I'll look into it. If it's okay, I'm not going to mark this post as "SOLVED".
Thank you very much.
You might need to stop the system xl2tpd, see:
https://github.com/nm-l2tp/network-mana … pd-service
If your VPN server is using weak and old IPsec IKEv1 algorithms, you might need to reconfigure the VPN server or specify the weak algorithms in the NetworkManager-l2tp IPsec options dialog box, see:
https://github.com/nm-l2tp/network-mana … algorithms
You can query the VPN server for what algorithms it supports by running the ike-scan.sh script on the following page:
https://github.com/nm-l2tp/network-mana … algorithms
If you need L2TP/IPsec, use NetworkManager-l2tp, which uses xl2tpd for L2TP and libreswan or strongswan for IPsec IKEv1 (without XAUTH).
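The probing step above, as an added example in POSIX shell (this is not code from the thread or from the nm-l2tp project; the transform list, the script name and the server address are my own choices): it runs ike-scan once per candidate Phase 1 transform, because an IKEv1 responder only answers a Main Mode proposal it accepts, and translates each accepted SA payload into the libreswan "ike=" notation (for example 3des-sha1-modp1024) that the NetworkManager-l2tp Phase 1 algorithms field takes. It assumes ike-scan is installed and is run as root with the local pluto stopped, since ike-scan sends from UDP source port 500 by default.

```shell
#!/bin/sh
# Added example, not from the thread or the nm-l2tp project: probe an IKEv1
# responder with ike-scan for the Phase 1 transforms it accepts and print each
# accepted one in libreswan "ike=" notation (e.g. 3des-sha1-modp1024), which is
# what the NetworkManager-l2tp Phase 1 algorithms field expects.
# Assumptions: ike-scan is installed, we run as root, and the local pluto is
# stopped (ike-scan sends from UDP source port 500 by default).

# Candidate transforms in ike-scan's --trans=enc[/keylen],hash,auth,group form.
# IKEv1 IDs: enc 5=3DES 7=AES-CBC (key length required); hash 1=MD5 2=SHA1
# 4=SHA2-256; auth 1=PSK; group 2=modp1024 5=modp1536 14=modp2048.
IKE_TRANSFORMS="5,1,1,2 5,2,1,2 5,2,1,5 7/128,2,1,2 7/128,2,1,14 7/256,4,1,14"

# An IKEv1 responder only replies to a Main Mode proposal it accepts, so one
# ike-scan run per transform tells us which ones the server still offers.
probe_ike_transforms() {
    for t in $IKE_TRANSFORMS; do
        ike-scan --trans="$t" "$1" 2>/dev/null | grep 'SA=('
    done
}

# Pull one attribute value (Enc, KeyLength, Hash, Group) out of an ike-scan
# result line such as "... SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 ...)".
sa_attr() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([A-Za-z0-9:_-]*\).*/\1/p" | head -n 1
}

# Convert one ike-scan result line to libreswan notation: enc[keylen]-hash-group.
# Returns 1 for lines that carry no SA payload (e.g. a NO-PROPOSAL-CHOSEN notify).
sa_to_libreswan() {
    enc=$(sa_attr Enc "$1" | tr 'A-Z' 'a-z')
    keylen=$(sa_attr KeyLength "$1")
    hash=$(sa_attr Hash "$1" | tr 'A-Z' 'a-z' | tr '-' '_')   # SHA2-256 -> sha2_256
    group=$(sa_attr Group "$1" | sed 's/^[0-9]*://')          # 2:modp1024 -> modp1024
    [ -n "$enc" ] && [ -n "$hash" ] && [ -n "$group" ] || return 1
    case $enc in aes) enc="aes$keylen" ;; esac   # AES carries its key length in the name
    printf '%s-%s-%s\n' "$enc" "$hash" "$group"
}

# Usage: sh ike-probe.sh <vpn-server>; nothing is probed when no server is given.
if [ $# -ge 1 ]; then
    probe_ike_transforms "$1" | while IFS= read -r line; do
        printf 'accepted: ike=%s\n' "$(sa_to_libreswan "$line")"
    done
fi
```

Paste an accepted value into the Phase 1 algorithms box of the IPsec options dialog. ike-scan only exercises IKE Phase 1; the ESP proposal for Phase 2 is negotiated separately and has to be matched against the server's configuration by hand.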
I am trying to connect to an L2TP VPN server. In order to connect to it I am using the package networkmanager-libreswan. In the network manager I was able to configure a connection (server IP, username, key and PSK). Unfortunately it doesn't work.
Here is some information:
$ journalctl -xe
Dec. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface lo:500 40
Dec. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface lo:500 fd 40
Dec. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface lo:4500 39
Dec. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface lo:4500 fd 39
Dec. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface lo:500 38
Dec. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface lo:500 fd 38
Dec. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface enp3s0:4500 37
Dec. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface enp3s0:4500 fd 37
Dec. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface enp3s0:500 36
Dec. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface enp3s0:500 fd 36
Dec. 14 18:46:40 Host-001 pluto[15931]: forgetting secrets
Dec. 14 18:46:40 Host-001 pluto[15931]: loading secrets from "/etc/ipsec.secrets"
Dec. 14 18:46:40 Host-001 pluto[15931]: loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a.secrets"
Dec. 14 18:46:40 Host-001 NetworkManager[394]: 010 "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: STATE_QUICK_I1: retransmission; will wait 1000ms for response
Dec. 14 18:46:41 Host-001 NetworkManager[394]: 010 "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: STATE_QUICK_I1: retransmission; will wait 2000ms for response
Dec. 14 18:46:43 Host-001 NetworkManager[394]: 010 "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: STATE_QUICK_I1: retransmission; will wait 4000ms for response
Dec. 14 18:46:47 Host-001 NetworkManager[394]: 010 "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: STATE_QUICK_I1: retransmission; will wait 8000ms for response
Dec. 14 18:46:49 Host-001 nm-l2tp-service[15300]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Dec. 14 18:46:49 Host-001 NetworkManager[394]: <info> [1513273609.4416] vpn-connection[0x5631b2576350,280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a,"ETNA",0]: VPN plugin: state changed: stopped (6)
Dec. 14 18:46:49 Host-001 NetworkManager[394]: <info> [1513273609.4455] vpn-connection[0x5631b2576350,280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a,"ETNA",0]: VPN service disappeared
Dec. 14 18:46:49 Host-001 NetworkManager[394]: <warn> [1513273609.4472] vpn-connection[0x5631b2576350,280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a,"ETNA",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
Dec. 14 18:46:49 Host-001 gnome-shell[1242]: Ignoring excess values in shadow definition
Dec. 14 18:46:49 Host-001 gnome-shell[1242]: Ignoring excess values in shadow definition
Dec. 14 18:46:49 Host-001 gnome-shell[1242]: Ignoring excess values in shadow definition
Dec. 14 18:46:49 Host-001 gnome-shell[1242]: Ignoring excess values in shadow definition
$ systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2017-12-14 18:46:39 CET; 2min 19s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 15322 ExecStopPost=/usr/bin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
Process: 15321 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
Process: 15320 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
Process: 15315 ExecStop=/usr/lib/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
Process: 15920 ExecStartPre=/usr/bin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Process: 15919 ExecStartPre=/usr/bin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 15634 ExecStartPre=/usr/lib/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 15633 ExecStartPre=/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Main PID: 15931 (pluto)
Status: "Startup completed."
Tasks: 12 (limit: 4915)
CGroup: /system.slice/ipsec.service
└─15931 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Dec. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface enp3s0:500 36
Dec. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface enp3s0:500 fd 36
Dec. 14 18:46:40 Host-001 pluto[15931]: forgetting secrets
Dec. 14 18:46:40 Host-001 pluto[15931]: loading secrets from "/etc/ipsec.secrets"
Dec. 14 18:46:40 Host-001 pluto[15931]: loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a.secrets"
Dec. 14 18:47:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Dec. 14 18:47:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Dec. 14 18:47:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #3: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #2 {using isakmp#1 msgid:418233d1 proposal=3DES(3)_000-SHA1(2) pfsgroup=no-pfs}
Dec. 14 18:47:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: deleting state (STATE_QUICK_I1)
Dec. 14 18:48:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #3: deleting state (STATE_QUICK_I1)
$ ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.21 (netkey) on 4.14.5-1-ARCH
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/wlp0s20f0u13/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [UNKNOWN]
(run ipsec verify as root to test ipsec.secrets)
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
$ systemctl status xl2tpd
● xl2tpd.service - Level 2 Tunnel Protocol Daemon (L2TP)
Loaded: loaded (/usr/lib/systemd/system/xl2tpd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-12-13 22:07:26 CET; 49min ago
Main PID: 1066 (xl2tpd)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/xl2tpd.service
└─1066 /usr/bin/xl2tpd -D
archlinux systemd[1]: Started Level 2 Tunnel Protocol Daemon (L2TP).
archlinux xl2tpd[1066]: xl2tpd[1066]: setsockopt recvref[30]: Protocol not available
archlinux xl2tpd[1066]: xl2tpd[1066]: Using l2tp kernel support.
archlinux xl2tpd[1066]: xl2tpd[1066]: xl2tpd version xl2tpd-1.3.10 started on archlinux PID:1066
archlinux xl2tpd[1066]: xl2tpd[1066]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
archlinux xl2tpd[1066]: xl2tpd[1066]: Forked by Scott Balmos and David Stipp, (C) 2001
archlinux xl2tpd[1066]: xl2tpd[1066]: Inherited by Jeff McAdams, (C) 2002
archlinux xl2tpd[1066]: xl2tpd[1066]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
archlinux xl2tpd[1066]: xl2tpd[1066]: Listening on IP address 0.0.0.0, port 1701
/etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
# Uncomment when using this configuration file with openswan
#version 2
#
# Manual: ipsec.conf.5
config setup
# which IPsec stack to use, "netkey" (the default), "klips" or "mast".
# For MacOSX use "bsd"
protostack=netkey
#
# Normally, pluto logs via syslog. If you want to log to a file,
# specify below or to disable logging, eg for embedded systems, use
# the file name /dev/null
# Note: SElinux policies might prevent pluto writing to a log file at
# an unusual location.
#logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
# plutodebug "all", "none" or a combination from below:
# "raw crypt parsing emitting control controlmore kernel pfkey
# natt x509 dpd dns oppo oppoinfo private".
# Note: "private" is not included with "all", as it can show confidential
# information. It must be specifically specified
# examples:
# plutodebug="control parsing"
# plutodebug="all crypt"
# Again: only enable plutodebug when asked by a developer
#plutodebug=none
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: SElinux policies might prevent pluto writing the core at
# unusual locations
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
Thank you very much in advance for any help.
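An added triage script for a journal excerpt like the one in this post (it is not part of the original post; the script name and the sample lines in its test are constructed from the log above): it finds the pluto state in which the retransmissions ran out, maps that state to its IKEv1 phase, and recovers the proposal pluto offered. Here the stall is in STATE_QUICK_I1 while the Quick Mode line already references isakmp#1, so the ISAKMP SA (Phase 1) was established and the server never answered the IPsec SA (Phase 2) proposal of 3DES/SHA1 without PFS, which is what the script reports.

```shell
#!/bin/sh
# Added example, not part of the original post: triage a pluto/NetworkManager
# journal excerpt by the IKEv1 state in which the exchange stalled and recover
# the proposal pluto was offering there. Reads the log from the file named in
# $1, or from stdin when no file is given.

# Which IKEv1 phase a pluto state name belongs to.
ike_phase_of_state() {
    case $1 in
        STATE_MAIN_*|STATE_AGGR_*) echo "phase1 (ISAKMP SA)" ;;
        STATE_QUICK_*)             echo "phase2 (IPsec SA, Quick Mode)" ;;
        *)                         echo "unknown phase" ;;
    esac
}

# Print one verdict line. Exit status 1 when no retransmission stall is found.
triage_pluto_log() {
    log=$(cat "${1:--}")
    # Prefer the definitive "max number of retransmissions reached" line; fall
    # back to the last "retransmission; will wait" line if pluto was stopped first.
    state=$(printf '%s\n' "$log" \
        | sed -n 's/.*max number of retransmissions ([0-9]*) reached \([A-Z0-9_]*\).*/\1/p' | tail -n 1)
    [ -n "$state" ] || state=$(printf '%s\n' "$log" \
        | sed -n 's/.*\(STATE_[A-Z0-9_]*\): retransmission.*/\1/p' | tail -n 1)
    if [ -z "$state" ]; then
        echo "no retransmission stall found"
        return 1
    fi
    # "using isakmp#N" on a Quick Mode line shows Phase 1 already completed.
    isakmp=$(printf '%s\n' "$log" | sed -n 's/.*using isakmp#\([0-9]*\).*/\1/p' | tail -n 1)
    # "proposal=... pfsgroup=..." is what pluto offered for the IPsec SA.
    proposal=$(printf '%s\n' "$log" \
        | sed -n 's/.*initiating Quick Mode .*proposal=\([^ ]*\) pfsgroup=\([^ }]*\).*/esp=\1 pfs=\2/p' | tail -n 1)
    verdict="stalled in $state: $(ike_phase_of_state "$state")"
    [ -n "$isakmp" ] && verdict="$verdict; phase1 done (isakmp#$isakmp)"
    [ -n "$proposal" ] && verdict="$verdict; offered $proposal"
    echo "$verdict"
}

# Usage: journalctl -b -u ipsec -u NetworkManager | sh pluto-triage.sh
# or:    sh pluto-triage.sh saved-journal.txt
if [ $# -ge 1 ]; then
    triage_pluto_log "$1"
fi
```

A Phase 2 stall with an established ISAKMP SA points at the ESP algorithms or the PFS setting rather than at the pre-shared key or the Phase 1 transform, so that is where to compare the client's offer against the server's configuration first.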