
#1 2022-02-21 13:35:42

svalee
Member
Registered: 2019-01-20
Posts: 41

No internet connection when running NetworkManager-l2tp over ipsec vpn

I haven't used it for a while, but I think one of the following might be causing trouble.
1. I moved to a different place.
2. Updates. Less likely, as I downgraded packages.

UPD: I just installed a VM and was able to use the VPN just fine on Ubuntu. So it's probably not a problem with the local internet connection.

I can connect to the VPN, but after that anything on the internet is unreachable.
Here's my config for the VPN

connection.id:                          spotonf
connection.uuid:                        e538212d-b7e2-4180-bab9-cabfaa3bf65f
connection.stable-id:                   --
connection.type:                        vpn
connection.interface-name:              --
connection.autoconnect:                 yes
connection.autoconnect-priority:        0
connection.autoconnect-retries:         -1 (default)
connection.multi-connect:               0 (default)
connection.auth-retries:                -1
connection.timestamp:                   1645449565
connection.read-only:                   no
connection.permissions:                 --
connection.zone:                        --
connection.master:                      --
connection.slave-type:                  --
connection.autoconnect-slaves:          -1 (default)
connection.secondaries:                 --
connection.gateway-ping-timeout:        0
connection.metered:                     unknown
connection.lldp:                        default
connection.mdns:                        -1 (default)
connection.llmnr:                       -1 (default)
connection.dns-over-tls:                -1 (default)
connection.wait-device-timeout:         -1
ipv4.method:                            auto
ipv4.dns:                               8.8.8.8,8.8.4.4
ipv4.dns-search:                        --
ipv4.dns-options:                       --
ipv4.dns-priority:                      0
ipv4.addresses:                         --
ipv4.gateway:                           --
ipv4.routes:                            { ip = **, mt = 40 }; { ip = **,, mt = 40 }; { ip = **,, mt = 40 }; { ip = **,, mt = 40 }
ipv4.route-metric:                      -1
ipv4.route-table:                       0 (unspec)
ipv4.routing-rules:                     --
ipv4.ignore-auto-routes:                no
ipv4.ignore-auto-dns:                   no
ipv4.dhcp-client-id:                    --
ipv4.dhcp-iaid:                         --
ipv4.dhcp-timeout:                      0 (default)
ipv4.dhcp-send-hostname:                yes
ipv4.dhcp-hostname:                     --
ipv4.dhcp-fqdn:                         --
ipv4.dhcp-hostname-flags:               0x0 (none)
ipv4.never-default:                     yes
ipv4.may-fail:                          yes
ipv4.required-timeout:                  -1 (default)
ipv4.dad-timeout:                       -1 (default)
ipv4.dhcp-vendor-class-identifier:      --
ipv4.dhcp-reject-servers:               --
ipv6.method:                            auto
ipv6.dns:                               --
ipv6.dns-search:                        --
ipv6.dns-options:                       --
ipv6.dns-priority:                      0
ipv6.addresses:                         --
ipv6.gateway:                           --
ipv6.routes:                            --
ipv6.route-metric:                      -1
ipv6.route-table:                       0 (unspec)
ipv6.routing-rules:                     --
ipv6.ignore-auto-routes:                no
ipv6.ignore-auto-dns:                   no
ipv6.never-default:                     no
ipv6.may-fail:                          yes
ipv6.required-timeout:                  -1 (default)
ipv6.ip6-privacy:                       -1 (unknown)
ipv6.addr-gen-mode:                     stable-privacy
ipv6.ra-timeout:                        0 (default)
ipv6.dhcp-duid:                         --
ipv6.dhcp-iaid:                         --
ipv6.dhcp-timeout:                      0 (default)
ipv6.dhcp-send-hostname:                yes
ipv6.dhcp-hostname:                     --
ipv6.dhcp-hostname-flags:               0x0 (none)
ipv6.token:                             --
vpn.service-type:                       org.freedesktop.NetworkManager.l2tp
vpn.user-name:                          --
vpn.data:                               gateway = ***, ipsec-enabled = yes, ipsec-forceencaps = yes, ipsec-psk = ***, mru = 1400, mtu = 1400, password-flags = 0, user = ***
vpn.secrets:                            <hidden>
vpn.persistent:                         no
vpn.timeout:                            0
proxy.method:                           none
proxy.browser-only:                     no
proxy.pac-url:                          --
proxy.pac-script:                       --

Also, I would expect that ipv4.never-default being true would mean that the VPN is only used for the addresses in this network; am I wrong?

Here's the output from NetworkManager-l2tp

sudo /usr/lib/NetworkManager/nm-l2tp-service --debug  
[sudo] password for paulefou:                                      
nm-l2tp[1459635] <debug> nm-l2tp-service (version 1.8.6) starting...
nm-l2tp[1459635] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[1459635] <info>  ipsec enable flag: yes
** Message: 20:18:06.252: Check port 1701
connection
	id : 'spotonf'
	permissions : []
	timestamp : 1645445512
	type : 'vpn'
	uuid : 'e538212d-b7e2-4180-bab9-cabfaa3bf65f'

vpn
	data : {'gateway': '***', 'ipsec-enabled': 'yes', 'ipsec-forceencaps': 'yes', 'ipsec-psk': '***', 'mru': '1400', 'mtu': '1400', 'password-flags': '0', 'user': '***'}
	secrets : {'ipsec-psk': '***', 'password': '***'}
	service-type : 'org.freedesktop.NetworkManager.l2tp'

ipv4
	address-data : []
	dns : [134744072, 67373064]
	dns-search : []
	method : 'auto'
	never-default : true
	route-data : [{'dest': <'***'>, 'prefix': <uint32 32>, 'metric': <uint32 40>}, {'dest': <'***'>, 'prefix': <uint32 32>, 'metric': <uint32 40>}, {'dest': <'***'>, 'prefix': <uint32 32>, 'metric': <uint32 40>}, {'dest': <'***'>, 'prefix': <uint32 32>, 'metric': <uint32 40>}]

ipv6
	address-data : []
	dns-search : []
	method : 'auto'
	route-data : []

proxy

nm-l2tp[1459635] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.9.4 IPsec [starter]...
Loading config setup
Loading conn 'e538212d-b7e2-4180-bab9-cabfaa3bf65f'
nm-l2tp[1459635] <info>  Spawned ipsec up script with PID 1460009.
initiating Main Mode IKE_SA e538212d-b7e2-4180-bab9-cabfaa3bf65f[1] to ***
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from *myip*[500] to ***[500] (532 bytes)
received packet: from ***[500] to *myip*[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from *myip*[500] to ***[500] (244 bytes)
received packet: from ***[500] to *myip*[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from *myip*[4500] to ***[4500] (68 bytes)
received packet: from ***[4500] to *myip*[4500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA e538212d-b7e2-4180-bab9-cabfaa3bf65f[1] established between *myip*[*myip*]...***[***]
scheduling reauthentication in 9856s
maximum IKE_SA lifetime 10396s
generating QUICK_MODE request 587227660 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from *myip*[4500] to ***[4500] (244 bytes)
received packet: from ***[4500] to *myip*[4500] (180 bytes)
parsed QUICK_MODE response 587227660 [ HASH SA No ID ID NAT-OA NAT-OA ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA e538212d-b7e2-4180-bab9-cabfaa3bf65f{1} established with SPIs c51b9ef6_i 028ba8f3_o and TS *myip*/32[udp/l2f] === ***/32[udp/l2f]
generating QUICK_MODE request 587227660 [ HASH ]
connection 'e538212d-b7e2-4180-bab9-cabfaa3bf65f' established successfully
nm-l2tp[1459635] <info>  strongSwan IPsec tunnel is up.
** Message: 20:18:10.799: xl2tpd started with pid 1460018
xl2tpd[1460018]: Not looking for kernel SAref support.
xl2tpd[1460018]: Using l2tp kernel support.
xl2tpd[1460018]: xl2tpd version xl2tpd-1.3.16 started on halee PID:1460018
xl2tpd[1460018]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[1460018]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[1460018]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[1460018]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[1460018]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[1460018]: get_call: allocating new tunnel for host ***, port 1701.
xl2tpd[1460018]: Connecting to host ***, port 1701
xl2tpd[1460018]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[1460018]: control_finish: sending SCCRQ
xl2tpd[1460018]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[1460018]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[1460018]: framing_caps_avp: supported peer frames: async sync
xl2tpd[1460018]: bearer_caps_avp: supported peer bearers: analog digital
xl2tpd[1460018]: firmware_rev_avp: peer reports firmware version 264 (0x0108)
xl2tpd[1460018]: hostname_avp: peer reports hostname 'mE0CBBC046F9D'
xl2tpd[1460018]: vendor_avp: peer reports vendor 'Katalix Systems Ltd. Linux-3.18.66-meraki-x86 (x86_64)'
xl2tpd[1460018]: assigned_tunnel_avp: using peer's tunnel 18407
xl2tpd[1460018]: receive_window_size_avp: peer wants RWS of 10.  Will use flow control.
xl2tpd[1460018]: control_finish: message type is Start-Control-Connection-Reply(2).  Tunnel is 18407, call is 0.
xl2tpd[1460018]: control_finish: sending SCCCN
xl2tpd[1460018]: Connection established to ***, 1701.  Local: 7159, Remote: 18407 (ref=0/0).
xl2tpd[1460018]: Calling on tunnel 7159
xl2tpd[1460018]: control_finish: message type is (null)(0).  Tunnel is 18407, call is 0.
xl2tpd[1460018]: control_finish: sending ICRQ
xl2tpd[1460018]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[1460018]: assigned_call_avp: using peer's call 35373
xl2tpd[1460018]: control_finish: message type is Incoming-Call-Reply(11).  Tunnel is 18407, call is 35373.
xl2tpd[1460018]: control_finish: Sending ICCN
xl2tpd[1460018]: Call established with ***, Local: 58972, Remote: 35373, Serial: 1 (ref=0/0)
xl2tpd[1460018]: start_pppd: I'm running: 
xl2tpd[1460018]: "/usr/sbin/pppd" 
xl2tpd[1460018]: "plugin" 
xl2tpd[1460018]: "pppol2tp.so" 
xl2tpd[1460018]: "pppol2tp" 
xl2tpd[1460018]: "7" 
xl2tpd[1460018]: "passive" 
xl2tpd[1460018]: "nodetach" 
xl2tpd[1460018]: ":" 
xl2tpd[1460018]: "debug" 
xl2tpd[1460018]: "file" 
xl2tpd[1460018]: "/var/run/nm-l2tp-e538212d-b7e2-4180-bab9-cabfaa3bf65f/ppp-options" 
xl2tpd[1460018]: message_type_avp: message type 16 (Set-Link-Info)
xl2tpd[1460018]: ignore_avp : Ignoring AVP
xl2tpd[1460018]: control_finish: message type is Set-Link-Info(16).  Tunnel is 18407, call is 35373.
nm-l2tp[1459635] <info>  Terminated xl2tpd daemon with PID 1460018.
xl2tpd[1460018]: death_handler: Fatal signal 15 received
xl2tpd[1460018]: Terminating pppd: sending TERM signal to pid 1460021
xl2tpd[1460018]: Connection 18407 closed to ***, port 1701 (Server closing)
Stopping strongSwan IPsec...
** Message: 20:19:26.071: ipsec shut down
nm-l2tp[1459635] <warn>  xl2tpd exited with error code 1
Stopping strongSwan IPsec failed: starter is not running
** Message: 20:19:26.078: ipsec shut down

Last edited by svalee (2022-02-21 14:30:48)


#2 2022-02-21 22:02:24

dkosovic
Member
Registered: 2017-12-16
Posts: 21

Re: No internet connection when running NetworkManager-l2tp over ipsec vpn

Are you trying to do VPN split tunneling? i.e. "Use this connection only for resources on its network" checkbox is selected in the IPv4 settings. I'm not sure if this setting is what corresponds to `ipv4.never-default`, but suspect it is. If you change it to 'no' or unselect the checkbox so all traffic goes over the VPN, does it work? The default is to route all traffic over the VPN.

I'm not sure if you are having a DNS issue or a routing issue with the VPN connection. Are you able to do a DNS lookup of anything on the Internet, such as `nslookup bbs.archlinux.org`? Are you able to ping the IP address of anything on the same network as the VPN server?

If you are trying to do VPN split tunneling, you may need to manually configure the routing table to get beyond the VPN gateway; you can configure the routing in the IPv4 GUI settings. I also have no idea if the VPN server's DHCP you are using is using DHCP option 121 (or maybe even option 33) to push the routes to the VPN clients, and if the Arch Linux DHCP client supports DHCP option 121.

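As an added example (not from any poster in this thread), the two data formats the discussion above touches on: the packed uint32 DNS entries NetworkManager prints in the dumps (`dns : [134744072, 67373064]`), and a DHCP option 121 (RFC 3442 classless static routes) payload of the kind dkosovic mentions, parsed to see whether the server actually pushes a default route. The option 121 payloads are constructed samples; decoding the DNS ints assumes the dump came from a little-endian host, as here.

```python
"""Decode NetworkManager's packed IPv4 DNS list and RFC 3442 option 121 routes."""
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

Route = Tuple[IPv4Network, IPv4Address]


def nm_dns_to_dotted(values: List[int]) -> List[str]:
    """NetworkManager stores ipv4.dns as uint32 in network byte order, so the
    integer printed on a little-endian host is the address bytes read as '<I'.
    134744072 == 0x08080808 -> 8.8.8.8 ; 67373064 == 0x04040808 -> 8.8.4.4."""
    return [str(IPv4Address(struct.pack("<I", v))) for v in values]


def parse_classless_static_routes(payload: bytes) -> List[Route]:
    """Parse DHCP option 121 (RFC 3442): a sequence of
    <prefix-len (1 byte)> <significant destination octets> <router (4 bytes)>.
    Only ceil(prefix-len / 8) destination octets are present on the wire."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i - 1}")
        nbytes = (plen + 7) // 8
        if i + nbytes + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = bytes(payload[i:i + nbytes]) + b"\x00" * (4 - nbytes)
        i += nbytes
        router = IPv4Address(bytes(payload[i:i + 4]))
        i += 4
        # strict=False: a server may send host bits in the significant octets
        net = IPv4Network((str(IPv4Address(dest)), plen), strict=False)
        routes.append((net, router))
    return routes


def has_default_route(routes: List[Route]) -> bool:
    """True if any pushed route is 0.0.0.0/0, i.e. the server wants all
    traffic through the VPN rather than a split tunnel."""
    return any(net.prefixlen == 0 for net, _ in routes)


# Constructed sample: a split-tunnel server pushing two internal prefixes
# via the VPN gateway 10.8.0.1 and no default route.
SPLIT_TUNNEL_OPTION_121 = (
    b"\x08" + b"\x0a" + b"\x0a\x08\x00\x01"           # 10.0.0.0/8 via 10.8.0.1
    + b"\x18" + b"\xc0\xa8\x64" + b"\x0a\x08\x00\x01"  # 192.168.100.0/24 via 10.8.0.1
)

# Constructed sample: a full-tunnel server pushing only 0.0.0.0/0
# (prefix length 0 carries zero destination octets).
FULL_TUNNEL_OPTION_121 = b"\x00" + b"\x0a\x08\x00\x01"


def describe(payload: bytes) -> str:
    """Human-readable summary used when eyeballing what a server pushed."""
    routes = parse_classless_static_routes(payload)
    lines = [f"  {net} via {router}" for net, router in routes]
    kind = "full tunnel" if has_default_route(routes) else "split tunnel"
    return f"{kind}:\n" + "\n".join(lines)


if __name__ == "__main__":
    print("dns:", nm_dns_to_dotted([134744072, 67373064]))
    print(describe(SPLIT_TUNNEL_OPTION_121))
    print(describe(FULL_TUNNEL_OPTION_121))
```

If the server pushes no default route and `ipv4.never-default` is also set, nothing on the client will ever send Internet-bound traffic into the tunnel, which matches the symptom in the first post.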

#3 2022-03-03 09:17:10

svalee
Member
Registered: 2019-01-20
Posts: 41

Re: No internet connection when running NetworkManager-l2tp over ipsec vpn

Hi, sorry for the late reply. I was a little bit busy with some personal issues.

dkosovic wrote:
Are you trying to do VPN split tunneling? i.e. "Use this connection only for resources on its network" checkbox is selected in the IPv4 settings. I'm not sure if this setting is what corresponds to `ipv4.never-default`, but suspect it is. If you change it to 'no' or unselect the checkbox so all traffic goes over the VPN, does it work? The default is to route all traffic over the VPN.

I've tried both ways, the result is the same.

dkosovic wrote:
are you able to do a DNS lookup of anything on the Internet such as `nslookup bbs.archlinux.org` ?

No

nslookup bbs.archlinux.org
;; connection timed out; no servers could be reached

dkosovic wrote:
Are you able to ping the IP address of anything on the same network as the VPN server?

Left it for the future, as I don't know any resource that exists only inside the VPN network.


dkosovic wrote:
If you are trying to do VPN split tunneling, you may need to manually configure the routing table to get beyond the VPN gateway, you can configure the routing in the IPv4 GUI settings

I've only tried to do it to localize the problem. I can send all traffic through VPN, that's okay.

dkosovic wrote:
I also have no idea if the VPN server's DHCP you are using is using DHCP option 121 (or maybe even option 33) to push the routes to the VPN clients and if the Arch Linux DHCP client supports DHCP option 121.

That one I have no idea about either, but it works for me on Ubuntu.

Also, with the update to 1.20 I can no longer connect to the VPN. I guess that is a separate issue, but do you think it would be helpful to do further debugging on the new version, or to try to fix the old version?

Here's the output for the newer version

sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[7954] <debug> nm-l2tp-service (version 1.20.0) starting...        
nm-l2tp[7954] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[7954] <info>  ipsec enable flag: yes
** Message: 16:10:15.713: Check port 1701
connection
	id : 'spotonf'
	permissions : []
	timestamp : 1645445512
	type : 'vpn'
	uuid : 'e538212d-b7e2-4180-bab9-cabfaa3bf65f'

vpn
	data : {'gateway': '*gateway-ip*', 'ipsec-enabled': 'yes', 'ipsec-forceencaps': 'yes', 'ipsec-psk': '*secret*', 'mru': '1400', 'mtu': '1400', 'password-flags': '0', 'user': '*username*'}
	secrets : {'ipsec-psk': '*secret*', 'password': '*password*'}
	service-type : 'org.freedesktop.NetworkManager.l2tp'

ipv4
	address-data : []
	dns : [134744072, 67373064]
	dns-search : []
	method : 'auto'
	never-default : true
	route-data : [{'dest': <'*ip*'>, 'prefix': <uint32 32>, 'metric': <uint32 40>}, {'dest': <'*ip*'>, 'prefix': <uint32 32>, 'metric': <uint32 40>}, {'dest': <'*ip*'>, 'prefix': <uint32 32>, 'metric': <uint32 40>}, {'dest': <'*ip*'>, 'prefix': <uint32 32>, 'metric': <uint32 40>}]

ipv6
	address-data : []
	dns-search : []
	method : 'auto'
	route-data : []

proxy

nm-l2tp[7954] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.9.5 IPsec [starter]...
Loading config setup
Loading conn 'e538212d-b7e2-4180-bab9-cabfaa3bf65f'
nm-l2tp[7954] <info>  Spawned ipsec up script with PID 8013.
initiating Main Mode IKE_SA e538212d-b7e2-4180-bab9-cabfaa3bf65f[1] to *gateway-ip*
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from *my-ip*[500] to *gateway-ip*[500] (532 bytes)
received packet: from *gateway-ip*[500] to *my-ip*[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from *my-ip*[500] to *gateway-ip*[500] (244 bytes)
received packet: from *gateway-ip*[500] to *my-ip*[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from *my-ip*[4500] to *gateway-ip*[4500] (68 bytes)
received packet: from *gateway-ip*[4500] to *my-ip*[4500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA e538212d-b7e2-4180-bab9-cabfaa3bf65f[1] established between *my-ip*[*my-ip*]...*gateway-ip*[*gateway-ip*]
scheduling reauthentication in 10226s
maximum IKE_SA lifetime 10766s
generating QUICK_MODE request 695058390 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from *my-ip*[4500] to *gateway-ip*[4500] (244 bytes)
received packet: from *gateway-ip*[4500] to *my-ip*[4500] (180 bytes)
parsed QUICK_MODE response 695058390 [ HASH SA No ID ID NAT-OA NAT-OA ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA e538212d-b7e2-4180-bab9-cabfaa3bf65f{1} established with SPIs c0441cc7_i 03ee3408_o and TS *my-ip*/32[udp/l2f] === *gateway-ip*/32[udp/l2f]
generating QUICK_MODE request 695058390 [ HASH ]
connection 'e538212d-b7e2-4180-bab9-cabfaa3bf65f' established successfully
nm-l2tp[7954] <info>  strongSwan IPsec tunnel is up.
** Message: 16:10:20.040: kl2tpd started with pid 8022
level=info tunnel_name=t1 session_name=s1 message="new dynamic session" session_id=61989 peer_session_id=0 pseudowire=7
level=info tunnel_name=t1 message="new dynamic tunnel" version=2 encap=UDP local=0.0.0.0:1701 peer=*gateway-ip*:1701 tunnel_id=53441 peer_tunnel_id=0
level=debug tunnel_name=t1 message="fsm event" event=open
level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeSccrq
level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeSccrq ns=0 nr=0 isRetransmit=false
level=debug tunnel_name=t1 function=transport message="socket recv" length=151
level=debug tunnel_name=t1 function=transport message=recv message_type=avpMsgTypeSccrp
level=debug tunnel_name=t1 function=transport message="send complete" message_type=avpMsgTypeSccrq error=null
level=debug tunnel_name=t1 message="fsm event" event=newsession
level=debug tunnel_name=t1 message="fsm event" event=sccrp
level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeScccn
level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeScccn ns=1 nr=1 isRetransmit=false
level=debug tunnel_name=t1 function=transport message="socket recv" length=12
level=debug tunnel_name=t1 function=transport message="send complete" message_type=avpMsgTypeScccn error=null
level=info tunnel_name=t1 message="control plane established"
level=info tunnel_name=t1 message="data plane established"
level=debug tunnel_name=t1 session_name=s1 message="fsm event" event=tunnelopen
level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeIcrq
level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeIcrq ns=2 nr=1 isRetransmit=false
level=debug tunnel_name=t1 function=transport message="socket recv" length=28
level=debug tunnel_name=t1 function=transport message=recv message_type=avpMsgTypeIcrp
level=debug tunnel_name=t1 message="fsm event" event=sessionmsg
level=debug tunnel_name=t1 function=transport message="send complete" message_type=avpMsgTypeIcrq error=null
level=debug tunnel_name=t1 session_name=s1 message="fsm event" event=icrp
level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeIccn
level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeIccn ns=3 nr=2 isRetransmit=false
level=debug tunnel_name=t1 function=transport message="socket recv" length=34
level=error tunnel_name=t1 function=transport message="frame receive failed" error="malformed header: length 53441 exceeds buffer bounds of 30"
level=debug tunnel_name=t1 function=transport message="socket recv" length=12
level=debug tunnel_name=t1 function=transport message="send complete" message_type=avpMsgTypeIccn error=null
level=info tunnel_name=t1 session_name=s1 message="control plane established"
level=info tunnel_name=t1 session_name=s1 message="data plane established"
level=info message="session up" tunnel_name=t1 session_name=s1 tunnel_id=53441 session_id=61989 peer_tunnel_id=62463 peer_session_id=26344
level=debug tunnel_name=t1 function=transport message="socket recv" length=36
level=debug tunnel_name=t1 function=transport message=recv message_type=avpMsgTypeSli
level=error tunnel_name=t1 message="bad control message" message_type=avpMsgTypeSli error="no specification for v2 message avpMsgTypeSli"
level=debug tunnel_name=t1 message="fsm event" event=close
level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeStopccn
level=debug tunnel_name=t1 function=transport message=send message_type=avpMsgTypeStopccn ns=4 nr=3 isRetransmit=false
level=debug tunnel_name=t1 function=transport message="socket recv" length=36
level=debug tunnel_name=t1 function=transport message=recv message_type=avpMsgTypeCdn
level=debug tunnel_name=t1 function=transport message="send complete" message_type=avpMsgTypeStopccn error=null
level=info message="session down" result= tunnel_name=t1 session_name=s1 tunnel_id=53441 session_id=61989 peer_tunnel_id=62463 peer_session_id=26344
level=info message="killing pseudowire"
level=info tunnel_name=t1 session_name=s1 message=close
level=error tunnel_name=t1 function=transport message="socket read failed" error="use of closed file"
level=error tunnel_name=t1 function=transport message="transport down" error="transport shut down by user"
level=info tunnel_name=t1 message=close
level=error tunnel_name=t1 message="unhandled v2 control message" message_type=avpMsgTypeSli
level=debug tunnel_name=t1 message="fsm event" event=close
level=error tunnel_name=t1 message="failed to handle fsm event" error="no transition defined for event close in state dead"
nm-l2tp[7954] <info>  Terminated kl2tpd daemon with PID 8022.
level=info message="received signal, shutting down"
Stopping strongSwan IPsec...
level=error message="pppd exited with an error code" error="exit status 16" error_message="the link was terminated by the modem hanging up"
level=info message="graceful shutdown complete"
level=info message="pseudowire terminated"
** Message: 16:10:31.554: ipsec shut down
Stopping strongSwan IPsec failed: starter is not running
** Message: 16:10:31.569: ipsec shut down


#4 2022-03-03 11:59:31

-thc
Member
Registered: 2017-03-15
Posts: 209

Re: No internet connection when running NetworkManager-l2tp over ipsec vpn

svalee wrote:
level=error tunnel_name=t1 function=transport message="frame receive failed" error="malformed header: length 53441 exceeds buffer bounds of 30"
[...]
level=error tunnel_name=t1 message="bad control message" message_type=avpMsgTypeSli error="no specification for v2 message avpMsgTypeSli"

Did you notice that these two errors appeared in your thread from last April in nearly exactly the same way?


#5 2022-03-04 08:19:48

svalee
Member
Registered: 2019-01-20
Posts: 41

Re: No internet connection when running NetworkManager-l2tp over ipsec vpn

I did not, thanks. However, last time it was misconfiguration, this time config is the same, but on the newer version, I can't connect to the VPN.


#6 2022-03-04 10:29:07

-thc
Member
Registered: 2017-03-15
Posts: 209

Re: No internet connection when running NetworkManager-l2tp over ipsec vpn

I just had a look at the dependencies of NetworkManager-l2tp and the corresponding Wiki page.

This is way too complicated for me. I'm reminded of the Bruce Schneier quote:

In our opinion, IPSec is too complicated to be secure.

I would suggest downgrading again and solving the routing problem.

Last edited by -thc (2022-03-04 12:00:08)


#7 2022-03-22 12:44:02

dkosovic
Member
Registered: 2017-12-16
Posts: 21

Re: No internet connection when running NetworkManager-l2tp over ipsec vpn

There is an upstream NetworkManager 1.36 routing table bug which breaks VPN split tunneling connections:
https://gitlab.freedesktop.org/NetworkM … issues/946

You might be having a kl2tpd issue with NetworkManager-l2tp version 1.20.0 which you don't have with earlier versions which would be using xl2tpd. You could try renaming or removing `/usr/local/bin/kl2tpd` to force it to use xl2tpd.


#8 2022-03-29 02:54:50

dkosovic
Member
Registered: 2017-12-16
Posts: 21

Re: No internet connection when running NetworkManager-l2tp over ipsec vpn

I ended up setting up a VM with Arch Linux. As mentioned in the upstream bug report:
https://gitlab.freedesktop.org/NetworkM … issues/946

the NetworkManager 1.36 issue is due to a bug with the Arch Linux strongswan package, as I wasn't able to reproduce the issue when I switched to the AUR libreswan package nor when I used Fedora 36 and strongswan. Fedora 36 has disabled a number of strongswan features that are too broken to enable, while the Arch Linux strongswan package still has them enabled.

That routing issue I previously mentioned was for network-manager 1.36.2 on Debian Sid, so may or may not have been applicable to Arch Linux, but 1.36.4 definitely doesn't have the routing issue.
