
I'm using strongSwan on Ubuntu 16.04 to connect to a third-party L2TP/IPsec VPN.

They provided me a profile file like this:

VPN connection IP : X.X.X.X

IPSEC Authentication : ---------------------
IPSEC Preshared key : SOME^"TH!NG$
L2TP authentication : 
username :  USER
password :  PASS

IPSEC Phase 1 Proposal----------------------
encryption 3DES     Authentication SHA1
encryption AES192   Authentication SHA1
encryption AES256   Authentication MD5
Diffie-Hellman Group 2
Key lifetime (seconds) 86400

IPSEC Phase 2 Proposal----------------------
Local Address 0.0.0.0/0.0.0.0
Remote Address 0.0.0.0/0.0.0.0
encryption 3DES     Authentication SHA1
encryption AES192   Authentication SHA1
encryption AES256   Authentication MD5
Key lifetime (seconds) 86400

I have created /etc/ipsec.conf like this:

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=3des-sha1,AES192-sha1,aes256-md5,modp1024!
  esp=3des-sha1,AES192-sha1,aes256-md5!

conn myvpn
  keyexchange=ikev1
  left=MY.IP.ADD.RES
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=X.X.X.X

and /etc/ipsec.secrets like:

# empty line
MY.IP.ADD.RES X.X.X.X : PSK 'SOME^"TH!NG$'

(my ip address: MY.IP.ADD.RES and remote server: X.X.X.X)

Running $ sudo ipsec up myvpn gives the output below:

initiating Main Mode IKE_SA myvpn[2] to X.X.X.X
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from MY.IP.ADD.RES[500] to X.X.X.X[500] (204 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from MY.IP.ADD.RES[500] to X.X.X.X[500] (204 bytes)
sending retransmit 2 of request message ID 0, seq 1

How should I find out what is wrong with my config file?

Is ike or esp wrong, or mismatched with the given profile?

I'm new to this area; besides my question, any pointers to docs, helpful blogs or information about the given profile would help me.

  • Could you solve the problem finally? Commented May 20, 2019 at 15:52
  • @ilyasJumadurdyew yeah, and thank you for the mention. I posted a fix as an answer.
    – Developia
    Commented May 21, 2019 at 5:56

1 Answer

It was my fault that I didn't match ike (with the IPSEC Phase 1 Proposal) and esp (with the IPSEC Phase 2 Proposal) exactly with the given VPN profile:

The full list of cipher suites available for strongSwan IKEv2 is available here.

My corrected /etc/ipsec.conf is:

config setup

conn %default
  ikelifetime=86400s
  keylife=86400s
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=3des-sha1,AES192-sha1,aes256-md5,modp1024!
  esp=3des-sha1,AES192-sha1,aes256-md5!

conn myvpn
  # our public ip
  left=MY.IP.ADD.RES
  auto=add
  authby=secret
  # phase 1
  ike=3des-sha1-modp1024,aes192-sha1-modp1024,aes256-md5-modp1024
  # phase 2
  esp=3des-sha1,aes192-sha1,aes256-md5
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  # remote VPN ip
  right=X.X.X.X

ipsec.conf documentation reference

  • I think the line esp=3des-sha1,aes192-sha1,aes256-mp5 should actually be esp=3des-sha1,aes192-sha1,aes256-md5 (change the p to a d). Commented Nov 19, 2020 at 5:55
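The fix above comes down to translating each line of the vendor's phase 1 / phase 2 proposal list into strongSwan's ike= and esp= syntax, with the Diffie-Hellman group attached to every phase 1 proposal rather than listed as a separate comma item. The script below is an added example, not code from the question, the answer or the strongSwan project: it parses a profile in the format quoted in the question (the PROFILE text is constructed from that quote), derives the ike=, esp=, ikelifetime= and keylife= values, renders a conn block, and reports which expected proposals an existing ike=/esp= line lacks. The keyword tables (3des, aes192, sha1, md5, modp1024 for DH group 2) are strongSwan's; the vendor names it recognises are only the ones that appear in the quoted profile plus a few common neighbours, so extend ENC/AUTH/DH for other profiles. Note that the retransmit log in the question shows no reply at all from X.X.X.X; a proposal mismatch is one cause of that, but UDP/500 being filtered on the path is another, so a packet capture on port 500 is worth checking alongside the proposal comparison.

```python
"""Derive strongSwan IKEv1 proposals from a vendor L2TP/IPsec profile.

Added example (not from the original post). Input format and values are
taken from the profile quoted in the question; nothing here is vendor API.
"""
import re

# Constructed from the profile text quoted in the question.
PROFILE = """\
IPSEC Phase 1 Proposal----------------------
encryption 3DES     Authentication SHA1
encryption AES192   Authentication SHA1
encryption AES256   Authentication MD5
Diffie-Hellman Group 2
Key lifetime (seconds) 86400

IPSEC Phase 2 Proposal----------------------
Local Address 0.0.0.0/0.0.0.0
Remote Address 0.0.0.0/0.0.0.0
encryption 3DES     Authentication SHA1
encryption AES192   Authentication SHA1
encryption AES256   Authentication MD5
Key lifetime (seconds) 86400
"""

# Vendor spelling -> strongSwan ipsec.conf keyword.
ENC = {"3DES": "3des", "AES128": "aes128", "AES192": "aes192", "AES256": "aes256"}
AUTH = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
# IKE DH group number -> strongSwan modp keyword (group 2 is what the profile lists).
DH = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

PROPOSAL_RE = re.compile(r"encryption\s+(\S+)\s+Authentication\s+(\S+)", re.I)
DH_RE = re.compile(r"Diffie-Hellman Group\s+(\d+)", re.I)
LIFETIME_RE = re.compile(r"Key lifetime \(seconds\)\s+(\d+)", re.I)


def split_phases(text):
    """Return (phase1_text, phase2_text) from the vendor profile."""
    parts = re.split(r"IPSEC Phase (\d) Proposal-*", text)
    # re.split with a capture group yields [pre, '1', body1, '2', body2].
    phases = {int(parts[i]): parts[i + 1] for i in range(1, len(parts) - 1, 2)}
    return phases[1], phases[2]


def parse_phase(text, with_dh):
    """Parse one phase block into (proposals, dh_keyword_or_None, lifetime)."""
    props = [(ENC[e.upper()], AUTH[a.upper()]) for e, a in PROPOSAL_RE.findall(text)]
    m = LIFETIME_RE.search(text)
    lifetime = int(m.group(1)) if m else None
    dh = None
    if with_dh:
        md = DH_RE.search(text)
        dh = DH[int(md.group(1))] if md else None
    return props, dh, lifetime


def to_strongswan(text):
    """Build ike=, esp=, ikelifetime= and keylife= values from the profile."""
    p1, p2 = split_phases(text)
    props1, dh, life1 = parse_phase(p1, with_dh=True)
    props2, _, life2 = parse_phase(p2, with_dh=False)
    # In IKEv1 the DH group is part of every phase 1 proposal, so it is
    # appended to each entry instead of being listed as a separate item.
    ike = ",".join(f"{e}-{a}-{dh}" for e, a in props1)
    esp = ",".join(f"{e}-{a}" for e, a in props2)
    return {"ike": ike, "esp": esp, "ikelifetime": f"{life1}s", "keylife": f"{life2}s"}


def proposal_set(value):
    """Normalise an ike=/esp= value: lowercase, drop the trailing strict '!' flag."""
    return {p.lower() for p in value.rstrip("!").split(",") if p}


def missing_proposals(conf_value, expected_value):
    """Return the expected proposals that an ipsec.conf ike=/esp= value lacks."""
    return sorted(proposal_set(expected_value) - proposal_set(conf_value))


def render_conn(name, left, right, values):
    """Render a transport-mode L2TP/IPsec conn block for ipsec.conf."""
    lines = [
        f"conn {name}",
        f"  left={left}", f"  right={right}",
        "  keyexchange=ikev1", "  authby=secret", "  type=transport",
        "  leftprotoport=17/1701", "  rightprotoport=17/1701",
        f"  ike={values['ike']}", f"  esp={values['esp']}",
        f"  ikelifetime={values['ikelifetime']}", f"  keylife={values['keylife']}",
        "  auto=add",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    derived = to_strongswan(PROFILE)
    # The question's original ike= line, checked against the derived one.
    print("missing:", missing_proposals("3des-sha1,AES192-sha1,aes256-md5,modp1024!", derived["ike"]))
    print(render_conn("myvpn", "MY.IP.ADD.RES", "X.X.X.X", derived))
```

Run against the question's original ike= line, the check reports all three phase 1 proposals as missing, because none of them carried the modp1024 suffix; the original esp= line passes, which matches what the answer found.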
