.yy0[500] (220 bytes)
Aug 6 00:43:57 .. charon: 01[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 6 00:43:57 .. charon: 01[IKE] local host is behind NAT, sending keep alives
Aug 6 00:43:57 .. charon: 01[ENC] generating ID_PROT request 0 [ ID HASH ]
Aug 6 00:43:57 .. charon: 01[NET] sending packet: from 192.yy.yy.yy0[4500] to 192.xx.xx.xx9[4500] (76 bytes)
Aug 6 00:43:57 .. charon: 06[NET] received packet: from 192.xx.xx.xx9[4500] to 192.yy.yy.yy0[4500] (76 bytes)
Aug 6 00:43:57 .. charon: 06[ENC] parsed ID_PROT response 0 [ ID HASH ]
Aug 6 00:43:57 .. charon: 06[IKE] IKE_SA 95..75[1] established between 192.yy.yy.yy0[192.yy.yy.yy0]...192.xx.xx.xx9[192.xx.xx.xx9]
Aug 6 00:43:57 .. charon: 06[IKE] scheduling reauthentication in 10159s
Aug 6 00:43:57 .. charon: 06[IKE] maximum IKE_SA lifetime 10699s
Aug 6 00:43:57 .. charon: 06[ENC] generating QUICK_MODE request 2396684132 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 6 00:43:57 .. charon: 06[NET] sending packet: from 192.yy.yy.yy0[4500] to 192.xx.xx.xx9[4500] (300 bytes)
Aug 6 00:43:57 .. charon: 08[NET] received packet: from 192.xx.xx.xx9[4500] to 192.yy.yy.yy0[4500] (172 bytes)
Aug 6 00:43:57 .. charon: 08[ENC] parsed QUICK_MODE response 2396684132 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 6 00:43:57 .. charon: 08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ
Aug 6 00:43:57 .. charon: 08[IKE] CHILD_SA 95..75{1} established with SPIs ca2a1f42_i f686226b_o and TS 192.yy.yy.yy0/32[udp/l2f] === 192.xx.xx.xx9/32[udp/l2f]
Aug 6 00:43:57 .. charon: 08[ENC] generating QUICK_MODE request 2396684132 [ HASH ]
Aug 6 00:43:57 .. charon: 08[NET] sending packet: from 192.yy.yy.yy0[4500] to 192.xx.xx.xx9[4500] (60 bytes)
Aug 6 00:43:58 .. NetworkManager[1419]: <info> [1596671038.1580] vpn-connection[0xc3c710,95..75,"ipsec",0]: VPN plugin: state changed: starting (3)
Aug 6 00:44:00 .. pppd[5886]: Plugin pppol2tp.so loaded.
Aug 6 00:44:00 .. pppd[5886]: Plugin /usr/lib64/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
Aug 6 00:44:00 .. pppd[5886]: pppd 2.4.8 started by root, uid 0
Aug 6 00:44:00 .. NetworkManager[1419]: <info> [1596671040.0233] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/28)
Aug 6 00:44:00 .. pppd[5886]: Using interface ppp0
Aug 6 00:44:00 .. pppd[5886]: Connect: ppp0 <-->
Aug 6 00:44:01 .. pppd[5886]: Connection terminated.
Aug 6 00:44:01 .. charon: 15[KNL] interface ppp0 deleted
Aug 6 00:44:01 .. NetworkManager[1419]: <info> [1596671041.2575] vpn-connection[0xc3c710,95..75,"ipsec",0]: VPN plugin: state changed: stopping (5)
Aug 6 00:44:01 .. charon: 00[DMN] signal of type SIGINT received. Shutting down
Aug 6 00:44:01 .. charon: 00[IKE] closing CHILD_SA 95..75{1} with SPIs ca2a1f42_i (573 bytes) f686226b_o (782 bytes) and TS 192.yy.yy.yy0/32[udp/l2f] === 192.xx.xx.xx9/32[udp/l2f]
Aug 6 00:44:01 .. charon: 00[IKE] sending DELETE for ESP CHILD_SA with SPI ca2a1f42
Aug 6 00:44:01 .. charon: 00[ENC] generating INFORMATIONAL_V1 request 4061814712 [ HASH D ]
Aug 6 00:44:01 .. charon: 00[NET] sending packet: from 192.yy.yy.yy0[4500] to 192.xx.xx.xx9[4500] (76 bytes)
Aug 6 00:44:01 .. charon: 00[IKE] deleting IKE_SA 95..75[1] between 192.yy.yy.yy0[192.yy.yy.yy0]...192.xx.xx.xx9[192.xx.xx.xx9]
Aug 6 00:44:01 .. charon: 00[IKE] sending DELETE for IKE_SA 95..75[1]
Aug 6 00:44:01 .. charon: 00[ENC] generating INFORMATIONAL_V1 request 1036866037 [ HASH D ]
Aug 6 00:44:01 .. charon: 00[NET] sending packet: from 192.yy.yy.yy0[4500] to 192.xx.xx.xx9[4500] (92 bytes)
Aug 6 00:44:01 .. pppd[5886]: Exit.
Aug 6 00:44:01 .. charon: 00[IKE] uninstalling bypass policy for 127.0.0.0/8
Aug 6 00:44:01 .. charon: 00[IKE] uninstalling bypass policy for 192.yy.yy.0/24
Aug 6 00:44:01 .. charon: 00[IKE] uninstalling bypass policy for fe80::/64
Aug 6 00:44:01 .. NetworkManager[1419]: <info> [1596671041.3633] vpn-connection[0xc3c710,95..75,"ipsec",0]: VPN plugin: state changed: stopped (6)
Aug 6 00:44:01 .. NetworkManager[1419]: <info> [1596671041.3656] vpn-connection[0xc3c710,95..75,"ipsec",0]: VPN service disappeared

