[Swan] Unable to go further than phase 1 - Zyxel firewall
Paul Wouters
paul at nohats.ca
Tue Apr 14 00:51:52 UTC 2020
On Sat, 11 Apr 2020, venstiven wrote:
> I am new to L2TP/IPsec VPN; I've been trying to connect to a Zyxel USG firewall for hours...
>
> I was given ikev1 credentials (psk, username, password, public IP) and an IP range I will have access to
> (192.168.157.X). I've tried the credentials on windows, they work.
>
> I am trying to connect from a Debian 10 VPS. I've tried a lot of settings and none of them let me go further than
> phase 1.
>
> The first phase uses 3des, sha1, modp1024. I tried that for the esp parameter with no luck, leaving it empty also
> doesn't work.
Recent versions of libreswan no longer support DH (modp1024). It is
simply too insecure to be allowed. Note that 3des-sha1 is also a
configuration from the 1990's and should really be upgraded to something
modern.
> conn lug-vpn
> ike=3des-sha1;modp1024
> esp=3des-sha1;modp1024
> right=12.34.567.89
> left=98.76.54.321
> leftprotoport=17/1701
> rightprotoport=17/1701
> initial_contact=yes
> authby=secret
> auto=add
I assume you might need aggressive=yes if this is really a group-PSK
based connection. You should also have your leftprotoport be 17/%any.
Try modp1536 instead of modp1024. If that also works, use that.
> 004 "lug-vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1
> group=MODP1024}
So phase one is up.
> 002 "lug-vpn" #2: initiating Quick Mode
> 031 "lug-vpn" #2: STATE_QUICK_I1: 60 second timeout exceeded after 7 retransmits. No acceptable response to our
> first Quick Mode message: perhaps peer likes no proposal
For L2TP those look like the right options. You can try playing with:
pfs=no
and
type=transport
Paul
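The posted conn rewritten with the changes suggested in the reply, as an added example that is not part of the original thread and not taken from libreswan's own documentation. The addresses are the placeholders from the post; pfs=no and type=transport are the two settings the reply suggests trying, not a confirmed fix, and aggressive=yes is left commented out because it only applies if the server really uses a group PSK.

```ini
# Added example: the poster's conn with the reply's suggestions folded in.
# Not from the original thread. Addresses are the post's placeholders;
# pfs=no and type=transport are settings to try, not a confirmed fix.
conn lug-vpn
    # Phase 1: keep the peer's 3des-sha1 proposal (dated; upgrade it when
    # the Zyxel side allows) but offer modp1536, since recent libreswan
    # releases refuse modp1024.
    ike=3des-sha1;modp1536
    # Phase 2: with pfs=no there is no second DH exchange, so no DH group
    # is listed on the esp line.
    esp=3des-sha1
    pfs=no
    # L2TP rides over IPsec in transport mode, not tunnel mode.
    type=transport
    # This host (the Debian client).
    left=98.76.54.321
    # Any UDP source port on our side, whatever the local L2TP client picks.
    leftprotoport=17/%any
    # The Zyxel USG.
    right=12.34.567.89
    # UDP 1701 (L2TP) on the server side.
    rightprotoport=17/1701
    authby=secret
    initial_contact=yes
    # Uncomment only if the server really uses a group PSK.
    #aggressive=yes
    auto=add
```

The PSK itself goes in /etc/ipsec.secrets as `98.76.54.321 12.34.567.89 : PSK "..."` (same placeholder addresses). After editing, `ipsec auto --add lug-vpn` followed by `ipsec auto --up lug-vpn` shows whether Quick Mode now completes; if phase 1 still fails with modp1536, the Zyxel proposal list, not this file, is what needs changing.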