NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

NetworkManager with L2TP and IPSec VPN is tricky to configure under sway, and sometimes doesn't work #64965

Closed grahamc closed 3 weeks ago

grahamc commented 5 years ago

Issue description

Phew, a big title! Trying to write down as much as I can before I forget.

First, the last part:

and sometimes doesn't work

If /etc/ipsec.secrets doesn't exist, sudo journalctl -f will show charon failing like:

charon[16135]: 06[CFG] expanding file expression '/etc/ipsec.secrets' failed
NetworkManager[4497]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
NetworkManager[4497]: no shared key found for 10.5.4.128 - 4.53.22.116
NetworkManager[4497]: generating INFORMATIONAL_V1 request 747574675 [ N(INVAL_KE) ]

sudo touch /etc/ipsec.secrets fixes this problem.

NixOS should probably create this file. I'm not sure if this file should be writable or not. When it exists, I have only ever seen it contain:

include ipsec.d/ipsec.nm-l2tp.secrets

I don't know what writes that there.


Now for

NetworkManager with L2TP and IPSec VPN is tricky to configure under sway

nmtui can't edit L2TP VPNs, but nix-shell -p networkmanagerapplet --run nm-connection-editor (GUI) can, even though nm-applet doesn't work under sway.


If you see this in the system logs:

NetworkManager[4497]: generating ID_PROT request 0 [ SA V V V V V ]
NetworkManager[4497]: sending packet: from LOCALIP[500] to REMOTEIP[500] (204 bytes)
NetworkManager[4497]: sending retransmit 1 of request message ID 0, seq 1
NetworkManager[4497]: sending packet: from LOCALIP[500] to REMOTEIP[500] (204 bytes)
NetworkManager[4497]: destroying IKE_SA in state CONNECTING without notification
NetworkManager[4497]: establishing connection 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' failed
ipsec_starter[20328]: child 20329 (charon) has quit (exit code 0)

try enabling "legacy proposals" in nm-connection-editor's IPSec Settings and try again.

Technical details
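As an added illustration (not code from this issue, nixpkgs, NetworkManager or strongSwan): a small POSIX shell triage that sorts a journalctl excerpt into the two failure modes described in the report above, the missing /etc/ipsec.secrets include (charon reports "expanding file expression ... failed" and then "no shared key found") and the peer that never answers IKE main mode (retransmits, then "destroying IKE_SA in state CONNECTING without notification"). The matched strings are the exact charon messages quoted in the thread; the sample excerpts, addresses, PIDs and the weak-proposal line are constructed. The second function goes beyond the thread's "legacy proposals" remark and flags negotiated IKE algorithms (MD5, 3DES, MODP groups below 2048 bits) that a hardened gateway should not accept.

```shell
#!/bin/sh
# Added example for this thread, not code from nixpkgs, NetworkManager or
# strongSwan. Usage on a live system:
#   journalctl -b -u NetworkManager | classify_l2tp_failure
#   journalctl -b -u NetworkManager | check_proposal

# Reads log text on stdin, prints one diagnosis line and returns 0 when a
# known failure pattern matched, 1 otherwise.
classify_l2tp_failure() {
    log=$(cat)
    # Mode 1: charon could not include /etc/ipsec.secrets, so the PSK that
    # nm-l2tp writes to ipsec.d/ipsec.nm-l2tp.secrets is never loaded and
    # IKE main mode ends with an INVAL_KE notification.
    if printf '%s\n' "$log" | grep -q "expanding file expression '/etc/ipsec.secrets' failed" &&
       printf '%s\n' "$log" | grep -q 'no shared key found for'; then
        echo "missing-secrets-file: /etc/ipsec.secrets is absent; create it containing 'include ipsec.d/ipsec.nm-l2tp.secrets'"
        return 0
    fi
    # Mode 2: the first ID_PROT request was retransmitted and the IKE_SA was
    # torn down without a single parsed response, i.e. the peer never answered
    # the offered proposals (or UDP/500 is blocked on the path).
    if printf '%s\n' "$log" | grep -q 'sending retransmit' &&
       printf '%s\n' "$log" | grep -q 'destroying IKE_SA in state CONNECTING without notification' &&
       ! printf '%s\n' "$log" | grep -q 'parsed ID_PROT response'; then
        echo "no-ike-response: peer did not answer IKE main mode; try legacy proposals in the IPsec settings or check reachability of UDP/500"
        return 0
    fi
    echo "unknown: no known failure pattern matched"
    return 1
}

# Reads log text on stdin, extracts the first negotiated IKE proposal and
# flags algorithms that should not be accepted from a modern peer.
# Returns 0 for a clean proposal, 1 when a weak algorithm is present,
# 2 when no proposal was negotiated at all.
check_proposal() {
    proposal=$(sed -n 's/.*selected proposal: IKE:\([^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$proposal" ]; then
        echo "no IKE proposal negotiated"
        return 2
    fi
    weak=""
    for alg in MD5 3DES MODP_768 MODP_1024; do
        case "$proposal" in
            *"$alg"*) weak="$weak $alg" ;;
        esac
    done
    if [ -n "$weak" ]; then
        echo "weak:$weak in $proposal"
        return 1
    fi
    echo "ok: $proposal"
    return 0
}

# Constructed sample excerpts, condensed from the log shapes quoted in this
# thread, with documentation-range addresses; these are not real captures.
SAMPLE_MISSING_SECRETS="charon[2059]: 13[CFG] loading secrets from '/nix/store/<hash>-strongswan/etc/ipsec.secrets'
charon[2059]: 13[CFG] expanding file expression '/etc/ipsec.secrets' failed
charon[2059]: 03[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon[2059]: 04[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon[2059]: 04[IKE] no shared key found for 192.0.2.10 - 198.51.100.1
charon[2059]: 04[ENC] generating INFORMATIONAL_V1 request 1193606320 [ N(INVAL_KE) ]"

SAMPLE_NO_RESPONSE="NetworkManager[4497]: generating ID_PROT request 0 [ SA V V V V V ]
NetworkManager[4497]: sending packet: from 192.0.2.10[500] to 198.51.100.1[500] (204 bytes)
NetworkManager[4497]: sending retransmit 1 of request message ID 0, seq 1
NetworkManager[4497]: destroying IKE_SA in state CONNECTING without notification
NetworkManager[4497]: establishing connection 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' failed"

# Constructed weak proposal (not from the thread) to exercise check_proposal.
SAMPLE_WEAK_PROPOSAL="charon[2059]: 03[CFG] selected proposal: IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024"

# Run the constructed samples when executed directly.
printf '%s\n' "$SAMPLE_MISSING_SECRETS" | classify_l2tp_failure
printf '%s\n' "$SAMPLE_NO_RESPONSE" | classify_l2tp_failure
printf '%s\n' "$SAMPLE_MISSING_SECRETS" | check_proposal
```

The classifier checks the missing-secrets pattern first because a run that fails that way still contains a parsed ID_PROT response, so it never looks like the silent-peer case; the silent-peer case additionally requires that no response was parsed at all, which separates it from ordinary retransmits on a slow link.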

grahamc commented 5 years ago

Side note, how do I know for sure sudo touch /etc/ipsec.secrets fixes it? I erased my / dozens of times nailing it down, reproducing it to exactly this.

worldofpeace commented 5 years ago

@grahamc I think the strongswan module creates that file and the actual L2TP plugin appends that line to this file.

I figured that out in https://github.com/NixOS/nixpkgs/pull/64835#issuecomment-511603831

grahamc commented 5 years ago

Nice find that the strongswan module does create that file!

I don't have the strongswan module enabled, it seems something else in the stack would periodically create this file?

worldofpeace commented 5 years ago

I'm not sure what does create it eventually, but it appears the plugin expects the file to exist so we should just do exactly that.

environment.etc."ipsec.secrets".text = ''
  include ipsec.d/ipsec.nm-l2tp.secrets
'';

It doesn't help that it expects it to be mutable, so maybe we can handle this within the NM module to add more secrets. Though it would probably duplicate what the strongswan module does.

grahamc commented 5 years ago

@teto ^ does this make sense to you?

teto commented 5 years ago

So I just remembered about this module vpn.nix I have:

  services.strongswan = {
    enable = true;
    secrets = [
      "ipsec.d/ipsec.nm-l2tp.secrets"
    ];
  };

Maybe instead we should have the networkmanager do

environment.etc."ipsec.secrets".text = ''
  include ipsec.d/ipsec.nm-l2tp.secrets
'';

when it detects the l2tp plugin, but I am not sure how to do that. Maybe we would need to introduce a new option in networkmanager to add the nm-l2tp plugin and create the file.

I tend to connect physically to the private network and only as a last resort rely on nm-l2tp, since it tends to not work regularly and I am not sure if it's blocked by the network or some l2tp breakage.

worldofpeace commented 5 years ago

We could add an option to networkmanager in the same way there's one for strongswan: networking.networkmanager.enableStrongSwan

colonelpanic8 commented 4 years ago

@worldofpeace Was there ever any follow up on :

We could add an option to networkmanager in the same way there's one for strongswan: networking.networkmanager.enableStrongSwan

stale[bot] commented 4 years ago

Hello, I'm a bot and I thank you in the name of the community for opening this issue.

To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.

If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use Git blame or GitHub's web interface on the relevant files to find them.

Lastly, you can always ask for help at our Discourse Forum or at #nixos' IRC channel.

ivankovnatsky commented 3 years ago

I guess it's still relevant, maybe not so urgent.

This helped me big time:

  services.strongswan = {
    enable = true;
    secrets = [
      "ipsec.d/ipsec.nm-l2tp.secrets"
    ];
  };

stale[bot] commented 3 years ago

I marked this as stale due to inactivity.

cdepillabout commented 3 years ago

I just ran into this on 21.05.

Seeing a log like this:

journalctl log when starting vpn

charon[2059]: 00[CFG] loading ca certificates from '/nix/store/va01sq5aqg6p7yakvpg2zlnsdj4pm9dj-strongswan-5.8.1/etc/ipsec.d/cacerts'
charon[2059]: 00[CFG] loading aa certificates from '/nix/store/va01sq5aqg6p7yakvpg2zlnsdj4pm9dj-strongswan-5.8.1/etc/ipsec.d/aacerts'
charon[2059]: 00[CFG] loading ocsp signer certificates from '/nix/store/va01sq5aqg6p7yakvpg2zlnsdj4pm9dj-strongswan-5.8.1/etc/ipsec.d/ocspcerts'
charon[2059]: 00[CFG] loading attribute certificates from '/nix/store/va01sq5aqg6p7yakvpg2zlnsdj4pm9dj-strongswan-5.8.1/etc/ipsec.d/acerts'
charon[2059]: 00[CFG] loading crls from '/nix/store/va01sq5aqg6p7yakvpg2zlnsdj4pm9dj-strongswan-5.8.1/etc/ipsec.d/crls'
charon[2059]: 00[CFG] loading secrets from '/nix/store/va01sq5aqg6p7yakvpg2zlnsdj4pm9dj-strongswan-5.8.1/etc/ipsec.secrets'
charon[2059]: 00[CFG] expanding file expression '/etc/ipsec.secrets' failed
charon[2059]: 00[CFG] opening triplet file /nix/store/va01sq5aqg6p7yakvpg2zlnsdj4pm9dj-strongswan-5.8.1/etc/ipsec.d/triplets.dat failed: No such file or directory
charon[2059]: 00[CFG] loaded 0 RADIUS server configurations
charon[2059]: 00[CFG] no script for ext-auth script defined, disabled
charon[2059]: 00[LIB] loaded plugins: charon unbound pkcs11 aesni aes des rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert pem openssl af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac curl attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-eap xauth-pam dhcp counters
charon[2059]: 00[JOB] spawning 16 worker threads
ipsec_starter[2058]: charon (2059) started after 660 ms
charon[2059]: 11[CFG] received stroke: add connection '1c5abe1b-ebef-4658-8991-563d1d248812'
charon[2059]: 11[CFG] added configuration '1c5abe1b-ebef-4658-8991-563d1d248812'
charon[2059]: 13[CFG] rereading secrets
charon[2059]: 13[CFG] loading secrets from '/nix/store/va01sq5aqg6p7yakvpg2zlnsdj4pm9dj-strongswan-5.8.1/etc/ipsec.secrets'
charon[2059]: 13[CFG] expanding file expression '/etc/ipsec.secrets' failed
charon[2059]: 14[CFG] received stroke: initiate '1c5abe1b-ebef-4658-8991-563d1d248812'
charon[2059]: 15[IKE] initiating Main Mode IKE_SA 1c5abe1b-ebef-4658-8991-563d1d248812[1] to 123.111.111.111
charon[2059]: 15[IKE] initiating Main Mode IKE_SA 1c5abe1b-ebef-4658-8991-563d1d248812[1] to 123.111.111.111
charon[2059]: 15[ENC] generating ID_PROT request 0 [ SA V V V V V ]
charon[2059]: 15[NET] sending packet: from 192.168.1.11[500] to 123.111.111.111[500] (304 bytes)
charon[2059]: 03[NET] received packet: from 123.111.111.111[500] to 192.168.1.11[500] (204 bytes)
charon[2059]: 03[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
charon[2059]: 03[IKE] received NAT-T (RFC 3947) vendor ID
charon[2059]: 03[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
charon[2059]: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon[2059]: 03[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon[2059]: 03[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
charon[2059]: 03[IKE] received DPD vendor ID
charon[2059]: 03[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon[2059]: 03[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon[2059]: 03[NET] sending packet: from 192.168.1.11[500] to 123.111.111.111[500] (372 bytes)
charon[2059]: 04[NET] received packet: from 123.111.111.111[500] to 192.168.1.11[500] (356 bytes)
charon[2059]: 04[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon[2059]: 04[IKE] no shared key found for 192.168.1.11 - 123.111.111.111
charon[2059]: 04[ENC] generating INFORMATIONAL_V1 request 1193606320 [ N(INVAL_KE) ]
charon[2059]: 04[NET] sending packet: from 192.168.1.11[500] to 123.111.111.111[500] (56 bytes)
NetworkManager[2277]: initiating Main Mode IKE_SA 1c5abe1b-ebef-4658-8991-563d1d248812[1] to 123.111.111.111
NetworkManager[2277]: generating ID_PROT request 0 [ SA V V V V V ]
NetworkManager[2277]: sending packet: from 192.168.1.11[500] to 123.111.111.111[500] (304 bytes)
NetworkManager[2277]: received packet: from 123.111.111.111[500] to 192.168.1.11[500] (204 bytes)
NetworkManager[2277]: parsed ID_PROT response 0 [ SA V V V V V V ]
NetworkManager[2277]: received NAT-T (RFC 3947) vendor ID
NetworkManager[2277]: received draft-ietf-ipsec-nat-t-ike-03 vendor ID
NetworkManager[2277]: received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
NetworkManager[2277]: received draft-ietf-ipsec-nat-t-ike-02 vendor ID
NetworkManager[2277]: received draft-ietf-ipsec-nat-t-ike-00 vendor ID
NetworkManager[2277]: received DPD vendor ID
NetworkManager[2277]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
NetworkManager[2277]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
NetworkManager[2277]: sending packet: from 192.168.1.11[500] to 123.111.111.111[500] (372 bytes)
NetworkManager[2277]: received packet: from 123.111.111.111[500] to 192.168.1.11[500] (356 bytes)
NetworkManager[2277]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
NetworkManager[2277]: no shared key found for 192.168.1.11 - 123.111.111.111
NetworkManager[2277]: generating INFORMATIONAL_V1 request 1193606320 [ N(INVAL_KE) ]
NetworkManager[2277]: sending packet: from 192.168.1.11[500] to 123.111.111.111[500] (56 bytes)
NetworkManager[2277]: establishing connection '1c5abe1b-ebef-4658-8991-563d1d248812' failed
NetworkManager[2283]: Stopping strongSwan IPsec...
charon[2059]: 00[DMN] signal of type SIGINT received. Shutting down
ipsec_starter[2058]: child 2059 (charon) has quit (exit code 0)
ipsec_starter[2058]: 
ipsec_starter[2058]: charon stopped after 200 ms
ipsec_starter[2058]: ipsec starter stopped
nm-l2tp-service[2039]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
NetworkManager[954]:   [1633421507.6803] vpn-connection[0x24c60a0,1c5abe1b-ebef-4658-8991-563d1d248812,"my-l2tp-vpn",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
.nm-applet-wrap[1470]: Failed to show notification: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Notifications was not provided by any .service files

Running the following command fixed my error and allowed me to connect:

$ sudo touch /etc/ipsec.secrets

The networking part of my /etc/nixos/configuration.nix only has networking.networkmanager.enable = true;.

cdepillabout commented 2 years ago

This still appears relevant in 21.11.

Adding this (as mentioned above) to my config appears to get an L2TP and IPSec VPN working with NetworkManager:

environment.etc."ipsec.secrets".text = ''
  include ipsec.d/ipsec.nm-l2tp.secrets
'';

bluecmd commented 2 years ago

Still relevant in 22.05. I am confirming that with a clean install, trying to set up L2TP/IPsec VPNs fails with the following indicator:

Jun 06 14:55:06 stereolith charon[6662]: 05[CFG] received stroke: add connection 'ab4eabdb-e992-48f8-8b2c-69abc91a1eeb'
Jun 06 14:55:06 stereolith charon[6662]: 05[CFG] added configuration 'ab4eabdb-e992-48f8-8b2c-69abc91a1eeb'
Jun 06 14:55:07 stereolith charon[6662]: 07[CFG] rereading secrets
Jun 06 14:55:07 stereolith charon[6662]: 07[CFG] loading secrets from '/nix/store/agdfkxnyhanhcmby4mh5jv4ya7aah4h2-strongswan-5.9.5/etc/ipsec.secrets'
Jun 06 14:55:07 stereolith charon[6662]: 07[CFG] expanding file expression '/etc/ipsec.secrets' failed
Jun 06 14:55:07 stereolith charon[6662]: 09[CFG] received stroke: initiate 'ab4eabdb-e992-48f8-8b2c-69abc91a1eeb'
Jun 06 14:55:07 stereolith charon[6662]: 11[IKE] initiating Main Mode IKE_SA ab4eabdb-e992-48f8-8b2c-69abc91a1eeb[1] to xxxx
Jun 06 14:55:07 stereolith charon[6662]: 11[IKE] initiating Main Mode IKE_SA ab4eabdb-e992-48f8-8b2c-69abc91a1eeb[1] to xxxx
Jun 06 14:55:07 stereolith charon[6662]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
..
Jun 06 14:55:07 stereolith charon[6662]: 12[IKE] received FRAGMENTATION vendor ID
Jun 06 14:55:07 stereolith charon[6662]: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 06 14:55:07 stereolith charon[6662]: 13[IKE] no shared key found for 'xxx'[xxxx] - '%any'[xxxx]
Jun 06 14:55:07 stereolith charon[6662]: 13[IKE] no shared key found for xxxxx - xxxxx
Jun 06 14:55:07 stereolith charon[6662]: 13[ENC] generating INFORMATIONAL_V1 request 2829213968 [ N(INVAL_KE) ]
Jun 06 14:55:07 stereolith charon[6662]: 13[NET] sending packet: from xxxx[500] to xxxxx[500] (56 bytes)

sudo touch /etc/ipsec.secrets fixed the issue for me straight away as well.

ncfavier commented 1 month ago

Fix in https://github.com/NixOS/nixpkgs/pull/340325