
Before today, I connected to my work VPN fine (using libreswan and NetworkManager-l2tp). After upgrading my system, my VPN connections ceased functioning. After a lot of troubleshooting, I noticed something strange:

sudo ike-scan [vpn address] results in:

Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.471 seconds (0.40 hosts/sec).  0 returned handshake; 0 returned notify

Which indicates that the target gateway isn't an IPSec gateway (even though it most certainly is).

What could cause this? Is there something in a set of settings outside of ike-scan that needs to be altered in order for it to work appropriately? There are other IPSec VPN addresses that show up similarly, even though they are L2TP/IPSec VPNs. Also, only a couple of weeks ago I used ike-scan to figure out what the Phase1 and Phase2 algorithms were for my work's VPN.

There are other VPNs, too, like the one in this answer that don't work. Several other L2TP/IPSec IPs don't work either.

What could be going on here?

2 Answers


If you use ike-scan without specifying the proposal you want to test against, it will default to 3des-sha1-modp1024. Looking at the output, your VPN server doesn't seem to support that proposal.

Try the following ike-scan.sh script which iterates through a number of proposals. You can run it like sudo ./ike-scan.sh [vpn address] | grep SA= or sudo bash ike-scan.sh [vpn address] | grep SA=

#!/bin/sh

# Encryption algorithms: 3des=5, aes128=7/128, aes192=7/192, aes256=7/256
ENCLIST="5 7/128 7/192 7/256"
# Hash algorithms: md5=1, sha1=2, sha256=5, sha384=6, sha512=7
HASHLIST="1 2 5 6 7"
# Diffie-Hellman groups: 1, 2, 5, 14, 15, 19, 20, 21
GROUPLIST="1 2 5 14 15 19 20 21"
# Authentication method: Preshared Key=1, RSA signatures=3
AUTHLIST="1 3"

# Try every combination as a single IKEv1 transform (--trans=enc,hash,auth,group).
# -M prints each handshake's payloads on separate lines, so "grep SA=" picks out
# only the proposals the gateway accepted.
for ENC in $ENCLIST; do
    for HASH in $HASHLIST; do
        for GROUP in $GROUPLIST; do
            for AUTH in $AUTHLIST; do
                echo ike-scan --trans=$ENC,$HASH,$AUTH,$GROUP -M "$@"
                ike-scan --trans=$ENC,$HASH,$AUTH,$GROUP -M "$@"
            done
        done
    done
done
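The script above prints one handshake block per accepted transform, so against a gateway that answers many of them the raw output gets long. The following helper, added here and not part of the answer, reads that output, extracts the SA= payload of each handshake, de-duplicates the accepted proposals and flags the ones a practitioner should not want a VPN gateway to accept (DES/3DES, MD5, DH groups 1 and 2). The sample ike-scan output embedded in `sample_output` is constructed to resemble `ike-scan -M` output for the address 203.0.113.10; the function names `summarize_sa` and `sample_output` are this example's own, not ike-scan's.

```shell
#!/bin/sh
# Added example (not from the original answer): summarize the SA= lines that
# the proposal-iteration script produces and flag weak proposals.
#
# Usage:  sudo ./ike-scan.sh [vpn address] > scan.txt
#         ./summarize_sa.sh scan.txt
# With no argument the constructed sample below is used instead.

# Read ike-scan output on stdin; print "WEAK|OK Enc Hash Group Auth" once per
# distinct accepted proposal.
summarize_sa() {
    grep 'SA=(' | sed 's/.*SA=(\(.*\)).*/\1/' | awk '
    {
        enc = ""; klen = ""; hash = ""; group = ""; auth = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "Enc") enc = kv[2];
            else if (kv[1] == "KeyLength") klen = kv[2];
            else if (kv[1] == "Hash") hash = kv[2];
            else if (kv[1] == "Group") group = kv[2];
            else if (kv[1] == "Auth") auth = kv[2];
        }
        if (klen != "") enc = enc "-" klen;
        key = enc " " hash " " group " " auth;
        if (seen[key]++) next;            # the same proposal may be accepted more than once
        # Weak: DES/3DES, MD5, or DH groups 1/2 (modp768/modp1024).
        weak = (enc ~ /^(DES|3DES)/ || hash == "MD5" || group ~ /^(1|2):/);
        label = weak ? "WEAK" : "OK";
        print label, key;
    }'
}

# Constructed sample: three handshakes from the iteration script, two of them
# accepting the same 3DES/SHA1/modp1024 proposal.
sample_output() {
    cat <<'EOF'
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
203.0.113.10    Main Mode Handshake returned
    HDR=(CKY-R=f2f5fd8af8f2d7bd)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=4a131c81070358455c5728f20e95452f (RFC 3947 NAT-T)
Ending ike-scan 1.9: 1 hosts scanned in 0.022 seconds (45.45 hosts/sec).  1 returned handshake; 0 returned notify
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
203.0.113.10    Main Mode Handshake returned
    HDR=(CKY-R=3c2e1b0d9f8a7c6e)
    SA=(Enc=AES KeyLength=256 Hash=SHA256 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
Ending ike-scan 1.9: 1 hosts scanned in 0.021 seconds (47.62 hosts/sec).  1 returned handshake; 0 returned notify
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
203.0.113.10    Main Mode Handshake returned
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
Ending ike-scan 1.9: 1 hosts scanned in 0.019 seconds (52.63 hosts/sec).  1 returned handshake; 0 returned notify
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
203.0.113.10    Main Mode Handshake returned
    SA=(Enc=AES KeyLength=128 Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
Ending ike-scan 1.9: 1 hosts scanned in 0.019 seconds (52.63 hosts/sec).  1 returned handshake; 0 returned notify
EOF
}

if [ $# -ge 1 ]; then
    summarize_sa < "$1"
else
    sample_output | summarize_sa
fi
```

On the sample this prints three lines: `WEAK 3DES SHA1 2:modp1024 PSK`, `OK AES-256 SHA256 14:modp2048 PSK` and `WEAK AES-128 MD5 2:modp1024 PSK`. The parser only keys on the Enc, KeyLength, Hash, Group and Auth attributes, so it tolerates extra payload fields (VID, LifeType) and works on both the multi-line `-M` output and the single-line default.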

I would recommend using the newer network-manager-l2tp 1.2.16 from the following PPA:

For backwards compatibility with most L2TP/IPsec VPN servers out there, network-manager-l2tp 1.2.16 and later no longer uses the strongSwan and libreswan default set of allowed algorithms; instead, the default is a merge of the IKEv1 proposals used by the Windows 10 and macOS/iOS/iPadOS L2TP/IPsec clients. The weakest proposals that were not common to both Win10 and iOS were dropped, but all of the strongest ones were kept.

So with network-manager-l2tp 1.2.16 and 1.8.0 (note: 1.8.0 hasn't been released for Ubuntu due to GPLv2 licensing incompatibility issues with OpenSSL inherited from Debian), I would recommend deleting the phase 1 and 2 proposals, as they shouldn't be necessary anymore.

If you use strongswan and enable debugging as described in the README.md file:

You can see both the Phase 1 (Main Mode) and Phase 2 (Quick Mode) proposals offered by the VPN server.