# Setting up L2TP/IPSec VPN connection to Windows server

## LemonadeLlama

Hey everyone. Does anyone here have any experience setting up L2TP/IPSec VPN connections on Gentoo? I've done it on Manjaro before using a NetworkManager plug-in. I'm not using NetworkManager on Gentoo though.

My work allows employees to connect to the office network with an L2TP/IPSec VPN connection. I know there's an article on the arch wiki on setting this up, and it says you can use xl2tpd and openswan if you don't have NetworkManager: https://wiki.archlinux.org/title/Openswan_L2TP/IPsec_VPN_client_setup

I could only see StrongSwan and Libreswan in the Gentoo package list though, not openswan, so I'm not sure the Arch guide will translate 100% to Gentoo.

Does anyone know the best way to achieve an L2TP/IPSec connection?

----------

## salahx

Many years ago, I wrote an article on how to set up an IPSec/L2TP server for Linux: https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server (it could use an update, ipsec-tools is dead and some of the instructions are out of date). Configuring a client is even easier. The basic concepts are covered, so it's a good starting point.

----------

## LemonadeLlama

Alright, so I tried using the wiki in addition to a guide I found for Ubuntu (guide is https://howto.lintel.in/configure-ipsecl2tp-vpn-clients-linux-cli/), and I think I'm almost there.

I've installed strongswan and xl2tpd, and configured them, but here's as far as I got:

```
sudo ipsec up vpnconn
initiating Main Mode IKE_SA vpnconn[3] to 122.56.104.6
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.1.65[500] to 122.56.104.6[500] (180 bytes)
received packet: from 122.56.104.6[500] to 192.168.1.65[500] (56 bytes)
parsed INFORMATIONAL_V1 request 3937585212 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpnconn' failed
```

The syslog doesn't have much help either, just the same output as the console.

```
Feb 14 23:01:58 TuxBox charon: 01[CFG] received stroke: initiate 'vpnconn'
Feb 14 23:01:58 TuxBox charon: 09[IKE] initiating Main Mode IKE_SA vpnconn[3] to 122.56.104.6
Feb 14 23:01:58 TuxBox charon: 09[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Feb 14 23:01:58 TuxBox charon: 09[NET] sending packet: from 192.168.1.65[500] to 122.56.104.6[500] (180 bytes)
Feb 14 23:01:58 TuxBox charon: 07[NET] received packet: from 122.56.104.6[500] to 192.168.1.65[500] (56 bytes)
Feb 14 23:01:58 TuxBox charon: 07[ENC] parsed INFORMATIONAL_V1 request 3937585212 [ N(NO_PROP) ]
Feb 14 23:01:58 TuxBox charon: 07[IKE] received NO_PROPOSAL_CHOSEN error notify
```

----------

## salahx

It could be a few things. Depending on whether your server requires a certificate or a PSK, it might be missing (or not in the right place). Second, if you are talking to a Windows server, it might only support weak encryption. Try adding ike=aes-sha1-modp1024 and see if that helps.

You might want to try net-analyzer/ike-scan to get an idea of what the server is looking for.

----------

## LemonadeLlama

*salahx wrote:*

> You might want to try net-analyzer/ike-scan to get an idea of what the server is looking for.

I tried that, connecting to work's server. It gave me this output.

```
sudo ike-scan 122.56.104.6
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
122.56.104.6   Main Mode Handshake returned HDR=(CKY-R=2ebda1f9efafb80c) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
Ending ike-scan 1.9.4: 1 hosts scanned in 0.062 seconds (16.06 hosts/sec).  1 returned handshake; 0 returned notify
```

What am I looking for in the output?

----------

## salahx

Aha! That's the clue we're looking for. It expects 3des-sha1-modp1024, and it expects a preshared key. So if you're using strongswan, let's use the new configuration instead of the old:

Create the missing directory:

```
( umask 007; mkdir /etc/swanctl/conf.d )
```

Then create a file in it, like /etc/swanctl/conf.d/work.conf

```
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                        }
                }
        }
}

pools {
}

secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}

authorities {
}
```

If you are using systemd, start the strongswan service.

If you are using something else, start the ipsec service then do

```
swanctl -q
```

Then connect:

```
swanctl -i --child only
```

----------

## LemonadeLlama

I think we're almost there.

I added the swanctl file like you asked, and here's what happened:

```
~ $ sudo swanctl -q
opening directory '/etc/swanctl/x509' failed: No such file or directory
opening directory '/etc/swanctl/x509ca' failed: No such file or directory
opening directory '/etc/swanctl/x509ocsp' failed: No such file or directory
opening directory '/etc/swanctl/x509aa' failed: No such file or directory
opening directory '/etc/swanctl/x509ac' failed: No such file or directory
opening directory '/etc/swanctl/x509crl' failed: No such file or directory
opening directory '/etc/swanctl/pubkey' failed: No such file or directory
opening directory '/etc/swanctl/private' failed: No such file or directory
opening directory '/etc/swanctl/rsa' failed: No such file or directory
opening directory '/etc/swanctl/ecdsa' failed: No such file or directory
opening directory '/etc/swanctl/bliss' failed: No such file or directory
opening directory '/etc/swanctl/pkcs8' failed: No such file or directory
opening directory '/etc/swanctl/pkcs12' failed: No such file or directory
loaded ike secret 'ike-1'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'vpnconn'
successfully loaded 1 connections, 0 unloaded

~ $ sudo swanctl -i --child only
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 13991s
[IKE] maximum IKE_SA lifetime 15431s
[ENC] generating QUICK_MODE request 3673023179 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (204 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 3464512211 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
initiate failed: establishing CHILD_SA 'only' failed
```

----------

## salahx

OK, so now it's choking on the ESP proposal, let's try this:

```
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=3des-sha1,default
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                        }
                }
        }
}

pools {
}

secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}

authorities {
}
```

----------

## LemonadeLlama

That's better, but now there's some kind of kernel issue. I'll investigate what I need to change in my config.

```
sudo swanctl -i --child only
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 14339s
[IKE] maximum IKE_SA lifetime 15779s
[ENC] generating QUICK_MODE request 3316858122 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (244 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (188 bytes)
[ENC] parsed QUICK_MODE response 3316858122 [ HASH SA No ID ID NAT-OA NAT-OA ]
[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI ce559593 (FAILED)
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI cf5a5c66 (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
initiate failed: establishing CHILD_SA 'only' failed
```

----------

## LemonadeLlama

Alright, I've checked my kernel config according to Strongswan's website, to make sure I didn't miss any modules (they're listed at https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules).

I still can't get a connection.

```
11[CFG] vici initiate CHILD_SA 'only'
13[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
13[ENC] generating ID_PROT request 0 [ SA V V V V V ]
13[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
03[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
03[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
03[IKE] received XAuth vendor ID
03[IKE] received DPD vendor ID
03[IKE] received FRAGMENTATION vendor ID
03[IKE] received NAT-T (RFC 3947) vendor ID
03[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
03[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
03[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
09[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
09[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
09[IKE] local host is behind NAT, sending keep alives
09[ENC] generating ID_PROT request 0 [ ID HASH ]
09[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
10[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
10[ENC] parsed ID_PROT response 0 [ ID HASH ]
10[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
10[IKE] scheduling rekeying in 14120s
10[IKE] maximum IKE_SA lifetime 15560s
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 14120s
[IKE] maximum IKE_SA lifetime 15560s
10[ENC] generating QUICK_MODE request 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
10[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (244 bytes)
[ENC] generating QUICK_MODE request 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (244 bytes)
07[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (188 bytes)
07[ENC] parsed QUICK_MODE response 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (188 bytes)
07[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
[ENC] parsed QUICK_MODE response 2901841777 [ HASH SA No ID ID NAT-OA NAT-OA ]
[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
07[KNL] received netlink error: Function not implemented (38)
07[KNL] unable to add SAD entry with SPI c2d555a5 (FAILED)
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI c2d555a5 (FAILED)
07[KNL] received netlink error: Function not implemented (38)
07[KNL] unable to add SAD entry with SPI c2c7a5db (FAILED)
07[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
[KNL] received netlink error: Function not implemented (38)
07[KNL] deleting policy 122.56.104.6/32[0/l2tp] === 192.168.1.64/32[udp/l2tp] in failed, not found
07[ENC] generating INFORMATIONAL_V1 request 2349652408 [ HASH N(NO_PROP) ]
07[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (76 bytes)
[KNL] unable to add SAD entry with SPI c2c7a5db (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
initiate failed: establishing CHILD_SA 'only' failed
```

I will contact our office's IT support for further assistance.

----------

## salahx

You're probably missing 3des support in the kernel

```
CONFIG_CRYPTO_DES=m
CONFIG_CRYPTO_DES3_EDE_X86_64=m
CONFIG_CRYPTO_LIB_DES=m
```

You can also use sys-kernel/gentoo-kernel-bin which has this compiled in.

I don't know what they are using as a VPN solution, but you can try

```
proposals=aes128-sha1-modp1024,default
```

This is normally what Windows proposes. Curiously enough, Windows always accepts the "lowest" proposal; if it's offered 3DES it'll take it over AES, perhaps the VPN server acts the same. I find it a little strange the VPN server doesn't offer AES, but perhaps it was configured for maximum compatibility.

----------

## LemonadeLlama

*salahx wrote:*

> You're probably missing 3des support in the kernel

I have added support and tried again. This is what I got next time:

```
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (272 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 13234s
[IKE] maximum IKE_SA lifetime 14674s
[ENC] generating QUICK_MODE request 2328618335 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (332 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 2856116920 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
```

I don't know if this is a problem on my end or on their end.

----------

## salahx

It's still got a problem with the ESP connection. Try this:

```
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=3des-md5,3des-sha1,default
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                        }
                }
        }
}

pools {
}

secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}

authorities {
}
```

If that fails, it could have something to do with the traffic selectors. In that case, try this:

```
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=3des-md5,3des-sha1,default
                                mode=transport
                                local_ts=dynamic[udp/l2tp]
                                remote_ts=122.56.104.6[udp/l2tp]
                        }
                }
        }
}

pools {
}

secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}

authorities {
}
```

If that fails, we'll need to turn up the verbosity and see where it's failing. See https://docs.strongswan.org/docs/5.9/config/logging.html for turning up the verbosity (we want verbosity at level 2), which should let us see the ESP proposal.

----------

## LemonadeLlama

I enabled logging and changed the settings as you said. It generated a lot of log information.

Here's what my output looks like now:

```
[IKE] initiating Main Mode IKE_SA vpnconn[1] to 122.56.104.6
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (308 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (156 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.1.64[500] to 122.56.104.6[500] (244 bytes)
[NET] received packet: from 122.56.104.6[500] to 192.168.1.64[500] (244 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[IKE] local host is behind NAT, sending keep alives
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (68 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (68 bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA vpnconn[1] established between 192.168.1.64[192.168.1.64]...122.56.104.6[122.56.104.6]
[IKE] scheduling rekeying in 13842s
[IKE] maximum IKE_SA lifetime 15282s
[ENC] generating QUICK_MODE request 2205505520 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (332 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 1582596256 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
initiate failed: establishing CHILD_SA 'only' failed
```

Here's what the new log says:

https://docs.google.com/document/d/1KdXlkc1X74rlRgk_vqlHsMrn_arEz5Po7WGJEVSSpZE/edit?usp=sharing

----------

## salahx

Ok, after some experimenting I have some idea what the problem might be. I screwed up the original configuration: local_ts should be remote_ts (on the server it's local_ts, but on the client it has to be flipped). So it should really be this:

```
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=3des-sha1-modp1024,aes256-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                mode=transport
                                remote_ts=dynamic[udp/l2tp]
                        }
                }
        }
}

pools {
}

secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}

authorities {
}
```

As far as I can figure out, Strongswan either doesn't log the server's offering of the ESP proposals (or it never makes one). At that point you'll have to start guessing what it wants for ESP. Some guesses to make for esp_proposals:

```
3des-md5
3des-sha1
aes-sha1 # I think this one has the highest chance of working
3des-md5-modp768 # [ Unlikely, Windows can't handle PFS ]
3des-sha1-modp1024 # [ Unlikely, Windows can't handle PFS ]
aes-sha1-modp1024 # [ Unlikely, Windows can't handle PFS ]
```

----------

## LemonadeLlama

No luck so far.

If it helps, I can get a working connection on my laptop running Manjaro, using the networkmanager-l2tp plugin. I am trying to work out how to copy the configuration from the laptop to my Gentoo PC, since the laptop is using networkmanager and the PC is using strongswan directly.

Looking at the log output of both computers, here's the point where the PC fails the connection:

```
[ENC] generating QUICK_MODE request 4123384968 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
[NET] sending packet: from 192.168.1.64[4500] to 122.56.104.6[4500] (356 bytes)
[NET] received packet: from 122.56.104.6[4500] to 192.168.1.64[4500] (76 bytes)
[ENC] parsed INFORMATIONAL_V1 request 3731827052 [ HASH N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
initiate failed: establishing CHILD_SA 'only' failed
```

And here's the same point of the connection on the laptop, where it succeeds:

```
Aug 07 20:07:38 laptop charon[27856]: 07[ENC] generating QUICK_MODE request 3231029717 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 07 20:07:38 laptop charon[27856]: 07[NET] sending packet: from 192.168.1.71[4500] to 122.56.104.6[4500] (244 bytes)
Aug 07 20:07:38 laptop charon[27856]: 08[NET] received packet: from 122.56.104.6[4500] to 192.168.1.71[4500] (196 bytes)
Aug 07 20:07:38 laptop charon[27856]: 08[ENC] parsed QUICK_MODE response 3231029717 [ HASH SA No ID ID NAT-OA NAT-OA ]
Aug 07 20:07:38 laptop charon[27856]: 08[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Aug 07 20:07:38 laptop charon[27856]: 08[IKE] CHILD_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0{1} established with SPIs c1139af9_i c41e7779_o and TS 192.168.1.71/32[udp/l2f] === 122.56.104.6/32[udp/l2f]
Aug 07 20:07:38 laptop charon[27856]: 08[IKE] CHILD_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0{1} established with SPIs c1139af9_i c41e7779_o and TS 192.168.1.71/32[udp/l2f] === 122.56.104.6/32[udp/l2f]
Aug 07 20:07:38 laptop charon[27856]: 08[ENC] generating QUICK_MODE request 3231029717 [ HASH ]
Aug 07 20:07:38 laptop charon[27856]: 08[NET] sending packet: from 192.168.1.71[4500] to 122.56.104.6[4500] (60 bytes)
Aug 07 20:07:38 laptop NetworkManager[27883]: initiating Main Mode IKE_SA 04287ff7-3c89-42fd-b3d2-269d2da8b4f0[1] to 122.56.104.6
Aug 07 20:07:38 laptop NetworkManager[27883]: generating ID_PROT request 0 [ SA V V V V V ]
Aug 07 20:07:38 laptop NetworkManager[27883]: sending packet: from 192.168.1.71[500] to 122.56.104.6[500] (532 bytes)
Aug 07 20:07:38 laptop NetworkManager[27883]: received packet: from 122.56.104.6[500] to 192.168.1.71[500] (156 bytes)
... and so on ...
```

What is the difference that I'm missing? The first line that changes in the laptop log is

```
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
```

But what does that mean for my PC configuration?

I have the full systemd logs from a successful connection on the laptop if requested.
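Added example, not from the thread and not part of strongSwan or ike-scan: a small Python triage helper for the kind of logs exchanged above. It tells apart the three failure modes seen in this thread (phase 1 proposal rejected, phase 2 ESP proposal rejected, kernel unable to install the SA), flags a QUICK_MODE request that carried a KE payload (a DH group, i.e. PFS, in esp_proposals), and translates a logged `selected proposal:` line or an ike-scan `SA=(...)` line into the swanctl keyword to put in `proposals=` / `esp_proposals=`. The sample log lines are constructed from the ones quoted in this thread.

```python
import re

# Constructed example (not part of strongSwan or ike-scan): a triage helper for
# the charon log lines and the ike-scan output posted in this thread.
_ENC = {"3DES_CBC": "3des", "AES_CBC_128": "aes128", "AES_CBC_256": "aes256"}
_INTEG = {"HMAC_MD5_96": "md5", "HMAC_SHA1_96": "sha1"}
_DH = {"MODP_768": "modp768", "MODP_1024": "modp1024", "MODP_2048": "modp2048"}


def ike_scan_to_proposal(line):
    """ike-scan 'SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK ...)' -> ('3des-sha1-modp1024', 'PSK')."""
    m = re.search(r"SA=\((.*?)\)", line)
    if not m:
        return None
    attrs = dict(kv.split("=", 1) for kv in m.group(1).split())
    enc = attrs["Enc"].lower()
    if "KeyLength" in attrs:                # ike-scan prints AES as 'Enc=AES KeyLength=128'
        enc += attrs["KeyLength"]
    group = attrs["Group"].split(":")[-1]   # '2:modp1024' -> 'modp1024'
    return f"{enc}-{attrs['Hash'].lower()}-{group}", attrs.get("Auth")


def logged_proposal_to_swanctl(line):
    """'selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ' -> ('ESP', 'aes128-sha1')."""
    m = re.search(r"selected proposal: (IKE|ESP):(\S+)", line)
    if not m:
        return None
    parts = []
    for alg in m.group(2).split("/"):       # PRF and NO_EXT_SEQ have no swanctl keyword
        for table in (_ENC, _INTEG, _DH):
            if alg in table:
                parts.append(table[alg])
    return m.group(1), "-".join(parts)


def classify_failure(log_lines):
    """Return (stage, hint): 'ike' = phase 1 proposal rejected, 'esp' = phase 2
    proposal rejected, 'kernel' = SA could not be installed, 'ok' = CHILD_SA up."""
    stage, pfs, esp = None, False, None
    for line in log_lines:
        if "generating ID_PROT request" in line:
            stage = "ike"
        elif "generating QUICK_MODE request" in line:
            stage = "esp"
            pfs = " KE " in line            # KE payload: a DH group (PFS) was proposed
        elif "selected proposal: ESP:" in line:
            esp = logged_proposal_to_swanctl(line)[1]
        elif "received netlink error" in line or "unable to add SAD entry" in line:
            return "kernel", "kernel lacks the negotiated ESP algorithm (e.g. CONFIG_CRYPTO_DES for 3des)"
        elif "NO_PROPOSAL_CHOSEN" in line:
            if stage == "ike":
                return "ike", "peer rejected every entry in 'proposals'"
            hint = "peer rejected every entry in 'esp_proposals'"
            if pfs:
                hint += "; QUICK_MODE carried a KE payload, so drop DH groups (PFS) from them"
            return "esp", hint
        elif "established with SPIs" in line:
            return "ok", f"esp_proposals={esp}"
    return "unknown", "no decisive line found"


# Constructed sample logs, modelled on the ones posted in this thread.
PHASE1_FAIL = [
    "generating ID_PROT request 0 [ SA V V V V V ]",
    "received NO_PROPOSAL_CHOSEN error notify",
]
PHASE2_FAIL = [
    "generating ID_PROT request 0 [ SA V V V V V ]",
    "generating QUICK_MODE request 2328618335 [ HASH SA No KE ID ID NAT-OA NAT-OA ]",
    "received NO_PROPOSAL_CHOSEN error notify",
]
KERNEL_FAIL = [
    "generating QUICK_MODE request 3316858122 [ HASH SA No ID ID NAT-OA NAT-OA ]",
    "selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ",
    "received netlink error: Function not implemented (38)",
]
LAPTOP_OK = [
    "generating QUICK_MODE request 3231029717 [ HASH SA No ID ID NAT-OA NAT-OA ]",
    "selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ",
    "CHILD_SA vpn{1} established with SPIs c1139af9_i c41e7779_o and TS ...",
]
IKE_SCAN = ("122.56.104.6   Main Mode Handshake returned HDR=(CKY-R=2ebda1f9efafb80c) "
            "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)")

if __name__ == "__main__":
    print("ike-scan says:", ike_scan_to_proposal(IKE_SCAN))
    for name, log in [("PC phase 1", PHASE1_FAIL), ("PC phase 2", PHASE2_FAIL), ("PC kernel", KERNEL_FAIL), ("laptop", LAPTOP_OK)]:
        print(name, "->", classify_failure(log))
```

Run on the laptop's successful log it answers the question above directly: the negotiated `ESP:AES_CBC_128/HMAC_SHA1_96` corresponds to `esp_proposals=aes128-sha1` on the strongSwan side.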

----------

## salahx

Probably you need to do something like this:

```
connections {
        work {
                remote_addrs=122.56.104.6
                proposals=aes-sha1-modp1024,default
                version=1
                local-1 {
                        auth=psk
                }
                remote-1 {
                        auth=psk
                }
                children {
                        only {
                                esp_proposals=aes-sha1,default
                                mode=transport
                                remote_ts=dynamic[udp/l2tp]
                        }
                }
        }
}

pools {
}

secrets {
        ike-1 {
                id = 122.56.104.6
                secret = "password_pass"
        }
}

authorities {
}
```

----------

