On Sat, 11 Apr 2020, venstiven wrote:
I am new to L2TP/IPsec VPN; I've been trying to connect to a Zyxel USG firewall for hours...
I was given IKEv1 credentials (PSK, username, password, public IP) and an IP range I will have access to (192.168.157.X). I've tried the credentials on Windows; they work.
I am trying to connect from a Debian 10 VPS. I've tried a lot of settings and none of them let me go further than phase 1.
The first phase uses 3des, sha1, modp1024. I tried that for the esp parameter with no luck; leaving it empty also doesn't work.
Recent versions of libreswan no longer support DH (modp1024). It is
simply too insecure to be allowed. Note that 3des-sha1 is also a
configuration from the 1990's and should really be upgraded to something
modern.
conn lug-vpn
    ike=3des-sha1;modp1024          # phase 1 proposal: cipher-integrity;DH group
    esp=3des-sha1;modp1024          # phase 2 proposal; ";modp1024" requests PFS with that group
    right=12.34.567.89              # the Zyxel's public IP (placeholder)
    left=98.76.54.321               # this VPS's public IP (placeholder)
    leftprotoport=17/1701           # UDP/1701 (L2TP) on our side
    rightprotoport=17/1701          # UDP/1701 (L2TP) on the firewall's side
    initial_contact=yes
    authby=secret                   # pre-shared key from ipsec.secrets
    auto=add                        # load the conn, bring it up by hand with "ipsec up lug-vpn"
I assume you might need aggressive=yes if this is really a group PSK
based connection. You should also have your leftprotoport be 17/%any
Try modp1536 instead of modp1024. If that also works, use that.
004 "lug-vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1024}
So phase one is up.
002 "lug-vpn" #2: initiating Quick Mode
031 "lug-vpn" #2: STATE_QUICK_I1: 60 second timeout exceeded after 7 retransmits. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
For L2TP those look like the right options. You can try playing with:
pfs=no
and
type=transport
Paul
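As an added example, not part of the original thread: the conn as posted next to the same conn with the suggestions from the reply applied (modp1536, type=transport, pfs=no, leftprotoport=17/%any). The IP addresses are the thread's placeholders; the conn names and comments are mine.

```ini
# --- as posted: phase 1 completes, Quick Mode (phase 2) times out ---
conn lug-vpn-as-posted
    ike=3des-sha1;modp1024          # modp1024 is no longer accepted by recent libreswan
    esp=3des-sha1;modp1024          # ";modp1024" asks for phase-2 PFS with that group
    left=98.76.54.321               # placeholder from the thread
    leftprotoport=17/1701
    right=12.34.567.89              # placeholder from the thread
    rightprotoport=17/1701
    initial_contact=yes
    authby=secret
    auto=add

# --- same conn with the reply's suggestions applied ---
conn lug-vpn
    type=transport                  # L2TP/IPsec protects UDP/1701 in transport mode, not tunnel mode
    ike=3des-sha1;modp1536          # modp1536 in place of the unsupported modp1024
    esp=3des-sha1                   # no DH group here because PFS is turned off below
    pfs=no                          # Quick Mode proposal without PFS, as suggested
    left=98.76.54.321               # placeholder from the thread
    leftprotoport=17/%any           # our L2TP source port is not guaranteed to be 1701
    right=12.34.567.89              # placeholder from the thread
    rightprotoport=17/1701          # the firewall still listens on UDP/1701
    initial_contact=yes
    authby=secret
    auto=add
    # aggressive=yes                # only if the firewall really uses a group PSK (the reply's guess)
```

After reloading, the log lines to compare are the ones quoted above: STATE_MAIN_I4 confirms phase 1, and a STATE_QUICK_I1 timeout with "perhaps peer likes no proposal" means the phase-2 settings (esp/pfs/type/protoport) are still what the firewall rejects.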
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan