I have to connect to a private network using FortiClient (IPsec + 2FA). However, the Linux client doesn't support IPsec.
There is some information online that it could be achieved using NetworkManager & strongSwan.
So far what I have:
networking.networkmanager = {
  enable = true;
  enableStrongSwan = true;
};
services.xl2tpd.enable = true;
services.strongswan.enable = true;
services.strongswan.secrets = [
  "ipsec.d/ipsec.nm-l2tp.secrets"
];
Using NetworkManager I configure the VPN as an L2TP connection. When trying to connect to the VPN, the connection starts but it times out. I am not sure when or where I am supposed to enter the 2FA PIN.
Here is the log:
nm-l2tp-service[4638]: Check port 1701
nm-l2tp-service[4638]: Can't bind to port 1701
NetworkManager[4667]: Stopping strongSwan IPsec...
NetworkManager[4664]: Starting strongSwan 5.9.5 IPsec [starter]...
NetworkManager[4664]: Loading config setup
NetworkManager[4664]: Loading conn 'edb6b807-e2a2-443d-bbfd-43793897b1f6'
ipsec_starter[4664]: Starting strongSwan 5.9.5 IPsec [starter]...
ipsec_starter[4664]: Loading config setup
ipsec_starter[4664]: Loading conn 'edb6b807-e2a2-443d-bbfd-43793897b1f6'
ipsec_starter[4675]: Attempting to start charon...
charon[4676]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.54, x86_64)
charon[4676]: 00[CFG] PKCS11 module '<name>' lacks library path
charon[4676]: 00[CFG] dnscert plugin is disabled
charon[4676]: 00[NET] using forecast interface enp45s0
charon[4676]: 00[CFG] joining forecast multicast groups: x.x.x.1,x.x.x.22,x.x.x.251,x.x.x.252,x.x.x.250
charon[4676]: 00[CFG] loading ca certificates from '/nix/store/akhq9f3ymzl0sbi2di15bqzx09jknlr9-strongswan-5.9.5/etc/ipsec.d/cacerts'
charon[4676]: 00[CFG] loading aa certificates from '/nix/store/akhq9f3ymzl0sbi2di15bqzx09jknlr9-strongswan-5.9.5/etc/ipsec.d/aacerts'
charon[4676]: 00[CFG] loading ocsp signer certificates from '/nix/store/akhq9f3ymzl0sbi2di15bqzx09jknlr9-strongswan-5.9.5/etc/ipsec.d/ocspcerts'
charon[4676]: 00[CFG] loading attribute certificates from '/nix/store/akhq9f3ymzl0sbi2di15bqzx09jknlr9-strongswan-5.9.5/etc/ipsec.d/acerts'
charon[4676]: 00[CFG] loading crls from '/nix/store/akhq9f3ymzl0sbi2di15bqzx09jknlr9-strongswan-5.9.5/etc/ipsec.d/crls'
charon[4676]: 00[CFG] loading secrets from '/nix/store/akhq9f3ymzl0sbi2di15bqzx09jknlr9-strongswan-5.9.5/etc/ipsec.secrets'
charon[4676]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon[4676]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
charon[4676]: 00[CFG] loaded IKE secret for %any
charon[4676]: 00[CFG] opening triplet file /nix/store/akhq9f3ymzl0sbi2di15bqzx09jknlr9-strongswan-5.9.5/etc/ipsec.d/triplets.dat failed: No such file or direc>
charon[4676]: 00[CFG] loaded 0 RADIUS server configurations
charon[4676]: 00[CFG] no script for ext-auth script defined, disabled
charon[4676]: 00[LIB] loaded plugins: charon unbound pkcs11 aesni aes des rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey >
charon[4676]: 00[JOB] spawning 16 worker threads
ipsec_starter[4675]: charon (4676) started after 20 ms
charon[4676]: 06[CFG] received stroke: add connection 'edb6b807-e2a2-443d-bbfd-43793897b1f6'
charon[4676]: 06[CFG] added configuration 'edb6b807-e2a2-443d-bbfd-43793897b1f6'
charon[4676]: 10[CFG] rereading secrets
charon[4676]: 10[CFG] loading secrets from '/nix/store/akhq9f3ymzl0sbi2di15bqzx09jknlr9-strongswan-5.9.5/etc/ipsec.secrets'
charon[4676]: 10[CFG] loading secrets from '/etc/ipsec.secrets'
charon[4676]: 10[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
charon[4676]: 10[CFG] loaded IKE secret for %any
charon[4676]: 12[CFG] received stroke: initiate 'edb6b807-e2a2-443d-bbfd-43793897b1f6'
charon[4676]: 14[IKE] initiating Main Mode IKE_SA edb6b807-e2a2-443d-bbfd-43793897b1f6[1] to x.x.x.122
charon[4676]: 14[IKE] initiating Main Mode IKE_SA edb6b807-e2a2-443d-bbfd-43793897b1f6[1] to x.x.x.122
charon[4676]: 14[ENC] generating ID_PROT request 0 [ SA V V V V V ]
charon[4676]: 14[NET] sending packet: from x.x.x.x[500] to x.x.x.122[500] (532 bytes)
charon[4676]: 07[IKE] sending retransmit 1 of request message ID 0, seq 1
charon[4676]: 07[NET] sending packet: from x.x.x.115[500] to x.x.x.122[500] (532 bytes)
NetworkManager[1280]: <warn> [1658347497.4787] vpn[0x1fd6490,edb6b807-e2a2-443d-bbfd-43793897b1f6,"VPN"]: failed to connect: 'Timeout was reached'
NetworkManager[4718]: Stopping strongSwan IPsec...
charon[4676]: 00[DMN] SIGINT received, shutting down
charon[4676]: 00[IKE] destroying IKE_SA in state CONNECTING without notification
NetworkManager[4714]: initiating Main Mode IKE_SA edb6b807-e2a2-443d-bbfd-43793897b1f6[1] to 24.201.17.122
NetworkManager[4714]: generating ID_PROT request 0 [ SA V V V V V ]
NetworkManager[4714]: sending packet: from x.x.x.115[500] to x.x.x.x[500] (532 bytes)
NetworkManager[4714]: sending retransmit 1 of request message ID 0, seq 1
NetworkManager[4714]: sending packet: from x.x.x.115[500] to x.x.x.122[500] (532 bytes)
NetworkManager[4714]: destroying IKE_SA in state CONNECTING without notification
NetworkManager[4714]: establishing connection 'edb6b807-e2a2-443d-bbfd-43793897b1f6' failed
ipsec_starter[4675]: child 4676 (charon) has quit (exit code 0)
ipsec_starter[4675]:
ipsec_starter[4675]: charon stopped after 200 ms
ipsec_starter[4675]: ipsec starter stopped
nm-l2tp-service[4638]: Could not establish IPsec connection.
nm-l2tp-service[4638]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
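As an added example (not from the post or from nm-l2tp/strongSwan), a small Python triage helper that runs over journal lines like the ones above and names the two things they show: UDP 1701 already bound before the tunnel was attempted, and IKE phase 1 requests going out on UDP 500 with no reply ever received. SAMPLE_LOG is a constructed excerpt of the post's log; the hint strings are this example's own summaries, not daemon output.

```python
import re

# Constructed excerpt of the journal shown in the post (addresses kept redacted).
SAMPLE_LOG = """\
nm-l2tp-service[4638]: Check port 1701
nm-l2tp-service[4638]: Can't bind to port 1701
charon[4676]: 14[IKE] initiating Main Mode IKE_SA edb6b807[1] to x.x.x.122
charon[4676]: 14[ENC] generating ID_PROT request 0 [ SA V V V V V ]
charon[4676]: 14[NET] sending packet: from x.x.x.115[500] to x.x.x.122[500] (532 bytes)
charon[4676]: 07[IKE] sending retransmit 1 of request message ID 0, seq 1
charon[4676]: 07[NET] sending packet: from x.x.x.115[500] to x.x.x.122[500] (532 bytes)
NetworkManager[1280]: <warn> vpn[...]: failed to connect: 'Timeout was reached'
charon[4676]: 00[IKE] destroying IKE_SA in state CONNECTING without notification
nm-l2tp-service[4638]: Could not establish IPsec connection.
"""

# Hint text is this example's own summary, not strongSwan or nm-l2tp output.
HINTS = {
    "port_1701_busy": "UDP 1701 already bound; nm-l2tp starts its own xl2tpd, so a "
                      "system-wide L2TP daemon on the same port collides with it.",
    "ike_no_reply": "IKE requests left on UDP 500 but nothing came back: phase 1 never "
                    "completed, so no password/2FA prompt can appear yet. Check the "
                    "gateway address, UDP 500/4500 reachability and IKE version/mode.",
    "phase1_timeout": "NetworkManager timed out while the IKE_SA was still CONNECTING.",
}

def diagnose(log):
    """Classify an nm-l2tp/strongSwan connection log; returns codes, hints and IKE counters."""
    codes, mode = [], None
    sent = received = retransmits = 0
    for line in log.splitlines():
        if "Can't bind to port 1701" in line and "port_1701_busy" not in codes:
            codes.append("port_1701_busy")
        m = re.search(r"initiating (Main|Aggressive) Mode IKE_SA", line)
        if m:
            mode = "IKEv1 %s Mode" % m.group(1)
        if "sending packet: from" in line:
            sent += 1
        elif "received packet: from" in line:
            received += 1
        if "sending retransmit" in line:
            retransmits += 1
        if "destroying IKE_SA in state CONNECTING" in line:
            codes.append("phase1_timeout")
    if sent and not received:  # we transmitted IKE but the peer never answered
        codes.append("ike_no_reply")
    return {"codes": codes, "hints": [HINTS[c] for c in codes], "ike_mode": mode,
            "sent": sent, "received": received, "retransmits": retransmits}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Feed it `journalctl -u NetworkManager` output (or the nm-l2tp-service lines) to see which of the two problems is blocking you before looking for the 2FA prompt.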