[Swan] Issue with networkmanager and l2tp

Paul Wouters paul at nohats.ca
Fri Oct 23 17:47:18 UTC 2020


On Fri, 23 Oct 2020, Brian McKee wrote:

> Thanks Doug! I'll open a ticket with the gentoo devs!

They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at the same
location if they prefer that.

Note that libreswan-4.x also no longer builds support for DH2, and some
NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
be running into that. That required a fix to NM-libreswan in fedora at
least.

Paul

> On Fri, Oct 23, 2020 at 5:04 AM Douglas Kosovic <doug at uq.edu.au> wrote:
>
>       Hi Brian,
>
>       With Libreswan >= 4.0, the default NSS database files (*.db) have moved from /etc/ipsec.d to
>       /var/lib/ipsec/nss
>
>       Try the following Libreswan command to see if you get an error :
>
>           $ sudo ipsec initnss
>           ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied
>
>       pkg_postinst() in the gentoo ebuild is still using /etc/ipsec.d for the NSS database files :
>
>          https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild
>
>       you could fix the aforementioned pkg_postinst(), or issue the following as a workaround:
>
>           sudo mkdir -p /var/lib/ipsec/nss
>           sudo chmod 700 /var/lib/ipsec/nss
>
>       then try sudo ipsec initnss again.
>
>       If you are using SELinux or AppArmor, a new rule might be required for /var/lib/ipsec/nss
>
>       Cheers,
>
>       Doug
>
>       From: Swan <swan-bounces at lists.libreswan.org> On Behalf Of Brian McKee
>       Sent: Friday, 23 October 2020 6:06 PM
>       To: swan at lists.libreswan.org
>       Subject: [Swan] Issue with networkmanager and l2tp
>
>       Hello everyone,
>
> I'm a Gentoo linux user. My work uses a linux based VPN server (Centos 7) that is probably pretty out of date.
> It uses l2tp protocol.
>
> My Gentoo box is running Networkmanager 1.26.0 and until a recent update I was running libreswan-3.32-r1 which
> contains a patch to fix an NSS version issue. libreswan-3.32 without the patch fails to connect to my work
> because of the NSS issue.
>
> Networkmanager requires libreswan for l2tp protocol connections.
>
> In the latest update of my machine libreswan 4.1 installed and I could no longer connect to work. There were
> absolutely no useful messages from Networkmanager. This is what I got in /var/log/messages:
>
> Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4884] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
> Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4920] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 10712
> Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4984] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
> Oct 22 21:30:17 threads NetworkManager[4579]: <info>  [1603427417.1234] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
> Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7335] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
> Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7361] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
> Oct 22 21:30:27 threads NetworkManager[4579]: <warn>  [1603427427.7372] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
>
> I figure I have a configuration issue, except that it works fine with the old version of libreswan.
>
> I'm hoping you guys have some idea what I'm talking about. I can email you any information on my machine and I
> can probably get the configuration for the (openvpn, I think) VPN server.
>
> I know that me using the old version of libreswan is eventually going to become a problem so I'd like to
> proactively figure out what's wrong and fix my system so my work flow isn't interrupted.
>
> I don't hand edit the config files, I let KDE configure network manager, so I figure there is something I need
> to change in that configuration.
>
> Anyway, thanks for reading and thanks in advance for any help you can offer.
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
> 
> 
> 
> --
> -- Consciousness moves everything.
> 
>

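The directory check and workaround Doug describes above, and the alternative Paul mentions of building with FINALNSSDIR=/etc/ipsec.d, as an added shell example that is not part of this thread and not libreswan's own tooling. It takes the NSS directory as an argument so it serves either location, creates it with the mode 0700 from Doug's workaround, and only runs initnss when no database is present yet, so an existing database with imported certificates is not clobbered. Two assumptions are mine rather than from the thread: that libreswan 4.x writes the sql-format files cert9.db/key4.db (the older cert8.db/key3.db pair is checked as well), and that `ipsec initnss` accepts `--nssdir`.

```shell
#!/bin/sh
# Added example, not from the thread or from libreswan: prepare and
# initialise the NSS database directory used by libreswan >= 4.0.
#
# Usage: sh nss-prepare.sh [nssdir]
#   default nssdir is /var/lib/ipsec/nss (the 4.0 default from the thread);
#   pass /etc/ipsec.d for a build done with FINALNSSDIR=/etc/ipsec.d.

# Returns 0 only if the directory exists with mode 0700. pluto runs as root
# by default, so the directory must also be owned by root (not checked here).
nssdir_ok() {
    d="$1"
    [ -d "$d" ] || return 1
    # GNU stat first, BSD stat as a fallback (assumption: one of them exists)
    mode=$(stat -c '%a' "$d" 2>/dev/null || stat -f '%Lp' "$d" 2>/dev/null)
    [ "$mode" = "700" ]
}

# Doug's workaround: create the directory and restrict it to the owner.
# chmod is applied explicitly so the caller's umask cannot widen it.
prepare_nssdir() {
    d="$1"
    mkdir -p "$d" && chmod 700 "$d"
}

# Returns 0 if an NSS database already lives in the directory.
# Assumption: libreswan 4.x uses the sql: NSS format (cert9.db + key4.db);
# the dbm: pair (cert8.db + key3.db) from older setups is accepted too.
nss_db_present() {
    d="$1"
    { [ -f "$d/cert9.db" ] && [ -f "$d/key4.db" ]; } ||
    { [ -f "$d/cert8.db" ] && [ -f "$d/key3.db" ]; }
}

# Runs `ipsec initnss` only when no database exists, so re-running this
# helper after a successful first run never destroys imported certs/keys.
init_nss_if_missing() {
    d="$1"
    if nss_db_present "$d"; then
        echo "NSS database already present in $d, leaving it alone"
        return 0
    fi
    # Assumption: 4.x initnss accepts --nssdir to pick a non-default location.
    ipsec initnss --nssdir "$d"
}

# Full procedure from the thread: check, create if needed, then initnss.
prepare_and_init() {
    d="$1"
    if ! nssdir_ok "$d"; then
        echo "creating $d with mode 0700"
        prepare_nssdir "$d" || return 1
    fi
    init_nss_if_missing "$d"
}

# Only act when invoked with an explicit directory or run as a script with
# no arguments; sourcing the file for its functions does nothing.
if [ $# -gt 0 ]; then
    prepare_and_init "$1"
fi
```

Run it as root (`sudo sh nss-prepare.sh /var/lib/ipsec/nss`); after it completes, Doug's `sudo ipsec initnss` check should no longer report the missing-directory error. On an SELinux or AppArmor host the new path may still need a policy rule, as Doug notes; this helper does not touch labels or profiles.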
