<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Hi Brian,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText">With Libreswan >= 4.0, the default NSS database files (*.db) have moved from /etc/ipsec.d to /var/lib/ipsec/nss<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Try the following Libreswan command to see if you get an error :<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"> $ sudo ipsec initnss<o:p></o:p></p>
<p class="MsoPlainText"> ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">pkg_postinst() in the gentoo ebuild is still using
</span>/etc/ipsec.d for the NSS database files :<o:p></o:p></p>
<p class="MsoNormal"> <a href="https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild">
https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">you could fix the aforementioned <span style="mso-fareast-language:EN-US">
pkg_postinst(), or</span> issue the following as a workaround:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> sudo mkdir -p /var/lib/ipsec/nss<o:p></o:p></p>
<p class="MsoNormal"> sudo chmod 700 /var/lib/ipsec/nss<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">then try sudo ipsec initnss again.<o:p></o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal">If you are using SELinux or AppArmor, a new rule might be required for /var/lib/ipsec/nss<span style="mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US">Doug<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span lang="EN-US"> Swan <swan-bounces@lists.libreswan.org>
<b>On Behalf Of </b>Brian McKee<br>
<b>Sent:</b> Friday, 23 October 2020 6:06 PM<br>
<b>To:</b> swan@lists.libreswan.org<br>
<b>Subject:</b> [Swan] Issue with networkmanager and l2tp<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hello everyone,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I'm a Gentoo linux user. My work uses a linux based VPN server (Centos 7) that is probably pretty out of date. It uses l2tp protocol.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">My Gentoo box is running Networkmanager 1.26.0 and until a recent update I was running libreswan-3.32-r1 which contains a patch to fix an NSS version issue. libreswan-3.32 without the patch fails to connect to my work because of the NSS
issue.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Networkmanager requires libreswan for l2tp protocol connections.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In the latest update of my machine libreswan 4.1 installed and I could no longer connect to work. There was absolutely no useful messages from Networkmanager. This is what I got in /var/log/messages:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Courier New";color:black">Oct 22 21:30:16 threads NetworkManager[4579]: <info> [1603427416.4884] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ"
pid=5647 uid=1000 result</span><span style="font-family:"Courier New""><br>
="success" <br>
Oct 22 21:30:16 threads NetworkManager[4579]: <info> [1603427416.4920] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 10712
<br>
Oct 22 21:30:16 threads NetworkManager[4579]: <info> [1603427416.4984] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating<br>
connection <br>
Oct 22 21:30:17 threads NetworkManager[4579]: <info> [1603427417.1234] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
<br>
Oct 22 21:30:27 threads NetworkManager[4579]: <info> [1603427427.7335] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped<br>
(6) <br>
Oct 22 21:30:27 threads NetworkManager[4579]: <info> [1603427427.7361] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
<br>
Oct 22 21:30:27 threads NetworkManager[4579]: <warn> [1603427427.7372] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect:<br>
'Message recipient disconnected from message bus without replying'</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">I figure I have a configuration issue, except that it works fine with the old version of libreswan.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">I'm hoping you guys have some idea what I'm talking about. I can email you any information on my machine and I can probably get the configuration for the (openvpn, I think) VPN server.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">I know that me using the old version of libreswan is eventually going to become a problem so I'd like to proactively figure out what's wrong and fix my system so my work flow isn't interrupted.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">I don't hand edit the config files, I let KDE configure network manager, so I figure there is something I need to change in that configuration.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">Anyway, thanks for reading and thanks in advance for any help you can offer.</span><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>