# IPSec timing out?

## The_Great_Sephiroth

I went ahead and created a dedicated VPN server (Openswan, xl2tpd) and configured it, but I am having trouble making it work. There is no firewall on my laptop or the server during this testing, so I can rule those out. The server has a public interface which I am connecting to and an internal one. My client is behind a NAT router. I am not sure about a few settings in NetworkManager for Openswan, and I am fairly sure that is where my problem lies.

Client log:

```
Oct 31 11:06:37 laptop01 NetworkManager[3466]: <info>  Starting VPN service 'openswan'...
Oct 31 11:06:37 laptop01 NetworkManager[3466]: <info>  VPN service 'openswan' started (org.freedesktop.NetworkManager.openswan), PID 5663
Oct 31 11:06:37 laptop01 NetworkManager[3466]: <info>  VPN service 'openswan' appeared; activating connections
Oct 31 11:06:37 laptop01 NetworkManager[3466]: <info>  VPN plugin state changed: init (1)
Oct 31 11:06:40 laptop01 NetworkManager[3466]: <info>  VPN plugin state changed: starting (3)
Oct 31 11:06:40 laptop01 NetworkManager[3466]: <info>  VPN connection 'Reach Technology FP - L2TP' (Connect) reply received.
Oct 31 11:06:41 laptop01 pluto[5818]: NSS DB directory: sql:/etc/ipsec.d
Oct 31 11:06:41 laptop01 pluto[5818]: NSS initialized
Oct 31 11:06:41 laptop01 pluto[5818]: libcap-ng support [disabled]
Oct 31 11:06:41 laptop01 pluto[5818]: FIPS HMAC integrity support [disabled]
Oct 31 11:06:41 laptop01 pluto[5818]: Linux audit support [disabled]
Oct 31 11:06:41 laptop01 pluto[5818]: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:5818
Oct 31 11:06:41 laptop01 pluto[5818]: core dump dir: /var/run/pluto/
Oct 31 11:06:41 laptop01 pluto[5818]: secrets file: /etc/ipsec.secrets
Oct 31 11:06:41 laptop01 pluto[5818]: leak-detective disabled
Oct 31 11:06:41 laptop01 pluto[5818]: NSS crypto [enabled]
Oct 31 11:06:41 laptop01 pluto[5818]: XAUTH PAM support [enabled]
Oct 31 11:06:41 laptop01 pluto[5818]:    NAT-Traversal support  [enabled]
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: starting up 1 crypto helpers
Oct 31 11:06:41 laptop01 pluto[5818]: started thread for crypto helper 0 (master fd 11)
Oct 31 11:06:41 laptop01 pluto[5818]: Using Linux XFRM/NETKEY IPsec interface code on 3.18.16-gentoo
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Oct 31 11:06:41 laptop01 pluto[5818]: | certificate not loaded for this end
Oct 31 11:06:41 laptop01 pluto[5818]: | certificate not loaded for this end
Oct 31 11:06:41 laptop01 pluto[5818]: added connection description "0e2053f6-4a04-405a-a8ef-e19ed9acff62"
Oct 31 11:06:41 laptop01 pluto[5818]: listening for IKE messages
Oct 31 11:06:41 laptop01 pluto[5818]: adding interface enp0s25/enp0s25 10.0.4.101:500
Oct 31 11:06:41 laptop01 pluto[5818]: adding interface enp0s25/enp0s25 10.0.4.101:4500
Oct 31 11:06:41 laptop01 pluto[5818]: adding interface lo/lo 127.0.0.1:500
Oct 31 11:06:41 laptop01 pluto[5818]: adding interface lo/lo 127.0.0.1:4500
Oct 31 11:06:41 laptop01 pluto[5818]: adding interface lo/lo ::1:500
Oct 31 11:06:41 laptop01 pluto[5818]: | setup callback for interface lo:500 fd 23
Oct 31 11:06:41 laptop01 pluto[5818]: | setup callback for interface lo:4500 fd 22
Oct 31 11:06:41 laptop01 pluto[5818]: | setup callback for interface lo:500 fd 21
Oct 31 11:06:41 laptop01 pluto[5818]: | setup callback for interface enp0s25:4500 fd 20
Oct 31 11:06:41 laptop01 pluto[5818]: | setup callback for interface enp0s25:500 fd 18
Oct 31 11:06:41 laptop01 pluto[5818]: loading secrets from "/etc/ipsec.secrets"
Oct 31 11:06:41 laptop01 pluto[5818]: loading secrets from "/etc/ipsec.d/ipsec-0e2053f6-4a04-405a-a8ef-e19ed9acff62.secrets"
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: multiple DH groups in aggressive mode can cause interop failure
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 256) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 128) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 128) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 0) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 0) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: initiating Aggressive Mode #1, connection "0e2053f6-4a04-405a-a8ef-e19ed9acff62"
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: multiple DH groups in aggressive mode can cause interop failure
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 256) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 128) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 128) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 0) ignored.
Oct 31 11:06:41 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 0) ignored.
Oct 31 11:06:42 laptop01 pluto[5818]: listening for IKE messages
Oct 31 11:06:42 laptop01 pluto[5818]: | refresh. setup callback for interface lo:500 23
Oct 31 11:06:42 laptop01 pluto[5818]: | setup callback for interface lo:500 fd 23
Oct 31 11:06:42 laptop01 pluto[5818]: | refresh. setup callback for interface lo:4500 22
Oct 31 11:06:42 laptop01 pluto[5818]: | setup callback for interface lo:4500 fd 22
Oct 31 11:06:42 laptop01 pluto[5818]: | refresh. setup callback for interface lo:500 21
Oct 31 11:06:42 laptop01 pluto[5818]: | setup callback for interface lo:500 fd 21
Oct 31 11:06:42 laptop01 pluto[5818]: | refresh. setup callback for interface enp0s25:4500 20
Oct 31 11:06:42 laptop01 pluto[5818]: | setup callback for interface enp0s25:4500 fd 20
Oct 31 11:06:42 laptop01 pluto[5818]: | refresh. setup callback for interface enp0s25:500 18
Oct 31 11:06:42 laptop01 pluto[5818]: | setup callback for interface enp0s25:500 fd 18
Oct 31 11:06:42 laptop01 pluto[5818]: forgetting secrets
Oct 31 11:06:42 laptop01 pluto[5818]: loading secrets from "/etc/ipsec.secrets"
Oct 31 11:06:42 laptop01 pluto[5818]: loading secrets from "/etc/ipsec.d/ipsec-0e2053f6-4a04-405a-a8ef-e19ed9acff62.secrets"
Oct 31 11:07:21 laptop01 NetworkManager[3466]: <warn>  VPN connection 'Reach Technology FP - L2TP' connect timeout exceeded.
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down
Oct 31 11:07:21 laptop01 pluto[5818]: forgetting secrets
Oct 31 11:07:21 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62": deleting connection
Oct 31 11:07:21 laptop01 pluto[5818]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: deleting state #1 (STATE_AGGR_I1)
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down interface lo/lo ::1:500
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down interface lo/lo 127.0.0.1:4500
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down interface lo/lo 127.0.0.1:500
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down interface enp0s25/enp0s25 10.0.4.101:4500
Oct 31 11:07:21 laptop01 pluto[5818]: shutting down interface enp0s25/enp0s25 10.0.4.101:500
Oct 31 11:07:41 laptop01 NetworkManager[3466]: <info>  VPN service 'openswan' disappeared
```

Now for the server-side settings. I may have messed up here, but I do not believe that I have.

Server /etc/ipsec.conf:

```
version 2

config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6$
        protostack=netkey
        force_keepalive=yes
        keep_alive=60

conn L2TP-PSK
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        ikelifetime=8h
        keylife=1h
        ike=aes256-sha1,aes128-sha1,3des-sha1
        phase2alg=aes256-sha1,aes128-sha1,3des-sha1
        type=transport
        left=10.0.0.2
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        dpddelay=10
        dpdtimeout=20
        dpdaction=clear
```

Server /etc/ipsec.secrets

```
10.0.0.2 %any: PSK "<hidden>"
```

Server /etc/xl2tpd/xl2tpd.conf

```
[global]
ipsec saref = yes
saref refinfo = 30

[lns default]
ip range = 10.0.2.201-10.0.2.250
local ip = 10.0.0.2
refuse pap = yes
require authentication = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```

Server /etc/ppp/options.xl2tpd

```
ms-dns 10.0.0.1
auth
mtu 1400
mru 1400
crtscts
hide-password
modem
name vpn01
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
```

Server /etc/ppp/chap-secrets

```
testuser vpn01 password *
```

The server's hostname is "vpn01", the internal (LAN) IP is 10.0.0.2, and the WAN has a public IP which I will not display here for security reasons. The only thing left is to show you my client settings. I use Network Manager in KDE, so below are the fields I have filled in.

Gateway: Hostname of the VPN's WAN port. It works, I can SSH into the box this way!

Group name: vpn01 (No clue what "group name" is)

User password: The password in /etc/ppp/chap-secrets

Group password: The hex password in /etc/ipsec.secrets

User name: testuser

Phase1 algorithms: aes256-sha1,aes128-sha1,3des-sha1

Phase2 algorithms: aes256-sha1,aes128-sha1,3des-sha1

Domain: vpn01

I am not sure I even need to set "Domain" or "Group name" and am not sure what to set them to. Help?

----------

## The_Great_Sephiroth

In case it matters, I have verified IPSec using the utility.

```
root@vpn01:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.2.0-4-amd64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
```

All appears to be good. It just keeps timing out. The only clue I have is that it is listening for IKE messages. I am checking into that now.

----------

## The_Great_Sephiroth

I made some progress. I was using my internal LAN IP for the left setting instead of the WAN IP. Changing the left setting to the WAN IP got me farther, but has not solved the problem. It still fails to connect.

```
Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: responding to Main Mode from unknown peer 9.8.7.6
Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: Main mode peer ID is ID_IPV4_ADDR: '10.0.2.15'
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: switched from "L2TP-PSK" to "L2TP-PSK"
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: deleting connection "L2TP-PSK" instance with peer 9.8.7.6 {isakmp=#0/ipsec=#0}
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: new NAT mapping for #1, was 9.8.7.6:44859, now 9.8.7.6:48552
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: the peer proposed: 108.169.144.180/32:17/1701 -> 10.0.2.15/32:17/0
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: responding to Quick Mode proposal {msgid:01000000}
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2:     us: 10.0.0.0/22===108.169.144.180<108.169.144.180>[+S=C]:17/1701
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2:   them: 9.8.7.6[10.0.2.15,+S=C]:17/1701
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x8865c012 <0x74cb73c8 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=9.8.7.6:48552 DPD=none}
Nov  2 11:08:59 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: received Delete SA(0x8865c012) payload: deleting IPSEC State #2
Nov  2 11:08:59 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: received and ignored informational message
Nov  2 11:08:59 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: received Delete SA payload: deleting ISAKMP State #1
Nov  2 11:08:59 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6: deleting connection "L2TP-PSK" instance with peer 9.8.7.6 {isakmp=#0/ipsec=#0}
Nov  2 11:08:59 vpn01 pluto[30598]: packet from 9.8.7.6:48552: received and ignored informational message
```

Now I have another issue. My client in this log is Windows 7. If I use Network Manager and OpenSwan, it tries to use aggressive mode, but I cannot figure out how to make it NOT use aggressive mode.

----------

## The_Great_Sephiroth

Anybody? I am stuck at this point. I feel like I am close to having a working VPN, but it just won't work.

----------

## The_Great_Sephiroth

Still failing here. I am supposed to have this working this week and still no go. I am lost, but I did see a message which seems odd.

```
Nov 23 09:48:02 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:03 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:05 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:09 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:17 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:33 laptop01 pluto[6876]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
```

This is logged on my laptop (the remote client). According to the Openswan wiki, this means that the IKE daemon is not running, but ipsec IS indeed running on the server. I am just completely lost at this point. Does nobody know how to set up IPSec/L2TP? Is PPTP really the height of Linux VPN servers?

Here is my current information and configuration.

VPN Server LAN IP: 10.0.0.2/22

VPN Server WAN IP: 10.20.30.40

Default GW is the WAN default GW

/etc/ipsec.conf

```
version 2

config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
        protostack=klips
        force_keepalive=yes
        keep_alive=60

conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        ikelifetime=8h
        keylife=1h
        ike=aes256-sha1,aes128-sha1,3des-sha1
        phase2alg=aes256-sha1,aes128-sha1,3des-sha1
        type=transport
        left=10.20.30.40
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        dpddelay=10
        dpdtimeout=20
        dpdaction=clear
```

/etc/xl2tpd/xl2tpd.conf

```
[global]
listen-addr = 10.0.0.2
port = 1701
ipsec saref = yes
saref refinfo = 30
force userspace = yes

[lns default]
ip range = 10.0.2.201-10.0.2.250
local ip = 10.20.30.40
require-chap = yes
refuse pap = yes
require authentication = yes
name = vpn01
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
```

/etc/ppp/options.xl2tpd

```
ipcp-accept-local
ipcp-accept-remote
ms-dns 10.0.0.1
noccp
auth
mtu 1400
mru 1400
crtscts
nodefaultroute
lock
proxyarp
connect-delay 5000
name vpn01
```

Help?
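A small log summariser, added here as an example and not part of Openswan, Libreswan or NetworkManager, that pattern-matches the pluto and NetworkManager messages quoted in this thread and reports how far the IKE exchange got. It covers the three situations the posts show: the client log of the first post (stuck in STATE_AGGR_I1 until NetworkManager's connect timeout), the server log of the third post (Main Mode and Quick Mode completed, then the peer's Delete SA, which puts the fault above IPsec), and the ICMP port-unreachable reports of the post above. The sample lines are constructed after those logs, using the placeholder address 1.2.3.4 from the post; the verdict strings are this example's own reading of the messages, not text from either project.

```python
"""Summarise an IKEv1 (pluto) negotiation from syslog lines.

Added example for this thread, not Openswan/Libreswan code: it only
pattern-matches message strings of the kind quoted in the posts.
"""
import re

# Message shapes as they appear in the quoted pluto / NetworkManager lines.
_SA_ID = re.compile(r" #(\d+): ")
_TRANSITION = re.compile(r"transition from state (STATE_\w+) to state (STATE_\w+)")
_DELETING = re.compile(r"deleting state #(\d+) \((STATE_\w+)\)")
_ICMP_UNREACH = re.compile(r"ICMP type 3 code 3")


def analyze(log_text):
    """Return a dict of what was observed plus a one-line verdict."""
    s = {
        "mode": None,              # "aggressive" or "main", from the first phase-1 line
        "last_state": {},          # SA number -> last state name seen for it
        "nat_detected": False,     # NAT-T detection reported a NATed peer
        "isakmp_established": False,
        "ipsec_established": False,
        "peer_deleted_sa": False,  # peer sent Delete SA after the tunnel came up
        "nm_timeout": False,       # NetworkManager gave up waiting
        "icmp_unreachable": 0,     # port-unreachable reports for our UDP/500 packets
    }
    for line in log_text.splitlines():
        if "initiating Aggressive Mode" in line:
            s["mode"] = s["mode"] or "aggressive"
        elif "Main Mode" in line and ("responding to" in line or "initiating" in line):
            s["mode"] = s["mode"] or "main"
        m = _SA_ID.search(line)
        sa = m.group(1) if m else None
        t = _TRANSITION.search(line)
        if t and sa:
            s["last_state"][sa] = t.group(2)
        d = _DELETING.search(line)
        if d:  # only record if no transition was ever logged for that SA
            s["last_state"].setdefault(d.group(1), d.group(2))
        s["nat_detected"] |= "peer is NATed" in line
        s["isakmp_established"] |= "ISAKMP SA established" in line
        s["ipsec_established"] |= "IPsec SA established" in line
        s["peer_deleted_sa"] |= "received Delete SA" in line
        s["nm_timeout"] |= "connect timeout exceeded" in line
        s["icmp_unreachable"] += 1 if _ICMP_UNREACH.search(line) else 0
    s["verdict"] = _verdict(s)
    return s


def _verdict(s):
    """Point at the layer where the failure most likely is, from the facts seen."""
    if s["icmp_unreachable"]:
        return ("peer answers UDP/500 with ICMP port unreachable: no IKE listener on "
                "the address the client sends to; compare the client's gateway with "
                "the addresses pluto reports in its 'adding interface' lines")
    if s["ipsec_established"] and s["peer_deleted_sa"]:
        return ("IKE phase 1 and 2 completed, peer tore the SA down later: IPsec is "
                "working, look at the L2TP/PPP layer (xl2tpd, pppd, chap-secrets)")
    if s["ipsec_established"]:
        return "IPsec SA established"
    if s["isakmp_established"]:
        return "phase 1 completed, no IPsec SA: check phase 2 proposals and protoport"
    stuck = ", ".join("#%s in %s" % kv for kv in sorted(s["last_state"].items())) or "no state"
    if s["nm_timeout"]:
        return ("no IKE reply received (%s, mode %s): the first packet was never answered; "
                "check that the client targets the address pluto listens on and that the "
                "server has a conn that accepts this exchange mode" % (stuck, s["mode"]))
    return "incomplete negotiation (%s); inspect the state transitions" % stuck


# Constructed samples, shortened from the kinds of lines quoted in the thread.
SAMPLE_CLIENT_TIMEOUT = """\
Oct 31 11:06:41 laptop01 pluto[5818]: "conn-a" #1: initiating Aggressive Mode #1, connection "conn-a"
Oct 31 11:07:21 laptop01 NetworkManager[3466]: <warn>  VPN connection 'lab' connect timeout exceeded.
Oct 31 11:07:21 laptop01 pluto[5818]: "conn-a" #1: deleting state #1 (STATE_AGGR_I1)
"""
SAMPLE_SERVER_MAIN_MODE = """\
Nov  2 11:08:23 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: responding to Main Mode from unknown peer 9.8.7.6
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[1] 9.8.7.6 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov  2 11:08:24 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0x8865c012 <0x74cb73c8 xfrm=AES_128-HMAC_SHA1 NATOA=10.0.2.15 NATD=9.8.7.6:48552 DPD=none}
Nov  2 11:08:59 vpn01 pluto[30598]: "L2TP-PSK"[2] 9.8.7.6 #1: received Delete SA(0x8865c012) payload: deleting IPSEC State #2
"""
SAMPLE_ICMP_UNREACHABLE = """\
Nov 23 09:48:02 laptop01 pluto[6876]: "conn-a" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Nov 23 09:48:03 laptop01 pluto[6876]: "conn-a" #1: ERROR: asynchronous network error report on enp0s25 (sport=500) for message to 1.2.3.4 port 500, complainant 1.2.3.4: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

if __name__ == "__main__":
    import sys
    # Usage: python3 ike_summary.py /var/log/messages   (file name assumed)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CLIENT_TIMEOUT
    for key, value in analyze(text).items():
        print("%-20s %s" % (key, value))
```

Run against the three samples it separates the three stories the thread tells: a client that never received any reply (state #1 still in STATE_AGGR_I1 when NetworkManager times out, nothing for the server side to log), a Windows 7 client that finished Main Mode and Quick Mode so the remaining fault is in xl2tpd/pppd, and a client whose UDP/500 packets are answered with port unreachable, so whatever is at 1.2.3.4 has no IKE listener on that address. The exchange mode matters for security as well as for interop: pluto itself warns on the client that Aggressive Mode with a PSK is weak, and an Openswan responder declines Aggressive Mode unless the matching conn sets aggrmode=yes, so a client stuck in STATE_AGGR_I1 while the Main Mode client succeeds fits a mode mismatch better than a network fault.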

----------

## salahx

Best way to work on this is one layer at a time. I created a Gentoo wiki article IPsec L2TP VPN server that should walk you through creating a VPN server suitable for Windows clients. It covers both PSK and certificate based authentication.

----------

## The_Great_Sephiroth

I followed it once, so I started again and followed it from scratch. No go.

Client logs

```
Nov 23 13:36:40 laptop01 NetworkManager[3472]: <info>  VPN connection 'Reach Technology FP - L2TP' (Connect) reply received.
Nov 23 13:36:40 laptop01 pluto[13291]: NSS DB directory: sql:/etc/ipsec.d
Nov 23 13:36:40 laptop01 pluto[13291]: NSS initialized
Nov 23 13:36:40 laptop01 pluto[13291]: libcap-ng support [disabled]
Nov 23 13:36:40 laptop01 pluto[13291]: FIPS HMAC integrity support [disabled]
Nov 23 13:36:40 laptop01 pluto[13291]: Linux audit support [disabled]
Nov 23 13:36:40 laptop01 pluto[13291]: Starting Pluto (Libreswan Version 3.15 XFRM(netkey) KLIPS NSS XAUTH_PAM NETWORKMANAGER CURL(non-NSS) LDAP(non-NSS)) pid:13291
Nov 23 13:36:40 laptop01 pluto[13291]: core dump dir: /var/run/pluto/
Nov 23 13:36:40 laptop01 pluto[13291]: secrets file: /etc/ipsec.secrets
Nov 23 13:36:40 laptop01 pluto[13291]: leak-detective disabled
Nov 23 13:36:40 laptop01 pluto[13291]: NSS crypto [enabled]
Nov 23 13:36:40 laptop01 pluto[13291]: XAUTH PAM support [enabled]
Nov 23 13:36:40 laptop01 pluto[13291]:    NAT-Traversal support  [enabled]
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: starting up 1 crypto helpers
Nov 23 13:36:40 laptop01 pluto[13291]: started thread for crypto helper 0 (master fd 11)
Nov 23 13:36:40 laptop01 pluto[13291]: Using Linux XFRM/NETKEY IPsec interface code on 3.18.16-gentoo
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Nov 23 13:36:40 laptop01 pluto[13291]: | certificate not loaded for this end
Nov 23 13:36:40 laptop01 pluto[13291]: | certificate not loaded for this end
Nov 23 13:36:40 laptop01 pluto[13291]: added connection description "0e2053f6-4a04-405a-a8ef-e19ed9acff62"
Nov 23 13:36:40 laptop01 pluto[13291]: listening for IKE messages
Nov 23 13:36:40 laptop01 pluto[13291]: adding interface enp0s25/enp0s25 10.0.4.101:500
Nov 23 13:36:40 laptop01 pluto[13291]: adding interface enp0s25/enp0s25 10.0.4.101:4500
Nov 23 13:36:40 laptop01 pluto[13291]: adding interface lo/lo 127.0.0.1:500
Nov 23 13:36:40 laptop01 pluto[13291]: adding interface lo/lo 127.0.0.1:4500
Nov 23 13:36:40 laptop01 pluto[13291]: adding interface lo/lo ::1:500
Nov 23 13:36:40 laptop01 pluto[13291]: | setup callback for interface lo:500 fd 23
Nov 23 13:36:40 laptop01 pluto[13291]: | setup callback for interface lo:4500 fd 22
Nov 23 13:36:40 laptop01 pluto[13291]: | setup callback for interface lo:500 fd 21
Nov 23 13:36:40 laptop01 pluto[13291]: | setup callback for interface enp0s25:4500 fd 20
Nov 23 13:36:40 laptop01 pluto[13291]: | setup callback for interface enp0s25:500 fd 18
Nov 23 13:36:40 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.secrets"
Nov 23 13:36:40 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.d/ipsec-0e2053f6-4a04-405a-a8ef-e19ed9acff62.secrets"
Nov 23 13:36:40 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.d/ipsec-e5865848-2ea5-446e-ac6a-fa595d53d0a5.secrets"
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: multiple DH groups in aggressive mode can cause interop failure
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 256) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 128) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 128) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 0) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 0) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: initiating Aggressive Mode #1, connection "0e2053f6-4a04-405a-a8ef-e19ed9acff62"
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: multiple DH groups in aggressive mode can cause interop failure
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 256) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 128) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 128) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP2048 keylen 0) ignored.
Nov 23 13:36:40 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: transform (OAKLEY_3DES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 0) ignored.
Nov 23 13:36:41 laptop01 pluto[13291]: listening for IKE messages
Nov 23 13:36:41 laptop01 pluto[13291]: | refresh. setup callback for interface lo:500 23
Nov 23 13:36:41 laptop01 pluto[13291]: | setup callback for interface lo:500 fd 23
Nov 23 13:36:41 laptop01 pluto[13291]: | refresh. setup callback for interface lo:4500 22
Nov 23 13:36:41 laptop01 pluto[13291]: | setup callback for interface lo:4500 fd 22
Nov 23 13:36:41 laptop01 pluto[13291]: | refresh. setup callback for interface lo:500 21
Nov 23 13:36:41 laptop01 pluto[13291]: | setup callback for interface lo:500 fd 21
Nov 23 13:36:41 laptop01 pluto[13291]: | refresh. setup callback for interface enp0s25:4500 20
Nov 23 13:36:41 laptop01 pluto[13291]: | setup callback for interface enp0s25:4500 fd 20
Nov 23 13:36:41 laptop01 pluto[13291]: | refresh. setup callback for interface enp0s25:500 18
Nov 23 13:36:41 laptop01 pluto[13291]: | setup callback for interface enp0s25:500 fd 18
Nov 23 13:36:41 laptop01 pluto[13291]: forgetting secrets
Nov 23 13:36:41 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.secrets"
Nov 23 13:36:41 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.d/ipsec-0e2053f6-4a04-405a-a8ef-e19ed9acff62.secrets"
Nov 23 13:36:41 laptop01 pluto[13291]: loading secrets from "/etc/ipsec.d/ipsec-e5865848-2ea5-446e-ac6a-fa595d53d0a5.secrets"
Nov 23 13:37:20 laptop01 NetworkManager[3472]: <warn>  VPN connection 'Reach Technology FP - L2TP' connect timeout exceeded.
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down
Nov 23 13:37:20 laptop01 pluto[13291]: forgetting secrets
Nov 23 13:37:20 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62": deleting connection
Nov 23 13:37:20 laptop01 pluto[13291]: "0e2053f6-4a04-405a-a8ef-e19ed9acff62" #1: deleting state #1 (STATE_AGGR_I1)
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down interface lo/lo ::1:500
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down interface lo/lo 127.0.0.1:4500
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down interface lo/lo 127.0.0.1:500
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down interface enp0s25/enp0s25 10.0.4.101:4500
Nov 23 13:37:20 laptop01 pluto[13291]: shutting down interface enp0s25/enp0s25 10.0.4.101:500
```

Server log

```
Nov 23 13:36:23 vpn01 pluto[15863]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:15863
Nov 23 13:36:23 vpn01 pluto[15863]: LEAK_DETECTIVE support [disabled]
Nov 23 13:36:23 vpn01 pluto[15863]: OCF support for IKE [disabled]
Nov 23 13:36:23 vpn01 pluto[15863]: SAref support [disabled]: Protocol not available
Nov 23 13:36:23 vpn01 pluto[15863]: SAbind support [disabled]: Protocol not available
Nov 23 13:36:23 vpn01 pluto[15863]: NSS support [disabled]
Nov 23 13:36:23 vpn01 pluto[15863]: HAVE_STATSD notification support not compiled in
Nov 23 13:36:23 vpn01 pluto[15863]: Setting NAT-Traversal port-4500 floating to on
Nov 23 13:36:23 vpn01 pluto[15863]:    port floating activation criteria nat_t=1/port_float=1
Nov 23 13:36:23 vpn01 pluto[15863]:    NAT-Traversal support  [enabled] [Force KeepAlive]
Nov 23 13:36:23 vpn01 pluto[15863]: using /dev/urandom as source of random entropy
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 23 13:36:23 vpn01 pluto[15863]: starting up 1 cryptographic helpers
Nov 23 13:36:23 vpn01 pluto[15863]: started helper pid=15865 (fd:6)
Nov 23 13:36:23 vpn01 pluto[15863]: Using Linux 2.6 IPsec interface code on 3.2.0-4-amd64 (experimental code)
Nov 23 13:36:23 vpn01 pluto[15865]: using /dev/urandom as source of random entropy
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 13:36:23 vpn01 pluto[15863]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Nov 23 13:36:23 vpn01 pluto[15863]: Changed path to directory '/etc/ipsec.d/cacerts'
Nov 23 13:36:23 vpn01 pluto[15863]: Changed path to directory '/etc/ipsec.d/aacerts'
Nov 23 13:36:23 vpn01 pluto[15863]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Nov 23 13:36:23 vpn01 pluto[15863]: Changing to directory '/etc/ipsec.d/crls'

Nov 23 13:36:23 vpn01 pluto[15863]:   Warning: empty directory

Nov 23 13:36:23 vpn01 pluto[15863]: added connection description "L2TP-PSK-NAT"

Nov 23 13:36:23 vpn01 pluto[15863]: added connection description "L2TP-PSK-noNAT"

Nov 23 13:36:23 vpn01 pluto[15863]: listening for IKE messages

Nov 23 13:36:23 vpn01 pluto[15863]: adding interface eth1/eth1 10.20.30.40:500

Nov 23 13:36:23 vpn01 pluto[15863]: adding interface eth1/eth1 10.20.30.40:4500

Nov 23 13:36:23 vpn01 pluto[15863]: adding interface eth0/eth0 10.0.0.2:500

Nov 23 13:36:23 vpn01 pluto[15863]: adding interface eth0/eth0 10.0.0.2:4500

Nov 23 13:36:23 vpn01 pluto[15863]: adding interface lo/lo 127.0.0.1:500

Nov 23 13:36:23 vpn01 pluto[15863]: adding interface lo/lo 127.0.0.1:4500

Nov 23 13:36:23 vpn01 pluto[15863]: adding interface lo/lo ::1:500

Nov 23 13:36:23 vpn01 pluto[15863]: loading secrets from "/etc/ipsec.secrets"

Nov 23 13:36:23 vpn01 pluto[15863]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"

Nov 23 13:36:32 vpn01 sshd[15569]: Received disconnect from 1.2.3.4: 11: disconnected by user

Nov 23 13:36:32 vpn01 sshd[15569]: pam_unix(sshd:session): session closed for user root

Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]

Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109 

Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109

Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109

Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109

Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]

Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]

Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]

Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109 

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109 

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]

Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]

Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109 

Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109

Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109

Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109

Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]

Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]

Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]

Nov 23 13:36:42 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]

Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109 

Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109

Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109

Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109

Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]

Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]

Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]

Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]

Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109 

Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109

Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109

Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109

Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]

Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]

Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]

Nov 23 13:36:48 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]

Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109 

Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109

Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109

Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109

Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]

Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]

Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]

Nov 23 13:36:57 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Dead Peer Detection]

Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [RFC 3947] method set to=109 

Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109

Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109

Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109

Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]

Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [Cisco-Unity]

Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: ignoring Vendor ID payload [FRAGMENTATION]

Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

```

As you can see, it just isn't working. I am just not sure what is wrong. I believe part of this is that I've become frazzled working on it for two weeks with no success.

----------

## salahx

Something is seriously wrong here. I think the problem here is the client, not the server. What software are you trying to connect with on the client?

----------

## The_Great_Sephiroth

LibreS/WAN. I use KDE (no systemd) and NetworkManager to configure my stuff inside KDE. Works great so far. Also, thank you VERY much for helping me with this.

----------

## salahx

I think I see the mistake you've been making. The openswan plugin for NetworkManager doesn't make a standard RFC-style IPsec/L2TP connection; it makes a Cisco-style one (that's what that "group name" stuff is all about).

Unfortunately, there are no NetworkManager plugins for this style of connection. It has to be done "by hand".

Something like this should suffice on the client:

```
conn vpnclient
        # local side: whatever interface currently holds the default route
        left=%defaultroute
        # any UDP port on our side; behind NAT the source port may be rewritten
        leftprotoport=udp
        # the VPN server's public address
        right=192.168.10.17
        # only traffic to UDP/1701 (L2TP) on the server is protected
        rightprotoport=udp/l2tp
        # transport mode, as L2TP/IPsec requires
        type=transport
        # pre-shared key taken from ipsec.secrets
        authby=secret
        # no PFS on the phase 2 SA, and let the server drive rekeying
        pfs=no
        rekey=no
        # 0 = retry indefinitely
        keyingtries=0
        # load the conn at startup but do not start it automatically
        auto=add
```

Then bring it up with "ipsec auto --up vpnclient". Once you have the IPsec connection side up, you can then configure xl2tpd for the client side, and use xl2tpd-control to connect to it.
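A log-triage helper, added here as an example (not code from the thread, from Openswan or from NetworkManager), that parses pluto lines of the shape shown in the server log and reports the mismatch described above: the client keeps sending Aggressive Mode proposals while the server loaded only L2TP conns without a PSK+AGGRESSIVE policy. The sample log embedded in it is a constructed, trimmed copy of the server log; the regexes and field names are this example's own.

```python
"""Triage pluto (Openswan/Libreswan) logs for an IKEv1 phase-1 mode mismatch.
Added example, not code from this thread: counts Aggressive Mode proposals the
responder rejected, lists the conns it did load, and measures the retry gaps."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a trimmed copy of the server log shape shown in the thread.
SAMPLE_LOG = """\
Nov 23 13:36:23 vpn01 pluto[15863]: added connection description "L2TP-PSK-NAT"
Nov 23 13:36:23 vpn01 pluto[15863]: added connection description "L2TP-PSK-noNAT"
Nov 23 13:36:23 vpn01 pluto[15863]: listening for IKE messages
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: received Vendor ID payload [XAUTH]
Nov 23 13:36:40 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Nov 23 13:36:41 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Nov 23 13:36:44 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
Nov 23 13:37:12 vpn01 pluto[15863]: packet from 1.2.3.4:500: initial Aggressive Mode message from 1.2.3.4 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
"""

PLUTO_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$")
ADDED_RE = re.compile(r'added connection description "(?P<name>[^"]+)"')
VID_RE = re.compile(r"packet from (?P<peer>[\d.]+):\d+: received Vendor ID payload \[(?P<vid>[^\]]+)\]")
AGGR_RE = re.compile(r"packet from (?P<peer>[\d.]+):\d+: initial Aggressive Mode message from .* policy=(?P<policy>\S+)")

def triage(log_text, year=1970):
    """Parse pluto lines; return loaded conns, rejected (peer, policy) counts, vendor IDs, retry gaps."""
    conns, rejected, vids, times = [], Counter(), set(), []
    for line in log_text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue  # sshd, NetworkManager and other daemons are not pluto's problem
        msg = m.group("msg")
        if a := ADDED_RE.search(msg):
            conns.append(a.group("name"))
        elif r := AGGR_RE.search(msg):
            rejected[(r.group("peer"), r.group("policy"))] += 1
            # syslog timestamps carry no year; a fixed one is enough for gap arithmetic
            times.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
        elif v := VID_RE.search(msg):
            vids.add(v.group("vid"))
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return {"connections": conns, "rejected": dict(rejected), "vendor_ids": sorted(vids), "retry_gaps_s": gaps}

def diagnose(report):
    """One-line finding from a triage() report, or None when no proposal was rejected."""
    if not report["rejected"]:
        return None
    (peer, policy), n = max(report["rejected"].items(), key=lambda kv: kv[1])
    hint = " (XAUTH vendor ID suggests a Cisco-style client)" if "XAUTH" in report["vendor_ids"] else ""
    return (f"{peer} sent {n} Aggressive Mode proposals needing {policy}{hint}; "
            f"loaded conns {report['connections']} lack that policy; "
            f"retry gaps {report['retry_gaps_s']}s, so phase 1 never completes")
```

Run `diagnose(triage(open("/var/log/auth.log").read()))` against a real pluto log to get the same one-line verdict; the widening retry gaps are the initiator's retransmit backoff running until NetworkManager's connect timeout fires.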

----------

## The_Great_Sephiroth

Not good. This needs to work for your average computer user. I can easily do as you say, but I am the administrator. The average user needs something simple. How can I create a standard, easy to use connection for both Windows and Linux clients? Note that I have been testing this in Windows 7 also, and Windows 7 gets either an 807 or an 809 and mentions the server being behind NAT, but the server is NOT behind NAT.

This is my one big complaint with Linux for the average user right now. NetworkManager is very easy to use and also very flexible, but the only STANDARD thing it supports is PPTP. I need something that works in Windows AND Linux. In Windows setting up L2TP/IPSec is cake and any idiot can use it. In Linux, nothing which has a GUI is standard.

What else can I do for a secure VPN that works with Windows 7 out of the box but is also easy to use in Linux? Why does it have to be integrated with 7? Simple! The Windows 7 clients can log on to the domain via VPN while out on the road. They simply click the "logon with VPN" button, enter their domain name and password, it connects first, pulls GPOs, and then logs onto the laptop as though they're in the office, with access to shares, printers, etc. I do not want to run two separate VPN servers at each location if possible. By two I mean one for Linux and one for Windows.

So if L2TP/IPSec is impossible in Linux, what options do I have? SSTP?

----------

## salahx

OpenVPN might be a better choice here, then, if you need to support both kinds of clients. There's a NetworkManager OpenVPN client, and OpenVPN has a GUI client for Windows too. However, OpenVPN doesn't use username/password; it uses certificates, so it requires a PKI.

----------

