IPSec over L2TP: received NO_PROPOSAL_CHOSEN error notify

Tags: ipsec, networking, openswan, vpn, xl2tpd

Environment:

# uname -a
Linux shrimpwagon 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u1 (2017-02-22) x86_64 GNU/Linux

I have already installed:

# apt-get install strongswan xl2tpd

I'm trying to connect to a Meraki VPN. I spoke to a Meraki tech and he said that it looks like it is not authenticating but didn't give me much more detail:

# ipsec up L2TP-PSK
generating QUICK_MODE request 2711688330 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 10.0.0.4[4500] to 50.123.152.194[4500] (252 bytes)
received packet: from 50.123.152.194[4500] to 10.0.0.4[4500] (68 bytes)
parsed INFORMATIONAL_V1 request 2555305796 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'L2TP-PSK' failed

ipsec.conf:

config setup
    virtual_private=%v4:10.0.0.0/8
#   nat_traversal=yes
    # protostack, oe and plutoopts are openswan keywords; strongSwan 5 has no pluto,
    # logs them as "unknown keyword" and ignores them
    protostack=auto
    oe=off
    plutoopts="--interface=eth0"

conn L2TP-PSK
    keyexchange=ikev1
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    # phase2 and phase2alg are openswan keywords too and are ignored by strongSwan,
    # which takes the phase 2 proposal from esp= (or ah=) and otherwise falls back
    # to its built-in default esp= proposal
    phase2=ah
    phase2alg=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=secret
    aggrmode=yes
    # pfs is deprecated in strongSwan 5: PFS is requested by adding a DH group to
    # esp=, and no group means no PFS (hence no KE payload in the QUICK_MODE request)
    pfs=no
    auto=add
    keyingtries=2
#   dpddelay=30
#   dpdtimeout=120
#   dpdaction=clear
#   rekey=yes
    ikelifetime=8h
    keylife=1h
    # L2TP/IPsec runs in transport mode between the two hosts; the usual traffic
    # selector is the L2TP port (leftprotoport/rightprotoport=udp/l2tp), not a subnet
    type=transport
    left=%defaultroute
#   leftnexthop=%defaultroute
#   leftprotoport=udp/l2tp
    right=50.123.152.194
    rightsubnet=10.2.150.0/24

ipsec.secrets:

%any %any : PSK "****"

xl2tpd.conf:

[lac vpn-connection]
lns = 50.123.152.194
;refuse chap = yes
;refuse pap = no
;require authentication = yes
;name = vpn-server
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

options.l2tpd.client:

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name swelch
password ****

I have gotten most of my instructions from this site:

https://www.elastichosts.com/blog/linux-l2tpipsec-vpn-client/

I did have to put it into aggressive mode, specify ikev1 and set the ike algorithms. Once I did that I was able to start communicating with the MX. But I'm getting this error now and I am at a total loss.

Thanks in advance!

Best Answer

When connecting as a Meraki Client VPN, it only supports protocols that have been removed from the strongSwan default protocol negotiation list (because the SWEET32 birthday attack is possible against some of these protocols), so you have to specify them explicitly (as you have).

If you install ike-scan and run it against your Meraki "server" (sudo ipsec stop; sudo service xl2tpd stop; sudo ike-scan YOUR.SERVER.IP) you can see what the default protocol is. I'm fairly confident it is 3des-sha1-modp1024 like you have above, though in my (NetworkManager) generated ipsec.conf I don't have the phase2 and phase2alg lines, but an esp line.

Here is the snippet from my working config with the protocols:

  keyexchange=ikev1
  ike=3des-sha1-modp1024!
  esp=3des-sha1!

Sidenote: This probably doesn't matter for you since you are using the CLI, but I'm using a PPA for the NM plugin for L2TP from ppa:nm-l2tp/network-manager-l2tp, and in my NetworkManager GUI it refers to Phase 1 and Phase 2, but in the generated ipsec config those map to the ike and esp above. I used this blog post
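The ike-scan step above and the Phase 1 / Phase 2 = ike= / esp= mapping can be checked directly on the wire. The following is an added example written for this thread (it is not code from the original post, from strongSwan or from ike-scan): it decodes the SA payload of an IKEv1 datagram, i.e. the proposal a peer returns to an aggressive-mode probe and the ESP proposal carried in a quick-mode request, into the algorithm strings strongSwan uses in ike= and esp=, and names a NO_PROPOSAL_CHOSEN notification when it meets one. The packets in SAMPLES are constructed by hand to match the 3des-sha1-modp1024 proposal mentioned in the answer; to use it for real, pass decode() the UDP payload of an ISAKMP datagram taken from a capture. Quick-mode and informational messages are encrypted on the wire, so those only decode from a decrypted dump; the decoder reports the encryption flag and stops rather than guessing.

```python
"""Decode IKEv1 (ISAKMP) SA and Notify payloads into strongSwan-style names.

Added example for this thread, not code from the original post, from strongSwan
or from ike-scan. SAMPLES are constructed by hand: the aggressive-mode reply
ike-scan elicits (3des-sha1-modp1024 with PSK), a decrypted quick-mode ESP
proposal, and a NO_PROPOSAL_CHOSEN notification (encrypted on the real wire)."""
import struct
EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
# Phase 1 values: RFC 2409 App. A (AES: RFC 3602). ESP values: RFC 2407, 3947, 4868.
IKE_ENC = {1: "des", 5: "3des", 7: "aes"}
IKE_HASH = {1: "md5", 2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
IKE_AUTH = {1: "psk", 3: "rsasig", 65001: "xauth-psk"}
MODP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048", 15: "modp3072"}
ESP_ENC = {2: "des", 3: "3des", 11: "null", 12: "aes"}
ESP_AUTH = {1: "md5", 2: "sha1", 5: "sha256", 6: "sha384", 7: "sha512"}
ENCAP = {1: "tunnel", 2: "transport", 3: "udp-tunnel", 4: "udp-transport"}
NOTIFY = {14: "NO_PROPOSAL_CHOSEN", 18: "INVALID_ID_INFORMATION", 24: "AUTHENTICATION_FAILED"}

def parse_attributes(data):
    """Decode a transform's TV/TLV attribute list (RFC 2408 section 3.3)."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        kind, val = struct.unpack_from("!HH", data, off)
        if kind & 0x8000:                   # TV form: a 16-bit value follows the type
            attrs[kind & 0x7FFF], off = val, off + 4
        else:                               # TLV form: 'val' is the value length
            attrs[kind] = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + val
    return attrs

def transform_name(proto, body):
    """Render one transform body the way strongSwan spells it in ike= / esp=."""
    tid, a = body[1], parse_attributes(body[4:])   # number, ID, 2 reserved, attributes
    if proto == 1:                          # PROTO_ISAKMP: cipher, hash and group are attributes
        enc = IKE_ENC.get(a.get(1), f"enc{a.get(1)}")
        enc += str(a.get(14, 128)) if enc == "aes" else ""
        alg = "-".join([enc, IKE_HASH.get(a.get(2), "hash?"), MODP.get(a.get(4), "group?")])
        return {"alg": alg, "auth": IKE_AUTH.get(a.get(3), str(a.get(3)))}
    if proto == 3:                          # PROTO_IPSEC_ESP: the cipher is the transform ID
        enc = ESP_ENC.get(tid, f"esp{tid}")
        enc += str(a.get(6, 128)) if enc == "aes" else ""
        parts = [enc, ESP_AUTH.get(a.get(5), "auth?")]
        parts += [MODP.get(a[3], "group?")] if 3 in a else []   # DH group only with PFS
        return {"alg": "-".join(parts), "mode": ENCAP.get(a.get(4), str(a.get(4)))}
    return {"alg": f"proto{proto}-transform{tid}"}

def parse_sa(body):
    """Parse an SA payload body: DOI, situation, then proposals with transforms."""
    props, off = [], 8                      # skip DOI and situation
    while off + 8 <= len(body):
        _nxt, _, plen, pnum, proto, spi_len, ntrans = struct.unpack_from("!BBHBBBB", body, off)
        toff, transforms = off + 8 + spi_len, []
        for _ in range(ntrans):
            tlen = struct.unpack_from("!BBH", body, toff)[2]
            transforms.append(transform_name(proto, body[toff + 4:toff + tlen]))
            toff += tlen
        props.append({"proposal": pnum, "protocol": proto, "transforms": transforms})
        off += plen
    return props

def decode(packet):
    """Walk the ISAKMP header and payload chain of one UDP datagram."""
    ptype, _ver, xchg, flags, _mid, length = struct.unpack_from("!BBBBII", packet, 16)
    if length != len(packet):
        raise ValueError(f"ISAKMP length field {length} != {len(packet)} bytes")
    out = {"exchange": EXCHANGE.get(xchg, str(xchg)), "encrypted": bool(flags & 1), "proposals": [], "notify": []}
    off = 28
    while ptype and not out["encrypted"] and off + 4 <= len(packet):
        nxt, _, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4 or off + plen > len(packet):
            raise ValueError(f"malformed payload at offset {off}")
        body = packet[off + 4:off + plen]
        if ptype == 1:                      # SA payload
            out["proposals"] += parse_sa(body)
        elif ptype == 11:                   # Notification: DOI, proto, SPI size, type, ...
            out["notify"].append(NOTIFY.get(struct.unpack_from("!H", body, 6)[0], "?"))
        ptype, off = nxt, off + plen
    return out

def _payload(nxt, body):                    # generic payload header + body
    return struct.pack("!BBH", nxt, 0, 4 + len(body)) + body

def build_sa(proto, spi, transforms, nxt=0):
    """Encode proposal 1 of an SA payload; transforms = [(id, {attr: value}), ...]."""
    tp = b""
    for i, (tid, attrs) in enumerate(transforms, 1):
        ab = b"".join(struct.pack("!HH", 0x8000 | k, v) for k, v in attrs.items())
        tp += _payload(3 if i < len(transforms) else 0, struct.pack("!BBxx", i, tid) + ab)
    prop = _payload(0, struct.pack("!BBBB", 1, proto, len(spi), len(transforms)) + spi + tp)
    return _payload(nxt, struct.pack("!II", 1, 1) + prop)   # DOI IPsec, SIT_IDENTITY_ONLY

def build_packet(xchg, first, payloads, flags=0):
    body = b"".join(payloads)
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10, xchg, flags, 0, 28 + len(body)) + body

SAMPLES = {  # constructed for this example, not captured from a Meraki
    "phase1": build_packet(4, 1, [build_sa(1, b"", [(1, {1: 5, 2: 2, 3: 1, 4: 2, 11: 1, 12: 28800})])]),
    "phase2": build_packet(32, 1, [build_sa(3, b"\xde\xad\xbe\xef", [(12, {1: 1, 2: 3600, 4: 4, 5: 2, 6: 128}),
                                                                     (3, {1: 1, 2: 3600, 4: 4, 5: 2})])]),
    "no_prop": build_packet(5, 11, [_payload(0, struct.pack("!IBBH", 1, 1, 0, 14))]),
}
```

For the L2TP case the two fields worth reading are the phase 2 "mode" (L2TP/IPsec negotiates transport mode, which shows up as udp-transport once NAT-T has moved the exchange to port 4500 as in the log above) and the algorithm strings, which paste straight into esp= for phase 2 and ike= for phase 1. decode("phase1") on the constructed sample yields 3des-sha1-modp1024 with psk, the string the answer expects ike-scan to report.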
