hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

Fail to connect on server (RPi) reboot #1052

Closed LoryB closed 2 years ago

LoryB commented 3 years ago

Describe the issue

After first install everything works very well, but after restart my iPhone can't connect to the IKEv2 VPN. So I checked the log and got this (the rest is in the issue logs section):

Nov 16 20:54:06 LBE-Home pluto[1067]: netlink_acquire got message with length 116 < 232 bytes; ignore message

I've read in a Libreswan discussion that IPsec is trying to set up but the RPi is still configuring the network card (due to all the other daemons installed) and it fails. After=network-online.target is waiting, but not long enough, so a guy suggested adding a ping loop like this:

ExecStartPre=/bin/sh -c 'until ping -c1 1.1.1.1; do sleep 1; done;'

With this line in ipsec.service the problem is solved, but is there a better way to solve the issue?

To Reproduce

Steps to reproduce the behavior:

  1. Restart RPi
  2. Try to connect (it doesn't connect)

Expected behavior

  1. Restart RPi
  2. Connected

Logs

Nov 16 20:54:06 LBE-Home pluto[1067]: loading secrets from "/etc/ipsec.secrets"
Nov 16 20:54:06 LBE-Home pluto[1067]: netlink_acquire got message with length 116 < 232 bytes; ignore message
Nov 16 20:54:06 LBE-Home pluto[1067]: netlink_acquire got message with length 116 < 232 bytes; ignore message
Nov 16 20:54:08 LBE-Home pluto[1067]: netlink_acquire got message with length 116 < 232 bytes; ignore message
Nov 16 20:54:12 LBE-Home pluto[1067]: netlink_acquire got message with length 60 < 232 bytes; ignore message
Nov 16 20:54:12 LBE-Home pluto[1067]: netlink_acquire got message with length 60 < 232 bytes; ignore message
Nov 16 20:54:12 LBE-Home pluto[1067]: netlink_acquire got message with length 60 < 232 bytes; ignore message
Nov 16 20:54:12 LBE-Home pluto[1067]: netlink_acquire got message with length 68 < 232 bytes; ignore message
Nov 16 20:54:12 LBE-Home pluto[1067]: netlink_acquire got message with length 68 < 232 bytes; ignore message
Nov 16 20:54:13 LBE-Home pluto[1067]: netlink_acquire got message with length 116 < 232 bytes; ignore message
Nov 16 20:54:15 LBE-Home pluto[1067]: netlink_acquire got message with length 116 < 232 bytes; ignore message

Server

Client 1

Client 2

hwdsl2 commented 3 years ago

@LoryB Hello! Can you try editing /etc/rc.local and replace sleep 15 with e.g. sleep 30? This increases the delay at system boot before the IPsec service is restarted. Reboot your server after that, and check the logs again. Does this fix the issue?

LoryB commented 3 years ago

@hwdsl2 I've tried to change from 15 to 30 seconds in rc.local but I still have the same trouble on restart. At the moment the only solution that works is that line in the IPSec.service:

ExecStartPre=/bin/sh -c 'until ping -c1 1.1.1.1; do sleep 1; done;'

hwdsl2 commented 2 years ago

@LoryB I'm closing this since the current 15-second delay in rc.local should work under most cases to wait for the Raspberry Pi's network to be up. For your use case, please continue to use the ExecStartPre workaround you identified.
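
An added example, not part of the original thread or the project's scripts: a bounded alternative to the ping loop that waits for a default route instead of an ICMP reply from an outside host, so service start does not depend on 1.1.1.1 answering ping. The script path, drop-in file name, `ROUTE_CMD` variable and `--wait` flag are assumptions made for this example, as is the premise that a default route is a sufficient readiness signal on this host, which the thread does not confirm.

```shell
#!/bin/sh
# Added example, not from the thread or the setup-ipsec-vpn project.
# Hypothetical install path: /usr/local/sbin/wait-for-route.sh
# Hypothetical drop-in /etc/systemd/system/ipsec.service.d/wait-route.conf:
#   [Service]
#   ExecStartPre=-/usr/local/sbin/wait-for-route.sh --wait 60
# The leading "-" tells systemd to continue starting the unit even if the
# wait times out, so the VPN service is not left failed on a slow boot.

# Command that prints the default route. Overridable (assumption of this
# example) so the logic can be exercised without a real routing table.
ROUTE_CMD=${ROUTE_CMD:-"ip -4 route show default"}

# wait_for_route TIMEOUT [INTERVAL]
# Returns 0 once ROUTE_CMD prints a line starting with "default",
# or 1 if TIMEOUT seconds pass first. No external host is contacted.
wait_for_route() {
    wfr_timeout=$1
    wfr_interval=${2:-1}
    wfr_waited=0
    while :; do
        if $ROUTE_CMD 2>/dev/null | grep -q '^default'; then
            return 0
        fi
        if [ "$wfr_waited" -ge "$wfr_timeout" ]; then
            echo "wait_for_route: no default route after ${wfr_waited}s" >&2
            return 1
        fi
        sleep "$wfr_interval"
        wfr_waited=$((wfr_waited + wfr_interval))
    done
}

# Only act when called as a script with --wait, e.g. from ExecStartPre.
if [ "${1:-}" = "--wait" ]; then
    wait_for_route "${2:-60}"
fi
```

After installing the drop-in, `systemctl daemon-reload` is needed before the next reboot picks it up.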