[Swan] Configuring L2TP client using NetworkManager

Fri Jun 3 05:00:38 EEST 2022

Hi Douglas,

Disabling PFS did not help but

sudo systemctl stop ipsec.service && sudo dnf -y erase libreswan && sudo 
dnf -y install strongswan

resulted in a successful connection!

I did not realize that a switch between swans is that easy.

For a test I switched Ubuntu to libreswan and connection fails.

This time, upon examination

journalctl --since=today -u ipsec.service -u NetworkManager

errors were completely different, from pluto:

#1: Peer ID is ID_IPV4_ADDR: 'X.X.X.222'
#1: we require IKEv1 peer to have ID 'X.X.X.27', but peer declares 
'X.X.X.222'
#1: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.27:4500
#1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0x33 
but should have been zero (ignored)
#1: length of ISAKMP Hash Payload is larger than can fit
#1: malformed payload in packet

above block repeats indefinitely, until 'sudo systemctl stop 
ipsec.service' is issued.

Gateway hostname corresponds to X.X.X.27

Please advise.
Josh.

On 6/2/22 18:28, Douglas Kosovic wrote:
> Correction, on Ubuntu to switch to libreswan with the network-manager-l2tp package, issue:
>
> sudo apt install libreswan
>
> -----Original Message-----
> From: Douglas Kosovic
> Sent: Friday, 3 June 2022 8:25 AM
> To: Josh <jvpn at use.startmail.com>
> Cc: Swan at lists.libreswan.org
> Subject: RE: [Swan] Configuring L2TP client using NetworkManager
>
> Hi Josh,
>
> As it is failing Quick Mode (phase 2) for libreswan but not strongswan, you try could clicking the "Disable PFS" checkbox in NetworkManager-l2tp's IPsec config dialog box, PFS is enabled by default with libreswan, but not with strongswan (where the option is greyed out).
>
> Unrelated to this issue, but since you are using Fedora, I would recommend removing the blacklistings of L2TP kernel modules, see:
> https://github.com/nm-l2tp/NetworkManager-l2tp/tree/1.20.4#issue-with-blacklisting-of-l2tp-kernel-modules
>
> For historical reasons on Ubuntu, the network-manager-l2tp package default dependency is strongswan, to switch to libreswan, issue the following:
>
>     sudo dnf install libreswan
>
> On Fedora, NetworkManager-l2tp will use strongswan if it can't find libreswan.
>
>
>
> Cheers,
> Doug
>
>> On Jun 2, 2022, at 13:49, Josh <jvpn at use.startmail.com> wrote:
>>
>> Hello Paul,
>>
>> You are correct. I found instructions from a random VPN provider:
>>
>> https://www.rapidvpn.com/setup-vpn-l2tp-ubuntu
>> https://www.rapidvpn.com/setup-vpn-l2tp-fedora
>>
>> Ubuntu 20 uses strongswan for l2tp/ipsec and connects to keenetic l2tp server just fine.
>> Fedora 36 uses libreswan and connection to the same instance fails
>> with error messages matching
>>
>> https://lists.libreswan.org/pipermail/swan/2017/002022.html
>>
>> Could anyone suggest any debugging steps?
>>
>> Josh.
>>
>>> On 5/30/22 17:17, Paul Wouters wrote:
>>>> On Fri, 27 May 2022, Josh wrote:
>>>>
>>>> Subject: [Swan] Configuring L2TP client using NetworkManager
>>>> On my latest Fedora NetworkManager UI there are many different options.
>>>> I tried to do my best finding places I need to enter four given above but result is still a failure.
>>> Did you use install NetworkManager-l2tp-gnome and then select "add vpn" ?
>>>
>>> gateway is the remote vpn host, username and password is what you
>>> expect, and under "IPsec settings" at the bottom you can see "enable
>>> IPsec" and "pre-shared key". Possibly under "advanced" you put in the
>>> DNS name of the remote vpn server under "remote ID".
>>>
>>>> Is there a manual to setup L2TP connection via NetworkManager UI?
>>> Possibly, but I wouldn't know.