Hello,
I am trying to connect to a VPN L2TP server. In order to connect to it I am using the package networkmanager-libreswan. In NetworkManager I was able to configure a connection (server IP, username, key and PSK). Unfortunately it doesn't work.
Here is some information:
$ journalctl -xe
déc. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface lo:500 40
déc. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface lo:500 fd 40
déc. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface lo:4500 39
déc. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface lo:4500 fd 39
déc. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface lo:500 38
déc. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface lo:500 fd 38
déc. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface enp3s0:4500 37
déc. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface enp3s0:4500 fd 37
déc. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface enp3s0:500 36
déc. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface enp3s0:500 fd 36
déc. 14 18:46:40 Host-001 pluto[15931]: forgetting secrets
déc. 14 18:46:40 Host-001 pluto[15931]: loading secrets from "/etc/ipsec.secrets"
déc. 14 18:46:40 Host-001 pluto[15931]: loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a.secrets"
déc. 14 18:46:40 Host-001 NetworkManager[394]: 010 "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: STATE_QUICK_I1: retransmission; will wait 1000ms for response
déc. 14 18:46:41 Host-001 NetworkManager[394]: 010 "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: STATE_QUICK_I1: retransmission; will wait 2000ms for response
déc. 14 18:46:43 Host-001 NetworkManager[394]: 010 "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: STATE_QUICK_I1: retransmission; will wait 4000ms for response
déc. 14 18:46:47 Host-001 NetworkManager[394]: 010 "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: STATE_QUICK_I1: retransmission; will wait 8000ms for response
déc. 14 18:46:49 Host-001 nm-l2tp-service[15300]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
déc. 14 18:46:49 Host-001 NetworkManager[394]: <info> [1513273609.4416] vpn-connection[0x5631b2576350,280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a,"ETNA",0]: VPN plugin: state changed: stopped (6)
déc. 14 18:46:49 Host-001 NetworkManager[394]: <info> [1513273609.4455] vpn-connection[0x5631b2576350,280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a,"ETNA",0]: VPN service disappeared
déc. 14 18:46:49 Host-001 NetworkManager[394]: <warn> [1513273609.4472] vpn-connection[0x5631b2576350,280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a,"ETNA",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
déc. 14 18:46:49 Host-001 gnome-shell[1242]: Ignoring excess values in shadow definition
déc. 14 18:46:49 Host-001 gnome-shell[1242]: Ignoring excess values in shadow definition
déc. 14 18:46:49 Host-001 gnome-shell[1242]: Ignoring excess values in shadow definition
déc. 14 18:46:49 Host-001 gnome-shell[1242]: Ignoring excess values in shadow definition
$ systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2017-12-14 18:46:39 CET; 2min 19s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 15322 ExecStopPost=/usr/bin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
Process: 15321 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
Process: 15320 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
Process: 15315 ExecStop=/usr/lib/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
Process: 15920 ExecStartPre=/usr/bin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Process: 15919 ExecStartPre=/usr/bin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 15634 ExecStartPre=/usr/lib/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 15633 ExecStartPre=/usr/lib/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Main PID: 15931 (pluto)
Status: "Startup completed."
Tasks: 12 (limit: 4915)
CGroup: /system.slice/ipsec.service
└─15931 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
déc. 14 18:46:40 Host-001 pluto[15931]: | refresh. setup callback for interface enp3s0:500 36
déc. 14 18:46:40 Host-001 pluto[15931]: | setup callback for interface enp3s0:500 fd 36
déc. 14 18:46:40 Host-001 pluto[15931]: forgetting secrets
déc. 14 18:46:40 Host-001 pluto[15931]: loading secrets from "/etc/ipsec.secrets"
déc. 14 18:46:40 Host-001 pluto[15931]: loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a.secrets"
déc. 14 18:47:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
déc. 14 18:47:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: starting keying attempt 2 of an unlimited number, but releasing whack
déc. 14 18:47:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #3: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #2 {using isakmp#1 msgid:418233d1 proposal=3DES(3)_000-SHA1(2) pfsgroup=no-pfs}
déc. 14 18:47:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: deleting state (STATE_QUICK_I1)
déc. 14 18:48:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #3: deleting state (STATE_QUICK_I1)
$ ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.21 (netkey) on 4.14.5-1-ARCH
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/wlp0s20f0u13/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [UNKNOWN]
(run ipsec verify as root to test ipsec.secrets)
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
$ systemctl status xl2tpd
● xl2tpd.service - Level 2 Tunnel Protocol Daemon (L2TP)
Loaded: loaded (/usr/lib/systemd/system/xl2tpd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-12-13 22:07:26 CET; 49min ago
Main PID: 1066 (xl2tpd)
Tasks: 1 (limit: 4915)
CGroup: /system.slice/xl2tpd.service
└─1066 /usr/bin/xl2tpd -D
archlinux systemd[1]: Started Level 2 Tunnel Protocol Daemon (L2TP).
archlinux xl2tpd[1066]: xl2tpd[1066]: setsockopt recvref[30]: Protocol not available
archlinux xl2tpd[1066]: xl2tpd[1066]: Using l2tp kernel support.
archlinux xl2tpd[1066]: xl2tpd[1066]: xl2tpd version xl2tpd-1.3.10 started on archlinux PID:1066
archlinux xl2tpd[1066]: xl2tpd[1066]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
archlinux xl2tpd[1066]: xl2tpd[1066]: Forked by Scott Balmos and David Stipp, (C) 2001
archlinux xl2tpd[1066]: xl2tpd[1066]: Inherited by Jeff McAdams, (C) 2002
archlinux xl2tpd[1066]: xl2tpd[1066]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
archlinux xl2tpd[1066]: xl2tpd[1066]: Listening on IP address 0.0.0.0, port 1701
/etc/ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
# Uncomment when using this configuration file with openswan
#version 2
#
# Manual: ipsec.conf.5
config setup
# which IPsec stack to use, "netkey" (the default), "klips" or "mast".
# For MacOSX use "bsd"
protostack=netkey
#
# Normally, pluto logs via syslog. If you want to log to a file,
# specify below or to disable logging, eg for embedded systems, use
# the file name /dev/null
# Note: SElinux policies might prevent pluto writing to a log file at
# an unusual location.
#logfile=/var/log/pluto.log
#
# Do not enable debug options to debug configuration issues!
#
# plutodebug "all", "none" or a combination from below:
# "raw crypt parsing emitting control controlmore kernel pfkey
# natt x509 dpd dns oppo oppoinfo private".
# Note: "private" is not included with "all", as it can show confidential
# information. It must be specifically specified
# examples:
# plutodebug="control parsing"
# plutodebug="all crypt"
# Again: only enable plutodebug when asked by a developer
#plutodebug=none
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: SElinux policies might prevent pluto writing the core at
# unusual locations
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their wireless networks.
# This range has never been announced via BGP (at least up to 2015)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf
Thank you very much in advance for any help.
Last edited by Scriptor (2017-12-14 17:50:38)
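As an added example (not code from the post or from either NetworkManager plugin), the two pluto lines that matter above can be triaged mechanically: pick out which IKEv1 state the SA was stuck in, how many retransmissions it took, and which ESP proposal was offered in Quick Mode. Reaching STATE_QUICK_I1 means phase 1 (and therefore the PSK) was accepted, so a timeout there points at the phase 2 proposal rather than the key; the sample lines are copied from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: two pluto lines copied from the journal output above.
SAMPLE_LOG = """\
déc. 14 18:47:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #2: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
déc. 14 18:47:43 Host-001 pluto[15931]: "280e08c1-3c4a-47b3-8dc9-8bf778f5ef9a" #3: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #2 {using isakmp#1 msgid:418233d1 proposal=3DES(3)_000-SHA1(2) pfsgroup=no-pfs}
"""

# "#2: max number of retransmissions (8) reached STATE_QUICK_I1."
RETRANS_RE = re.compile(
    r'#(?P<sa>\d+): max number of retransmissions \((?P<n>\d+)\) reached (?P<state>STATE_\w+)')
# "{using isakmp#1 msgid:... proposal=3DES(3)_000-SHA1(2) pfsgroup=no-pfs}"
PROPOSAL_RE = re.compile(
    r'\{using isakmp#(?P<isakmp>\d+) .*?proposal=(?P<proposal>\S+) pfsgroup=(?P<pfs>\S+)\}')


@dataclass
class Triage:
    failed_state: str = ""   # pluto state the SA was stuck in, e.g. STATE_QUICK_I1
    retransmissions: int = 0
    isakmp_sa: str = ""      # set when an ISAKMP (phase 1) SA already exists
    proposal: str = ""       # ESP proposal offered in Quick Mode
    pfsgroup: str = ""

    @property
    def phase(self) -> str:
        """IKEv1 phase inferred from the state name: MAIN/AGGR = 1, QUICK = 2."""
        if self.failed_state.startswith("STATE_QUICK"):
            return "2"
        if self.failed_state.startswith(("STATE_MAIN", "STATE_AGGR")):
            return "1"
        return "?"


def triage(log: str) -> Triage:
    """Scan journal lines and collect the retransmission failure and the proposal."""
    t = Triage()
    for line in log.splitlines():
        if m := RETRANS_RE.search(line):
            t.failed_state, t.retransmissions = m["state"], int(m["n"])
        if m := PROPOSAL_RE.search(line):
            t.isakmp_sa, t.proposal, t.pfsgroup = m["isakmp"], m["proposal"], m["pfs"]
    return t


def diagnose(t: Triage) -> str:
    if t.phase == "1":
        return "phase 1 (ISAKMP) never completed: check UDP 500/4500 reachability, the PSK and the IKE proposal"
    if t.phase == "2":
        # Quick Mode only starts after phase 1 authenticated, so the PSK was accepted.
        return (f"phase 1 done (isakmp#{t.isakmp_sa}); phase 2 timed out after {t.retransmissions} "
                f"retransmissions offering {t.proposal} pfs={t.pfsgroup}: ESP proposal, PFS or "
                f"selector mismatch, not a PSK problem")
    return "no retransmission failure found"
```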
NetworkManager-libreswan is an IPsec IKEv1 with Extended Authentication (XAUTH) VPN client; it doesn't support L2TP or use xl2tpd.
If you need L2TP/IPsec, use NetworkManager-l2tp which uses xl2tpd for L2TP and libreswan or strongswan for IPsec IKEv1 (without XAUTH).
Last edited by dkosovic (2017-12-16 01:07:19)
If you use NetworkManager-l2tp, don't use kernel-4.14.x as it broke L2TP/IPsec, see:
https://bugs.archlinux.org/task/56605
You might need to stop the system xl2tpd, see:
https://github.com/nm-l2tp/network-mana … pd-service
If your VPN server is using weak and old IPsec IKEv1 algorithms, you might need to reconfigure the VPN server or specify the weak algorithms in the NetworkManager-l2tp IPsec options dialog box, see:
https://github.com/nm-l2tp/network-mana … algorithms
You can query the VPN server for what algorithms it supports by running the ike-scan.sh script on the following page:
https://github.com/nm-l2tp/network-mana … algorithms
Thank you very, very much for your answer.
I'll look into it. If it's okay, I'm not going to mark this post as "SOLVED".
Thank you very much.