[Swan] Issue with networkmanager and l2tp

Brian McKee raydude at gmail.com
Fri Oct 23 16:52:55 UTC 2020


Thanks Doug!
I'll open a ticket with the Gentoo devs!

On Fri, Oct 23, 2020 at 5:04 AM Douglas Kosovic <doug at uq.edu.au> wrote:

> Hi Brian,
>
>
>
> With Libreswan >= 4.0, the default NSS database files (*.db) have moved
> from /etc/ipsec.d to /var/lib/ipsec/nss
>
>
>
> Try the following Libreswan command to see if you get an error :
>
>
>
>     $ sudo ipsec initnss
>
>     ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied
>
>
>
> pkg_postinst() in the Gentoo ebuild is still using /etc/ipsec.d for the
> NSS database files:
>
>
> https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild
>
>
>
>
>
> You could fix the aforementioned pkg_postinst(), or issue the following
> as a workaround:
>
>
>
>     sudo mkdir -p /var/lib/ipsec/nss
>
>     sudo chmod 700 /var/lib/ipsec/nss
>
>
>
> Then try sudo ipsec initnss again.
>
>
>
> If you are using SELinux or AppArmor, a new rule might be required for
> /var/lib/ipsec/nss
>
>
>
>
>
> Cheers,
>
> Doug
>
>
>
> *From:* Swan <swan-bounces at lists.libreswan.org> *On Behalf Of *Brian McKee
> *Sent:* Friday, 23 October 2020 6:06 PM
> *To:* swan at lists.libreswan.org
> *Subject:* [Swan] Issue with networkmanager and l2tp
>
>
>
> Hello everyone,
>
>
>
> I'm a Gentoo Linux user. My work uses a Linux-based VPN server (CentOS 7)
> that is probably pretty out of date. It uses l2tp protocol.
>
>
>
> My Gentoo box is running Networkmanager 1.26.0 and until a recent update I
> was running libreswan-3.32-r1 which contains a patch to fix an NSS version
> issue. libreswan-3.32 without the patch fails to connect to my work because
> of the NSS issue.
>
>
>
> Networkmanager requires libreswan for l2tp protocol connections.
>
>
>
> In the latest update of my machine libreswan 4.1 installed and I could no
> longer connect to work. There were absolutely no useful messages from
> Networkmanager. This is what I got in /var/log/messages:
>
>
>
> Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4884] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
> Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4920] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 10712
> Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4984] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
> Oct 22 21:30:17 threads NetworkManager[4579]: <info>  [1603427417.1234] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
> Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7335] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
> Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7361] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
> Oct 22 21:30:27 threads NetworkManager[4579]: <warn>  [1603427427.7372] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
>
> I figure I have a configuration issue, except that it works fine with the
> old version of libreswan.
>
>
>
> I'm hoping you guys have some idea what I'm talking about. I can email you
> any information on my machine and I can probably get the configuration for
> the (openvpn, I think) VPN server.
>
>
>
> I know that me using the old version of libreswan is eventually going to
> become a problem so I'd like to proactively figure out what's wrong and fix
> my system so my workflow isn't interrupted.
>
>
>
> I don't hand edit the config files, I let KDE configure network manager,
> so I figure there is something I need to change in that configuration.
>
>
>
> Anyway, thanks for reading and thanks in advance for any help you can
> offer.
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>


-- 
-- Consciousness moves everything.
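
The following is an added example, not part of the original thread and not Libreswan or Gentoo code: a small shell check that reports which of the states described in the quoted reply a host is in (new NSS directory missing, wrong permissions, or not yet initialised). The two paths are the ones named in the thread; the function names, status words and the `--check` argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the Libreswan NSS database directory from the thread.
# Function names and status words are hypothetical, chosen for this example.

NEW_NSS_DIR="${NEW_NSS_DIR:-/var/lib/ipsec/nss}"   # default for Libreswan >= 4.0
OLD_NSS_DIR="${OLD_NSS_DIR:-/etc/ipsec.d}"         # default before 4.0

# has_nss_db DIR: succeed if DIR holds an NSS cert database
# (cert9.db = SQLite format, cert8.db = legacy DBM format).
has_nss_db() {
    [ -f "$1/cert9.db" ] || [ -f "$1/cert8.db" ]
}

# dir_mode DIR: print octal permission bits (GNU stat, then BSD stat).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# nss_dir_status NEW OLD: print one status word; return 0 only when NEW
# exists, is mode 700 and already contains a database.
nss_dir_status() {
    new=$1
    old=$2
    if [ ! -d "$new" ]; then
        # The situation in the thread: package upgraded, directory never created.
        if has_nss_db "$old"; then
            echo "missing-legacy-db-present"
        else
            echo "missing"
        fi
        return 1
    fi
    mode=$(dir_mode "$new")
    if [ "$mode" != "700" ]; then
        echo "bad-mode-$mode"          # workaround in the thread uses chmod 700
        return 1
    fi
    if has_nss_db "$new"; then
        echo "ok"
    else
        echo "empty-run-initnss"       # directory ready, ipsec initnss not run yet
        return 1
    fi
}

# Run against the real paths only when asked to, e.g.: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    nss_dir_status "$NEW_NSS_DIR" "$OLD_NSS_DIR"
fi
```

A result of `missing-legacy-db-present` means an older database still sits in /etc/ipsec.d while the directory the new default points at was never created.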