[Swan] Issue with networkmanager and l2tp

Douglas Kosovic doug at uq.edu.au
Fri Oct 23 12:00:44 UTC 2020


Hi Brian,


With Libreswan >= 4.0, the default NSS database files (*.db) have moved from /etc/ipsec.d to /var/lib/ipsec/nss



Try the following Libreswan command to see if you get an error:

    $ sudo ipsec initnss
    ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied

pkg_postinst() in the Gentoo ebuild is still using /etc/ipsec.d for the NSS database files:
   https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild

You could fix the aforementioned pkg_postinst(), or issue the following as a workaround:

    sudo mkdir -p /var/lib/ipsec/nss
    sudo chmod 700 /var/lib/ipsec/nss

then try sudo ipsec initnss again.

If you are using SELinux or AppArmor, a new rule might be required for /var/lib/ipsec/nss


Cheers,
Doug
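The check and workaround Doug describes above, written out as a small POSIX shell script. This is an added example, not code from Doug's message, from Libreswan or from the Gentoo ebuild. It assumes the two directory paths named in the thread (/var/lib/ipsec/nss for Libreswan 4.x, /etc/ipsec.d for 3.x), that the initialised database is the sqlite-format pair cert9.db and key4.db (the thread only says *.db), and that mode 700 is the intended permission, as in the mkdir/chmod workaround:

```shell
#!/bin/sh
# Added example: diagnose the Libreswan NSS database directory after the
# 3.x -> 4.x move described in the thread. Not part of Libreswan itself.

# nss_dir_status DIR
# Prints one word describing DIR and returns a matching status:
#   missing         (1) directory does not exist -> ipsec initnss will fail
#   too-permissive  (2) group/other bits set; keys should be root-only (700)
#   uninitialised   (3) directory exists but ipsec initnss has not run yet
#   ok              (0) directory and database files present
nss_dir_status() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "missing"
        return 1
    fi
    # Columns 5-10 of "ls -ld" are the group/other permission bits,
    # e.g. "drwx------" -> "------"; anything else is too permissive.
    go_bits=$(ls -ld "$dir" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "too-permissive"
        return 2
    fi
    # Assumed file names for the sqlite-format NSS database (cert9.db/key4.db).
    for f in cert9.db key4.db; do
        if [ ! -f "$dir/$f" ]; then
            echo "uninitialised"
            return 3
        fi
    done
    echo "ok"
    return 0
}

# prepare_nss_dir DIR
# The workaround from the thread: create DIR and restrict it to the owner,
# so that "ipsec initnss" (run separately, as root) can populate it.
prepare_nss_dir() {
    mkdir -p "$1" && chmod 700 "$1"
}

# Stand-alone use: report on the paths given, defaulting to the 4.x and 3.x
# locations so a mismatch between them is visible at a glance.
if [ $# -eq 0 ]; then
    set -- /var/lib/ipsec/nss /etc/ipsec.d
fi
for d in "$@"; do
    printf '%s: %s\n' "$d" "$(nss_dir_status "$d")"
done
```

Run it without arguments to compare both locations; a result of "uninitialised" or "ok" for /etc/ipsec.d next to "missing" for /var/lib/ipsec/nss is the situation from the thread. The permission check is deliberately strict because the directory holds the private keys Libreswan uses for IKE.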

From: Swan <swan-bounces at lists.libreswan.org> On Behalf Of Brian McKee
Sent: Friday, 23 October 2020 6:06 PM
To: swan at lists.libreswan.org
Subject: [Swan] Issue with networkmanager and l2tp

Hello everyone,

I'm a Gentoo Linux user. My work uses a Linux based VPN server (CentOS 7) that is probably pretty out of date. It uses the L2TP protocol.

My Gentoo box is running Networkmanager 1.26.0 and until a recent update I was running libreswan-3.32-r1 which contains a patch to fix an NSS version issue. libreswan-3.32 without the patch fails to connect to my work because of the NSS issue.

Networkmanager requires libreswan for l2tp protocol connections.

In the latest update of my machine libreswan 4.1 installed and I could no longer connect to work. There were absolutely no useful messages from NetworkManager. This is what I got in /var/log/messages:

Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4884] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4920] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 10712
Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4984] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 22 21:30:17 threads NetworkManager[4579]: <info>  [1603427417.1234] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7335] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7361] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
Oct 22 21:30:27 threads NetworkManager[4579]: <warn>  [1603427427.7372] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

I figure I have a configuration issue, except that it works fine with the old version of libreswan.

I'm hoping you guys have some idea what I'm talking about. I can email you any information on my machine and I can probably get the configuration for the (openvpn, I think) VPN server.

I know that me using the old version of libreswan is eventually going to become a problem, so I'd like to proactively figure out what's wrong and fix my system so my workflow isn't interrupted.

I don't hand edit the config files, I let KDE configure network manager, so I figure there is something I need to change in that configuration.

Anyway, thanks for reading and thanks in advance for any help you can offer.