hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

g_dbus_method_invocation_take_error: assertion 'error != NULL' failed #725

Closed xdnroot closed 4 years ago

xdnroot commented 4 years ago

Hi, I have two problems when configuring L2TP/IPsec with the script provided by hwdsl2.

First, I was able to connect to my VPN server from MikroTik and from my Android phone, but I could not connect to my VPN server from my Ubuntu 18.04 (l2tp-gnome) machine; syslog shows an error like this:

Feb  3 20:35:19 xdn-id nm-l2tp-service[4308]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Feb  3 20:35:19 xdn-id NetworkManager[1168]: <info>  [1580736919.9100] vpn-connection[0x556d86d24760,3a3e006a-2624-43fb-a472-3dbdc56d59ce,"node1-SG-ipsec",0]: VPN plugin: state changed: stopped (6)
Feb  3 20:35:19 xdn-id NetworkManager[1168]: <info>  [1580736919.9218] vpn-connection[0x556d86d24760,3a3e006a-2624-43fb-a472-3dbdc56d59ce,"node1-SG-ipsec",0]: VPN service disappeared
Feb  3 20:35:19 xdn-id NetworkManager[1168]: <warn>  [1580736919.9272] vpn-connection[0x556d86d24760,3a3e006a-2624-43fb-a472-3dbdc56d59ce,"node1-SG-ipsec",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

Second question: how do I connect the users of my VPN server to each other? If I connect two devices to the same VPN server, the server creates two ppp interfaces, so the two devices cannot connect to each other. Is this an error, or is it like that by default? What is the solution for connecting VPN users to each other?

Thanks

hwdsl2 commented 4 years ago

@xdnroot Hello! Using Ubuntu 18.04 as an IPsec VPN client has been tested and confirmed working. Please upgrade the following packages on your Ubuntu desktop (VPN client) using apt, then try again by following these instructions [1].

network-manager-l2tp network-manager-l2tp-gnome strongswan xl2tpd

After connecting to the VPN server, IPsec/L2TP VPN clients can ping each other using their assigned internal VPN IPs, for example, 192.168.42.10.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#linux

brendan-mccoy commented 3 years ago

I'm actually having this same issue, following the instructions and the udp 1701 fix.

Mar 16 11:44:09 reno NetworkManager[515]: <info>  [1615909449.0234] audit: op="connection-activate" uuid="5328d697-dcf8-44bb-be7a-452af41a964d" name="VPN connection 1" pid=956 uid=1000 result="success"
Mar 16 11:44:09 reno NetworkManager[515]: <info>  [1615909449.0272] vpn-connection[0x55dd7299c780,5328d697-dcf8-44bb-be7a-452af41a964d,"VPN connection 1",0]: Started the VPN service, PID 1654
Mar 16 11:44:09 reno NetworkManager[515]: <info>  [1615909449.0359] vpn-connection[0x55dd7299c780,5328d697-dcf8-44bb-be7a-452af41a964d,"VPN connection 1",0]: Saw the service appear; activating connection
Mar 16 11:44:09 reno NetworkManager[515]: <info>  [1615909449.0431] vpn-connection[0x55dd7299c780,5328d697-dcf8-44bb-be7a-452af41a964d,"VPN connection 1",0]: VPN connection: (ConnectInteractive) reply received
Mar 16 11:44:09 reno nm-l2tp-service[1654]: Check port 1701
Mar 16 11:44:09 reno NetworkManager[1668]: Stopping strongSwan IPsec failed: starter is not running
Mar 16 11:44:11 reno NetworkManager[1665]: Starting strongSwan 5.8.2 IPsec [starter]...
Mar 16 11:44:11 reno NetworkManager[1665]: Loading config setup
Mar 16 11:44:11 reno NetworkManager[1665]: Loading conn '5328d697-dcf8-44bb-be7a-452af41a964d'
Mar 16 11:44:11 reno charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.8.0-45-generic, x86_64)
Mar 16 11:44:11 reno charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 16 11:44:11 reno charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 16 11:44:11 reno charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 16 11:44:11 reno charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 16 11:44:11 reno charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 16 11:44:11 reno charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 16 11:44:11 reno charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Mar 16 11:44:11 reno charon: 00[CFG]   loaded IKE secret for %any
Mar 16 11:44:11 reno charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Mar 16 11:44:11 reno charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 16 11:44:11 reno charon: 00[JOB] spawning 16 worker threads
Mar 16 11:44:11 reno charon: 04[CFG] received stroke: add connection '5328d697-dcf8-44bb-be7a-452af41a964d'
Mar 16 11:44:11 reno charon: 04[CFG] added configuration '5328d697-dcf8-44bb-be7a-452af41a964d'
Mar 16 11:44:12 reno charon: 06[CFG] rereading secrets
Mar 16 11:44:12 reno charon: 06[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 16 11:44:12 reno charon: 06[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Mar 16 11:44:12 reno charon: 06[CFG]   loaded IKE secret for %any
Mar 16 11:44:12 reno charon: 08[CFG] received stroke: initiate '5328d697-dcf8-44bb-be7a-452af41a964d'
Mar 16 11:44:12 reno charon: 02[IKE] initiating Main Mode IKE_SA 5328d697-dcf8-44bb-be7a-452af41a964d[1] to REDACTED
Mar 16 11:44:12 reno charon: 02[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Mar 16 11:44:12 reno charon: 02[NET] sending packet: from REDACTED[500] to REDACTED[500] (240 bytes)
Mar 16 11:44:16 reno charon: 13[IKE] sending retransmit 1 of request message ID 0, seq 1
Mar 16 11:44:16 reno charon: 13[NET] sending packet: from REDACTED[500] to REDACTED[500] (240 bytes)
Mar 16 11:44:19 reno systemd-resolved[472]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Mar 16 11:44:19 reno systemd-resolved[472]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
Mar 16 11:44:22 reno NetworkManager[1708]: Stopping strongSwan IPsec...
Mar 16 11:44:22 reno charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 16 11:44:22 reno charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Mar 16 11:44:22 reno NetworkManager[1706]: initiating Main Mode IKE_SA 5328d697-dcf8-44bb-be7a-452af41a964d[1] to REDACTED
Mar 16 11:44:22 reno NetworkManager[1706]: generating ID_PROT request 0 [ SA V V V V V ]
Mar 16 11:44:22 reno NetworkManager[1706]: sending packet: from REDACTED[500] to REDACTED[500] (240 bytes)
Mar 16 11:44:22 reno NetworkManager[1706]: sending retransmit 1 of request message ID 0, seq 1
Mar 16 11:44:22 reno NetworkManager[1706]: sending packet: from REDACTED[500] to REDACTED[500] (240 bytes)
Mar 16 11:44:22 reno NetworkManager[1706]: destroying IKE_SA in state CONNECTING without notification
Mar 16 11:44:22 reno NetworkManager[1706]: establishing connection '5328d697-dcf8-44bb-be7a-452af41a964d' failed
Mar 16 11:44:22 reno nm-l2tp-service[1654]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Mar 16 11:44:22 reno NetworkManager[515]: <info>  [1615909462.2087] vpn-connection[0x55dd7299c780,5328d697-dcf8-44bb-be7a-452af41a964d,"VPN connection 1",0]: VPN service disappeared
Mar 16 11:44:22 reno NetworkManager[515]: <warn>  [1615909462.2096] vpn-connection[0x55dd7299c780,5328d697-dcf8-44bb-be7a-452af41a964d,"VPN connection 1",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
Mar 16 11:44:32 reno systemd-resolved[472]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.

My packages are up to date. I'm using Lubuntu, but it should be essentially the same as Ubuntu.

network-manager-l2tp is already the newest version (1.2.16-1).
network-manager-l2tp-gnome is already the newest version (1.2.16-1).
xl2tpd is already the newest version (1.3.12-1.1).
strongswan is already the newest version (5.8.2-1ubuntu3.1).

brendan-mccoy commented 3 years ago

Actually, my issue was I forgot to open ports 500+4500 on the network ACLs ;)

tumluliu commented 3 years ago

Hey @brendan-mccoy, could you tell us more about how you fixed the issue? I ran into exactly the same problem you posted. By "open ports 500+4500 on the network ACLs", do you mean your local ufw firewall settings, or your VPN server side's config? Thanks a lot in advance!

brendan-mccoy commented 3 years ago

My client was on a network that I had locked down, so I had to add a rule to my network level firewall to allow the server to egress using those ports.

So in the case of seeing those messages it's likely a network issue SOMEWHERE, so I'd just double-check your server, client, and any intermediary firewalls to confirm those ports are open.
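As an added example (not code from the hwdsl2 project or from anyone in this thread), the following Python script applies brendan-mccoy's diagnosis to a NetworkManager-l2tp/strongSwan client syslog excerpt: when charon sends and retransmits ID_PROT request 0, never logs a received packet, and then destroys the IKE_SA in state CONNECTING, nothing answered on UDP 500, so a firewall or ACL on the path is the first suspect, and the nm-l2tp `g_dbus_method_invocation_take_error` assertion is just the downstream symptom. The first sample below is copied from the log posted above; the second (a successful IKE exchange, with addresses from the documentation ranges) is constructed. The extra verdicts `ike_negotiation_failed` and `no_ike_attempt` go beyond this thread's case and are my assumptions about the adjacent failure modes.

```python
# Added example: triage a client-side syslog excerpt from an IPsec/L2TP attempt.
# Not the project's code; the verdict names and hints are this example's own.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# syslog line "Mon DD HH:MM:SS host proc[pid]: message" (charon logs without a pid)
SYSLOG = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ ([^\[:]+)(?:\[\d+\])?: (.*)$")
RE_INIT = re.compile(r"initiating (?:Main|Aggressive) Mode IKE_SA \S+\[\d+\] to (\S+)")
RE_SEND = re.compile(r"sending packet: from \S+\[\d+\] to \S+\[(\d+)\]")
RE_RETRANS = re.compile(r"sending retransmit \d+ of request message")
RE_RECV = re.compile(r"received packet: from \S+\[\d+\] to \S+\[\d+\]")
RE_DESTROY = re.compile(r"destroying IKE_SA in state CONNECTING")
RE_ESTAB = re.compile(r"IKE_SA \S+\[\d+\] established between")
NM_ASSERT = "g_dbus_method_invocation_take_error"

HINTS = {
    "no_ike_reply": "IKE request left on UDP 500 and nothing came back: check client, "
                    "server and intermediate firewalls/ACLs for UDP 500 and 4500.",
    "ike_negotiation_failed": "Peer answered but no IKE_SA: check PSK, proposals, server logs.",
    "ike_established": "IKE is fine; look at the L2TP (UDP 1701) and PPP layer next.",
    "no_ike_attempt": "charon never initiated IKE: nm-l2tp failed earlier (packages, port 1701).",
    "inconclusive": "Not enough charon lines to decide; capture a full attempt.",
}

@dataclass
class Attempt:
    peer: Optional[str] = None
    sent: int = 0
    retransmits: int = 0
    received: int = 0
    ports: Set[int] = field(default_factory=set)
    destroyed_connecting: bool = False
    established: bool = False
    nm_assert: bool = False

def parse(lines: List[str]) -> Attempt:
    a = Attempt()
    for raw in lines:
        m = SYSLOG.match(raw.strip())
        if not m:
            continue
        proc, msg = m.group(1), m.group(2)
        if NM_ASSERT in msg:
            a.nm_assert = True      # generic nm-l2tp symptom, not the cause
        if proc != "charon":        # NetworkManager echoes charon's lines; count each once
            continue
        mi, ms = RE_INIT.search(msg), RE_SEND.search(msg)
        if mi:
            a.peer = mi.group(1)
        elif ms:
            a.sent += 1
            a.ports.add(int(ms.group(1)))   # 500 = IKE, 4500 = NAT-T
        elif RE_RETRANS.search(msg):
            a.retransmits += 1
        elif RE_RECV.search(msg):
            a.received += 1
        elif RE_DESTROY.search(msg):
            a.destroyed_connecting = True
        elif RE_ESTAB.search(msg):
            a.established = True
    return a

def verdict(a: Attempt) -> str:
    if a.peer is None:
        return "no_ike_attempt"
    if a.established:
        return "ike_established"
    if a.received == 0 and a.destroyed_connecting:
        return "no_ike_reply"
    if a.received > 0:
        return "ike_negotiation_failed"
    return "inconclusive"

def triage_text(text: str) -> Dict[str, object]:
    a = parse(text.splitlines())
    v = verdict(a)
    return {"verdict": v, "hint": HINTS[v], "peer": a.peer, "sent": a.sent,
            "retransmits": a.retransmits, "received": a.received,
            "ports": sorted(a.ports), "nm_assert": a.nm_assert}

# Excerpt copied from the log posted in this thread (failing case).
THREAD_EXCERPT = """\
Mar 16 11:44:12 reno charon: 02[IKE] initiating Main Mode IKE_SA 5328d697-dcf8-44bb-be7a-452af41a964d[1] to REDACTED
Mar 16 11:44:12 reno charon: 02[NET] sending packet: from REDACTED[500] to REDACTED[500] (240 bytes)
Mar 16 11:44:16 reno charon: 13[IKE] sending retransmit 1 of request message ID 0, seq 1
Mar 16 11:44:16 reno charon: 13[NET] sending packet: from REDACTED[500] to REDACTED[500] (240 bytes)
Mar 16 11:44:22 reno charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Mar 16 11:44:22 reno NetworkManager[1706]: destroying IKE_SA in state CONNECTING without notification
Mar 16 11:44:22 reno nm-l2tp-service[1654]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
"""

# Constructed excerpt (not from the thread): the peer answers and IKE comes up.
SUCCESS_EXCERPT = """\
Mar 16 12:00:00 reno charon: 02[IKE] initiating Main Mode IKE_SA c1[1] to 203.0.113.10
Mar 16 12:00:00 reno charon: 02[NET] sending packet: from 192.0.2.5[500] to 203.0.113.10[500] (240 bytes)
Mar 16 12:00:00 reno charon: 03[NET] received packet: from 203.0.113.10[500] to 192.0.2.5[500] (160 bytes)
Mar 16 12:00:00 reno charon: 03[NET] sending packet: from 192.0.2.5[4500] to 203.0.113.10[4500] (92 bytes)
Mar 16 12:00:01 reno charon: 04[IKE] IKE_SA c1[1] established between 192.0.2.5[192.0.2.5]...203.0.113.10[203.0.113.10]
"""

if __name__ == "__main__":
    for name, text in (("thread", THREAD_EXCERPT), ("success", SUCCESS_EXCERPT)):
        print(name, triage_text(text))
```

Run it against `journalctl -u NetworkManager` output from a failed attempt; a `no_ike_reply` verdict with `ports == [500]` means the server never got (or never answered) the first IKE packet, which is exactly the pattern in the log above that turned out to be a blocked egress rule.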