VPN L2TP over IPsec no Linux Mint

Hello, how's it going?

I'm trying to connect to a VPN at the place where I work and I can't manage it with my Linux Mint and Manjaro (I tried both, everything on the latest versions). For Windows they provide an application, a program that configures everything and gets it all working.

Below is everything I did on Linux Mint:

  1. I followed the guidance on this site: How to Setup L2TP VPN Connection on Mint
  2. And this one: NetworkManager-l2tp/README.md at main · nm-l2tp/NetworkManager-l2tp · GitHub, where I took the following information:
    Phase1 Algorithms : 3des-sha1-modp1024!
    Phase2 Algorithms : 3des-sha1!

When I try to connect it simply drops, and I've been researching for days and can't find an obvious error and/or a good solution. Below are the system logs:

Jul 18 11:32:50 pc NetworkManager[650]: [1563460370.7086] audit: op=“connection-activate” uuid=“912df4b6-10bf-480c-959a-78071592adcc” name=“Conexão VPN 1” pid=1940 uid=1000 result=“success”
Jul 18 11:32:50 pc NetworkManager[650]: [1563460370.7180] vpn-connection[0x55f402252680,912df4b6-10bf-480c-959a-78071592adcc,“Conexão VPN 1”,0]: Started the VPN service, PID 10420
Jul 18 11:32:50 pc NetworkManager[650]: [1563460370.7394] vpn-connection[0x55f402252680,912df4b6-10bf-480c-959a-78071592adcc,“Conexão VPN 1”,0]: Saw the service appear; activating connection
Jul 18 11:32:50 pc NetworkManager[650]: [1563460370.9215] vpn-connection[0x55f402252680,912df4b6-10bf-480c-959a-78071592adcc,“Conexão VPN 1”,0]: VPN connection: (ConnectInteractive) reply received
Jul 18 11:32:50 pc nm-l2tp-service[10420]: Check port 1701
Jul 18 11:32:50 pc nm-l2tp-service[10420]: Can’t bind to port 1701
Jul 18 11:32:50 pc NetworkManager[650]: Stopping strongSwan IPsec failed: starter is not running
Jul 18 11:32:52 pc NetworkManager[650]: Starting strongSwan 5.6.2 IPsec [starter]…
Jul 18 11:32:52 pc NetworkManager[650]: Loading config setup
Jul 18 11:32:52 pc NetworkManager[650]: Loading conn ‘912df4b6-10bf-480c-959a-78071592adcc’
Jul 18 11:32:52 pc NetworkManager[650]: found netkey IPsec stack
Jul 18 11:32:53 pc charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-54-generic, x86_64)
Jul 18 11:32:53 pc charon: 00[CFG] PKCS11 module ‘’ lacks library path
Jul 18 11:32:53 pc charon: 00[CFG] disabling load-tester plugin, not configured
Jul 18 11:32:53 pc charon: 00[LIB] plugin ‘load-tester’: failed to load - load_tester_plugin_create returned NULL
Jul 18 11:32:53 pc charon: 00[CFG] dnscert plugin is disabled
Jul 18 11:32:53 pc charon: 00[CFG] ipseckey plugin is disabled
Jul 18 11:32:53 pc charon: 00[CFG] attr-sql plugin: database URI not set
Jul 18 11:32:53 pc charon: 00[CFG] loading ca certificates from ‘/etc/ipsec.d/cacerts’
Jul 18 11:32:53 pc charon: 00[CFG] loading aa certificates from ‘/etc/ipsec.d/aacerts’
Jul 18 11:32:53 pc charon: 00[CFG] loading ocsp signer certificates from ‘/etc/ipsec.d/ocspcerts’
Jul 18 11:32:53 pc charon: 00[CFG] loading attribute certificates from ‘/etc/ipsec.d/acerts’
Jul 18 11:32:53 pc charon: 00[CFG] loading crls from ‘/etc/ipsec.d/crls’
Jul 18 11:32:53 pc charon: 00[CFG] loading secrets from ‘/etc/ipsec.secrets’
Jul 18 11:32:53 pc charon: 00[CFG] loading secrets from ‘/etc/ipsec.d/nm-l2tp-ipsec-740c4bd9-b8b4-44e6-9789-cecae234d7db.secrets’
Jul 18 11:32:53 pc charon: 00[CFG] loaded IKE secret for %any
Jul 18 11:32:53 pc charon: 00[CFG] loading secrets from ‘/etc/ipsec.d/nm-l2tp-ipsec-7550c5b0-38f0-4588-ab59-c52596f9075c.secrets’
Jul 18 11:32:53 pc charon: 00[CFG] loaded IKE secret for %any
Jul 18 11:32:53 pc charon: 00[CFG] loading secrets from ‘/etc/ipsec.d/nm-l2tp-ipsec-912df4b6-10bf-480c-959a-78071592adcc.secrets’
Jul 18 11:32:53 pc charon: 00[CFG] loaded IKE secret for %any
Jul 18 11:32:53 pc charon: 00[CFG] loading secrets from ‘/etc/ipsec.d/nm-l2tp-ipsec-f2a2eec3-0566-40fb-9115-25745aa533a2.secrets’
Jul 18 11:32:53 pc charon: 00[CFG] loaded IKE secret for %any
Jul 18 11:32:53 pc charon: 00[CFG] sql plugin: database URI not set
Jul 18 11:32:53 pc charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jul 18 11:32:53 pc charon: 00[CFG] eap-simaka-sql database URI missing
Jul 18 11:32:53 pc charon: 00[CFG] loaded 0 RADIUS server configurations
Jul 18 11:32:53 pc charon: 00[TNC] MAP server certificate not defined
Jul 18 11:32:53 pc charon: 00[TNC] TNC recommendation policy is ‘default’
Jul 18 11:32:53 pc charon: 00[TNC] loading IMVs from ‘/etc/tnc_config’
Jul 18 11:32:53 pc charon: 00[TNC] opening configuration file ‘/etc/tnc_config’ failed: No such file or directory
Jul 18 11:32:53 pc charon: 00[CFG] missing PDP server name, PDP disabled
Jul 18 11:32:53 pc charon: 00[CFG] HA config misses local/remote address
Jul 18 11:32:53 pc charon: 00[CFG] no threshold configured for systime-fix, disabled
Jul 18 11:32:53 pc charon: 00[CFG] coupling file path unspecified
Jul 18 11:32:53 pc charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Jul 18 11:32:53 pc charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 18 11:32:53 pc charon: 00[JOB] spawning 16 worker threads
Jul 18 11:32:53 pc charon: 05[CFG] received stroke: add connection ‘912df4b6-10bf-480c-959a-78071592adcc’
Jul 18 11:32:53 pc charon: 05[CFG] added configuration ‘912df4b6-10bf-480c-959a-78071592adcc’
Jul 18 11:32:54 pc charon: 07[CFG] rereading secrets
Jul 18 11:32:54 pc charon: 07[CFG] loading secrets from ‘/etc/ipsec.secrets’
Jul 18 11:32:54 pc charon: 07[CFG] loading secrets from ‘/etc/ipsec.d/nm-l2tp-ipsec-740c4bd9-b8b4-44e6-9789-cecae234d7db.secrets’
Jul 18 11:32:54 pc charon: 07[CFG] loaded IKE secret for %any
Jul 18 11:32:54 pc charon: 07[CFG] loading secrets from ‘/etc/ipsec.d/nm-l2tp-ipsec-7550c5b0-38f0-4588-ab59-c52596f9075c.secrets’
Jul 18 11:32:54 pc charon: 07[CFG] loaded IKE secret for %any
Jul 18 11:32:54 pc charon: 07[CFG] loading secrets from ‘/etc/ipsec.d/nm-l2tp-ipsec-912df4b6-10bf-480c-959a-78071592adcc.secrets’
Jul 18 11:32:54 pc charon: 07[CFG] loaded IKE secret for %any
Jul 18 11:32:54 pc charon: 07[CFG] loading secrets from ‘/etc/ipsec.d/nm-l2tp-ipsec-f2a2eec3-0566-40fb-9115-25745aa533a2.secrets’
Jul 18 11:32:54 pc charon: 07[CFG] loaded IKE secret for %any
Jul 18 11:32:54 pc charon: 09[CFG] received stroke: initiate ‘912df4b6-10bf-480c-959a-78071592adcc’
Jul 18 11:32:54 pc charon: 11[IKE] initiating Main Mode IKE_SA 912df4b6-10bf-480c-959a-78071592adcc[1] to 177.67.88.210
Jul 18 11:32:54 pc charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jul 18 11:32:54 pc charon: 11[NET] sending packet: from 10.0.2.15[500] to 177.67.88.210[500] (176 bytes)
Jul 18 11:32:54 pc charon: 12[NET] received packet: from 177.67.88.210[500] to 10.0.2.15[500] (272 bytes)
Jul 18 11:32:54 pc charon: 12[ENC] parsed ID_PROT response 0 [ SA V V V V V V V V V V ]
Jul 18 11:32:54 pc charon: 12[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:03:00
Jul 18 11:32:54 pc charon: 12[IKE] received draft-stenberg-ipsec-nat-traversal-01 vendor ID
Jul 18 11:32:54 pc charon: 12[IKE] received draft-stenberg-ipsec-nat-traversal-02 vendor ID
Jul 18 11:32:54 pc charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jul 18 11:32:54 pc charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 18 11:32:54 pc charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 18 11:32:54 pc charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 18 11:32:54 pc charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Jul 18 11:32:54 pc charon: 12[IKE] received XAuth vendor ID
Jul 18 11:32:54 pc charon: 12[IKE] received DPD vendor ID
Jul 18 11:32:54 pc charon: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 18 11:32:54 pc charon: 12[NET] sending packet: from 10.0.2.15[500] to 177.67.88.210[500] (244 bytes)
Jul 18 11:32:54 pc charon: 13[NET] received packet: from 177.67.88.210[500] to 10.0.2.15[500] (228 bytes)
Jul 18 11:32:54 pc charon: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 18 11:32:54 pc charon: 13[IKE] local host is behind NAT, sending keep alives
Jul 18 11:32:54 pc charon: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Jul 18 11:32:54 pc charon: 13[NET] sending packet: from 10.0.2.15[4500] to 177.67.88.210[4500] (68 bytes)
Jul 18 11:32:58 pc charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 3
Jul 18 11:32:58 pc charon: 16[NET] sending packet: from 10.0.2.15[4500] to 177.67.88.210[4500] (68 bytes)
Jul 18 11:33:04 pc NetworkManager[650]: Stopping strongSwan IPsec…
Jul 18 11:33:04 pc charon: 00[DMN] signal of type SIGINT received. Shutting down
Jul 18 11:33:04 pc charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Jul 18 11:33:04 pc NetworkManager[650]: initiating Main Mode IKE_SA 912df4b6-10bf-480c-959a-78071592adcc[1] to 177.67.88.210
Jul 18 11:33:04 pc NetworkManager[650]: generating ID_PROT request 0 [ SA V V V V V ]
Jul 18 11:33:04 pc NetworkManager[650]: sending packet: from 10.0.2.15[500] to 177.67.88.210[500] (176 bytes)
Jul 18 11:33:04 pc NetworkManager[650]: received packet: from 177.67.88.210[500] to 10.0.2.15[500] (272 bytes)
Jul 18 11:33:04 pc NetworkManager[650]: parsed ID_PROT response 0 [ SA V V V V V V V V V V ]
Jul 18 11:33:04 pc NetworkManager[650]: received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:03:00
Jul 18 11:33:04 pc NetworkManager[650]: received draft-stenberg-ipsec-nat-traversal-01 vendor ID
Jul 18 11:33:04 pc NetworkManager[650]: received draft-stenberg-ipsec-nat-traversal-02 vendor ID
Jul 18 11:33:04 pc NetworkManager[650]: received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jul 18 11:33:04 pc NetworkManager[650]: received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jul 18 11:33:04 pc NetworkManager[650]: received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul 18 11:33:04 pc NetworkManager[650]: received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Jul 18 11:33:04 pc NetworkManager[650]: received NAT-T (RFC 3947) vendor ID
Jul 18 11:33:04 pc NetworkManager[650]: received XAuth vendor ID
Jul 18 11:33:04 pc NetworkManager[650]: received DPD vendor ID
Jul 18 11:33:04 pc NetworkManager[650]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 18 11:33:04 pc NetworkManager[650]: sending packet: from 10.0.2.15[500] to 177.67.88.210[500] (244 bytes)
Jul 18 11:33:04 pc NetworkManager[650]: received packet: from 177.67.88.210[500] to 10.0.2.15[500] (228 bytes)
Jul 18 11:33:04 pc NetworkManager[650]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 18 11:33:04 pc NetworkManager[650]: local host is behind NAT, sending keep alives
Jul 18 11:33:04 pc NetworkManager[650]: generating ID_PROT request 0 [ ID HASH ]
Jul 18 11:33:04 pc NetworkManager[650]: sending packet: from 10.0.2.15[4500] to 177.67.88.210[4500] (68 bytes)
Jul 18 11:33:04 pc NetworkManager[650]: sending retransmit 1 of request message ID 0, seq 3
Jul 18 11:33:04 pc NetworkManager[650]: sending packet: from 10.0.2.15[4500] to 177.67.88.210[4500] (68 bytes)
Jul 18 11:33:04 pc NetworkManager[650]: destroying IKE_SA in state CONNECTING without notification
Jul 18 11:33:04 pc nm-l2tp-service[10420]: g_dbus_method_invocation_take_error: assertion ‘error != NULL’ failed
Jul 18 11:33:04 pc NetworkManager[650]: [1563460384.2670] vpn-connection[0x55f402252680,912df4b6-10bf-480c-959a-78071592adcc,“Conexão VPN 1”,0]: VPN plugin: state changed: stopped (6)
Jul 18 11:33:04 pc NetworkManager[650]: [1563460384.2806] vpn-connection[0x55f402252680,912df4b6-10bf-480c-959a-78071592adcc,“Conexão VPN 1”,0]: VPN service disappeared
Jul 18 11:33:04 pc NetworkManager[650]: [1563460384.2841] vpn-connection[0x55f402252680,912df4b6-10bf-480c-959a-78071592adcc,“Conexão VPN 1”,0]: VPN connection: failed to connect: ‘Message recipient disconnected from message bus without replying’

If you can help me, I'd appreciate it!

I've never used a VPN on Mint… But did you try stopping the xl2tpd service as described there on GitHub?

From the log, the problem starts when it goes to check port 1701…

Issue with not stopping system xl2tpd service

NetworkManager-l2tp starts its own instance of xl2tpd and if the system xl2tpd service is running, its own xl2tpd instance will not be able to use UDP port 1701, so will use an ephemeral port (i.e. random high port).

Although the use of an ephemeral port is considered acceptable in RFC3193, the L2TP/IPsec standard co-authored by Microsoft and Cisco, there are some L2TP/IPsec servers and/or firewalls that will have issues if an ephemeral port is used.

Stopping the system xl2tpd service should free UDP port 1701 and on systemd based Linux distributions, the xl2tpd service can be stopped with the following:

sudo systemctl stop xl2tpd

If stopping the xl2tpd service fixes your VPN connection issue, you can disable the xl2tpd service from starting at boot time with :

sudo systemctl disable xl2tpd
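The "Can't bind to port 1701" line in the log is exactly this situation: nm-l2tp-service probes UDP 1701 before it starts its own xl2tpd, and if the system xl2tpd already holds the port, the probe fails and the plugin falls back to an ephemeral port. The following script is an added example (not code from the page or from the NetworkManager-l2tp project) that reproduces that probe from userspace, so you can check the port before and after `systemctl stop xl2tpd`. The function names are my own; the only assumption is that a failed `bind()` means another process owns the port.

```python
import socket

# UDP port that both the system xl2tpd service and nm-l2tp's own xl2tpd want.
L2TP_PORT = 1701


def udp_port_in_use(port: int, host: str = "0.0.0.0") -> bool:
    """Return True when a UDP socket cannot be bound to host:port, i.e. another
    process (such as a running system xl2tpd) already holds it. This mirrors the
    'Check port 1701' step nm-l2tp-service performs before starting xl2tpd."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.bind((host, port))
        return False
    except OSError:
        # EADDRINUSE (or EACCES for a privileged port run as non-root)
        return True
    finally:
        probe.close()


def hold_udp_port(port: int = 0, host: str = "0.0.0.0") -> socket.socket:
    """Occupy a UDP port the way a running service would, for demonstration.
    port=0 asks the kernel for an ephemeral (random high) port, which is the
    fallback nm-l2tp's xl2tpd ends up using when 1701 is taken."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


if __name__ == "__main__":
    if udp_port_in_use(L2TP_PORT):
        print(f"UDP {L2TP_PORT} is busy: nm-l2tp's xl2tpd will fall back to an "
              f"ephemeral port (try: sudo systemctl stop xl2tpd, then re-check)")
    else:
        print(f"UDP {L2TP_PORT} is free")
```

Run it as a regular user before activating the VPN; if it reports the port busy while xl2tpd is stopped, something other than xl2tpd owns it and `ss -lunp` will name the process.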

Roldon, thanks for the reply.

I hadn't tried it, but I just ran it; it now no longer shows the message “Can’t bind to port 1701” in the log, but the result stays the same, with no other change in the log.


I found some interesting information here…

In this link:

It talks about the algorithms that were removed from strongSwan's default set because they are outdated/weak. If the other end is using 3DES, Blowfish, MD5 and MODP768 or 1024, this link shows how to specify them in the IPsec options:

Look, from what I saw, it could be something like that, because I ran the test here and the validation algorithms really are legacy; the script they point to on the site does report that the server is using old algorithms. But after updating as indicated on the site, in my case, it didn't work, yet!

But I won't give up; this is a line of thought worth following, and as soon as I have results, positive or not, I'll post here again.

Thank you very much, you've already pointed me in the right direction.


Hey, don't mention it. As soon as I have a bit more time, I'll keep looking. I got interested in the solution too. haha

I saw a few more things in the log that would be worth checking against the links, for example:
Jul 18 11:32:53 pc charon: 00[TNC] MAP server certificate not defined
Jul 18 11:32:53 pc charon: 00[TNC] TNC recommendation policy is ‘default’
Jul 18 11:32:53 pc charon: 00[TNC] loading IMVs from ‘/etc/tnc_config’
Jul 18 11:32:53 pc charon: 00[TNC] opening configuration file ‘/etc/tnc_config’ failed: No such file or directory

And here are the plugins it loads; you can see some algorithms are missing:
Jul 18 11:32:53 pc charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters

It would be interesting to know exactly the configuration on the other end.

Hey, I have some difficulty talking to the support team at the company where I work, since they are quite resistant about this; I'll talk to my coordinator here, maybe we can extract some information from this Windows application, that would already be something. And I'll post the information here.

These plugins also intrigue me, because it gives the impression that it's the server that is refusing the connection.

Anyway, about the phase1 and phase2 algorithms, the ones the site says to set differently in case it's a “legacy” VPN, which seems to be the case, well there's a script we ran and the result is below; it might shed some more light:
sudo ./ikescan.sh 177.67.88.210 | grep SA=
SA=(Enc=3DES Hash=MD5 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=MD5 Auth=PSK Group=2:modp1024 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=MD5 Auth=PSK Group=2:modp1024 KeyLength=192 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=192 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=MD5 Auth=PSK Group=2:modp1024 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)

Cheers

The bad thing is that I don't have access to help better; I'm trying to picture the scenario. haha
But take a look at this post… They show how to clean up the group names and change the phase 1 and 2 algorithms; they have to be specified exactly as they are on the other end. The problem was similar, and after the change he managed to connect.

Another case would be this one:
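To tie the ike-scan output from the earlier post to the "specify them exactly as on the other end" advice: each `SA=(Enc=… Hash=… Group=…)` line is one IKEv1 Phase 1 transform the responder accepts, and strongSwan wants the same thing written as `enc-hash-group` tokens (for example `aes128-sha1-modp1024`) in the Phase1 Algorithms field, with a trailing `!` to forbid anything else. The script below is an added example, not code from the page, from ike-scan or from strongSwan; it parses constructed sample lines in the same format as the output above, turns them into a Phase1 Algorithms string, and flags the tokens strongSwan no longer ships in its default proposals (the reason the other post's link exists). Function names, the sample lines and the `strongest_proposal` ranking are my own assumptions. Note that ike-scan only reveals Phase 1 (IKE SA) transforms; Phase 2 (ESP) still has to be matched separately.

```python
import re
from typing import Dict, List, Set

# Constructed sample of the SA= lines ike-scan prints for an IKEv1 Main Mode
# responder (PSK, group 2). Not captured from any real server.
SAMPLE_IKESCAN_OUTPUT = """\
SA=(Enc=3DES Hash=MD5 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)
"""

# ike-scan attribute names -> strongSwan proposal tokens.
ENC_NAMES = {"DES": "des", "3DES": "3des", "AES": "aes"}
HASH_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
              "SHA2-384": "sha384", "SHA2-512": "sha512"}
# Tokens strongSwan dropped from its default proposals as legacy/weak; a peer
# that offers only these forces you to list them explicitly.
LEGACY_TOKENS = {"des", "3des", "md5", "modp768", "modp1024"}

_SA_RE = re.compile(r"SA=\((.*)\)")
_ATTR_RE = re.compile(r"(\w+(?:\(\d+\))?)=(\S+)")


def parse_sa_lines(text: str) -> List[Dict[str, str]]:
    """Return one attribute dict per SA= line; unrelated output is ignored."""
    transforms = []
    for line in text.splitlines():
        m = _SA_RE.search(line)
        if m:
            transforms.append(dict(_ATTR_RE.findall(m.group(1))))
    return transforms


def to_phase1_proposal(sa: Dict[str, str]) -> str:
    """Translate one ike-scan transform into a strongSwan ike= token."""
    enc = ENC_NAMES[sa["Enc"]]
    if enc == "aes":
        enc += sa.get("KeyLength", "128")      # aes128 / aes192 / aes256
    hsh = HASH_NAMES[sa["Hash"]]
    group = sa["Group"].split(":", 1)[-1]      # "2:modp1024" -> "modp1024"
    return f"{enc}-{hsh}-{group}"


def phase1_proposals(text: str, strict: bool = True) -> str:
    """Build the comma-separated Phase1 Algorithms string from ike-scan output.
    Duplicates are dropped; the trailing '!' tells strongSwan to accept
    only these proposals."""
    seen: List[str] = []
    for sa in parse_sa_lines(text):
        prop = to_phase1_proposal(sa)
        if prop not in seen:
            seen.append(prop)
    if not seen:
        raise ValueError("no SA= lines found in ike-scan output")
    return ",".join(seen) + ("!" if strict else "")


def legacy_tokens(proposal: str) -> Set[str]:
    """Which parts of one proposal strongSwan treats as legacy."""
    return set(proposal.split("-")) & LEGACY_TOKENS


def strongest_proposal(text: str) -> str:
    """Pick the offered transform with the fewest legacy tokens, then the
    longest AES key (my own ranking heuristic, not strongSwan's)."""
    props = [to_phase1_proposal(sa) for sa in parse_sa_lines(text)]

    def key(p: str):
        enc = p.split("-")[0]
        bits = int(enc[3:]) if enc.startswith("aes") else 0
        return (len(legacy_tokens(p)), -bits)

    return min(props, key=key)


if __name__ == "__main__":
    print("Phase1 Algorithms :", phase1_proposals(SAMPLE_IKESCAN_OUTPUT))
    best = strongest_proposal(SAMPLE_IKESCAN_OUTPUT)
    print("least-legacy choice:", best, "still legacy:", sorted(legacy_tokens(best)))
```

In practice you would feed it the real `ikescan.sh … | grep SA=` output and paste the result into the Phase1 Algorithms field; every transform the server offers in this thread still relies on MODP1024, so that token cannot be avoided until the server side is upgraded.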

did you manage to solve it? if so, share the tip