EdgeRouter L2TP VPN does not work with updated systems
-
So I posted this over on the Ubiquiti Community, but wanting more eyes on it.
I have been unable to use L2TP since I ran upgrades and libreswan was upgraded to libreswan-3.21-1.fc26.x86_64. I currently have libreswan-3.23-1.fc27.x86_64. My router is an ERL running 1.10.0. Checking what was being offered, I see this.
[user@hostname ~]$ sudo ./ike-scan.sh mv.ip.add.ress | grep SA
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=15:modp3072 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=19 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA2-384 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA2-384 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA2-384 Group=15:modp3072 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA2-384 Group=19 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA2-384 Group=20 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=MD5 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=MD5 Group=15:modp3072 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=MD5 Group=19 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA2-384 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA2-384 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA2-384 Group=15:modp3072 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA2-384 Group=19 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA2-384 Group=20 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=MD5 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=MD5 Group=15:modp3072 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=MD5 Group=19 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=SHA2-384 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=SHA2-384 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=SHA2-384 Group=15:modp3072 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=SHA2-384 Group=19 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=SHA2-384 Group=20 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=MD5 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=MD5 Group=15:modp3072 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=MD5 Group=19 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA2-384 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA2-384 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA2-384 Group=15:modp3072 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA2-384 Group=19 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA2-384 Group=20 Auth=PSK LifeType=Seconds LifeDuration=28800)
Network Manager's L2TP no longer supports such weak encryption.
https://github.com/nm-l2tp/network-manager-l2tp/wiki/Known-Issues#weak-legacy-algorithms
Legacy algorithms that are considered weak or broken are regularly removed from the default set of allowed algorithms with newer releases of strongSwan and Libreswan. As of strongSwan 5.4.0 and Libreswan 3.20, the above algorithms (apart from SHA1 and MODP1536 for Libreswan which still includes them for backwards compatibility) have been or in some cases already been removed from the default set of allowed algorithms.
This post says that the L2TP ciphers are not configurable unless we drop to editing the scripts.
https://community.ubnt.com/t5/EdgeMAX/L2TP-IPSec-default-negotiation-3DES-vs-AES-SHA1-vs-SHA2-etc/m-...
This is a huge problem, IMO.
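As an added example (not code from the post, Ubiquiti, or nm-l2tp), a small Python audit that parses ike-scan SA lines like the ones above and flags every proposal that depends on one of the legacy algorithms the nm-l2tp wiki names. The weak-algorithm sets are an assumption made here for the audit, and the sample input is a constructed subset of the output in the post.

```python
import re

# Assumed audit policy: the legacy algorithms the nm-l2tp wiki says newer
# strongSwan/Libreswan releases drop from their default allowed set.
WEAK_ENC = {"3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_GROUPS = {"2:modp1024", "5:modp1536"}

SA_RE = re.compile(r"SA=\(([^)]*)\)")


def parse_proposals(text):
    """Turn ike-scan output (even when flattened onto one line) into dicts."""
    proposals = []
    for body in SA_RE.findall(text):
        attrs = dict(kv.split("=", 1) for kv in body.split())
        proposals.append(attrs)
    return proposals


def weaknesses(proposal):
    """Name the weak components of one proposal (empty list if none)."""
    found = []
    if proposal.get("Enc") in WEAK_ENC:
        found.append("enc=" + proposal["Enc"])
    if proposal.get("Hash") in WEAK_HASH:
        found.append("hash=" + proposal["Hash"])
    if proposal.get("Group") in WEAK_GROUPS:
        found.append("group=" + proposal["Group"])
    return found


def audit(text):
    """Split the offered proposals into (weak, acceptable) lists."""
    weak, ok = [], []
    for p in parse_proposals(text):
        (weak if weaknesses(p) else ok).append(p)
    return weak, ok


# Constructed sample: three of the SA lines from the ike-scan output above.
SAMPLE = (
    "SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) "
    "SA=(Enc=AES KeyLength=128 Hash=SHA2-384 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800) "
    "SA=(Enc=AES KeyLength=256 Hash=MD5 Group=19 Auth=PSK LifeType=Seconds LifeDuration=28800)"
)

if __name__ == "__main__":
    weak, ok = audit(SAMPLE)
    for p in weak:
        print("WEAK", p["Enc"], p.get("KeyLength", ""), p["Hash"], p["Group"], weaknesses(p))
    for p in ok:
        print("OK  ", p["Enc"], p.get("KeyLength", ""), p["Hash"], p["Group"])
```

Feed it the full `grep SA` output to see which of the router's offers a client with modern defaults could still accept.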
-
That github link contains this link.
https://github.com/nm-l2tp/network-manager-l2tp#example-workaround-for-3des-sha1-and-modp1024-broken-algorithms
Which says this.
I added that, but still no go.
-
Well shit, maybe a problem with the kernel.
The NetworkManager maintainer replies on the Ubiquiti forum post I made.
https://community.ubnt.com/t5/EdgeMAX/L2TP-unusable-on-Fedora/td-p/2254953
-
Booted a VM to the Fedora 27 Workstation Live ISO.
Used dnf to install L2TP and it worked perfectly. The Live ISO uses kernel 4.13.9-300.
This confirms that kernel 4.14 and 4.15 are doing something wrong and are breaking IPsec.
-
@jaredbusch said in EdgeRouter L2TP VPN does not work with updated systems:
Booted a VM to the Fedora 27 Workstation Live ISO.
Used dnf to install L2TP and it worked perfectly. The Live ISO uses kernel 4.13.9-300.
This confirms that kernel 4.14 and 4.15 are doing something wrong and are breaking IPsec.
You can block dnf from installing newer kernels until this is fixed if you need to.
-
@dafyre said in EdgeRouter L2TP VPN does not work with updated systems:
@jaredbusch said in EdgeRouter L2TP VPN does not work with updated systems:
Booted a VM to the Fedora 27 Workstation Live ISO.
Used dnf to install L2TP and it worked perfectly. The Live ISO uses kernel 4.13.9-300.
This confirms that kernel 4.14 and 4.15 are doing something wrong and are breaking IPsec.
You can block dnf from installing newer kernels until this is fixed if you need to.
I've long been on a kernel newer than 4.13.
-
Was this the bug you were referring to?
https://bugzilla.redhat.com/show_bug.cgi?id=1526203
https://github.com/hwdsl2/setup-ipsec-vpn/issues/102
https://github.com/libreswan/libreswan/issues/140
-
@dbeato I'm not referencing any bug.
I am telling you it does not work on 4.15. So whatever that bug was involved with is not resolved currently. Additionally, the NetworkManager maintainer stated in his post on the Ubiquiti community that it was broke in 4.15 also.
-
@dbeato said in EdgeRouter L2TP VPN does not work with updated systems:
Was this the bug you were referring to?
https://bugzilla.redhat.com/show_bug.cgi?id=1526203
https://github.com/hwdsl2/setup-ipsec-vpn/issues/102
https://github.com/libreswan/libreswan/issues/140
Your first link is semi-related.
I have no idea wtf you are trying to prove with the second link.
The third link is only tangentially related, but a follow-up post on that links to the actual kernel commits that are the problem. But I have no idea how to know what is what from that level of in-depth detail.
https://patchwork.ozlabs.org/patch/838470/
-
@jaredbusch said in EdgeRouter L2TP VPN does not work with updated systems:
@dbeato said in EdgeRouter L2TP VPN does not work with updated systems:
Was this the bug you were referring to?
https://bugzilla.redhat.com/show_bug.cgi?id=1526203
https://github.com/hwdsl2/setup-ipsec-vpn/issues/102
https://github.com/libreswan/libreswan/issues/140
Your first link is semi-related.
I have no idea wtf you are trying to prove with the second link.
The third link is only tangentially related, but a follow-up post on that links to the actual kernel commits that are the problem. But I have no idea how to know what is what from that level of in-depth detail.
https://patchwork.ozlabs.org/patch/838470/
The 2nd one deserved the WTF because it is from 1/2017, so it is not related.
-
@JaredBusch Does your L2TP work in Fedora 28?
I'm on 4.17.7-200 & can't get L2TP working (from my desktop).
I spin up a W10 VM & have no problem getting it to work.
-
@fateknollogee said in EdgeRouter L2TP VPN does not work with updated systems:
@JaredBusch Does your L2TP work in Fedora 28?
I'm on 4.17.7-200 & can't get L2TP working (from my desktop).
I spin up a W10 VM & have no problem getting it to work.
It was working two months ago or so; it was working last month. I have not tried it in a few weeks.
-
Did you use the Libreswan or Strongswan setting in your previous post?