[opensuse-support] strongSwan error with NetworkManager-L2TP for Client-LAN L2TP/IPsec VPN connection
Hello,

I've configured L2TP/IPsec on my TP-Link ER6080 router but am having an error when using the NetworkManager-l2tp package. I have confirmed that the router settings are OK since I am able to connect using Mac OS X.

My OS is openSUSE Leap 15.1.

uname -a
4.12.14-lp151.28.48-default #1 SMP Fri Apr 17 05:38:36 UTC 2020 (18849d1) x86_64 x86_64 x86_64 GNU/Linux

Network topology is

192.168.43.xxx (client LAN IP)/107.77.xxx.x (client WAN IP) ----- INTERNET ----- 70.xx.xx.xx (Router WAN IP)/192.168.0.xxx (Router LAN IP; subnet is 192.168.0.0/24)

If successfully connected, I've configured the router so that the client machine gets an IP similar to 10.10.xx.xx, and on the router end of the tunnel the client machine has an IP that appears on the same subnet as the router's LAN (192.168.0.xxx).

Here's the output of the debug:

sudo CHARONDEBUG="knl 4, ike 4, esp 4, lib 4, cfg 4" /usr/lib/nm-l2tp-service --debug

nm-l2tp[1258] <debug> nm-l2tp-service (version 1.2.8-lp151.3.58) starting...
nm-l2tp[1258] <debug> uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[1258] <info> ipsec enable flag: yes
** Message: Check port 1701
connection id : "XYZ VPN" (s) uuid : "386d037b-e241-4570-a513-b4d6d01ca16b" (s) interface-name : NULL (sd) type : "vpn" (s) permissions : ["user:XYZ:"] (s) autoconnect : TRUE (sd) autoconnect-priority : 0 (sd) autoconnect-retries : -1 (sd) timestamp : 0 (sd) read-only : FALSE (sd) zone : "work" (s) master : NULL (sd) slave-type : NULL (sd) autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd) secondaries : NULL (sd) gateway-ping-timeout : 0 (sd) metered : ((NMMetered) NM_METERED_UNKNOWN) (sd) lldp : -1 (sd) stable-id : NULL (sd) auth-retries : -1 (sd)
ipv6 method : "auto" (s) dns : [] (s) dns-search : [] (s) dns-options : NULL (sd) dns-priority : 0 (sd) addresses : ((GPtrArray*) 0x564bcf6b9ae0) (s) gateway : NULL (sd) routes : ((GPtrArray*) 0x564bcf6b9b00) (s) route-metric : -1 (sd) route-table : 0 (sd) ignore-auto-routes : FALSE (sd) ignore-auto-dns : FALSE (sd) dhcp-hostname : NULL (sd) dhcp-send-hostname : TRUE (sd) never-default : FALSE (sd) may-fail : TRUE (sd) dad-timeout : -1 (sd) dhcp-timeout : 0 (sd) ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd) addr-gen-mode : 1 (sd) token : NULL (sd)
proxy method : 0 (sd) browser-only : FALSE (sd) pac-url : NULL (sd) pac-script : NULL (sd)
vpn service-type : "org.freedesktop.NetworkManager.l2tp" (s) user-name : "XYZ" (s) persistent : FALSE (sd) data : ((GHashTable*) 0x7fb7f4006d80) (s) secrets : ((GHashTable*) 0x7fb7f4006d80) (s) timeout : 0 (sd)
ipv4 method : "auto" (s) dns : [] (s) dns-search : [] (s) dns-options : NULL (sd) dns-priority : 0 (sd) addresses : ((GPtrArray*) 0x564bcf6b9e00) (s) gateway : NULL (sd) routes : ((GPtrArray*) 0x564bcf6b9e20) (s) route-metric : -1 (sd) route-table : 0 (sd) ignore-auto-routes : FALSE (sd) ignore-auto-dns : FALSE (sd) dhcp-hostname : NULL (sd) dhcp-send-hostname : TRUE (sd) never-default : FALSE (sd) may-fail : TRUE (sd) dad-timeout : -1 (sd) dhcp-timeout : 0 (sd) dhcp-client-id : NULL (sd) dhcp-fqdn : NULL (sd)
nm-l2tp[1258] <info> starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.8.2 IPsec [starter]...
Loading config setup
Loading conn '386d037b-e241-4570-a513-b4d6d01ca16b'
nm-l2tp[1258] <info> Spawned ipsec up script with PID 1309.
initiating Main Mode IKE_SA 386d037b-e241-4570-a513-b4d6d01ca16b[1] to 70.xx.xx.xx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.xx.xxx[500] to 70.xx.xx.xx[500] (236 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (132 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.xx.xxx[500] to 70.xx.xx.xx[500] (244 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.xx.xxx[4500] to 70.xx.xx.xx[4500] (68 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 661973262 processing failed
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.xx.xxx[4500] to 70.xx.xx.xx[4500] (68 bytes)
received packet: from 70.xx.xx.xx[500] to 192.168.xx.xxx[500] (68 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 688629832 processing failed
nm-l2tp[1258] <warn> Timeout trying to establish IPsec connection
nm-l2tp[1258] <info> Terminating ipsec script with PID 1309.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
establishing connection '386d037b-e241-4570-a513-b4d6d01ca16b' failed
nm-l2tp[1258] <warn> Could not establish IPsec tunnel.
(nm-l2tp-service:1258): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

I know it is not an incorrect PSK since the connection works fine with the Mac ( https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#invalid-HASH_V1-payload-length-decryption-failed ).

I tried checking if the encryption/hash algorithm settings were faulty but I don't think this is the cause. When probed ( per https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#querying-vpn-server-for-its-ikev1-algorithm-proposals ), the router lists the following allowed algorithms:

SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)

The IPsec Phase 1 and Phase 2 settings I've tried are 3des-sha1-modp1024 or 3des-md5-modp1024, and 3des-sha1 and 3des-md5. It doesn't make a difference; I get the same output in the error log. I have tried checking and unchecking the "Force UDP Encapsulation" box in the IPsec settings and it's the same error.

Any idea how to resolve this issue? I've tried changing the usernames, passwords and PSKs to simpler ones and it's the same error.

Much appreciated. Thanks.
NVM SOLVED!

I did some further digging and found the PSK config file located in /etc/ipsec.secrets, which mentions a line

include /etc/ipsec.d/

I navigated to this directory and found 3 different files similar to

-rw------- 1 root root 17 May 4 16:28 nm-l2tp-ipsec-7ceaf8f2-8d1a-4e65-906c-d19fecb149d0.secrets

for the same connection. I guess NetworkManager created these profiles for the VPN connection every time I mucked around with a different setting to make it all work.

One of these had an empty PSK string. I deleted that file and everything worked! I got rid of the extra files.

Hope this helps anyone in a similar boat.
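A small audit script for the situation described in the post above, added here as an example (it is not code from the thread, from NetworkManager-l2tp or from strongSwan). It walks the per-connection secrets files under an ipsec.d directory and flags three things a practitioner would want to know about: a file whose PSK is empty or missing (the failure mode found above), a file whose UUID no longer matches any NetworkManager profile (the extra files left behind by recreated connections), and a file readable or writable by group or others. The file naming nm-l2tp-ipsec-<uuid>.secrets is taken from the listing in the post; the `: PSK "..."` line format, the profile directory and the `uuid=` keyfile line are assumptions about nm-l2tp 1.2.x and NetworkManager keyfiles, so check them against your own system. The sample data is constructed inside the script.

```shell
#!/bin/sh
# Audit the per-connection strongSwan secrets files that NetworkManager-l2tp
# drops under /etc/ipsec.d/ (pulled in by the include line in /etc/ipsec.secrets).
# Example code written for this thread, not part of NetworkManager-l2tp or strongSwan.
#
# Assumptions (not stated in the thread; verify against your installation):
#   * nm-l2tp 1.2.x writes one file per connection, named
#     nm-l2tp-ipsec-<connection-uuid>.secrets, holding a line of the form
#         [selectors] : PSK "<secret>"
#     Selectors are assumed to contain no colon (no IPv6 literals); a 0s/0x
#     encoded secret is treated as present whenever anything follows "PSK".
#   * NetworkManager keyfile profiles live in a directory such as
#     /etc/NetworkManager/system-connections/ and contain a "uuid=<uuid>" line.

# audit_secrets SECRETS_DIR PROFILES_DIR
# Prints one "<file>: <problem>" line per finding; prints nothing when clean.
audit_secrets() {
    secrets_dir=$1
    profiles_dir=$2
    for f in "$secrets_dir"/nm-l2tp-ipsec-*.secrets; do
        [ -f "$f" ] || continue

        # 1. Empty or missing PSK: the case found in the thread.
        #    Take the text after ': PSK', strip surrounding double quotes.
        psk=$(sed -n 's/^[^:]*:[[:space:]]*PSK[[:space:]]*//p' "$f" | head -n 1 \
              | sed 's/^"//; s/"$//')
        if [ -z "$psk" ]; then
            printf '%s: empty or missing PSK\n' "$f"
        fi

        # 2. Orphaned file: no profile carries the UUID embedded in the file name.
        uuid=${f##*/nm-l2tp-ipsec-}
        uuid=${uuid%.secrets}
        if ! grep -qs "^uuid=$uuid\$" "$profiles_dir"/*; then
            printf '%s: no NetworkManager profile with uuid=%s\n' "$f" "$uuid"
        fi

        # 3. Loose permissions: a PSK that group or others can read or write.
        if [ -n "$(find "$f" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print)" ]; then
            printf '%s: readable or writable by group/others\n' "$f"
        fi
    done
}

# make_sample ROOT: populate ROOT with constructed sample data mirroring the
# thread: three secrets files from a connection that was created and recreated,
# one of them with an empty PSK, one left over with no profile and loose mode,
# plus NetworkManager profiles for only two of the three UUIDs.
make_sample() {
    root=$1
    mkdir -p "$root/ipsec.d" "$root/system-connections"
    printf ': PSK "correct horse"\n' > "$root/ipsec.d/nm-l2tp-ipsec-11111111-1111-1111-1111-111111111111.secrets"
    printf ': PSK ""\n'              > "$root/ipsec.d/nm-l2tp-ipsec-22222222-2222-2222-2222-222222222222.secrets"
    printf ': PSK "correct horse"\n' > "$root/ipsec.d/nm-l2tp-ipsec-33333333-3333-3333-3333-333333333333.secrets"
    chmod 600 "$root"/ipsec.d/*.secrets
    chmod 644 "$root/ipsec.d/nm-l2tp-ipsec-33333333-3333-3333-3333-333333333333.secrets"
    printf '[connection]\nid=XYZ VPN\nuuid=11111111-1111-1111-1111-111111111111\ntype=vpn\n' \
        > "$root/system-connections/XYZ VPN.nmconnection"
    printf '[connection]\nid=Old XYZ VPN\nuuid=22222222-2222-2222-2222-222222222222\ntype=vpn\n' \
        > "$root/system-connections/Old XYZ VPN.nmconnection"
}

# Demo on the constructed sample (no root needed). On a real system run, as root:
#   audit_secrets /etc/ipsec.d /etc/NetworkManager/system-connections
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_secrets "$demo_dir/ipsec.d" "$demo_dir/system-connections"
rm -rf "$demo_dir"
```

On the sample the script reports the 2222... file for its empty PSK and the 3333... file twice, once as an orphan and once for its 0644 mode; the 1111... file is clean. Against a real system, a file flagged for an empty PSK is the one the fix above deletes, and an orphaned file is one of the extra files left behind by recreating the profile.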
On Mon, May 4, 2020 at 6:23 PM Firas Riyazuddin wrote:
Thanks for sharing this Firas, I had a similar looking/behaving problem with strongSwan half a year ago - in the end, I gave up and set up a different VPN instead.

Tomas

On Mon, 2020-05-04 at 18:49 -0400, Firas Riyazuddin wrote:
participants (2)
- Firas Riyazuddin
- tomas.kuchta.lists@gmail.com