[Swan] Issue with networkmanager and l2tp

Douglas Kosovic doug at uq.edu.au
Sat Oct 24 06:50:45 UTC 2020


Hi Brian,

It is not clear from that short log snippet which ipsec command is causing an issue with whack.

Can you confirm you are able to start or restart the pluto IPsec daemon on Gentoo with:

   sudo ipsec start

or

  sudo ipsec restart

then confirm it is running with:

  sudo ipsec status


If status thinks it is running, you can try bringing up the NetworkManager-l2tp IPsec connection with:

  sudo ipsec auto \
  --config /run/nm-l2tp-9a088450-2a7b-4012-befe-facf564c77e0/ipsec.conf --verbose \
  --add 9a088450-2a7b-4012-befe-facf564c77e0

  sudo ipsec auto --up 9a088450-2a7b-4012-befe-facf564c77e0


(note it is okay to copy and paste the backslash line continuation in the above)


If you don't have /run/nm-l2tp-9a088450-2a7b-4012-befe-facf564c77e0/, issue the following:

  sudo killall -TERM nm-l2tp-service
  sudo /usr/libexec/nm-l2tp-service --debug

then try to establish the connection in the GUI. I'm just guessing nm-l2tp-service is located in /usr/libexec/ on Gentoo.



Cheers,
Doug
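
Doug's checklist above, turned into a small post-upgrade diagnostic. This is an added example, not code from this thread or from the libreswan project. It reads the "bad magic" line that pluto logged in Brian's journal output (a constructed copy of those lines is embedded as SAMPLE_LOG) and, on a live host, looks for a pluto process whose executable was replaced on disk after it started, which is one way an old daemon ends up answering a new whack after a package upgrade. The function names whack_magic_mismatch and stale_daemon_pids are my own; the script assumes Linux (/proc), POSIX sh, sed and readlink.

```shell
#!/bin/sh
# Post-upgrade libreswan check: is the running pluto the same version as the
# installed userland tools?  Added example, not from the thread or libreswan.
# Assumes Linux (/proc), POSIX sh, sed, readlink.

# Constructed sample modelled on the journal lines Brian posted.
SAMPLE_LOG=$(cat <<'EOF'
Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5068] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 28727
Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
Oct 23 20:19:51 threads NetworkManager[4579]: <warn>  [1603509591.5840] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Could not restart the ipsec service.'
EOF
)

# whack_magic_mismatch "$logtext"
# Pluto rejects whack requests whose protocol "magic" differs from its own,
# which happens when whack/addconn come from a different libreswan build than
# the daemon.  Prints "<pluto pid> <magic whack sent> <magic pluto expects>"
# for the first such line and returns 0; prints nothing and returns 1 if the
# log has none.
whack_magic_mismatch() {
    printf '%s\n' "$1" | sed -n \
      's/.*pluto\[\([0-9][0-9]*\)]: ignoring message from whack with bad magic \([0-9][0-9]*\); should be \([0-9][0-9]*\);.*/\1 \2 \3/p' \
      | head -n 1 | grep .
}

# stale_daemon_pids <process-name>
# Lists "<pid> <exe>" for every running process called <process-name> whose
# executable has been replaced or removed on disk since it started; the kernel
# reports such a link as "/path/to/exe (deleted)".  That is exactly what a
# package upgrade leaves behind when the daemon is not restarted: the process
# keeps executing the pre-upgrade code.  Returns 0 if any were found, else 1.
# Reading /proc/<pid>/exe of a root-owned daemon such as pluto needs root.
stale_daemon_pids() {
    name=$1
    found=1
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            */"$name (deleted)")
                pid=${exe#/proc/}
                printf '%s %s\n' "${pid%/exe}" "$target"
                found=0
                ;;
        esac
    done
    return $found
}

# Stand-alone run: inspect the sample log, then the live system.
if mismatch=$(whack_magic_mismatch "$SAMPLE_LOG"); then
    echo "whack/pluto version mismatch (pluto pid, magic sent, magic expected): $mismatch"
    echo "-> userland tools and the running daemon differ; restart pluto with 'ipsec restart'"
fi
if stale=$(stale_daemon_pids pluto); then
    echo "pluto is running from a replaced binary and must be restarted:"
    echo "$stale"
else
    echo "no pluto process running from a replaced binary (or none running / not permitted to inspect)"
fi
```

Run it as root after any libreswan package update. A pluto that survived the upgrade is still executing the old code, so whatever the new package fixed (security fixes included) is not in effect until the daemon is restarted; the NetworkManager-l2tp failure is just the visible symptom of that gap.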


From: Brian McKee <raydude at gmail.com>
Sent: Saturday, 24 October 2020 1:26 PM
To: Paul Wouters <paul at nohats.ca>
Cc: Douglas Kosovic <doug at uq.edu.au>; swan at lists.libreswan.org
Subject: Re: [Swan] Issue with networkmanager and l2tp

Hi Paul and Doug,

So I got libreswan 4.1 to install with the new folder by modifying the ebuild, but I'm still having problems. Here is the output of NetworkManager:

Oct 23 20:19:40 threads NetworkManager[4579]: <info>  [1603509580.7688] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5025] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5068] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 28727
Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5115] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 23 20:19:43 threads NetworkManager[4579]: <info>  [1603509583.2001] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No such file or directory
Oct 23 20:19:51 threads NetworkManager[4579]: <warn>  [1603509591.5840] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Could not restart the ipsec service.'
Oct 23 20:19:51 threads NetworkManager[4579]: <info>  [1603509591.5851] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 23 20:19:51 threads NetworkManager[4579]: <info>  [1603509591.5875] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared

I'm guessing I'm having ipsec issues...

Can you give me a shove in the right direction?

On Fri, Oct 23, 2020 at 10:47 AM Paul Wouters <paul at nohats.ca<mailto:paul at nohats.ca>> wrote:
On Fri, 23 Oct 2020, Brian McKee wrote:

> Thanks Doug! I'll open a ticket with the Gentoo devs!

They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at the same
location if they prefer that.

Note that libreswan-4.x also no longer builds support for DH2, and some
NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
be running into that. That required a fix to NM-libreswan in fedora at
least.

Paul

> On Fri, Oct 23, 2020 at 5:04 AM Douglas Kosovic <doug at uq.edu.au> wrote:
>
>       Hi Brian,
>
>       With Libreswan >= 4.0, the default NSS database files (*.db) have moved from /etc/ipsec.d to
>       /var/lib/ipsec/nss
>
>       Try the following Libreswan command to see if you get an error:
>
>           $ sudo ipsec initnss
>          ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied
>
>       pkg_postinst() in the Gentoo ebuild is still using /etc/ipsec.d for the NSS database files:
>
>          https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild
>
>       You could fix the aforementioned pkg_postinst(), or issue the following as a workaround:
>
>           sudo mkdir -p /var/lib/ipsec/nss
>           sudo chmod 700 /var/lib/ipsec/nss
>
>       then try sudo ipsec initnss again.
>
>       If you are using SELinux or AppArmor, a new rule might be required for /var/lib/ipsec/nss
>
>       Cheers,
>       Doug
>
>       From: Swan <swan-bounces at lists.libreswan.org> On Behalf Of Brian McKee
>       Sent: Friday, 23 October 2020 6:06 PM
>       To: swan at lists.libreswan.org
>       Subject: [Swan] Issue with networkmanager and l2tp
>
>       Hello everyone,
>
> I'm a Gentoo Linux user. My work uses a Linux-based VPN server (CentOS 7) that is probably pretty out of date.
> It uses the L2TP protocol.
>
> My Gentoo box is running NetworkManager 1.26.0 and until a recent update I was running libreswan-3.32-r1 which
> contains a patch to fix an NSS version issue. libreswan-3.32 without the patch fails to connect to my work
> because of the NSS issue.
>
> NetworkManager requires libreswan for L2TP protocol connections.
>
> In the latest update of my machine libreswan 4.1 installed and I could no longer connect to work. There were
> absolutely no useful messages from NetworkManager. This is what I got in /var/log/messages:
>
> Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4884] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
> Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4920] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 10712
> Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4984] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
> Oct 22 21:30:17 threads NetworkManager[4579]: <info>  [1603427417.1234] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
> Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7335] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
> Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7361] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
> Oct 22 21:30:27 threads NetworkManager[4579]: <warn>  [1603427427.7372] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
>
> I figure I have a configuration issue, except that it works fine with the old version of libreswan.
>
> I'm hoping you guys have some idea what I'm talking about. I can email you any information on my machine and I
> can probably get the configuration for the (openvpn, I think) VPN server.
>
> I know that me using the old version of libreswan is eventually going to become a problem so I'd like to
> proactively figure out what's wrong and fix my system so my work flow isn't interrupted.
>
> I don't hand edit the config files, I let KDE configure NetworkManager, so I figure there is something I need
> to change in that configuration.
>
> Anyway, thanks for reading and thanks in advance for any help you can offer.