nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

After upgrade to 1.20.12-1 this issue occurs: no config named #222

Closed 2w-consultoria closed 3 months ago

2w-consultoria commented 4 months ago

Hi, after updating from 1.20.10-1 to 1.20.12-1, L2TP does not connect. I downgraded, then it connects as expected. Thanks.

mar 05 17:20:05 archlinux charon[30672]: 00[LIB] dropped capabilities, running as uid 0, gid 0
mar 05 17:20:05 archlinux charon[30672]: 00[JOB] spawning 16 worker threads
mar 05 17:20:05 archlinux charon[30672]: 06[IKE] installed bypass policy for 192.168.123.0/24
mar 05 17:20:05 archlinux charon[30672]: 06[IKE] installed bypass policy for fe80::/64
mar 05 17:20:05 archlinux ipsec_starter[30670]: charon (30672) started after 80 ms
mar 05 17:20:05 archlinux charon[30672]: 12[CFG] received stroke: add connection 'e731aa8f-e136-417e-a925-a62488370810'
mar 05 17:20:06 archlinux charon[30672]: 14[CFG] rereading secrets
mar 05 17:20:06 archlinux charon[30672]: 14[CFG] loading secrets from '/etc/ipsec.secrets'
mar 05 17:20:06 archlinux charon[30672]: 14[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
mar 05 17:20:06 archlinux charon[30672]: 14[CFG]   loaded IKE secret for %any
mar 05 17:20:06 archlinux charon[30672]: 07[CFG] received stroke: initiate 'e731aa8f-e136-417e-a925-a62488370810'
mar 05 17:20:06 archlinux charon[30672]: 07[CFG] no config named 'e731aa8f-e136-417e-a925-a62488370810'
mar 05 17:20:06 archlinux NetworkManager[30709]: no config named 'e731aa8f-e136-417e-a925-a62488370810'
mar 05 17:20:07 archlinux pppd[29994]: Connection terminated.
mar 05 17:20:07 archlinux charon[30672]: 03[KNL] interface ppp0 deleted
mar 05 17:20:07 archlinux NetworkManager[30715]: Stopping strongSwan IPsec...
mar 05 17:20:07 archlinux pppd[29994]: Modem hangup
mar 05 17:20:07 archlinux pppd[29994]: Exit.

dkosovic commented 4 months ago

The missing config it is referring to is in the /run/nm-l2tp-e731aa8f-e136-417e-a925-a62488370810/ipsec.conf file.

It's like you have two instances running and they are clobbering each other; pppd shouldn't be appearing in the logs as the strongSwan charon IPsec connection hasn't been established.

Before you start the VPN connection, check if charon or something else is listening on UDP port 500 with either of the following:

$ sudo ss -tunlp | grep :500
udp   UNCONN 0      0                   0.0.0.0:500        0.0.0.0:*    users:(("charon",pid=12238,fd=12))
udp   UNCONN 0      0                         *:500              *:*    users:(("charon",pid=12238,fd=10))
$ sudo netstat -tunlp | grep :500
udp        0      0 0.0.0.0:500             0.0.0.0:*                           12238/charon
udp6       0      0 :::500                  :::*                                12238/charon

If they are, stop and disable them. I would recommend doing the following anyway as NetworkManager-l2tp starts its own instance of strongswan's charon.

sudo systemctl stop strongswan-starter
sudo systemctl stop strongswan

sudo systemctl disable strongswan-starter
sudo systemctl disable strongswan

Make sure there are no other instances of nm-l2tp-service, xl2tpd or pppd running:

sudo killall -TERM nm-l2tp-service
sudo killall -TERM xl2tpd
sudo killall -TERM pppd

Then try the VPN connection again.

Unrelated, or at least I think unrelated: I see bypass policy in the logs. Unlike many other Linux distros, Arch Linux enables experimental strongSwan plugins that can be problematic; I would recommend disabling them with the following:

sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/bypass-lan.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/connmark.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/forecast.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/sha3.conf

You will also need to reboot as kernel modules used by some of the strongswan plugins might also be loaded.

2w-consultoria commented 4 months ago

Thanks for your answer; unfortunately it did not work. I tried all of your suggestions.

dkosovic commented 4 months ago

There were two significant changes in NetworkManager-l2tp:

1. Fixes MPPE protocol negotiation by not using noccp ppp option when MPPE is selected.

This change is related to commit# https://github.com/nm-l2tp/NetworkManager-l2tp/commit/fdf5d98e86c5f0a97f9649fa3e23b3c001a93340

I don't think it is relevant for this issue, because if you were impacted by this change and the connection stopped working, you would probably have received one of the following messages in the log output:

pppd[4444]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
pppd[5555]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
pppd[5555]: MPPE required but peer negotiation failed

2. Determine correct local IP address for IPSec

This change is related to commit# https://github.com/nm-l2tp/NetworkManager-l2tp/commit/dcec057dbb4917125e9d7b7941df454001ff2e88

Although there is a fair bit of code change, it only modifies one line in the generated /run/nm-l2tp-e731aa8f-e136-417e-a925-a62488370810/ipsec.conf file: the line that originally had left=%defaultroute now has %defaultroute replaced with the local IP address.

In my case, this is what my generated ipsec.conf file looks like:

$ sudo cat /run/nm-l2tp-6e419b1a-f8ba-40fc-b1c5-770d9e528496/ipsec.conf
config setup
conn 6e419b1a-f8ba-40fc-b1c5-770d9e528496
  auto=add
  type=transport
  authby=secret
  left=192.168.0.159
  leftprotoport=udp/l2tp
  rightprotoport=udp/l2tp
  right=145.67.141.61
  rightid=%any
  keyingtries=%forever
  ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp384,aes128-sha1-modp1024,aes128-sha1-ecp256,3des-sha1-modp2048,3des-sha1-modp1024!
  esp=aes256-sha1,aes128-sha1,3des-sha1!
  keyexchange=ikev1

You can try manually running the following on the command-line and see if you get an error:

sudo ipsec restart --conf /run/nm-l2tp-e731aa8f-e136-417e-a925-a62488370810/ipsec.conf --debug
sleep 2
sudo ipsec up e731aa8f-e136-417e-a925-a62488370810

sudo ipsec status

If you do get the same error, you could then try changing the left=xxx.xxx.xxx.xxx line in the /run/nm-l2tp-e731aa8f-e136-417e-a925-a62488370810/ipsec.conf file to left=%defaultroute and see if you still get an error.

2w-consultoria commented 4 months ago

The file /run/nm-l2tp-xxxxx/ipsec.conf doesn't exist. If I initiate the connection the file is created; after the connection ends the file doesn't exist anymore.

I don't understand why, but in the previous version it works fine.

The information about the connection is in /etc/NetworkManager/system-connections/XXXX.nmconnection

NetworkManager had a new version on the same day too; maybe it has an issue too.

Thanks for your help.

dkosovic commented 4 months ago

In your original log output, you have pppd running with PID 29994, while you have strongSwan charon with PID 30672, which indicates there is a pppd process that was started before strongSwan charon, most likely from a previous VPN connection.

Normally what happens with NetworkManager-l2tp is that strongswan charon is started first. If the strongswan IPsec connection was successful, it is followed by xl2tpd and pppd for the L2TP connection.

If you are still getting the same log output and error (after explicitly killing nm-l2tp-service, xl2tpd and pppd which you normally don't have to do), it just doesn't make sense as to where the pppd process is starting from. Perhaps you did some update that is causing the GUI to start two instances of the VPN connection somehow.

Or is the log output different and you are getting a different error?

Running the following for debugging will prevent the /run/nm-l2tp-UUID/ipsec.conf file from being deleted:

sudo killall -TERM nm-l2tp-service
sudo /usr/lib/NetworkManager/nm-l2tp-service --debug

then start your VPN connection in the GUI and then try to reproduce the problem.

2w-consultoria commented 4 months ago

Hi, the same error in debug mode. When I add the left=xxx.xxx.xxx.xxx, the message below occurs:

charon[12554]: 05[NET] error writing to socket: Network is unreachable

LOG:

nm-l2tp[11972] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.9.13 IPsec [starter]...
Loading config setup
Loading conn '8249e2da-74a1-4710-abba-7180505aaa18'
nm-l2tp[11972] <info>  Spawned ipsec up script with PID 12128.
no config named '8249e2da-74a1-4710-abba-7180505aaa18'
Stopping strongSwan IPsec...
** Message: 09:48:45.043: Could not establish IPsec connection.

(nm-l2tp-service:11972): GLib-GIO-CRITICAL **: 09:48:45.043: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

dkosovic commented 3 months ago

Hopefully commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/031e9e01ac07c0cb1588d9a9b075d6c984f5628d fixes this issue.

I suspect somewhere earlier in your logs you had one of the following error messages generated by the get_localaddr() function:

This subsequently broke the generation of the /run/nm-l2tp-UUID/ipsec.conf file.
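An added example, not NetworkManager-l2tp's own code, tying together the two points made earlier in the thread: the 1.20.12 change fills in left= from the route to the peer, and charon answers "no config named" when the generated file lacks a conn section matching the UUID given to ipsec up. It derives the local address with a UDP connect(), falls back to %defaultroute when that fails (the manual test suggested above), and pre-flights the file before ipsec is called; the stanza layout follows the ipsec.conf shown above with abbreviated proposal lists, and nothing here claims how get_localaddr() actually chooses the address.

```python
import ipaddress
import socket

IKE = "aes256-sha2_256-modp2048,aes256-sha1-modp2048,aes128-sha1-modp1024!"
ESP = "aes256-sha1,aes128-sha1,3des-sha1!"
TEMPLATE = """config setup
conn {uuid}
  auto=add
  type=transport
  authby=secret
  left={left}
  leftprotoport=udp/l2tp
  rightprotoport=udp/l2tp
  right={right}
  rightid=%any
  keyingtries=%forever
  ike={ike}
  esp={esp}
  keyexchange=ikev1
"""

def resolve_local_addr(peer, port=500):
    # UDP connect() sends nothing: it only asks the routing table which source
    # address reaches `peer`, and fails at once (e.g. ENETUNREACH) if none does.
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect((peer, port))
            return s.getsockname()[0]
    except OSError:
        return None

def render_ipsec_conf(uuid, right, left):
    # When no local address could be determined, fall back to %defaultroute
    # rather than writing a file charon cannot match to `ipsec up <uuid>`.
    return TEMPLATE.format(uuid=uuid, right=right, ike=IKE, esp=ESP,
                           left=left or "%defaultroute")

def check_conf(text, uuid):
    # Pre-flight: predict a 'no config named' answer or an unusable left= line.
    lines = [ln.strip() for ln in text.splitlines()]
    problems = []
    if f"conn {uuid}" not in lines:
        problems.append(f"no conn section named {uuid}")
    left = next((ln[5:] for ln in lines if ln.startswith("left=")), "")
    if left != "%defaultroute":
        try:
            ipaddress.ip_address(left)
        except ValueError:
            problems.append(f"left={left!r} is neither %defaultroute nor an IP address")
    return problems
```

Typical use: `left = resolve_local_addr(peer)`, then `render_ipsec_conf(uuid, peer, left)` and `check_conf(...)` on the result before handing the file to ipsec.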

2w-consultoria commented 3 months ago

Thank you!