The only thing I am suppose to put into the gui is a user name, passphrase, a shared key plus the phase 1 and phase 2 algorithms; no certificates etc.

Why would it stop at the ppp stage; what is missing (apart from my understanding of this all)??

PROBLEMCHYLD · 08-05-2020, 10:33 PM

Are you using certificates or Pre-shared key? I only use certificates because of the security. You have to explain more details for me and others to help. You configure everything in Networkmanager not the .conf files. Look at the screenshots in the first post.

brobr · 08-06-2020, 04:59 AM

As mentioned in the last lines above, it is a preshared key that's used; they possibly want to keep it simple for all the windows users. My setup at home from where I try to access my work is : world <-> modem <-> dd-wrt-router-using-openvpn <-> laptop.
Maybe the line above "Aug 6 00:43:57 .. charon: 01[IKE] local host is behind NAT, sending keep alives " reflects that.

I tried including the google dns addresses in the /etc/stronswan.conf as advised on the link Gerard Lally provided but this did not make a difference.

For the rest I have not done anything else than as described above or in your post (omitted the libcrypto exchange trick as I am on current). But the ppp-error is something I ran into last time I tried this as well. Is there someting that needs setting on the vpn-router (but why; its just the tunnel it goes through...)?

EDIT: found this in /var/log/debug which appears to span the bit where it falters:

Quote:

Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3365] platform: (ppp0) signal: link added: 4: ppp0 <NOARP,DOWN;pointopoint,multicast,noarp> mtu 1500 arp 512 ppp* not-init addrgenmode eui64 driver ppp rx:0,0 tx:0,0
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3366] device[61e1e1faf3b8bc82] (ppp0): constructed (NMDevicePpp)
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3366] device[61e1e1faf3b8bc82] (ppp0): start setup of NMDevicePpp, kernel ifindex 4
Aug 6 20:13:46 .. pppd[6287]: PPPoL2TP options: debugmask 0
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3367] platform-linux: error reading net:/sys/class/net/ppp0/phys_port_id: error reading 4096 bytes from file descriptor: Operation not supported
Aug 6 20:13:46 .. pppd[6287]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x160b8ae>]
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3368] platform-linux: sysctl: reading 'net:/sys/class/net/ppp0/dev_id': '0x0'
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3368] platform-linux: error reading net:/sys/class/net/ppp0/device/sriov_numvfs: Failed to open file "device/sriov_numvfs" with openat: No such file or directory
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3368] device[61e1e1faf3b8bc82] (ppp0): unmanaged: flags set to [platform-init,external-down=0x810/0x810/unmanaged/unrealized], set-unmanaged [external-down=0x800])
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3368] device[61e1e1faf3b8bc82] (ppp0): unmanaged: flags set to [platform-init,external-down,!by-type=0x810/0x818/unmanaged/unrealized], set-managed [by-type=0x8])
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3368] device[61e1e1faf3b8bc82] (ppp0): unmanaged: flags set to [platform-init,external-down,!sleeping,!by-type=0x810/0x819/unmanaged/unrealized], set-managed [sleeping=0x1])
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3375] platform: (ppp0) signal: link changed: 4: ppp0 <NOARP,DOWN;pointopoint,multicast,noarp> mtu 1400 arp 512 ppp* not-init addrgenmode eui64 driver ppp rx:0,0 tx:0,0
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3375] device[61e1e1faf3b8bc82] (ppp0): queued link change for ifindex 4
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3398] platform-linux: UDEV event: action 'add' subsys 'net' device 'ppp0' (4); seqnum=5122
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3399] platform: (ppp0) signal: link changed: 4: ppp0 <NOARP,DOWN;pointopoint,multicast,noarp> mtu 1400 arp 512 ppp* init addrgenmode eui64 driver ppp rx:0,0 tx:0,0
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3399] device[61e1e1faf3b8bc82] (ppp0): queued link change for ifindex 4
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3401] device[61e1e1faf3b8bc82] (ppp0): unmanaged: flags set to [platform-init,external-down,!sleeping,!by-type,!user-settings=0x810/0x859/unmanaged], set-managed [user-settings=0x40])
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3401] device[61e1e1faf3b8bc82] (ppp0): unmanaged: flags set to [external-down,!sleeping,!by-type,!platform-init,!user-settings=0x800/0x859/manageable], set-managed [platform-init=0x10], reason managed)
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3401] device[61e1e1faf3b8bc82] (ppp0): ip4-config: update (commit=0, new-config=0x22cd6e0)
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3403] device[61e1e1faf3b8bc82] (ppp0): ip4-config: set IP Config instance (/org/freedesktop/NetworkManager/IP4Config/5)
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3403] dns-mgr: (device_ip_config_changed): queueing DNS updates (1)
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3403] dns-mgr: (device_ip_config_changed): DNS configuration did not change
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3403] dns-mgr: (device_ip_config_changed): no DNS changes to commit (0)
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3404] platform-linux: sysctl: reading '/proc/sys/net/ipv6/conf/ppp0/disable_ipv6': '0'
