L2TP / IPSec failing to connect (Kubuntu 17.10)

After spending a few hours digging around, I found out what the problem is, and the solution.

The problem:

  1. Linux no longer supports the 3DES cipher, but many appliances still use it.
  2. Kubuntu 17.10 is missing phase1 and phase2 algorithm entry fields under IPSec Settings (this is a known bug), which are needed to set up an L2TP/IPSec connection to use 3DES.

The solution:

  1. Install the latest version of KDE Plasma from the "backports" PPA.
  2. Reboot, then create a new L2TP/IPSec VPN connection - phase1 and phase2 algorithm entry fields should now be present.
  3. For the Phase1 Algorithm, enter: 3des-sha1-modp1024!
  4. For the Phase2 Algorithm, enter: 3des-sha1!

From memory, I did the following:

sudo add-apt-repository ppa:kubuntu-ppa/backports
sudo apt update && sudo apt upgrade
sudo reboot
sudo apt install network-manager-l2tp-gnome
sudo apt install strongswan
sudo apt install libstrongswan-extra-plugins
sudo apt install libcharon-extra-plugins

Reboot, then add L2TP/IPSec as normal. You should now see the Phase1 and Phase2 algorithm textboxes as shown in the attached image.


It's important to note that the above steps will not work if you have installed the latest Linux kernel (4.14 or higher, I believe), so it is highly likely that this workaround to get L2TP/IPSec working with the 3DES cipher will not work when the upcoming Ubuntu 18.04 LTS is released.


I know that this question was in regards to getting L2TP/IPSec working on Kubuntu 17.10. However, 18.04 is out now, and here's how I get L2TP/IPSec working on Kubuntu 18.04:

  1. $ sudo apt install network-manager-l2tp
  2. $ sudo systemctl stop xl2tpd.service
  3. $ sudo systemctl disable xl2tpd.service

Messing around with backports is no longer required, as the Phase1 algorithms and Phase2 algorithms text inputs are now included in the default Network Manager.


You can use ike-scan (option --nat-t for NAT traversal) to ask the VPN server if you need those options:

sudo ike-scan vpn.myserver.org
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
52.x.x.x    Main Mode Handshake returned HDR=(CKY-R=aa91011bd9b543f7) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)

Ending ike-scan 1.9: 1 hosts scanned in 0.064 seconds (15.54 hosts/sec).  1 returned handshake; 0 returned notify

The outputs Enc=3DES, Hash=SHA1 and Group=2:modp1024 give you a hint whether you need to adjust the phase algorithms. Note: my network-manager settings have a button which adds Legacy Proposals for both Phase1 and Phase2 Algorithms:

  • Phase1 Algorithms: aes256-sha1-ecp384,aes128-sha1-ecp256,3des-sha1-modp1024!
  • Phase2 Algorithms: aes256-sha1,aes128-sha1,3des-sha1!

Pick those values you find in the output of ike-scan.
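The step of reading ike-scan's SA line and turning it into the Phase1/Phase2 strings from the first answer (3des-sha1-modp1024! and 3des-sha1!) can be scripted. The following is an added example, not code from any of the answers above or from ike-scan or strongSwan. It parses a constructed ike-scan output (the first host line has the same shape as the one shown above; the second host, the AES KeyLength field and the IP addresses are constructed for the example), maps the ike-scan transform names to strongSwan proposal keywords (an assumed mapping, limited to names strongSwan accepts in ike=/esp= strings), and flags the legacy components so you see what you are accepting before pasting the string into the connection. As in the answer, the phase2 string is derived from the same cipher and hash; ike-scan only reveals the phase1 (IKE SA) proposal.

```python
"""Turn ike-scan's Main Mode SA line into strongSwan phase1/phase2 proposal strings."""
import re

# Constructed sample output. The first host line has the same shape as the one in
# the answer above (3DES/SHA1/modp1024); the second host, its AES KeyLength field
# and both addresses are constructed for this example to show a non-legacy proposal.
SAMPLE_IKE_SCAN_OUTPUT = """\
Starting ike-scan 1.9 with 2 hosts (http://www.nta-monitor.com/tools/ike-scan/)
52.0.0.1\tMain Mode Handshake returned HDR=(CKY-R=aa91011bd9b543f7) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
52.0.0.2\tMain Mode Handshake returned HDR=(CKY-R=0123456789abcdef) SA=(Enc=AES KeyLength=256 Hash=SHA2-256 Auth=PSK Group=14:modp2048 LifeType=Seconds LifeDuration(4)=0x00007080)

Ending ike-scan 1.9: 2 hosts scanned in 0.064 seconds (31.08 hosts/sec).  2 returned handshake; 0 returned notify
"""

# ike-scan transform names -> strongSwan proposal keywords (assumed mapping,
# restricted to algorithms strongSwan accepts in ike=/esp= strings).
ENC_NAMES = {"3DES": "3des", "DES": "des", "AES": "aes"}
HASH_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
              "SHA2-384": "sha384", "SHA2-512": "sha512"}
# Components commonly treated as legacy/weak; HMAC-SHA1 integrity is deliberately
# not on this list, so only the cipher and the DH group are flagged here.
LEGACY = {"des", "3des", "md5", "modp768", "modp1024"}

# One line per host that completed a Main Mode handshake; the SA=(...) part runs
# to the final ')' because LifeDuration(4)=... contains parentheses of its own.
SA_LINE = re.compile(r"^(?P<host>\S+)\s+Main Mode Handshake returned .*SA=\((?P<sa>.*)\)\s*$")


def parse_ike_scan(text):
    """Return one dict per responding host: {'host': ..., 'Enc': ..., 'Hash': ..., 'Group': ..., ...}."""
    results = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue  # banner, summary, blank line, or a host that did not return a handshake
        sa = {"host": m.group("host")}
        for token in m.group("sa").split():
            key, _, value = token.partition("=")
            sa[key] = value
        results.append(sa)
    return results


def proposals_for(sa):
    """Build (phase1, phase2) in strongSwan syntax, e.g. ('3des-sha1-modp1024!', '3des-sha1!')."""
    enc = ENC_NAMES[sa["Enc"]]
    if "KeyLength" in sa:          # ike-scan prints the AES key size as a separate field
        enc += sa["KeyLength"]
    hsh = HASH_NAMES[sa["Hash"]]
    group = sa["Group"].split(":", 1)[-1]   # "2:modp1024" -> "modp1024"
    # The trailing '!' makes strongSwan send exactly this proposal and nothing else.
    return f"{enc}-{hsh}-{group}!", f"{enc}-{hsh}!"


def legacy_components(proposal):
    """List the legacy parts of a proposal string so the weakness is visible before you commit to it."""
    return [part for part in proposal.rstrip("!").split("-") if part in LEGACY]


def main():
    for sa in parse_ike_scan(SAMPLE_IKE_SCAN_OUTPUT):
        p1, p2 = proposals_for(sa)
        weak = legacy_components(p1)
        note = f"  (legacy: {', '.join(weak)})" if weak else ""
        print(f"{sa['host']}: Phase1={p1} Phase2={p2}{note}")


if __name__ == "__main__":
    main()
```

To use it against a real server, pipe `sudo ike-scan vpn.myserver.org` (add `--nat-t` when you are behind NAT) into `parse_ike_scan` instead of the constructed sample; a host that is absent from the result list returned no handshake, which usually means the server wants a different exchange mode or a proposal ike-scan did not offer, not that the server is down.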