Hello,

I've configured L2TP/IPSEC on my TP-Link ER6080 router but am getting an error when using the NetworkManager-l2tp package. I have confirmed that the router settings are OK, since I am able to connect using Mac OS X.

My OS is openSUSE Leap 15.1.

uname -a
4.12.14-lp151.28.48-default #1 SMP Fri Apr 17 05:38:36 UTC 2020 (18849d1) x86_64 x86_64 x86_64 GNU/Linux

Network topology is

192.168.43.xxx (client LAN IP)/107.77.xxx.x (client WAN IP) ----- INTERNET ----- 70.xx.xx.xx (Router WAN IP)/192.168.0.xxx(Router LAN IP/Subnet is 192.168.0.0/24)

I've configured the router so that, once connected, the client machine gets an IP similar to 10.10.xx.xx, and on the router end of the tunnel the client machine has an IP that appears on the same subnet as the router's LAN (192.168.0.xxx).

Here's the debug output:

sudo CHARONDEBUG="knl 4, ike 4, esp 4, lib 4, cfg 4" /usr/lib/nm-l2tp-service --debug
nm-l2tp[1258] <debug> nm-l2tp-service (version 1.2.8-lp151.3.58) starting...
nm-l2tp[1258] <debug> uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[1258] <info> ipsec enable flag: yes
** Message: Check port 1701
connection
id : "XYZ VPN" (s)
uuid : "386d037b-e241-4570-a513-b4d6d01ca16b" (s)
interface-name : NULL (sd)
type : "vpn" (s)
permissions : ["user:XYZ:"] (s)
autoconnect : TRUE (sd)
autoconnect-priority : 0 (sd)
autoconnect-retries : -1 (sd)
timestamp : 0 (sd)
read-only : FALSE (sd)
zone : "work" (s)
master : NULL (sd)
slave-type : NULL (sd)
autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
secondaries : NULL (sd)
gateway-ping-timeout : 0 (sd)
metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
lldp : -1 (sd)
stable-id : NULL (sd)
auth-retries : -1 (sd)


ipv6
method : "auto" (s)
dns : [] (s)
dns-search : [] (s)
dns-options : NULL (sd)
dns-priority : 0 (sd)
addresses : ((GPtrArray*) 0x564bcf6b9ae0) (s)
gateway : NULL (sd)
routes : ((GPtrArray*) 0x564bcf6b9b00) (s)
route-metric : -1 (sd)
route-table : 0 (sd)
ignore-auto-routes : FALSE (sd)
ignore-auto-dns : FALSE (sd)
dhcp-hostname : NULL (sd)
dhcp-send-hostname : TRUE (sd)
never-default : FALSE (sd)
may-fail : TRUE (sd)
dad-timeout : -1 (sd)
dhcp-timeout : 0 (sd)
ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd)
addr-gen-mode : 1 (sd)
token : NULL (sd)


proxy
method : 0 (sd)
browser-only : FALSE (sd)
pac-url : NULL (sd)
pac-script : NULL (sd)


vpn
service-type : "org.freedesktop.NetworkManager.l2tp" (s)
user-name : "XYZ" (s)
persistent : FALSE (sd)
data : ((GHashTable*) 0x7fb7f4006d80) (s)
secrets : ((GHashTable*) 0x7fb7f4006d80) (s)
timeout : 0 (sd)


ipv4
method : "auto" (s)
dns : [] (s)
dns-search : [] (s)
dns-options : NULL (sd)
dns-priority : 0 (sd)
addresses : ((GPtrArray*) 0x564bcf6b9e00) (s)
gateway : NULL (sd)
routes : ((GPtrArray*) 0x564bcf6b9e20) (s)
route-metric : -1 (sd)
route-table : 0 (sd)
ignore-auto-routes : FALSE (sd)
ignore-auto-dns : FALSE (sd)
dhcp-hostname : NULL (sd)
dhcp-send-hostname : TRUE (sd)
never-default : FALSE (sd)
may-fail : TRUE (sd)
dad-timeout : -1 (sd)
dhcp-timeout : 0 (sd)
dhcp-client-id : NULL (sd)
dhcp-fqdn : NULL (sd)


nm-l2tp[1258] <info> starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.8.2 IPsec [starter]...
Loading config setup
Loading conn '386d037b-e241-4570-a513-b4d6d01ca16b'
nm-l2tp[1258] <info> Spawned ipsec up script with PID 1309.
initiating Main Mode IKE_SA 386d037b-e241-4570-a513-b4d6d01ca16b[1] to 70.xx.xx.xx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.xx.xxx[500] to 70.xx.xx.xx[500] (236 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (132 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.xx.xxx[500] to 70.xx.xx.xx[500] (244 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.xx.xxx[4500] to 70.xx.xx.xx[4500] (68 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 661973262 processing failed
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.xx.xxx[4500] to 70.xx.xx.xx[4500] (68 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 688629832 processing failed
nm-l2tp[1258] <warn> Timeout trying to establish IPsec connection
nm-l2tp[1258] <info> Terminating ipsec script with PID 1309.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
establishing connection '386d037b-e241-4570-a513-b4d6d01ca16b' failed
nm-l2tp[1258] <warn> Could not establish IPsec tunnel.

(nm-l2tp-service:1258): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed


I know it is not an incorrect PSK, since the connection works fine with the Mac ( https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#invalid-HASH_V1-payload-length-decryption-failed ).

I tried checking whether the encryption/hash algorithm settings were faulty, but I don't think this is the cause.

When probed ( per https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#querying-vpn-server-for-its-ikev1-algorithm-proposals ), the router lists the following allowed algorithms:

SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)

SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)

The IPSEC Phase 1 and Phase 2 settings I've tried are 3des-sha1-modp1024 or 3des-md5-modp1024, and 3des-sha1 and 3des-md5. It doesn't make a difference; I get the same output in the error log. I have tried checking and unchecking the "Force UDP Encapsulation" box in the IPSEC settings and it's the same error.

Any idea how to resolve this issue? I've tried changing the usernames, passwords and PSKs to simpler ones and it's the same error.

Much appreciated. Thanks.
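Added example, not from the post or the NetworkManager-l2tp project: a small Python scanner that walks a charon debug log like the one above and tallies what is observable in it: NAT detection, replies arriving from a port other than the one the client last sent to (after the client moved to UDP 4500), decryption-failure messages, and retransmits. The sample log is a constructed excerpt modelled on the post's output, with addresses masked as in the post; the tallies are a triage aid for reading such logs, not a root-cause verdict.

```python
import re

# Constructed excerpt modelled on the charon output quoted in the post.
SAMPLE_LOG = """\
sending packet: from 192.168.xx.xxx[500] to 70.xx.xx.xx[500] (236 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (132 bytes)
local host is behind NAT, sending keep alives
sending packet: from 192.168.xx.xxx[4500] to 70.xx.xx.xx[4500] (68 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.xx.xxx[4500] to 70.xx.xx.xx[4500] (68 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
"""

# "sending packet: from A[p] to B[q] (n bytes)" / "received packet: ..."
PKT = re.compile(r"^(sending|received) packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")


def analyse(log):
    """Tally NAT detection, port-mismatched replies, decryption failures
    and retransmits from a charon IKEv1 debug log (one message per line)."""
    findings = {"nat_detected": False, "port_mismatch_replies": 0,
                "decrypt_failures": 0, "retransmits": 0}
    last_sent_to_port = None  # peer port the client most recently addressed
    for line in log.splitlines():
        if line.startswith("local host is behind NAT"):
            findings["nat_detected"] = True
        elif "decryption failed" in line or "could not decrypt" in line:
            findings["decrypt_failures"] += 1
        elif line.startswith("sending retransmit"):
            findings["retransmits"] += 1
        m = PKT.match(line)
        if not m:
            continue
        direction, _src, sport, _dst, dport = m.groups()
        if direction == "sending":
            last_sent_to_port = dport
        elif last_sent_to_port is not None and sport != last_sent_to_port:
            # Peer answered from a different port than the one we sent to,
            # e.g. we sent to 4500 after NAT detection but got a reply from 500.
            findings["port_mismatch_replies"] += 1
    return findings


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```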