IPSec strongswan "established successfully", but no ppp0

I'm trying to connect an Ubuntu Server 16.04 to an IPSec L2TP VPN using the strongswan client.

Aparently the connection is established successfully, but the interface ppp0 isn't created.

This is the result of sudo ipsec up myconnection:

initiating Main Mode IKE_SA myconnection[2] to 116.38.129.101
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.0.104[500] to 116.38.129.101[500] (212 bytes)
received packet: from 116.38.129.101[500] to 192.168.0.104[500] (132 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.104[500] to 116.38.129.101[500] (244 bytes)
received packet: from 116.38.129.101[500] to 192.168.0.104[500] (236 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.0.104[4500] to 116.38.129.101[4500] (100 bytes)
received packet: from 116.38.129.101[4500] to 192.168.0.104[4500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA myconnection[2] established between 192.168.0.104[192.168.0.104]...116.38.129.101[116.38.129.101]
scheduling reauthentication in 10033s
maximum IKE_SA lifetime 10573s
generating QUICK_MODE request 1590491286 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.0.104[4500] to 116.38.129.101[4500] (220 bytes)
received packet: from 116.38.129.101[4500] to 192.168.0.104[4500] (188 bytes)
parsed QUICK_MODE response 1590491286 [ HASH SA No ID ID NAT-OA NAT-OA ]
connection 'myconnection' established successfully

Any hint?.


First of all check with uname -a your Linux kernel version and, if you have the 4.14, I have bad news for you: you have a bugged kernel. The 4.13 seems good, and also the 4.15, but not the 4.14. See this answer in a libreswan bug report.

Anyway you can also try Network Manager. Install the network-manager-l2tp package.

Here an example of a valid NetworkManager VPN file that you can save in /etc/NetworkManager/system-connections/MY_DAMN_VPN:

[connection]
id=MY_DAMN_VPN
uuid=very-random-stuff
type=vpn

[vpn]
gateway=IP_OF_MY_DAMN_VPN
ipsec-enabled=yes
ipsec-esp=aes256-sha1,aes128-sha1,3des-sha1!
ipsec-ike=aes256-sha1-ecp384,aes128-sha1-ecp256,3des-sha1-modp1536!
ipsec-psk=MY_SUPER_SECRET_SHARED_PASSWORD
password-flags=0
user=local-vpn
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
password=MY_SUPER_SECRET_PASSWORD

[ipv4]
dns-search=
method=auto
never-default=true

Then restart Network Manager and activate the VPN:

systemctl restart NetworkManager
nmcli connection up MY_DAMN_VPN

This stuff was tested in Debian GNU/Linux buster with a damn Microsoft Windows VPN server.

Good luck!

P.S.

Do not try to use OpenVPN to talk with a proprietary VPN server: OpenVPN is based on TLS technology (because it has security in mind). L2TP/IPsec seems to be not. [1]

[1]: https://en.wikipedia.org/wiki/IPsec From Wikipedia you can further read about the NSA interference in IPsec, thanks to some sources about it.