[Swan] Issue with networkmanager and l2tp

Brian McKee raydude at gmail.com
Sat Oct 24 03:25:48 UTC 2020


Hi Paul and Doug,

So I got libreswan 4.1 to install with the new folder by modifying the
ebuild, but I'm still having problems. Here is the output of networkmanager:

Oct 23 20:19:40 threads NetworkManager[4579]: <info>  [1603509580.7688] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5025] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5068] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 28727
Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5115] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 23 20:19:43 threads NetworkManager[4579]: <info>  [1603509583.2001] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No such file or directory
Oct 23 20:19:51 threads NetworkManager[4579]: <warn>  [1603509591.5840] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Could not restart the ipsec service.'
Oct 23 20:19:51 threads NetworkManager[4579]: <info>  [1603509591.5851] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 23 20:19:51 threads NetworkManager[4579]: <info>  [1603509591.5875] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared

I'm guessing I'm having ipsec issues...

Can you give me a shove in the right direction?

On Fri, Oct 23, 2020 at 10:47 AM Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 23 Oct 2020, Brian McKee wrote:
>
> > Thanks Doug! I'll open a ticket with the Gentoo devs!
>
> They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at
> the same location if they prefer that.
>
> Note that libreswan-4.x also no longer builds support for DH2, and some
> NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
> be running into that. That required a fix to NM-libreswan in fedora at
> least.
>
> Paul
>
> > On Fri, Oct 23, 2020 at 5:04 AM Douglas Kosovic <doug at uq.edu.au> wrote:
> >
> >       Hi Brian,
> >
> >
> >
> >       With Libreswan >= 4.0, the default NSS database files (*.db) have moved from /etc/ipsec.d to
> >       /var/lib/ipsec/nss
> >
> >
> >
> >       Try the following Libreswan command to see if you get an error :
> >
> >
> >
> >           $ sudo ipsec initnss
> >
> >          ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied
> >
> >
> >
> >       pkg_postinst() in the Gentoo ebuild is still using /etc/ipsec.d for the NSS database files:
> >
> >
> https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild
> >
> >
> >
> >
> >
> >       You could fix the aforementioned pkg_postinst(), or issue the following as a workaround:
> >
> >
> >
> >           sudo mkdir -p /var/lib/ipsec/nss
> >
> >           sudo chmod 700 /var/lib/ipsec/nss
> >
> >
> >
> >       then try sudo ipsec initnss again.
> >
> >
> >
> >       If you are using SELinux or AppArmor, a new rule might be required for /var/lib/ipsec/nss
> >
> >
> >
> >
> >
> >       Cheers,
> >
> >       Doug
> >
> >
> >
> >       From: Swan <swan-bounces at lists.libreswan.org> On Behalf Of Brian McKee
> >       Sent: Friday, 23 October 2020 6:06 PM
> >       To: swan at lists.libreswan.org
> >       Subject: [Swan] Issue with networkmanager and l2tp
> >
> >
> >
> >       Hello everyone,
> >
> >
> >
> > I'm a Gentoo Linux user. My work uses a Linux-based VPN server (CentOS 7) that is probably pretty out of date.
> > It uses l2tp protocol.
> >
> >
> >
> > My Gentoo box is running NetworkManager 1.26.0 and until a recent update I was running libreswan-3.32-r1, which
> > contains a patch to fix an NSS version issue. libreswan-3.32 without the patch fails to connect to my work
> > because of the NSS issue.
> >
> >
> >
> > NetworkManager requires libreswan for l2tp protocol connections.
> >
> >
> >
> > In the latest update of my machine libreswan 4.1 installed and I could no longer connect to work. There were
> > absolutely no useful messages from NetworkManager. This is what I got in /var/log/messages:
> >
> >
> >
> > Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4884] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
> > Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4920] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 10712
> > Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4984] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
> > Oct 22 21:30:17 threads NetworkManager[4579]: <info>  [1603427417.1234] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
> > Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7335] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
> > Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7361] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
> > Oct 22 21:30:27 threads NetworkManager[4579]: <warn>  [1603427427.7372] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
> >
> > I figure I have a configuration issue, except that it works fine with the old version of libreswan.
> >
> >
> >
> > I'm hoping you guys have some idea what I'm talking about. I can email you any information on my machine and I
> > can probably get the configuration for the (openvpn, I think) VPN server.
> >
> >
> >
> > I know that me using the old version of libreswan is eventually going to become a problem so I'd like to
> > proactively figure out what's wrong and fix my system so my workflow isn't interrupted.
> >
> >
> >
> > I don't hand-edit the config files, I let KDE configure NetworkManager, so I figure there is something I need
> > to change in that configuration.
> >
> >
> >
> > Anyway, thanks for reading and thanks in advance for any help you can offer.
> >
> > _______________________________________________
> > Swan mailing list
> > Swan at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan
> >
> >
> >
> > --
> > -- Consciousness moves everything.
> >
> >
>


-- 
-- Consciousness moves everything.
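
Added example, not part of the original message and not libreswan's own code: a small shell triage for the two things this thread points at, the NSS database directory that moved in Libreswan 4.0 and the failure signatures in the log above. The function names are hypothetical; `cert9.db` and `key4.db` are the standard NSS SQL database file names, and `stat -c` assumes GNU coreutils.

```shell
# Added example (not from the thread). Paths and messages are those quoted above.

# check_nss_dir [DIR]: print a status word; return 0 only if the NSS db dir is usable.
check_nss_dir() {
    local dir mode
    dir=${1:-/var/lib/ipsec/nss}        # libreswan >= 4.0 default per the thread
    [ -d "$dir" ] || { echo missing; return 1; }
    mode=$(stat -c '%a' "$dir") || { echo unreadable; return 1; }
    # The workaround in the thread sets chmod 700 (no group/other access).
    [ "$mode" = 700 ] || { echo "bad-mode:$mode"; return 1; }
    # Presence check only: these are the files `ipsec initnss` is expected to create.
    if [ ! -f "$dir/cert9.db" ] || [ ! -f "$dir/key4.db" ]; then
        echo uninitialised; return 1
    fi
    echo ok
}

# triage_log: read syslog text on stdin, print one tag per failure signature seen.
triage_log() {
    awk '
        /pluto\[[0-9]+\]: ignoring message from whack with bad magic/ { mismatch = 1 }
        /rc-service: No such file or directory/                      { rc = 1 }
        /Could not restart the ipsec service/                        { restart = 1 }
        END {
            if (mismatch) print "whack-pluto-version-mismatch"
            if (rc)       print "rc-service-not-found"
            if (restart)  print "ipsec-restart-failed"
        }'
}

# Three log lines taken from the message above, with the e-mail line wrapping undone.
sample_log() {
    cat <<'EOF'
Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No such file or directory
Oct 23 20:19:51 threads NetworkManager[4579]: <warn>  [1603509591.5840] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Could not restart the ipsec service.'
EOF
}
```

After sourcing the block, `sample_log | triage_log` prints the three tags; on a live system, pipe `/var/log/messages` into `triage_log` and run `check_nss_dir` as root.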