Closed kentone closed 8 years ago
Can you confirm you are using NetworkManager-l2tp 1.0.0 and have Libreswan installed instead of Openswan?
Actually after looking at the error properly, you must be using NetworkManager-l2tp 1.0.0 and libreswan.
Could you issue the following two commands to verify if there are any issues with Libreswan, including pluto:
$ sudo ipsec start
$ sudo ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.17 (netkey) on 4.4.7
Checking for IPsec support in kernel [OK]
 NETKEY: Testing XFRM related proc values
  ICMP default/send_redirects [OK]
  ICMP default/accept_redirects [OK]
  XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [OK]
 Pluto listening for IKE/NAT-T on udp 4500 [OK]
 Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPSChecking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
For some of the above it's okay to fail, e.g. rp_filter, but for the others, the following command might give some hints:
sudo ipsec status
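The triage described above (ignore checks that are okay to fail, look closer at the rest) can be scripted against saved `ipsec verify` output. This is an added example, not part of the original thread or of NetworkManager-l2tp; the function names, the set of statuses treated as passing, and the sample input are assumptions of this example.

```shell
#!/bin/sh
# Added example: list the `ipsec verify` checks that need a closer look.
# Assumption: OK, N/A and DISABLED count as passing; only rp_filter is
# named in the thread as okay to fail, so it is the only tolerated check.

# Reads verify output on stdin; prints "status<TAB>check" for every check
# whose bracketed status is neither passing nor tolerated.
triage_verify() {
    tr '\t' ' ' | while read -r line; do
        case $line in
            *\[*\]) ;;            # check lines end in a [STATUS] token
            *) continue ;;        # headings and notes carry no status
        esac
        status=${line##*\[}       # text after the last "["
        status=${status%\]}       # drop the closing "]"
        name=${line%\[*}          # text before the status token
        name=${name%"${name##*[! ]}"}   # trim trailing spaces
        case $status in
            OK|N/A|DISABLED) continue ;;
        esac
        case $name in
            *rp_filter*) continue ;;    # tolerated per the thread
        esac
        printf '%s\t%s\n' "$status" "$name"
    done
}

# Constructed sample, not output from the reporter's machine.
sample_output() {
    cat <<'EOF'
Verifying installed system and configuration files
Version check and ipsec on-path                   [OK]
Checking for IPsec support in kernel              [OK]
         ICMP default/send_redirects              [NOT DISABLED]
         ICMP default/accept_redirects            [NOT DISABLED]
Pluto ipsec.conf syntax                           [OK]
Hardware random device                            [N/A]
Checking rp_filter                                [ENABLED]
Checking that pluto is running                    [FAILED]
Opportunistic Encryption                          [DISABLED]
EOF
}

sample_output | triage_verify
```

On a real system, pipe `sudo ipsec verify` into `triage_verify` and follow up on whatever it prints with `sudo ipsec status`.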
Yep, libreswan and networkmanager-l2tp 1.0.0 here ;D
I encountered an error, I hadn't disabled:
ICMP default/send_redirects
ICMP default/accept_redirects
But even now it doesn't work. I will do more research and if I find the problem I will report here :)
I've installed Arch Linux and I'm not able to reproduce the issue you are having. The code is very similar to the following bash script which keeps trying 10 times with a 1 second sleep between each attempt, to determine if Pluto is up. The only difference is that the C code prints "Could not talk to pluto the IKE daemon" on the last unsuccessful attempt, not all unsuccessful attempts.
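#!/bin/bash
# Restart the IPsec service, then poll pluto up to 10 times, 1 second apart.
/usr/bin/ipsec restart
for i in {1..10}
do
    # Exit status 0 from "ipsec auto --ready" is taken to mean pluto is up.
    if /usr/bin/ipsec auto --ready
    then
        break
    else
        echo "Could not talk to pluto the IKE daemon."
    fi
    sleep 1
done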
But I do get a ppp lock error with xl2tpd on Arch Linux; someone else has reported the issue here: https://github.com/nm-l2tp/network-manager-l2tp/issues/4
Forgot to mention, NetworkManager-l2tp also supports strongswan, which could be used as a replacement for libreswan.
As mentioned in the other Arch Linux thread, please downgrade to the xl2tpd-1.3.6-1 package.
Also make sure you are using network-manager-l2tp 1.0.0 (which is for the stable NetworkManager 1.0), not 1.2.0 which is intended for the unreleased NetworkManager 1.2.
I have this nm-plugin on Arch, and the log file says this:
abr 25 23:16:12 testhost NetworkManager[432]: 002 listening for IKE messages
abr 25 23:16:12 testhost NetworkManager[432]: 002 forgetting secrets
abr 25 23:16:12 testhost NetworkManager[432]: 002 loading secrets from "/etc/ipsec.secrets"
abr 25 23:16:12 testhost NetworkManager[432]: 003 WARNING: using a weak secret (PSK)
abr 25 23:16:12 testhost pluto[20768]: | refresh. setup callback for interface lo:500 24
abr 25 23:16:12 testhost pluto[20768]: | setup callback for interface lo:500 fd 24
abr 25 23:16:12 testhost pluto[20768]: | refresh. setup callback for interface lo:4500 23
abr 25 23:16:12 testhost pluto[20768]: | setup callback for interface lo:4500 fd 23
abr 25 23:16:12 testhost pluto[20768]: | refresh. setup callback for interface lo:500 22
abr 25 23:16:12 testhost pluto[20768]: | setup callback for interface lo:500 fd 22
abr 25 23:16:12 testhost pluto[20768]: | refresh. setup callback for interface wlp2s0:4500 21
abr 25 23:16:12 testhost pluto[20768]: | setup callback for interface wlp2s0:4500 fd 21
abr 25 23:16:12 testhost pluto[20768]: | refresh. setup callback for interface wlp2s0:500 20
abr 25 23:16:12 testhost pluto[20768]: | setup callback for interface wlp2s0:500 fd 20
abr 25 23:16:12 testhost pluto[20768]: forgetting secrets
abr 25 23:16:12 testhost pluto[20768]: loading secrets from "/etc/ipsec.secrets"
abr 25 23:16:12 testhost pluto[20768]: WARNING: using a weak secret (PSK)
abr 25 23:16:13 testhost pluto[20768]: listening for IKE messages
abr 25 23:16:13 testhost NetworkManager[432]: 002 listening for IKE messages
abr 25 23:16:13 testhost NetworkManager[432]: 002 forgetting secrets
abr 25 23:16:13 testhost NetworkManager[432]: 002 loading secrets from "/etc/ipsec.secrets"
abr 25 23:16:13 testhost NetworkManager[432]: 003 WARNING: using a weak secret (PSK)
abr 25 23:16:13 testhost pluto[20768]: | refresh. setup callback for interface lo:500 24
abr 25 23:16:13 testhost pluto[20768]: | setup callback for interface lo:500 fd 24
abr 25 23:16:13 testhost pluto[20768]: | refresh. setup callback for interface lo:4500 23
abr 25 23:16:13 testhost pluto[20768]: | setup callback for interface lo:4500 fd 23
abr 25 23:16:13 testhost pluto[20768]: | refresh. setup callback for interface lo:500 22
abr 25 23:16:13 testhost pluto[20768]: | setup callback for interface lo:500 fd 22
abr 25 23:16:13 testhost pluto[20768]: | refresh. setup callback for interface wlp2s0:4500 21
abr 25 23:16:13 testhost pluto[20768]: | setup callback for interface wlp2s0:4500 fd 21
abr 25 23:16:13 testhost pluto[20768]: | refresh. setup callback for interface wlp2s0:500 20
abr 25 23:16:13 testhost pluto[20768]: | setup callback for interface wlp2s0:500 fd 20
abr 25 23:16:13 testhost pluto[20768]: forgetting secrets
abr 25 23:16:13 testhost pluto[20768]: loading secrets from "/etc/ipsec.secrets"
abr 25 23:16:13 testhost pluto[20768]: WARNING: using a weak secret (PSK)
abr 25 23:16:14 testhost pluto[20768]: listening for IKE messages
abr 25 23:16:14 testhost pluto[20768]: | refresh. setup callback for interface lo:500 24
abr 25 23:16:14 testhost NetworkManager[432]: 002 listening for IKE messages
abr 25 23:16:14 testhost NetworkManager[432]: 002 forgetting secrets
abr 25 23:16:14 testhost NetworkManager[432]: 002 loading secrets from "/etc/ipsec.secrets"
abr 25 23:16:14 testhost NetworkManager[432]: 003 WARNING: using a weak secret (PSK)
abr 25 23:16:14 testhost pluto[20768]: | setup callback for interface lo:500 fd 24
abr 25 23:16:14 testhost pluto[20768]: | refresh. setup callback for interface lo:4500 23
abr 25 23:16:14 testhost pluto[20768]: | setup callback for interface lo:4500 fd 23
abr 25 23:16:14 testhost pluto[20768]: | refresh. setup callback for interface lo:500 22
abr 25 23:16:14 testhost pluto[20768]: | setup callback for interface lo:500 fd 22
abr 25 23:16:14 testhost pluto[20768]: | refresh. setup callback for interface wlp2s0:4500 21
abr 25 23:16:14 testhost pluto[20768]: | setup callback for interface wlp2s0:4500 fd 21
abr 25 23:16:14 testhost pluto[20768]: | refresh. setup callback for interface wlp2s0:500 20
abr 25 23:16:14 testhost pluto[20768]: | setup callback for interface wlp2s0:500 fd 20
abr 25 23:16:14 testhost pluto[20768]: forgetting secrets
abr 25 23:16:14 testhost pluto[20768]: loading secrets from "/etc/ipsec.secrets"
abr 25 23:16:14 testhost pluto[20768]: WARNING: using a weak secret (PSK)
abr 25 23:16:14 testhost NetworkManager[432]: VPN connection 'MYVPN L2TP' (Connect) reply received.
abr 25 23:16:14 testhost NetworkManager[432]: VPN connection 'MYVPN L2TP' failed to connect: 'Could not talk to pluto the IKE daemon.'.
abr 25 23:16:14 testhost NetworkManager[432]: error disconnecting VPN: Could not process the request because no VPN connection was active.
and does not connect.
Maybe I have a configuration issue, but it looks like nm can't talk with pluto.
Hope you can help me or fix it if there is a bug :)
Cheers