Connect Strongswan/VPN-Client (Debian) to IPSec/L2TP Server (Windows 2012) - AUTHENTIFICATION_FAILED












I am trying to connect my Debian Stretch box to a network running Windows-only machines. There is a node there that acts as a VPN server and runs Windows Server 2012 R2. I am able to connect to it via L2TP VPN from both my Windows and my Mac machine, so even though I don't like the setup, it seems to be working. It's dumb-easy to configure, without certs, with a simple PSK. But all my many hours of trying to get it connected from a Debian box failed today :( I have tried every possible config modification I found on the web... Here is the shortest one I am trying now; I always get the same error at the end (PSK is correct):



ipsec.conf:

config setup

conn %default
    authby=secret

conn intp
    left=%any
    leftfirewall=no
    right=server_hostname
    rightfirewall=yes
    type=tunnel
    auto=add


ipsec.secrets:



include /var/lib/strongswan/ipsec.secrets.inc
: PSK VALID_PSK


ipsec up intp



initiating IKE_SA intp[1] to 194.84.28.242
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 144.76.196.175[500] to 194.84.28.242[500] (1300 bytes)
received packet: from 194.84.28.242[500] to 144.76.196.175[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_3072, it requested MODP_1024
initiating IKE_SA intp[1] to 194.84.28.242
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 144.76.196.175[500] to 194.84.28.242[500] (1044 bytes)
received packet: from 194.84.28.242[500] to 144.76.196.175[500] (360 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V ]
received MS NT5 ISAKMPOAKLEY v9 vendor ID
received MS-Negotiation Discovery Capable vendor ID
remote host is behind NAT
no IDi configured, fall back on IP address
authentication of '144.76.196.175' (myself) with pre-shared key
establishing CHILD_SA intp
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) ]
sending packet: from 144.76.196.175[4500] to 194.84.28.242[4500] (412 bytes)
received packet: from 194.84.28.242[4500] to 144.76.196.175[4500] (68 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'intp' failed


Please help :)


























vpn windows-server-2012 debian-stretch strongswan






asked Jan 18 at 18:35









Progratron
  • L2TP is usually used with IKEv1, however, you are connecting with IKEv2. To connect with IKEv1 set keyexchange=ikev1 (you'll need to change other stuff too, e.g. the traffic selectors with left|rightsubnet). However, since the server does respond to IKEv2 requests you might want to consider using that if the server administrator can provide you with valid credentials as it is the far superior protocol.

    – ecdsa
    Jan 21 at 9:25











  • Thank you very much! You pointed me exactly to the right direction!

    – Progratron
    Jan 24 at 10:17
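To make the comment's advice concrete, here is an added example (not ecdsa's or the asker's configuration) of how the asker's conn could be rewritten for the L2TP/IPsec case. It assumes the standard L2TP/IPsec layout: IKEv1, transport mode, traffic selectors limited to UDP port 1701 on both ends, and a proposal list that includes the MODP_1024 group the server asked for in the log. `server_hostname` is the placeholder from the question; the connection name `l2tp-psk` and the proposal strings are assumptions, and the server may accept a different subset.

```ini
# /etc/ipsec.conf (added example: strongSwan IKEv1 initiator for L2TP/IPsec with a PSK)
config setup

conn %default
    # L2TP/IPsec is negotiated with IKEv1, not the IKEv2 the original conn used
    keyexchange=ikev1
    authby=secret

conn l2tp-psk
    # Transport mode: IPsec protects only the L2TP traffic between this host
    # and the server, not a routed subnet (no leftsubnet/rightsubnet here)
    type=transport
    left=%defaultroute
    # Traffic selector: UDP/1701 (L2TP) on both ends. The same restriction can
    # be written as leftsubnet=...[udp/1701] / rightsubnet=...[udp/1701]
    leftprotoport=17/1701
    right=server_hostname
    rightprotoport=17/1701
    # Proposals (assumed): the log shows the server rejecting MODP_3072 and
    # asking for MODP_1024, so that group has to be offered; stronger
    # options are listed first, and the trailing "!" refuses anything else
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1,aes128-sha1!
    auto=add
```

The PSK stays in ipsec.secrets as in the question; scoping it to the server (`server_hostname : PSK "..."`) instead of the wildcard `: PSK` line keeps the same secret from being offered to every peer this host talks to. A server that insists on MODP_1024 is negotiating 1024-bit Diffie-Hellman, which is below current recommendations, so accept that group only on this connection rather than in `%default`, and treat moving the server to IKEv2 with a 2048-bit or larger group, as the comment suggests, as the better outcome. After `ipsec restart`, `ipsec up l2tp-psk` should bring up the IKE and CHILD SAs; the L2TP client (for example xl2tpd) then runs on top of the transport-mode SA.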


















