Hi,

On Sat, Apr 6, 2019, at 5:21 PM, A P wrote:
> I have tried and tried and tried... With NetworkManager and totally manually,
> and I get the same error, with nothing much about it on the web... I get "*no
> acceptable traffic selectors found*"
>
> Thanks in advance for your help!
>
>
> Here is the log:
>
> initiating Main Mode IKE_SA myvpn[1] to 180.235.156.4
> generating ID_PROT request 0 [ SA V V V V V ]
> sending packet: from 192.168.1.2[500] to 180.235.156.4[500] (176 bytes)
> received packet: from 180.235.156.4[500] to 192.168.1.2[500] (124 bytes)
> parsed ID_PROT response 0 [ SA V V ]
> received NAT-T (RFC 3947) vendor ID
> received FRAGMENTATION vendor ID
> selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
> sending packet: from 192.168.1.2[500] to 180.235.156.4[500] (244 bytes)
> received packet: from 180.235.156.4[500] to 192.168.1.2[500] (304 bytes)
> parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: 65:83:ea:08:11:06:75:21:d2:51:cd:44:16:26:47:73
> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> local host is behind NAT, sending keep alives
> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
> sending packet: from 192.168.1.2[4500] to 180.235.156.4[4500] (100 bytes)
> received packet: from 180.235.156.4[4500] to 192.168.1.2[4500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA myvpn[1] established between 192.168.1.2[192.168.1.2]...180.235.156.4[180.235.156.4]
> scheduling reauthentication in 3390s
> maximum IKE_SA lifetime 3570s
> generating QUICK_MODE request 3689125877 [ HASH SA No ID ID NAT-OA NAT-OA ]
> sending packet: from 192.168.1.2[4500] to 180.235.156.4[4500] (188 bytes)
> received packet: from 180.235.156.4[4500] to 192.168.1.2[4500] (204 bytes)
> parsed QUICK_MODE response 3689125877 [ HASH SA No ID ID N((24576)) NAT-OA NAT-OA ]
> selected proposal: ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ
> *no acceptable traffic selectors found*
> establishing connection 'myvpn' failed
l2tp works over UDP and it's a fixed port 1701 on the server. You need to have "traffic selectors" that match that - so that IPSec knows what exactly (what *traffic*) you want to encrypt - and they need to agree between the server and the client.

I assume that Network Manager has set this up correctly on your "local" side. Let's check your server config. Please post your tunnel config file - i.e. the file where you have "left=", "right=", and all that fun stuff. And please check that you have items like these:

    leftprotoport=17/1701
    rightprotoport=17/%any

Protocol 17 is UDP and we need port number 1701 on the server. Or use names:

    leftprotoport=udp/l2tp
    rightprotoport=udp/%any

This is for the "legacy" config file format (which it seems is used more often, because of tutorials on the web).

PS - this seems like a good tutorial: https://wiki.gentoo.org/wiki/IPsec_L2TP_VPN_server

PPS - 3DES and MD5 are not considered good enough these days...

-- 
K
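As an added illustration of the check the reply asks for (this is not code from the thread or from strongSwan), the script below reads a legacy-format ipsec.conf, folds `conn %default` into each `conn`, and reports whether the L2TP traffic selectors are set as described (left side pinned to UDP 1701, right side UDP from any port) and whether the `ike=`/`esp=` lines still carry 3DES or MD5. The config text embedded in it is constructed for the example: one `conn` that reproduces the missing-selector situation from the log, and one that is configured as suggested.

```python
"""Audit legacy strongSwan ipsec.conf 'conn' sections for L2TP/IPsec
traffic-selector agreement.  Added example; the sample config below is
constructed for illustration and is not the poster's real file."""
import re

# Constructed sample: 'myvpn' lacks the protoport selectors and uses the
# algorithms seen in the log; 'l2tp-fixed' is configured as the reply suggests.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids=no

conn %default
    keyexchange=ikev1
    authby=secret

conn myvpn
    left=192.168.1.2
    right=180.235.156.4
    type=transport
    ike=3des-sha1-modp1024
    esp=3des-md5
    auto=add

conn l2tp-fixed
    left=192.168.1.2
    right=180.235.156.4
    type=transport
    leftprotoport=udp/l2tp      # UDP 1701, by service name
    rightprotoport=udp/%any     # client may use any source port
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    auto=add
"""

# Accepted spellings of "UDP port 1701": protocol by number or name, port by number or name.
L2TP_SELECTORS = {f"{p}/{q}" for p in ("17", "udp") for q in ("1701", "l2tp")}
ANY_UDP_SELECTORS = {"17/%any", "udp/%any"}
WEAK_ALG = re.compile(r"\b(3des|des|md5)\b", re.IGNORECASE)


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' values folded in.

    Covers the legacy format's essentials only: section headers at column 0,
    indented key=value lines, '#' comments.  No 'include' or 'also=' support.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # "conn NAME" or "config setup"
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
            continue
        key, sep, value = line.strip().partition("=")
        if sep and current is not None:
            current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **opts}
            for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}


def check_l2tp_conn(opts):
    """Return findings for one conn meant to carry L2TP; empty list means it passes."""
    findings = []
    lp = opts.get("leftprotoport")
    rp = opts.get("rightprotoport")
    if lp is None or lp.lower() not in L2TP_SELECTORS:
        findings.append(f"leftprotoport should be udp/l2tp (17/1701), got {lp!r}")
    if rp is None or rp.lower() not in ANY_UDP_SELECTORS:
        findings.append(f"rightprotoport should be udp/%any, got {rp!r}")
    for key in ("ike", "esp"):               # the PPS in the reply: 3DES/MD5 are not good enough
        if key in opts and WEAK_ALG.search(opts[key]):
            findings.append(f"{key}={opts[key]} uses 3DES/MD5-class algorithms")
    return findings


def audit(text):
    """Map each conn name to its list of findings."""
    return {name: check_l2tp_conn(opts) for name, opts in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_IPSEC_CONF).items():
        print(f"conn {name}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against a real server-side ipsec.conf by replacing `SAMPLE_IPSEC_CONF` with the file's contents; a conn with an empty finding list has the selector lines the reply describes, while the first two findings for `myvpn` are exactly the mismatch that produces "no acceptable traffic selectors found" when the peer proposes UDP 1701.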
