Closed 2w-consultoria closed 3 months ago
The missing config it is referring to is in the /run/nm-l2tp-e731aa8f-e136-417e-a925-a62488370810/ipsec.conf file.

It's like you have two instances running and they are clobbering each other; pppd shouldn't be appearing in the logs as the strongswan charon IPsec connection hasn't been established.
Before you start the VPN connection, check if charon or something else is listening on UDP port 500 with either of the following:

```
$ sudo ss -tunlp | grep :500
udp UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("charon",pid=12238,fd=12))
udp UNCONN 0 0 *:500 *:* users:(("charon",pid=12238,fd=10))
```

```
$ sudo netstat -tunlp | grep :500
udp 0 0 0.0.0.0:500 0.0.0.0:* 12238/charon
udp6 0 0 :::500 :::* 12238/charon
```
If they are, stop and disable them. I would recommend doing the following anyway as NetworkManager-l2tp starts its own instance of strongswan's charon:

```
sudo systemctl stop strongswan-starter
sudo systemctl stop strongswan
sudo systemctl disable strongswan-starter
sudo systemctl disable strongswan
```
Make sure there are no other instances of nm-l2tp-service, xl2tpd or pppd running:

```
sudo killall -TERM nm-l2tp-service
sudo killall -TERM xl2tpd
sudo killall -TERM pppd
```
Then try the VPN connection again.
Unrelated, or at least I think unrelated: I see bypass policy in the logs. Unlike many other Linux distros, Arch Linux enables experimental strongswan plugins that can be problematic; I would recommend disabling them with the following:

```
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/bypass-lan.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/connmark.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/forecast.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/sha3.conf
```
You will also need to reboot as kernel modules used by some of the strongswan plugins might also be loaded.
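The checks in the comment above (a foreign IKE daemon on UDP/500, leftover nm-l2tp-service/xl2tpd/pppd processes, experimental charon plugins still enabled) collected into one pre-flight script. This is an added example, not code from the NetworkManager-l2tp project or from the commenter; the functions read command output on stdin so they run here on constructed samples, and the `preflight` wrapper is a hypothetical name. On a real host you would feed them `sudo ss -tunlp`, `ps -eo pid,comm` and /etc/strongswan.d/charon instead.

```shell
#!/bin/sh
# Added example (not NetworkManager-l2tp project code): pre-flight checks for a
# host where another IKE daemon or a stale L2TP helper would clash with the
# charon, xl2tpd and pppd that NetworkManager-l2tp starts itself.

# Print "process/pid" for every UDP socket bound to the given port, from
# `ss -tunlp` output on stdin (duplicates for v4/v6 sockets collapsed).
udp_listeners() {
    awk -v pat=":$1\$" '
        $1 == "udp" && $5 ~ pat {
            # users:(("charon",pid=12238,fd=12)) -> charon/12238
            if (match($0, /\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 2, RLENGTH - 2)
                sub(/",pid=/, "/", s)
                print s
            }
        }' | sort -u
}

# Print "name/pid" for the daemons NetworkManager-l2tp manages itself, from
# `ps -eo pid,comm` output on stdin; anything listed here is a leftover.
stale_l2tp_daemons() {
    awk '$2 == "nm-l2tp-service" || $2 == "xl2tpd" || $2 == "pppd" { print $2 "/" $1 }'
}

# Print the names of the four experimental charon plugins whose config file in
# the given strongswan.d/charon directory still says `load = yes`.
enabled_experimental_plugins() {
    dir="$1"
    for plugin in bypass-lan connmark forecast sha3; do
        f="$dir/$plugin.conf"
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*load[[:space:]]*=[[:space:]]*yes' "$f"; then
            echo "$plugin"
        fi
    done
}

# Constructed samples shaped like the output quoted in the comment above; they
# were not captured from a real host.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("charon",pid=12238,fd=12))
udp UNCONN 0 0 *:500 *:* users:(("charon",pid=12238,fd=10))
udp UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon",pid=12238,fd=14))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'
SAMPLE_PS='PID COMMAND
1 systemd
29994 pppd
30672 charon
31001 bash'

# Throwaway strongswan.d/charon directory with one plugin still enabled
# (constructed; nothing under /etc is touched).
make_sample_plugin_dir() {
    d=$(mktemp -d)
    printf 'bypass-lan {\n    load = yes\n}\n' > "$d/bypass-lan.conf"
    printf 'sha3 {\n    load = no\n}\n' > "$d/sha3.conf"
    echo "$d"
}

# Run every check on the samples and report; returns 1 if anything would clash
# with the instances NetworkManager-l2tp is about to start.
preflight() {
    rc=0
    for port in 500 4500; do
        l=$(printf '%s\n' "$SAMPLE_SS" | udp_listeners "$port")
        [ -n "$l" ] && { echo "UDP/$port already bound by: $l"; rc=1; }
    done
    s=$(printf '%s\n' "$SAMPLE_PS" | stale_l2tp_daemons)
    [ -n "$s" ] && { echo "leftover L2TP daemons: $s"; rc=1; }
    d=$(make_sample_plugin_dir)
    p=$(enabled_experimental_plugins "$d")
    [ -n "$p" ] && echo "experimental plugins still loaded: $p"
    rm -rf "$d"
    return $rc
}

preflight || echo "preflight: resolve the conflicts above before starting the VPN"
```

Port 4500 is checked alongside 500 because the NAT-T socket belongs to the same daemon; a hit on either port means the system strongswan unit (or another IKE daemon) is still up and should be stopped and disabled as described.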
Thanks for your answer, unfortunately it did not work. I tried all of your suggestions.
There were two significant changes in NetworkManager-l2tp:

- noccp ppp option when MPPE is selected. This change is related to commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/fdf5d98e86c5f0a97f9649fa3e23b3c001a93340

  Don't think it is relevant for this issue because if you were impacted by this change with the connection not working anymore, you would have received maybe one of the following messages in the log output:

  ```
  pppd[4444]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
  pppd[5555]: Protocol-Reject for 'Compression Control Protocol' (0x80fd) received
  pppd[5555]: MPPE required but peer negotiation failed
  ```
- This change is related to commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/dcec057dbb4917125e9d7b7941df454001ff2e88

  Although there is a fair bit of code change, it only modifies one line in the generated /run/nm-l2tp-e731aa8f-e136-417e-a925-a62488370810/ipsec.conf file, which originally had `left=%defaultroute`, and has `%defaultroute` replaced with the local IP address.
In my case, this is what my generated ipsec.conf file looks like:

```
$ sudo cat /run/nm-l2tp-6e419b1a-f8ba-40fc-b1c5-770d9e528496/ipsec.conf
config setup

conn 6e419b1a-f8ba-40fc-b1c5-770d9e528496
    auto=add
    type=transport
    authby=secret
    left=192.168.0.159
    leftprotoport=udp/l2tp
    rightprotoport=udp/l2tp
    right=145.67.141.61
    rightid=%any
    keyingtries=%forever
    ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp384,aes128-sha1-modp1024,aes128-sha1-ecp256,3des-sha1-modp2048,3des-sha1-modp1024!
    esp=aes256-sha1,aes128-sha1,3des-sha1!
    keyexchange=ikev1
```
You can try manually running the following on the command-line and see if you get an error:

```
sudo ipsec restart --conf /run/nm-l2tp-e731aa8f-e136-417e-a925-a62488370810/ipsec.conf --debug
sleep 2
sudo ipsec up e731aa8f-e136-417e-a925-a62488370810
sudo ipsec status
```
If you do get the same error, you could then try changing the `left=xxx.xxx.xxx.xxx` line in the /run/nm-l2tp-e731aa8f-e136-417e-a925-a62488370810/ipsec.conf file to `left=%defaultroute` and see if you still get an error.
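Helpers for the manual `ipsec up` test described in the comment above. This is an added example, not code from the NetworkManager-l2tp project or from the commenter: it checks that a generated /run/nm-l2tp-UUID/ipsec.conf declares a `conn` named after the UUID in its path (the name `ipsec up` is given), reads the current `left=` value, and writes a copy with `left=%defaultroute` rather than editing the generated file in place. The function names are hypothetical, and the sample file is a constructed copy of the config quoted above, placed under a temp directory that mimics /run/nm-l2tp-UUID/.

```shell
#!/bin/sh
# Added example (not NetworkManager-l2tp project code): inspect a generated
# ipsec.conf and prepare a %defaultroute variant for a manual `ipsec up` test.

# UUID part of a /run/nm-l2tp-UUID/ipsec.conf path.
uuid_from_path() {
    basename "$(dirname "$1")" | sed 's/^nm-l2tp-//'
}

# Name of the first `conn` section in an ipsec.conf.
conn_name() {
    awk '$1 == "conn" { print $2; exit }' "$1"
}

# Value of the `left=` line; leftprotoport= and friends are not matched.
left_value() {
    sed -n -E 's/^[[:space:]]*left=(.*)$/\1/p' "$1"
}

# Copy $1 to $2 with the left= line set to %defaultroute, indentation kept.
with_defaultroute() {
    sed -E 's/^([[:space:]]*)left=.*/\1left=%defaultroute/' "$1" > "$2"
}

# Return 0 if the conn name matches the UUID in the path; otherwise report the
# mismatch and return 1, since `ipsec up <UUID>` looks the conn up by that name.
check_conn_matches_path() {
    u=$(uuid_from_path "$1")
    c=$(conn_name "$1")
    [ "$u" = "$c" ] && return 0
    echo "path UUID $u does not match conn '$c'" >&2
    return 1
}

# Constructed copy of the generated file quoted above, written under a temp
# directory shaped like /run/nm-l2tp-UUID/ so nothing on the real system is touched.
make_sample_conf() {
    base=$(mktemp -d)
    dir="$base/nm-l2tp-6e419b1a-f8ba-40fc-b1c5-770d9e528496"
    mkdir "$dir"
    cat > "$dir/ipsec.conf" <<'EOF'
config setup

conn 6e419b1a-f8ba-40fc-b1c5-770d9e528496
    auto=add
    type=transport
    authby=secret
    left=192.168.0.159
    leftprotoport=udp/l2tp
    rightprotoport=udp/l2tp
    right=145.67.141.61
    rightid=%any
    keyingtries=%forever
    ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp384,aes128-sha1-modp1024,aes128-sha1-ecp256,3des-sha1-modp2048,3des-sha1-modp1024!
    esp=aes256-sha1,aes128-sha1,3des-sha1!
    keyexchange=ikev1
EOF
    echo "$dir/ipsec.conf"
}

# Stand-alone run on the constructed sample.
conf=$(make_sample_conf)
check_conn_matches_path "$conf" && echo "conn name matches path UUID"
echo "generated left=$(left_value "$conf")"
with_defaultroute "$conf" "$conf.defaultroute"
echo "test copy left=$(left_value "$conf.defaultroute")"
# On a real host the next step would be the commands from the comment above,
# pointed at the copy:  sudo ipsec restart --conf "$conf.defaultroute" --debug
rm -rf "$(dirname "$(dirname "$conf")")"
```

Working on a copy matters because nm-l2tp-service regenerates and deletes /run/nm-l2tp-UUID/ipsec.conf around each connection attempt, so an in-place edit is lost on the next attempt and a copy gives a stable file to diff against.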
The file /run/nm-l2tp-xxxxx/ipsec.conf doesn't exist. If I initiate the connection then the file is created; after the connection ends the file doesn't exist anymore.
I don't understand why, but in the previous version it works fine.
The information about the connection is in /etc/NetworkManager/system-connections/XXXX.nmconnection
NetworkManager had a new version on the same day too, maybe it has an issue too.
Thanks for your help.
In your original log output, you have pppd running with PID 29994, while you have strongswan charon with PID 30672, which indicates there is a pppd process that was started before strongswan charon, most likely from a previous VPN connection.
Normally what happens with NetworkManager-l2tp is that strongswan charon is started first. If the strongswan IPsec connection was successful, it is followed by xl2tpd and pppd for the L2TP connection.
If you are still getting the same log output and error (after explicitly killing nm-l2tp-service, xl2tpd and pppd which you normally don't have to do), it just doesn't make sense as to where the pppd process is starting from. Perhaps you did some update that is causing the GUI to start two instances of the VPN connection somehow.
Or is the log output different and you are getting a different error?
Running the following for debugging will prevent the /run/nm-l2tp-UUID/ipsec.conf file from being deleted:

```
sudo killall -TERM nm-l2tp-service
sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
```

Then start your VPN connection in the GUI and try to reproduce the problem.
Hi, the same error in debug mode. When I add the `left=xxx.xxx.xxx.xxx` line, the message below occurs:

```
charon[12554]: 05[NET] error writing to socket: Network is unreachable
```

LOG:

```
nm-l2tp[11972] <info> starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.9.13 IPsec [starter]...
Loading config setup
Loading conn '8249e2da-74a1-4710-abba-7180505aaa18'
nm-l2tp[11972] <info> Spawned ipsec up script with PID 12128.
no config named '8249e2da-74a1-4710-abba-7180505aaa18'
Stopping strongSwan IPsec...
** Message: 09:48:45.043: Could not establish IPsec connection.
(nm-l2tp-service:11972): GLib-GIO-CRITICAL **: 09:48:45.043: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
```
Hopefully commit https://github.com/nm-l2tp/NetworkManager-l2tp/commit/031e9e01ac07c0cb1588d9a9b075d6c984f5628d fixes this issue.
I suspect somewhere earlier in your logs you had one of the following error messages generated by the get_localaddr() function:

```
unable to connect to L2TP VPN gateway
failed to get local IP
```

which subsequently broke the generation of the /run/nm-l2tp-UUID/ipsec.conf file.
Thank you!
Hi, after updating from 1.20.10-1 to 1.20.12-1, l2tp does not connect. I downgraded, then it connects as expected. Thanks.