
I have been trying for a long time to solve the following problem. L2TP/IPsec VPN works fine with Windows and Mac clients. WatchGuard's firewall documentation does not cover the right way to set this up for Linux clients.

With Linux clients (Ubuntu), the tunnel refuses to connect. The clients have installed the normal "network-manager-l2tp-gnome" package, and the pre-shared key and usernames are set correctly.

The client's syslog looks like this when it attempts to connect:

NetworkManager[4013]: initiating IKE_SA 5e130a30-efa4-4145-b920-545fdfbf0108[1] to 79.134.102.194
2024-06-15T14:28:42.305912+03:00 teppo-Latitude-E5470 NetworkManager[4013]: generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-06-15T14:28:42.305986+03:00 teppo-Latitude-E5470 NetworkManager[4013]: sending packet: from 192.168.32.105[500] to 79.134.XXX.XX[500] (972 bytes)
2024-06-15T14:28:42.306055+03:00 teppo-Latitude-E5470 NetworkManager[4013]: received packet: from 79.134.XXX.XX[500] to 192.168.32.105[500] (38 bytes)
2024-06-15T14:28:42.306119+03:00 teppo-Latitude-E5470 NetworkManager[4013]: parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
2024-06-15T14:28:42.306182+03:00 teppo-Latitude-E5470 NetworkManager[4013]: peer didn't accept DH group ECP_256, it requested MODP_2048
2024-06-15T14:28:42.306247+03:00 teppo-Latitude-E5470 NetworkManager[4013]: initiating IKE_SA 5e130a30-efa4-4145-b920-545fdfbf0108[1] to 79.134.102.194
2024-06-15T14:28:42.306336+03:00 teppo-Latitude-E5470 NetworkManager[4013]: generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-06-15T14:28:42.306400+03:00 teppo-Latitude-E5470 NetworkManager[4013]: sending packet: from 192.168.32.105[500] to 79.134.XXX.XX[500] (1164 bytes)
2024-06-15T14:28:42.306462+03:00 teppo-Latitude-E5470 NetworkManager[4013]: received packet: from 79.134.XXX.XX[500] to 192.168.32.105[500] (512 bytes)
2024-06-15T14:28:42.306524+03:00 teppo-Latitude-E5470 NetworkManager[4013]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
2024-06-15T14:28:42.306590+03:00 teppo-Latitude-E5470 NetworkManager[4013]: received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4d:54:41:75:4d:79:42:43:54:6a:30:32:4f:54:51:35:4f:54:51:3d
2024-06-15T14:28:42.306657+03:00 teppo-Latitude-E5470 NetworkManager[4013]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
2024-06-15T14:28:42.306721+03:00 teppo-Latitude-E5470 NetworkManager[4013]: local host is behind NAT, sending keep alives
2024-06-15T14:28:42.306784+03:00 teppo-Latitude-E5470 NetworkManager[4013]: authentication of '192.168.32.105' (myself) with pre-shared key
2024-06-15T14:28:42.306887+03:00 teppo-Latitude-E5470 NetworkManager[4013]: establishing CHILD_SA 5e130a30-efa4-4145-b920-545fdfbf0108{1}
2024-06-15T14:28:42.306956+03:00 teppo-Latitude-E5470 NetworkManager[4013]: generating IKE_AUTH request 1 [ IDi AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2024-06-15T14:28:42.307021+03:00 teppo-Latitude-E5470 NetworkManager[4013]: sending packet: from 192.168.32.105[4500] to 79.134.XXX.XX[4500] (408 bytes)
2024-06-15T14:28:42.307087+03:00 teppo-Latitude-E5470 NetworkManager[4013]: received packet: from 79.134.XXX.XX[4500] to 192.168.32.105[4500] (88 bytes)
2024-06-15T14:28:42.307152+03:00 teppo-Latitude-E5470 NetworkManager[4013]: parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2024-06-15T14:28:42.307215+03:00 teppo-Latitude-E5470 NetworkManager[4013]: received AUTHENTICATION_FAILED notify error
2024-06-15T14:28:42.307298+03:00 teppo-Latitude-E5470 NetworkManager[4013]: establishing connection '5e130a30-efa4-4145-b920-545fdfbf0108' failed
2024-06-15T14:28:42.416648+03:00 teppo-Latitude-E5470 NetworkManager[4020]: Stopping strongSwan IPsec...
2024-06-15T14:28:42.417706+03:00 teppo-Latitude-E5470 charon: 00[DMN] SIGINT received, shutting down
2024-06-15T14:28:42.523796+03:00 teppo-Latitude-E5470 nm-l2tp-service[3802]: Could not establish IPsec connection.
2024-06-15T14:28:42.524078+03:00 teppo-Latitude-E5470 nm-l2tp-service[3802]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

I have tried changing lots of settings without any success.
Does anyone have best-practice L2TP/IPsec settings for a Firebox that would work with Linux devices?
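Reading the log in order: the INVAL_KE reply and the retry in IKE_SA_INIT are ordinary IKEv2 DH-group renegotiation, and the exchange that actually fails is IKE_AUTH, where the peer answers with AUTHENTICATION_FAILED. The following added Python script (not from the question, WatchGuard or NetworkManager) walks strongSwan charon lines in that order and reports which exchange failed; the embedded sample is a trimmed, constructed copy of the lines above with timestamps and hostnames dropped, and the `NO_PROP` notify it also recognises is strongSwan's short name for NO_PROPOSAL_CHOSEN.

```python
import re

# Constructed sample input: trimmed from the charon messages quoted in the question,
# keeping the INVAL_KE retry and the final AUTH_FAILED verbatim.
SAMPLE_LOG = """\
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
authentication of '192.168.32.105' (myself) with pre-shared key
generating IKE_AUTH request 1 [ IDi AUTH N(USE_TRANSP) SA TSi TSr ]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
"""

DH_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(\S+)")
RESPONSE_RE = re.compile(r"parsed (IKE_SA_INIT|IKE_AUTH) response \d+ \[ (.*?) \]")

def diagnose(log_text: str) -> dict:
    """Walk charon lines in order and record which IKEv2 exchange actually failed."""
    s = {"dh_retry": None, "proposal": None, "auth": None, "failed_exchange": None}
    for line in log_text.splitlines():
        if m := DH_RE.search(line):
            # INVAL_KE -> initiator retries with the peer's DH group (RFC 7296); not an error.
            s["dh_retry"] = (m.group(1), m.group(2))
        elif m := PROPOSAL_RE.search(line):
            s["proposal"] = m.group(1)
        elif "(myself) with pre-shared key" in line:
            s["auth"] = "psk"
        elif m := RESPONSE_RE.search(line):
            exchange, payloads = m.groups()
            # Only an error notify marks a failed exchange; a plain INVAL_KE does not.
            if "N(AUTH_FAILED)" in payloads or "N(NO_PROP)" in payloads:
                s["failed_exchange"] = exchange
    return s

def explain(s: dict) -> str:
    """One-line conclusion a responder should draw before touching any settings."""
    if s["failed_exchange"] == "IKE_AUTH":
        cred = "pre-shared key" if s["auth"] == "psk" else "credentials"
        return ("crypto negotiation succeeded (%s); peer rejected IKE_AUTH, so verify the "
                "%s and the identity the peer expects first" % (s["proposal"], cred))
    if s["failed_exchange"] == "IKE_SA_INIT":
        return "proposal/DH mismatch in IKE_SA_INIT; compare cipher and DH group settings"
    return "no IKE error notify seen"

if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```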
