Closed tukusejssirs closed 1 year ago
Sorry to hear that disabling the experimental strongswan plugins didn't solve the issue.
When I get home, I'll try and update an Arch Linux VM to the latest packages and try to reproduce the issue.
I haven't tested yet with Linux kernel 6.0 or later; you seem to be using kernel 6.0.2. It's not the first time that a major kernel update has broken IPsec.
Thanks! :pray:
Indeed, I am using `linux@6.0.2.arch1-1`. I could make a test with `linux-lts@5.15.74-1`.
> It's not the first time that a major kernel update has broken IPsec.

Could you expand on why it happens? Isn't IPsec sort of a standard (or whatever you call it) that should not be broken? What usually causes the breaks?
I have tested it on the LTS kernel (with the experimental strongswan extensions disabled), but it fails the same way as described in the OP.
Actually, I didn't read the logs properly; I believe the issue is the following line in the logs:

```
charon[123743]: 00[NET] could not open IPv4 socket, IPv4 disabled
```

As strongswan's charon couldn't open a socket, it subsequently fails.
Check if there is something else listening on UDP port 500 other than charon, e.g.:

```
$ sudo ss -tunlp | grep :500
udp UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("charon",pid=12238,fd=12))
udp UNCONN 0 0 *:500 *:* users:(("charon",pid=12238,fd=10))
$ sudo netstat -tunlp | grep :500
udp 0 0 0.0.0.0:500 0.0.0.0:* 12238/charon
udp6 0 0 :::500 :::* 12238/charon
```
I call it progress! Thanks! :pray:
Well, something is using it; however, no program/PID is listed with it.

```
udp UNCONN 0 0 0.0.0.0:500 0.0.0.0:*
udp UNCONN 0 0 [::]:500 [::]:*
```

Now the question is what uses it.
Update
Okay, that was quite easy. Port 500 is used by the `strongswan` service. When I disabled it (`sudo systemctl stop --now strongswan`), the port was not used; when I re-enabled the service, the port is used again.
The `strongswan` service logs this at its startup:

```
Oct 24 14:44:02 charon-systemd[124566]: PKCS11 module '<name>' lacks library path
Oct 24 14:44:02 charon-systemd[124566]: attr-sql plugin: database URI not set
Oct 24 14:44:02 charon-systemd[124566]: loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 24 14:44:02 charon-systemd[124566]: loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 24 14:44:02 charon-systemd[124566]: loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 24 14:44:02 charon-systemd[124566]: loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 24 14:44:02 charon-systemd[124566]: loading crls from '/etc/ipsec.d/crls'
Oct 24 14:44:02 charon-systemd[124566]: loading secrets from '/etc/ipsec.secrets'
Oct 24 14:44:02 charon-systemd[124566]: loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Oct 24 14:44:02 charon-systemd[124566]: loaded IKE secret for %any
Oct 24 14:44:02 charon-systemd[124566]: sql plugin: database URI not set
Oct 24 14:44:02 charon-systemd[124566]: opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Oct 24 14:44:02 charon-systemd[124566]: loaded 0 RADIUS server configurations
Oct 24 14:44:02 charon-systemd[124566]: HA config misses local/remote address
Oct 24 14:44:02 charon-systemd[124566]: no script for ext-auth script defined, disabled
Oct 24 14:44:02 charon-systemd[124566]: loaded plugins: charon-systemd ldap pkcs11 aesni aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1>
Oct 24 14:44:02 charon-systemd[124566]: dropped capabilities, running as uid 0, gid 0
Oct 24 14:44:02 charon-systemd[124566]: spawning 16 worker threads
Oct 24 14:44:02 swanctl[124583]: no files found matching '/etc/swanctl/conf.d/*.conf'
Oct 24 14:44:02 swanctl[124583]: no authorities found, 0 unloaded
Oct 24 14:44:02 swanctl[124583]: no pools found, 0 unloaded
Oct 24 14:44:02 swanctl[124583]: no connections found, 0 unloaded
```

Is it correct?
strongswan I believe comes with 3 different IPsec daemons: `charon`, `charon-systemd` and `charon-nm`.
NetworkManager-l2tp starts its own instance of `charon` by issuing `ipsec restart`, which stops any instance of `charon` and then starts `charon` and points it to a custom ipsec.conf file. I would have thought `ipsec restart` would stop `charon-systemd`, but guess it doesn't on Arch Linux.
If you make sure nothing is using UDP port 500 before the NetworkManager-l2tp network connection is started, that should be okay.
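As an added example (not code from this thread, from strongswan or from NetworkManager-l2tp), the following POSIX shell snippet turns the "check whether something else holds UDP port 500" step into a repeatable check: it parses `ss -tunlp` output, reports each UDP socket bound to the IKE ports (500, and 4500 for NAT-T) together with the owning PID, and flags sockets whose owner `ss` could not show, which is what an unprivileged run produces. The function names `ike_listeners` and `check_ike_port` and the sample `ss` lines are my own constructions.

```shell
#!/bin/sh
# Added example, not from the issue thread: before letting NetworkManager-l2tp start
# its own charon, find out whether UDP 500 (IKE) or 4500 (NAT-T) is already bound, and
# by which process. Input is `ss -tunlp` output on stdin; SAMPLE_SS_OUTPUT is constructed.

# ike_listeners PORT: print "<local-addr:port> <pid|unknown>" for every UDP socket
# bound to PORT in ss output read from stdin.
ike_listeners() {
    awk -v port="$1" '
        $1 ~ /^udp6?$/ {
            # Column 5 is Local Address:Port; the port is the text after the last ":"
            # (works for 0.0.0.0:500, *:500 and [::]:500 alike).
            n = split($5, parts, ":")
            if (parts[n] != port) next
            pid = "unknown"
            # users:(("charon",pid=12238,fd=12)) -> 12238
            if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
            print $5, pid
        }'
}

# check_ike_port PORT: return 0 if PORT is free, 1 if something holds it (and say what).
check_ike_port() {
    port="$1"
    holders=$(ike_listeners "$port")
    if [ -z "$holders" ]; then
        echo "UDP port $port is free"
        return 0
    fi
    echo "UDP port $port is already bound:"
    printf '%s\n' "$holders" | while read -r addr pid; do
        if [ "$pid" = unknown ]; then
            # ss only shows owning processes it is allowed to see: an empty users:()
            # column usually means ss ran without root, not that nothing owns the socket.
            echo "  $addr  (owner not shown; rerun ss as root to see the process)"
        else
            echo "  $addr  held by pid $pid ($(cat /proc/$pid/comm 2>/dev/null || echo '?'))"
        fi
    done
    return 1
}

# Constructed sample resembling the output posted in the thread: charon holds IPv4 :500,
# and the IPv6 socket is shown without an owner (as when ss is run unprivileged).
SAMPLE_SS_OUTPUT='udp UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("charon",pid=12238,fd=12))
udp UNCONN 0 0 [::]:500 [::]:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'

printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_ike_port 500 \
    || echo "  -> stop the service holding it (e.g. strongswan.service) and retry"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | check_ike_port 4500

# Live check on this machine (needs the ss tool; run as root to see socket owners).
if command -v ss >/dev/null 2>&1; then
    for p in 500 4500; do ss -tunlp | check_ike_port "$p" || true; done
fi
```

Run it as root before bringing the connection up with `nmcli`; a non-zero exit from `check_ike_port 500` means another IKE daemon (on Arch, typically `charon-systemd` from `strongswan.service`) still owns the port and NetworkManager-l2tp's own charon will fail with the "could not open IPv4 socket" message quoted above.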
You're right. When I disable the `strongswan` service, I can enable the VPN (via `nmcli`). I still need to remove the extra route (see #132); however, it is usable now.

> I would have thought `ipsec restart` would stop `charon-systemd`, but guess it doesn't on Arch Linux.

I am not sure if I manually enabled the `strongswan` service during my debugging of this issue (some time ago) or not, thus I suggest to test if your assumption is correct.
Anyway, you helped me a lot! Thank you very much! :pray:
For Arch Linux users that search and find this issue, the old strongswan systemd service (which starts the `charon` daemon) was renamed from `strongswan.service` to `strongswan-starter.service` according to the Arch Linux strongswan wiki:
NetworkManager-l2tp is compatible with `strongswan-starter.service`, but not `strongswan.service`. Regardless, there is no need to start either service as NetworkManager-l2tp will start its own instance of the `charon` daemon.
Related comments from #132: 1, 2, 3, 4
I cannot connect to the VPN on Arch Linux; however, some time ago I could. I didn't change any configuration on the local machine (apart from package upgrades), nor was the VPN server changed. I can connect to the server on MS Windows 10.
Here are some logs (replaced the VPN server IP with `$vpn_server_ip`):

```
Oct 24 09:06:22 NetworkManager[806]:
```

```
sudo journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd
```

I get the same result after disabling experimental `strongswan` plugins (disabling them and rebooting the system, like you, @dkosovic, suggested here).