[Swan] Issue with networkmanager and l2tp

Douglas Kosovic doug at uq.edu.au
Sun Oct 25 12:48:58 UTC 2020


Hi Brian,


So the following doesn't work

  sudo /sbin/ipsec restart

and I suspect:

  sudo /sbin/ipsec start

The Gentoo libreswan ebuild has both openrc and systemd; sorry, I have no idea how the Gentoo ebuild works with init scripts.

If you are using systemd, running the following might give a hint as to what needs to be done or is missing.

  sudo systemctl restart ipsec.service


With systemd, I think it needs the following file to exist, but not sure with gentoo:
  /lib/systemd/system/ipsec.service


Sorry I'm not familiar with openrc or if gentoo is using some openrc/systemd hybrid setup, but your rcscript suspicion seems plausible.



Cheers,
Doug

________________________________
From: Brian McKee <raydude at gmail.com>
Sent: Sunday, 25 October 2020 6:04 AM
To: Paul Wouters <paul at nohats.ca>
Cc: Douglas Kosovic <doug at uq.edu.au>; Swan at lists.libreswan.org <Swan at lists.libreswan.org>
Subject: Re: [Swan] Issue with networkmanager and l2tp

I have /sbin/ipsec.

I rebooted to get networkmanager to restart with the latest version of libreswan.

I'm still getting an error message:

Oct 24 12:58:23 threads NetworkManager[6097]: <info>  [1603569503.8941] audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
Oct 24 12:58:27 threads NetworkManager[6097]: <info>  [1603569507.6586] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10312 uid=1000 result="success"
Oct 24 12:58:27 threads NetworkManager[6097]: <info>  [1603569507.6708] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 11786
Oct 24 12:58:27 threads NetworkManager[6097]: <info>  [1603569507.6779] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 24 12:58:28 threads NetworkManager[6097]: <info>  [1603569508.6593] audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
Oct 24 12:58:32 threads /etc/init.d/NetworkManager[11800]: rc-service: service `ipsec' does not exist
Oct 24 12:58:32 threads NetworkManager[6097]: <warn>  [1603569512.8038] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Could not restart the ipsec service.'
Oct 24 12:58:32 threads NetworkManager[6097]: <info>  [1603569512.8063] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 24 12:58:32 threads NetworkManager[6097]: <info>  [1603569512.8081] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared

It's still looking for ipsec. I think it's looking for /etc/init.d/ipsecd or something like that based on the error message. Is an rcscript meant to be added by libreswan? So that something else is missing from the ebuild?

Again, I really appreciate your patience with me. Thanks so much.

On Sat, Oct 24, 2020 at 7:08 AM Paul Wouters <paul at nohats.ca> wrote:
pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 1869114159; Mismatched versions of userland tools.

Sent

It looks like either you have two installs (one in /usr and one in /usr/local) or your pluto
did not restart after installing a newer version?

Paul



On Oct 23, 2020, at 23:26, Brian McKee <raydude at gmail.com> wrote:


Hi Paul and Doug,

So I got libreswan 4.1 to install with the new folder by modifying the ebuild, but I'm still having problems. Here is the output of networkmanager:

Oct 23 20:19:40 threads NetworkManager[4579]: <info>  [1603509580.7688] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5025] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5068] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 28727
Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5115] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 23 20:19:43 threads NetworkManager[4579]: <info>  [1603509583.2001] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No such file or directory
Oct 23 20:19:51 threads NetworkManager[4579]: <warn>  [1603509591.5840] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Could not restart the ipsec service.'
Oct 23 20:19:51 threads NetworkManager[4579]: <info>  [1603509591.5851] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 23 20:19:51 threads NetworkManager[4579]: <info>  [1603509591.5875] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared

I'm guessing I'm having ipsec issues...

Can you give me a shove in the right direction?

On Fri, Oct 23, 2020 at 10:47 AM Paul Wouters <paul at nohats.ca> wrote:
On Fri, 23 Oct 2020, Brian McKee wrote:

> Thanks Doug! I'll open a ticket with the Gentoo devs!

They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at the same
location if they prefer that.

Note that libreswan-4.x also no longer builds support for DH2, and some
NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
be running into that. That required a fix to NM-libreswan in fedora at
least.

Pau
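
Added example (not part of the original thread, and not libreswan or NetworkManager code): a read-only shell check for the two causes raised in this thread, more than one installed ipsec command and a missing ipsec service definition for the init system in use. The searched sbin and systemd unit directories, the function names and the optional root prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only checks for the two causes raised in the thread.
# An optional root prefix lets the checks run against a constructed tree.

# Count distinct ipsec commands; symlinks (e.g. /sbin -> /usr/sbin) are
# resolved so a merged-/usr layout is not reported as two installs.
count_ipsec_installs() {
    root=${1:-}
    for p in /sbin /usr/sbin /usr/local/sbin; do
        if [ -x "$root$p/ipsec" ]; then
            readlink -f "$root$p/ipsec"
        fi
    done | sort -u | wc -l | tr -d ' '
}

# Report which service definition exists for "ipsec":
# OpenRC looks in /etc/init.d, systemd in its unit directories.
ipsec_service_kind() {
    root=${1:-}
    openrc=no
    systemd=no
    if [ -e "$root/etc/init.d/ipsec" ]; then openrc=yes; fi
    for d in /lib/systemd/system /usr/lib/systemd/system /etc/systemd/system; do
        if [ -e "$root$d/ipsec.service" ]; then systemd=yes; fi
    done
    case "$openrc/$systemd" in
        yes/yes) echo both ;;
        yes/no)  echo openrc ;;
        no/yes)  echo systemd ;;
        *)       echo none ;;
    esac
}

# One-line summary, e.g. "installs=2 service=none".
diagnose() {
    echo "installs=$(count_ipsec_installs "${1:-}") service=$(ipsec_service_kind "${1:-}")"
}

diagnose "${ROOT:-}"
```

An installs count above 1 matches the "two installs" possibility behind the "bad magic" message, and service=none on an OpenRC system matches the "rc-service: service `ipsec' does not exist" line.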
