Open vatula opened 4 years ago
Don't know if it's related, but ipsec service also fails to start.

```
sudo systemctl start ipsec
...
journalctl -xe
...
Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
```
IPSEC infrastructure requires manual setup. I have no reasonable test infrastructure, so this is difficult to test if not impossible. Please run the various tools from the command line and inspect the output. `journalctl -xe` is usually ... useless.
Note: IPSEC support is untested at this point. If someone understands how we can improve it, perhaps with e.g. tmpfiles and unit files, I'd welcome pointers and detailed instructions on how we can improve the packaging in ClearLinux.
> IPSEC infrastructure requires manual setup. I have no reasonable test infrastructure, so this is difficult to test if not impossible. Please run the various tools from the command line and inspect the output. `journalctl -xe` is usually ... useless.
I'm useless too then. As I am a mere user. Not a power user. I do not know how networking works on linux nor do I know how to debug ipsec configuration issues (if that is an ipsec configuration issue). I just wanted a vpn connection to my work. I chose Clear Linux after reading "https://clearlinux.org/about" where it says "Out of the box industry standard security features enabled Eg. IPTables, SSH, OpenSSL, IPSec VPN, ..."
But I am happy to assist in debugging (by following instructions) if anyone is interested in this issue.
Additional information: I'm on build 32760, libreswan 3.31.
I did some checks: `sudo ipsec verify`

```
Verifying installed system and configuration files
Version check and ipsec on-path                   [OK]
Libreswan 3.31 (netkey) on 5.5.15-930.native
Checking for IPsec support in kernel              [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              [NOT DISABLED]
  Disable /proc/sys/net/ipv4/conf/*/send_redirects or XFRM/NETKEY will act on or cause sending of bogus ICMP redirects!
         ICMP default/accept_redirects            [NOT DISABLED]
  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or XFRM/NETKEY will act on or cause sending of bogus ICMP redirects!
         XFRM larval drop                         [OK]
Pluto ipsec.conf syntax                           [OK]
Checking rp_filter                                [OK]
Checking that pluto is running                    [FAILED]
Checking 'ip' command                             [OK]
Checking 'iptables' command                       [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options          [OK]

ipsec verify: encountered 4 errors - see 'man ipsec_verify' for help
```
I've got exactly the same issue.
I've done up some new libreswan and NetworkManager-l2tp packages that work.

I've repurposed `/run/pluto/`, which is an existing directory that gets created by the libreswan pluto IPsec daemon, for NetworkManager-l2tp to write `/run/pluto/ipsec.nm-l2tp.secrets` instead of `/etc/ipsec.d/ipsec.nm-l2tp.secrets`.

One remaining issue is that NSS's `/usr/bin/certutil` from the cryptography bundle is required, otherwise libreswan will segfault as the NSS database isn't initialized. For the time being, the workaround is to explicitly install the cryptography bundle:

```
sudo swupd bundle-add cryptography
```

Another thing is that I've reset the revision number to 1 for both packages; not sure if that is the Clear Linux way for packages, but it is for other Linux distros when the package version number is increased.

More details on the new libreswan and NetworkManager-l2tp packages in the subsequent two messages.
Regarding the new libreswan-3.32 package.
Find changes here: https://github.com/dkosovic/libreswan/commit/6ba964562bae3fa1490a4705d6b6ea806a9603ca and corresponding patch: https://github.com/dkosovic/libreswan/commit/6ba964562bae3fa1490a4705d6b6ea806a9603ca.patch
Summary of some of the changes:
The following files weren't getting packaged up due to Clear Linux's stateless nature:

```
/etc/ipsec.conf
/etc/ipsec.secrets
/etc/ipsec.d/
/etc/ipsec.d/policies/block
/etc/ipsec.d/policies/clear
/etc/ipsec.d/policies/clear-or-private
/etc/ipsec.d/policies/portexcludes.conf
/etc/ipsec.d/policies/private
/etc/ipsec.d/policies/private-or-clear
/etc/pam.d/pluto
/etc/sysctl.d/50-libreswan.conf
```
`/etc/ipsec.conf`, `/etc/ipsec.secrets` and `/etc/ipsec.d/` are now located under `/usr/share/defaults/etc/`. `/etc/pam.d/pluto` is now `/usr/share/pam.d/pluto`. `/etc/sysctl.d/50-libreswan.conf` is now `/usr/lib/sysctl.d/50-libreswan.conf`.
**/usr/share/defaults/etc/ipsec.secrets**

On other Linux distributions, `/etc/ipsec.secrets` only contains `include /etc/ipsec.d/*.secrets`. In this new libreswan package, the `/usr/share/defaults/etc/ipsec.secrets` file contains the following:

```
include /etc/ipsec.d/*.secrets
include /run/pluto/*.secrets
```

So it will attempt to include any `*.secrets` files in `/etc/ipsec.d/` and `/run/pluto/`. Note, NetworkManager-l2tp will use `/run/pluto/` as it can't write to `/etc/ipsec.d/` on Clear Linux.
**/usr/share/defaults/etc/ipsec.conf**

The `ipsec.conf` contains `include /etc/ipsec.d/*.conf`, which is the same as other Linux distros.
**%make_install rpm spec macro issue**

The `%make_install` rpm spec macro ignores the arguments in the `make_install_args` file, so I overrode the `%make_install` macro with a combination of the `install_macro` and `make_install_args` files. This eliminated the need for `0001-Set-default-options-since-passing-them-later-doesn-t.patch`.

The upstream `0001-NSS_PKCS11_2_0_COMPAT-libreswan-3.22.patch` file is required to avoid a segfault with NSS >= 3.52.
For backwards compatibility with many VPN servers, this new libreswan package is built with DH2 (modp1024) support.
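The stateless layout described above changes where pluto's top-level `ipsec.secrets` lives and which directories its `include` lines pull from. The script below is an added example (not code from libreswan, the issue author, or Clear Linux): it follows the `include <glob>` chain of an `ipsec.secrets` file under a sandboxed root, lists every secrets file pluto would read, and flags any that are readable by group or other. The directory tree it audits is constructed in a temporary directory to mirror the layout in this message (`/usr/share/defaults/etc/ipsec.secrets`, `/etc/ipsec.d/*.secrets`, `/run/pluto/*.secrets`); the file names `site.secrets` and the PSK values are placeholders, and the re-rooting of absolute include paths is this example's own convention for offline checking.

```python
"""Audit which *.secrets files a libreswan ipsec.secrets include chain
would load, and flag loose permissions. Example code, not libreswan's."""
import glob
import os
import stat
import tempfile


def resolve_includes(secrets_file, root="/", _seen=None):
    """Return the ordered list of files pluto would read, following
    'include <glob>' lines recursively. Absolute patterns are re-rooted
    under `root` (assumption of this example) so a layout can be checked
    without touching the live system; pass root="/" for the real one."""
    if _seen is None:
        _seen = set()
    real = os.path.realpath(secrets_file)
    if real in _seen:          # guard against include loops
        return []
    _seen.add(real)
    files = [real]
    with open(real) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()   # drop comments
            if not line.startswith("include "):
                continue
            pattern = line[len("include "):].strip()
            if os.path.isabs(pattern):
                pattern = os.path.join(root, pattern.lstrip("/"))
            else:
                pattern = os.path.join(os.path.dirname(real), pattern)
            for match in sorted(glob.glob(pattern)):
                files.extend(resolve_includes(match, root, _seen))
    return files


def loose_permissions(files):
    """Return the subset of files with any group/other permission bits."""
    return [f for f in files
            if stat.S_IMODE(os.stat(f).st_mode) & 0o077]


def build_clear_linux_layout():
    """Constructed sample tree mirroring the layout in the issue."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="ipsec-layout-"))
    defaults = os.path.join(root, "usr/share/defaults/etc")
    etc_d = os.path.join(root, "etc/ipsec.d")
    run_pluto = os.path.join(root, "run/pluto")
    for d in (defaults, etc_d, run_pluto):
        os.makedirs(d)
    top = os.path.join(defaults, "ipsec.secrets")
    with open(top, "w") as fh:
        fh.write("include /etc/ipsec.d/*.secrets\n"
                 "include /run/pluto/*.secrets\n")
    os.chmod(top, 0o600)
    admin = os.path.join(etc_d, "site.secrets")          # placeholder name
    with open(admin, "w") as fh:
        fh.write('%any %any : PSK "constructed-placeholder-psk"\n')
    os.chmod(admin, 0o600)
    nm = os.path.join(run_pluto, "ipsec.nm-l2tp.secrets")
    with open(nm, "w") as fh:
        fh.write('%any %any : PSK "constructed-placeholder-psk"\n')
    os.chmod(nm, 0o644)   # deliberately loose so the audit flags it
    return root


def audit(root):
    """Resolve the include chain from the stateless default and report
    paths relative to root, plus those with loose permissions."""
    top = os.path.join(root, "usr/share/defaults/etc/ipsec.secrets")
    files = resolve_includes(top, root)
    rel = lambda f: os.path.relpath(f, root)
    return {"files": [rel(f) for f in files],
            "loose": [rel(f) for f in loose_permissions(files)]}


if __name__ == "__main__":
    report = audit(build_clear_linux_layout())
    for f in report["files"]:
        print("loads:", f, "(LOOSE PERMISSIONS)" if f in report["loose"] else "")
```

On a real host you would call `resolve_includes("/usr/share/defaults/etc/ipsec.secrets", "/")` as root; the sample run instead shows the `/run/pluto/ipsec.nm-l2tp.secrets` file being picked up through the second include line and flagged because it was created mode 0644.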
Regarding the new NetworkManager-l2tp-1.8.2 package.
Needs the libreswan-3.32 package from previous message.
Find changes here: https://github.com/dkosovic/NetworkManager-l2tp/commit/3f9a719097f9234c59e532d1a2a65b33f3ced972 and corresponding patch: https://github.com/dkosovic/NetworkManager-l2tp/commit/3f9a719097f9234c59e532d1a2a65b33f3ced972.patch
NetworkManager-l2tp 1.8.2 has a potential GPL licensing conflict when linked with versions of OpenSSL < 3.0.0. But, extract from the release notes located on https://github.com/nm-l2tp/NetworkManager-l2tp/releases :

> Please check to see if your intended Linux distribution has made any statements about considering OpenSSL to be a "System Library" and so exempt from the licensing conflict. Alternatively a good check to determine if OpenSSL is considered a "System Library" is to see if the postgresql package on the intended Linux distribution has dependencies on both OpenSSL and GNU readline library

Looking at the Clear Linux postgresql spec file: https://github.com/clearlinux-pkgs/postgresql/blob/master/postgresql.spec

Both `openssl-dev` and `readline-dev` are part of the build requires, so it would appear Clear Linux considers OpenSSL to be a "System Library" and so exempt from the licensing conflict, otherwise it would not be possible to link with both OpenSSL and the GPL'ed readline.
The PPPD plugin was getting installed to the wrong location and wasn't checking which version of PPP was installed.
The `build_prepend` file sets the `PPP_VERSION` env variable which is then used in the following `configure` line:

```
--with-pppd-plugin-dir=/usr/lib/pppd/$PPP_VERSION
```
**/etc/ipsec.d/ipsec.nm-l2tp.secrets**

`/run/pluto/ipsec.nm-l2tp.secrets` is now used instead of `/etc/ipsec.d/ipsec.nm-l2tp.secrets` because of the error described in the subject of this issue.
Clear Linux build ID: 32580. I am a single user on the system. Autologin disabled.

Steps to reproduce:

1. Via GNOME shell, with a NetworkManager applet, add a new VPN L2TP configuration and specify L2TP IPSec Options: Pre-shared key (I have also specified Phase 1 and Phase 2 algorithms, but I reckon specifying the Pre-shared key should be sufficient for reproduction).
2. Save the config and attempt to turn the VPN on.
3. Then check the logs with `journalctl -u NetworkManager.service` to see