IPSEC/L2TP VPN Not Connecting with vpnc or StrongSwan
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
IPSEC/L2TP VPN Not Connecting with vpnc or StrongSwan
Hi,
I've set up a dual boot with Debian and am trying to move completely off having to use Windows. Pretty much the last thing is to do is to set up my VPN connection to the office Cisco router.
I've tried vpnc and StrongSwan and in each case I can log on and get an IP address on the office LAN, but it then fails. The error on the Cisco router is "Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy"
I've been using the same VPN account set up via Windows DUN for years and it's still working. So I know the VPN account is set up correctly server side. I'm not dogmatic about which method I use, I just want it to work on Linux!
If anyone could help me identify where I'm going wrong I would be very grateful. I'm far from an expert on VPNs I'm afraid so I'm hoping it's something obvious I'm doing wrong.
Here are my config files and output for both programs (usernames and IPs redacted):
VPNC
default.conf
Code:
IPSec gateway (remote IP)
IPSec ID (group ID)
IPSec secret (secret)
Xauth username (user)
Xauth password (pass)
IKE Authmode psk
IKE DH Group dh2
NAT Traversal Mode cisco-udp
Local Port 10000
Output:
Code:
vpnc --enable-1des --debug 2
vpnc version 0.5.3r550-2
S1 init_sockaddr
[2016-06-07 10:14:55]
S2 make_socket
[2016-06-07 10:14:55]
S3 setup_tunnel
[2016-06-07 10:14:55]
using interface tun0
S4 do_phase1_am
[2016-06-07 10:14:55]
S4.1 create_nonce
[2016-06-07 10:14:55]
S4.2 dh setup
[2016-06-07 10:14:55]
S4.3 AM packet_1
[2016-06-07 10:14:55]
S4.4 AM_packet2
[2016-06-07 10:14:55]
(Cisco Unity)
(Xauth)
(unknown)
(unknown)
got ike lifetime attributes: 2147483 seconds
IKE SA selected psk+xauth-des-sha1
peer is XAUTH capable (draft-ietf-ipsec-isakmp-xauth-06)
NAT status: no NAT-T VID seen
S4.5 AM_packet3
[2016-06-07 10:14:55]
S4.6 cleanup
[2016-06-07 10:14:55]
S5 do_phase2_xauth
[2016-06-07 10:14:55]
S5.1 xauth_request
[2016-06-07 10:14:55]
S5.2 notice_check
[2016-06-07 10:14:55]
S5.3 type-is-xauth check
[2016-06-07 10:14:55]
S5.4 xauth type check
[2016-06-07 10:14:55]
S5.5 do xauth reply
[2016-06-07 10:14:55]
S5.2 notice_check
[2016-06-07 10:14:55]
S5.3 type-is-xauth check
[2016-06-07 10:14:55]
S5.6 process xauth set
[2016-06-07 10:14:55]
S5.7 send xauth ack
[2016-06-07 10:14:55]
S5.8 xauth done
[2016-06-07 10:14:55]
S6 do_phase2_config
[2016-06-07 10:14:55]
S6.1 phase2_config send modecfg
[2016-06-07 10:14:55]
S6.2 phase2_config receive modecfg
[2016-06-07 10:14:56]
got save password setting: 0
got pfs setting: 0
Remote Application Version: Cisco Systems, Inc ASA5505 Version 7.2(4) built by builders on Sun 06-Apr-08 13:39
got address 172.28.80.13
S7 setup_link (phase 2 + main_loop)
[2016-06-07 10:14:56]
S7.0 run interface setup script
[2016-06-07 10:14:56]
S7.1 QM_packet1
[2016-06-07 10:14:56]
S7.2 QM_packet2 send_receive
[2016-06-07 10:14:56]
S7.3 QM_packet2 validate type
[2016-06-07 10:14:56]
got ike lifetime attributes: 86400 seconds
got delete for old connection, ignoring..
