VPN (L2TP / IPsec) connection is not possible

Autonomous Machines Jetson & Embedded Systems Jetson Nano
#1

I am trying to connect to L2TP VPN using Jetson Nano.
However, IPSec connection cannot be established using Network Manager L2TP or StrongSwan.

If you know how to establish an IPSec connection, please let me know.

The environment is as follows
Kernel: 4.9.140-tegra
NetworkManager-L2TP: 1.2.8-2build1 amd64 arm64
StrongSwan: U5.8.1/K4.9.140-tegra

1 Like
#2

For NetworkManager-L2TP: 1.2.8-2build1, I assume you meant arm64 instead of amd64.

I would recommend using the newer network-manager-l2tp 1.2.16 from the following PPA:

For backwards compatibility with most L2TP/IPsec VPN servers out there, network-manager-l2tp 1.2.16 no longer uses the strongSwan and libreswan default set of allowed algorithms, instead algorithms that are a merge of Windows 10 and macOS/iOS/iPadOS L2TP/IPsec clients’ IKEv1 proposals are used instead. The weakest proposals that were not common to both Win10 and iOS were dropped, but all of the strongest ones were kept.

So I suspect you’ll have more luck with the newer version.

#3

Thank you very much.

Update to “network-manager-l2tp 1.2.16” as advised
Tried to connect.
However, the following error appears and the connection cannot be made.

$ sudo / usr / lib / NetworkManager / nm-l2tp-service --debug
nm-l2tp [xxxx] nm-l2tp-service (version 1.2.16) starting 

nm-l2tp [xxxx] uses default --bus-name “org.freedesktop.NetworkManager.l2tp”
:
generating QUICK_MODE request xxx [HASH SA No KE ID ID NAT-OA NAT-OA]
sending packet: from yyy.yyy.yyy.yyy [4500] to xxx.xxx.xxx.xxx [4500] (xxx bytes)
received packet: from xxx.xxx.xxx.xxx [4500] to yyy.yyy.yyy.yyy [4500] (xxx bytes)
parsed QUICK_MODE response xxx [HASH SA No KE ID ID NAT-OA NAT-OA]

received netlink error: Function not implemented (38)
unable to add SAD entry with SPI xxx (FAILED)

From the error message
For example, the kernel does not support encryption
Is it the cause?

Messages that correspond to StrongSwan forums
It was done.
https://wiki.strongswan.org/issues/2121

I’m sorry, but please give me some advice.

#4

I can’t see the ‘received proposals’ log output which has the list of Quick Mode proposals offered by the VPN server. Looks like your kernel can’t handle one of the selected proposals. I can’t tell from that snippet of log output which one.

You’ll need to manually enter the Phase 2 Algorithms in the IPsec Option dialog box based on the received proposals till you get a combination that works with your kernel. It is currently set to the following default internally:

aes256-sha1,aes128-sha1,3des-sha1!

you might like to first try entering the above without aes256-sha1, then if it doesn’t work, only keep 3des-sha1!.

but if the received proposals has others that weren’t in the default I mentioned, you can see the keywords for all strongswan algorithms on the following page:

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

#5

Forgot to mention, you might also want to check you have the crypto plugin packages installed, e.g. libstrongswan-standard-plugins and libstrongswan-extra-plugins.

#6

Thank you for your advice.
Connection has not been made yet.

libstrongswan-standard-plugins and
Install libstrongswan-extra-plugins
Report the result of setting Phase 2 Algorithms

libstrongswan-*-plugin was obtained from the following PPA
https://launchpad.net/~just-vpn/+archive/ubuntu/strongswan

[result]

  1. 3des-sha1!
    parsed INFORMATIONAL_V1 request 158090692 [HASH N (NO_PROP)]
    received NO_PROPOSAL_CHOSEN error notify

2.aes256-sha1, aes128-sha1,3des-sha1!
received packet: from xxx.xxx.xxx.xxx [4500] to yyy.yyy.yyy.yyy [4500] (xxx bytes)
parsed QUICK_MODE response xxxxx [HASH SA No ID ID NAT-OA NAT-OA]
selected proposal: ESP: AES_CBC_128 / HMAC_SHA1_96 / NO_EXT_SEQ
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI xxx (FAILED)
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI xxx (FAILED)
unable to install inbound and outbound IPsec SA (SAD) in kernel
establishing connection ‘xxx’ failed

Looking at the results, “2.” seems to be the correct setting
“Protocol not supported (93)” and the connection could not be established.

#7

I guess you could try running the script on the following page to check if the require kernel modules for strongswan are installed:

Maybe switching from strongswan to libreswan might help. Installing libreswan package on Ubuntu should automatically uninstall strongswan.

Sorry I don’t have a Jetson to try and reproduce the issue myself.

#8

Solved.
Thank you very much.

This was because the kernel module needed by strongswan was insufficient.
I enabled the following settings and built a kernel to make an L2TP IPsec connection.

below setting at .config

CONFIG_INET_AH = y
CONFIG_INET_ESP = y
CONFIG_INET_IPCOMP = y

Thank you for various advice.
It was very helpful.

#9

Hello,

Thanks for the good writing.

I am currently unable to access jetson nano connected to vpn.

Connection is possible when using a devkit carrier board
If I use our custom carrier board, it is impossible to connect.

Based on your experience, can you give me any advice?

The vpn type is as follows:

image

Thank you.

#10