nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

The VPN connection failed #65

Closed lucaspalencia closed 6 years ago

lucaspalencia commented 7 years ago

After installing and configuring the VPN, when I tried to connect: "The VPN connection failed"

Running: sudo /usr/lib/NetworkManager/nm-l2tp-service --debug

seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "bce73451-8739-42ce-8ad3-318d58f289c4" modecfgdomain=(null)
conn: "bce73451-8739-42ce-8ad3-318d58f289c4" modecfgbanner=(null)
conn: "bce73451-8739-42ce-8ad3-318d58f289c4" mark-in=(null)
conn: "bce73451-8739-42ce-8ad3-318d58f289c4" mark-out=(null)
conn: "bce73451-8739-42ce-8ad3-318d58f289c4" vti_iface=(null)
002 added connection description "bce73451-8739-42ce-8ad3-318d58f289c4"
nm-l2tp[11243] <info>  Spawned ipsec auto --up script with PID 11893.
002 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: initiating Main Mode
104 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: initiate
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 1000ms for response
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 2000ms for response
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 4000ms for response
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 8000ms for response
nm-l2tp[11243] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[11243] <info>  Terminating ipsec script with PID 11893.
nm-l2tp[11243] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:11243): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 16000ms for response

Is this error about the VPN configuration or the network-manager-l2tp installation?

dkosovic commented 7 years ago

It is libreswan having the issues. Sometimes it is due to the configuration, sometimes the kernel version as IPsec kernel modules are used, but could also be something else.

Which Linux distribution are you using and which version of libreswan?

dkosovic commented 7 years ago

Forgot to mention you could try running the following to see if libreswan has some issues:

sudo ipsec restart
sleep 2
sudo ipsec verify

I wouldn't mind seeing /var/run/nm-l2tp-ipsec-bce73451-8739-42ce-8ad3-318d58f289c4.conf and might be able to spot something. Obfuscate any public IP addresses in the config file if you wish.

Running libreswan on the command-line might give some hints also:

sudo ipsec restart
sleep 2
sudo ipsec auto --config /var/run/nm-l2tp-ipsec-bce73451-8739-42ce-8ad3-318d58f289c4.conf --verbose --add bce73451-8739-42ce-8ad3-318d58f289c4
sudo ipsec auto --up bce73451-8739-42ce-8ad3-318d58f289c4

sudo ipsec status

lucaspalencia commented 7 years ago

@dkosovic thanks for the support!

Ubuntu 16.04 - Libreswan 3.19 (netkey) on 4.4.0-93-generic

Running: sudo ipsec verify:

Version check and ipsec on-path                     [OK]
Libreswan 3.19 (netkey) on 4.4.0-93-generic
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects              [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                  [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/br-9c47954f8d23/rp_filter  [ENABLED]
 /proc/sys/net/ipv4/conf/br-c93567258cc7/rp_filter  [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/docker0/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/enp3s0/rp_filter           [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/wlp2s0/rp_filter           [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                          [UNKNOWN]
 (run ipsec verify as root to test ipsec.secrets)
Checking 'ip' command                               [OK]
Checking 'iptables' command                         [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options            [OK]

ipsec verify: encountered 19 errors - see 'man ipsec_verify' for help

Running: ipsec auto --config /var/run/nm-l2tp-ipsec-bce73451-8739-42ce-8ad3-318d58f289c4.conf --verbose --add bce73451-8739-42ce-8ad3-318d58f289c4

cannot load config '/var/run/nm-l2tp-ipsec-bce73451-8739-42ce-8ad3-318d58f289c4.conf': can't load file '/var/run/nm-l2tp-ipsec-bce73451-8739-42ce-8ad3-318d58f289c4.conf'

dkosovic commented 6 years ago

The ipsec verify output looks fine.

I'm writing this on a Windows PC, so not able to test things out myself at the moment. I'm not sure what the "can't load file" error means, i.e. is the file not there or does it mean an issue with file permissions.

If it is due to file permissions, I don't see sudo at the start of the line that you ran, which would fix that issue.

