nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Can't connect to VPN tunnel with PSK #27

Closed cristobaltapia closed 7 years ago

cristobaltapia commented 7 years ago

I have been trying to use this plugin to connect my computer to the VPN of my work. The VPN server runs on Windows, so yeah, I was expecting problems. Anyways, here is the debug information. Apparently the problem is that the PSK is not found, but I don't know why, since I included it in the configuration dialog.

Edit: I am using Arch Linux and libreswan

nm-l2tp[27042] <debug> nm-l2tp-service (version 1.2.4) starting...
nm-l2tp[27042] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[27042] <info>  ipsec enable flag: yes
** Message: Check port 1701
connection
    id : "VPN-NAME" (s)
    uuid : "9de70fc0-262d-4fe9-98d7-05470a13a3fd" (s)
    interface-name : NULL (sd)
    type : "vpn" (s)
    permissions : ["user:ctapia:"] (s)
    autoconnect : FALSE (s)
    autoconnect-priority : 0 (sd)
    timestamp : 0 (sd)
    read-only : FALSE (sd)
    zone : NULL (sd)
    master : NULL (sd)
    slave-type : NULL (sd)
    autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
    secondaries : [] (s)
    gateway-ping-timeout : 0 (sd)
    metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
    lldp : -1 (sd)
    stable-id : NULL (sd)

ipv6
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray*) 0x21010e0) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray*) 0x21010c0) (s)
    route-metric : -1 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd)
    addr-gen-mode : 1 (sd)
    token : NULL (sd)

ipv4
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray*) 0x2101040) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray*) 0x2100fa0) (s)
    route-metric : -1 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    dhcp-client-id : NULL (sd)
    dhcp-fqdn : NULL (sd)

vpn
    service-type : "org.freedesktop.NetworkManager.l2tp" (s)
    user-name : "ctapia" (s)
    persistent : FALSE (sd)
    data : ((GHashTable*) 0x7f54a8004de0) (s)
    secrets : ((GHashTable*) 0x7f54a8004cc0) (s)
    timeout : 0 (sd)

nm-l2tp[27042] <info>  starting ipsec
Redirecting to: systemctl stop ipsec.service
Redirecting to: systemctl start ipsec.service
002 listening for IKE messages
002 adding interface wlp2s0/wlp2s0 192.168.2.113:500
002 adding interface wlp2s0/wlp2s0 192.168.2.113:4500
002 adding interface wlp2s0/wlp2s0 192.168.2.108:500
002 adding interface wlp2s0/wlp2s0 192.168.2.108:4500
002 adding interface lo/lo 127.0.0.1:500
002 adding interface lo/lo 127.0.0.1:4500
002 adding interface wlp2s0/wlp2s0 2003:69:af03:c002:659a:3482:fc96:fce7:500
002 adding interface wlp2s0/wlp2s0 2003:69:af03:c002:d424:6794:7dba:c965:500
002 adding interface lo/lo ::1:500
002 loading secrets from "/etc/ipsec.secrets"
002 no secrets filename matched "/etc/ipsec.d/*.secrets"
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
nm-l2tp[27042] <warn>  Could not load new IPsec secret.
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 no secrets filename matched "/etc/ipsec.d/*.secrets"

(nm-l2tp-service:29001): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

dkosovic commented 7 years ago

Sorry, I somehow missed this issue till now.

libreswan doesn't seem to like a PSK that is less than 8 characters in length and is giving a warning that it is weak. I'm not sure why it keeps trying to reload /etc/ipsec.secrets.

EDIT: Turns out as of July 1st, 2015, libreswan refuses weak PSKs.
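
One way to triage the failure discussed above from an nm-l2tp debug log, added here as an example and not part of the original thread or of the NetworkManager-l2tp code: it counts secrets-file load attempts and weak-PSK warnings and reports whether the plugin gave up loading the secret. The helper name `triage`, the verdict strings and the abridged sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: abridged lines in the shape of the log quoted in the issue.
SAMPLE_LOG = '''\
nm-l2tp[27042] <info>  starting ipsec
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
003 WARNING: using a weak secret (PSK)
nm-l2tp[27042] <warn>  Could not load new IPsec secret.
002 forgetting secrets
'''

IPSEC_LINE = re.compile(r"^\d{3} (.*)$")                  # "002 ..." / "003 ..." lines
NM_LINE = re.compile(r"^nm-l2tp\[\d+\] <(\w+)>\s+(.*)$")  # the plugin's own lines
SECRETS_LOAD = re.compile(r'^loading secrets from "([^"]+)"$')


def triage(log_text):
    """Summarise secret loading in an nm-l2tp debug log (hypothetical helper)."""
    loads = Counter()      # secrets file -> number of load attempts
    weak_warnings = 0      # "using a weak secret (PSK)" warnings
    plugin_gave_up = False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = IPSEC_LINE.match(line)
        if m:
            load = SECRETS_LOAD.match(m.group(1))
            if load:
                loads[load.group(1)] += 1
            elif "using a weak secret (PSK)" in m.group(1):
                weak_warnings += 1
            continue
        m = NM_LINE.match(line)
        if m and m.group(1) == "warn" and "Could not load new IPsec secret" in m.group(2):
            plugin_gave_up = True
    if plugin_gave_up and weak_warnings:
        verdict = "psk_flagged_weak_and_not_loaded"
    elif plugin_gave_up:
        verdict = "secret_not_loaded_cause_unknown"
    elif weak_warnings:
        verdict = "psk_flagged_weak"
    else:
        verdict = "no_secret_problem_seen"
    return {"loads": dict(loads), "weak_warnings": weak_warnings,
            "plugin_gave_up": plugin_gave_up, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A weak-PSK warning on every load attempt, followed by the plugin's warning, indicates that retrying will not help and the PSK itself has to change.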

dkosovic commented 7 years ago

As networkmanager-l2tp works with either libreswan or strongswan, you could try strongswan and see if it allows a weak PSK.

cristobaltapia commented 7 years ago

Thanks for the information. Maybe I should talk with the IT people about this.