L2TP VPN Client

NatLun123
Level 1
Posts: 2
Joined: Mon Dec 11, 2017 4:48 am

Mint 18.2... nothing works ... Re: L2TP VPN Client

Post by NatLun123 »

Hi! I have a BIG problem getting the VPN connection to work. I have tried all the steps mentioned in the discussion above with NO result. The https://github.com/nm-l2tp/network-mana ... her-suites helped me to establish a connection for ONE minute ..... sudo /usr/lib/NetworkManager/nm-l2tp-service --debug gives the following:

nm-l2tp[29541] <debug> nm-l2tp-service (version 1.2.8) starting...
nm-l2tp[29541] <debug> uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[29541] <info> ipsec enable flag: yes
** Message: Check port 1701
connection
id : "VPN HK" (s)
uuid : "f7184542-54d2-44aa-aea6-30a585d1036e" (s)
interface-name : NULL (sd)
type : "vpn" (s)
permissions : ["user:natallia:"] (s)
autoconnect : FALSE (s)
autoconnect-priority : 0 (sd)
timestamp : 0 (sd)
read-only : FALSE (sd)
zone : NULL (sd)
master : NULL (sd)
slave-type : NULL (sd)
autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
secondaries : [] (s)
gateway-ping-timeout : 0 (sd)
metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
lldp : -1 (sd)


ipv6
method : "auto" (s)
dns : [] (s)
dns-search : [] (s)
dns-options : NULL (sd)
dns-priority : 0 (sd)
addresses : ((GPtrArray*) 0x23ceb40) (s)
gateway : NULL (sd)
routes : ((GPtrArray*) 0x23ceb60) (s)
route-metric : -1 (sd)
ignore-auto-routes : FALSE (sd)
ignore-auto-dns : FALSE (sd)
dhcp-hostname : NULL (sd)
dhcp-send-hostname : TRUE (sd)
never-default : FALSE (sd)
may-fail : TRUE (sd)
dad-timeout : -1 (sd)
dhcp-timeout : 0 (sd)
ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd)
addr-gen-mode : 1 (sd)


ipv4
method : "auto" (s)
dns : [] (s)
dns-search : [] (s)
dns-options : NULL (sd)
dns-priority : 0 (sd)
addresses : ((GPtrArray*) 0x23cec20) (s)
gateway : NULL (sd)
routes : ((GPtrArray*) 0x23cec40) (s)
route-metric : -1 (sd)
ignore-auto-routes : FALSE (sd)
ignore-auto-dns : FALSE (sd)
dhcp-hostname : NULL (sd)
dhcp-send-hostname : TRUE (sd)
never-default : FALSE (sd)
may-fail : TRUE (sd)
dad-timeout : -1 (sd)
dhcp-timeout : 0 (sd)
dhcp-client-id : NULL (sd)
dhcp-fqdn : NULL (sd)


vpn
service-type : "org.freedesktop.NetworkManager.l2tp" (s)
user-name : "natallia" (s)
persistent : FALSE (sd)
data : ((GHashTable*) 0x7ff058004cc0) (s)
secrets : ((GHashTable*) 0x23b4760) (s)
timeout : 0 (sd)


nm-l2tp[29541] <info> starting ipsec
Redirecting to: systemctl stop ipsec.service
Redirecting to: systemctl start ipsec.service
002 listening for IKE messages
002 adding interface wlp2s0/wlp2s0 192.168.1.250:500
002 adding interface wlp2s0/wlp2s0 192.168.1.250:4500
002 adding interface lo/lo 127.0.0.1:500
002 adding interface lo/lo 127.0.0.1:4500
002 adding interface lo/lo ::1:500
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-f7184542-54d2-44aa-aea6-30a585d1036e.secrets"
opening file: /var/run/nm-l2tp-ipsec-f7184542-54d2-44aa-aea6-30a585d1036e.conf
debugging mode enabled
end of file /var/run/nm-l2tp-ipsec-f7184542-54d2-44aa-aea6-30a585d1036e.conf
Loading conn f7184542-54d2-44aa-aea6-30a585d1036e
starter: left is KH_DEFAULTROUTE
loading named conns: f7184542-54d2-44aa-aea6-30a585d1036e
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst via 192.168.1.1 dev wlp2s0 src table 254
set nexthop: 192.168.1.1
dst 169.254.0.0 via dev wlp2s0 src table 254
dst 192.168.1.0 via dev wlp2s0 src 192.168.1.250 table 254
dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored)
dst 192.168.1.0 via dev wlp2s0 src 192.168.1.250 table 255 (ignored)
dst 192.168.1.250 via dev wlp2s0 src 192.168.1.250 table 255 (ignored)
dst 192.168.1.255 via dev wlp2s0 src 192.168.1.250 table 255 (ignored)

seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst 192.168.1.1 via dev wlp2s0 src 192.168.1.250 table 254
set addr: 192.168.1.250

seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "f7184542-54d2-44aa-aea6-30a585d1036e" modecfgdomain=(null)
conn: "f7184542-54d2-44aa-aea6-30a585d1036e" modecfgbanner=(null)
conn: "f7184542-54d2-44aa-aea6-30a585d1036e" mark-in=(null)
conn: "f7184542-54d2-44aa-aea6-30a585d1036e" mark-out=(null)
conn: "f7184542-54d2-44aa-aea6-30a585d1036e" vti_iface=(null)
002 added connection description "f7184542-54d2-44aa-aea6-30a585d1036e"
nm-l2tp[29541] <info> Spawned ipsec auto --up script with PID 30214.
002 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: initiating Main Mode
104 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: STATE_MAIN_I1: initiate
002 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: ignoring unknown Vendor ID payload [b136b34f6dbcbf61e511572b04d6ae50]
002 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: Main mode peer ID is ID_IPV4_ADDR: '82.183.32.115'
002 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1024}
002 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:bfca1e9e proposal=3DES(3)_000-SHA1(2) pfsgroup=no-pfs}
117 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: STATE_QUICK_I1: initiate
003 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=bfca1e9e, length=28
003 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
003 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: our client subnet returned doesn't match my proposal - us:192.168.1.250/32 vs them:85.226.251.187/32
003 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
003 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: our client peer returned port doesn't match my proposal - us:1701 vs them:0
003 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: Allowing bad L2TP/IPsec proposal (see bug #849) anyway
002 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x63ce9fbf <0x0b681f4d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=82.183.32.115:4500 DPD=passive}
nm-l2tp[29541] <info> Libreswan IPsec tunnel is up.
** Message: xl2tpd started with pid 30225
xl2tpd[30225]: setsockopt recvref[30]: Protocol not available
xl2tpd[30225]: Using l2tp kernel support.
xl2tpd[30225]: xl2tpd version xl2tpd-1.3.6 started on natallia-HP PID:30225
xl2tpd[30225]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[30225]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[30225]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[30225]: Forked again by Xelerance (http://www.xelerance.com) (C) 2006
xl2tpd[30225]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[30225]: get_call: allocating new tunnel for host 82.183.32.115, port 1701.
xl2tpd[30225]: Connecting to host 82.183.32.115, port 1701
xl2tpd[30225]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
xl2tpd[30225]: control_finish: sending SCCRQ
xl2tpd[30225]: handle_avps: handling avp's for tunnel 11742, call 0
xl2tpd[30225]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[30225]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[30225]: framing_caps_avp: supported peer frames: async sync
xl2tpd[30225]: bearer_caps_avp: supported peer bearers: analog digital
xl2tpd[30225]: firmware_rev_avp: peer reports firmware version 4384 (0x1120)
xl2tpd[30225]: hostname_avp: peer reports hostname 'OMGFW02'
xl2tpd[30225]: vendor_avp: peer reports vendor 'Cisco Systems, Inc.'
xl2tpd[30225]: assigned_tunnel_avp: using peer's tunnel 877
xl2tpd[30225]: receive_window_size_avp: peer wants RWS of 16. Will use flow control.
xl2tpd[30225]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 877, call is 0.
xl2tpd[30225]: control_finish: sending SCCCN
xl2tpd[30225]: Connection established to 82.183.32.115, 1701. Local: 11742, Remote: 877 (ref=0/0).
xl2tpd[30225]: Calling on tunnel 11742
xl2tpd[30225]: control_finish: message type is (null)(0). Tunnel is 877, call is 0.
xl2tpd[30225]: control_finish: sending ICRQ
xl2tpd[30225]: handle_avps: handling avp's for tunnel 11742, call 18368
xl2tpd[30225]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[30225]: assigned_call_avp: using peer's call 876
xl2tpd[30225]: control_finish: message type is Incoming-Call-Reply(11). Tunnel is 877, call is 876.
xl2tpd[30225]: control_finish: Sending ICCN
xl2tpd[30225]: Call established with 82.183.32.115, Local: 18368, Remote: 876, Serial: 1 (ref=0/0)
xl2tpd[30225]: start_pppd: I'm running:
xl2tpd[30225]: "/usr/sbin/pppd"
xl2tpd[30225]: "passive"
xl2tpd[30225]: "nodetach"
xl2tpd[30225]: ":"
xl2tpd[30225]: "debug"
xl2tpd[30225]: "file"
xl2tpd[30225]: "/var/run/nm-l2tp-ppp-options-f7184542-54d2-44aa-aea6-30a585d1036e"
xl2tpd[30225]: "plugin"
xl2tpd[30225]: "pppol2tp.so"
xl2tpd[30225]: "pppol2tp"
xl2tpd[30225]: "7"
xl2tpd[30225]: handle_avps: handling avp's for tunnel 11742, call 18368
xl2tpd[30225]: message_type_avp: message type 16 (Set-Link-Info)
xl2tpd[30225]: ignore_avp : Ignoring AVP
xl2tpd[30225]: control_finish: message type is Set-Link-Info(16). Tunnel is 877, call is 876.
xl2tpd[30225]: Maximum retries exceeded for tunnel 11742. Closing.
xl2tpd[30225]: Terminating pppd: sending TERM signal to pid 30234
xl2tpd[30225]: Connection 877 closed to 82.183.32.115, port 1701 (Timeout)
nm-l2tp[29541] <info> Terminated xl2tpd daemon with PID 30225.
xl2tpd[30225]: death_handler: Fatal signal 15 received
002 "f7184542-54d2-44aa-aea6-30a585d1036e": deleting non-instance connection
002 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: deleting state (STATE_QUICK_I2)
005 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: ESP traffic information: in=0B out=0B
002 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: deleting state (STATE_MAIN_I4)
** Message: ipsec shut down
nm-l2tp[29541] <warn> xl2tpd exited with error code 1
021 no connection named "f7184542-54d2-44aa-aea6-30a585d1036e"
** Message: ipsec shut down


PLEASE, help.
mrGromov
Level 1
Posts: 1
Joined: Sat Feb 10, 2018 11:48 am

Re: L2TP VPN Client

Post by mrGromov »

rickcr wrote:
Thu Sep 14, 2017 3:57 pm
/bump. Real shame since Linux is much slower in my VM than native, I really want to get this VPN thing worked out.
A bit late, but may be useful for someone.

Try to use libreswan instead of strongswan.

Code:

sudo apt install libreswan
Mint 18 KDE.
NatLun123
Level 1
Posts: 2
Joined: Mon Dec 11, 2017 4:48 am

Re: L2TP VPN Client

Post by NatLun123 »

Hm, I tried them both, libreswan and strongswan, but nothing worked for me....
psg9196
Level 1
Posts: 12
Joined: Wed Apr 26, 2017 2:24 am

Re: L2TP VPN Client

Post by psg9196 »

Hi NatLun123,

There are some posts from Apr 26, 2017 on in this thread that may help you. If you are using Microsoft domain authentication, you may need to check only the MSCHAPv2 authentication method in the L2TP PPP Options.
You can also scan the VPN gateway (using the method described in my earlier post - May 20, 2017) and set the Phase1/Phase2 algorithms in the IPSec Settings accordingly.
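
Added example, not part of any post in this thread: Python that reads the phase 1 and phase 2 algorithms actually negotiated out of the debug log posted earlier, lists the ones a legacy table flags, and reports how far the connection got before xl2tpd gave up. The function names and the LEGACY table are assumptions of this example; the sample lines are copied from that log.

```python
import re

# Lines copied from the debug log posted above (sample input for this example).
LOG = '''\
004 "f7184542-54d2-44aa-aea6-30a585d1036e" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1024}
004 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x63ce9fbf <0x0b681f4d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=82.183.32.115:4500 DPD=passive}
xl2tpd[30225]: Connection established to 82.183.32.115, 1701. Local: 11742, Remote: 877 (ref=0/0).
xl2tpd[30225]: Call established with 82.183.32.115, Local: 18368, Remote: 876, Serial: 1 (ref=0/0)
xl2tpd[30225]: Maximum retries exceeded for tunnel 11742. Closing.
005 "f7184542-54d2-44aa-aea6-30a585d1036e" #2: ESP traffic information: in=0B out=0B
'''

# Assumption of this example: which negotiated values count as legacy.
LEGACY = {"3des": "3DES", "sha": "SHA-1", "sha1": "SHA-1",
          "modp1024": "MODP1024 (DH group 2)"}

def negotiated(log):
    """Return the IKE (phase 1) and ESP (phase 2) algorithms pluto reports."""
    out = {}
    m = re.search(r"ISAKMP SA established \{auth=(\S+) cipher=(\S+) "
                  r"integ=(\S+) group=(\S+)\}", log)
    if m:
        out["phase1"] = {"auth": m[1], "cipher": m[2], "integ": m[3], "group": m[4]}
    m = re.search(r"IPsec SA established (\w+) mode \{.*?xfrm=(\w+?)-HMAC_(\w+)", log)
    if m:
        out["phase2"] = {"mode": m[1], "cipher": m[2], "integ": m[3]}
    return out

def legacy_algorithms(params):
    """List negotiated values that match the LEGACY table, per phase."""
    hits = []
    for phase, fields in sorted(params.items()):
        for key in ("cipher", "integ", "group"):
            # "3des_cbc_192" and "3DES_0" both reduce to the token "3des".
            token = fields.get(key, "").lower().split("_")[0]
            if token in LEGACY:
                hits.append((phase, LEGACY[token]))
    return hits

def furthest_stage(log):
    """Name the last stage that completed and whether xl2tpd then timed out."""
    stages = [("ipsec", "IPsec SA established"),
              ("l2tp-tunnel", "Connection established to"),
              ("l2tp-call", "Call established with")]
    reached = [name for name, marker in stages if marker in log]
    return (reached[-1] if reached else None, "Maximum retries exceeded" in log)
```

For the log above, the IPsec SA and both L2TP stages complete and the timeout comes afterwards, so changing the Phase1/Phase2 algorithm fields alone would not be expected to change the outcome shown.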
GamesBond
Level 1
Posts: 10
Joined: Sun Dec 15, 2013 4:22 am

Re: L2TP VPN Client

Post by GamesBond »

Confirm that the solution by canove » Wed Jun 07, 2017 2:35 pm works on Linux Mint 18.3!!!

(the post by psg9196 @ Wed Apr 26, 2017 3:10 pm doesn't work on LM 18.3 but was written for LM 18.1)

I managed to connect to a Draytek VPN router using L2TP over IPSEC, thanks!!!
araknafobia
Level 1
Posts: 2
Joined: Mon Jun 12, 2017 7:52 pm

Re: L2TP VPN Client

Post by araknafobia »

Hi all,
I just found this and it worked like a charm. Hope it helps someone.
http://stuffjasondoes.com/2018/08/16/co ... k-manager/
Ohmu93
Level 1
Posts: 6
Joined: Mon Apr 01, 2019 4:43 pm

Re: L2TP VPN Client

Post by Ohmu93 »

araknafobia wrote:
Tue Sep 18, 2018 5:13 pm
Hi all,
I just found this and it worked like a charm. Hope it helps someone.
http://stuffjasondoes.com/2018/08/16/co ... k-manager/
You sir saved my day, thank you!