nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

strongswan no acceptable traffic selectors found error #154

Closed praxis88 closed 3 years ago

praxis88 commented 3 years ago

I have tested networkmanager-l2tp and strongswan across Ubuntu, Fedora, and Arch, on gnome, xfce, and plain ole TTY. With and without nm-applet, with and without storing passwords in user/all/prompt. From the CLI, from the GUI. I have tested it to multiple VPN gateways. This is very recent as I was setting up batches of laptops over the last few months and it was working. I am seeing this as late as 1.8.x and as early as 1.2.x. Something is very very wrong.

All attempts to establish a connection with l2tp & PSK return either

VPN plugin: failed: connect-failed (1)

or

VPN plugin: failed to request VPN secrets #3 user agent not available

The second of these is far more common. I only saw the first one time across all the testing I did.

dkosovic commented 3 years ago

Can you try running seahorse to see if you can connect to the Secret Service? Perhaps the secrets user agent is failing if the Secret Service is having issues or is down. Usually running GNOME Seahorse starts the Secret Service if it isn't already running.

dkosovic commented 3 years ago

For the VPN plugin: failed: connect-failed issue, I would need to see the full log output.

praxis88 commented 3 years ago

Jan 27 20:51:29 DESKTOP NetworkManager[501]: <info>  [1611802289.8036] vpn-connection[0x557f052ea0a0,628ea30a-be38-4ee6-9661-bb88feeb24f8,"arca",0]: Started the VPN service, PID 2104
Jan 27 20:51:29 DESKTOP NetworkManager[501]: <info>  [1611802289.8084] vpn-connection[0x557f052ea0a0,628ea30a-be38-4ee6-9661-bb88feeb24f8,"arca",0]: Saw the service appear; activating connection
Jan 27 20:51:33 DESKTOP NetworkManager[501]: <info>  [1611802293.9514] vpn-connection[0x557f052ea0a0,628ea30a-be38-4ee6-9661-bb88feeb24f8,"arca",0]: VPN connection: (ConnectInteractive) reply received
Jan 27 20:51:38 DESKTOP NetworkManager[501]: <info>  [1611802298.0253] vpn-connection[0x557f052ea0a0,628ea30a-be38-4ee6-9661-bb88feeb24f8,"arca",0]: VPN plugin: state changed: starting (3)
Jan 27 20:51:52 DESKTOP NetworkManager[501]: <warn>  [1611802312.0380] vpn-connection[0x557f052ea0a0,628ea30a-be38-4ee6-9661-bb88feeb24f8,"arca",0]: VPN plugin: failed: connect-failed (1)
Jan 27 20:51:52 DESKTOP NetworkManager[501]: <warn>  [1611802312.0381] vpn-connection[0x557f052ea0a0,628ea30a-be38-4ee6-9661-bb88feeb24f8,"arca",0]: VPN plugin: failed: connect-failed (1)
Jan 27 20:51:52 DESKTOP NetworkManager[501]: <info>  [1611802312.0385] vpn-connection[0x557f052ea0a0,628ea30a-be38-4ee6-9661-bb88feeb24f8,"arca",0]: VPN plugin: state changed: stopping (5)
Jan 27 20:51:52 DESKTOP NetworkManager[501]: <info>  [1611802312.1477] vpn-connection[0x557f052ea0a0,628ea30a-be38-4ee6-9661-bb88feeb24f8,"arca",0]: VPN plugin: state changed: stopped (6)
Jan 27 20:51:52 DESKTOP NetworkManager[501]: <info>  [1611802312.1491] vpn-connection[0x557f052ea0a0,628ea30a-be38-4ee6-9661-bb88feeb24f8,"arca",0]: VPN service disappeared

I am working on getting an install of a gnome desktop here at home to test seahorse

praxis88 commented 3 years ago

seahorse pulls up the GnuPG keys which say "this collection seems to be empty"

dkosovic commented 3 years ago

The log output looks like it is only from NetworkManager and not NetworkManager-l2tp.

Have a look at the debugging section of the README file:

Issue the following (but may need to adjust nm-l2tp-service path for your linux distro):

sudo killall -TERM nm-l2tp-service
sudo /usr/libexec/nm-l2tp-service --debug

Then try the VPN connection in the GUI or in another terminal with nmcli, you should see more debugging output for the terminal running nm-l2tp-service.

I'm writing this on a Windows PC at work, so not sure what I normally see in seahorse.

praxis88 commented 3 years ago

** Message: 21:51:33.814: Check port 1701
ipv6
    address-data : []
    dns : []
    dns-search : []
    ip6-privacy : 0
    method : 'auto'
    route-data : []

proxy

ipv4
    address-data : []
    dns : []
    dns-search : []
    method : 'auto'
    route-data : []

connection
    autoconnect : false
    id : 'arca'
    permissions : []
    type : 'vpn'
    uuid : '628ea30a-be38-4ee6-9661-bb88feeb24f8'

vpn
    data : {'gateway': 'xx.xx.xx.xx', 'ipsec-enabled': 'yes', 'ipsec-psk': '0sUzNjdXI1RnV0dXJlU29sZGllciEh', 'machine-auth-type': 'psk', 'password-flags': '1', 'user': 'xxx', 'user-auth-type': 'password'}
    secrets : {'password': 'xxx'}
    service-type : 'org.freedesktop.NetworkManager.l2tp'
    user-name : 'xxx'

nm-l2tp[3936] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.9.1 IPsec [starter]...
Loading config setup
Loading conn '628ea30a-be38-4ee6-9661-bb88feeb24f8'
nm-l2tp[3936] <info>  Spawned ipsec up script with PID 4121.
initiating Main Mode IKE_SA 628ea30a-be38-4ee6-9661-bb88feeb24f8[1] to 
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.0.102[500] to [500] (532 bytes)
received packet: from [500] to 192.168.0.102[500] (176 bytes)
parsed ID_PROT response 0 [ SA V V V V V ]
received strongSwan vendor ID
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.102[500] to [500] (396 bytes)
received packet: from [500] to 192.168.0.102[500] (380 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.0.102[4500] to [4500] (92 bytes)
received packet: from [4500] to 192.168.0.102[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA 628ea30a-be38-4ee6-9661-bb88feeb24f8[1] established between 192.168.0.102[192.168.0.102]...[]
scheduling reauthentication in 9747s
maximum IKE_SA lifetime 10287s
generating QUICK_MODE request 139682058 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.0.102[4500] to [4500] (268 bytes)
received packet: from [4500] to 192.168.0.102[4500] (172 bytes)
parsed QUICK_MODE response 139682058 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
no acceptable traffic selectors found
establishing connection '628ea30a-be38-4ee6-9661-bb88feeb24f8' failed
nm-l2tp[3936] <info>  strongSwan IPsec tunnel is up.
** Message: 21:51:37.369: xl2tpd started with pid 4130
xl2tpd[4130]: Not looking for kernel SAref support.
xl2tpd[4130]: Using l2tp kernel support.
xl2tpd[4130]: xl2tpd version xl2tpd-1.3.16 started on DESKTOP PID:4130
xl2tpd[4130]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[4130]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[4130]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[4130]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[4130]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[4130]: get_call: allocating new tunnel for host , port 1701.
xl2tpd[4130]: Connecting to host , port 1701
xl2tpd[4130]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[4130]: control_finish: sending SCCRQ
nm-l2tp[3936] <warn>  Looks like pppd didn't initialize our dbus module
nm-l2tp[3936] <info>  Terminated xl2tpd daemon with PID 4130.
xl2tpd[4130]: death_handler: Fatal signal 15 received
xl2tpd[4130]: Connection 0 closed to , port 1701 (Server closing)
Stopping strongSwan IPsec...
** Message: 21:51:51.485: ipsec shut down
nm-l2tp[3936] <warn>  xl2tpd exited with error code 1
Stopping strongSwan IPsec failed: starter is not running
** Message: 21:51:51.492: ipsec shut down

I edited some of this for privacy and security reasons, ips, usernames, passwords etc.

praxis88 commented 3 years ago

Adding network-manager-strongswan (not listed as a dependency) seems to fix it on ubuntu based distributions. Still not working elsewhere for me

dkosovic commented 3 years ago

With Fedora you are most likely using libreswan, you could try switching to strongswan with the following:

sudo dnf install strongswan
sudo rpm -e libreswan

I can't explain what installing network-manager-strongswan might have triggered to fix the issue, I don't have it installed on Ubuntu.

no acceptable traffic selectors found in the log file seems to be the issue, but I can't explain what is causing it.

praxis88 commented 3 years ago

The network-manager-strongswan fix did not transfer over to another baremetal box I tested it on after getting it to work on mint and ubuntu20.04 virtual boxes last night. I am unsure what is causing the breakage here.

dkosovic commented 3 years ago

L2TP/IPsec in general does not work if multiple clients behind the same NAT try to connect at the same time as they can not be distinguished by the VPN server.

Some L2TP/IPsec VPN servers can be configured or patched to allow multiple clients behind the same NAT to connect at the same time, e.g. strongswan connmark plugin with xl2tpd patch, see:

praxis88 commented 3 years ago

This is from many different networks, at many different times from many different distributions, from a few different package versions, from many different desktop environments, to 2 different tested VPN gateways. Something is very wrong between dbus, ipsec packages, networkmanager, and networkmanager-l2tp

dkosovic commented 3 years ago

Are the two different VPN gateways Cisco Unity by any chance?

Regarding the no acceptable traffic selectors found issue, do you have the Ubuntu strongswan-plugin-unity package installed? If so, could you remove it? The unity plugin is what is generating those errors.

dkosovic commented 3 years ago

Forgot to add the following to my last message.

The IPsec connection fails after the no acceptable traffic selectors found error with the strongswan establishing connection '628ea30a-be38-4ee6-9661-bb88feeb24f8' failed error message.

In the following nm-l2tp-service code, it checks if the IPSec connection is established by using the strongswan ipsec status command-line command:

But it appears ipsec status returns a false positive that the IPSec connection was established, so nm-l2tp-service continues with the L2TP connection (and subsequently fails), even though the IPSec connection isn't up. So it appears to be a bug with the strongswan ipsec status command.

I would try removing or disabling the strongswan unity plugin.
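
The check dkosovic describes, done the other way round, as an added shell example (not nm-l2tp-service's own code): instead of trusting ipsec status, which still shows the Main Mode IKE_SA as established after Quick Mode has failed, scan the output of ipsec up for charon's failure lines and for a CHILD_SA established line. The failed sample is taken from the log above; the established sample is constructed, and ipsec_up_ok is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not part of NetworkManager-l2tp.
# Usage: ipsec up "$CONN" 2>&1 | ipsec_up_ok "$CONN"   -> exit 0 only if the ESP tunnel is up.
# In the issue's log the IKE_SA was established but Quick Mode failed with
# "no acceptable traffic selectors found", so an IKE_SA-only check is a false positive.
ipsec_up_ok() {
    conn="$1"
    out=$(cat)
    # Explicit failure markers printed by charon (both appear in the log quoted above).
    if printf '%s\n' "$out" | grep -q "establishing connection '$conn' failed"; then
        return 1
    fi
    if printf '%s\n' "$out" | grep -q 'no acceptable traffic selectors found'; then
        return 1
    fi
    # Only an established CHILD_SA for this connection proves the tunnel is usable.
    printf '%s\n' "$out" | grep -q "CHILD_SA $conn{"
}

CONN='628ea30a-be38-4ee6-9661-bb88feeb24f8'

# Tail of the ipsec up output quoted in this issue.
FAILED_UP_OUTPUT="selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
no acceptable traffic selectors found
establishing connection '$CONN' failed"

# Constructed sample of a successful Quick Mode (not from the issue; SPIs and peer are made up).
ESTABLISHED_UP_OUTPUT="selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA $CONN{1} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 192.168.0.102/32[udp/l2tp] === 203.0.113.10/32[udp/l2tp]
connection '$CONN' established successfully"

# Demo: the failed sample must not be reported as up; the established one must.
if printf '%s\n' "$FAILED_UP_OUTPUT" | ipsec_up_ok "$CONN"; then
    echo "failed sample: reported UP (this is the false positive)"
else
    echo "failed sample: reported NOT up (correct)"
fi
if printf '%s\n' "$ESTABLISHED_UP_OUTPUT" | ipsec_up_ok "$CONN"; then
    echo "established sample: reported UP (correct)"
else
    echo "established sample: reported NOT up"
fi
```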

praxis88 commented 3 years ago

They are Sophos gateways and I don't have a strongswan-plugin-unity

I did a 'sudo find / | fzf' for unity plugin and strongswan keywords and didn't find much of anything on the system pertaining to that

What seems to give people less issues libreswan or strongswan?

dkosovic commented 3 years ago

Looks like the strongswan unity plugin is built by default on later Ubuntu versions with the --enable-unity configure switch. After Ubuntu 18.04 the unity plugin hasn't been a separate package. Might be the same for other Linux distros.

$ sudo find /etc/strongswan.d -type f -exec grep -H unity {} \;
/etc/strongswan.d/charon.conf:    # cisco_unity = no

Could you try uncommenting cisco_unity = no to ensure it is set to no in /etc/strongswan.d/charon.conf

Sophos Gateways apparently use libreswan, so in this case you might have had more luck if you tried libreswan, although I suspect it will now work with strongswan when cisco_unity = no is set. It is debatable which one of libreswan or strongswan has less issues, sometimes one works, but the other doesn't.

Chromebooks use strongswan, there are lots of bug reports regarding Sophos UTM as VPN server and Chromebooks clients with strongswan on the Chromebooks being built with --enable-unity :

dkosovic commented 3 years ago

Extract from chromium bug# 707139:

Disable USE flag for strongSwan unity plugin

During the strongSwan 5.5.0 upgrade, the unity plugin got enabled because it is on by default in new strongSwan builds. But this plugin has a known issue that breaks transport mode, resulting in a regression when interoperating with certain VPN gateways. Disable the unity plugin until this is fixed. We never need Split-Include for transport mode anyway, and we do not currently support tunnel mode.

It might be worthwhile reporting the bug to Debian and/or Ubuntu so they don't build their strongswan package with --enable-unity

praxis88 commented 3 years ago

nm-l2tp[1874] <debug> nm-l2tp-service (version 1.8.6) starting...
nm-l2tp[1874] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[1874] <info>  ipsec enable flag: yes
vpn
    data : {'gateway': '', 'ipsec-enabled': 'yes', 'ipsec-psk': '0sUzNjdXI1RnV0dXJlU29sZGllciEh', 'machine-auth-type': 'psk', 'mru': '1400', 'mtu': '1400', 'password-flags': '2', 'refuse-chap': 'yes', 'refuse-eap': 'yes', 'refuse-mschap': 'yes', 'refuse-pap': 'yes', 'user': , 'user-auth-type': 'password'}
    secrets : {'password': ''}
    service-type : 'org.freedesktop.NetworkManager.l2tp'
    user-name : ''

ipv6
    address-data : []
    dns : []
    dns-search : []
    ip6-privacy : 0
    method : 'auto'
    route-data : []

connection
    autoconnect : false
    id : 'arc'
    permissions : []
    type : 'vpn'
    uuid : 'a83729b6-bdf1-4df4-8973-00a328c661e2'

proxy

ipv4
    address-data : []
    dns : []
    dns-search : []
    method : 'auto'
    route-data : []

nm-l2tp[1874] <info>  starting ipsec
nm-l2tp[1874] <info>  Spawned ipsec up script with PID 1929.
initiating Main Mode IKE_SA a83729b6-bdf1-4df4-8973-00a328c661e2[1] to 
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.0.102[500] to [500] (532 bytes)
received packet: from [500] to 192.168.0.102[500] (176 bytes)
parsed ID_PROT response 0 [ SA V V V V V ]
received strongSwan vendor ID
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.102[500] to [500] (396 bytes)
received packet: from [500] to 192.168.0.102[500] (380 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.0.102[4500] to [4500] (92 bytes)
received packet: from [4500] to 192.168.0.102[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA a83729b6-bdf1-4df4-8973-00a328c661e2[1] established between 192.168.0.102[192.168.0.102]...
scheduling reauthentication in 9819s
maximum IKE_SA lifetime 10359s
generating QUICK_MODE request 83895387 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.0.102[4500] to [4500] (268 bytes)
received packet: from [4500] to 192.168.0.102[4500] (172 bytes)
parsed QUICK_MODE response 83895387 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
no acceptable traffic selectors found
establishing connection 'a83729b6-bdf1-4df4-8973-00a328c661e2' failed
nm-l2tp[1874] <info>  strongSwan IPsec tunnel is up.
nm-l2tp[1874] <warn>  Looks like pppd didn't initialize our dbus module
nm-l2tp[1874] <info>  Terminated xl2tpd daemon with PID 1938.
nm-l2tp[1874] <warn>  xl2tpd exited with error code 1

No dice on the cisco_unity = no. I am testing from arch now using networkmanager-l2tp networkmanager-l2tp-gnome and strongswan. I also tested earlier today with fedora so it is affecting debian based, arch based, and redhat based distros

praxis88 commented 3 years ago

The fix works, it just has to be done in unity.conf and charon.conf

The charon.conf doesn't seem to do anything. It works after I set load = no in the unity.conf.

I have verified the fix across 3 distributions now. Good work man
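
The workaround praxis88 found to work, as an added shell example (not part of the project): set load = no in the unity plugin's own config file rather than cisco_unity in charon.conf. It assumes the usual layout where that file is /etc/strongswan.d/charon/unity.conf; the sample file content is constructed from the stock file's shape, and disable_unity_plugin, unity_plugin_disabled and make_sample_confdir are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not part of NetworkManager-l2tp. Disables the strongSwan unity
# plugin via strongswan.d/charon/unity.conf, the change that fixed this issue.

# Rewrite an existing "load = ..." line to "load = no", or create a minimal
# unity.conf if none exists. Idempotent: a second run leaves a single "load = no".
disable_unity_plugin() {
    f="$1/charon/unity.conf"
    mkdir -p "$1/charon"
    if [ -f "$f" ] && grep -q '^[[:space:]]*load[[:space:]]*=' "$f"; then
        sed 's/^\([[:space:]]*load[[:space:]]*=[[:space:]]*\).*/\1no/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'unity {\n    load = no\n}\n' > "$f"
    fi
}

# Succeed only if unity.conf exists and its effective (last) load value is "no".
unity_plugin_disabled() {
    f="$1/charon/unity.conf"
    [ -f "$f" ] || return 1
    val=$(sed -n 's/^[[:space:]]*load[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f" | tail -n 1)
    [ "$val" = "no" ]
}

# Scratch strongswan.d tree with a constructed copy of the stock unity.conf
# (load = yes), so the demo never touches /etc. Prints the directory path.
make_sample_confdir() {
    d=$(mktemp -d)
    mkdir -p "$d/charon"
    printf 'unity {\n\n    # Whether to load the plugin.\n    load = yes\n\n}\n' > "$d/charon/unity.conf"
    echo "$d"
}

# Demo on the scratch tree; on a real box run (as root): disable_unity_plugin /etc/strongswan.d
SAMPLE=$(make_sample_confdir)
disable_unity_plugin "$SAMPLE"
if unity_plugin_disabled "$SAMPLE"; then
    echo "unity plugin disabled in $SAMPLE/charon/unity.conf"
else
    echo "unity plugin still enabled"
fi
rm -rf "$SAMPLE"
```

The unity plugin is loaded when charon starts, so reconnect the VPN (nm-l2tp-service starts and stops ipsec itself, as the logs above show) for the change to take effect.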

dkosovic commented 3 years ago

That's great news, glad to hear!

I might put something in the FAQ regarding the no acceptable traffic selectors found error and the unity.conf and charon.conf workaround. I also need to fix the code to prevent a false positive with a failed strongswan connection.