nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Problem with connecting #125

Closed lukasvitroleracc closed 4 years ago

lukasvitroleracc commented 4 years ago

Hello, I keep trying to connect to an IPsec VPN but it doesn't work (it works on Windows, so the credentials are fine).

NetworkManager[819]: <info>  [1584060722.8265] vpn-connection[0x55941b3202e0,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: Started the VPN service, PID 22426
NetworkManager[819]: <info>  [1584060722.8465] vpn-connection[0x55941b3202e0,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: Saw the service appear; activating connection
NetworkManager[819]: <info>  [1584060722.9638] vpn-connection[0x55941b3202e0,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: VPN connection: (ConnectInteractive) reply received
nm-l2tp-service[22426]: Check port 1701
NetworkManager[819]: Redirecting to: systemctl restart ipsec.service
NetworkManager[819]: 002 listening for IKE messages
NetworkManager[819]: 002 forgetting secrets
NetworkManager[819]: 002 loading secrets from "/etc/ipsec.secrets"
NetworkManager[819]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
NetworkManager[819]: debugging mode enabled
NetworkManager[819]: end of file /var/run/nm-l2tp-b205d9cd-c775-445d-a66f-6d46e06a2d54/ipsec.conf
NetworkManager[819]: Loading conn b205d9cd-c775-445d-a66f-6d46e06a2d54
NetworkManager[819]: starter: left is KH_DEFAULTROUTE
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" modecfgdns=<unset>
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" modecfgdomains=<unset>
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" modecfgbanner=<unset>
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" mark=<unset>
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" mark-in=<unset>
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" mark-out=<unset>
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" vti_iface=<unset>
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" redirect-to=<unset>
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" accept-redirect-to=<unset>
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" esp=aes256-sha1,aes256-md5
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp>
NetworkManager[819]: opening file: /var/run/nm-l2tp-b205d9cd-c775-445d-a66f-6d46e06a2d54/ipsec.conf
NetworkManager[819]: loading named conns: b205d9cd-c775-445d-a66f-6d46e06a2d54
NetworkManager[819]: seeking_src = 1, seeking_gateway = 1, has_peer = 1
NetworkManager[819]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
NetworkManager[819]: dst  via 192.168.0.1 dev wlp60s0 src  table 254
NetworkManager[819]: set nexthop: 192.168.0.1
NetworkManager[819]: dst 192.168.0.0 via  dev wlp60s0 src 192.168.0.192 table 254
NetworkManager[819]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
NetworkManager[819]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
NetworkManager[819]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
NetworkManager[819]: dst 192.168.0.0 via  dev wlp60s0 src 192.168.0.192 table 255 (ignored)
NetworkManager[819]: dst 192.168.0.192 via  dev wlp60s0 src 192.168.0.192 table 255 (ignored)
NetworkManager[819]: dst 192.168.0.255 via  dev wlp60s0 src 192.168.0.192 table 255 (ignored)
NetworkManager[819]: seeking_src = 1, seeking_gateway = 0, has_peer = 1
NetworkManager[819]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
NetworkManager[819]: dst 192.168.0.1 via  dev wlp60s0 src 192.168.0.192 table 254
NetworkManager[819]: set addr: 192.168.0.192
NetworkManager[819]: seeking_src = 0, seeking_gateway = 0, has_peer = 1
NetworkManager[819]: 002 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: initiating Main Mode
NetworkManager[819]: 104 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: initiate
NetworkManager[819]: 003 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
NetworkManager[819]: 106 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I2: sent MI2, expecting MR2
NetworkManager[819]: 108 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: sent MI3, expecting MR3
NetworkManager[819]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
NetworkManager[819]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: retransmission; will wait 1 seconds for response
NetworkManager[819]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: retransmission; will wait 2 seconds for response
NetworkManager[819]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: retransmission; will wait 4 seconds for response
NetworkManager[819]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: retransmission; will wait 8 seconds for response
nm-l2tp-service[22426]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
NetworkManager[819]: <info>  [1584060734.8723] vpn-connection[0x55941b3202e0,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: VPN plugin: state changed: stopped (6)
NetworkManager[819]: <info>  [1584060734.8786] vpn-connection[0x55941b3202e0,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: VPN service disappeared
NetworkManager[819]: <warn>  [1584060734.8808] vpn-connection[0x55941b3202e0,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: VPN connection: failed to connect: 'Message recipien>
NetworkManager[819]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: retransmission; will wait 16 seconds for response
NetworkManager[819]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: retransmission; will wait 32 seconds for response
NetworkManager[819]: 031 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: 60 second timeout exceeded after 7 retransmits.  Possible authentication failure: no acceptable res>
NetworkManager[819]: 000 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: starting keying attempt 2 of an unlimited number, but releasing whack
SA=(Enc=AES Hash=MD5 Auth=PSK Group=2:modp1024 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)

dkosovic commented 4 years ago

The connection is failing at the phase 1 (main mode) negotiation stage.

libreswan >= 3.30 is no longer built with DH2 (modp1024) support. Which version of libreswan are you using?

lukasvitroleracc commented 4 years ago

I am using libreswan 3.29-2

dkosovic commented 4 years ago

If you are using Network-Manager-l2tp 1.8.0-5 with Fedora, I've removed the modp1024 proposals from Network-Manager-l2tp's default phase 1 algorithms so it can be compatible with libreswan >= 3.30.

A workaround would be to explicitly set the Phase 1 Algorithms in the IPsec Setting dialog box to:

aes128-sha1-modp1024

lukasvitroleracc commented 4 years ago

I tried that and it seems to return the same errors? :(

Mär 13 09:07:25 NANAMI NetworkManager[739]: <info>  [1584086845.2050] audit: op="connection-update" uuid="b205d9cd-c775-445d-a66f-6d46e06a2d54" name="greatoo23" args="vpn.data" pid=4927 uid=1000 result="success"
Mär 13 09:07:31 NANAMI NetworkManager[739]: <info>  [1584086851.2626] audit: op="connection-activate" uuid="b205d9cd-c775-445d-a66f-6d46e06a2d54" name="greatoo23" pid=3676 uid=1000 result="success"
Mär 13 09:07:31 NANAMI NetworkManager[739]: <info>  [1584086851.2748] vpn-connection[0x55bb28cd2120,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: Started the VPN service, PID 4978
Mär 13 09:07:31 NANAMI NetworkManager[739]: <info>  [1584086851.3056] vpn-connection[0x55bb28cd2120,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: Saw the service appear; activating connection
Mär 13 09:07:31 NANAMI NetworkManager[739]: <info>  [1584086851.4263] vpn-connection[0x55bb28cd2120,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: VPN connection: (ConnectInteractive) reply received
Mär 13 09:07:31 NANAMI nm-l2tp-service[4978]: Check port 1701
Mär 13 09:07:31 NANAMI NetworkManager[739]: whack: Pluto is not running (no "/run/pluto/pluto.ctl")
Mär 13 09:07:31 NANAMI NetworkManager[739]: Redirecting to: systemctl restart ipsec.service
Mär 13 09:07:33 NANAMI NetworkManager[739]: <info>  [1584086853.2580] manager: (ip_vti0): new Generic device (/org/freedesktop/NetworkManager/Devices/5)
Mär 13 09:07:33 NANAMI NetworkManager[739]: 002 listening for IKE messages
Mär 13 09:07:33 NANAMI NetworkManager[739]: 002 forgetting secrets
Mär 13 09:07:33 NANAMI NetworkManager[739]: 002 loading secrets from "/etc/ipsec.secrets"
Mär 13 09:07:33 NANAMI NetworkManager[739]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
Mär 13 09:07:33 NANAMI NetworkManager[739]: debugging mode enabled
Mär 13 09:07:33 NANAMI NetworkManager[739]: end of file /var/run/nm-l2tp-b205d9cd-c775-445d-a66f-6d46e06a2d54/ipsec.conf
Mär 13 09:07:33 NANAMI NetworkManager[739]: Loading conn b205d9cd-c775-445d-a66f-6d46e06a2d54
Mär 13 09:07:33 NANAMI NetworkManager[739]: starter: left is KH_DEFAULTROUTE
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" modecfgdns=<unset>
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" modecfgdomains=<unset>
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" modecfgbanner=<unset>
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" mark=<unset>
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" mark-in=<unset>
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" mark-out=<unset>
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" vti_iface=<unset>
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" redirect-to=<unset>
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" accept-redirect-to=<unset>
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" esp=aes256-sha1,aes256-md5
Mär 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" ike=aes128-sha1-modp1024
Mär 13 09:07:33 NANAMI NetworkManager[739]: opening file: /var/run/nm-l2tp-b205d9cd-c775-445d-a66f-6d46e06a2d54/ipsec.conf
Mär 13 09:07:33 NANAMI NetworkManager[739]: loading named conns: b205d9cd-c775-445d-a66f-6d46e06a2d54
Mär 13 09:07:33 NANAMI NetworkManager[739]: seeking_src = 1, seeking_gateway = 1, has_peer = 1
Mär 13 09:07:33 NANAMI NetworkManager[739]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Mär 13 09:07:33 NANAMI NetworkManager[739]: dst  via 192.168.0.1 dev wlp60s0 src  table 254
Mär 13 09:07:33 NANAMI NetworkManager[739]: set nexthop: 192.168.0.1
Mär 13 09:07:33 NANAMI NetworkManager[739]: dst 192.168.0.0 via  dev wlp60s0 src 192.168.0.192 table 254
Mär 13 09:07:33 NANAMI NetworkManager[739]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
Mär 13 09:07:33 NANAMI NetworkManager[739]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
Mär 13 09:07:33 NANAMI NetworkManager[739]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
Mär 13 09:07:33 NANAMI NetworkManager[739]: dst 192.168.0.0 via  dev wlp60s0 src 192.168.0.192 table 255 (ignored)
Mär 13 09:07:33 NANAMI NetworkManager[739]: dst 192.168.0.192 via  dev wlp60s0 src 192.168.0.192 table 255 (ignored)
Mär 13 09:07:33 NANAMI NetworkManager[739]: dst 192.168.0.255 via  dev wlp60s0 src 192.168.0.192 table 255 (ignored)
Mär 13 09:07:33 NANAMI NetworkManager[739]: seeking_src = 1, seeking_gateway = 0, has_peer = 1
Mär 13 09:07:33 NANAMI NetworkManager[739]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Mär 13 09:07:33 NANAMI NetworkManager[739]: dst 192.168.0.1 via  dev wlp60s0 src 192.168.0.192 table 254
Mär 13 09:07:33 NANAMI NetworkManager[739]: set addr: 192.168.0.192
Mär 13 09:07:33 NANAMI NetworkManager[739]: seeking_src = 0, seeking_gateway = 0, has_peer = 1
Mär 13 09:07:33 NANAMI NetworkManager[739]: 002 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: initiating Main Mode
Mär 13 09:07:33 NANAMI NetworkManager[739]: 104 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: initiate
Mär 13 09:07:33 NANAMI NetworkManager[739]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
Mär 13 09:07:34 NANAMI NetworkManager[739]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
Mär 13 09:07:35 NANAMI NetworkManager[739]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
Mär 13 09:07:37 NANAMI NetworkManager[739]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: retransmission; will wait 4 seconds for response
Mär 13 09:07:41 NANAMI NetworkManager[739]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
Mär 13 09:07:43 NANAMI nm-l2tp-service[4978]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Mär 13 09:07:43 NANAMI NetworkManager[739]: <info>  [1584086863.3775] vpn-connection[0x55bb28cd2120,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: VPN plugin: state changed: stopped (6)
Mär 13 09:07:43 NANAMI NetworkManager[739]: <info>  [1584086863.3852] vpn-connection[0x55bb28cd2120,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: VPN service disappeared
Mär 13 09:07:43 NANAMI NetworkManager[739]: <warn>  [1584086863.3893] vpn-connection[0x55bb28cd2120,b205d9cd-c775-445d-a66f-6d46e06a2d54,"greatoo23",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus >
Mär 13 09:07:49 NANAMI NetworkManager[739]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: retransmission; will wait 16 seconds for response
Mär 13 09:08:05 NANAMI NetworkManager[739]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
Mär 13 09:08:37 NANAMI NetworkManager[739]: 031 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits.  No response (or no acceptable response) to our first IKEv1 message
Mär 13 09:08:37 NANAMI NetworkManager[739]: 000 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: starting keying attempt 2 of an unlimited number, but releasing whack

dkosovic commented 4 years ago

Sorry, I didn't notice the KeyLength=256 in your first message; the Phase 1 Algorithms in the IPsec Setting dialog box should actually be:

aes256-sha1-modp1024

But having said that, the default phase 1 proposals from the first message already had that proposal:

ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp

I would probably recommend trying to switch from libreswan to strongswan. If you are using Fedora, this can be achieved with:

sudo rpm -e libreswan
sudo dnf install strongswan

I would recommend removing the Phase 1 Algorithm.

dkosovic commented 4 years ago

Actually, looking at the following line in the libreswan log output and doing a Google search, the Vendor ID seems to imply it is a FortiGate VPN server:

ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]

Lots of people seem to have FortiGate interoperability issues with libreswan and strongswan.

FortiGate seems to be a clone of Cisco IPsec, so it would seem the vpnc client would be appropriate to use, but as it is not a complete clone, the Cisco vpnc client needs a FortiGate compatibility patch:

You could then use NetworkManager-vpnc with that patched vpnc for the backend.

Alternatively instead of using IPsec, you could try using the openfortivpn backend with NetworkManager-fortisslvpn for the UI frontend:
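
As an added example (not code from NetworkManager-l2tp or from anyone in this thread), the following Python script carries out, over constructed log excerpts in the shape of the journal output above, the two checks made in the last two replies: it reports the Main Mode state at which libreswan gave up, converts the peer's SA=(...) dump lines into libreswan's alg-hash-group proposal notation so they can be compared with the configured ike= list (which is how KeyLength=256 leads to aes256-sha1-modp1024), and extracts the unknown Vendor ID. The sample log text, the STATE_HINTS wording and the KNOWN_VIDS table are assumptions constructed for this example; the full ike= list is written out here because the journal view above truncates it.

```python
"""Triage an IKEv1 Main Mode stall from NetworkManager-l2tp / libreswan journal lines.

Added example for this issue; it is not part of NetworkManager-l2tp.  Given lines in
the shape shown above it answers: at which Main Mode state did the initiator give up,
which phase 1 proposals were configured (ike=) versus dumped by the peer (SA=(...)),
do any match, and was an unknown Vendor ID seen?
"""
import re

# Constructed sample in the shape of the first journal excerpt above: default ike=
# list (written out in full; the journal view truncates it), peer SA dump, stall at I3.
ATTEMPT_1 = """\
NetworkManager[819]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1024
NetworkManager[819]: 002 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: initiating Main Mode
NetworkManager[819]: 003 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00000000]
NetworkManager[819]: 106 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I2: sent MI2, expecting MR2
NetworkManager[819]: 108 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: sent MI3, expecting MR3
NetworkManager[819]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response
NetworkManager[819]: 031 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I3: 60 second timeout exceeded after 7 retransmits.  Possible authentication failure
SA=(Enc=AES Hash=MD5 Auth=PSK Group=2:modp1024 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)
SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=256 LifeType=Seconds LifeDuration(4)=0x00007080)
"""

# Constructed sample in the shape of the second excerpt: ike= forced to
# aes128-sha1-modp1024, stall at STATE_MAIN_I1, no SA dump from the peer.
ATTEMPT_2 = """\
Mar 13 09:07:33 NANAMI NetworkManager[739]: conn: "b205d9cd-c775-445d-a66f-6d46e06a2d54" ike=aes128-sha1-modp1024
Mar 13 09:07:33 NANAMI NetworkManager[739]: 104 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: initiate
Mar 13 09:07:33 NANAMI NetworkManager[739]: 010 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
Mar 13 09:08:37 NANAMI NetworkManager[739]: 031 "b205d9cd-c775-445d-a66f-6d46e06a2d54" #1: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits.  No response (or no acceptable response) to our first IKEv1 message
"""

# What a stall in each initiator state means (wording is this example's own).
STATE_HINTS = {
    "STATE_MAIN_I1": "no reply to the first message: gateway unreachable, UDP 500/4500 "
                     "filtered, or no phase 1 proposal the peer is willing to accept",
    "STATE_MAIN_I2": "peer accepted a proposal (MR1 seen) but never answered the key exchange",
    "STATE_MAIN_I3": "DH exchange done but the authenticated MI3 went unanswered: possible "
                     "authentication failure (PSK or ID mismatch)",
}
# Vendor IDs this thread discusses; the FortiGate attribution is the one made above.
KNOWN_VIDS = {"8299031757a36082c6a621de00000000": "FortiGate (per the discussion in this issue)"}
# libreswan spells hash names in lower case, with an underscore for SHA-2 variants.
HASH_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA2_256": "sha2_256", "SHA2_512": "sha2_512"}


def peer_sa_to_proposal(line):
    """'SA=(Enc=AES Hash=SHA1 ... Group=2:modp1024 KeyLength=256 ...)' -> 'aes256-sha1-modp1024'."""
    f = dict(re.findall(r"\b(Enc|Hash|Group|KeyLength)=([^\s)]+)", line))
    enc = f["Enc"].lower() + f.get("KeyLength", "")   # AES carries a key length, 3DES does not
    hsh = HASH_NAMES.get(f["Hash"], f["Hash"].lower())
    group = f["Group"].split(":")[-1]                  # '2:modp1024' -> 'modp1024'
    return f"{enc}-{hsh}-{group}"


def configured_proposals(log_text):
    """Proposals from the 'ike=' line libreswan prints while loading the conn."""
    return [p for m in re.finditer(r"\bike=([\w,\-]+)", log_text) for p in m.group(1).split(",")]


def peer_offers(log_text):
    """Proposals the peer dumped as SA=(...) lines, in libreswan notation."""
    return [peer_sa_to_proposal(ln) for ln in log_text.splitlines() if ln.startswith("SA=(")]


def stalled_state(log_text):
    """Main Mode state being retransmitted when the timeout hit, or None."""
    states = re.findall(r"(STATE_MAIN_I\d): (?:retransmission|\d+ second timeout)", log_text)
    return states[-1] if states else None


def compatible(configured, offers):
    """Proposals present on both sides, in the initiator's preference order."""
    return [p for p in configured if p in offers]


def triage(log_text):
    configured, offers, state = configured_proposals(log_text), peer_offers(log_text), stalled_state(log_text)
    match = compatible(configured, offers)
    vids = re.findall(r"unknown Vendor ID payload \[([0-9a-f]+)\]", log_text)
    return {
        "stalled_state": state,
        "hint": STATE_HINTS.get(state, "negotiation did not stall in Main Mode"),
        "configured": configured,
        "peer_offers": offers,
        "compatible": match,
        # every shared proposal relies on DH2, which the thread says libreswan >= 3.30 drops
        "needs_modp1024": bool(match) and all(p.endswith("-modp1024") for p in match),
        "vendor_ids": {v: KNOWN_VIDS.get(v, "unknown") for v in vids},
    }


if __name__ == "__main__":
    r1, r2 = triage(ATTEMPT_1), triage(ATTEMPT_2)
    for name, r in (("attempt 1", r1), ("attempt 2", r2)):
        print(f"{name}: stalled at {r['stalled_state']}: {r['hint']}")
        print(f"  configured={r['configured']}\n  peer offers={r['peer_offers']}")
        print(f"  compatible={r['compatible']}  needs_modp1024={r['needs_modp1024']}  vids={r['vendor_ids']}")
    # the second attempt logged no SA dump, so check its ike= line against the first attempt's offers
    print("attempt 2 config vs attempt 1 offers:", compatible(r2["configured"], r1["peer_offers"]))
```

Run on the first excerpt it reports a stall at STATE_MAIN_I3 (the peer did answer MR1 and MR2, so a proposal was accepted) with aes256-sha1-modp1024 as the only proposal both sides share and that match depending on modp1024; on the second excerpt it reports a stall at STATE_MAIN_I1 and an ike= list that shares nothing with the peer's earlier offer, which is what forcing aes128 produced. A stall at I3 with a shared proposal points at the PSK or identity rather than at the algorithm list.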

JOYUAGV commented 4 years ago

I installed the package on Ubuntu 18.04 following the Linux tutorial, but it doesn't work (the VPN turned off by itself for no reason). Who can help me? Thanks!

dkosovic commented 4 years ago

@JOYUAGV, could you open a new issue, as this issue is regarding a Fedora client with a FortiGate VPN server?

Before you post a new issue, try the following:

  1. Install the newer network-manager-l2tp 1.2.18 from:
sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp
sudo apt update
sudo apt install network-manager-l2tp network-manager-l2tp-gnome

With this newer version of network-manager-l2tp, you shouldn't need to enter anything for the Phase 1 & 2 Algorithms in the IPsec options; if you have, I would recommend removing the entries.

  2. Try stopping the system xl2tpd:
sudo systemctl stop xl2tpd

See the "Issue with not stopping system xl2tpd service" section of the README.md file for more details.

If it still doesn't work, post the output of journalctl --unit=NetworkManager --no-hostname in the new issue; feel free to obfuscate any IP addresses.