L2TP Over IPSec VPN from Linux (any Linux distribution)

pista Member Posts: 21  Freshman Member
Hi folks!

Anyone have any luck w/ L2TP Over IPSec VPN connections from some Linux distribution?

My case (USG-1100) works fine from Windows, macOS and Android. But it doesn't work from Linux distributions (Ubuntu 18.04 doesn't have a client, Ubuntu 16.04, Fedora, etc.). I am receiving this error:

"578da8a0-1365-413b-97f2-88322e336242" #1: ERROR: asynchronous network error report on wlp3s0 (sport=500) for message to 176.xx.xx.xx port 500, complainant 176.xx.xx.xx: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

Is it working for somebody? Does anybody know how to? 

Thanks a lot! 

Comments

  • Zyxel_Cooldia Zyxel Official Agent Posts: 256  mod
    Hi @pista,
    Can you paste the USG VPN phase 1 and phase 2 negotiation log (Monitor > LOG)? Maybe we can find some clues in the VPN connection log.
  • pista Member Posts: 21  Freshman Member
    edited July 19, 2018 2:52PM
    Hi @Zyxel_Cooldia ,

    thanks for your reply! I tried from two Linux devices today (Ubuntu 16.04 and Fedora r27). In the attachment you can find the logs from journalctl from both devices.

    “Phase1 Algorithms” is set to 3des-sha1 in the Zyxel settings and in the Linux connection as well.
    “Phase2 Algorithms” is set to 3des-sha1 in the Zyxel settings and in the Linux connection as well.

    Looks like IKE in Phase1 is not syncing correctly; just wondering why. Should I use some different settings for these algorithms?

    Do you have any idea, please?

    Thank you!
  • Zyxel_Cooldia Zyxel Official Agent Posts: 256  mod
    Hi @pista,
    Can you provide the USG-side VPN connection log, not the Linux VPN log?
    1)    Log in to the USG Web GUI
    2)    Go to menu “Monitor > Log” and take a screenshot of the VPN connection log.
  • pista Member Posts: 21  Freshman Member
    edited July 19, 2018 2:52PM
    Hi @Zyxel_Cooldia

    It was attached in 'ubuntu_16_04' as well, screenshot in the attachment of this message.

    Thank you for your help in advance.
  • Zyxel_Cooldia Zyxel Official Agent Posts: 256  mod
    Hi @pista,
    I installed Ubuntu 18.04 LTS on a lab device to test the L2TP over IPSec VPN connection to the USG. It works fine on the VPN connection.
    It seems the phase 1 DH group mismatches the USG phase 1 configuration on your site.
    Can you set the phase 1 DH group to 14 (on the USG) and try it again?
  • pista Member Posts: 21  Freshman Member
    @Zyxel_Cooldia thx, I will do it and I will let you know!

    Can you provide me with a manual? Or the best would be to provide me your settings from the USG and Ubuntu (to see how you set it up). I could follow and try as well.

    I appreciate your help! Thank you! 
  • Ed_JCL Member Posts: 1  Freshman Member
    Hello, good afternoon! Does anyone have a (step-by-step) manual on how to configure the VPN on Linux using the USG110? On Windows I can do this configuration easily. My e-mail: [email protected]
  • Zyxel_Cooldia Zyxel Official Agent Posts: 256  mod
    Hi @pista,
    The following is the lab testing VPN configuration. Assuming the related VPN module is installed correctly on Linux, you should only need to modify the DH group in USG phase 1 for the VPN connection.
    ~~~~~~~~~~~~~~~~~~~~~ Configuration file~~~~~~~~~~~~~~~~~~~~~~~~~~
    !
    isakmp policy WIZ_L2TP_VPN
    peer-ip 0.0.0.0 0.0.0.0
    local-ip interface wan1
    authentication pre-share
    encrypted-keystring $4$9eOBIIyQ$smPR6vGlxEufdb9dONhlwS6Zi5oT2vxckyi3tK33Gakg/DwtBRF12f8G25E49YXVEbcpBxS32kJSx5xYWRqDXc3D0r4PWG5N9rGVnKzSvss$
    mode main
    transform-set 3des-sha 3des-md5 des-sha
    group14
    lifetime 86400
    dpd-interval 30
    peer-id type any
    !
    crypto map WIZ_L2TP_VPN
    ipsec-isakmp WIZ_L2TP_VPN
    encapsulation transport
    transform-set esp-3des-sha esp-3des-md5 esp-des-sha
    set security-association lifetime seconds 86400
    set pfs none
    scenario remote-access-server
    local-policy WIZ_L2TP_VPN_LOCAL
    remote-policy any
    !
    ........
    ........
    !
    l2tp-over-ipsec crypto WIZ_L2TP_VPN
    l2tp-over-ipsec pool WIZ_L2TP_VPN_IP_ADDRESS_POOL
    l2tp-over-ipsec first-dns-server 8.8.8.8
    l2tp-over-ipsec second-dns-server 168.95.1.1
    !
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Web GUI configuration (Configuration > VPN > IPSec VPN > VPN gateway)
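
An added example, not part of the thread and not Zyxel's code: a Python check that parses the phase 1 policy lines quoted in the post above and compares them with a client "Phase1 Algorithms" string. It assumes the client uses strongSwan-style `enc-hash-modpNNNN` syntax and that the USG's `sha` means SHA-1; the function names are hypothetical.

```python
import re

# IKE DH group numbers and the MODP names used in strongSwan-style proposals
# (RFC 2409 / RFC 3526).
DH_GROUPS = {"group1": "modp768", "group2": "modp1024",
             "group5": "modp1536", "group14": "modp2048"}

# Constructed sample: the phase 1 policy lines quoted in the post above.
USG_POLICY = """\
isakmp policy WIZ_L2TP_VPN
mode main
transform-set 3des-sha 3des-md5 des-sha
group14
lifetime 86400
"""

def parse_usg_phase1(text):
    """Return (set of 'enc-hash' transforms, MODP name) from an isakmp policy."""
    transforms, dh = set(), None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "transform-set":
            transforms.update(words[1:])
        elif words[0] in DH_GROUPS:
            dh = DH_GROUPS[words[0]]
    return transforms, dh

def check_client_proposal(proposal, usg_text=USG_POLICY):
    """Compare one client proposal such as '3des-sha1-modp1024' with the USG."""
    transforms, usg_dh = parse_usg_phase1(usg_text)
    m = re.fullmatch(r"([a-z0-9]+)-([a-z0-9]+?)(?:-(modp\d+))?", proposal.lower())
    if not m:
        return "unparsable proposal"
    enc, integ, dh = m.groups()
    integ = "sha" if integ == "sha1" else integ  # assumption: USG 'sha' is SHA-1
    if f"{enc}-{integ}" not in transforms:
        return f"transform mismatch: USG offers {sorted(transforms)}"
    if dh is None:
        # No group given: the client falls back to its own defaults.
        return f"no DH group in proposal: append -{usg_dh} to pin it"
    if dh != usg_dh:
        return f"DH group mismatch: client {dh}, USG {usg_dh}"
    return "match"
```
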

  • pista Member Posts: 21  Freshman Member
    @Zyxel_Cooldia, thank you!

    May I ask what VPN module is installed on your Linux [Ubuntu 18.04 LTS]? And which file did you mean by 'Configuration file' (name and destination)?

    Appreciate your help! 
  • Zyxel_Cooldia Zyxel Official Agent Posts: 256  mod
    Hi @pista,
    You can set up the L2TP connection easily by installing network-manager-l2tp and network-manager-l2tp-gnome. As for the related VPN module, I will send you the information you need via private message.