L2TP Over IPSec VPN from Linux (any linux distribution)

pista
pista Posts: 22  Freshman Member
edited April 2021 in Security
Hi folks!

Anyone have any luck w/ L2TP Over IPSec VPN connections from some Linux distribution?

My case (USG-1100) works fine from Windows, macOS and Android. But it doesn't work from Linux distributions (Ubuntu 18.04 doesn't have a client; Ubuntu 16.04, Fedora, etc.). I am receiving this ERROR:

"578da8a0-1365-413b-97f2-88322e336242" #1: ERROR: asynchronous network error report on wlp3s0 (sport=500) for message to 176.xx.xx.xx port 500, complainant 176.xx.xx.xx: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)] ).

Is it working for somebody? Does anybody know how to? 

Thanks a lot! 

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @pista,
    Can you paste the USG VPN phase 1 and phase 2 negotiation log (Monitor > Log)? Maybe we can find some clues in the VPN connection log.
  • pista
    pista Posts: 22  Freshman Member
    edited July 2018
    Hi @Zyxel_Cooldia ,

    thanks for your reply! I tried from two Linux devices today (Ubuntu 16.04 and Fedora r27). In the attachment you can find the logs from journalctl from both devices.

    “Phase1 Algorithms” is set to 3des-sha1 in Zyxel settings and in linux connection as well.
    “Phase2 Algorithms” to 3des-sha1 in Zyxel settings and in linux connection as well.

    Looks like IKE in Phase 1 is not syncing correctly, just wondering why. Should I use some different settings for these algorithms?

    Do you have please any idea? 

    Thank you!
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @pista,
    Can you provide the USG-side VPN connection log, not the Linux VPN log?
    1)    Log in to the USG Web GUI.
    2)    Go to the menu "Monitor > Log" and take a screenshot of the VPN connection log.
  • pista
    pista Posts: 22  Freshman Member
    edited July 2018
    Hi @Zyxel_Cooldia

    It was attached in 'ubuntu_16_04' as well, screenshot in the attachment of this message.

    Thank you for your help in advance.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @pista,
    I installed Ubuntu 18.04 LTS on a lab device to test the L2TP over IPsec VPN connection to the USG. It works fine on VPN connection.
    It seems the phase 1 DH group mismatches the USG phase 1 configuration on your site.
    Can you set the phase 1 DH group to 14 (on the USG) and try it again?
  • pista
    pista Posts: 22  Freshman Member
    @Zyxel_Cooldia thx, I will do it and I will let you know!

    Can you provide me some manual? Or the best would be to provide me your settings from USG and Ubuntu (to see how you set it up). I could follow and try as well.

    I appreciate your help! Thank you! 
  • Ed_JCL
    Ed_JCL Posts: 1  Freshman Member
    Hello, good afternoon! Does anyone have a manual (step by step) on how to configure the VPN on Linux using a USG110? On Windows I can do this configuration easily. My e-mail: edvaldo.silva@jcl-tecnologia.com.br
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @pista,
    The following is the lab testing VPN configuration. Assuming the related VPN module is installed correctly on Linux, you should only need to modify the DH group in the USG phase 1 for the VPN connection.
    ~~~~~~~~~~~~~~~~~~~~~ Configuration file~~~~~~~~~~~~~~~~~~~~~~~~~~
    !
    isakmp policy WIZ_L2TP_VPN
    peer-ip 0.0.0.0 0.0.0.0
    local-ip interface wan1
    authentication pre-share
    encrypted-keystring $4$9eOBIIyQ$smPR6vGlxEufdb9dONhlwS6Zi5oT2vxckyi3tK33Gakg/DwtBRF12f8G25E49YXVEbcpBxS32kJSx5xYWRqDXc3D0r4PWG5N9rGVnKzSvss$
    mode main
    transform-set 3des-sha 3des-md5 des-sha
    group14
    lifetime 86400
    dpd-interval 30
    peer-id type any
    !
    crypto map WIZ_L2TP_VPN
    ipsec-isakmp WIZ_L2TP_VPN
    encapsulation transport
    transform-set esp-3des-sha esp-3des-md5 esp-des-sha
    set security-association lifetime seconds 86400
    set pfs none
    scenario remote-access-server
    local-policy WIZ_L2TP_VPN_LOCAL
    remote-policy any
    !
    ........
    ........
    !
    l2tp-over-ipsec crypto WIZ_L2TP_VPN
    l2tp-over-ipsec pool WIZ_L2TP_VPN_IP_ADDRESS_POOL
    l2tp-over-ipsec first-dns-server 8.8.8.8
    l2tp-over-ipsec second-dns-server 168.95.1.1
    !
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Web GUI configuration (Configuration > VPN > IPSec VPN > VPN gateway)
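    The diagnosis in this thread is a phase 1 proposal mismatch: the Linux client offers an encryption/hash/DH-group combination that the USG isakmp policy does not list. The script below is an added example (mine, not Zyxel's and not any poster's code) that reads the phase 1 part of a USG-style isakmp policy, as shown in the configuration above, and a strongSwan/libreswan-style ike proposal string, and reports which client proposals the USG would accept and why the others fail. The USG excerpt and the client proposal strings are constructed for the example; only the transform-set and groupN lines are parsed, the mapping of group14 to modp2048 follows standard IKE group numbering, and the USG's "sha" is treated as SHA-1.

```python
"""Phase 1 proposal check for an L2TP-over-IPsec client against a USG isakmp policy.

Added example; the USG syntax handling is limited to the transform-set
and groupN lines of the policy and is an assumption, not Zyxel's parser.
"""
import re

# Standard IKE DH group numbers and the names strongSwan/libreswan use for them.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
             15: "modp3072", 16: "modp4096", 19: "ecp256", 20: "ecp384"}

# Constructed USG phase 1 excerpt, modelled on the lab configuration in the thread.
USG_PHASE1 = """\
isakmp policy WIZ_L2TP_VPN
peer-ip 0.0.0.0 0.0.0.0
local-ip interface wan1
authentication pre-share
mode main
transform-set 3des-sha 3des-md5 des-sha
group14
lifetime 86400
"""


def _norm_hash(name):
    """USG writes 'sha' for SHA-1; client proposal strings write 'sha1'."""
    name = name.lower()
    return "sha1" if name == "sha" else name


def parse_usg_phase1(text):
    """Return (set of (enc, hash) pairs, set of DH group names) from a policy block."""
    transforms, groups = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("transform-set"):
            for ts in line.split()[1:]:          # e.g. "3des-sha"
                enc, hsh = ts.rsplit("-", 1)
                transforms.add((enc.lower(), _norm_hash(hsh)))
        m = re.fullmatch(r"group(\d+)", line)    # e.g. "group14"
        if m:
            num = int(m.group(1))
            groups.add(DH_GROUPS.get(num, "group%d" % num))
    return transforms, groups


def parse_client_ike(ike):
    """Parse 'enc-hash-dh[,enc-hash-dh...]' (strongSwan) or 'enc-hash;dh' (libreswan)."""
    props = []
    for prop in ike.split(","):
        parts = prop.strip().replace(";", "-").split("-")
        if len(parts) != 3:
            raise ValueError("expected enc-hash-dh, got %r" % prop)
        enc, hsh, dh = parts
        props.append((enc.lower(), _norm_hash(hsh), dh.lower()))
    return props


def diagnose(usg_text, client_ike):
    """Return (accepted proposal labels, [(rejected label, reason), ...])."""
    transforms, groups = parse_usg_phase1(usg_text)
    accepted, rejected = [], []
    for enc, hsh, dh in parse_client_ike(client_ike):
        reasons = []
        if (enc, hsh) not in transforms:
            reasons.append("%s-%s not in USG transform-set" % (enc, hsh))
        if dh not in groups:
            reasons.append("DH %s not in USG phase 1 groups %s" % (dh, sorted(groups)))
        label = "%s-%s-%s" % (enc, hsh, dh)
        if reasons:
            rejected.append((label, "; ".join(reasons)))
        else:
            accepted.append(label)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed client proposals: the first is the kind of mismatch the thread describes.
    for ike in ("3des-sha1-modp1024", "3des-sha1-modp2048,aes128-sha1-modp2048"):
        ok, bad = diagnose(USG_PHASE1, ike)
        print("client ike=%s" % ike)
        print("  accepted:", ok)
        for label, why in bad:
            print("  rejected: %s (%s)" % (label, why))
```

    Run it as a script to see the two cases side by side: with the USG policy set to group14 only, a client offering modp1024 gets no phase 1 match, while a client offering modp2048 with 3des-sha1 does; that is the change the advice in this thread makes on the USG side (adding DH group 14) or, equivalently, what a client would need to offer to match it.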

  • pista
    pista Posts: 22  Freshman Member
    @Zyxel_Cooldia, thank you!

    May I ask you what VPN module is installed on your Linux [Ubuntu 18.04 LTS]? And which file (name and location) did you mean by 'Configuration file'?

    Appreciate your help! 
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Hi @pista,
    You can set up the L2TP connection easily by installing network-manager-l2tp and network-manager-l2tp-gnome; as for the related VPN module, I will send you the information you need via private message.