But if the file isn't there, running sudo /usr/lib/NetworkManager/nm-l2tp-service --debug should leave behind the run-time generated files as mentioned on :

One of the files should be /var/run/nm-l2tp-ipsec-UUID.conf, but with UUID replaced by the UUID of the corresponding NetworkManager VPN connection. In the original log output, the UUID was bce73451-8739-42ce-8ad3-318d58f289c4, but the UUID would have changed if a new VPN connection was created.

If you could provide a copy of that generated ipsec config file, that would be great.

lucaspalencia commented 6 years ago

With sudo /usr/lib/NetworkManager/nm-l2tp-service --debug the files were generated.

Content of file /var/run/nm-l2tp-ipsec-bce73451-8739-42ce-8ad3-318d58f289c4.conf:

conn bce73451-8739-42ce-8ad3-318d58f289c4
  auto=add
  type=transport
  authby=secret
  keyingtries=0
  left=%defaultroute
  leftprotoport=udp/l2tp
  right=189.16.55.210
  rightid=%any
  rightprotoport=udp/l2tp
  pfs=no
  ike=aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
  esp=aes128-sha1,3des-sha1
  forceencaps=yes

dkosovic commented 6 years ago

Could you try deleting the phase 1 and 2 algorithms in the IPsec dialog box, as they are currently required more so when strongswan is used.

libreswan hasn't dropped the ciphers you have listed for its defaults. The syntax for the phase 1 algorithms is also slightly different between strongswan and libreswan, what you are using is the strongswan syntax.

lucaspalencia commented 6 years ago

Did it, but it still returns: The VPN connection failed because the VPN service failed to start

Updated content of file: /var/run/nm-l2tp-ipsec-bce73451-8739-42ce-8ad3-318d58f289c4.conf:

conn bce73451-8739-42ce-8ad3-318d58f289c4
  auto=add
  type=transport
  authby=secret
  keyingtries=0
  left=%defaultroute
  leftprotoport=udp/l2tp
  right=189.16.55.210
  rightid=%any
  rightprotoport=udp/l2tp
  pfs=no

dkosovic commented 6 years ago

Is it still failing at the same spot?

I wouldn't mind seeing some of the log output from journalctl and/or nm-l2tp-service --debug.

lucaspalencia commented 6 years ago

Running: sudo /usr/lib/NetworkManager/nm-l2tp-service --debug

connection
    id : "VPN connection 1" (s)
    uuid : "bce73451-8739-42ce-8ad3-318d58f289c4" (s)
    interface-name : NULL (sd)
    type : "vpn" (s)
    permissions : ["user:lucaspalencia:"] (s)
    autoconnect : FALSE (s)
    autoconnect-priority : 0 (sd)
    timestamp : 0 (sd)
    read-only : FALSE (sd)
    zone : NULL (sd)
    master : NULL (sd)
    slave-type : NULL (sd)
    autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
    secondaries : [] (s)
    gateway-ping-timeout : 0 (sd)
    metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
    lldp : -1 (sd)

ipv6
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray*) 0xa42ae0) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray*) 0xa42ac0) (s)
    route-metric : -1 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_DISABLED) (s)
    addr-gen-mode : 1 (sd)

ipv4
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray*) 0xa42980) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray*) 0xa42960) (s)
    route-metric : -1 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    dhcp-client-id : NULL (sd)
    dhcp-fqdn : NULL (sd)

vpn
    service-type : "org.freedesktop.NetworkManager.l2tp" (s)
    user-name : "lucaspalencia" (s)
    persistent : FALSE (sd)
    data : ((GHashTable*) 0xa43520) (s)
    secrets : ((GHashTable*) 0xa43580) (s)
    timeout : 0 (sd)

