[Swan] Unable to go further than phase 1 - Zyxel firewall

Paul Wouters paul at nohats.ca
Tue Apr 14 00:51:52 UTC 2020


On Sat, 11 Apr 2020, venstiven wrote:

> I am new to l2tp/ipsec vpn, I've been trying to connect to a Zyxel USG firewall for hours...
> 
> I was given ikev1 credentials (psk, username, password, public IP) and an IP range I will have access to
> (192.168.157.X). I've tried the credentials on windows, they work.
> 
> I am trying to connect from a Debian 10 VPS. I've tried a lot of settings and none of them let me go further than
> phase 1.
> 
> The first phase uses 3des, sha1, modp1024. I tried that for the esp parameter with no luck, leaving it empty also
> doesn't work.

Recent versions of libreswan no longer support DH (modp1024). It is
simply too insecure to be allowed. Note that 3des-sha1 is also a
configuration from the 1990's and should really be upgraded to something
modern.

> conn lug-vpn
>         ike=3des-sha1;modp1024
>         esp=3des-sha1;modp1024
>         right=12.34.567.89
>         left=98.76.54.321
>         leftprotoport=17/1701
>         rightprotoport=17/1701
>         initial_contact=yes
>         authby=secret
>         auto=add

I assume you might need aggressive=yes if this is really a group PSK
based connection. You should also have your leftprotoport be 17/%any.

Try modp1536 instead of modp1024. If that also works, use that.

> 004 "lug-vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1
> group=MODP1024}

So phase one is up.

> 002 "lug-vpn" #2: initiating Quick Mode

> 031 "lug-vpn" #2: STATE_QUICK_I1: 60 second timeout exceeded after 7 retransmits.  No acceptable response to our
> first Quick Mode message: perhaps peer likes no proposal

For L2TP those look like the right options. You can try playing with:

        pfs=no

and

        type=transport

Paul
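
An ipsec.conf fragment that applies the changes suggested in this reply, added here as an illustration and not a configuration from Paul or from the thread. It assumes libreswan 3.x as shipped with Debian 10, a placeholder peer address (203.0.113.10), and a VPS with a single default route:

```ini
# Constructed example: IKEv1 PSK connection to an L2TP/IPsec gateway.
# The peer address is a documentation placeholder; replace it with yours.
conn lug-vpn
        # IKEv1 with a pre-shared key. Set aggressive=yes only if the
        # gateway really uses a group PSK in aggressive mode (assumption).
        ikev2=no
        authby=secret
        aggressive=no
        # Phase 1: modp1024 is refused by recent libreswan, so try modp1536.
        # 3des-sha1 is kept only because the gateway insists on it; prefer
        # aes and sha2 on the gateway side when you can.
        ike=3des-sha1;modp1536
        # Phase 2 for L2TP: transport mode and no PFS, so no DH group on esp=.
        type=transport
        pfs=no
        esp=3des-sha1
        # Client side: whatever source port the L2TP client picks.
        left=%defaultroute
        leftprotoport=17/%any
        # Gateway side: L2TP on UDP 1701.
        right=203.0.113.10
        rightprotoport=17/1701
        initial_contact=yes
        auto=add
```

If Quick Mode still times out with these settings, compare the phase 2 proposal on the Zyxel (cipher, integrity, PFS group, tunnel vs. transport) against the esp= line before changing anything else.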