nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

network-manager-l2tp for ubuntu 16.04 is missing #113

Closed sunnyjocker closed 4 years ago

sunnyjocker commented 4 years ago

I followed the instructions to add the PPA, then ran apt-get install network-manager-l2tp, but got 'E: Unable to locate package network-manager-l2tp'. Then I went to https://launchpad.net/~nm-l2tp/+archive/ubuntu/network-manager-l2tp and found that there is only one package named libreswan for Xenial. Is this the reason why I can't install network-manager-l2tp?

dkosovic commented 4 years ago

In the last few days I made the mistake of uploading network-manager-l2tp-1.2.14-1~ubuntu16.04.1, then realised the version number was wrong as it was missing ~ppa1, then deleted it and tried to upload network-manager-l2tp-1.2.14-1~ubuntu16.04.1~ppa1. It got rejected as it claimed the latter has a version number smaller than the former.

I then waited for the 6 hour window for the packages to be deleted and then got rejected trying to upload network-manager-l2tp-1.2.14-1~ubuntu16.04.1~ppa1 as it claimed it had already been uploaded.

Anyway, I'm hopefully going to submit network-manager-l2tp-1.2.16-1 to Debian tonight; I was then going to release a backport to Xenial 16.04. But I wanted to wait till it gets to Debian so the diff shows up correctly in the package details.

As a workaround, I'll make a temporary repository when I get home tonight where you can get network-manager-l2tp-1.2.14-1~ubuntu16.04.1~ppa1 or maybe 1.2.16. Will let you know.

Sorry for the inconvenience.

sunnyjocker commented 4 years ago

great, thanks for the help, you are so kind

dkosovic commented 4 years ago

I've submitted the new network-manager-l2tp-1.2.16-1 package to Debian (which will make it to the next release of Ubuntu):

I've done a backport to Ubuntu Xenial 16.04 that is temporarily located in this PPA:

To install the package and remove the temporary PPA issue:

sudo add-apt-repository ppa:dkosovic/network-manager-l2tp
sudo apt update

sudo apt install network-manager-l2tp network-manager-l2tp-gnome

sudo add-apt-repository --remove ppa:dkosovic/network-manager-l2tp
sudo apt update

sunnyjocker commented 4 years ago

Thanks for making it available again, but I still can't install it because of the broken dependencies:

The following packages have unmet dependencies:
 network-manager-l2tp : Depends: xl2tpd (>= 1.3.6+dfsg-4ubuntu0.16.04.1) but 1.3.6+dfsg-4 is to be installed
                        Depends: strongswan (>= 5.3.5-1ubuntu3.1) but 5.3.5-1ubuntu3 is to be installed or
                                 libreswan but it is not going to be installed
E: Unable to correct problems, you have held broken packages.

I tried to use aptitude to solve it, but it says 'No more solutions available'. Can you help me a little bit more? Thanks.

Update: I installed xl2tpd on my machine and checked its version using: apt list --installed | grep xl2tpd, but the version is 'xl2tpd/xenial,now 1.3.6+dfsg-4 amd64', lacking 'ubuntu0.16.04.1' compared with the dependency it needs. I don't know what causes it.

Update: I'm done. I manually downloaded the 1.3.6+dfsg-4ubuntu0.16.04.1 deb and installed it, and then successfully installed network-manager-l2tp. Thanks again.

dkosovic commented 4 years ago

Very strange that you were getting those dependency issues, as the xenial-updates apt repository, which is normally enabled by default, has newer versions of both packages:

It is as if the xenial-updates apt repository isn't enabled.

Anyway glad to hear you managed to install it.

sunnyjocker commented 4 years ago

But I still can't make it work. The debug output is listed below:

seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" modecfgdomain=(null)
conn: "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" modecfgbanner=(null)
conn: "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" mark-in=(null)
conn: "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" mark-out=(null)
conn: "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" vti_iface=(null)
003 ike string error: Non alphanum char found after in modp string, just after "aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp" (state=ST_AK)
nm-l2tp[5030] Could not establish IPsec tunnel.

(nm-l2tp-service:5030): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

any idea?

dkosovic commented 4 years ago

The error message has the following which looks truncated:

aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp

as it is supposed to be:

aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp384,aes128-sha1-modp1024,aes128-sha1-ecp256,3des-sha1-modp2048,3des-sha1-modp1024!

As the truncated string ended in -ecp instead of having -ecp384, perhaps that version of strongSwan is too old to support ecp384. I will look into it tonight.

Are phase 1 and 2 empty in the IPsec config dialog box?

If phase 1 is empty, as a temp fix you could try setting phase 1 to something shorter, e.g. :

aes256-sha1-modp2048,aes256-sha1-modp1536,aes128-sha1-modp1024,3des-sha1-modp2048,3des-sha1-modp1024!
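The phase 1 string quoted above is a libreswan-style `ike=` value: comma-separated proposals of the form encryption-integrity-dhgroup, with a trailing `!` marking the list as strict. As an added example (not nm-l2tp or libreswan code), the Python below parses such a string, rejects DH groups it does not recognise, and rebuilds a shorter list restricted to a given set of groups, which is the "set phase 1 to something shorter" step done mechanically. The MODP/ECP group tables and the legacy-algorithm list are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass

# Added example, not code from nm-l2tp or libreswan. The DH-group tables below
# are assumptions for the demonstration: the MODP set is treated as what an old
# libreswan build can parse, the ECP set as what it cannot.
MODP_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096"}
ECP_GROUPS = {"ecp256", "ecp384", "ecp521"}
KNOWN_GROUPS = MODP_GROUPS | ECP_GROUPS

# Constructed list of algorithms a defender would flag in a new configuration
# (3DES, SHA-1 integrity and 1024-bit MODP are widely regarded as legacy).
LEGACY = {"3des", "sha1", "modp1024"}

_PROPOSAL_RE = re.compile(r"^([a-z0-9_]+)-([a-z0-9_]+)-([a-z0-9]+)$")


@dataclass(frozen=True)
class Proposal:
    enc: str    # e.g. aes256
    integ: str  # e.g. sha2_256
    dh: str     # e.g. modp2048

    def __str__(self) -> str:
        return f"{self.enc}-{self.integ}-{self.dh}"


def parse_ike_string(ike: str):
    """Split a libreswan-style 'enc-integ-dh,...[!]' string into proposals.

    Returns (proposals, strict) where strict is True when the trailing '!'
    was present. Raises ValueError on a proposal it cannot make sense of,
    including a DH group outside KNOWN_GROUPS (such as a truncated 'ecp').
    """
    strict = ike.endswith("!")
    body = ike[:-1] if strict else ike
    proposals = []
    for item in body.split(","):
        m = _PROPOSAL_RE.match(item.strip())
        if not m:
            raise ValueError(f"malformed proposal: {item!r}")
        p = Proposal(*m.groups())
        if p.dh not in KNOWN_GROUPS:
            raise ValueError(f"unknown DH group {p.dh!r} in {item!r}")
        proposals.append(p)
    return proposals, strict


def restrict_to_groups(ike: str, supported):
    """Drop proposals whose DH group is not in `supported`; keep the '!' flag."""
    proposals, strict = parse_ike_string(ike)
    kept = [p for p in proposals if p.dh in supported]
    dropped = [p for p in proposals if p.dh not in supported]
    rebuilt = ",".join(str(p) for p in kept) + ("!" if strict else "")
    return rebuilt, dropped


def legacy_proposals(ike: str):
    """Return the proposals that use any algorithm from LEGACY."""
    proposals, _ = parse_ike_string(ike)
    return [p for p in proposals if {p.enc, p.integ, p.dh} & LEGACY]


# The phase 1 default quoted in this thread.
DEFAULT_PHASE1 = (
    "aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,"
    "aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,"
    "aes256-sha1-ecp384,aes128-sha1-modp1024,aes128-sha1-ecp256,"
    "3des-sha1-modp2048,3des-sha1-modp1024!"
)

if __name__ == "__main__":
    shorter, dropped = restrict_to_groups(DEFAULT_PHASE1, MODP_GROUPS)
    print("phase 1 without ECP groups:", shorter)
    print("dropped:", [str(p) for p in dropped])
    print("legacy proposals:", [str(p) for p in legacy_proposals(shorter)])
```

Running it on the default list drops exactly the two ECP proposals and keeps the strict `!`; the legacy report is there so that, when trimming a list to what an old IKE daemon accepts, you also see which of the remaining proposals you would not want in a fresh deployment.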

sunnyjocker commented 4 years ago

Yes, phase 1 and 2 are both empty. Then I tried adding the following in phase 1: aes256-sha1-modp2048,aes256-sha1-modp1536,aes128-sha1-modp1024,3des-sha1-modp2048,3des-sha1-modp1024! (including the last '!'), and left phase 2 empty, but I still get an error like the above:

conn: "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" vti_iface=(null)
003 ike string error: Non alphanum char found after in modp string, just after "aes256-sha1-modp2048,aes256-sha1-modp1536,aes128-sha1-modp1024,3des-sha1-modp2048,3des-sha1-modp1024" (state=ST_AK)
nm-l2tp[13635] Could not establish IPsec tunnel.

(nm-l2tp-service:13635): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

===================

here is the version of libreswan: sudo apt list --installed | grep swan

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libreswan/xenial,now 3.19-2~ubuntu16.04.1~ppa1 amd64 [installed,automatic]
libstrongswan/xenial,now 5.3.5-1ubuntu3 amd64 [installed]
libstrongswan-standard-plugins/xenial,now 5.3.5-1ubuntu3 amd64 [installed]
strongswan-libcharon/xenial,now 5.3.5-1ubuntu3 amd64 [installed]

Update: I set phase 1 to: aes128-sha1-modp1024 and left phase 2 empty. This error is gone, but I'm facing another problem:

003 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" #1: we require IKEv1 peer to have ID 'A', but peer declares 'B'
218 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
002 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" #1: sending encrypted notification INVALID_ID_INFORMATION to A:4500
010 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" #1: STATE_MAIN_I3: retransmission; will wait 500ms for response

A is the IP of my server, but B isn't. I don't know where this IP address comes from. By the way, I can successfully connect to my server with my iPhone; it just needs the server IP, username, password, and PSK. Very simple.

Update: I found what causes B. On my server's /etc/ipsec.conf there is one line: leftid=B. That's the reason. B is no longer my server's IP, so why can my iPhone connect successfully?

dkosovic commented 4 years ago

I'll test it out tonight on Ubuntu 16.04, I only tested VPN connections on newer Ubuntu and Fedora versions.

There is a Remote ID option in the IPsec Options dialog box where you could set it to B. I guess strongswan insists on an ID if it was set on the server side. The iPhone uses racoon instead of strongswan and I guess it doesn't insist on the ID. Although the IPsec IKEv2 client on the iPhone has a Remote ID option, I don't think it is using racoon.

One option is to switch from strongswan to libreswan with:

sudo apt install libreswan

sunnyjocker commented 4 years ago

Thanks, but I'm currently using libreswan, not strongswan. I can see it in my installed package list. My L2TP server is behind NAT, but ports 500 and 4500 are forwarded to it. After setting Remote ID, the error above is gone, but I still can't connect on the client side. The log is:

xl2tpd[14698]: Terminating pppd: sending TERM signal to pid 14707
xl2tpd[14698]: Connection 10172 closed to A, port 1701 (Server closing)
002 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b": deleting non-instance connection
002 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" #2: deleting state (STATE_QUICK_I2)
005 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" #2: ESP traffic information: in=0B out=0B
002 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" #1: deleting state (STATE_MAIN_I4)
** Message: ipsec shut down

The problem is that it tries to connect to port 1701; this is obviously not right. Doesn't L2TP just use 500 and 4500?

Update: I noticed something wrong in the log:

117 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" #2: STATE_QUICK_I1: initiate
002 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "6796c192-632f-46b3-8df4-1a3b2d1a2a6b" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xb9014bc3 <0x68a29068 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=126.33.192.99:4500 DPD=passive}
nm-l2tp[22447] Libreswan IPsec tunnel is up.
** Message: xl2tpd started with pid 23119
xl2tpd[23119]: setsockopt recvref[30]: Protocol not available
xl2tpd[23119]: Using l2tp kernel support.
xl2tpd[23119]: xl2tpd version xl2tpd-1.3.6 started on moshuang-ubuntu PID:23119
xl2tpd[23119]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.

It does try to use port 4500, and then encounters 'Protocol not available'. What's the problem?

dkosovic commented 4 years ago

setsockopt recvref[30]: Protocol not available is safe to ignore. It is to do with openswan's SAref patch for Linux kernel 2.6.36. xl2tpd and openswan are from the same vendor; most Linux distros don't ship with openswan. The patch got rejected and isn't in newer kernels.

L2TP uses UDP port 1701; 500 and 4500 are for IPsec. You could try clicking on "Enforce UDP Encapsulation" and see if that helps.

Is the system xl2tpd running? See Issue with not stopping system xl2tpd service in the README.md file (it may or may not be an issue for you) :
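The debug lines posted in this thread each map to a distinct cause: a proposal string the IKE daemon cannot parse, an IKE ID mismatch, an IPsec SA that was torn down without carrying traffic, and the harmless SAref probe. The triage helper below is an added example, not part of nm-l2tp: it runs a few regexes over nm-l2tp debug output and reports each finding together with the remedy discussed in this thread. The sample log is constructed from the thread's own lines, with the connection UUID and addresses replaced by placeholders.

```python
import re

# Added example: a small triage helper for the pluto/xl2tpd lines that nm-l2tp
# prints in debug mode. It is not part of nm-l2tp; the rules are written from
# the messages in this thread and the explanations given for them.
RULES = [
    ("ike-proposal-rejected",
     re.compile(r'ike string error: (?P<msg>.*?), just after "(?P<parsed>[^"]*)"'),
     "the IKE daemon could not parse the phase 1 proposal string; shorten it to "
     "algorithms this libreswan/strongswan build supports"),
    ("peer-id-mismatch",
     re.compile(r"we require IKEv1 peer to have ID '(?P<expected>[^']*)', "
                r"but peer declares '(?P<declared>[^']*)'"),
     "the server identifies itself with a leftid that differs from its address; "
     "set the connection's Remote ID to the declared value"),
    ("esp-no-traffic",
     re.compile(r"ESP traffic information: in=0B out=0B"),
     "the IPsec SA was built but no traffic was counted on it before teardown, so "
     "the L2TP session on UDP 1701 never got through; in this thread enabling "
     "'Enforce UDP Encapsulation' fixed it, and a system xl2tpd already bound to "
     "port 1701 is the other thing to rule out"),
    ("saref-unsupported",
     re.compile(r"setsockopt recvref\[\d+\]: Protocol not available"),
     "benign: xl2tpd probing for openswan's SAref kernel patch, which current "
     "kernels do not carry"),
]


def triage(log_text: str):
    """Return one finding dict per matched rule, in the order the rules fire."""
    findings = []
    seen = set()
    for line in log_text.splitlines():
        for name, pattern, advice in RULES:
            m = pattern.search(line)
            if m and name not in seen:
                seen.add(name)
                findings.append({"finding": name, "advice": advice, **m.groupdict()})
    return findings


# Constructed sample: lines taken from the debug output quoted in this thread,
# with the connection UUID replaced by CONN and the addresses by A and B.
SAMPLE_LOG = """\
003 ike string error: Non alphanum char found after in modp string, just after "aes256-sha1-modp2048,aes256-sha1-ecp" (state=ST_AK)
003 "CONN" #1: we require IKEv1 peer to have ID 'A', but peer declares 'B'
xl2tpd[23119]: setsockopt recvref[30]: Protocol not available
005 "CONN" #2: ESP traffic information: in=0B out=0B
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["finding"], "->", f["advice"])
```

Each rule fires once per run, so a log with hundreds of retransmission lines still yields one finding per cause; the captured groups (the parsed prefix of the proposal string, the expected and declared IDs) are returned alongside the advice so a script can print the exact value to put in the Remote ID field.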

sunnyjocker commented 4 years ago

It's done when I check 'Enforce UDP Encapsulation'; there's no need for port 1701. You saved my day. Thank you so muuuuuuuuuuuch...

dkosovic commented 4 years ago

network-manager-l2tp - 1.2.16-1~ubuntu16.04.1~ppa1, which includes a patch for older libreswan versions that don't support ECP algorithms, is now up on the regular PPA location:

sunnyjocker commented 4 years ago

thanks

salehi commented 3 years ago

https://stackoverflow.com/questions/60879711/how-to-install-network-manager-on-ubuntu/63990632#63990632 Here is my solution :)