nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Strongswan config problem when using l2tp plugin #135

Closed srnikolic86 closed 4 years ago

srnikolic86 commented 4 years ago

Hello,

I have set up everything in Gnome Network Manager and when trying to connect I get

no config named '9c89399c-1107-4c1c-84fd-87d2d295f0e9'

in my /etc/var/syslog.

Here is my whole log:

NetworkManager[1511]: <info>  [1586161749.2484] audit: op="connection-activate" uuid="9c89399c-1107-4c1c-84fd-87d2d295f0e9" name="xxx IPsec" pid=27018 uid=1000 result="success"
NetworkManager[1511]: <info>  [1586161749.2528] vpn-connection[0x555d5e32e170,9c89399c-1107-4c1c-84fd-87d2d295f0e9,"xxx IPsec",0]: Started the VPN service, PID 32292
NetworkManager[1511]: <info>  [1586161749.2594] vpn-connection[0x555d5e32e170,9c89399c-1107-4c1c-84fd-87d2d295f0e9,"xxx IPsec",0]: Saw the service appear; activating connection
NetworkManager[1511]: <info>  [1586161749.2661] vpn-connection[0x555d5e32e170,9c89399c-1107-4c1c-84fd-87d2d295f0e9,"xxx IPsec",0]: VPN connection: (ConnectInteractive) reply received
NetworkManager[1511]: Stopping strongSwan IPsec failed: starter is not running
NetworkManager[1511]: Starting strongSwan 5.6.2 IPsec [starter]...
NetworkManager[1511]: Loading config setup
NetworkManager[1511]: Loading conn '9c89399c-1107-4c1c-84fd-87d2d295f0e9'
NetworkManager[1511]: found netkey IPsec stack
NetworkManager[1511]: no config named '9c89399c-1107-4c1c-84fd-87d2d295f0e9'
NetworkManager[1511]: Stopping strongSwan IPsec...
NetworkManager[1511]: <info>  [1586161752.6583] vpn-connection[0x555d5e32e170,9c89399c-1107-4c1c-84fd-87d2d295f0e9,"xxx IPsec",0]: VPN plugin: state changed: stopped (6)
NetworkManager[1511]: <info>  [1586161752.6599] vpn-connection[0x555d5e32e170,9c89399c-1107-4c1c-84fd-87d2d295f0e9,"xxx IPsec",0]: VPN service disappeared
NetworkManager[1511]: <warn>  [1586161752.6607] vpn-connection[0x555d5e32e170,9c89399c-1107-4c1c-84fd-87d2d295f0e9,"xxx IPsec",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

I have tried creating 9c89399c-1107-4c1c-84fd-87d2d295f0e9 config in /etc/ipsec.conf, but I still get the same error.

Are you familiar with this issue and do you know how to resolve it?

dkosovic commented 4 years ago

/etc/ipsec.conf isn't used; the following are the generated files for the connection:

First make sure nm-l2tp-service isn't running:

sudo killall -TERM nm-l2tp-service

Ensure /var/run/nm-l2tp-9c89399c-1107-4c1c-84fd-87d2d295f0e9/ipsec.conf exists; if it doesn't, use nm-l2tp-service --debug (see the debugging section of the README.md file for the full path):

You could use strongswan on the command-line with the generated ipsec config file for further debugging. The below ipsec commands are identical to what this VPN client uses (except it doesn't use the sleep 2 command, but a for loop to determine when it is ready).

sudo ipsec restart --conf /var/run/nm-l2tp-ipsec-9c89399c-1107-4c1c-84fd-87d2d295f0e9.conf --debug
sleep 2
sudo ipsec up 9c89399c-1107-4c1c-84fd-87d2d295f0e9

sudo ipsec status

Do you still get the no config named '9c89399c-1107-4c1c-84fd-87d2d295f0e9' error using the command-line?

srnikolic86 commented 4 years ago

Thank you for your fast response.

Only these three files get created:

/var/run/nm-l2tp-9c89399c-1107-4c1c-84fd-87d2d295f0e9/ipsec.conf
/var/run/nm-l2tp-9c89399c-1107-4c1c-84fd-87d2d295f0e9/ppp-options
/var/run/nm-l2tp-9c89399c-1107-4c1c-84fd-87d2d295f0e9/xl2tpd.conf

Running commands like you said outputs this. It just tries to send a package without any success in the end. There is no "no config" error when using the command-line. (I have replaced the real public IP address with 'hostip'.)

~$ sudo killall -TERM nm-l2tp-service
nm-l2tp-service: no process found

~$ sudo ipsec restart --conf /var/run/nm-l2tp-9c89399c-1107-4c1c-84fd-87d2d295f0e9/ipsec.conf --debug
Stopping strongSwan IPsec...
Starting strongSwan 5.6.2 IPsec [starter]...
Loading config setup
Loading conn '9c89399c-1107-4c1c-84fd-87d2d295f0e9'
found netkey IPsec stack

~$ sudo ipsec up 9c89399c-1107-4c1c-84fd-87d2d295f0e9
initiating IKE_SA 9c89399c-1107-4c1c-84fd-87d2d295f0e9[1] to hostip
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.10.43[500] to hostip[500] (1116 bytes)
retransmit 1 of request with message ID 0
sending packet: from 192.168.10.43[500] to hostip[500] (1116 bytes)
retransmit 2 of request with message ID 0
sending packet: from 192.168.10.43[500] to hostip[500] (1116 bytes)
retransmit 3 of request with message ID 0
sending packet: from 192.168.10.43[500] to hostip[500] (1116 bytes)
retransmit 4 of request with message ID 0
sending packet: from 192.168.10.43[500] to hostip[500] (1116 bytes)
retransmit 5 of request with message ID 0
sending packet: from 192.168.10.43[500] to hostip[500] (1116 bytes)

dkosovic commented 4 years ago

That's right about only those 3 files getting created (along with /etc/ipsec.d/ipsec.nm-l2tp.secrets); the other two files get created once xl2tpd is started.

So looks like there are two issues:

  1. Following for loop which waits for strongswan to become ready is most likely exiting too early because strongswan's ipsec rereadsecrets is giving a false positive that it is ready (after the ipsec restart) :

Strongswan has given false positives in the past and I had to add workaround code, but I haven't seen it happening there.

  2. The IPsec connection isn't able to be established even from the command-line.

I'm not sure which linux distro you are using; if you are using Ubuntu or a derivative, I would recommend using the newer network-manager-l2tp packages from the following PPA:

For backwards compatibility with most L2TP/IPsec VPN servers out there, network-manager-l2tp 1.2.16 no longer uses the strongSwan or libreswan default set of allowed algorithms, instead algorithms that are a merge of Windows 10 and iOS L2TP/IPsec clients' IKEv1 proposals are used instead for the network-manager-l2tp defaults. The weakest proposals that were not common to both Win10 and iOS were dropped, but all of the strongest ones were kept.

You could try switching from strongswan to libreswan; if you are using Ubuntu, the following should do it:

sudo apt install libreswan
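
The manual sequence from earlier in the thread (stop nm-l2tp-service, ipsec restart with the generated config, wait, ipsec up, ipsec status) and the readiness loop that exits too early, rolled into one script. This is an added example, not nm-l2tp's own code and not anything posted in the thread. The /var/run/nm-l2tp-<uuid>/ipsec.conf path is taken from the thread; that `ipsec statusall` lists loaded conns as `  <name>:  ...` under `Connections:` is assumed strongSwan 5.x behaviour; the sample ipsec.conf and ipsec-up logs are constructed from the lines quoted above so the text-processing functions can be exercised without strongSwan installed.

```shell
#!/bin/sh
# Added example (not nm-l2tp code): drive strongSwan with the ipsec.conf that
# nm-l2tp-service generated for a connection UUID, wait until the conn is
# really loaded instead of "sleep 2", bring it up and classify the result.

# Conn name declared in a generated ipsec.conf: the first "conn <name>" that
# is not the "%default" section. Pure text processing, testable offline.
conn_name_from_conf() {
    awk '$1 == "conn" && $2 != "%default" { print $2; exit }' "$1"
}

# Poll "ipsec statusall" until the named conn appears under "Connections:"
# (assumption: strongSwan prints loaded conns as "  <name>:  ..."). This is the
# readiness check that replaces the fixed "sleep 2" from the thread. Returns 1
# on timeout so the caller does not run "ipsec up" against an unloaded conn.
wait_for_conn_loaded() {
    name=$1; tries=${2:-20}
    while [ "$tries" -gt 0 ]; do
        if ipsec statusall 2>/dev/null | grep -q "^ *${name}:"; then
            return 0
        fi
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

# Classify the captured output of "ipsec up <conn>" (path to a log file):
#   no-config    the conn was never loaded (the error from the issue's syslog)
#   established  IKE_SA / CHILD_SA came up
#   no-response  the request was only retransmitted and nothing was received,
#                so the problem is UDP 500/4500 reachability, not the config
#   unknown      anything else
classify_ipsec_up() {
    out=$1
    if grep -q 'no config named' "$out"; then
        echo no-config
    elif grep -q 'established' "$out"; then
        echo established
    elif grep -q '^retransmit [0-9]* of request' "$out" && ! grep -q 'received packet' "$out"; then
        echo no-response
    else
        echo unknown
    fi
}

# Constructed samples modelled on the lines quoted in the thread, so the two
# text functions above can be exercised without strongSwan installed.
write_samples() {
    d=$1
    printf 'config setup\n\nconn %%default\n\tkeyexchange=ikev1\n\nconn 9c89399c-1107-4c1c-84fd-87d2d295f0e9\n\tright=hostip\n' >"$d/ipsec.conf"
    printf 'initiating IKE_SA 9c89399c-1107-4c1c-84fd-87d2d295f0e9[1] to hostip\nsending packet: from 192.168.10.43[500] to hostip[500] (1116 bytes)\nretransmit 1 of request with message ID 0\nsending packet: from 192.168.10.43[500] to hostip[500] (1116 bytes)\n' >"$d/up-noresp.log"
    printf "no config named '9c89399c-1107-4c1c-84fd-87d2d295f0e9'\n" >"$d/up-noconf.log"
    printf 'IKE_SA 9c89399c-1107-4c1c-84fd-87d2d295f0e9[1] established between 192.168.10.43[192.168.10.43]...hostip[hostip]\n' >"$d/up-ok.log"
}

# The thread's command-line sequence with the readiness check. Needs root.
debug_connection() {
    uuid=$1
    conf="/var/run/nm-l2tp-${uuid}/ipsec.conf"
    [ -r "$conf" ] || { echo "missing $conf; run nm-l2tp-service --debug" >&2; return 2; }
    name=$(conn_name_from_conf "$conf")
    [ -n "$name" ] || { echo "no conn section in $conf" >&2; return 2; }
    ipsec restart --conf "$conf" --debug
    wait_for_conn_loaded "$name" 20 || { echo "conn '$name' never loaded" >&2; ipsec stop; return 3; }
    log=$(mktemp)
    ipsec up "$name" >"$log" 2>&1 || true
    verdict=$(classify_ipsec_up "$log")
    echo "result: $verdict"
    if [ "$verdict" = "no-response" ]; then
        echo "no reply from the server; check reachability with:" >&2
        echo "  tcpdump -ni any udp port 500 or udp port 4500" >&2
    fi
    ipsec status
    rm -f "$log"
}

# Only act when invoked as "script.sh run <uuid>", so the functions can be
# sourced (or tested) without side effects.
if [ "${1:-}" = "run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    killall -TERM nm-l2tp-service 2>/dev/null
    debug_connection "$2"
fi
```

Run as root with `sh nm-l2tp-debug.sh run 9c89399c-1107-4c1c-84fd-87d2d295f0e9`. The `no-response` verdict is what the retransmit-only output earlier in the thread would produce: the IKE request leaves the client and nothing comes back, which points at UDP 500/4500 not reaching the server (firewall, NAT, wrong address) rather than at the generated ipsec.conf.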

dkosovic commented 4 years ago

Closing due to lack of activity and assume it was solved.