nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Unable to establish connection #23

Closed ghost closed 7 years ago

ghost commented 8 years ago

Hey, I wonder if you can help me.

I managed to install this on my Ubuntu 16.10, but I'm still unable to connect. I get:

The VPN connection 'name' failed, because the VPN service failed to start

and then

The VPN connection 'name' failed, because there were no valid VPN secrets

I already posted fairly detailed description on what's going on at https://www.reddit.com/r/Ubuntu/comments/4pz1fl/l2tp_ipsec_vpn_client_under_ubuntu_1604/d90ynm8/

I would greatly appreciate if you could find a moment and give it a look.

dkosovic commented 8 years ago

The "no valid VPN secrets" error is a bit misleading, it's to do with GNOME Libsecret and a timeout when the network-manager-l2tp plugin wasn't able to provide NetworkManager with a secret, because it is in a bad state after the first time it was run.

It gets into a bad state when the strongswan ipsec starter process goes astray by going into a loop and never exiting. I'm planning on implementing a timeout of maybe 10 seconds and killing the ipsec processes if it hasn't connected before that timeout.

It's most likely related to issue https://github.com/nm-l2tp/network-manager-l2tp/issues/16

Sometimes when I supply wrong IPsec arguments, I can cause the strongswan ipsec starter to go into a loop with the same log output as you are getting. But there may be other reasons why strongswan goes into a loop.

Do you get the same problem if you use the strongswan command-line tools, in particular ipsec up? e.g.:

First add a pre-shared key to /etc/ipsec.secrets with a line something like:

: PSK this-is-my-PSK

with this-is-my-PSK replaced by the actual PSK.

sudo ipsec restart --conf /var/run/nm-ipsec-l2tp.12345/ipsec.conf --debug
sudo ipsec up nm-ipsec-l2tp-12345
sudo ipsec status

but replace /var/run/nm-ipsec-l2tp.12345/ipsec.conf with something that actually exists under /var/run/
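The "connect within a timeout or tear the IPsec connection down" behaviour described above, as an added shell example (it is not code from the NetworkManager-l2tp project): it polls `ipsec status` for the named connection and runs `ipsec down` on it if it is still CONNECTING once the timeout expires, instead of leaving the starter looping forever. The connection name and timeout arguments, and the STATUS_CMD, DOWN_CMD, SLEEP_CMD and POLL_INTERVAL overrides, are assumptions made for this example; the status lines it parses are modelled on the `ipsec status` output quoted elsewhere in this thread, and the sample in the comments is constructed.

```shell
#!/bin/sh
# Added example, not part of NetworkManager-l2tp: give a strongSwan IKE_SA
# a bounded time to reach ESTABLISHED, otherwise tear it down.
# Overridable so the logic can be exercised offline (assumptions):
: "${STATUS_CMD:=sudo ipsec status}"   # prints 'ipsec status' output
: "${DOWN_CMD:=sudo ipsec down}"       # takes a connection name
: "${SLEEP_CMD:=sleep}"                # takes a number of seconds
: "${POLL_INTERVAL:=1}"                # seconds between polls

# Classify one connection from 'ipsec status' output read on stdin.
# Prints exactly one of: established, connecting, absent.
# The IKE_SA lines it looks at have the shape (constructed sample):
#   nm-ipsec-l2tp-15686[1]: CONNECTING, LOCAL[%any]...REMOTE[%any]
#   nm-ipsec-l2tp-15686[1]: ESTABLISHED 3 seconds ago, 10.0.0.2[...]...
# Child SA lines use braces (name{1}: INSTALLED ...) and are ignored.
sa_state() {
    conn="$1"
    awk -v c="$conn" '
        {
            sub(/^[ \t]+/, "")                    # status output is indented
            if (substr($0, 1, length(c) + 1) != c "[") next
            split($0, parts, ": ")                 # "name[n]: STATE ..."
            state = parts[2]
            sub(/[ ,].*$/, "", state)              # keep the first word only
            if (state == "ESTABLISHED") est = 1
            else if (state == "CONNECTING") con = 1
        }
        END {
            if (est) print "established"
            else if (con) print "connecting"
            else print "absent"
        }'
}

# Poll until the IKE_SA is established or the timeout (seconds) expires.
# Returns 0 on success; on timeout tears the connection down and returns 1.
wait_for_sa() {
    conn="$1"; timeout="$2"; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ "$($STATUS_CMD | sa_state "$conn")" = established ]; then
            return 0
        fi
        $SLEEP_CMD "$POLL_INTERVAL"
        elapsed=$((elapsed + POLL_INTERVAL))
    done
    $DOWN_CMD "$conn" || :
    return 1
}

# Usage: sh wait-for-sa.sh <connection-name> [timeout-seconds]
if [ -n "${1:-}" ]; then
    if wait_for_sa "$1" "${2:-10}"; then
        echo "IPsec SA $1 established"
    else
        echo "IPsec SA $1 not established within ${2:-10}s; connection torn down" >&2
        exit 1
    fi
fi
```

Run it right after `ipsec up` with the connection name from the NetworkManager-generated config, e.g. `sh wait-for-sa.sh nm-ipsec-l2tp-12345 10`. The state check deliberately keys on the IKE_SA line for the named connection rather than on the "(0 up, 1 connecting)" summary, so other connections on the same host do not mask a stuck one.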

ghost commented 8 years ago

Big thanks for looking into this so quickly. I tried the above, but unfortunately it's the same.

osh@oshHomeUbuntu:~$ sudo ipsec restart --conf /var/run/nm-ipsec-l2tp.15686/ipsec.conf --debug
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...
Loading config setup
Loading conn 'nm-ipsec-l2tp-15686'
found netkey IPsec stack
osh@oshHomeUbuntu:~$ sudo ipsec up nm-ipsec-l2tp-15686
initiating Main Mode IKE_SA nm-ipsec-l2tp-15686[1] to REMOTE
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from LOCAL[500] to REMOTE[500] (280 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from LOCAL[500] to REMOTE[500] (280 bytes)
sending retransmit 2 of request message ID 0, seq 1
sending packet: from LOCAL[500] to REMOTE[500] (280 bytes)
sending retransmit 3 of request message ID 0, seq 1
sending packet: from LOCAL[500] to REMOTE[500] (280 bytes)
sending retransmit 4 of request message ID 0, seq 1
sending packet: from LOCAL[500] to REMOTE[500] (280 bytes)
sending retransmit 5 of request message ID 0, seq 1
sending packet: from LOCAL[500] to REMOTE[500] (280 bytes)
giving up after 5 retransmits
peer not responding, trying again (2/0)
initiating Main Mode IKE_SA nm-ipsec-l2tp-15686[1] to REMOTE
...

In the meantime ipsec status returns:

Security Associations (0 up, 1 connecting):
nm-ipsec-l2tp-15686[1]: CONNECTING, LOCAL[%any]...REMOTE[%any]

Until I call ipsec stop.

I read #16 and what struck my eyes was "which indicates you didn't fill in the Group Name and Gateway ID fields". I did not fill them either, because I don't have them - I was provided only with the VPN address, my username, password and shared secret.

dkosovic commented 8 years ago

The Group Name and Gateway ID comment was related to issue #15, where the submitter filled in the Group Name and Gateway ID fields and I recommended leaving them blank. In issue #16, I was just confirming those two fields were already blank, so it was a different issue to #15.

I don't know if you could remove or add any options to nm-ipsec-l2tp.12345/ipsec.conf to get the IPsec connection to work, but I suspect not. https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection has details on the options.

I suspect there is some sort of incompatibility between the version of strongswan you are using and your VPN server.

When I had the same issue on OpenSUSE, I had to install a different version of strongswan to get things to work.

The submitter in #16 solved the issue by replacing strongswan with libreswan.

dkosovic commented 7 years ago

As this appears to be a strongswan-5.3.0 bug or incompatibility, I'll close this issue.

Ubuntu now has a new strongswan-5.5.0 in Zesty testing, which includes an AppArmor fix I requested. There have been a significant number of compatibility issues fixed since 5.3.0, so it should hopefully solve your issue.

But perhaps the simplest workaround at the moment is to uninstall the system strongswan, then build and install libreswan under /usr/local/ . The NetworkManager-l2tp plugin looks at a number of locations for libreswan and strongswan.