[Swan] Issue with networkmanager and l2tp

Brian McKee raydude at gmail.com
Sun Oct 25 16:20:53 UTC 2020


I found another beginner mistake in the ebuild and reinstalled libreswan.

The messages I'm getting now are:

Oct 25 09:17:49 threads NetworkManager[6124]: <info>  [1603642669.8190]
audit: op="statistics" arg="refresh-rate-ms" pid=10301 uid=1000
result="success"
Oct 25 09:17:58 threads NetworkManager[6124]: <info>  [1603642678.4519]
audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
name="wtec-SJ" pid=10301 uid=1000 result="success"
Oct 25 09:17:58 threads NetworkManager[6124]: <info>  [1603642678.4627]
vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
Started the VPN service, PID 12655
Oct 25 09:17:58 threads NetworkManager[6124]: <info>  [1603642678.4691]
vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
Saw the service appear; activating connection
Oct 25 09:17:59 threads NetworkManager[6124]: <info>  [1603642679.1184]
audit: op="statistics" arg="refresh-rate-ms" pid=10301 uid=1000
result="success"
Oct 25 09:18:05 threads kernel: Initializing XFRM netlink socket
Oct 25 09:18:05 threads kernel: IPv4 over IPsec tunneling driver
Oct 25 09:18:05 threads NetworkManager[6124]: <info>  [1603642685.7716]
manager: (ip_vti0): new Generic device
(/org/freedesktop/NetworkManager/Devices/6)
Oct 25 09:18:05 threads kernel: IPsec XFRM device driver
Oct 25 09:18:15 threads NetworkManager[6124]: <info>  [1603642695.8344]
vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN plugin: state changed: stopped (6)
Oct 25 09:18:15 threads NetworkManager[6124]: <info>  [1603642695.8375]
vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN service disappeared
Oct 25 09:18:15 threads NetworkManager[6124]: <warn>  [1603642695.8385]
vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN connection: failed to connect: 'Message recipient disconnected from
message bus without replying'

On Sun, Oct 25, 2020 at 9:03 AM Brian McKee <raydude at gmail.com> wrote:

> Hi Doug,
>
> I'm back again...
>
> I found an ipsec init script produced by libreswan's compile in
> ${IPSEC_CONFDIR}/../ipsec
> I modified the ebuild to move that script into /etc/init.d/ and it works.
>
> But I still can't connect to work. Here is the output in /var/log/messages:
>
> Oct 25 08:57:15 threads NetworkManager[6097]: <info>  [1603641435.8662]
> audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
> result="success"
> Oct 25 08:57:18 threads NetworkManager[6097]: <info>  [1603641438.4577]
> audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
> name="wtec-SJ" pid=10312 uid=1000 result="success"
> Oct 25 08:57:18 threads NetworkManager[6097]: <info>  [1603641438.4623]
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Started the VPN service, PID 24090
> Oct 25 08:57:18 threads NetworkManager[6097]: <info>  [1603641438.4669]
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Saw the service appear; activating
> connection
> Oct 25 08:57:19 threads NetworkManager[6097]: <info>  [1603641439.0556]
> audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
> result="success"
> Oct 25 08:57:33 threads NetworkManager[6097]: <info>  [1603641453.8567]
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN plugin: state changed: stopped
> (6)
> Oct 25 08:57:33 threads NetworkManager[6097]: <info>  [1603641453.8597]
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN service disappeared
> Oct 25 08:57:33 threads NetworkManager[6097]: <warn>  [1603641453.8607]
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN connection: failed to connect:
> 'Message recipient disconnected from message bus without replying'
>
> /usr/sbin/ipsec start works now:
> threads /etc/init.d # /usr/sbin/ipsec start
> Redirecting to: rc-service ipsec start
> * WARNING: ipsec has already been started
>
> Thanks for your patience and help.
>
> On Sun, Oct 25, 2020 at 8:13 AM Brian McKee <raydude at gmail.com> wrote:
>
>> You are right. ipsec won't start because there is no service:
>> /usr/sbin/ipsec start
>> Redirecting to: rc-service ipsec start
>> * rc-service: service `ipsec' does not exist
>> I have to figure out how to create a service script for it.
>> Perhaps I can get some help from the libreswan ebuild maintainer.
>> I'll post in the bug report I created.
>>
>> Thanks for your help.
>>
>>
>> On Sun, Oct 25, 2020 at 5:49 AM Douglas Kosovic <doug at uq.edu.au> wrote:
>>
>>> Hi Brian,
>>>
>>>
>>> So the following doesn't work
>>>
>>>   sudo /sbin/ipsec restart
>>>
>>> and I suspect:
>>>
>>>   sudo /sbin/ipsec start
>>>
>>> The gentoo libreswan ebuild has both openrc and systemd; sorry, I have no
>>> idea how the gentoo ebuild works with the init script.
>>>
>>> If you are using systemd, running the following might give a hint as to
>>> what needs to be done or is missing.
>>>
>>>   sudo systemctl restart ipsec.service
>>>
>>>
>>> With systemd, I think it needs the following file to exist, but not sure
>>> with gentoo:
>>>   /lib/systemd/system/ipsec.service
>>>
>>>
>>> Sorry I'm not familiar with openrc or if gentoo is using some
>>> openrc/systemd hybrid setup, but your rcscript suspicion seems plausible.
>>>
>>>
>>>
>>> Cheers,
>>> Doug
>>>
>>> ------------------------------
>>> *From:* Brian McKee <raydude at gmail.com>
>>> *Sent:* Sunday, 25 October 2020 6:04 AM
>>> *To:* Paul Wouters <paul at nohats.ca>
>>> *Cc:* Douglas Kosovic <doug at uq.edu.au>; Swan at lists.libreswan.org <
>>> Swan at lists.libreswan.org>
>>> *Subject:* Re: [Swan] Issue with networkmanager and l2tp
>>>
>>> I have /sbin/ipsec.
>>>
>>> I rebooted to get networkmanager to restart with the latest version of
>>> libreswan.
>>>
>>> I'm still getting an error message:
>>>
>>> Oct 24 12:58:23 threads NetworkManager[6097]: <info>  [1603569503.8941]
>>> audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
>>> result="success"
>>> Oct 24 12:58:27 threads NetworkManager[6097]: <info>  [1603569507.6586]
>>> audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
>>> name="wtec-SJ" pid=10312 uid=1000 result="success"
>>> Oct 24 12:58:27 threads NetworkManager[6097]: <info>  [1603569507.6708]
>>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> Started the VPN service, PID 11786
>>> Oct 24 12:58:27 threads NetworkManager[6097]: <info>  [1603569507.6779]
>>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> Saw the service appear; activating
>>> connection
>>> Oct 24 12:58:28 threads NetworkManager[6097]: <info>  [1603569508.6593]
>>> audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
>>> result="success"
>>> Oct 24 12:58:32 threads /etc/init.d/NetworkManager[11800]: rc-service:
>>> service `ipsec' does not exist
>>> Oct 24 12:58:32 threads NetworkManager[6097]: <warn>  [1603569512.8038]
>>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> VPN connection: failed to connect:
>>> 'Could not restart the ipsec service.'
>>> Oct 24 12:58:32 threads NetworkManager[6097]: <info>  [1603569512.8063]
>>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> VPN plugin: state changed: stopped
>>> (6)
>>> Oct 24 12:58:32 threads NetworkManager[6097]: <info>  [1603569512.8081]
>>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> VPN service disappeared
>>>
>>> It's still looking for ipsec. I think it's looking for
>>> /etc/init.d/ipsecd or something like that based on the error message. Is an
>>> rcscript meant to be added by libreswan? So that something else is missing
>>> from the ebuild?
>>>
>>> Again, I really appreciate your patience with me. Thanks so much.
>>>
>>> On Sat, Oct 24, 2020 at 7:08 AM Paul Wouters <paul at nohats.ca> wrote:
>>>
>>> pluto[17294]: ignoring message from whack with bad magic 1869114160;
>>> should be 1869114159; Mismatched versions of userland tools.
>>>
>>> Sent
>>>
>>> It looks like either you have two installs (one in /usr and one in
>>> /usr/local) or your pluto
>>> did not restart after installing a newer version?
>>>
>>> Paul
>>>
>>>
>>>
>>> On Oct 23, 2020, at 23:26, Brian McKee <raydude at gmail.com> wrote:
>>>
>>>
>>> Hi Paul and Doug,
>>>
>>> So I got libreswan 4.1 to install with the new folder by modifying the
>>> ebuild, but I'm still having problems. Here is the output of
>>> networkmanager:
>>>
>>> Oct 23 20:19:40 threads NetworkManager[4579]: <info>  [1603509580.7688]
>>> audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000
>>> result="success"
>>> Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5025]
>>> audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
>>> name="wtec-SJ" pid=5647 uid=1000 result="success"
>>> Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5068]
>>> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> Started the VPN service, PID 28727
>>> Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5115]
>>> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> Saw the service appear; activating
>>> connection
>>> Oct 23 20:19:43 threads NetworkManager[4579]: <info>  [1603509583.2001]
>>> audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000
>>> result="success"
>>> Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with
>>> bad magic 1869114160; should be 1869114159; Mismatched versions of userland
>>> tools.
>>> Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service:
>>> No such file or directory
>>> Oct 23 20:19:51 threads NetworkManager[4579]: <warn>  [1603509591.5840]
>>> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> VPN connection: failed to connect:
>>> 'Could not restart the ipsec service.'
>>> Oct 23 20:19:51 threads NetworkManager[4579]: <info>  [1603509591.5851]
>>> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> VPN plugin: state changed: stopped
>>> (6)
>>> Oct 23 20:19:51 threads NetworkManager[4579]: <info>  [1603509591.5875]
>>> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> VPN service disappeared
>>>
>>> I'm guessing I'm having ipsec issues...
>>>
>>> Can you give me a shove in the right direction?
>>>
>>> On Fri, Oct 23, 2020 at 10:47 AM Paul Wouters <paul at nohats.ca> wrote:
>>>
>>> On Fri, 23 Oct 2020, Brian McKee wrote:
>>>
>>> > Thanks Doug! I'll open a ticket with the gentoo devs!
>>>
>>> They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at
>>> the same
>>> location if they prefer that.
>>>
>>> Note that libreswan-4.x also no longer builds support for DH2, and some
>>> NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
>>> be running into that. That required a fix to NM-libreswan in fedora at
>>> least.
>>>
>>> Pau
>>>
>>> _______________________________________________
>>> Swan mailing list
>>> Swan at lists.libreswan.org
>>> https://lists.libreswan.org/mailman/listinfo/swan
>>>
>>
>>
>> --
>> -- Consciousness moves everything.
>>
>
>
> --
> -- Consciousness moves everything.
>


-- 
-- Consciousness moves everything.
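
The failure signatures that appear across this thread's logs can be picked out mechanically. The following is an added example, not code from the thread or from libreswan or NetworkManager: the rule labels and hints are this example's own naming, and the sample lines are taken from the logs above with mail-wrapped lines re-joined.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "when program label hint detail")

# syslog prefix: "Oct 25 09:18:15 host program[pid]: message"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([^:\[]+)(?:\[\d+\])?: (.*)$")

# Labels and hints are assumptions of this example; first matching rule wins.
RULES = [
    ("whack-pluto-mismatch",
     re.compile(r"bad magic (\d+); should be (\d+)"),
     "whack and pluto differ: second install, or pluto not restarted"),
    ("ipsec-service-missing",
     re.compile(r"rc-service: service `ipsec' does not exist"),
     "no OpenRC service named ipsec is installed"),
    ("ipsec-restart-failed",
     re.compile(r"Could not restart the ipsec service"),
     "the VPN plugin could not restart ipsec; check the service first"),
    ("plugin-exited",
     re.compile(r"disconnected from message bus without replying"),
     "the VPN service left D-Bus before replying (unresolved in the thread)"),
]

# Sample input: lines from the thread's logs, re-joined where mail wrapped them.
SAMPLE = """\
Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
Oct 24 12:58:32 threads /etc/init.d/NetworkManager[11800]: rc-service: service `ipsec' does not exist
Oct 24 12:58:32 threads NetworkManager[6097]: <warn>  [1603569512.8038] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Could not restart the ipsec service.'
Oct 25 09:18:05 threads kernel: Initializing XFRM netlink socket
Oct 25 09:18:15 threads NetworkManager[6124]: <warn>  [1603642695.8385] vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
"""

def triage(text):
    """Return one Finding per log line that matches a known failure signature."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog-style line (e.g. a wrapped fragment)
        when, program, message = m.groups()
        for label, pattern, hint in RULES:
            hit = pattern.search(message)
            if hit:
                findings.append(Finding(when, program, label, hint, hit.groups()))
                break
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.when}  {f.program}: {f.label} {f.detail} -> {f.hint}")
```

Logs copied out of mail need their wrapped lines re-joined first, since a signature split across two lines will not match.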