I can connect from Windows 10, but can't from Linux

dominik
dominik Posts: 5
edited April 2021 in Security
Hi all
The company I work for gave me access to their Zyxel VPN. I got a .tgb file, a user and a password. On Windows 10 I installed the Zywall client, imported the file, added the user and password in the IKEv2 section and connected. It works.
But I don't work on Windows at all. I want to connect from Linux, so I followed this tutorial:
https://support.zyxel.eu/hc/pl/articles/360004131900-Konfiguracja-połączenia-L2TP-w-systemie-Linux-Ubuntu-

On Kubuntu 20.04 I installed both necessary packages, set the gateway, user, password and pre-shared key. I also opened the .tgb file with a text editor and tried to set the Phase 1 and Phase 2 algorithms according to it. It seems that both use aes256-sha512-modp1024. But it doesn't work. I tried to change them in many different ways.

.tgb file:
# Do not edit this file. It is overwritten by VpnConf.
# SIGNATURE MD5 = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Creation Date : 2021-02-16 at 06:52:37
# Written by VpnConf 6.63
# File format version 2.01

[General]
Shared-SADB = Defined
Retransmits = 2
Exchange-max-time = 15
Default-phase-1-lifetime = 3600,360:28800
Bitblocking = 0
Xauth-interval = 60
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15
XF_LVL = 7,15,3,7,3,2

[Default-phase-2-lifetime]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

# ==================== PHASES 1 ====================

[Phase 1]
185.15.237.172 = SOMECOMPANY-P1

[SOMECOMPANY_LIFETIME]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,360:28800

[SOMECOMPANY-aggressive-mode]
DOI = IPSEC
EXCHANGE_TYPE = AGGRESSIVE
Transforms = AES256-SHA2_512-GRP2

[AES256-SHA2_512-GRP2]
ENCRYPTION_ALGORITHM = AES_CBC
KEY_LENGTH = 256,128:256
HASH_ALGORITHM = SHA2_512
GROUP_DESCRIPTION = MODP_1024
AUTHENTICATION_METHOD = PRE_SHARED
Life = LIFE_MAIN_MODE

[SOMECOMPANY-P1]
Phase = 1
Family = Auto
Address = 185.15.237.172
Transport = udp
Configuration = SOMECOMPANY-aggressive-mode
Retransmits = 2
Life = SOMECOMPANY_LIFETIME
DPD-interval = 30
DPD_retrans = 5
DPD_wait = 15
Authentication = "deleted"

# ==================== PHASES 2 ====================

[Phase 2]
Manual-connections = SOMECOMPANY-IPSec-P2

[SOMECOMPANY_IPSEC_LIFETIME]
LIFE_TYPE = SECONDS
LIFE_DURATION = 3600,300:28800

[SOMECOMPANY-IPSec-P2]
Phase = 2
ISAKMP-peer = SOMECOMPANY-P1
Remote-ID = IPSec-remote-addr
Configuration = IPSec-quick-mode
AutoStart = 0
GinaAutoStart = 0
GinaPreAuth = 0
GinaPreAuthURL = 
USBStart = 0
Life = SOMECOMPANY_IPSEC_LIFETIME
FallbackTunnelName = 
FallbackUserMsg = 
FallbackUserAgreement = 0

# ==================== Ipsec ID ====================

[IPSec-remote-addr]
ID-type = IPV4_ADDR_SUBNET
Network = 192.168.100.0
Netmask = 255.255.255.0

# ==================== TRANSFORMS ====================

[IPSec-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-AES256-SHA2_512-PFSGRP2-SUITE

[QM-ESP-AES256-SHA2_512-PFSGRP2-SUITE]
Protocols = TGBQM-ESP-AES256-SHA2_512-PFSGRP2-TUN

[TGBQM-ESP-AES256-SHA2_512-PFSGRP2-TUN]
PROTOCOL_ID = IPSEC_ESP
Transforms = TGBQM-ESP-AES256-SHA2_512-PFSGRP2-TUN-XF

[TGBQM-ESP-AES256-SHA2_512-PFSGRP2-TUN-XF]
TRANSFORM_ID = AES
KEY_LENGTH = 256,128:256
AUTHENTICATION_ALGORITHM = HMAC_SHA2_512
GROUP_DESCRIPTION = MODP_1024
ENCAPSULATION_MODE = TUNNEL
Life = Default-phase-2-lifetime

# ==================== CERTIFICATES ====================

[TGBIKENG]
<?xml version="1.0" encoding="ISO-8859-1"?>
<tgbconfig>
  <cfg_ikev2>
    <cfg_connectionv2 name="SOMECOMPANY_IKEv2">
      <cfg_ike_sa name="SOMECOMPANY_IKEv2" family="AF_AUTO">
        <server>185.15.237.172</server>
        <port>500</port>
        <port_nat>4500</port_nat>
        <ikeauth_lifetime>86400</ikeauth_lifetime>
        <retries>3</retries>
        <gateway_timeout>5</gateway_timeout>
        <cfg_dynamic_param_lst />
        <cfg_dpd>
          <interval>30</interval>
          <retrans>5</retrans>
          <wait>15</wait>
        </cfg_dpd>
        <cfg_sa>
          <proposal protocol="IKE">
            <transform type="ENCR_ALGO" keylength="256">AES_CBC</transform>
            <transform type="PRF">PRF_HMAC_SHA2_512</transform>
            <transform type="INTEG">AUTH_HMAC_SHA2_512_256</transform>
            <transform type="DH_GROUP">DH_MODP_1024</transform>
          </proposal>
        </cfg_sa>
        <authentication type="eap" sendcertrequest="yes" />
      </cfg_ike_sa>
      <cfg_child_sa name="IPSec_IKEv2" family="AF_INET" requestconfig="yes" tunneltype="client2server">
        <childsa_lifetime>28800</childsa_lifetime>
        <cfg_sa>
          <proposal protocol="ESP">
            <transform type="ENCR_ALGO" keylength="256">AES_CBC</transform>
            <transform type="INTEG">AUTH_HMAC_SHA2_512_256</transform>
            <transform type="DH_GROUP">DH_MODP_1024</transform>
            <transform type="ESN">NO_EXTENDED_SEQ_NUMBER</transform>
          </proposal>
        </cfg_sa>
        <cfg_ts type="IPV4_ADDR_RANGE" location="local">
          <protocol>0</protocol>
          <start_port>0</start_port>
          <end_port>65535</end_port>
          <starting_address>0.0.0.0</starting_address>
          <ending_address>0.0.0.0</ending_address>
        </cfg_ts>
        <cfg_ts type="IPV4_ADDR_RANGE" location="remote">
          <protocol>0</protocol>
          <start_port>0</start_port>
          <end_port>65535</end_port>
          <starting_address>192.168.100.0</starting_address>
          <ending_address>192.168.100.255</ending_address>
        </cfg_ts>
        <cfg_automation />
        <cfg_remotesharing />
        <cfg_dynamic_param_lst />
      </cfg_child_sa>
    </cfg_connectionv2>
  </cfg_ikev2>
  <cfg_cnxpanel>
    <cfg_cnxpanel_connection name="SOMECOMPANY-IPSec" tunnel="SOMECOMPANY-IPSec" />
    <cfg_cnxpanel_connection name="SOMECOMPANY_IKEv2-IPSec_IKEv2" tunnel="SOMECOMPANY_IKEv2-IPSec_IKEv2" />
  </cfg_cnxpanel>
</tgbconfig>

Here is the log from the connection attempt:

Feb 17 09:01:13  Dominik-5510 NetworkManager[13780]: Starting strongSwan 5.8.2 IPsec [starter]...
Feb 17 09:01:13  Dominik-5510 NetworkManager[13780]: Loading config setup
Feb 17 09:01:13  Dominik-5510 NetworkManager[13780]: Loading conn 'ae998d57-c3f0-4bb6-9e0e-b38f2ed124c2'
Feb 17 09:01:13  Dominik-5510 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-65-generic, x86_64)
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] PKCS11 module '<name>' lacks library path
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG]   loaded IKE secret for %any
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG]   loaded IKE secret for %any
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 17 09:01:13  Dominik-5510 charon: 00[CFG] HA config misses local/remote address
Feb 17 09:01:13  Dominik-5510 charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Feb 17 09:01:13  Dominik-5510 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 17 09:01:13  Dominik-5510 charon: 00[JOB] spawning 16 worker threads
Feb 17 09:01:13  Dominik-5510 charon: 06[CFG] received stroke: add connection 'ae998d57-c3f0-4bb6-9e0e-b38f2ed124c2'
Feb 17 09:01:13  Dominik-5510 charon: 06[CFG] added configuration 'ae998d57-c3f0-4bb6-9e0e-b38f2ed124c2'
Feb 17 09:01:14  Dominik-5510 charon: 05[CFG] rereading secrets
Feb 17 09:01:14  Dominik-5510 charon: 05[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 17 09:01:14  Dominik-5510 charon: 05[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Feb 17 09:01:14  Dominik-5510 charon: 05[CFG]   loaded IKE secret for %any
Feb 17 09:01:14  Dominik-5510 charon: 05[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Feb 17 09:01:14  Dominik-5510 charon: 05[CFG]   loaded IKE secret for %any
Feb 17 09:01:14  Dominik-5510 charon: 06[CFG] received stroke: initiate 'ae998d57-c3f0-4bb6-9e0e-b38f2ed124c2'
Feb 17 09:01:14  Dominik-5510 charon: 08[IKE] initiating Main Mode IKE_SA ae998d57-c3f0-4bb6-9e0e-b38f2ed124c2[1] to 185.15.237.172
Feb 17 09:01:14  Dominik-5510 charon: 08[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Feb 17 09:01:14  Dominik-5510 charon: 08[NET] sending packet: from 10.12.181.175[500] to 185.15.237.172[500] (240 bytes)
Feb 17 09:01:14  Dominik-5510 charon: 09[NET] received packet: from 185.15.237.172[500] to 10.12.181.175[500] (64 bytes)
Feb 17 09:01:14  Dominik-5510 charon: 09[ENC] parsed INFORMATIONAL_V1 request 2013311990 [ N(NO_PROP) ]
Feb 17 09:01:14  Dominik-5510 charon: 09[IKE] received NO_PROPOSAL_CHOSEN error notify
Feb 17 09:01:14  Dominik-5510 NetworkManager[13852]: initiating Main Mode IKE_SA ae998d57-c3f0-4bb6-9e0e-b38f2ed124c2[1] to 185.15.237.172
Feb 17 09:01:14  Dominik-5510 NetworkManager[13852]: generating ID_PROT request 0 [ SA V V V V V ]
Feb 17 09:01:14  Dominik-5510 NetworkManager[13852]: sending packet: from 10.12.181.175[500] to 185.15.237.172[500] (240 bytes)
Feb 17 09:01:14  Dominik-5510 NetworkManager[13852]: received packet: from 185.15.237.172[500] to 10.12.181.175[500] (64 bytes)
Feb 17 09:01:14  Dominik-5510 NetworkManager[13852]: parsed INFORMATIONAL_V1 request 2013311990 [ N(NO_PROP) ]
Feb 17 09:01:14  Dominik-5510 NetworkManager[13852]: received NO_PROPOSAL_CHOSEN error notify
Feb 17 09:01:14  Dominik-5510 NetworkManager[13852]: establishing connection 'ae998d57-c3f0-4bb6-9e0e-b38f2ed124c2' failed
Feb 17 09:01:14  Dominik-5510 NetworkManager[13859]: Stopping strongSwan IPsec...
Feb 17 09:01:14  Dominik-5510 charon: 00[DMN] signal of type SIGINT received. Shutting down
Feb 17 09:01:14  Dominik-5510 nm-l2tp-service[13764]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Feb 17 09:01:14  Dominik-5510 NetworkManager[952]: <info>  [1613548874.5820] vpn-connection[0x55d45fc5c140,ae998d57-c3f0-4bb6-9e0e-b38f2ed124c2,"ptx-ipsec",0]: VPN plugin: state changed: stopped (6)
Feb 17 09:01:14  Dominik-5510 NetworkManager[952]: <info>  [1613548874.5843] vpn-connection[0x55d45fc5c140,ae998d57-c3f0-4bb6-9e0e-b38f2ed124c2,"ptx-ipsec",0]: VPN service disappeared
Feb 17 09:01:14  Dominik-5510 NetworkManager[952]: <warn>  [1613548874.5853] vpn-connection[0x55d45fc5c140,ae998d57-c3f0-4bb6-9e0e-b38f2ed124c2,"ptx-ipsec",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
Feb 17 09:01:24  Dominik-5510 systemd-resolved[925]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

All Replies

  • dominik
    dominik Posts: 5
    edited February 2021
    Does this silence mean that companies which have Linux workstations (Red Hat, SUSE, Ubuntu) should avoid Zyxel solutions?

    Maybe at least there are some budget Zyxel routers (home or business) which have IPsec options and allow connecting to the Zywall's VPN as a client? Like the NBG-418N v2, maybe?
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee

    Hi @dominik

    Actually, Zyxel supports L2TP VPN from Linux distributions.

    You may refer to the following previous forum discussions:

    https://community.zyxel.com/en/discussion/1269/l2tp-over-ipsec-vpn-from-linux-any-linux-distribution/p1

    https://community.zyxel.com/en/discussion/2749/vpn-client-for-linux-trying-with-strongswan-network-manager


    Could you provide a Monitor > Log screenshot taken while your Ubuntu PC tries to establish the L2TP VPN connection to your Zyxel device?

    It can give us more reference for the investigation.

    Thanks.

  • gb5102
    gb5102 Posts: 25  Freshman Member
    The .tgb file appears to define a 'straight IPSec' IKEv2 connection, but your screenshots show that you are configuring it as L2TP-over-IPSec on Kubuntu.
    Does Kubuntu support IKEv2 VPN connection?
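To make the comparison gb5102 describes concrete, here is an added example (not code from the post or from Zyxel) that splits the .tgb profile into its IKEv1 INI part and the embedded IKEv2 XML, derives the strongSwan ike=/esp= proposal strings from each, and checks the exchange the client attempted (from the first log) against the profile. The .tgb excerpt and log lines are constructed copies of those in the question, and the algorithm name mapping covers only the algorithms that appear there.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the posted .tgb profile (IKEv1 transform + embedded IKEv2 XML); secrets omitted.
TGB = """[SOMECOMPANY-aggressive-mode]
EXCHANGE_TYPE = AGGRESSIVE
Transforms = AES256-SHA2_512-GRP2
[AES256-SHA2_512-GRP2]
ENCRYPTION_ALGORITHM = AES_CBC
KEY_LENGTH = 256,128:256
HASH_ALGORITHM = SHA2_512
GROUP_DESCRIPTION = MODP_1024
[TGBIKENG]
<?xml version="1.0" encoding="ISO-8859-1"?>
<tgbconfig><cfg_ikev2><cfg_connectionv2 name="SOMECOMPANY_IKEv2"><cfg_ike_sa><cfg_sa>
<proposal protocol="IKE"><transform type="ENCR_ALGO" keylength="256">AES_CBC</transform>
<transform type="PRF">PRF_HMAC_SHA2_512</transform><transform type="INTEG">AUTH_HMAC_SHA2_512_256</transform>
<transform type="DH_GROUP">DH_MODP_1024</transform></proposal></cfg_sa><authentication type="eap" /></cfg_ike_sa>
<cfg_child_sa><cfg_sa><proposal protocol="ESP"><transform type="ENCR_ALGO" keylength="256">AES_CBC</transform>
<transform type="INTEG">AUTH_HMAC_SHA2_512_256</transform><transform type="DH_GROUP">DH_MODP_1024</transform>
</proposal></cfg_sa></cfg_child_sa></cfg_connectionv2></cfg_ikev2></tgbconfig>"""
# Constructed copies of two lines from the posted strongSwan (L2TP attempt) log.
LOG = ["08[IKE] initiating Main Mode IKE_SA ae998d57[1] to 185.15.237.172",
       "09[IKE] received NO_PROPOSAL_CHOSEN error notify"]
# VpnConf algorithm names -> strongSwan proposal keywords (only those in this profile)
ENCR = {"AES_CBC": "aes"}
HASH = {"SHA2_512": "sha512", "AUTH_HMAC_SHA2_512_256": "sha512", "PRF_HMAC_SHA2_512": "prfsha512"}
DH = {"MODP_1024": "modp1024", "DH_MODP_1024": "modp1024"}

def parse_sections(ini_text):
    """Minimal reader for VpnConf's 'key = value' sections; keeps key case."""
    sections, cur = {}, None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None and not line.startswith("#"):
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return sections

def load_tgb(text):
    """Split the profile at [TGBIKENG]: INI-style IKEv1 part, XML IKEv2 part."""
    ini, _, xml = text.partition("[TGBIKENG]")
    return parse_sections(ini), ET.fromstring(xml.strip().encode("latin-1"))

def ikev1_proposal(sections, mode_section):
    """Return (exchange type, strongSwan 'ike=' proposal) for an IKEv1 mode section."""
    mode = sections[mode_section]
    xf = sections[mode["Transforms"]]
    encr = ENCR[xf["ENCRYPTION_ALGORITHM"]] + xf["KEY_LENGTH"].split(",")[0]  # preferred,min:max
    return mode["EXCHANGE_TYPE"], "-".join([encr, HASH[xf["HASH_ALGORITHM"]], DH[xf["GROUP_DESCRIPTION"]]])

def ikev2_proposal(root, protocol):
    """Build the strongSwan proposal string for the IKE or ESP <proposal> element."""
    by_type = {t.get("type"): t for t in root.find('.//proposal[@protocol="%s"]' % protocol)}
    parts = [ENCR[by_type["ENCR_ALGO"].text] + by_type["ENCR_ALGO"].get("keylength", "")]
    parts += [HASH[by_type[k].text] for k in ("INTEG", "PRF") if k in by_type]
    return "-".join(parts + [DH[by_type["DH_GROUP"].text]])

def diagnose(log_lines, exchange_type):
    """Relate NO_PROPOSAL_CHOSEN to the exchange the client tried versus the profile."""
    attempted = "MAIN" if any("Main Mode" in ln for ln in log_lines) else "OTHER"
    if any("NO_PROPOSAL_CHOSEN" in ln for ln in log_lines) and attempted != exchange_type:
        return "client used %s mode, profile's IKEv1 section is %s mode" % (attempted, exchange_type)
    return "exchange type consistent with profile"
```

Note that the profile's IKEv1 section is aggressive mode with a pre-shared key while the first charon log shows a Main Mode initiation, and the IKEv2 section authenticates with EAP, which matches the user/password login that works on Windows.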
  • dominik
    dominik Posts: 5
    edited February 2021
    gb5102 said:
    The .tgb file appears to define a 'straight IPSec' IKEv2 connection, but your screenshots show that you are configuring it as L2TP-over-IPSec on Kubuntu.
    Does Kubuntu support IKEv2 VPN connection?
    Thanks for your answer. Yes, indeed I was using the wrong type. But I installed the required things

    sudo apt install strongswan network-manager-strongswan libcharon-extra-plugins

    ... chose strongswan ike profile ....


    ... and still I can't connect.

    Feb 22 07:55:42 Dominik-5510 charon-nm: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.8.2)
    Feb 22 07:55:42 Dominik-5510 charon-nm: 00[KNL] unable to create IPv4 routing table rule
    Feb 22 07:55:42 Dominik-5510 charon-nm: 00[KNL] unable to create IPv6 routing table rule
    Feb 22 07:55:42 Dominik-5510 NetworkManager[984]: <info>  [1613976942.3080] vpn-connection[0x5560cd63a130,653d20bf-f9d0-4cba-b658-6828f2134364,"ptx-ike",0]: Saw the service appear; activating connection
    Feb 22 07:55:42 Dominik-5510 charon-nm: 00[LIB] loaded plugins: nm-backend charon-nm ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl kernel-netlink socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
    Feb 22 07:55:42 Dominik-5510 charon-nm: 00[LIB] dropped capabilities, running as uid 0, gid 0
    Feb 22 07:55:42 Dominik-5510 charon-nm: 00[JOB] spawning 16 worker threads
    Feb 22 07:55:42 Dominik-5510 charon-nm: 06[IKE] installed bypass policy for 10.12.0.0/16
    Feb 22 07:55:42 Dominik-5510 charon-nm: 06[IKE] installed bypass policy for 169.254.0.0/16
    Feb 22 07:55:42 Dominik-5510 charon-nm: 06[IKE] installed bypass policy for 172.17.0.0/16
    Feb 22 07:55:42 Dominik-5510 charon-nm: 06[KNL] received netlink error: Invalid argument (22)
    Feb 22 07:55:42 Dominik-5510 charon-nm: 06[KNL] unable to install source route for %any6
    Feb 22 07:55:42 Dominik-5510 charon-nm: 06[IKE] installed bypass policy for ::1/128
    Feb 22 07:55:42 Dominik-5510 charon-nm: 06[IKE] installed bypass policy for fe80::/64
    Feb 22 07:55:42 Dominik-5510 charon-nm: 05[CFG] received initiate for NetworkManager connection ptx-ike
    Feb 22 07:55:42 Dominik-5510 charon-nm: 05[LIB]   file coded in unknown format, discarded
    Feb 22 07:55:42 Dominik-5510 charon-nm: 05[LIB] building CRED_CERTIFICATE - X509 failed, tried 6 builders
    Feb 22 07:55:42 Dominik-5510 charon-nm: 05[CFG] loading CA certificate '/etc/ssl/certs/java/cacerts' failed
    Feb 22 07:55:42 Dominik-5510 charon-nm: 05[CFG] using CA certificate, gateway identity '185.15.237.172'
    Feb 22 07:55:42 Dominik-5510 charon-nm: 05[IKE] initiating IKE_SA ptx-ike[1] to 185.15.237.172
    Feb 22 07:55:42 Dominik-5510 charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Feb 22 07:55:42 Dominik-5510 charon-nm: 05[NET] sending packet: from 10.12.181.175[41495] to 185.15.237.172[500] (1128 bytes)
    Feb 22 07:55:42 Dominik-5510 NetworkManager[984]: <info>  [1613976942.4493] vpn-connection[0x5560cd63a130,653d20bf-f9d0-4cba-b658-6828f2134364,"ptx-ike",0]: VPN plugin: state changed: starting (3)
    Feb 22 07:55:46 Dominik-5510 charon-nm: 02[IKE] retransmit 1 of request with message ID 0
    Feb 22 07:55:46 Dominik-5510 charon-nm: 02[NET] sending packet: from 10.12.181.175[41495] to 185.15.237.172[500] (1128 bytes)
    Feb 22 07:55:53 Dominik-5510 systemd-resolved[956]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
    Feb 22 07:55:53 Dominik-5510 systemd-resolved[956]: message repeated 13 times: [ Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.]
    Feb 22 07:55:53 Dominik-5510 charon-nm: 11[IKE] retransmit 2 of request with message ID 0
    Feb 22 07:55:53 Dominik-5510 charon-nm: 11[NET] sending packet: from 10.12.181.175[41495] to 185.15.237.172[500] (1128 bytes)
    Feb 22 07:56:06 Dominik-5510 charon-nm: 13[IKE] retransmit 3 of request with message ID 0
    Feb 22 07:56:06 Dominik-5510 charon-nm: 13[NET] sending packet: from 10.12.181.175[41495] to 185.15.237.172[500] (1128 bytes)
    Feb 22 07:56:26 Dominik-5510 systemd[1]: Starting Cleanup of Temporary Directories...
    Feb 22 07:56:26 Dominik-5510 systemd[1]: systemd-tmpfiles-clean.service: Succeeded.
    Feb 22 07:56:26 Dominik-5510 systemd[1]: Finished Cleanup of Temporary Directories.
    Feb 22 07:56:29 Dominik-5510 charon-nm: 07[IKE] retransmit 4 of request with message ID 0
    Feb 22 07:56:29 Dominik-5510 charon-nm: 07[NET] sending packet: from 10.12.181.175[41495] to 185.15.237.172[500] (1128 bytes)
    Feb 22 07:56:42 Dominik-5510 NetworkManager[984]: <warn>  [1613977002.9826] vpn-connection[0x5560cd63a130,653d20bf-f9d0-4cba-b658-6828f2134364,"ptx-ike",0]: VPN connection: connect timeout exceeded.
    Feb 22 07:56:42 Dominik-5510 charon-nm[10520]: Connect timer expired, disconnecting.
    Feb 22 07:56:42 Dominik-5510 charon-nm: 01[IKE] destroying IKE_SA in state CONNECTING without notification
    Feb 22 07:56:42 Dominik-5510 NetworkManager[984]: <warn>  [1613977002.9874] vpn-connection[0x5560cd63a130,653d20bf-f9d0-4cba-b658-6828f2134364,"ptx-ike",0]: VPN plugin: failed: connect-failed (1)
    Feb 22 07:56:42 Dominik-5510 NetworkManager[984]: <info>  [1613977002.9875] vpn-connection[0x5560cd63a130,653d20bf-f9d0-4cba-b658-6828f2134364,"ptx-ike",0]: VPN plugin: state changed: stopping (5)
    Feb 22 07:56:42 Dominik-5510 NetworkManager[984]: <info>  [1613977002.9875] vpn-connection[0x5560cd63a130,653d20bf-f9d0-4cba-b658-6828f2134364,"ptx-ike",0]: VPN plugin: state changed: stopped (6)
    Also I tried to use an old Mac mini (High Sierra) with its IKE profile, but I failed too. Of course I tried the Windows client again, and both the "preshared key" profile and the user-password profile work.
  • Ok, I just give up. It's my second attempt to configure this VPN and another one which failed. I spent way too much time on this problem. And this is ridiculous, because so far I have used:
    OpenVPN - many different setups and configs - slow but always works flawlessly
    WireGuard - even easier and faster
    Fortigate - they have a Linux client - no problem with that
    Mikrotik - initially I failed with strongSwan, but I bought their cheapest router, set it up and it worked flawlessly as a gateway
    Cisco - I failed with network-manager, but then I tried some docker image and it works ok.

    And only Zyxel is the one I can't manage to get working with my Linux machine. You don't provide a Linux client (free or paid) and AFAIK your devices which are able to be an IKEv2 client are much more expensive than the cheapest Mikrotik (60-70$ or so). So your VPN solution is utterly useless for any company which uses Linux workstations.
  • gb5102
    gb5102 Posts: 25  Freshman Member
    In the strongSwan IKE profile, did you try to enable the 'Enforce UDP encapsulation' option?
    The .tgb file appears to specify UDP transport.
  • dominik
    dominik Posts: 5
    edited February 2021
    Yes, I did, with and without it.

    Anyway, I really want to thank you @gb5102 for your input. You seem to be the most interested in solving this problem. Even though I failed, I really appreciate that you tried to help.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,039  Zyxel Employee
    edited March 2021
    Hi

    Here we have an example which guides users on how to establish a VPN connection with Linux strongSwan. Hope this material helps. Thanks.