VPN L2TP/ipsec linux client problems | Best practice settings for firebox

Hi,

I have been trying for a long time to solve the following problem. L2TP/IPsec VPN works fine with Windows and Mac clients. WatchGuard does not have documentation on the right way to set this up for Linux clients.

With Linux clients (Ubuntu), the tunnel refuses to connect.
Clients have downloaded the normal "network-manager-l2tp-gnome" package.
The preshared key and usernames are set right.

The client's syslog looks like this when attempting to connect:
2024-06-15T14:28:42.305799+03:00 teppo-Latitude-E5470 NetworkManager[4013]: initiating IKE_SA 5e130a30-efa4-4145-b920-545fdfbf0108[1] to 79.134.102.194
2024-06-15T14:28:42.305912+03:00 teppo-Latitude-E5470 NetworkManager[4013]: generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-06-15T14:28:42.305986+03:00 teppo-Latitude-E5470 NetworkManager[4013]: sending packet: from 192.168.32.105[500] to 79.134.XXX.XX[500] (972 bytes)
2024-06-15T14:28:42.306055+03:00 teppo-Latitude-E5470 NetworkManager[4013]: received packet: from 79.134.XXX.XX[500] to 192.168.32.105[500] (38 bytes)
2024-06-15T14:28:42.306119+03:00 teppo-Latitude-E5470 NetworkManager[4013]: parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2024-06-15T14:28:42.306182+03:00 teppo-Latitude-E5470 NetworkManager[4013]: peer didn't accept DH group ECP_256, it requested MODP_2048
2024-06-15T14:28:42.306247+03:00 teppo-Latitude-E5470 NetworkManager[4013]: initiating IKE_SA 5e130a30-efa4-4145-b920-545fdfbf0108[1] to 79.134.102.194
2024-06-15T14:28:42.306336+03:00 teppo-Latitude-E5470 NetworkManager[4013]: generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-06-15T14:28:42.306400+03:00 teppo-Latitude-E5470 NetworkManager[4013]: sending packet: from 192.168.32.105[500] to 79.134.XXX.XX[500] (1164 bytes)
2024-06-15T14:28:42.306462+03:00 teppo-Latitude-E5470 NetworkManager[4013]: received packet: from 79.134.XXX.XX[500] to 192.168.32.105[500] (512 bytes)
2024-06-15T14:28:42.306524+03:00 teppo-Latitude-E5470 NetworkManager[4013]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
2024-06-15T14:28:42.306590+03:00 teppo-Latitude-E5470 NetworkManager[4013]: received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4d:54:41:75:4d:79:42:43:54:6a:30:32:4f:54:51:35:4f:54:51:3d
2024-06-15T14:28:42.306657+03:00 teppo-Latitude-E5470 NetworkManager[4013]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
2024-06-15T14:28:42.306721+03:00 teppo-Latitude-E5470 NetworkManager[4013]: local host is behind NAT, sending keep alives
2024-06-15T14:28:42.306784+03:00 teppo-Latitude-E5470 NetworkManager[4013]: authentication of '192.168.32.105' (myself) with pre-shared key
2024-06-15T14:28:42.306887+03:00 teppo-Latitude-E5470 NetworkManager[4013]: establishing CHILD_SA 5e130a30-efa4-4145-b920-545fdfbf0108{1}
2024-06-15T14:28:42.306956+03:00 teppo-Latitude-E5470 NetworkManager[4013]: generating IKE_AUTH request 1 [ IDi AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2024-06-15T14:28:42.307021+03:00 teppo-Latitude-E5470 NetworkManager[4013]: sending packet: from 192.168.32.105[4500] to 79.134.XXX.XX[4500] (408 bytes)
2024-06-15T14:28:42.307087+03:00 teppo-Latitude-E5470 NetworkManager[4013]: received packet: from 79.134.XXX.XX[4500] to 192.168.32.105[4500] (88 bytes)
2024-06-15T14:28:42.307152+03:00 teppo-Latitude-E5470 NetworkManager[4013]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2024-06-15T14:28:42.307215+03:00 teppo-Latitude-E5470 NetworkManager[4013]: received AUTHENTICATION_FAILED notify error
2024-06-15T14:28:42.307298+03:00 teppo-Latitude-E5470 NetworkManager[4013]: establishing connection '5e130a30-efa4-4145-b920-545fdfbf0108' failed
2024-06-15T14:28:42.416648+03:00 teppo-Latitude-E5470 NetworkManager[4020]: Stopping strongSwan IPsec...
2024-06-15T14:28:42.417706+03:00 teppo-Latitude-E5470 charon: 00[DMN] SIGINT received, shutting down
2024-06-15T14:28:42.523796+03:00 teppo-Latitude-E5470 nm-l2tp-service[3802]: Could not establish IPsec connection.
2024-06-15T14:28:42.524078+03:00 teppo-Latitude-E5470 nm-l2tp-service[3802]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

I have tried changing lots of settings without any success.
Does someone have best-practice L2TP/IPsec settings for the Firebox that would work with Linux devices?

Comments

  • james.carson Moderator, WatchGuard Representative

    The client settings would need to match what you have configured in your L2TP settings on the firewall.

    Messages like "NetworkManager[4013]: peer didn't accept DH group ECP_256, it requested MODP_2048" can help you pick out specific settings one at a time, but it would be easier to look at the settings in your L2TP VPN on the firewall.

    By default on v12.10.3, the firebox will have the following 3 proposals.

    Phase 1
    -Preshared key (as defined when L2TP is set up)

    --Authentication: SHA1, Encryption: AES 256-bit, SA life: 8 hours, Key group DH Group 2
    or
    --Authentication: SHA1, Encryption: AES 256-bit, SA life: 8 hours, Key group DH Group 20
    or
    --Authentication: SHA2-256, Encryption: AES 256-bit, SA life: 8 hours, Key group DH Group 14

    Phase 2
    -PFS: Off

    --Type: ESP, Authentication: SHA1, Encryption: AES 256-bit
    or
    --Type: ESP, Authentication: SHA1, Encryption: AES 128-bit
    or
    --Type: ESP, Authentication: SHA2-256, Encryption: AES 256-bit

    If you have set another proposal, please open your configuration on the firebox, note what it is, and set the settings on your Linux workstation to the same.

    -James Carson
    WatchGuard Customer Support

  • Than
    > @james.carson said:
    >
    > The client settings would need to match what you have configured in your L2TP settings on the firewall.
    >
    > Messages like "NetworkManager[4013]: peer didn't accept DH group ECP_256, it requested MODP_2048" can help you pick out specific settings one at a time, but it would be easier to look at the settings in your L2TP VPN on the firewall.
    >
    > By default on v12.10.3, the firebox will have the following 3 proposals.
    >
    > Phase 1
    > -Preshared key (as defined when L2TP is set up)
    >
    > --Authentication: SHA1, Encryption: AES 256-bit, SA life: 8 hours, Key group DH Group 2
    > or
    > --Authentication: SHA1, Encryption: AES 256-bit, SA life: 8 hours, Key group DH Group 20
    > or
    > --Authentication: SHA2-256, Encryption: AES 256-bit, SA life: 8 hours, Key group DH Group 14
    >
    > Phase 2
    > -PFS: Off
    >
    > --Type: ESP, Authentication: SHA1, Encryption: AES 256-bit
    > or
    > --Type: ESP, Authentication: SHA1, Encryption: AES 128-bit
    > or
    > --Type: ESP, Authentication: SHA2-256, Encryption: AES 256-bit
    >
    > If you have set another proposal, please open your configuration on the firebox, note what it is, and set the settings on your Linux workstation to the same.

    Thank you James for the reply.

    If I understand right, first the peer didn't accept DH group ECP_256,
    but after that it selected a new proposal:

    NetworkManager[4013]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048

    My firebox has exactly the same default phase settings that you wrote.
    Whether it can be problematic with Ubuntu, I don't know. It uses strongSwan IPsec.

    Do you think I should add some other phase value settings to the firebox that could work better with Linux distros?
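Added example (not WatchGuard's or strongSwan's code): it converts the three default Phase 1 and Phase 2 proposals listed above into strongSwan proposal strings and checks whether the "selected proposal" line from the posted log is actually one of them. The DH-group-number to strongSwan-name mapping (2 = modp1024, 14 = modp2048, 20 = ecp384) is the standard IANA/strongSwan one; the log line is copied from the post.

```python
"""Map the Firebox v12.10.3 default L2TP proposals (as listed in the thread)
to strongSwan proposal strings and check a charon "selected proposal" line."""
import re

# Firebox defaults from the thread: (integrity, encryption, DH group).
FIREBOX_PHASE1 = [("SHA1", "AES 256-bit", 2), ("SHA1", "AES 256-bit", 20),
                  ("SHA2-256", "AES 256-bit", 14)]
# Phase 2 with PFS off: no DH group in the ESP proposal.
FIREBOX_PHASE2 = [("SHA1", "AES 256-bit"), ("SHA1", "AES 128-bit"),
                  ("SHA2-256", "AES 256-bit")]

# Standard IANA DH group numbers -> strongSwan keyword names.
DH_GROUPS = {2: "modp1024", 14: "modp2048", 20: "ecp384"}
INTEGRITY = {"SHA1": "sha1", "SHA2-256": "sha256"}

def enc_name(label):
    """'AES 256-bit' -> 'aes256' (strongSwan's AES-CBC keyword)."""
    return "aes" + re.search(r"(\d+)-bit", label).group(1)

def phase1_to_strongswan(proposals=FIREBOX_PHASE1):
    """IKE proposal list in strongSwan 'ike=' notation."""
    return ",".join(f"{enc_name(e)}-{INTEGRITY[a]}-{DH_GROUPS[g]}"
                    for a, e, g in proposals)

def phase2_to_strongswan(proposals=FIREBOX_PHASE2):
    """ESP proposal list in strongSwan 'esp=' notation (no DH: PFS off)."""
    return ",".join(f"{enc_name(e)}-{INTEGRITY[a]}" for a, e in proposals)

# charon log algorithm names -> strongSwan keyword names.
LOG_ENC = {"AES_CBC_128": "aes128", "AES_CBC_256": "aes256"}
LOG_INTEG = {"HMAC_SHA1_96": "sha1", "HMAC_SHA2_256_128": "sha256",
             "HMAC_SHA2_384_192": "sha384"}

def parse_selected(line):
    """Return 'enc-integ-dh' from a charon 'selected proposal: IKE:...' line."""
    m = re.search(r"selected proposal: IKE:([A-Z0-9_/]+)", line)
    if not m:
        return None
    parts = m.group(1).split("/")            # enc / integ / prf / dh
    enc = LOG_ENC.get(parts[0], parts[0].lower())
    integ = LOG_INTEG.get(parts[1], parts[1].lower())
    dh = parts[-1].replace("_", "").lower()  # MODP_2048 -> modp2048
    return f"{enc}-{integ}-{dh}"

def negotiated_matches_firebox(line):
    """True only if the negotiated IKE proposal is one of the listed defaults."""
    return parse_selected(line) in phase1_to_strongswan().split(",")

# The "selected proposal" line from the original post (copied for offline use).
SAMPLE = ("NetworkManager[4013]: selected proposal: "
          "IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048")
```

For the posted line the check returns False: the negotiated set (aes256-sha384-modp2048) is not one of the three Phase 1 defaults, which is why comparing the actual Firebox proposal list with the client's is the first thing to pin down. Note also that IKE_SA_INIT/IKE_AUTH in the posted log are IKEv2 exchange names, whereas L2TP/IPsec is conventionally negotiated with IKEv1 (strongSwan `keyexchange=ikev1`), so the IKE version is worth confirming against the Firebox as well.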

  • james.carson Moderator, WatchGuard Representative

    Hi @vnuser

    If you'd like to add another proposal, you can do that in the L2TP VPN settings.

    I would suggest configuring the VPN client you downloaded to what's already set on the firewall. Depending on what package and version of strongswan you've downloaded, the default proposals may be completely different.

    Strongswan provides documentation here on how to configure it:
    https://wiki.strongswan.org/projects/strongswan/wiki/Connsection

    -James Carson
    WatchGuard Customer Support

  • > @james.carson said:
    > Hi @vnuser
    >
    > If you'd like to add another proposal, you can do that in the L2TP VPN settings.
    >
    > I would suggest configuring the VPN client you downloaded to what's already set on the firewall. Depending on what package and version of strongswan you've downloaded, the default proposals may be completely different.
    >
    > Strongswan provides documentation here on how to configure it:
    > https://wiki.strongswan.org/projects/strongswan/wiki/Connsection

    I changed the client settings to match the WG L2TP settings. Still the same problem.
    I really think the problem is that the client doesn't like the default phase settings of the firebox.

  • james.carson Moderator, WatchGuard Representative

    Hi @vnuser
    I'd suggest opening a support case. You can use the support center link at the top right of this page to do this. This will allow us to take a look at the logs on your firewall as well as assist directly.

    -James Carson
    WatchGuard Customer Support
