#1 2017-05-24 14:08:53

syco
Member
Registered: 2008-11-06
Posts: 20

[SOLVED] Libreswan l2tp-ipsec timeout

Hello,
I'm trying to set up a VPN connection using libreswan and network manager, but I'm stuck.
I've installed libreswan from aur and all the following packages for network manager

# pacman -Qqs networkmanager
libnm
libnm-glib
networkmanager
networkmanager-l2tp
networkmanager-libreswan
networkmanager-openconnect
networkmanager-openvpn
networkmanager-pptp
networkmanager-qt
networkmanager-vpnc
nm-connection-editor

I installed and started ipsec-tools

# systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-05-24 14:37:41 IST; 5min ago

I've also executed this:

echo 1 > /proc/sys/net/ipv4/ip_forward

And I created an L2TP connection in Network Manager using Gateway, Username, Password, and IPsec Pre-shared Key. I've also changed the PPP authentication method to the one required by the company server.
After I enable the VPN just created, it connects and changes my routing table to route all traffic through the VPN (as expected), but at this point things start not to work:

I can dig a hostname:

# dig google.com
google.com.		299	IN	A	209.85.202.102
google.com.		299	IN	A	209.85.202.113
google.com.		299	IN	A	209.85.202.139
google.com.		299	IN	A	209.85.202.100
google.com.		299	IN	A	209.85.202.138
google.com.		299	IN	A	209.85.202.101

I can ping a hostname:

# ping google.com
PING google.com (209.85.202.113) 56(84) bytes of data.
64 bytes from dg-in-f113.1e100.net (209.85.202.113): icmp_seq=1 ttl=50 time=23.6 ms
64 bytes from dg-in-f113.1e100.net (209.85.202.113): icmp_seq=2 ttl=50 time=24.8 ms
64 bytes from dg-in-f113.1e100.net (209.85.202.113): icmp_seq=3 ttl=50 time=24.8 ms

But everything else times out:

# telnet google.com 80
Trying 209.85.202.113...

And if I ssh to any server, inside or outside the local network, ssh gets stuck until it times out.

Until yesterday I had a different laptop (always with Arch) and I was using a manual script inspired by https://wiki.archlinux.org/index.php/Op … ient_setup
It was working perfectly fine, but on my freshly installed Arch it has the same issue as libreswan.
Unfortunately my old laptop has already been wiped, so I can't troubleshoot with both.

Has anyone already encountered this issue before?
Thanks

Last edited by syco (2017-05-27 00:29:23)


#2 2017-05-26 10:57:15

syco
Member
Registered: 2008-11-06
Posts: 20

Re: [SOLVED] Libreswan l2tp-ipsec timeout

I've done some testing and I still can't figure out what's happening:
I got CentOS 7 on VirtualBox and started using the libreswan command line;
here is the script I used: https://pastebin.com/r2ztShH5

This is what happens on CentOS 7 in VirtualBox:

[root@centos ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.1.1      0.0.0.0         UG    100    0        0 enp0s3
172.0.0.0       172.21.0.94     255.0.0.0       UG    0      0        0 ppp0
172.16.1.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.31.1.0      0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
192.168.56.0    0.0.0.0         255.255.255.0   U     100    0        0 enp0s8
[root@centos ~]# ping 172.21.2.31 -c 5
PING 172.21.2.31 (172.21.2.31) 56(84) bytes of data.
64 bytes from 172.21.2.31: icmp_seq=1 ttl=64 time=19.1 ms
64 bytes from 172.21.2.31: icmp_seq=2 ttl=64 time=20.2 ms
64 bytes from 172.21.2.31: icmp_seq=3 ttl=64 time=19.4 ms
64 bytes from 172.21.2.31: icmp_seq=4 ttl=64 time=18.9 ms
64 bytes from 172.21.2.31: icmp_seq=5 ttl=64 time=19.2 ms

--- 172.21.2.31 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4008ms
rtt min/avg/max/mdev = 18.982/19.414/20.276/0.482 ms
[root@centos ~]# ssh -o ConnectTimeout=3 root@172.21.2.31
root@172.21.2.31's password: 
Last login: Fri May 26 10:32:29 2017 from 172.21.0.92
[root@pbx-dev ~]# logout
Connection to 172.21.2.31 closed.
[root@centos ~]#

This is what happens on Arch:

[root@echo ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.1.1      0.0.0.0         UG    600    0        0 wlp1s0
172.0.0.0       172.21.0.95     255.0.0.0       UG    0      0        0 ppp0
172.16.1.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.31.1.0      0.0.0.0         255.255.255.0   U     600    0        0 wlp1s0
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 vboxnet0
[root@echo ~]# ping 172.21.2.31 -c 5
PING 172.21.2.31 (172.21.2.31) 56(84) bytes of data.
64 bytes from 172.21.2.31: icmp_seq=1 ttl=64 time=19.0 ms
64 bytes from 172.21.2.31: icmp_seq=2 ttl=64 time=19.1 ms
64 bytes from 172.21.2.31: icmp_seq=3 ttl=64 time=18.2 ms
64 bytes from 172.21.2.31: icmp_seq=4 ttl=64 time=19.4 ms
64 bytes from 172.21.2.31: icmp_seq=5 ttl=64 time=19.2 ms

--- 172.21.2.31 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 18.268/19.033/19.436/0.438 ms
[root@echo ~]# ssh -vvv -o ConnectTimeout=3 root@172.21.2.31
OpenSSH_7.5p1, OpenSSL 1.1.0e  16 Feb 2017
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 3: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "172.21.2.31" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 172.21.2.31 [172.21.2.31] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address 172.21.2.31 port 22: Connection timed out
ssh: connect to host 172.21.2.31 port 22: Connection timed out
[root@echo ~]#

What could that be?

P.S. I know now the issue is not libreswan; if someone has a suggestion for a better title, please drop a reply.


#3 2017-05-26 17:41:18

alexpnx
Member
From: Nicosia, Cyprus
Registered: 2006-06-10
Posts: 47

Re: [SOLVED] Libreswan l2tp-ipsec timeout

I'm facing the exact same issue, since today.
This is on all three of my arch installations.

I'm using strongswan instead of libreswan, in conjunction with networkmanager-l2tp.

I've captured some traffic with wireshark and I'm getting many TCP packets with SYN which are never ACKed, therefore TCP connections cannot be established when the VPN is active.
Maybe this is an issue with UDP encapsulation.

These are all the packages that were upgraded before the problem started:

2017-05-26 00:20:37	btrfs-progs
2017-05-26 00:20:37	dmidecode
2017-05-26 00:20:41	go
2017-05-26 00:20:41	hdparm
2017-05-26 00:20:41	lib32-openssl
2017-05-26 00:20:41	libatomic_ops
2017-05-26 00:20:47	libtiff
2017-05-26 00:20:47	xfsprogs
2017-05-26 00:20:48	libvirt
2017-05-26 00:20:51	linux-firmware
2017-05-26 00:20:54	linux
2017-05-26 00:20:57	linux-headers
2017-05-26 00:20:57	openssl-1.0
2017-05-26 00:20:58	nodejs
2017-05-26 00:20:58	npth
2017-05-26 00:20:58	opus
2017-05-26 00:20:58	pandoc
2017-05-26 00:20:59	pandoc-citeproc
2017-05-26 00:20:59	pango
2017-05-26 00:20:59	python2-pytest
2017-05-26 00:20:59	python-pytest
2017-05-26 00:21:00	qt5-base
2017-05-26 00:21:00	strace
2017-05-26 00:21:00	ufw
2017-05-26 00:21:01	vagrant-substrate
2017-05-26 00:21:01	virtualbox-host-modules-arch
2017-05-26 00:21:04	webkit2gtk
2017-05-26 00:21:04	youtube-dl

I've also found this: https://patchwork.ozlabs.org/patch/753614/

So, I've installed linux-lts and L2TP/IPSEC is working again. It looks like the kernel patch above introduced this bug.

Last edited by alexpnx (2017-05-26 18:32:37)


#4 2017-05-27 00:28:46

syco
Member
Registered: 2008-11-06
Posts: 20

Re: [SOLVED] Libreswan l2tp-ipsec timeout

I can confirm that lts kernel works for me too.
Thanks, you saved my Arch.


#5 2017-06-14 20:04:00

frol
Member
Registered: 2016-02-22
Posts: 2

Re: [SOLVED] Libreswan l2tp-ipsec timeout

Yeah, it seems to be a Linux Kernel regression which was introduced in 4.11rc3 according to https://groups.google.com/d/topic/linux … discussion

I bumped into this issue, and indeed switching to the LTS 4.9.31 kernel helped me.

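The symptom this thread narrows down in posts #2, #3 and #5 (ICMP and DNS cross the tunnel, TCP SYNs go unanswered, traffic is routed via ppp0, the failure appears with the 4.11 kernel and not with LTS 4.9.31) is worth being able to reproduce as a repeatable check rather than by hand with ping and ssh -vvv. The script below is an added example and is not code from the thread or from libreswan/strongswan/NetworkManager; the function names and the classification strings are my own. The embedded route table is constructed from the `route -n` output posted for the Arch host, the kernel version strings are constructed, and the MTU/MSS hint in the generic branch is a standard suggestion for this symptom, not something the thread established.

```python
"""Triage helper for "ping works, TCP hangs" over an L2TP/IPsec tunnel.

Added example (not the thread's code). Pure functions (route lookup,
kernel version parsing, classification) are testable offline; the live
probes need a real tunnel and are only exercised from main().
"""
import ipaddress
import re
import socket
import subprocess

# Constructed from the `route -n` output posted for the Arch host in post #2.
ROUTE_N_ARCH = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.1.1      0.0.0.0         UG    600    0        0 wlp1s0
172.0.0.0       172.21.0.95     255.0.0.0       UG    0      0        0 ppp0
172.16.1.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.31.1.0      0.0.0.0         255.255.255.0   U     600    0        0 wlp1s0
192.168.56.0    0.0.0.0         255.255.255.0   U     0      0        0 vboxnet0
"""


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the two header lines; data rows start with a dotted quad.
        if len(fields) < 8 or not re.match(r"\d+\.\d+\.\d+\.\d+$", fields[0]):
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def route_lookup(text, dst):
    """Longest-prefix match, as the kernel does. Returns (gateway, iface).

    Confirms whether a destination really leaves via the tunnel (ppp0) or
    via a more specific route such as docker0 before blaming the VPN.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in parse_route_n(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


def kernel_series(release):
    """Major.minor from a `uname -r` string, e.g. '4.11.2-1-ARCH' -> (4, 11)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def icmp_probe(host):
    """One ICMP echo with a 3 s wait; True if answered (ping in post #2)."""
    rc = subprocess.run(["ping", "-c", "1", "-W", "3", host],
                        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    return rc == 0


def tcp_handshake(host, port, timeout=3.0):
    """Attempt a TCP three-way handshake. Returns one of:
    'open'        SYN answered with SYN/ACK
    'refused'     SYN answered with RST (the path works, nothing listens)
    'timeout'     SYN never answered: the symptom captured in post #3
    'unreachable' local error before any packet could be sent
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def classify(icmp_ok, tcp_result, release):
    """Combine the observations into the diagnosis the thread arrived at."""
    if not icmp_ok:
        return "tunnel or route down"
    if tcp_result in ("open", "refused"):
        return "tcp path healthy"
    # ICMP passes but the SYN is blackholed. Post #5 places the regression
    # in 4.11-rc3; post #3 and #4 report LTS (4.9 series) working.
    if kernel_series(release) == (4, 11):
        return "syn-blackhole on 4.11 kernel: matches the regression in this thread, try linux-lts"
    # Generic hint (my suggestion, not from the thread): same symptom is
    # also produced by a path MTU / MSS problem on the ppp interface.
    return "syn-blackhole: check MTU/MSS on ppp0 and the UDP encapsulation path"


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 22
    release = subprocess.run(["uname", "-r"], capture_output=True, text=True).stdout.strip()
    print("kernel:", release, "route:", route_lookup(
        subprocess.run(["route", "-n"], capture_output=True, text=True).stdout, host))
    print(classify(icmp_probe(host), tcp_handshake(host, port), release))
```

Run it as `python3 triage.py 172.21.2.31 22` while the VPN is up; the route lookup tells you whether the destination actually goes through ppp0 (note how 172.17.x.x on the posted table is captured by docker0 before the /8 tunnel route), and a 'timeout' paired with a successful ping reproduces the SYN-without-SYN/ACK picture from the Wireshark capture in post #3 without needing a capture.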
