[Swan] Configuring L2TP client using NetworkManager

Fri Jun 3 05:19:18 EEST 2022

Hi Josh,

For Ubuntu I would recommend using the latest version of network-manager-l2tp from the following as it has a number of bug fixes and feature updates :
https://launchpad.net/~nm-l2tp/+archive/ubuntu/network-manager-l2tp

Regarding "we require IKEv1 peer to have ID 'X.X.X.27', but peer declares 'X.X.X.222'" error, you could set the "Remote ID" to X.X.X.222 in the IPsec config dialog box, assuming it was previously empty.

Cheers,
Doug

-----Original Message-----
From: Josh <jvpn at use.startmail.com> 
Sent: Friday, 3 June 2022 12:01 PM
To: Douglas Kosovic <doug at uq.edu.au>
Cc: swan at lists.libreswan.org
Subject: Re: [Swan] Configuring L2TP client using NetworkManager

Hi Douglas,

Disabling PFS did not help but

sudo systemctl stop ipsec.service && sudo dnf -y erase libreswan && sudo dnf -y install strongswan

resulted in a successful connection!

I did not realize that a switch between swans is that easy.

For a test I switched Ubuntu to libreswan and connection fails.

This time, upon examination

journalctl --since=today -u ipsec.service -u NetworkManager

errors were completely different, from pluto:

#1: Peer ID is ID_IPV4_ADDR: 'X.X.X.222'
#1: we require IKEv1 peer to have ID 'X.X.X.27', but peer declares 'X.X.X.222'
#1: sending encrypted notification INVALID_ID_INFORMATION to X.X.X.27:4500
#1: byte at offset 1 (29) of 'ISAKMP Hash Payload'.'reserved' is 0x33 but should have been zero (ignored)
#1: length of ISAKMP Hash Payload is larger than can fit
#1: malformed payload in packet

above block repeats indefinitely, until 'sudo systemctl stop ipsec.service' is issued.

Gateway hostname corresponds to X.X.X.27

Please advise.
Josh.

On 6/2/22 18:28, Douglas Kosovic wrote:
> Correction, on Ubuntu to switch to libreswan with the network-manager-l2tp package, issue:
>
> sudo apt install libreswan
>
> -----Original Message-----
> From: Douglas Kosovic
> Sent: Friday, 3 June 2022 8:25 AM
> To: Josh <jvpn at use.startmail.com>
> Cc: Swan at lists.libreswan.org
> Subject: RE: [Swan] Configuring L2TP client using NetworkManager
>
> Hi Josh,
>
> As it is failing Quick Mode (phase 2) for libreswan but not strongswan, you try could clicking the "Disable PFS" checkbox in NetworkManager-l2tp's IPsec config dialog box, PFS is enabled by default with libreswan, but not with strongswan (where the option is greyed out).
>
> Unrelated to this issue, but since you are using Fedora, I would recommend removing the blacklistings of L2TP kernel modules, see:
> https://github.com/nm-l2tp/NetworkManager-l2tp/tree/1.20.4#issue-with-
> blacklisting-of-l2tp-kernel-modules
>
> For historical reasons on Ubuntu, the network-manager-l2tp package default dependency is strongswan, to switch to libreswan, issue the following:
>
>     sudo dnf install libreswan
>
> On Fedora, NetworkManager-l2tp will use strongswan if it can't find libreswan.
>
>
>
> Cheers,
> Doug
>
>> On Jun 2, 2022, at 13:49, Josh <jvpn at use.startmail.com> wrote:
>>
>> Hello Paul,
>>
>> You are correct. I found instructions from a random VPN provider:
>>
>> https://www.rapidvpn.com/setup-vpn-l2tp-ubuntu
>> https://www.rapidvpn.com/setup-vpn-l2tp-fedora
>>
>> Ubuntu 20 uses strongswan for l2tp/ipsec and connects to keenetic l2tp server just fine.
>> Fedora 36 uses libreswan and connection to the same instance fails 
>> with error messages matching
>>
>> https://lists.libreswan.org/pipermail/swan/2017/002022.html
>>
>> Could anyone suggest any debugging steps?
>>
>> Josh.
>>
>>> On 5/30/22 17:17, Paul Wouters wrote:
>>>> On Fri, 27 May 2022, Josh wrote:
>>>>
>>>> Subject: [Swan] Configuring L2TP client using NetworkManager On my 
>>>> latest Fedora NetworkManager UI there are many different options.
>>>> I tried to do my best finding places I need to enter four given above but result is still a failure.
>>> Did you use install NetworkManager-l2tp-gnome and then select "add vpn" ?
>>>
>>> gateway is the remote vpn host, username and password is what you 
>>> expect, and under "IPsec settings" at the bottom you can see "enable 
>>> IPsec" and "pre-shared key". Possibly under "advanced" you put in 
>>> the DNS name of the remote vpn server under "remote ID".
>>>
>>>> Is there a manual to setup L2TP connection via NetworkManager UI?
>>> Possibly, but I wouldn't know.