[Swan] Issue with networkmanager and l2tp

Paul Wouters paul at nohats.ca
Sun Oct 25 17:44:56 UTC 2020


On Sun, 25 Oct 2020, Brian McKee wrote:

Maybe explicitly build with INITSYSTEM=systemd and see if that fixes
things?

Paul

> Date: Sun, 25 Oct 2020 12:20:53
> From: Brian McKee <raydude at gmail.com>
> Cc: "Swan at lists.libreswan.org" <Swan at lists.libreswan.org>
> To: Douglas Kosovic <doug at uq.edu.au>
> Subject: Re: [Swan] Issue with networkmanager and l2tp
> 
> I found another beginner mistake in the ebuild and reinstalled libreswan.
> The messages I'm getting now are:
> 
> Oct 25 09:17:49 threads NetworkManager[6124]: <info>  [1603642669.8190] audit: op="statistics"
> arg="refresh-rate-ms" pid=10301 uid=1000 result="success"
> Oct 25 09:17:58 threads NetworkManager[6124]: <info>  [1603642678.4519] audit: op="connection-activate"
> uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10301 uid=1000 result="success"
> Oct 25 09:17:58 threads NetworkManager[6124]: <info>  [1603642678.4627]
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID
> 12655
> Oct 25 09:17:58 threads NetworkManager[6124]: <info>  [1603642678.4691]
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear;
> activating connection
> Oct 25 09:17:59 threads NetworkManager[6124]: <info>  [1603642679.1184] audit: op="statistics"
> arg="refresh-rate-ms" pid=10301 uid=1000 result="success"
> Oct 25 09:18:05 threads kernel: Initializing XFRM netlink socket
> Oct 25 09:18:05 threads kernel: IPv4 over IPsec tunneling driver
> Oct 25 09:18:05 threads NetworkManager[6124]: <info>  [1603642685.7716] manager: (ip_vti0): new Generic device
> (/org/freedesktop/NetworkManager/Devices/6)
> Oct 25 09:18:05 threads kernel: IPsec XFRM device driver
> Oct 25 09:18:15 threads NetworkManager[6124]: <info>  [1603642695.8344]
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed:
> stopped (6)
> Oct 25 09:18:15 threads NetworkManager[6124]: <info>  [1603642695.8375]
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
> Oct 25 09:18:15 threads NetworkManager[6124]: <warn>  [1603642695.8385]
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to
> connect: 'Message recipient disconnected from message bus without replying'
> 
> On Sun, Oct 25, 2020 at 9:03 AM Brian McKee <raydude at gmail.com> wrote:
>       Hi Doug,
> 
> I'm back again...
> I found an ipsec init script produced by libreswan's compile in ${IPSEC_CONFDIR}/../ipsec
> I modified the ebuild to move that script in /etc/init.d/ and it works.
> But I still can't connect to work. Here is the output in /var/log/messages:
> 
> Oct 25 08:57:15 threads NetworkManager[6097]: <info>  [1603641435.8662] audit: op="statistics"
> arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
> Oct 25 08:57:18 threads NetworkManager[6097]: <info>  [1603641438.4577] audit: op="connection-activate"
> uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10312 uid=1000 resul
> t="success"
> Oct 25 08:57:18 threads NetworkManager[6097]: <info>  [1603641438.4623]
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service,
> PID 24090
> Oct 25 08:57:18 threads NetworkManager[6097]: <info>  [1603641438.4669]
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear;
> activating
> connection
> Oct 25 08:57:19 threads NetworkManager[6097]: <info>  [1603641439.0556] audit: op="statistics"
> arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
> Oct 25 08:57:33 threads NetworkManager[6097]: <info>  [1603641453.8567]
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state
> changed: stopped
> (6)
> Oct 25 08:57:33 threads NetworkManager[6097]: <info>  [1603641453.8597]
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
> Oct 25 08:57:33 threads NetworkManager[6097]: <warn>  [1603641453.8607]
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed
> to connect:
> 'Message recipient disconnected from message bus without replying'
> 
> /usr/sbin/ipsec start works now:
> threads /etc/init.d # /usr/sbin/ipsec start
> Redirecting to: rc-service ipsec start
> * WARNING: ipsec has already been started
> 
> Thanks for your patience and help.
> 
> On Sun, Oct 25, 2020 at 8:13 AM Brian McKee <raydude at gmail.com> wrote:
>       You are right. ipsec won't start because there is no service:
>       /usr/sbin/ipsec start
>       Redirecting to: rc-service ipsec start
>       * rc-service: service `ipsec' does not exist
> I have to figure out how to create a service script for it.
> Perhaps I can get some help from the libreswan ebuild maintainer.
> I'll post in the bug report I created.
> 
> Thanks for your help.
> 
> 
> On Sun, Oct 25, 2020 at 5:49 AM Douglas Kosovic <doug at uq.edu.au> wrote:
>       Hi Brian,
> 
> 
> So the following doesn't work
> 
>   sudo /sbin/ipsec restart
> 
> and I suspect:
> 
>   sudo /sbin/ipsec start
> 
> the gentoo libreswan ebuild has both openrc and systemd, sorry I have no idea how the gentoo
> ebuild works with init script.
> 
> If you are using systemd, running the following might give a hint as to what needs to be done
> or is missing.
> 
>   sudo systemctl restart ipsec.service
> 
> 
> With systemd, I think it needs the following file to exist, but not sure with gentoo:
>   /lib/systemd/system/ipsec.service
> 
> 
> Sorry I'm not familiar with openrc or if gentoo is using some openrc/systemd hybrid setup,
> but your rcscript suspicion seems plausible.
> 
> 
> 
> Cheers,
> Doug
> 
> _______________________________________________________________________________________________________________
> From: Brian McKee <raydude at gmail.com>
> Sent: Sunday, 25 October 2020 6:04 AM
> To: Paul Wouters <paul at nohats.ca>
> Cc: Douglas Kosovic <doug at uq.edu.au>; Swan at lists.libreswan.org <Swan at lists.libreswan.org>
> Subject: Re: [Swan] Issue with networkmanager and l2tp  
> I have /sbin/ipsec.
> I rebooted to get networkmanager to restart with the latest version of libreswan.
> 
> I'm still getting an error message:
> 
> Oct 24 12:58:23 threads NetworkManager[6097]: <info>  [1603569503.8941] audit:
> op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
> Oct 24 12:58:27 threads NetworkManager[6097]: <info>  [1603569507.6586] audit:
> op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10312
> uid=1000 resul
> t="success"
> Oct 24 12:58:27 threads NetworkManager[6097]: <info>  [1603569507.6708]
> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the
> VPN service, PID 11786
> Oct 24 12:58:27 threads NetworkManager[6097]: <info>  [1603569507.6779]
> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the
> service appear; activating
> connection
> Oct 24 12:58:28 threads NetworkManager[6097]: <info>  [1603569508.6593] audit:
> op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
> Oct 24 12:58:32 threads /etc/init.d/NetworkManager[11800]: rc-service: service `ipsec' does
> not exist
> Oct 24 12:58:32 threads NetworkManager[6097]: <warn>  [1603569512.8038]
> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN
> connection: failed to connect:
> 'Could not restart the ipsec service.'
> Oct 24 12:58:32 threads NetworkManager[6097]: <info>  [1603569512.8063]
> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin:
> state changed: stopped
> (6)
> Oct 24 12:58:32 threads NetworkManager[6097]: <info>  [1603569512.8081]
> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service
> disappeared
> 
> It's still looking for ipsec. I think it's looking for /etc/init.d/ipsecd or something like
> that based on the error message. Is an rcscript meant to be added by libreswan? So that
> something else is missing from the ebuild?
> 
> Again, I really appreciate your patience with me. Thanks so much.
> 
> On Sat, Oct 24, 2020 at 7:08 AM Paul Wouters <paul at nohats.ca> wrote:
>       pluto[17294]: ignoring message from whack with bad magic 1869114160; should
>       be 1869114159; Mismatched versions of userland tools. 
>       Sent
> 
> It looks like either you have two installs (one in /usr and one in /usr/local) or your
> pluto did not restart after installing a newer version?
> 
> Paul
> 
> 
>
>       On Oct 23, 2020, at 23:26, Brian McKee <raydude at gmail.com> wrote:
>
>       Hi Paul and Doug,
> 
> So I got libreswan 4.1 to install with the new folder by modifying the ebuild,
> but I'm still having problems. Here is the output of networkmanager:
> Oct 23 20:19:40 threads NetworkManager[4579]: <info>  [1603509580.7688] audit:
> op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
> Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5025] audit:
> op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
> name="wtec-SJ" pid=5647 uid=1000 result
> ="success"
> Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5068]
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Started the VPN service, PID 28727
> Oct 23 20:19:42 threads NetworkManager[4579]: <info>  [1603509582.5115]
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Saw the service appear; activating
> connection
> Oct 23 20:19:43 threads NetworkManager[4579]: <info>  [1603509583.2001] audit:
> op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
> Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad magic
> 1869114160; should be 1869114159; Mismatched versions of userland tools.
> Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No such
> file or directory
> Oct 23 20:19:51 threads NetworkManager[4579]: <warn>  [1603509591.5840]
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN connection: failed to connect:
> 'Could not restart the ipsec service.'
> Oct 23 20:19:51 threads NetworkManager[4579]: <info>  [1603509591.5851]
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN plugin: state changed: stopped
> (6)
> Oct 23 20:19:51 threads NetworkManager[4579]: <info>  [1603509591.5875]
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN service disappeared
> 
> I'm guessing I'm having ipsec issues...
> 
> Can you give me a shove in the right direction?
> 
> On Fri, Oct 23, 2020 at 10:47 AM Paul Wouters <paul at nohats.ca> wrote:
>       On Fri, 23 Oct 2020, Brian McKee wrote:
>
>       > Thanks Doug! I'll open a ticket with the gentoo devs!
>
>       They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files
>       at the same location if they prefer that.
>
>       Note that libreswan-4.x also no longer builds support for DH2, and some
>       NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
>       be running into that. That required a fix to NM-libreswan in fedora at
>       least.
>
>       Pau
> 
> --
> -- Consciousness moves everything.
>
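
Added example, not part of any message in this thread and not libreswan or NetworkManager code: a small triage script for the three failure signatures that appear in the logs quoted above. It first undoes the mail quoting and line wrapping, since the wrapped records would otherwise defeat a plain grep. The function names `unwrap` and `triage` and the tag names are hypothetical; the sample lines are copied from the thread with their wrapping kept.

```python
import re

# A syslog record starts with "Mon DD HH:MM:SS "; any other line is mail wrapping.
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")

# tag -> (pattern, note). The notes restate what the thread's participants said.
SIGNATURES = {
    "version-mismatch": (re.compile(r"bad magic \d+; should be \d+"),
        "whack and pluto differ: two installs, or pluto not restarted after upgrade"),
    "no-init-service": (re.compile(r"rc-service: service `ipsec' does not exist"),
        "OpenRC has no ipsec service script installed in /etc/init.d"),
    "plugin-exit": (re.compile(r"Message recipient disconnected from message bus"),
        "open in the thread; suggested test: build with INITSYSTEM=systemd"),
}

def unwrap(text):
    """Strip '>' quoting and glue wrapped continuation lines onto their record."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if not line:
            continue
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text):
    """Return (timestamp, tag, note) for every record matching a known signature."""
    hits = []
    for rec in unwrap(text):
        for tag, (pattern, note) in SIGNATURES.items():
            if pattern.search(rec):
                hits.append((rec[:15], tag, note))
    return hits

# Sample input: lines copied from the thread, mail quoting and wrapping kept.
SAMPLE = """\
> Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad magic
> 1869114160; should be 1869114159; Mismatched versions of userland tools.
> Oct 24 12:58:32 threads /etc/init.d/NetworkManager[11800]: rc-service: service `ipsec' does
> not exist
> Oct 25 09:18:15 threads NetworkManager[6124]: <warn>  [1603642695.8385]
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to
> connect: 'Message recipient disconnected from message bus without replying'
"""

if __name__ == "__main__":
    for ts, tag, note in triage(SAMPLE):
        print(f"{ts}  {tag:17} {note}")
```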

