[Swan] Configuring L2TP client using NetworkManager
jvpn at use.startmail.com
Fri Jun 3 05:00:38 EEST 2022
Disabling PFS did not help but
sudo systemctl stop ipsec.service && sudo dnf -y erase libreswan && sudo dnf -y install strongswan
resulted in a successful connection!
I did not realize that a switch between swans is that easy.
For a test I switched Ubuntu to libreswan and connection fails.
This time, upon examination
journalctl --since=today -u ipsec.service -u NetworkManager
errors were completely different, from pluto:
#1: Peer ID is ID_IPV4_ADDR: 'X.X.X.222'
#1: we require IKEv1 peer to have ID 'X.X.X.27', but peer declares
#1: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.27:4500
#1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0x33 but should have been zero (ignored)
#1: length of ISAKMP Hash Payload is larger than can fit
#1: malformed payload in packet
The above block repeats indefinitely until 'sudo systemctl stop ipsec.service' is issued.
Gateway hostname corresponds to X.X.X.27
On 6/2/22 18:28, Douglas Kosovic wrote:
> Correction, on Ubuntu to switch to libreswan with the network-manager-l2tp package, issue:
> sudo apt install libreswan
> -----Original Message-----
> From: Douglas Kosovic
> Sent: Friday, 3 June 2022 8:25 AM
> To: Josh <jvpn at use.startmail.com>
> Cc: Swan at lists.libreswan.org
> Subject: RE: [Swan] Configuring L2TP client using NetworkManager
> Hi Josh,
> As it is failing Quick Mode (phase 2) for libreswan but not strongswan, you could try clicking the "Disable PFS" checkbox in NetworkManager-l2tp's IPsec config dialog box; PFS is enabled by default with libreswan, but not with strongswan (where the option is greyed out).
> Unrelated to this issue, but since you are using Fedora, I would recommend removing the blacklistings of L2TP kernel modules, see:
> For historical reasons on Ubuntu, the network-manager-l2tp package default dependency is strongswan, to switch to libreswan, issue the following:
> sudo dnf install libreswan
> On Fedora, NetworkManager-l2tp will use strongswan if it can't find libreswan.
>> On Jun 2, 2022, at 13:49, Josh <jvpn at use.startmail.com> wrote:
>> Hello Paul,
>> You are correct. I found instructions from a random VPN provider:
>> Ubuntu 20 uses strongswan for l2tp/ipsec and connects to keenetic l2tp server just fine.
>> Fedora 36 uses libreswan and connection to the same instance fails
>> with error messages matching
>> Could anyone suggest any debugging steps?
>>> On 5/30/22 17:17, Paul Wouters wrote:
>>>> On Fri, 27 May 2022, Josh wrote:
>>>> Subject: [Swan] Configuring L2TP client using NetworkManager
>>>> On my latest Fedora NetworkManager UI there are many different options.
>>>> I tried to do my best finding places I need to enter four given above but result is still a failure.
>>> Did you install NetworkManager-l2tp-gnome and then select "add vpn" ?
>>> gateway is the remote vpn host, username and password is what you
>>> expect, and under "IPsec settings" at the bottom you can see "enable
>>> IPsec" and "pre-shared key". Possibly under "advanced" you put in the
>>> DNS name of the remote vpn server under "remote ID".
>>>> Is there a manual to setup L2TP connection via NetworkManager UI?
>>> Possibly, but I wouldn't know.
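The pluto lines quoted in the thread carry the diagnostic in two places: the ID the peer actually declared (ID_IPV4_ADDR X.X.X.222) and the ID libreswan was configured to require (X.X.X.27, the gateway address), after which libreswan sends INVALID_ID_INFORMATION and the exchange loops. The following Python script is an added example and not part of the thread or of libreswan; it parses journal lines trimmed to the "#1:" form shown above (sample lines constructed from the thread, with the same X.X.X placeholders) and reports the mismatch together with how many times the failing block repeated. The suggestion it prints rests on the assumption that libreswan's configured remote ID (the NetworkManager-l2tp "Remote ID" field, which maps to rightid) must equal the ID the peer declares, so pointing it at the declared value is one candidate fix to verify.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the pluto output quoted in the thread
# (journal prefixes trimmed, X.X.X placeholders kept, "but peer declares"
# tail left as elided in the thread). Repeated twice to mimic the loop.
_BLOCK: List[str] = [
    "#1: Peer ID is ID_IPV4_ADDR: 'X.X.X.222'",
    "#1: we require IKEv1 peer to have ID 'X.X.X.27', but peer declares",
    "#1: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.27:4500",
    "#1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0x33 but should have been zero (ignored)",
    "#1: length of ISAKMP Hash Payload is larger than can fit",
    "#1: malformed payload in packet",
]
SAMPLE_JOURNAL = "\n".join(_BLOCK * 2)

# Patterns for the three facts we care about.
PEER_ID_RE = re.compile(r"Peer ID is (\w+): '([^']+)'")
REQUIRED_RE = re.compile(r"we require IKEv1 peer to have ID '([^']+)'")
NOTIFY_RE = re.compile(r"sending encrypted notification (\w+) to (\S+)")
MALFORMED_MARK = "malformed payload in packet"


def diagnose(journal_text: str) -> Dict[str, object]:
    """Extract declared/required peer IDs and failure counters from pluto lines."""
    result: Dict[str, object] = {
        "declared_type": None,   # e.g. ID_IPV4_ADDR
        "declared_id": None,     # ID the peer sent
        "required_id": None,     # ID our config insists on
        "notifications": [],     # notification names we sent back, in order
        "malformed_payloads": 0, # follow-on parse failures
        "id_mismatch": False,
    }
    notifications: List[str] = []
    for line in journal_text.splitlines():
        m = PEER_ID_RE.search(line)
        if m:
            result["declared_type"], result["declared_id"] = m.group(1), m.group(2)
            continue
        m = REQUIRED_RE.search(line)
        if m:
            result["required_id"] = m.group(1)
            continue
        m = NOTIFY_RE.search(line)
        if m:
            notifications.append(m.group(1))
            continue
        if MALFORMED_MARK in line:
            result["malformed_payloads"] = int(result["malformed_payloads"]) + 1
    result["notifications"] = notifications
    declared: Optional[str] = result["declared_id"]  # type: ignore[assignment]
    required: Optional[str] = result["required_id"]  # type: ignore[assignment]
    result["id_mismatch"] = bool(declared and required and declared != required)
    return result


def suggest(result: Dict[str, object]) -> str:
    """Turn the diagnosis into a one-line hint for the person reading the journal."""
    if not result["id_mismatch"]:
        return "No IKEv1 peer ID mismatch found in the supplied lines."
    loops = result["notifications"].count("INVALID_ID_INFORMATION")  # type: ignore[union-attr]
    return (
        f"Peer declares {result['declared_type']} '{result['declared_id']}' but the "
        f"connection requires '{result['required_id']}'; INVALID_ID_INFORMATION was sent "
        f"{loops} time(s). Candidate fix (assumption: remote ID must equal the declared ID): "
        f"set NetworkManager-l2tp 'Remote ID' to '{result['declared_id']}'."
    )


if __name__ == "__main__":
    print(suggest(diagnose(SAMPLE_JOURNAL)))
```

In practice, feed it the relevant lines from `journalctl --since=today -u ipsec.service` and verify the proposed remote ID against what the peer is supposed to be before changing the profile, since a peer that declares an unexpected ID can also indicate NAT between client and gateway or a misconfigured gateway.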