Configuring Ubuntu Linux 22.04 to connect to a Meraki VPN

ivocalado
New here


Hello folks, I'm trying to configure my Linux station to connect to a Meraki VPN. I followed all the steps presented here (https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration). Nevertheless, when I try to connect it fails with the following error log. Any tip on how to proceed?


Jul 22 22:53:05 darkside NetworkManager[931]: <info>  [1658541185.0054] vpn[0x557c8275c700,5bef9673-1244-4646-aba9-381bd613643b,"My VPN"]: starting l2tp
Jul 22 22:53:05 darkside NetworkManager[931]: <info>  [1658541185.0056] audit: op="connection-activate" uuid="5bef9673-1244-4646-aba9-381bd613643b" name="My VPN" pid=8281 uid=1000 result="success"
Jul 22 22:53:05 darkside nm-l2tp-service[10335]: Check port 1701
Jul 22 22:53:05 darkside NetworkManager[10350]: Stopping strongSwan IPsec failed: starter is not running
Jul 22 22:53:07 darkside NetworkManager[10347]: Starting strongSwan 5.9.5 IPsec [starter]...
Jul 22 22:53:07 darkside NetworkManager[10347]: Loading config setup
Jul 22 22:53:07 darkside NetworkManager[10347]: Loading conn '5bef9673-1244-4646-aba9-381bd613643b'
Jul 22 22:53:07 darkside charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-41-generic, x86_64)
Jul 22 22:53:07 darkside charon: 00[LIB] providers loaded by OpenSSL: legacy default
Jul 22 22:53:07 darkside charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 22 22:53:07 darkside charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 22 22:53:07 darkside charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 22 22:53:07 darkside charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 22 22:53:07 darkside charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 22 22:53:07 darkside charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 22 22:53:07 darkside charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Jul 22 22:53:07 darkside charon: 00[CFG]   loaded IKE secret for %any
Jul 22 22:53:07 darkside charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Jul 22 22:53:07 darkside charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 22 22:53:07 darkside charon: 00[JOB] spawning 16 worker threads
Jul 22 22:53:07 darkside charon: 06[CFG] received stroke: add connection '5bef9673-1244-4646-aba9-381bd613643b'
Jul 22 22:53:07 darkside charon: 06[CFG] added configuration '5bef9673-1244-4646-aba9-381bd613643b'
Jul 22 22:53:08 darkside charon: 07[CFG] rereading secrets
Jul 22 22:53:08 darkside charon: 07[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 22 22:53:08 darkside charon: 07[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Jul 22 22:53:08 darkside charon: 07[CFG]   loaded IKE secret for %any
Jul 22 22:53:08 darkside charon: 10[CFG] received stroke: initiate '5bef9673-1244-4646-aba9-381bd613643b'
Jul 22 22:53:08 darkside charon: 12[IKE] initiating Main Mode IKE_SA 5bef9673-1244-4646-aba9-381bd613643b[1] to <ip_replaced>
Jul 22 22:53:08 darkside charon: 12[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jul 22 22:53:08 darkside charon: 12[NET] sending packet: from 192.168.0.13[500] to <ip_replaced>[500] (212 bytes)
Jul 22 22:53:08 darkside charon: 11[NET] received packet: from <ip_replaced>[500] to 192.168.0.13[500] (156 bytes)
Jul 22 22:53:08 darkside charon: 11[ENC] parsed ID_PROT response 0 [ SA V V V V ]
Jul 22 22:53:08 darkside charon: 11[IKE] received XAuth vendor ID
Jul 22 22:53:08 darkside charon: 11[IKE] received DPD vendor ID
Jul 22 22:53:08 darkside charon: 11[IKE] received FRAGMENTATION vendor ID
Jul 22 22:53:08 darkside charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
Jul 22 22:53:08 darkside charon: 11[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 22 22:53:08 darkside charon: 11[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 22 22:53:08 darkside charon: 11[NET] sending packet: from 192.168.0.13[500] to <ip_replaced>[500] (244 bytes)
Jul 22 22:53:08 darkside charon: 13[NET] received packet: from <ip_replaced>[500] to 192.168.0.13[500] (244 bytes)
Jul 22 22:53:08 darkside charon: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 22 22:53:08 darkside charon: 13[IKE] local host is behind NAT, sending keep alives
Jul 22 22:53:08 darkside charon: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Jul 22 22:53:08 darkside charon: 13[NET] sending packet: from 192.168.0.13[4500] to <ip_replaced>[4500] (68 bytes)
Jul 22 22:53:08 darkside charon: 14[NET] received packet: from <ip_replaced>[4500] to 192.168.0.13[4500] (68 bytes)
Jul 22 22:53:08 darkside charon: 14[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jul 22 22:53:08 darkside charon: 14[IKE] IKE_SA 5bef9673-1244-4646-aba9-381bd613643b[1] established between 192.168.0.13[192.168.0.13]...<ip_replaced>[<ip_replaced>]
Jul 22 22:53:08 darkside charon: 14[IKE] scheduling reauthentication in 9966s
Jul 22 22:53:08 darkside charon: 14[IKE] maximum IKE_SA lifetime 10506s
Jul 22 22:53:08 darkside charon: 14[ENC] generating QUICK_MODE request 680526569 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Jul 22 22:53:08 darkside charon: 14[NET] sending packet: from 192.168.0.13[4500] to <ip_replaced>[4500] (356 bytes)
Jul 22 22:53:08 darkside charon: 01[NET] received packet: from <ip_replaced>[4500] to 192.168.0.13[4500] (76 bytes)
Jul 22 22:53:08 darkside charon: 01[ENC] parsed INFORMATIONAL_V1 request 3407603671 [ HASH N(NO_PROP) ]
Jul 22 22:53:08 darkside charon: 01[IKE] received NO_PROPOSAL_CHOSEN error notify
Jul 22 22:53:08 darkside NetworkManager[10390]: initiating Main Mode IKE_SA 5bef9673-1244-4646-aba9-381bd613643b[1] to <ip_replaced>
Jul 22 22:53:08 darkside NetworkManager[10390]: generating ID_PROT request 0 [ SA V V V V V ]
Jul 22 22:53:08 darkside NetworkManager[10390]: sending packet: from 192.168.0.13[500] to <ip_replaced>[500] (212 bytes)
Jul 22 22:53:08 darkside NetworkManager[10390]: received packet: from <ip_replaced>[500] to 192.168.0.13[500] (156 bytes)
Jul 22 22:53:08 darkside NetworkManager[10390]: parsed ID_PROT response 0 [ SA V V V V ]
Jul 22 22:53:08 darkside NetworkManager[10390]: received XAuth vendor ID
Jul 22 22:53:08 darkside NetworkManager[10390]: received DPD vendor ID
Jul 22 22:53:08 darkside NetworkManager[10390]: received FRAGMENTATION vendor ID
Jul 22 22:53:08 darkside NetworkManager[10390]: received NAT-T (RFC 3947) vendor ID
Jul 22 22:53:08 darkside NetworkManager[10390]: selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 22 22:53:08 darkside NetworkManager[10390]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 22 22:53:08 darkside NetworkManager[10390]: sending packet: from 192.168.0.13[500] to <ip_replaced>[500] (244 bytes)
Jul 22 22:53:08 darkside NetworkManager[10390]: received packet: from <ip_replaced>[500] to 192.168.0.13[500] (244 bytes)
Jul 22 22:53:08 darkside NetworkManager[10390]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jul 22 22:53:08 darkside NetworkManager[10390]: local host is behind NAT, sending keep alives
Jul 22 22:53:08 darkside NetworkManager[10390]: generating ID_PROT request 0 [ ID HASH ]
Jul 22 22:53:08 darkside NetworkManager[10390]: sending packet: from 192.168.0.13[4500] to <ip_replaced>[4500] (68 bytes)
Jul 22 22:53:08 darkside NetworkManager[10390]: received packet: from <ip_replaced>[4500] to 192.168.0.13[4500] (68 bytes)
Jul 22 22:53:08 darkside NetworkManager[10390]: parsed ID_PROT response 0 [ ID HASH ]
Jul 22 22:53:08 darkside NetworkManager[10390]: IKE_SA 5bef9673-1244-4646-aba9-381bd613643b[1] established between 192.168.0.13[192.168.0.13]...<ip_replaced>[<ip_replaced>]
Jul 22 22:53:08 darkside NetworkManager[10390]: scheduling reauthentication in 9966s
Jul 22 22:53:08 darkside NetworkManager[10390]: maximum IKE_SA lifetime 10506s
Jul 22 22:53:08 darkside NetworkManager[10390]: generating QUICK_MODE request 680526569 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Jul 22 22:53:08 darkside NetworkManager[10390]: sending packet: from 192.168.0.13[4500] to <ip_replaced>[4500] (356 bytes)
Jul 22 22:53:08 darkside NetworkManager[10390]: received packet: from <ip_replaced>[4500] to 192.168.0.13[4500] (76 bytes)
Jul 22 22:53:08 darkside NetworkManager[10390]: parsed INFORMATIONAL_V1 request 3407603671 [ HASH N(NO_PROP) ]
Jul 22 22:53:08 darkside NetworkManager[10390]: received NO_PROPOSAL_CHOSEN error notify
Jul 22 22:53:08 darkside NetworkManager[10390]: establishing connection '5bef9673-1244-4646-aba9-381bd613643b' failed
Jul 22 22:53:08 darkside nm-l2tp-service[10335]: xl2tpd started with pid 10396
Jul 22 22:53:08 darkside NetworkManager[10396]: xl2tpd[10396]: Not looking for kernel SAref support.
Jul 22 22:53:08 darkside NetworkManager[10396]: xl2tpd[10396]: Using l2tp kernel support.
Jul 22 22:53:08 darkside NetworkManager[10396]: xl2tpd[10396]: xl2tpd version xl2tpd-1.3.16 started on darkside PID:10396
Jul 22 22:53:08 darkside NetworkManager[10396]: xl2tpd[10396]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Jul 22 22:53:08 darkside NetworkManager[10396]: xl2tpd[10396]: Forked by Scott Balmos and David Stipp, (C) 2001
Jul 22 22:53:08 darkside NetworkManager[10396]: xl2tpd[10396]: Inherited by Jeff McAdams, (C) 2002
Jul 22 22:53:08 darkside NetworkManager[10396]: xl2tpd[10396]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
Jul 22 22:53:08 darkside NetworkManager[10396]: xl2tpd[10396]: Listening on IP address 0.0.0.0, port 1701
Jul 22 22:53:08 darkside NetworkManager[10396]: xl2tpd[10396]: Connecting to host <ip_replaced>, port 1701
Jul 22 22:53:22 darkside NetworkManager[10396]: xl2tpd[10396]: death_handler: Fatal signal 15 received
Jul 22 22:53:22 darkside NetworkManager[10396]: xl2tpd[10396]: Connection 0 closed to <ip_replaced>, port 1701 (Server closing)
Jul 22 22:53:22 darkside NetworkManager[931]: <warn>  [1658541202.9119] vpn[0x557c8275c700,5bef9673-1244-4646-aba9-381bd613643b,"My VPN"]: dbus: failure: connect-failed (1)
Jul 22 22:53:22 darkside NetworkManager[931]: <warn>  [1658541202.9120] vpn[0x557c8275c700,5bef9673-1244-4646-aba9-381bd613643b,"My VPN"]: dbus: failure: connect-failed (1)
Jul 22 22:53:22 darkside NetworkManager[10400]: Stopping strongSwan IPsec...
Jul 22 22:53:22 darkside charon: 00[DMN] SIGINT received, shutting down
Jul 22 22:53:22 darkside charon: 00[IKE] deleting IKE_SA 5bef9673-1244-4646-aba9-381bd613643b[1] between 192.168.0.13[192.168.0.13]...<ip_replaced>[<ip_replaced>]
Jul 22 22:53:22 darkside charon: 00[IKE] sending DELETE for IKE_SA 5bef9673-1244-4646-aba9-381bd613643b[1]
Jul 22 22:53:22 darkside charon: 00[ENC] generating INFORMATIONAL_V1 request 382468415 [ HASH D ]
Jul 22 22:53:22 darkside charon: 00[NET] sending packet: from 192.168.0.13[4500] to <ip_replaced>[4500] (84 bytes)
Jul 22 22:53:23 darkside nm-l2tp-service[10335]: ipsec shut down

PhilipDAth
Kind of a big deal

I don't know the answer.


My gut reaction (because this is what I would do as I prefer the path of least pain) is to suggest buying some Cisco AnyConnect licences and using that.  Linux is a first-class supported platform for AnyConnect, and is more likely to work.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance 


Otherwise - the below error is the key bit to focus on.  It means you are not accepting any of the security transforms presented by the Meraki MX.  The default security transforms presented are quite weak, but Meraki has to use those; otherwise, Windows won't connect.  I'm guessing Ubuntu 22 has disabled these weaker transform sets.


received NO_PROPOSAL_CHOSEN error notify


I'm not sure what the exact cipher presented to client VPN is by default.  My guess is:
AES128-CBC+SHA1+DH Group 2


In StrongSwan it is likely to be something like (untested):

ike=aes128-sha1-modp1024

esp=aes128-sha1-modp1024


If you don't have Windows users, you can ask Meraki support to change this to (for client VPN):

AES128-CBC+SHA1+DH Group 14

Which is more likely to work.
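Added example (not part of the thread and not strongSwan or Meraki code): a small Python script that walks charon log lines like the ones posted above and records how far the IKEv1 exchange got before the NO_PROPOSAL_CHOSEN notify arrived. In the posted log the Main Mode IKE_SA is established and the notify follows the QUICK_MODE request, so the script reports that the Phase 2 (esp=) algorithms are the ones to compare against the MX, and it flags the legacy algorithms in the negotiated Phase 1 proposal (3DES_CBC, MODP_1024). The sample log is an excerpt of the thread's own log; the second, phase-1-failure sample and the WEAK_ALGS list are constructed for the example.

```python
# Added example: classify a strongSwan charon IKEv1 log excerpt by the phase
# in which NO_PROPOSAL_CHOSEN arrived, and flag weak negotiated algorithms.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Algorithms a defender would flag in a selected proposal (legacy ciphers,
# legacy hashes and small DH groups). Constructed list for this example.
WEAK_ALGS = {"DES_CBC", "3DES_CBC", "MD5", "HMAC_MD5_96", "MODP_768", "MODP_1024"}

# charon prints the agreed Phase 1 proposal as "selected proposal: IKE:<algs>"
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(\S+)")

# Excerpt of the log posted in the thread (IP already redacted there).
SAMPLE_LOG = """\
Jul 22 22:53:08 darkside charon: 12[IKE] initiating Main Mode IKE_SA 5bef9673-1244-4646-aba9-381bd613643b[1] to <ip_replaced>
Jul 22 22:53:08 darkside charon: 11[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 22 22:53:08 darkside charon: 14[IKE] IKE_SA 5bef9673-1244-4646-aba9-381bd613643b[1] established between 192.168.0.13[192.168.0.13]...<ip_replaced>[<ip_replaced>]
Jul 22 22:53:08 darkside charon: 14[ENC] generating QUICK_MODE request 680526569 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
Jul 22 22:53:08 darkside charon: 01[ENC] parsed INFORMATIONAL_V1 request 3407603671 [ HASH N(NO_PROP) ]
Jul 22 22:53:08 darkside charon: 01[IKE] received NO_PROPOSAL_CHOSEN error notify
"""

# Constructed sample showing the other branch: the notify arrives before any
# IKE_SA is established, i.e. the Phase 1 proposal itself was rejected.
PHASE1_FAIL_LOG = """\
Jul 22 22:53:08 darkside charon: 12[IKE] initiating Main Mode IKE_SA 5bef9673-1244-4646-aba9-381bd613643b[1] to <ip_replaced>
Jul 22 22:53:08 darkside charon: 11[IKE] received NO_PROPOSAL_CHOSEN error notify
"""


@dataclass
class IkeDiagnosis:
    phase1_proposal: Optional[str] = None    # e.g. 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    phase1_established: bool = False         # "IKE_SA ... established between" seen
    quick_mode_sent: bool = False            # "generating QUICK_MODE request" seen
    no_proposal_phase: Optional[str] = None  # "phase1", "phase2" or None
    weak_algorithms: List[str] = field(default_factory=list)


def diagnose(lines):
    """Walk charon log lines in order and record how far IKEv1 got."""
    d = IkeDiagnosis()
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            d.phase1_proposal = m.group(1)
            d.weak_algorithms = sorted(a for a in set(m.group(1).split("/")) if a in WEAK_ALGS)
        elif "IKE_SA" in line and "established between" in line:
            d.phase1_established = True
        elif "generating QUICK_MODE request" in line:
            d.quick_mode_sent = True
        elif "NO_PROPOSAL_CHOSEN" in line and d.no_proposal_phase is None:
            # After the IKE_SA is up, the notify rejects the Quick Mode (ESP)
            # proposal; before that it rejects the Main Mode (IKE) proposal.
            d.no_proposal_phase = "phase2" if d.phase1_established else "phase1"
    return d


def explain(d):
    """Map the diagnosis to the strongSwan setting that needs attention."""
    if d.no_proposal_phase == "phase2":
        msg = ("Phase 1 succeeded; the peer rejected the Quick Mode (ESP) proposal, "
               "so the esp= / Phase 2 algorithms are what must match the MX.")
    elif d.no_proposal_phase == "phase1":
        msg = ("The peer rejected the Main Mode (IKE) proposal, "
               "so the ike= / Phase 1 algorithms are what must match the MX.")
    else:
        msg = "No NO_PROPOSAL_CHOSEN notify found in this excerpt."
    if d.weak_algorithms:
        msg += " Weak algorithms in the negotiated IKE proposal: " + ", ".join(d.weak_algorithms) + "."
    return msg


if __name__ == "__main__":
    for name, log in (("thread log", SAMPLE_LOG), ("constructed phase-1 failure", PHASE1_FAIL_LOG)):
        print(f"[{name}] {explain(diagnose(log.splitlines()))}")
```

To run it against a live attempt, pipe the NetworkManager/charon lines from `journalctl` into `diagnose()` instead of the embedded sample; the classification only depends on the order of the "established between", "QUICK_MODE" and "NO_PROPOSAL_CHOSEN" lines, so the duplicated NetworkManager[...] copies of the charon messages in the posted log do not change the result.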
