L2TP-VPN not working between Strongswan/Debian (client) and Windows 2012 (server). Authentication failed?
I'm trying to connect as a Debian Stretch client using strongSwan to a VPN server (IPsec/L2TP) running on Windows Server 2012 R2. The server is working fine: clients under Windows and even macOS connect to it without problems. No special dances with a tambourine are needed.
I struggled for three hours today trying to connect strongSwan on Debian Stretch to it. I have already tried everything, with zero results. The config is below (by now I have removed almost everything from it, but I have already tried completely different combinations). The error is AUTHENTICATION FAILED. The PSK I enter is certainly correct.
ipsec.conf

config setup

conn %default
    authby=secret

conn intp
    left=%any
    leftfirewall=no
    right=server_hostname
    rightfirewall=yes
    type=tunnel
    auto=add

ipsec.secrets

include /var/lib/strongswan/ipsec.secrets.inc
: PSK VALID_PSK

initiating IKE_SA intp[1] to 194.84.28.242
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 144.76.196.175[500] to 194.84.28.242[500] (1300 bytes)
received packet: from 194.84.28.242[500] to 144.76.196.175[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_3072, it requested MODP_1024
initiating IKE_SA intp[1] to 194.84.28.242
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 144.76.196.175[500] to 194.84.28.242[500] (1044 bytes)
received packet: from 194.84.28.242[500] to 144.76.196.175[500] (360 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V ]
received MS NT5 ISAKMPOAKLEY v9 vendor ID
received MS-Negotiation Discovery Capable vendor ID
remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '144.76.196.175' (myself) with pre-shared key
establishing CHILD_SA intp
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) ]
sending packet: from 144.76.196.175[4500] to 194.84.28.242[4500] (412 bytes)
received packet: from 194.84.28.242[4500] to 144.76.196.175[4500] (68 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'intp' failed
I faced the same problem; by trial and error I arrived at the following config (client and server behind NAT, strongSwan 5.7):

config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    ike=3des-sha1-modp1024!
    esp=3des-sha1!

conn l2tp_psk
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=psk
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=XXX.XXX.XXX.XX # Public IP of the server
    rightid=XXX.XXX.XXX.XXX # IP of the server on the local network
    rightsendcert=never
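
An added example, not part of the original question or answer: a small Python check that compares each conn in an ipsec.conf against the L2TP/IPsec settings the working config above sets (IKEv1, transport mode, UDP 1701 selectors), applying strongSwan's defaults for keys that are absent. The question's log shows IKE_SA_INIT and IKE_AUTH, which are IKEv2 exchanges, consistent with `keyexchange` being left at its default. The names `REQUIRED`, `DEFAULTS`, `parse_conns` and `l2tp_findings` are hypothetical, and the two sample configs are abridged from this page.

```python
import re

# Settings the answer's working conn uses (assumption: these are what matters here).
REQUIRED = {"keyexchange": "ikev1", "type": "transport",
            "leftprotoport": "17/1701", "rightprotoport": "17/1701"}
# strongSwan ipsec.conf defaults applied when a key is absent.
DEFAULTS = {"keyexchange": "ike", "type": "tunnel"}

def parse_conns(text):
    """Return {conn: {key: value}} with 'conn %default' merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"(config|conn)\s+(\S+)", line)  # section headers start in column 0
        if m:
            current = conns.setdefault(m[2], {}) if m[1] == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    base = conns.pop("%default", {})
    return {name: {**DEFAULTS, **base, **opts} for name, opts in conns.items()}

def l2tp_findings(text):
    """List (conn, key, actual, expected) for every setting that differs."""
    return [(name, key, opts.get(key, "(unset)"), want)
            for name, opts in parse_conns(text).items()
            for key, want in REQUIRED.items()
            if opts.get(key) != want]

# Sample inputs abridged from the two configs on this page.
QUESTION_CONF = """\
conn %default
    authby=secret
conn intp
    type=tunnel
    auto=add
"""
ANSWER_CONF = """\
conn l2tp_psk
    keyexchange=ikev1
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
"""

if __name__ == "__main__":
    for conn, key, got, want in l2tp_findings(QUESTION_CONF):
        print(f"{conn}: {key}={got}, working config uses {key}={want}")
```

The check leaves the `ike=` and `esp=` proposals alone; 3DES, SHA-1 and MODP-1024 are legacy algorithms, so a reviewer would confirm what the server's proposal list actually requires before copying them.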