Open momu opened 5 months ago
I see bypass policy in the logs. Unlike many other Linux distros, Manjaro enables experimental strongswan plugins that can be problematic. Try to disable loading them with:
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/bypass-lan.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/connmark.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/forecast.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/sha3.conf
You will also need to reboot as kernel modules used by some of the strongswan plugins might also be loaded.
I have the same issue when I try to connect to a VPN.
Unfortunately, the advice from the comment above didn't help.
Linux version:
Linux 6.1.71-1-MANJARO x86_64
journalctl logs:
Feb 02 20:36:12 realism-manjaro-pc NetworkManager[20042]: <info> [1706895372.4847] vpn[0x56228f6e22a0,18e5f0f9-17bf-48f6-ad08-afb0d3058d92,"VPN"]: starting l2tp
Feb 02 20:36:12 realism-manjaro-pc NetworkManager[20042]: <info> [1706895372.4850] audit: op="connection-activate" uuid="18e5f0f9-17bf-48f6-ad08-afb0d3058d92" name="VPN" pid=1593 uid=1000 result="success"
Feb 02 20:36:22 realism-manjaro-pc NetworkManager[20042]: <warn> [1706895382.4998] vpn[0x56228f6e22a0,18e5f0f9-17bf-48f6-ad08-afb0d3058d92,"VPN"]: failed to connect: 'Timeout was reached'
My colleagues don't have this problem on other distros. I'm pretty sure that my VPN connection settings are correct.
I don't currently have a VM with either Manjaro or Arch Linux. As they are cutting-edge distros, they are typically the distros that first encounter issues with kernel updates that break the L2TP kernel modules and have issues with changes to NetworkManager. I'll try and spin one up this week.
One other thing I forgot to suggest is that the following services should be stopped and preferably disabled:
Some Arch Linux doco for L2TP suggests running the strongswan service, but they most definitely should not be run as NetworkManager is not compatible with it. It is compatible with strongswan-starter, but there is no need to have it running. NetworkManager-l2tp starts its own instance of strongswan, so doesn't need either of the above two services.
Although I don't think these strongswan services are an issue in these cases.
Regarding the 10 second timeout, that is not something from this repository, the IPsec connection has a 16 sec timeout as does the xl2tpd/pppd connection:
From memory, NetworkManager had a 50 second timeout for VPN connections, maybe it has been reduced on Manjaro?
I'm not about to reproduce as my VPN connection takes less than 10 seconds.
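Added example, not written by anyone in this thread and not code from NetworkManager or NetworkManager-l2tp: it parses NetworkManager journal lines like the ones quoted earlier, pairs each "starting l2tp" line with the matching "failed to connect" line by connection UUID, and reports how long the attempt ran and which of the timeouts quoted in the comment above had not yet expired. The names `failed_attempts`, `QUOTED_TIMEOUTS` and `VPN_LINE` are made up for illustration.

```python
import re
from decimal import Decimal

# Log lines copied from the journalctl output quoted earlier in this thread.
SAMPLE = '''\
Feb 02 20:36:12 realism-manjaro-pc NetworkManager[20042]: <info> [1706895372.4847] vpn[0x56228f6e22a0,18e5f0f9-17bf-48f6-ad08-afb0d3058d92,"VPN"]: starting l2tp
Feb 02 20:36:12 realism-manjaro-pc NetworkManager[20042]: <info> [1706895372.4850] audit: op="connection-activate" uuid="18e5f0f9-17bf-48f6-ad08-afb0d3058d92" name="VPN" pid=1593 uid=1000 result="success"
Feb 02 20:36:22 realism-manjaro-pc NetworkManager[20042]: <warn> [1706895382.4998] vpn[0x56228f6e22a0,18e5f0f9-17bf-48f6-ad08-afb0d3058d92,"VPN"]: failed to connect: 'Timeout was reached'
'''

# Timeouts in seconds as quoted in the thread (the 50 s figure is "from memory" there).
QUOTED_TIMEOUTS = {"IPsec / xl2tpd+pppd": Decimal(16), "NetworkManager VPN": Decimal(50)}

# Matches only lines tagged vpn[<pointer>,<uuid>,"<name>"]; the bracketed number is NM's epoch timestamp.
VPN_LINE = re.compile(
    r'<\w+>\s+\[(?P<ts>\d+\.\d+)\]\s+vpn\[0x[0-9a-f]+,'
    r'(?P<uuid>[0-9a-f-]{36}),"(?P<name>[^"]*)"\]:\s+(?P<msg>.*)$')

def failed_attempts(text):
    """Pair each 'starting <service>' line with the failure for the same UUID."""
    started, attempts = {}, []
    for line in text.splitlines():
        m = VPN_LINE.search(line)
        if not m:
            continue  # audit lines and non-VPN messages carry no vpn[...] tag
        uuid, ts, msg = m["uuid"], Decimal(m["ts"]), m["msg"]
        if msg.startswith("starting "):
            started[uuid] = ts  # a retry overwrites the earlier start
        elif msg.startswith("failed to connect") and uuid in started:
            elapsed = ts - started.pop(uuid)
            attempts.append({
                "name": m["name"],
                "uuid": uuid,
                "elapsed": elapsed,
                "reason": msg.partition(": ")[2].strip("'"),
                # quoted timeouts that had not yet expired when NM gave up
                "not_yet_expired": sorted(
                    k for k, v in QUOTED_TIMEOUTS.items() if elapsed < v),
            })
    return attempts

if __name__ == "__main__":
    for a in failed_attempts(SAMPLE):
        print(f'{a["name"]}: {a["reason"]!r} after {a["elapsed"]} s; '
              f'not yet expired: {", ".join(a["not_yet_expired"])}')
```

Feed it live data with `journalctl -u NetworkManager.service -o short` piped into a file and passed to `failed_attempts`.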
@dkosovic Thank you for your assistance. I've checked that the source code of nm and nm-l2tp is taken directly from their actual repositories and has no mentions related to "timeout" in pacman build configuration (even if these parameters don't exist). I think this issue can be closed as it's not related to nm directly.
You could try replacing strongswan with libreswan from AUR: https://aur.archlinux.org/packages/libreswan
It is built with USE_DH2=true option i.e. the weak modp1024 algorithm that the VPN server you are connecting to is using in the logs for the selected proposal. That USE_DH2=true option is not enabled by default in the libreswan upstream source code with later versions of libreswan, so is a good thing AUR does in this case.
But from the libreswan AUR comments, looks like there are some issues with building/running it at the moment and there are some workarounds.
Hopefully libreswan might be quicker in connecting.
I didn't mention it, but I have tried both strongswan and libreswan. The result was the same. I want to try to build strongswan with increased timeout.
I'll leave this issue open in case other Manjaro and Arch Linux users come along with the same issue, that way they know something is wrong.
This is where the "failed to connect" warning message from NetworkManager is coming from:
https://github.com/NetworkManager/NetworkManager/blob/1.44.2/src/core/vpn/nm-vpn-connection.c#L1569
In that warning, it looks like "Timeout was reached" is a D-Bus timeout error.
sudo systemctl status dbus or sudo journalctl -u dbus might have some hints as to what is wrong.
You could use strongswan on the command-line with the generated ipsec config file for further debugging and for removing NetworkManager from the equation. The below ipsec commands are identical to what this VPN client uses (except it doesn't use the sleep 2 command, instead it uses a for loop to determine when connection is ready).
sudo ipsec restart --conf /var/run/nm-l2tp-e0b3b8cc-f213-4ac6-9942-a3907827b791/ipsec.conf --debug
sleep 2
sudo ipsec up e0b3b8cc-f213-4ac6-9942-a3907827b791
sudo ipsec status
(e0b3b8cc-f213-4ac6-9942-a3907827b791 was obtained from a Loading conn 'e0b3b8cc-f213-4ac6-9942-a3907827b791' line in the original post's log output.)
If strongswan isn't able to connect, you could post the ipsec.conf file contents and the command-line output to the strongswan issues page:
They might be able to help you resolve the issue.
As I'm jealous of my colleague who uses the l2tp connection on his Linux Mint machine successfully, I gave it a try on two different Manjaro systems.
I installed networkmanager-l2tp and strongswan:
Created a new l2tp connection entry with the network manager, which resulted in this nmconnection file:
When trying to connect using this connection, journalctl -f -u NetworkManager.service gives:
Looks like there is a 10 s timeout indicated by this line:
Does anybody have a clue where the problem is?