New job, New VPN


As the title says, every time I get a new job I have to use a new VPN service.
Sometimes it is very handy and Linux friendly, sometimes it is not Linux friendly at all, and sometimes it is something in the middle.

I have a saying: if you want to learn IPsec, move to China.
Since I'm in China and my employer's VPN support for Linux is something in the middle, I started fiddling with it until I could connect from Linux (they only support Windows; OS X is vaguely documented and unsupported).

The short OS X documentation says the VPN is L2TP over IPsec, so I started playing with strongSwan.

As soon as I start the tunnel, this appears in the logs:

$ sudo ipsec up L2TP-PSK
initiating IKE_SA L2TP-PSK[1] to 1.2.3.4
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.17.8.144[500] to 1.2.3.4[500] (1108 bytes)
retransmit 1 of request with message ID 0
sending packet: from 172.17.8.144[500] to 1.2.3.4[500] (1108 bytes)
retransmit 2 of request with message ID 0
sending packet: from 172.17.8.144[500] to 1.2.3.4[500] (1108 bytes)
retransmit 3 of request with message ID 0
sending packet: from 172.17.8.144[500] to 1.2.3.4[500] (1108 bytes)
retransmit 4 of request with message ID 0
sending packet: from 172.17.8.144[500] to 1.2.3.4[500] (1108 bytes)

This is going nowhere...

I was sure the VPN was IKEv1, so I added that to the config file; the result was the same :(

Divine illumination from God (and my son, who wanted to use the computer to watch YouTube) told me the problem was the proposal: IKEv1 will only take your first proposal, and by default strongSwan will offer a lot of proposals.

OK, but how can I know which proposal the server will accept without brute forcing over and over (a long and boring process)?

$ apt-cache search ike
$ apt-cache search ipsec
google
and so on...
I don't remember how I found out...

ike-scan :D

Among many other things, ike-scan can tell you which proposal the VPN concentrator will take :)

$ sudo ike-scan 1.2.3.4
ERROR: Could not bind network socket to local port 500
Only one process may bind to the source port at any one time.
ERROR: bind: Address already in use

Uhhh, I need to shut down strongSwan first.

$ sudo ike-scan 1.2.3.4
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
1.2.3.4  Main Mode Handshake returned HDR=(CKY-R=5bee34fe52e3b336) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds \ 
LifeDuration(4)=0x00007080) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) VID=36665412e8c59732317454eeefef85b6

Ending ike-scan 1.9: 1 hosts scanned in 0.021 seconds (46.81 hosts/sec).  1 returned handshake; 0 returned notify

Then I modified my /etc/ipsec.conf so that the proposal matches what ike-scan reported:

conn L2TP-PSK
   esp=3des-sha1
   ike=3des-sha1-modp1024
   keyexchange=ikev1
   forceencaps=yes
   authby=secret
   auto=add
   rekey=yes
   type=transport
   left=%any
   right=1.2.3.4
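The manual step above (read the SA=(...) attributes out of the ike-scan handshake line and type the matching ike= value into the conn block) is easy to get wrong when the output wraps or the peer accepts AES with a key length. The following script is an added example, not part of this post and not code from ike-scan or strongSwan: it parses the handshake line ike-scan printed, renders it as a strongSwan ike= proposal, flags legacy primitives the concentrator forces on every client, and checks that the first ike= proposal in a conn block is the one the peer accepted. The sample ike-scan output and conn block are the ones from this page, embedded inline; the attribute-name mappings beyond 3DES/SHA1/modp1024 (AES with KeyLength, MD5, SHA2-*) are assumptions based on ike-scan's and strongSwan's naming conventions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the ike-scan output shown on this page, including the
# backslash line continuation the terminal wrapped the long line with.
SAMPLE_IKE_SCAN = (
    "Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)\n"
    "1.2.3.4  Main Mode Handshake returned HDR=(CKY-R=5bee34fe52e3b336) "
    "SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds \\\n"
    "LifeDuration(4)=0x00007080) VID=afcad71368a1f1c96b8696fc77570100 "
    "(Dead Peer Detection v1.0) VID=36665412e8c59732317454eeefef85b6\n"
    "\n"
    "Ending ike-scan 1.9: 1 hosts scanned in 0.021 seconds (46.81 hosts/sec).  "
    "1 returned handshake; 0 returned notify\n"
)

# Constructed sample: the conn block from this page's /etc/ipsec.conf.
SAMPLE_IPSEC_CONF = """conn L2TP-PSK
   esp=3des-sha1
   ike=3des-sha1-modp1024
   keyexchange=ikev1
   forceencaps=yes
   authby=secret
   auto=add
   rekey=yes
   type=transport
   left=%any
   right=1.2.3.4
"""

# ike-scan attribute names -> strongSwan algorithm keywords. Only 3DES, SHA1
# and modp1024 appear on the page; the other entries are assumptions taken
# from the ike-scan and strongSwan naming conventions.
ENC_NAMES = {"DES": "des", "3DES": "3des", "AES": "aes"}
HASH_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
              "SHA2-384": "sha384", "SHA2-512": "sha512"}


def _balanced_group(text: str, open_idx: int) -> str:
    """Return the contents of the '(' ... ')' group opening at text[open_idx],
    tolerating nested parentheses such as LifeDuration(4)=0x00007080."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced parentheses in SA payload")


def parse_ike_scan_sa(output: str) -> Optional[Dict[str, str]]:
    """Extract the SA=(...) attributes of the first returned handshake as a dict.
    Returns None when no host returned a handshake."""
    joined = re.sub(r"\\[ \t]*\n", "", output)   # undo backslash line wrapping
    m = re.search(r"Handshake returned .*?SA=\(", joined)
    if m is None:
        return None
    body = _balanced_group(joined, m.end() - 1)
    attrs: Dict[str, str] = {}
    for token in body.split():
        key, _, value = token.partition("=")
        attrs[key] = value
    return attrs


def strongswan_ike_proposal(attrs: Dict[str, str]) -> str:
    """Render the accepted proposal as a strongSwan ike= value, e.g. 3des-sha1-modp1024."""
    enc = ENC_NAMES[attrs["Enc"]]
    if "KeyLength" in attrs:                 # assumed ike-scan form: Enc=AES KeyLength=256
        enc += attrs["KeyLength"]
    hash_alg = HASH_NAMES[attrs["Hash"]]
    group = attrs["Group"].split(":", 1)[1]  # "2:modp1024" -> "modp1024"
    return f"{enc}-{hash_alg}-{group}"


def weak_algorithms(proposal: str) -> List[str]:
    """List the legacy primitives in a proposal so the operator knows what the
    concentrator forces on every client (risk reporting; the client cannot fix it)."""
    weak = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}
    return [part for part in proposal.split("-") if part in weak]


def configured_first_proposal(conf: str, conn: str) -> Optional[str]:
    """Return the first ike= proposal of the named conn block in ipsec.conf."""
    in_conn = False
    for line in conf.splitlines():
        if re.match(rf"conn\s+{re.escape(conn)}\s*$", line):
            in_conn = True
            continue
        if in_conn and line.startswith("conn "):
            break
        if in_conn and line.strip().startswith("ike="):
            value = line.strip()[len("ike="):].rstrip("!")
            return value.split(",")[0]
    return None


def config_matches_scan(conf: str, conn: str, scan_output: str) -> bool:
    """True when the conn's first ike= proposal is the one the peer accepted."""
    attrs = parse_ike_scan_sa(scan_output)
    if attrs is None:
        return False
    return configured_first_proposal(conf, conn) == strongswan_ike_proposal(attrs)


if __name__ == "__main__":
    sa = parse_ike_scan_sa(SAMPLE_IKE_SCAN)
    prop = strongswan_ike_proposal(sa)
    print("peer accepts:", prop)
    print("legacy primitives:", weak_algorithms(prop))
    print("ipsec.conf matches:", config_matches_scan(SAMPLE_IPSEC_CONF, "L2TP-PSK", SAMPLE_IKE_SCAN))
```

Run it against a saved `ike-scan` transcript and your own ipsec.conf (replace the two sample strings with the file contents); if `config_matches_scan` is false the tunnel will stall in exactly the retransmit loop shown earlier. The `weak_algorithms` list does not change the configuration: with an IKEv1 responder that accepts only one proposal you have to offer what it wants, but you should know that a 3DES/SHA1/modp1024 tunnel is what you are getting and raise it with whoever runs the concentrator.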

And tried again:

$ sudo ipsec up L2TP-PSK 
initiating Main Mode IKE_SA L2TP-PSK[1] to 1.2.3.4
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 172.17.8.144[500] to 1.2.3.4[500] (212 bytes)
received packet: from 1.2.3.4[500] to 172.17.8.144[500] (140 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received unknown vendor ID: 36:66:54:12:e8:c5:97:32:31:74:54:ee:ef:ef:85:b6
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 172.17.8.144[500] to 1.2.3.4[500] (244 bytes)
received packet: from 1.2.3.4[500] to 172.17.8.144[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 172.17.8.144[4500] to 1.2.3.4[4500] (68 bytes)
received packet: from 1.2.3.4[4500] to 172.17.8.144[4500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA L2TP-PSK[1] established between 172.17.8.144[172.17.8.144]...1.2.3.4[1.2.3.4]
scheduling reauthentication in 10044s
maximum IKE_SA lifetime 10584s
generating QUICK_MODE request 2220555048 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 172.17.8.144[4500] to 1.2.3.4[4500] (220 bytes)
received packet: from 1.2.3.4[4500] to 172.17.8.144[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3120509775 [ HASH N(INITIAL_CONTACT) ]
received packet: from 1.2.3.4[4500] to 172.17.8.144[4500] (148 bytes)
parsed QUICK_MODE response 2220555048 [ HASH SA No ID ID ]
CHILD_SA L2TP-PSK{1} established with SPIs c2e76ee8_i 3914bddb_o and TS 172.17.8.144/32 === 1.2.3.4/32 
connection 'L2TP-PSK' established successfully

:D :D :D :D :D :D :D :D :D :D :D :D :D

Now it's L2TP's turn.

I just copied and pasted from here; you should do the same. Works like a champ!

The only thing I added is support for using a token as the password: a script that modifies /etc/ppp/options.l2tpd.client and starts xl2tpd. Here it is:

#!/bin/bash
# Ask for the one-time token, write it as the PPP password and (re)start the L2TP tunnel.
sudo service xl2tpd stop
echo "TOKEN?"
# -r keeps backslashes literal, -s does not echo the token to the terminal
read -r -s TOKEN
# '|' as the sed delimiter so a token containing '/' does not break the expression
sudo sed -i "s|password.*|password $TOKEN|" /etc/ppp/options.l2tpd.client
sudo service xl2tpd start
# tell xl2tpd to connect the lac named VPN-NAME in xl2tpd.conf
echo "c VPN-NAME" | sudo tee /var/run/xl2tpd/l2tp-control

This is valid with the following software:

  • strongswan 5.2.1-4
  • xl2tpd 1.3.6+dfsg-2

Against a Hillstone Secure Connect concentrator, unknown version.