VPN IPSEC PSK NO_PROPOSAL_CHOSEN




















In Ubuntu 18.10, I'm trying to set up an L2TP VPN connection with a WatchGuard server using PSK with SHA1-AES 256bit DH group 2 for Phase 1 and ESP-AES-SHA1 group 1 for Phase 2.



I tried with both Strongswan and Libreswan but always get a NO_PROPOSAL_CHOSEN error, no matter which algorithms I choose in ipsec.conf or in GNOME network manager. Relevant files are shown below. What do you suggest?



ipsec.conf



conn vpn
    authby=secret
    left=%defaultroute
    leftxauthclient=yes
    leftmodecfgclient=yes
    leftxauthusername=[MY USERNAME]
    modecfgpull=yes
    right=[SERVER IP]
    rightxauthserver=yes
    rightmodecfgserver=yes
    rekey=no
    auto=add
    ike_frag=no
    ike=aes256-sha-modp2048
    esp=aes-sha1-modp1024


ipsec.secrets



[MY SERVER IP] %any : PSK "[MY PSK]"
@[MY USERNAME] : XAUTH "[MY PASSWORD]"


Edit: new ipsec.conf:

conn myvpn
    ikelifetime=8h
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev1
    authby=psk
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=[SERVER_IP]
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1-modp768!


Launching ipsec -up myvpn gives:



initiating Main Mode IKE_SA myvpn[1] to [SERVER_IP]
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.1.6[500] to [SERVER_IP][500] (180 bytes)
received packet: from [SERVER_IP][500] to 192.168.1.6[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received draft-ietf-ipsec-nat-t-ike-02n vendor ID
received DPD vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.6[500] to [SERVER_IP][500] (244 bytes)
received packet: from [SERVER_IP][500] to 192.168.1.6[500] (220 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.1.6[4500] to [SERVER_IP][4500] (108 bytes)
received packet: from [SERVER_IP][4500] to 192.168.1.6[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA myvpn[1] established between 192.168.1.6[192.168.1.6]...[SERVER_IP][SERVER_IP]
scheduling reauthentication in 28591s
maximum IKE_SA lifetime 28771s
generating QUICK_MODE request 3496213378 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.1.6[4500] to [SERVER_IP][4500] (300 bytes)
received packet: from [SERVER_IP][4500] to 192.168.1.6[4500] (76 bytes)
parsed INFORMATIONAL_V1 request 2157690019 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'myvpn' failed


Edit: xl2tpd.conf



[lac myvpn]
lns = [SERVER_IP]
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes


/etc/ppp/options.l2tpd.client



ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name [MY USERNAME]
password [MY PASSWORD]


Trying with network manager returns:



nm-l2tp-service[17266]: xl2tpd started with pid 17340
NetworkManager[1137]: xl2tpd[17340]: Not looking for kernel SAref support.
NetworkManager[1137]: xl2tpd[17340]: Using l2tp kernel support.
NetworkManager[1137]: xl2tpd[17340]: xl2tpd version xl2tpd-1.3.12 started on Ing PID:17340
NetworkManager[1137]: xl2tpd[17340]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
NetworkManager[1137]: xl2tpd[17340]: Forked by Scott Balmos and David Stipp, (C) 2001
NetworkManager[1137]: xl2tpd[17340]: Inherited by Jeff McAdams, (C) 2002
NetworkManager[1137]: xl2tpd[17340]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
NetworkManager[1137]: xl2tpd[17340]: Listening on IP address 0.0.0.0, port 1701
NetworkManager[1137]: xl2tpd[17340]: Connecting to host [SERVER_IP], port 1701
NetworkManager[1137]: <info> [1541422442.3462] vpn-connection[0x55a9be8bc370,c657e7cd-7120-40b6-936c-969ca917c53c,"VPN 1",0]: VPN plugin: state changed: starting (3)
NetworkManager[1137]: xl2tpd[17340]: Connection established to [SERVER_IP], 1701. Local: 62148, Remote: 1 (ref=0/0).
NetworkManager[1137]: xl2tpd[17340]: Calling on tunnel 62148
NetworkManager[1137]: xl2tpd[17340]: Call established with [SERVER_IP], Local: 47419, Remote: 1, Serial: 1 (ref=0/0)
NetworkManager[1137]: xl2tpd[17340]: start_pppd: I'm running:
NetworkManager[1137]: xl2tpd[17340]: "/usr/sbin/pppd"
NetworkManager[1137]: xl2tpd[17340]: "plugin"
NetworkManager[1137]: xl2tpd[17340]: "pppol2tp.so"
NetworkManager[1137]: xl2tpd[17340]: "pppol2tp"
NetworkManager[1137]: xl2tpd[17340]: "7"
NetworkManager[1137]: xl2tpd[17340]: "passive"
NetworkManager[1137]: xl2tpd[17340]: "nodetach"
NetworkManager[1137]: xl2tpd[17340]: ":"
NetworkManager[1137]: xl2tpd[17340]: "file"
NetworkManager[1137]: xl2tpd[17340]: "/run/nm-l2tp-ppp-options-c657e7cd-7120-40b6-936c-969ca917c53c"
pppd[17341]: Plugin pppol2tp.so loaded.
pppd[17341]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
pppd[17341]: pppd 2.4.7 started by root, uid 0
pppd[17341]: Using interface ppp0
pppd[17341]: Connect: ppp0 <-->
pppd[17341]: Overriding mtu 1500 to 1400
pppd[17341]: Overriding mru 1500 to mtu value 1400
NetworkManager[1137]: <info> [1541422442.4026] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/19)
systemd-udevd[17344]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
NetworkManager[1137]: <info> [1541422442.4117] devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
NetworkManager[1137]: <info> [1541422442.4117] device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
NetworkManager[1137]: xl2tpd[17340]: check_control: Received out of order control packet on tunnel 1 (got 1, expected 2)
NetworkManager[1137]: xl2tpd[17340]: handle_packet: bad control packet!









      networking network-manager vpn 18.10














      asked Nov 1 '18 at 12:44, edited Nov 5 '18 at 13:02
      Adriano Di Cara






















          1 Answer














          Your ipsec.conf seems to be for IPsec IKEv1 XAuth, not for L2TP/IPsec, but you mentioned L2TP. What kind of VPN service is the WatchGuard server offering?



          If you are using strongSwan, I would try adding an exclamation mark (!) to the end; also, your esp syntax was wrong. Try offering the following proposals in the ipsec.conf file and see if the VPN server is happy:




          • ike=aes256-sha1-modp2048!

          • esp=aes-sha1!






























          • aes is an alias for aes128, so I don't know for the Phase 2 or esp line if it should be esp=aes256-sha1! as it is odd to use a different number of bits between phase 1 & 2. See the following page for the encryption algorithm keywords wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

            – Douglas Kosovic
            Nov 3 '18 at 7:37











          • I'm totally sure the server is offering L2TP with those algorithms. Following various guides, I edited ipsec.conf as shown in my edited question. Still getting the same error... What's the difference between an IKEv1 and an L2TP configuration in ipsec.conf?

            – Adriano Di Cara
            Nov 4 '18 at 11:52













          • L2TP/IPsec is also IKEv1, but uses L2TP (or more precisely PPP) for the user authentication, while IPsec XAuth does the user authentication by itself and doesn't need L2TP. For a L2TP ipsec.conf you would normally find leftprotoport and rightprotoport=udp/L2TP (or =17/1701 if you prefer numerical values like your example), there is no XAuth, there are also config files for xl2tpd and pppd. From the logs IKE Phase 1 has been established, but ESP Quick Mode is failing. I would recommend using esp=aes256-sha1! as it is usually esp=encryption-integrity!

            – Douglas Kosovic
            Nov 5 '18 at 6:22













          • Connection successful using esp=aes256-sha1! Thank you very much! The problem is now with xl2tpd, launching echo "c myvpn" > /var/run/xl2tpd/l2tp-control doesn't make available the ppp0 device I expect.

            – Adriano Di Cara
            Nov 5 '18 at 9:40













          • Or you could use network-manager-l2tp and in the IPsec config dialog box enter aes256-sha1-modp1024! for phase 1 and aes256-sha1! for phase 2. If you do use network-manager-l2tp, you might need to stop the system xl2tpd service, see the README.md file for issue with not stopping system xl2tpd service github.com/nm-l2tp/network-manager-l2tp/tree/nm-1-2

            – Douglas Kosovic
            Nov 5 '18 at 12:45
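
The diagnosis reached in the comments above, as an added example (not code from the thread or from strongSwan): a small Python triage script that checks whether NO_PROPOSAL_CHOSEN arrived before or after the IKE_SA was established, picks the matching ipsec.conf setting, and compares the failing value with the one reported as working. The function names are hypothetical; the config and log samples are excerpts from the question.

```python
import re

# Keyword aliases from the strongSwan IKEv1 cipher-suite list ("aes" is aes128).
ALIASES = {"aes": "aes128", "sha": "sha1"}
# IKE Diffie-Hellman group numbers for the modp keywords used in the thread.
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

# Excerpt of the edited ipsec.conf from the question.
CONF = """\
conn myvpn
    keyexchange=ikev1
    ikelifetime=8h
    type=transport
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1-modp768!
"""

# Excerpt of the log from the question.
LOG = """\
initiating Main Mode IKE_SA myvpn[1] to [SERVER_IP]
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA myvpn[1] established between 192.168.1.6[192.168.1.6]...[SERVER_IP][SERVER_IP]
generating QUICK_MODE request 3496213378 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
parsed INFORMATIONAL_V1 request 2157690019 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'myvpn' failed
"""


def parse_proposal(value):
    """Split an ike=/esp= value into encryption, integrity and DH group."""
    out = {"enc": None, "integ": None, "dh": None,
           "strict": value.endswith("!")}  # "!" = offer only this proposal
    for token in value.rstrip("!").lower().split("-"):
        token = ALIASES.get(token, token)
        if token in DH_GROUPS:
            out["dh"] = DH_GROUPS[token]
        elif token.startswith(("sha", "md5")):
            out["integ"] = token
        else:
            out["enc"] = token
    return out


def failed_phase(log_text):
    """Return 'phase1', 'phase2' or None depending on where the notify arrived."""
    phase1_done = False
    for line in log_text.splitlines():
        if re.search(r"IKE_SA \S+ established", line):
            phase1_done = True
        elif "NO_PROPOSAL_CHOSEN" in line:
            return "phase2" if phase1_done else "phase1"
    return None


def read_proposals(conf_text):
    """Collect the parsed ike= and esp= values (ike_frag, ikelifetime are skipped)."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(ike|esp)\s*=\s*(\S+)", line)
        if m:
            found[m.group(1)] = parse_proposal(m.group(2))
    return found


def triage(conf_text, log_text):
    """Name the setting that belongs to the phase in which negotiation failed."""
    phase = failed_phase(log_text)
    if phase is None:
        return {"phase": None, "setting": None, "proposal": None}
    setting = "ike" if phase == "phase1" else "esp"
    return {"phase": phase, "setting": setting,
            "proposal": read_proposals(conf_text).get(setting)}


def diff_proposals(a, b):
    """List the negotiated fields in which two parsed proposals differ."""
    return [k for k in ("enc", "integ", "dh") if a[k] != b[k]]


if __name__ == "__main__":
    result = triage(CONF, LOG)
    print(result)
    # Value the asker reported as working in the comments.
    working = parse_proposal("aes256-sha1!")
    print("differs in:", diff_proposals(result["proposal"], working))
```

On the question's data this points at the `esp=` line, and the only field that separates the failing `aes256-sha1-modp768!` from the working `aes256-sha1!` is the DH group.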












          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1089199%2fvpn-ipsec-psk-no-proposal-chosen%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          Your ipsec.conf seems to be for IPsec IKEv1 XAuth, not for L2TP/IPsec, but you mentioned L2TP. What kind of VPN service is the WatchGuard server offering?



          If you are using strongSwan, I would try adding an exclamation mark (!) to the end; also, your esp syntax was wrong. Try offering the following proposals in the ipsec.conf file and see if the VPN server is happy:




          • ike=aes256-sha1-modp2048!

          • esp=aes-sha1!

















          answered Nov 3 '18 at 7:29









          Douglas Kosovic














          • aes is an alias for aes128, so I don't know for the Phase 2 or esp line if it should be esp=aes256-sha1! as it is odd to use a different number of bits between phase 1 & 2. See the following page for the encryption algorithm keywords wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

            – Douglas Kosovic
            Nov 3 '18 at 7:37











          • I'm totally sure the server is offering L2TP with those algorithms. Following various guides, I edited ipsec.conf as shown in my edited question. Still getting the same error... What's the difference between an IKEv1 and an L2TP configuration in ipsec.conf?

            – Adriano Di Cara
            Nov 4 '18 at 11:52













          • L2TP/IPsec is also IKEv1, but uses L2TP (or more precisely PPP) for the user authentication, while IPsec XAuth does the user authentication by itself and doesn't need L2TP. For an L2TP ipsec.conf you would normally find leftprotoport and rightprotoport=udp/L2TP (or =17/1701 if you prefer numerical values like your example); there is no XAuth, and there are also config files for xl2tpd and pppd. From the logs, IKE Phase 1 has been established, but ESP Quick Mode is failing. I would recommend using esp=aes256-sha1! as it is usually esp=encryption-integrity!

            – Douglas Kosovic
            Nov 5 '18 at 6:22













          • Connection successful using esp=aes256-sha1! Thank you very much! The problem is now with xl2tpd, launching echo "c myvpn" > /var/run/xl2tpd/l2tp-control doesn't make available the ppp0 device I expect.

            – Adriano Di Cara
            Nov 5 '18 at 9:40













          • Or you could use network-manager-l2tp and in the IPsec config dialog box enter aes256-sha1-modp1024! for phase 1 and aes256-sha1! for phase 2. If you do use network-manager-l2tp, you might need to stop the system xl2tpd service; see the README.md file for the issue with not stopping the system xl2tpd service: github.com/nm-l2tp/network-manager-l2tp/tree/nm-1-2

            – Douglas Kosovic
            Nov 5 '18 at 12:45
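
The proposal syntax discussed in the answer and comments above, as an added example that is not part of the original thread or of strongSwan: a small Python linter for the ike=/esp= lines of a conn section, run over the failing, working and suggested proposals quoted in the thread. The function names, finding codes and the BASE conn are assumptions made for illustration; the weak-DH check reflects that 768-bit and 1024-bit MODP groups (DH groups 1 and 2) are deprecated.

```python
# Added example: lint the ike=/esp= lines of a strongSwan ipsec.conf conn.
WEAK_DH = {"modp768": "DH group 1", "modp1024": "DH group 2"}
XAUTH_KEYS = {"leftxauthclient", "leftxauthusername", "rightxauthserver"}

def parse_conn(text):
    """Return {option: value} for an ipsec.conf conn body (last value wins)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def parse_proposal(value):
    """Split e.g. 'aes256-sha1-modp1024!' into its parts (first proposal only)."""
    strict = value.endswith("!")
    parts = value.rstrip("!").split(",")[0].split("-")
    parts = ["aes128" if p == "aes" else p for p in parts]  # aes is an alias
    dh = next((p for p in parts if p.startswith(("modp", "ecp"))), None)
    algs = [p for p in parts if p != dh]
    return {"enc": algs[0], "integ": algs[1] if len(algs) > 1 else None,
            "dh": dh, "strict": strict}

def audit(text):
    """Return a sorted list of finding codes for one conn section."""
    opts = parse_conn(text)
    props = {k: parse_proposal(opts[k]) for k in ("ike", "esp") if k in opts}
    found = set()
    for name, p in props.items():
        if not p["strict"]:
            found.add(f"{name}-not-strict")      # default proposals are appended
        if p["dh"] in WEAK_DH:
            found.add(f"{name}-weak-dh")         # 768/1024-bit MODP group
    if props.get("esp", {}).get("dh"):
        found.add("esp-pfs")                     # Quick Mode will carry a KE payload
    if len(props) == 2 and props["ike"]["enc"] != props["esp"]["enc"]:
        found.add("enc-mismatch")                # e.g. aes256 vs aes (= aes128)
    if "1701" in opts.get("leftprotoport", "") and XAUTH_KEYS & opts.keys():
        found.add("xauth-in-l2tp")               # L2TP authenticates via PPP
    return sorted(found)

# Constructed from the values quoted in the thread; [SERVER_IP] is a placeholder.
BASE = ("conn myvpn\n  keyexchange=ikev1\n  type=transport\n  right=[SERVER_IP]\n"
        "  leftprotoport=17/1701\n  rightprotoport=17/1701\n")
FAILING = BASE + "  ike=aes256-sha1-modp1024!\n  esp=aes256-sha1-modp768!\n"
WORKING = BASE + "  ike=aes256-sha1-modp1024!\n  esp=aes256-sha1!\n"
SUGGESTED = BASE + "  ike=aes256-sha1-modp2048!\n  esp=aes-sha1!\n"

if __name__ == "__main__":
    for label, conf in (("failing", FAILING), ("working", WORKING),
                        ("suggested", SUGGESTED)):
        print(label, audit(conf))
```

The only difference between the failing and working inputs is the DH group on the esp line, which is what the esp-pfs finding isolates: with a group present, the peer must be configured to accept PFS with that same group in Quick Mode.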


















