Re: VPN (IPsec/L2TP) to windows server



On 25.01.21 at 16:13, Thomas Haller wrote:
On Mon, 2021-01-25 at 13:36 +0100, michaelof--- via networkmanager-list
wrote:
Hi all,



first post to this mailing list, after being subscribed.


I've got trouble with a VPN connection from several LINUX systems
tested (and also Android) to an IPsec/L2TP VPN on a MSWIN server. FYI
Windows to Windows connection works fine, at once, with MSWIN default
settings, tested on a VM running in my Linux (OpenSuse) box. 

Detailed description here:
https://forums.opensuse.org/showthread.php/549340-VPN-(ipsec-l2tp)-to-windows-server
No solution.

Asked also here:
https://lists.openswan.org/pipermail/users/2021-January/023799.html
No answer.


So trying here if I maybe could get a hint for narrowing down
further: As written to the openswan mailing list, it might be
possible that setting "leftprotoport=udp/%any" to the IPsec settings
would solve the problem (Found here:
https://lists.openswan.org/pipermail/users/2013-July/022547.html)

But I have no clue how/where to enter this param, adding to
/etc/ipsec.conf does not help.

Could you give me some hints how NetworkManager works internally,
when setting up an IPsec connection? I've got the impression that
NetworkManager creates some "temporary" connections, where are they
stored? And how can I debug them?



Hi,


On Linux, there are (at least) two IPSec implementations: strongswan and
libreswan (formerly openswan). Both have a VPN plugin for
NetworkManager.

The libreswan plugin is here:
https://gitlab.gnome.org/GNOME/NetworkManager-libreswan/


As always in NetworkManager, you create a "connection profile" with the
settings for your VPN. The simplest way is via nm-connection-editor
(and installing the GTK plugin). You can of course use nmcli for that
too, the problem is that then you need to configure the right keys, and
that is not well documented. So, a good start is using the GUI, and
check what it does (with `nmcli connection show "$PROFILE"`). Or, read
the source code (in gitlab).

If you have a configuration file for libreswan, you also can import it
with nm-connection-editor or `nmcli connection import type libreswan
file "$FILENAME"`.


best,
Thomas


Hi Thomas,

THANKS for answering! And thanks for the hints for nmcli, never used/being aware of it before.
Checked my (OpenSuse) system, I've strongswan installed. OpenSuse NetworkManager plugin repo pkgs exist for 
both strongswan and libreswan. Installed the strongswan plugin, but I'm confused: I'm getting an option now 
for the creation of "VPN based on IPsec (strongswan) / VPN based in IPsec, IKEv1, IKEv2". But trying this 
option does not provide me any L2TP options.
So - I'm not a vpn expert - I think that my originally used NetworkManager vpn plugin 
"NetworkManager-l2tp"/"NetworkManager-l2tp-gnome" seems to be the correct one. If working :(
Mystic to me is the way how NetworkManager "triggers" the interaction between the IPsec part and the L2TP 
part within this plugin: At first encrypted IPsec connections seem to be established, using existing 
strongswan installation (no idea how to "tell" to use libreswan instead, if additionally installed). And 
secondly, the L2TP part seems to fail, whyever. Hint from strongswan mailing list's earlier thread was to set 
"leftprotoport=udp/l2tp rightprotoport=udp/any", but I've no idea where and how in combination with 
NetworkManager.

Michael