vpnc: no response from target
StrongSwan
ipsec.conf:
Code:
version 2
config setup
strictcrlpolicy=no
conn %default
ikelifetime=1440m
keylife=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=xauthpsk
type=tunnel
conn "ADSL"
keyexchange=ikev1
ikelifetime=1440m
keylife=60m
aggressive=yes
ike=des-sha1-modp1024
esp=des-sha1-modp1024
xauth=client #Xauth client mode
left=(local IP) #local IP used to connect to IOS
leftsubnet=(local subnet/24)
leftid=(group)
leftsourceip=%config #apply received IP
leftauth=psk
rightauth=psk
leftauth2=xauth #use PSK for group RA and Xauth for user
right=(remote IP) #gateway IP
rightsubnet=172.28.0.0/16
xauth_identity=(user) #identity for Xauth, password in ipsec.secrets
auto=add
Output:
Code:
initiating Aggressive Mode IKE_SA ADSL[1] to (remote IP)
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from (local IP)[500] to (remote IP)[500] (434 bytes)
received packet: from (remote IP)[500] to (local IP)[500] (420 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (108 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (76 bytes)
parsed TRANSACTION request 2798627525 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 2798627525 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (84 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (68 bytes)
parsed TRANSACTION request 3033165335 [ HASH CPS(X_STATUS) ]
XAuth authentication of '(user)' (myself) successful
IKE_SA ADSL[1] established between (local IP)[(group)]...(remote IP)[(remote IP)]
scheduling reauthentication in 86082s
maximum IKE_SA lifetime 86262s
generating TRANSACTION response 3033165335 [ HASH CPA(X_STATUS) ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (68 bytes)
generating TRANSACTION request 2611185267 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (84 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (68 bytes)
parsed TRANSACTION response 2611185267 [ HASH CPRP(ADDR) ]
installing new virtual IP 172.28.80.12
generating QUICK_MODE request 1009442552 [ HASH SA No KE ID ID ]
sending packet: from (local IP)[4500] to (remote IP)[4500] (308 bytes)
received packet: from (remote IP)[4500] to (local IP)[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3691512445 [ HASH D ]
received DELETE for IKE_SA ADSL[1]
deleting IKE_SA ADSL[1] between (local IP)[(group)]...(remote IP)[(remote IP)]
installing new virtual IP 172.28.80.12
initiating Aggressive Mode IKE_SA ADSL[2] to (remote IP)
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from (local IP)[500] to (remote IP)[500] (434 bytes)
establishing connection 'ADSL' failed
According to Cisco it's probably your tunnel group or group name.
If you know your tunnel group/group name is correct and you copied your configuration information from a windows configuration, retype the same line directly below it and then delete the original line. Windows encodes endline differently than Linux so even cutting and pasting from one platform to the other can cause problems.
I typed the group name manually I'm afraid. I don't know how to find the group name from a Windows configuration. It didn't seem to be in the ".pbk" file.
That group name is the one assigned to my user in the router's configuration. It's capitalised correctly and everything. It must be correct as I tried using the only other group name configured on the router and it failed almost straight away.
Is there any other logging I could check or something?
grep charon /var/log/* and pull /var/log/authlog and /var/log/deamonlog (if it's there).
If you don't find anything there, you can turn up the logging in the configuration (or the command line if it's running in daemon mode)
I couldn't find anything further in the logs than was reported at the command line. I've set my user profile to specify the VPN Group Policy and VPN Group Lock (rather than having them as "Inherit") on the VPN server and have got a little further. Now the vpnc command shows the following:
Code:
.....
S7 setup_link (phase 2 + main_loop)
[2016-08-12 11:20:20]
S7.0 run interface setup script
[2016-08-12 11:20:20]
S7.1 QM_packet1
[2016-08-12 11:20:20]
S7.2 QM_packet2 send_receive
[2016-08-12 11:20:20]
S7.3 QM_packet2 validate type
[2016-08-12 11:20:20]
got ike lifetime attributes: 86400 seconds
received notice of type (ISAKMP_N_NO_PROPOSAL_CHOSEN)(14), giving up
S7.5 QM_packet2 check reject offer
[2016-08-12 11:20:20]
---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
S7.11 send isakmp termination message
[2016-08-12 11:20:20]
vpnc: quick mode response rejected: (ISAKMP_N_INVALID_MESSAGE_ID)(9)
this means the concentrator did not like what we had to offer.
Possible reasons are:
* concentrator configured to require a firewall
this locks out even Cisco clients on any platform except windows
which is an obvious security improvement. There is no workaround (yet).
* concentrator configured to require IP compression
this is not yet supported by vpnc.
Note: the Cisco Concentrator Documentation recommends against using
compression, except on low-bandwith (read: ISDN) links, because it
uses much CPU-resources on the concentrator
The server logging indicates (read from bottom up):
Code:
4 Sep 20 2008 01:58:54 113019 Group = (redacted), Username = (redacted), IP = (redacted), Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
3 Sep 20 2008 01:58:54 713902 Group = (redacted), Username = (redacted), IP = (redacted), Removing peer from correlator table failed, no match!
3 Sep 20 2008 01:58:54 713902 Group = (redacted), Username = (redacted), IP = (redacted), QM FSM error (P2 struct &0xd11b5a8, mess id 0x25b8cb0d)!
5 Sep 20 2008 01:58:54 713904 Group = (redacted), Username = (redacted), IP = (redacted), All IPSec SA proposals found unacceptable!
3 Sep 20 2008 01:58:54 713119 Group = (redacted), Username = (redacted), IP = (redacted), PHASE 1 COMPLETED
Does anyone know what might be causing this? Thanks in advance.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.