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3405] device[61e1e1faf3b8bc82] (ppp0): ip6-config: update (commit=0, new-config=0x22d20a0)
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3406] device[61e1e1faf3b8bc82] (ppp0): ip6-config: set IP Config instance (/org/freedesktop/NetworkManager/IP6Config/5)
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3407] dns-mgr: (device_ip_config_changed): queueing DNS updates (1)
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3407] dns-mgr: (device_ip_config_changed): DNS configuration did not change
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3407] dns-mgr: (device_ip_config_changed): no DNS changes to commit (0)
Aug 6 20:13:46 .. pppd[6287]: rcvd [LCP ConfReq id=0x1 <mru 1300> <asyncmap 0x0> <auth chap MS-v2> <magic 0x9c4fd6d3> <pcomp> <accomp>]
Aug 6 20:13:46 .. pppd[6287]: sent [LCP ConfAck id=0x1 <mru 1300> <asyncmap 0x0> <auth chap MS-v2> <magic 0x9c4fd6d3> <pcomp> <accomp>]
Aug 6 20:13:46 .. pppd[6287]: rcvd [LCP ConfAck id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x160b8ae>]
Aug 6 20:13:46 .. pppd[6287]: PPPoL2TP options: debugmask 0
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3957] platform: (ppp0) signal: link changed: 4: ppp0 <NOARP,DOWN;pointopoint,multicast,noarp> mtu 1300 arp 512 ppp* init addrgenmode eui64 driver ppp rx:0,0 tx:0,0
Aug 6 20:13:46 .. NetworkManager[1456]: <debug> [1596741226.3957] device[61e1e1faf3b8bc82] (ppp0): queued link change for ifindex 4
Aug 6 20:13:46 .. pppd[6287]: rcvd [LCP EchoReq id=0x0 magic=0x9c4fd6d3]
Aug 6 20:13:46 .. pppd[6287]: sent [LCP EchoRep id=0x0 magic=0x160b8ae]
Aug 6 20:13:46 .. pppd[6287]: rcvd [CHAP Challenge id=0x1 <283a03e3e12b7ac16cb6c74b8d2e26c2>, name = "KBS-PFW-01"]
Aug 6 20:13:46 .. pppd[6287]: added response cache entry 0
Aug 6 20:13:46 .. pppd[6287]: sent [CHAP Response id=0x1 <e74e76b51789908fbd3e8c8e61ae01b40000000000000000570f895c9070915ae54d1887a87ebc421f9cbe366148280500> , name = "uun"]
Aug 6 20:13:47 .. pppd[6287]: rcvd [CHAP Failure id=0x1 "Authentication Fail!"]
Aug 6 20:13:47 .. pppd[6287]: PPPoL2TP options: debugmask 0
Aug 6 20:13:47 .. pppd[6287]: sent [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
Aug 6 20:13:47 .. NetworkManager[1456]: <debug> [1596741227.5120] platform: (ppp0) signal: link changed: 4: ppp0 <NOARP,DOWN;pointopoint,multicast,noarp> mtu 1400 arp 512 ppp* init addrgenmode eui64 driver ppp rx:0,0 tx:0,0
Aug 6 20:13:47 .. NetworkManager[1456]: <debug> [1596741227.5120] device[61e1e1faf3b8bc82] (ppp0): queued link change for ifindex 4
Aug 6 20:13:47 .. pppd[6287]: rcvd [LCP TermReq id=0x2 "Authentication failed"]
Aug 6 20:13:47 .. pppd[6287]: sent [LCP TermAck id=0x2]
Aug 6 20:13:47 .. pppd[6287]: rcvd [LCP TermAck id=0x2]
Aug 6 20:13:47 .. NetworkManager[1456]: <debug> [1596741227.5695] platform: signal: link removed: 4: ppp0 <NOARP,DOWN;pointopoint,multicast,noarp> mtu 1400 arp 512 ppp* init addrgenmode eui64 driver ppp rx:0,0 tx:0,0

EDIT-3 removed previous nonsense; it fails on the ppp exchange

PROBLEMCHYLD · 08-07-2020, 04:33 PM

I'm not sure if I can be of any more help since I'm not on current and don't use PSK. Try downgrading strongswan to and older version. I know 5.9.0 is new but I use 5.8.4, also try configuring your ppp/ipsec vpn adapter settings in NetworkManager instead of .conf. I have never gotten PSKs to work is why I use certificates.

brobr · 08-10-2020, 05:44 PM

Hi, thanks for the suggestions. Your last line tells all. Seems sufficient reason not to waste more time on trying to make this work (it seems more sense to change the PSK policy...).

PROBLEMCHYLD · 08-11-2020, 07:59 PM

Quote:

Originally Posted by brobr

Hi, thanks for the suggestions. Your last line tells all. Seems sufficient reason not to waste more time on trying to make this work (it seems more sense to change the PSK policy...).

strongswan 5.9.0 seems to work, set all your configs to default PPP, L2TP IPSEC XL2TPD strongswan etc... and configure like so in the screenshot, as you can see, I have an active connection but with certificates.