Cisco Meraki VPN

At my work, the I.T. company replaced our router and gave us this information about how to connect. It is a Cisco. I have all of my development tools set up on Linux. I have installed xl2tpd, strongSwan and the NetworkManager-specific things. I have verified that I can connect to the VPN using a Windows 10 box, so I know I can connect. It is complaining that a service is not running, and in the logs it says strongSwan was not able to start. I have run through some tutorials and so far get the same thing. I am guessing there is another package for strongSwan that is needed; however, I cannot seem to figure out which one that would be.

Tutorial that I followed: https://www.bestvpnz.com/how-to-set-up-l2tp-ipsec-vpn-on-linux-networkmanager-strongswan/

xl2tpd status, and it is running:
shane@shane-ThinkPad-Yoga-14 /var/log $ sudo service xl2tpd status
● xl2tpd.service - LSB: layer 2 tunelling protocol daemon
Loaded: loaded (/etc/init.d/xl2tpd; bad; vendor preset: enabled)
Active: active (running) since Fri 2018-02-23 08:48:14 CST; 2 days ago
Docs: man:systemd-sysv-generator(8)
Process: 1899 ExecStart=/etc/init.d/xl2tpd start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/xl2tpd.service
└─1960 /usr/sbin/xl2tpd

Feb 23 08:48:14 shane-ThinkPad-Yoga-14 systemd[1]: Starting LSB: layer 2 tunelling protocol daemon...
Feb 23 08:48:14 shane-ThinkPad-Yoga-14 xl2tpd[1928]: setsockopt recvref[30]: Protocol not available
Feb 23 08:48:14 shane-ThinkPad-Yoga-14 xl2tpd[1960]: xl2tpd version xl2tpd-1.3.6 started on shane-ThinkPad-Yoga-14 PID:1960
Feb 23 08:48:14 shane-ThinkPad-Yoga-14 xl2tpd[1960]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Feb 23 08:48:14 shane-ThinkPad-Yoga-14 xl2tpd[1960]: Forked by Scott Balmos and David Stipp, (C) 2001
Feb 23 08:48:14 shane-ThinkPad-Yoga-14 xl2tpd[1899]: Starting xl2tpd: xl2tpd.
Feb 23 08:48:14 shane-ThinkPad-Yoga-14 xl2tpd[1960]: Inherited by Jeff McAdams, (C) 2002
Feb 23 08:48:14 shane-ThinkPad-Yoga-14 systemd[1]: Started LSB: layer 2 tunelling protocol daemon.
Feb 23 08:48:14 shane-ThinkPad-Yoga-14 xl2tpd[1960]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Feb 23 08:48:14 shane-ThinkPad-Yoga-14 xl2tpd[1960]: Listening on IP address 0.0.0.0, port 1701
shane@shane-ThinkPad-Yoga-14 /var/log $ ps aux | grep xl2tpd
root      1960  0.0  0.0   4464     8 ?        Ss   Feb23   0:00 /usr/sbin/xl2tpd
shane    28787  0.0  0.0  14220  1012 pts/3    S+   12:09   0:00 grep --color=auto xl2tpd
shane@shane-ThinkPad-Yoga-14 /var/log $ 

Here is the syslog output:
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 NetworkManager[1083]: [1519581375.8476] audit: op="connection-activate" uuid="725995f2-6a69-4b67-9390-de05e3344c49" name="VPN 1" pid=2582 uid=1000 result="success"
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 NetworkManager[1083]: [1519581375.8592] vpn-connection[0x11a21c0,725995f2-6a69-4b67-9390-de05e3344c49,"VPN 1",0]: Started the VPN service, PID 27529
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 NetworkManager[1083]: [1519581375.8774] vpn-connection[0x11a21c0,725995f2-6a69-4b67-9390-de05e3344c49,"VPN 1",0]: Saw the service appear; activating connection
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 NetworkManager[1083]: [1519581375.8891] vpn-connection[0x11a21c0,725995f2-6a69-4b67-9390-de05e3344c49,"VPN 1",0]: VPN connection: (ConnectInteractive) reply received
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 NetworkManager[1083]: nm-l2tp[27529] ipsec enable flag: yes
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 NetworkManager[1083]: ** Message: Check port 1701
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 NetworkManager[1083]: ** Message: Can't bind to port 1701
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 NetworkManager[1083]: nm-l2tp[27529] L2TP port 1701 is busy, using ephemeral.
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 NetworkManager[1083]: nm-l2tp[27529] starting ipsec
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 NetworkManager[1083]: Stopping strongSwan IPsec...
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 charon: 00[DMN] signal of type SIGINT received. Shutting down
Feb 25 11:56:15 shane-ThinkPad-Yoga-14 ipsec[27556]: Stopping strongSwan IPsec failed: starter is not running
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 NetworkManager[1083]: Starting strongSwan 5.3.5 IPsec [starter]...
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 NetworkManager[1083]: Loading config setup
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 NetworkManager[1083]: Loading conn '725995f2-6a69-4b67-9390-de05e3344c49'
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 NetworkManager[1083]: found netkey IPsec stack
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.10.0-38-generic, x86_64)
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-725995f2-6a69-4b67-9390-de05e3344c49.secrets'
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[CFG] loaded IKE secret for %any
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 00[JOB] spawning 16 worker threads
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 05[CFG] received stroke: add connection '725995f2-6a69-4b67-9390-de05e3344c49'
Feb 25 11:56:18 shane-ThinkPad-Yoga-14 charon: 05[CFG] added configuration '725995f2-6a69-4b67-9390-de05e3344c49'
Feb 25 11:56:19 shane-ThinkPad-Yoga-14 charon: 08[CFG] rereading secrets
Feb 25 11:56:19 shane-ThinkPad-Yoga-14 charon: 08[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 25 11:56:19 shane-ThinkPad-Yoga-14 charon: 08[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-725995f2-6a69-4b67-9390-de05e3344c49.secrets'
Feb 25 11:56:19 shane-ThinkPad-Yoga-14 charon: 08[CFG] loaded IKE secret for %any
Feb 25 11:56:19 shane-ThinkPad-Yoga-14 NetworkManager[1083]: nm-l2tp[27529] Spawned ipsec up script with PID 27613.
Feb 25 11:56:19 shane-ThinkPad-Yoga-14 charon: 09[CFG] received stroke: initiate '725995f2-6a69-4b67-9390-de05e3344c49'
Feb 25 11:56:19 shane-ThinkPad-Yoga-14 charon: 11[IKE] initiating Main Mode IKE_SA 725995f2-6a69-4b67-9390-de05e3344c49[1] to 24.106.1.218
Feb 25 11:56:19 shane-ThinkPad-Yoga-14 charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V ]
Feb 25 11:56:19 shane-ThinkPad-Yoga-14 charon: 11[NET] sending packet: from 192.168.1.132[500] to 24.106.1.218[500] (248 bytes)
Feb 25 11:56:23 shane-ThinkPad-Yoga-14 charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Feb 25 11:56:23 shane-ThinkPad-Yoga-14 charon: 12[NET] sending packet: from 192.168.1.132[500] to 24.106.1.218[500] (248 bytes)
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: nm-l2tp[27529] Timeout trying to establish IPsec connection
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: nm-l2tp[27529] Terminating ipsec script with PID 27613.
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: Stopping strongSwan IPsec...
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 charon: 00[DMN] signal of type SIGINT received. Shutting down
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: initiating Main Mode IKE_SA 725995f2-6a69-4b67-9390-de05e3344c49[1] to 24.106.1.218
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: generating ID_PROT request 0 [ SA V V V V ]
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: sending packet: from 192.168.1.132[500] to 24.106.1.218[500] (248 bytes)
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: sending retransmit 1 of request message ID 0, seq 1
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: sending packet: from 192.168.1.132[500] to 24.106.1.218[500] (248 bytes)
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: destroying IKE_SA in state CONNECTING without notification
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: establishing connection '725995f2-6a69-4b67-9390-de05e3344c49' failed
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: nm-l2tp[27529] Could not establish IPsec tunnel.
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: (nm-l2tp-service:27529): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: [1519581389.1992] vpn-connection[0x11a21c0,725995f2-6a69-4b67-9390-de05e3344c49,"VPN 1",0]: VPN plugin: state changed: stopped (6)
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: [1519581389.2034] vpn-connection[0x11a21c0,725995f2-6a69-4b67-9390-de05e3344c49,"VPN 1",0]: VPN plugin: state change reason: unknown (0)
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: [1519581389.2093] vpn-connection[0x11a21c0,725995f2-6a69-4b67-9390-de05e3344c49,"VPN 1",0]: VPN service disappeared
Feb 25 11:56:29 shane-ThinkPad-Yoga-14 NetworkManager[1083]: [1519581389.2126] vpn-connection[0x11a21c0,725995f2-6a69-4b67-9390-de05e3344c49,"VPN 1",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

You have port 1701 blocked. Open it up on your local firewall for this service.

I also needed to turn xl2tpd off as a service. I added the ports as well, and still no connection. I will have to pick apart the logs again and report back. PITA.

     sudo iptables -L -nv
Chain INPUT (policy ACCEPT 180 packets, 15662 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 ctstate NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1701 ctstate NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 168 packets, 13677 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:1701 ctstate ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:1701 ctstate ESTABLISHED

So it turns out that it was not a firewall issue.

I had turned off the service, then I had to add some somewhat cryptic settings under the IPsec settings: Phase1 Algorithms: 3des-sha-modp1024 and Phase2 Algorithms: 3des0sha1. That is what ended up curing it. I removed the firewall settings and it still works. From what I saw, since the process was already using that port, it was having issues connecting to the port. People are complaining about that on a few different threads.
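The two symptoms in this thread (the standalone xl2tpd daemon holding UDP 1701, and strongSwan sending IKE Main Mode requests that never get an answer) both leave a clear signature in the syslog lines above. The script below is an added example, not code from the thread or from NetworkManager-l2tp: it reads the log lines, counts charon's own `[NET] sending packet` / `[NET] received packet` lines (NetworkManager re-logs charon's output without the tag on failure, so the tag is what avoids double counting), and reports the findings. The sample log lines are constructed, modelled on the ones in the thread with documentation addresses (192.0.2.5, 203.0.113.10) in place of the real ones; the finding codes and messages are my own.

```python
"""Triage NetworkManager-l2tp / strongSwan syslog lines for an L2TP/IPsec attempt.

Added example for this thread; sample log lines are constructed, not the poster's.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of a failed attempt (abbreviated, example addresses).
SAMPLE_FAILED = """\
Feb 25 11:56:15 host NetworkManager[1083]: nm-l2tp[27529] ipsec enable flag: yes
Feb 25 11:56:15 host NetworkManager[1083]: ** Message: Can't bind to port 1701
Feb 25 11:56:15 host NetworkManager[1083]: nm-l2tp[27529] L2TP port 1701 is busy, using ephemeral.
Feb 25 11:56:15 host ipsec[27556]: Stopping strongSwan IPsec failed: starter is not running
Feb 25 11:56:19 host charon: 11[IKE] initiating Main Mode IKE_SA conn[1] to 203.0.113.10
Feb 25 11:56:19 host charon: 11[NET] sending packet: from 192.0.2.5[500] to 203.0.113.10[500] (248 bytes)
Feb 25 11:56:23 host charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Feb 25 11:56:23 host charon: 12[NET] sending packet: from 192.0.2.5[500] to 203.0.113.10[500] (248 bytes)
Feb 25 11:56:29 host NetworkManager[1083]: nm-l2tp[27529] Timeout trying to establish IPsec connection
Feb 25 11:56:29 host NetworkManager[1083]: sending packet: from 192.0.2.5[500] to 203.0.113.10[500] (248 bytes)
Feb 25 11:56:29 host NetworkManager[1083]: sending retransmit 1 of request message ID 0, seq 1
Feb 25 11:56:29 host charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
"""

# Constructed sample where the gateway answers Phase 1 (what a healthy start looks like).
SAMPLE_ANSWERED = """\
Feb 25 12:01:00 host charon: 11[IKE] initiating Main Mode IKE_SA conn[1] to 203.0.113.10
Feb 25 12:01:00 host charon: 11[NET] sending packet: from 192.0.2.5[500] to 203.0.113.10[500] (248 bytes)
Feb 25 12:01:00 host charon: 12[NET] received packet: from 203.0.113.10[500] to 192.0.2.5[500] (156 bytes)
Feb 25 12:01:00 host charon: 12[ENC] parsed ID_PROT response 0 [ SA V V V ]
"""

PEER_RE = re.compile(r"\bto (\d+\.\d+\.\d+\.\d+)\[(\d+)\]")


def triage(log_text: str) -> Dict[str, object]:
    """Return counters, flags and a list of (code, message) findings for one attempt."""
    counters = {"ike_sent": 0, "ike_received": 0, "ike_retransmits": 0}
    flags = {"port_1701_busy": False, "ipsec_timeout": False, "starter_not_running": False}
    peer = None
    for line in log_text.splitlines():
        # Match only charon's tagged lines; NetworkManager's untagged re-log of the
        # same text on failure would otherwise double-count packets and retransmits.
        if "[NET] sending packet" in line:
            counters["ike_sent"] += 1
            m = PEER_RE.search(line)
            if m:
                peer = m.group(1)
        elif "[NET] received packet" in line:
            counters["ike_received"] += 1
        elif "[IKE] sending retransmit" in line:
            counters["ike_retransmits"] += 1
        elif "L2TP port 1701 is busy" in line:
            flags["port_1701_busy"] = True
        elif "Timeout trying to establish IPsec connection" in line:
            flags["ipsec_timeout"] = True
        elif "starter is not running" in line:
            flags["starter_not_running"] = True

    findings: List[Tuple[str, str]] = []
    if flags["port_1701_busy"]:
        findings.append(("PORT_1701_BUSY",
                         "another process (typically a standalone xl2tpd service) already owns "
                         "UDP 1701, so nm-l2tp fell back to an ephemeral port; stop and disable "
                         "the standalone xl2tpd service so nm-l2tp can run its own instance."))
    if counters["ike_sent"] and counters["ike_received"] == 0:
        findings.append(("NO_IKE_REPLY",
                         f"{counters['ike_sent']} IKE Main Mode packet(s) sent to {peer} with "
                         f"{counters['ike_retransmits']} retransmit(s) and no reply: the gateway "
                         "is not answering. Check UDP/500 (and UDP/4500 for NAT-T) reachability and "
                         "that the Phase 1 proposal matches what the gateway is configured to accept."))
    if flags["starter_not_running"]:
        findings.append(("STARTER_NOT_RUNNING_BENIGN",
                         "nm-l2tp stops any running strongSwan starter before launching its own; "
                         "this message only says none was running and is not the cause of failure."))
    return {"peer": peer, **counters, **flags, "findings": findings}


def finding_codes(log_text: str) -> List[str]:
    """Just the finding codes, in report order."""
    return [code for code, _ in triage(log_text)["findings"]]


if __name__ == "__main__":
    for name, sample in (("failed", SAMPLE_FAILED), ("answered", SAMPLE_ANSWERED)):
        result = triage(sample)
        print(f"--- {name}: peer={result['peer']} sent={result['ike_sent']} "
              f"received={result['ike_received']} retransmits={result['ike_retransmits']}")
        for code, msg in result["findings"]:
            print(f"[{code}] {msg}")
```

On the phase settings the thread landed on: the client proposal has to match what the Meraki side is configured to accept, and the IKE request going unanswered is consistent with that mismatch as well as with a blocked UDP/500. 3DES, SHA-1 and a 1024-bit MODP group are legacy choices; the gateway administrator, not the client, is the one who can move the profile to stronger algorithms.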

I have been attempting to get this to work however I have not had much success. Considering I am a noob I am not surprised by the lack of progress.

I am looking to connect to a Meraki MX64 at my work.

I have to deal with Windows all day at work and I just can’t stand all the bullshit that comes with Windows.