I have been fiddling with the settings for some time now to no avail. Android (Samsung) and Windows 10 clients can connect using their default settings but I can't figure out how to get an Ubuntu 20.04 client to connect to my UTM for remote access.
I have the UTM set to use a pre-shared key and am certain it is correctly configured on the Ubuntu machine. I can see the encoded version of it in /etc/ipsec.d/ipsec.nm-l2tp.secrets when the connection attempt is in progress.
I have looked at the generated /var/sec/chroot-ipsec/etc/ipsec.conf on the UTM and it seems sane:
[snip]
conn L_REF_IpsL2t1_0
    authby="psk"
    auto="add"
    compress="yes"
    esp="aes128-sha1"
    ike="aes128-sha2_256-modp2048"
    ikelifetime="28800"
    keyexchange="ike"
    keyingtries="3"
    keylife="3600"
    left="xx.xx.xx.xx"
    leftid="@remote.example.com"
    leftprotoport="17/1701"
    leftupdown="/usr/libexec/ipsec/updown strict"
    pfs="no"
    rekey="no"
    rekeymargin="540"
    right="0.0.0.0"
    rightid="%any"
    rightprotoport="17/%any"
    rightsubnetwithin="0.0.0.0/0"
    type="transport"
[snip]
The ipsec.conf that NetworkManager is generating seems similarly sane:
conn 4c0a3b28-1a8d-40c1-8667-c68166866f5d
    auto=add
    type=transport
    authby=secret
    left=%defaultroute
    right=xx.xx.xx.xx
    rightid=%any
    rightprotoport=udp/l2tp
    keyingtries=%forever
    ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp384,aes128-sha1-modp1024,aes128-sha1-ecp256,3des-sha1-modp2048,3des-sha1-modp1024!
    esp=aes256-sha1,aes128-sha1,3des-sha1!
    keyexchange=ikev1
I have told NetworkManager to use "@remote.example.com" as the rightid instead of the IP but that didn't fix it. I've also tried explicitly setting the ike and esp algorithms to match the UTM's config. No joy.
I get errors like so on the Ubuntu side:
parsed INFORMATIONAL_V1 request 2712846937 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
I get errors like so on the UTM side:
cannot respond to IPsec SA request because no connection is known for xx.xx.xx.xx[remote.example.com]:17/1701...10.0.0.100[10.0.0.100]:0/%any
Any ideas what's missing?
PS: I've been trying to compare the debug output on the UTM between a working Windows client and the failing Ubuntu client but they're different enough to make it pretty difficult to align. No luck there yet.
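Added example, not part of the original post: a small Python check that parses the two conn blocks quoted above (cut down to the id and protoport keys) and pairs the UTM's left side with the client's right side, which is the pairing the UTM's "no connection is known for ...:17/1701...:0/%any" line reports. It assumes pluto's matching rules (exact protocol match, %any as a port wildcard, an unset protoport meaning 0/%any) and treats an unset id as a wildcard because the addresses in the post are redacted.

```python
# Names strongSwan accepts in protoport values; assumed to resolve the same on both ends.
PROTO_NAMES = {"udp": "17", "tcp": "6"}
PORT_NAMES = {"l2tp": "1701"}

# The two conn blocks quoted in the post, reduced to the keys this check looks at.
UTM_CONN = """
conn L_REF_IpsL2t1_0
    leftid="@remote.example.com"
    leftprotoport="17/1701"
    rightid="%any"
    rightprotoport="17/%any"
"""
CLIENT_CONN = """
conn 4c0a3b28-1a8d-40c1-8667-c68166866f5d
    rightid=%any
    rightprotoport=udp/l2tp
"""

def parse_conn(text):
    """Parse one conn block; values may be quoted (UTM style) or bare (NetworkManager style)."""
    conf = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("conn "):
            continue
        key, _, val = line.partition("=")
        conf[key.strip()] = val.strip().strip('"')
    return conf

def norm_protoport(value):
    """Return (proto, port) in numeric form; an unset protoport is sent as 0/%any (anything)."""
    if not value:
        return ("0", "%any")
    proto, _, port = value.partition("/")
    return (PROTO_NAMES.get(proto.lower(), proto), PORT_NAMES.get(port.lower(), port) or "%any")

def selector_matches(a, b):
    """Assumed pluto rule: protocol must be identical; ports match if equal or either is %any."""
    (pa, ppa), (pb, ppb) = norm_protoport(a), norm_protoport(b)
    return pa == pb and (ppa == ppb or "%any" in (ppa, ppb))

def find_mismatches(server, client):
    """Server 'left' faces client 'right' and vice versa; list every pair that cannot match."""
    problems = []
    for s_side, c_side in (("left", "right"), ("right", "left")):
        s_pp, c_pp = server.get(s_side + "protoport"), client.get(c_side + "protoport")
        if not selector_matches(s_pp, c_pp):
            problems.append(f"server {s_side}protoport={s_pp!r} vs client {c_side}protoport={c_pp!r}")
        s_id, c_id = server.get(s_side + "id", "%any"), client.get(c_side + "id", "%any")
        if s_id != c_id and "%any" not in (s_id, c_id):
            problems.append(f"server {s_side}id={s_id!r} vs client {c_side}id={c_id!r}")
    return problems

if __name__ == "__main__":
    for p in find_mismatches(parse_conn(UTM_CONN), parse_conn(CLIENT_CONN)):
        print("mismatch:", p)
```

Run against the quoted blocks it flags a single pair, the UTM's rightprotoport against the client's unset leftprotoport, which is the 17/%any versus 0/%any difference visible in the UTM log line.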