Closed shawnLeeZX closed 7 years ago
The config files network-manager-l2tp generates are found under /var/run/. Are you able to establish a L2TP/IPsec connection with the config files you provided using strongswan and xl2tpd on the command-line? I can see a few options in your config files that aren't used by network-manager-l2tp which might be significant.
Regarding the new IPsec dialog box, the following settings should make it the same as the commit version you are using:
The above Phase1 Algorithms have the additional 3des-sha1-modp1024 which I didn't include in the example in the README.md file, but I did mention earlier versions used it; also your corresponding config file includes it.
Using the config files I provided, I can manage to establish the ipsec connection (ipsec up IE is successful), and activate the ppp0 interface. But after that, the system starts to freeze, or frequently soft locks up (ifconfig just gets stuck). The log is rather similar (to the log I attached) up to the point of the connection going down, except the connection does not go down, but gets stuck. I have to do a hard reboot. The situation is similar to this thread, which says there is some kernel bug in Linux. But I figured someone says your package works fine, so I still think there may be some config I got wrong. So I tried your package, with which I got the above logs.
I do not understand the config files I used much ... but in Ubuntu 14.04 things work fine with l2tp-ipsec-vpn which uses openswan (I used a GUI before: https://soeasytomakeitwork.wordpress.com/2014/05/02/set-up-a-l2tpipsec-vpn-connection-on-ubuntu-desktop/). I just put in the gateway IP address, account and username, then everything works. I am writing this for the purpose of offering some default setting that works, I guess. I do not need to hand pick the encryption algorithm in this scenario. So the defaults of openswan may be good, but I do not know what they are.
I do not think falling back to 14.04 is an option, so please offer some advice, or how I should debug my problem. Thanks very much!
Earlier versions of Ubuntu didn't use a kernel module with xl2tpd, so one thing you could try is modifying the xl2tpd source's Makefile by commenting out the line that contains:
OSFLAGS+= -DUSE_KERNEL
then rebuild and reinstall xl2tpd with:
make clean
make
sudo make install
Then see if you are able to reproduce the soft lockup.
The pppol2tp kernel module that xl2tpd uses has been known to completely freeze some systems:
I suspect it won't make much difference, but as you were using openswan previously, you could also try libreswan, which forked from openswan only a few years ago (unlike strongswan, which has a much older common ancestor of FreeS/WAN). Have a look at https://github.com/nm-l2tp/network-manager-l2tp/issues/36#issuecomment-272849766 which describes how to build libreswan.
I compiled xl2tpd from source. This time, the system won't hang. But the connection goes down a few seconds after it is established. The same as when I used your package.
Then I compiled and installed libreswan, and the same thing happens.
xl2tpd[9832]: Maximum retries exceeded for tunnel 57312. Closing.
xl2tpd[9832]: Terminating pppd: sending TERM signal to pid 32456
xl2tpd[9832]: Connection 1032 closed to 137.189.99.189, port 1701 (Timeout)
xl2tpd[9832]: Can not find tunnel 57312 (refhim=0)
xl2tpd[9832]: network_thread: unable to find call or tunnel to handle packet. call = 5938, tunnel = 57312 Dumping.
xl2tpd[9832]: Can not find tunnel 57312 (refhim=0)
xl2tpd[9832]: network_thread: unable to find call or tunnel to handle packet. call = 0, tunnel = 57312 Dumping
But the output of ipsec auto --up IE this time may be more informative. Is it that the cipher algorithm is not agreed on at all in the end?:
002 "IE" #1: initiating Main Mode
104 "IE" #1: STATE_MAIN_I1: initiate
002 "IE" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "IE" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "IE" #1: ignoring unknown Vendor ID payload [85aac747a48d8f5bab26126ffbd1143d]
002 "IE" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "IE" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "IE" #1: Main mode peer ID is ID_IPV4_ADDR: '137.189.99.189'
002 "IE" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "IE" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=md5 group=MODP1024}
002 "IE" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:d1c96fd2 proposal=defaults pfsgroup=no-pfs}
117 "IE" #2: STATE_QUICK_I1: initiate
003 "IE" #2: NAT-Traversal: received 1 NAT-OA. Ignored because peer is not NATed
003 "IE" #2: our client subnet returned doesn't match my proposal - us:10.6.45.81/32 vs them:137.189.240.198/32
003 "IE" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
003 "IE" #2: our client peer returned port doesn't match my proposal - us:1701 vs them:0
003 "IE" #2: Allowing bad L2TP/IPsec proposal (see bug #849) anyway
002 "IE" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "IE" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xf02cf025 <0xd5f28a88 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=137.189.99.189:4500 DPD=passive}
The config file I used for ipsec.conf is different (I used the conf previously for openswan):
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    # For MacOSX use "bsd"
    protostack=netkey
    #
    # Normally, pluto logs via syslog. If you want to log to a file,
    # specify below or to disable logging, eg for embedded systems, use
    # the file name /dev/null
    # Note: SElinux policies might prevent pluto writing to a log file at
    # an unusual location.
    #logfile=/var/log/pluto.log
    #
    # Do not enable debug options to debug configuration issues!
    #
    # plutodebug "all", "none" or a combination from below:
    # "raw crypt parsing emitting control controlmore kernel pfkey
    # natt x509 dpd dns oppo oppoinfo private".
    # Note: "private" is not included with "all", as it can show confidential
    # information. It must be specifically specified
    # examples:
    # plutodebug="control parsing"
    # plutodebug="all crypt"
    # Again: only enable plutodebug when asked by a developer
    #plutodebug=none
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: SElinux policies might prevent pluto writing the core at
    # unusual locations
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their wireless networks.
    # This range has never been announced via BGP (at least up to 2015)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
    # Added by me (config from L2TP IPsec VPN Manager)
    plutodebug=none
    strictcrlpolicy=no
    nat_traversal=yes
    interfaces=%defaultroute
    oe=off

# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf

conn %default
    keyingtries=3
    pfs=no
    rekey=yes
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701

conn IE
    authby=secret
    right=SERVE_IP
    rightid=""
    auto=add
    ikelifetime=8h
    lifetime=8h
You are seeing some proposal warnings, for the following:
003 "IE" #2: our client subnet returned doesn't match my proposal - us:10.6.45.81/32 vs them:137.189.240.198/32
Could probably be quietened by setting the following in ipsec.conf:
rightid=%any
For the following:
003 "IE" #2: our client peer returned port doesn't match my proposal - us:1701 vs them:0
it's related to the following:
leftprotoport=17/1701
rightprotoport=17/1701
It's pretty odd that the VPN server used port 0 instead of 1701.
The only real suggestion I have is to try and build the same version number of xl2tpd as what you used on Ubuntu 14.04.
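As an added example (not code from this thread or from the network-manager-l2tp project), a small parser for the pluto and xl2tpd output quoted earlier: it extracts the negotiated ISAKMP and IPsec SA parameters, records the proposal mismatches discussed above, and returns the findings a practitioner would check first (legacy IKE parameters, the peer answering with port 0, and the "IPsec up but L2TP tunnel times out" symptom). The sample log is constructed from lines quoted in the thread.

```python
import re

# Constructed sample: lines copied from the libreswan and xl2tpd output quoted in this thread.
SAMPLE_LOG = """\
004 "IE" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=md5 group=MODP1024}
003 "IE" #2: our client subnet returned doesn't match my proposal - us:10.6.45.81/32 vs them:137.189.240.198/32
003 "IE" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
003 "IE" #2: our client peer returned port doesn't match my proposal - us:1701 vs them:0
004 "IE" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xf02cf025 <0xd5f28a88 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=137.189.99.189:4500 DPD=passive}
xl2tpd[9832]: Maximum retries exceeded for tunnel 57312. Closing.
"""

PLUTO_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)=(?!>)([^\s}]+)')  # key=value pairs inside {...}; skips the ESP/NAT=> SPI field
MISMATCH_RE = re.compile(r"our client (?P<what>.+?) doesn't match my proposal - us:(?P<us>\S+) vs them:(?P<them>\S+)")
# IKE parameters that current guidance treats as legacy; flag them if they were negotiated.
LEGACY = {"cipher": "3des", "integ": "md5", "group": "modp1024"}


def sa_params(msg):
    """Return the key=value pairs inside the braces of an 'SA established' line."""
    inner = re.search(r"\{(.*)\}", msg)
    return dict(KV_RE.findall(inner.group(1))) if inner else {}


def diagnose(log):
    """Summarise the negotiation and list the findings worth checking first."""
    report = {"isakmp": {}, "ipsec": {}, "mismatches": [], "findings": []}
    for line in log.splitlines():
        m = PLUTO_RE.match(line)
        if m:
            msg = m.group("msg")
            if "ISAKMP SA established" in msg:
                report["isakmp"] = sa_params(msg)       # phase 1 parameters
            elif "IPsec SA established" in msg:
                report["ipsec"] = sa_params(msg)        # phase 2 parameters
            mm = MISMATCH_RE.search(msg)
            if mm:
                report["mismatches"].append((mm["what"], mm["us"], mm["them"]))
        elif "Maximum retries exceeded for tunnel" in line:
            report["findings"].append("l2tp-timeout")   # xl2tpd gave up on the control connection
    for key, legacy in LEGACY.items():
        if report["isakmp"].get(key, "").lower().startswith(legacy):
            report["findings"].append(f"legacy-ike-{key}:{report['isakmp'][key]}")
    for what, us, them in report["mismatches"]:
        if what.endswith("port") and them == "0":
            report["findings"].append("peer-port-0")   # server answered with port 0 instead of 1701
    if "l2tp-timeout" in report["findings"] and report["ipsec"]:
        report["findings"].append("ipsec-up-but-l2tp-dead")  # the symptom reported in this thread
    return report
```

Running `diagnose(SAMPLE_LOG)` on the constructed log reports the 3DES/MD5/MODP1024 phase 1 parameters, both proposal mismatches, and the combined "IPsec established, L2TP tunnel timed out" finding.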
I checked a working Ubuntu workstation, whose xl2tpd version is the same (1.3.6). Maybe there is something wrong with the kernel algorithm.
Thanks very much for the help. I guess I have to leave this as it is for some time, having spent too much time, and starting to worry about a deadline. Maybe I will switch to Arch when I have more time.
I will leave this issue open, thinking I may come back in the future, maybe with a fix.
I'll close this issue, I'm just cleaning up open issues that can be closed.
I'll reopen it whenever you reply with an email in the future.
But as you seem to be having an issue with the command-line tools also, it doesn't seem like a bug specifically with this VPN plug-in.
Hi, I compiled 6a8ed3f from source (it seems the IKE and ESP dialog does not work, so I fell back to the version that does not use the dialog), and also xl2tpd from source. The connection is able to establish; however, after some seconds, the xl2tpd tunnel just dies.
I am using Ubuntu 16.04. network-manager is 1.2.6. The full log is attached, as are the configuration files for xl2tpd and ipsec.
ipsec.conf
xl2tp.conf
options.l2tp.client
Syslog