Score:0

VPN client creation on Ubuntu with strongswan fails

sj flag

I've set up an L2TP VPN server on my home router and the connection between Windows 10 clients works properly. Now I want to set up a VPN client on an Ubuntu 18.04 machine. I've used this configuration (x.x.x.x is the static IP of my home router and y.y.y.y is the private IP of my Ubuntu machine):

/etc/ipsec.conf

config setup
     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
     nat_traversal=yes
     protostack=netkey
     plutoopts="--interface=eth0"

conn L2TP-PSK
     authby=secret
     pfs=no
     auto=add
     keyingtries=3
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     rekey=yes
     ikelifetime=8h
     keylife=1h
     type=transport
     left=y.y.y.y
     leftprotoport=17/1701
     right=x.x.x.x
     rightprotoport=17/1701

/etc/ipsec.secrets

y.y.y.y x.x.x.x : PSK "pre_shared_key"

/etc/xl2tpd/xl2tpd.conf

[lac vpn-connection]
lns = x.x.x.x
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

/etc/ppp/options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name vpn_username
password password

Unfortunately I'm getting the below error:

$ sudo ipsec up L2TP-PSK
initiating IKE_SA L2TP-PSK[5] to x.x.x.x
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from y.y.y.y[500] to x.x.x.x[500] (1302 bytes)
received packet: from x.x.x.x[500] to y.y.y.y[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error
establishing connection 'L2TP-PSK' failed

Unfortunately I can't find any other logs :(

Thanks a lot! Luca

cn flag
A possible issue could be that the router might only support the _modp1024_ DH group, none of the stronger ones strongSwan proposes. So try configuring e.g. `ike=aes128-sha1-modp1024` (you could maybe also check the router config to see what algorithms it actually expects/supports).
Luca De Fassi (sj flag)
Hi, unfortunately nothing changed. I'm getting the same error. And I can't find any clues about which algorithm my router supports :(
cn flag
The router might not support IKEv2, so try setting `keyexchange=ikev1`.
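Combining the two suggestions above (a modp1024 proposal and IKEv1) into one strongSwan 5 /etc/ipsec.conf, as an added example that is not part of the original thread. x.x.x.x and y.y.y.y stay the asker's placeholders; the charondebug line is an assumption about how to get the extra log output the asker could not find, and the `!` suffix is strongSwan's strict-proposal marker.

```ini
# /etc/ipsec.conf for strongSwan 5.x - added example, not the asker's file.
config setup
    # nat_traversal, protostack and plutoopts are Openswan/Libreswan keywords;
    # strongSwan does not use them (NAT traversal is always enabled).
    charondebug="ike 2, cfg 2"    # assumption: more IKE/config detail in the log

conn L2TP-PSK
    keyexchange=ikev1             # the router answered NO_PROPOSAL_CHOSEN to IKEv2
    authby=secret
    # Strict proposals ("!"): offer only what the router is expected to accept.
    # aes128-sha1-modp1024 is legacy strength; use it only because this peer
    # offers nothing stronger, and check the router's own algorithm list if possible.
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!
    pfs=no                        # IKEv1 quick mode without PFS, as in the original conn
    type=transport                # L2TP/IPsec uses transport mode
    left=y.y.y.y                  # placeholder: Ubuntu client's private IP
    leftprotoport=udp/l2tp        # same as 17/1701 in the original
    right=x.x.x.x                 # placeholder: router's static public IP
    rightprotoport=udp/l2tp
    dpdaction=clear
    dpddelay=30
    dpdtimeout=120
    ikelifetime=8h
    keylife=1h
    keyingtries=3
    auto=add
```

After `sudo ipsec restart`, `sudo ipsec up L2TP-PSK` should now send an IKEv1 main-mode proposal the router can match instead of the IKE_SA_INIT shown in the question.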