L2TP/IPSEC Remote Access from Ubuntu 20.04

I have been fiddling with the settings for some time now to no avail.  Android (Samsung) and Windows 10 clients can connect using their default settings but I can't figure out how to get an Ubuntu 20.04 client to connect to my UTM for remote access.

I have the UTM set to use a pre-shared key and am certain it is correctly configured on the Ubuntu machine.  I can see the encoded version of it in /etc/ipsec.d/ipsec.nm-l2tp.secrets when the connection attempt is in progress.

I have looked at the generated /var/sec/chroot-ipsec/etc/ipsec.conf on the UTM and it seems sane:

[snip]
conn L_REF_IpsL2t1_0
    authby="psk"
    auto="add"
    compress="yes"
    esp="aes128-sha1"
    ike="aes128-sha2_256-modp2048"
    ikelifetime="28800"
    keyexchange="ike"
    keyingtries="3"
    keylife="3600"
    left="xx.xx.xx.xx"
    leftid="@remote.example.com"
    leftprotoport="17/1701"
    leftupdown="/usr/libexec/ipsec/updown strict"
    pfs="no"
    rekey="no"
    rekeymargin="540"
    right="0.0.0.0"
    rightid="%any"
    rightprotoport="17/%any"
    rightsubnetwithin="0.0.0.0/0"
    type="transport"
[snip]

The ipsec.conf that NetworkManager is generating seems similarly sane:

conn 4c0a3b28-1a8d-40c1-8667-c68166866f5d
    auto=add
    type=transport
    authby=secret
    left=%defaultroute
    right=xx.xx.xx.xx
    rightid=%any
    rightprotoport=udp/l2tp
    keyingtries=%forever
    ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp384,aes128-sha1-modp1024,aes128-sha1-ecp256,3des-sha1-modp2048,3des-sha1-modp1024!
    esp=aes256-sha1,aes128-sha1,3des-sha1!
    keyexchange=ikev1

I have told NetworkManager to use "@remote.example.com" as the rightid instead of the IP but that didn't fix it. I've also tried explicitly setting the ike and esp algorithms to match the UTM's config. No joy.

I get errors like so on the Ubuntu side:

parsed INFORMATIONAL_V1 request 2712846937 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify

I get errors like so on the UTM side:

cannot respond to IPsec SA request because no connection is known for xx.xx.xx.xx[remote.example.com]:17/1701...10.0.0.100[10.0.0.100]:0/%any

Any ideas what's missing?

PS: I've been trying to compare the debug output on the UTM between a working Windows client and the failing Ubuntu client, but they're different enough to make it pretty difficult to align.  No luck there yet.
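A responder rejects a quick-mode request with INVALID_ID_INFORMATION when no conn matches the identities and traffic selectors the initiator proposed, and the UTM log line above spells out what it saw: the UTM side as 17/1701 and the client side as 0/%any. The script below is an added example, not code from the thread or from Sophos or NetworkManager-l2tp; it parses the two conn sections quoted above (transcribed into constructed strings), mirrors them (the client's right side is the UTM's left side and vice versa), normalises protoports such as udp/l2tp to 17/1701, and reports selector pairs that cannot match, plus proposal lists that do not overlap. Treating an unset protoport as 0/%any and treating a non-strict responder list (no trailing "!") as a note rather than an error are assumptions about strongSwan's defaults made for this example.

```python
"""Consistency check between an L2TP/IPsec responder conn (UTM) and the
initiator conn (NetworkManager-l2tp). Added example; the two config
excerpts below are constructed transcriptions of the ones in the thread."""

UTM_CONF = """
conn L_REF_IpsL2t1_0
    authby="psk"
    auto="add"
    esp="aes128-sha1"
    ike="aes128-sha2_256-modp2048"
    keyexchange="ike"
    left="xx.xx.xx.xx"
    leftid="@remote.example.com"
    leftprotoport="17/1701"
    right="0.0.0.0"
    rightid="%any"
    rightprotoport="17/%any"
    type="transport"
"""

NM_CONF = """
conn 4c0a3b28-1a8d-40c1-8667-c68166866f5d
    auto=add
    type=transport
    authby=secret
    left=%defaultroute
    right=xx.xx.xx.xx
    rightid=%any
    rightprotoport=udp/l2tp
    ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp384,aes128-sha1-modp1024,aes128-sha1-ecp256,3des-sha1-modp2048,3des-sha1-modp1024!
    esp=aes256-sha1,aes128-sha1,3des-sha1!
    keyexchange=ikev1
"""

PROTO_NUMBERS = {"udp": "17", "tcp": "6"}   # protocol names -> IANA numbers
PORT_NUMBERS = {"l2tp": "1701"}              # service names -> port numbers


def parse_conn(text):
    """Return {key: value} for the conn section in text; quotes stripped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn ") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params


def protoport(params, side):
    """Normalise <side>protoport to (protocol_number, port).

    Assumption: an unset protoport means any protocol and any port, which
    is what the UTM log prints as 0/%any for the client side."""
    raw = params.get(side + "protoport", "0/%any")
    proto, _, port = raw.partition("/")
    proto = PROTO_NUMBERS.get(proto.lower(), proto)
    port = PORT_NUMBERS.get(port.lower(), port) if port else "%any"
    return proto, port


def protoports_compatible(a, b):
    """Selectors match when protocols agree and ports agree or either is %any."""
    if a[0] != b[0]:
        return False
    return a[1] == b[1] or "%any" in (a[1], b[1])


def proposals(params, key):
    """Split an ike=/esp= list into (set of proposals, strict flag)."""
    raw = params.get(key, "")
    strict = raw.endswith("!")
    return {p for p in raw.rstrip("!").split(",") if p}, strict


def check_pairing(server, client):
    """Return [(severity, message)]; an empty list means the conns line up."""
    findings = []
    # Traffic selectors: the client's left mirrors the server's right.
    for srv_side, cli_side in (("left", "right"), ("right", "left")):
        s, c = protoport(server, srv_side), protoport(client, cli_side)
        if not protoports_compatible(s, c):
            findings.append(("error",
                f"protoport mismatch: server {srv_side}={s[0]}/{s[1]} "
                f"vs client {cli_side}={c[0]}/{c[1]}"))
    # Proposals: a strict ('!') initiator offers only its listed suites.
    for key in ("ike", "esp"):
        s_props, s_strict = proposals(server, key)
        c_props, c_strict = proposals(client, key)
        if c_strict and not (s_props & c_props):
            # Assumption: a non-strict responder also considers its built-in
            # defaults, so a non-overlapping configured list is only a note.
            severity = "error" if s_strict else "note"
            findings.append((severity,
                f"{key}: server proposal {sorted(s_props)} is not in the "
                f"client's strict list"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_pairing(parse_conn(UTM_CONF), parse_conn(NM_CONF)):
        print(f"[{severity}] {msg}")
```

Run as-is, the only error-level finding is the selector pair server right=17/%any versus client left=0/%any, the same pair the UTM log line reports; the IKE list is flagged only as a note because the UTM's ike= line is not strict and the ESP lists overlap on aes128-sha1. Giving the client a leftprotoport that mirrors the UTM's rightprotoport makes the error finding disappear, which is how the check can be used to confirm a candidate change before trying it on the live connection.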
