Need help with AES

Folks
I have an L2TP VPN setup on my work XTM33, which works flawlessly with Windows10, IOS & Android devices.
Last night I tried to configure a Linux device from home, and ran in to problems.

Some settings on the Linux device are for Phase 1 and Phase 2 algorthims.
I've never encountered these on Windows, Ios Android.

Something I found online suggested to input some 3DES settings.

I tried to connect, and failed.
My Firebox log said something along the lines of expected AES, received 3DES.

So before I can go any further, I'm guessing I need to at least look at these settings.

Back in the office this morning and I can see that the VPN config on the firebox is using a phase 1 transform, with 3 different AES settings.

Can anyone suggest which one of these I may input on my Linux config, considering there are 3 settings, and I have only room for one parameter.

Also any ideas on phase 2 ???

Name XTM_3_Series
Model XTM33
Version 12.1.3.B586018

Comments

  • Your settings for the Linux machine should match the Phase1 & Phase 2 settings which are set up for your L2TP settings on your firewall.

    Mine shows SHA1-3DES for Phase 1 in WSM Policy Manager.
    There are 2 entries in Phase 2, with the 1st one being the highest precedence. Try using the 1st entry on your Linux machine. Mine is ESP-AES-SHA1

  • edited November 28

    The highest entries on my L2TP config on the firebox shows

    PH1 = SHA1-AES(256-bit)
    and
    PH2 = ESP-AES-SHA1

    I assume these are the settings I need for the Linux config.
    If so, do I also need to input the (256-bit) portion.

  • You need to select the AES-256 option

  • Really struggling here.
    If I input any of the SHA1 settings in my linux device, it fails to connect, and nothing is echod in the firebox log.
    If I leave the config empty, then I see this:

    2019-11-28 18:22:09 iked (192.168.1.253<->xxx.xxx.129.156)IKE phase-1 negotiation from 192.168.1.253:500 to xxx.xxx.129.156:56490 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received AES key length 128, expecting 256

    2019-11-28 18:22:09 iked (192.168.1.253<->xxx.xxx.129.156)IKE Proposal : peer propose EncryptAlgo AES

    2019-11-28 18:22:09 iked (192.168.1.253<->xxx.xxx.129.156)IKE phase-1 negotiation from 192.168.1.253:500 to xxx.xxx.129.156:56490 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received AES key length 128, expecting 256

    2019-11-28 18:22:09 iked (192.168.1.253<->xxx.xxx.129.156)IKE Proposal : peer propose EncryptAlgo AES

    2019-11-28 18:22:09 iked (192.168.1.253<->xxx.xxx.129.156)IKE phase-1 negotiation from 192.168.1.253:500 to xxx.xxx.129.156:56490 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received AES key length 128, expecting 256

    2019-11-28 18:22:09 iked (192.168.1.253<->xxx.xxx.129.156)IkeXformNtoH (AES) : numAttribs 4

    2019-11-28 18:22:09 iked (192.168.1.253<->xxx.xxx.129.156)IKE phase-1 negotiation from 192.168.1.253:500 to xxx.xxx.129.156:56490 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received DH group 19, expecting 2

    2019-11-28 18:22:09 iked (192.168.1.253<->xxx.xxx.129.156)IKE phase-1 negotiation from 192.168.1.253:500 to xxx.xxx.129.156:56490 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received DH group 19, expecting 20

    2019-11-28 18:22:09 iked (192.168.1.253<->xxx.xxx.129.156)IKE phase-1 negotiation from 192.168.1.253:500 to xxx.xxx.129.156:56490 failed. Gateway-Endpoint='L2TP-IPSec_l2' Reason=Received DH group 19, expecting 14

  • The logs show that the firewall is looking for AES256 but is getting AES128 on Phase 1.
    The firewall is looking for Diffe-Hellman group 2, but is getting 19

    Try those.

  • Having never experienced these settings before, I'm working blind and don't mind admitting to being a bit thick.

    Could you suggest where I might obtain the correct string, or suggest the string to use.

  • Are you using Linux Openswan IKE ?

    If so - see the IKE section:
    https://linux.die.net/man/5/ipsec.conf

    ike=aes256-sha1;dh2

  • It's Linux Mint (Cinnamon). It looks like L2TP isn't installed as a native protocol, so I followed instructions found here.
    http://stuffjasondoes.com/2018/08/16/configuring-meraki-client-vpn-on-linux-mint-19-network-manager/
    Of course I quickly found out that the phase 1 & 2 on that link don't apply to me.
    I'm just struggling to figure out what to input to get it to connect.

  • What does your MAN page for IPSEC show ?

  • If you mean the Phase 1 & 2 strings, then I originally, I unput those 3DES settings, but of course it wouldn't connect as my L2TP config is using SHA1-AES(256-bit). However, when I input SHA1-AES(256-bit), nothing appears to happen. The firebox log doesn't even see any attempts to connect. The plugins must work, as I see errors on the firebox is I leave the config empty.
    Confused ...

  • Did you enter this?

    ike=aes256-sha1;dh2

  • This is where I'm struggling.
    This is the first time i've seen such a string.

    So I input that as my phase 1 string, but the same thing happens.
    The device quickly fails to connect.
    I see nothing echod in the firebox traffic monitor.

    Running sudo journalctl -f I can see some errors around unable to start stronSwan, fatal errors in config.

    So now I'm guessing this plugin doesn't work with anything other than 3DES or the strings i'm inuptting are confusing it.

  • maybe i'll take this to a Linux forum, as my VPN works ok on other OS's

  • I think I've given in trying to get this to work.
    After spending hours, I finally guessed the string to use, then hit in to another issue.
    Two pieces of software fighting for port 1701.
    I got past this and though that I was finally making headway.

    My Linux device now makes a connection with the firebox, but I receive an error along the lines of
    "check_control: Received out of order control packet on tunnel 1 (got 1, expected 2)"

    After wasting most of Sunday trying to establish a connection , I came across this.

    https://github.com/xelerance/xl2tpd/issues/136

Sign In to comment.