nm-l2tp[7637] <info>  starting ipsec
Redirecting to: systemctl stop ipsec.service
Redirecting to: systemctl start ipsec.service
002 listening for IKE messages
002 adding interface wlp2s0/wlp2s0 192.168.1.175:500
002 adding interface wlp2s0/wlp2s0 192.168.1.175:4500
002 adding interface docker0/docker0 172.17.0.1:500
002 adding interface docker0/docker0 172.17.0.1:4500
002 adding interface br-c93567258cc7/br-c93567258cc7 172.19.0.1:500
002 adding interface br-c93567258cc7/br-c93567258cc7 172.19.0.1:4500
002 adding interface br-9c47954f8d23/br-9c47954f8d23 172.18.0.1:500
002 adding interface br-9c47954f8d23/br-9c47954f8d23 172.18.0.1:4500
002 adding interface lo/lo 127.0.0.1:500
002 adding interface lo/lo 127.0.0.1:4500
002 adding interface lo/lo ::1:500
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-14fac112-78fa-4a28-9d7b-1b900a9289f2.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-8ab5b585-9503-43a8-993b-26e9437b1ef7.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-988bef61-126d-4b5f-9666-cc0d7e2de990.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-bce73451-8739-42ce-8ad3-318d58f289c4.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-dbc99801-a3f6-465d-b59a-4353f807f38d.secrets"
opening file: /var/run/nm-l2tp-ipsec-bce73451-8739-42ce-8ad3-318d58f289c4.conf
debugging mode enabled
end of file /var/run/nm-l2tp-ipsec-bce73451-8739-42ce-8ad3-318d58f289c4.conf
Loading conn bce73451-8739-42ce-8ad3-318d58f289c4
starter: left is KH_DEFAULTROUTE
loading named conns: bce73451-8739-42ce-8ad3-318d58f289c4
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst  via 192.168.1.1 dev wlp2s0 src  table 254
set nexthop: 192.168.1.1
dst 169.254.0.0 via  dev br-9c47954f8d23 src  table 254
dst 172.17.0.0 via  dev docker0 src 172.17.0.1 table 254
dst 172.18.0.0 via  dev br-9c47954f8d23 src 172.18.0.1 table 254
dst 172.19.0.0 via  dev br-c93567258cc7 src 172.19.0.1 table 254
dst 192.168.1.0 via  dev wlp2s0 src 192.168.1.175 table 254
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 172.17.0.0 via  dev docker0 src 172.17.0.1 table 255 (ignored)
dst 172.17.0.1 via  dev docker0 src 172.17.0.1 table 255 (ignored)
dst 172.17.255.255 via  dev docker0 src 172.17.0.1 table 255 (ignored)
dst 172.18.0.0 via  dev br-9c47954f8d23 src 172.18.0.1 table 255 (ignored)
dst 172.18.0.1 via  dev br-9c47954f8d23 src 172.18.0.1 table 255 (ignored)
dst 172.18.255.255 via  dev br-9c47954f8d23 src 172.18.0.1 table 255 (ignored)
dst 172.19.0.0 via  dev br-c93567258cc7 src 172.19.0.1 table 255 (ignored)
dst 172.19.0.1 via  dev br-c93567258cc7 src 172.19.0.1 table 255 (ignored)
dst 172.19.255.255 via  dev br-c93567258cc7 src 172.19.0.1 table 255 (ignored)
dst 192.168.1.0 via  dev wlp2s0 src 192.168.1.175 table 255 (ignored)
dst 192.168.1.175 via  dev wlp2s0 src 192.168.1.175 table 255 (ignored)
dst 192.168.1.255 via  dev wlp2s0 src 192.168.1.175 table 255 (ignored)

seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst 192.168.1.1 via  dev wlp2s0 src 192.168.1.175 table 254
set addr: 192.168.1.175

seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "bce73451-8739-42ce-8ad3-318d58f289c4" modecfgdomain=(null)
conn: "bce73451-8739-42ce-8ad3-318d58f289c4" modecfgbanner=(null)
conn: "bce73451-8739-42ce-8ad3-318d58f289c4" mark-in=(null)
conn: "bce73451-8739-42ce-8ad3-318d58f289c4" mark-out=(null)
conn: "bce73451-8739-42ce-8ad3-318d58f289c4" vti_iface=(null)
002 added connection description "bce73451-8739-42ce-8ad3-318d58f289c4"
nm-l2tp[7637] <info>  Spawned ipsec auto --up script with PID 8289.
002 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: initiating Main Mode
104 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: initiate
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 1000ms for response
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 2000ms for response
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 4000ms for response
010 "bce73451-8739-42ce-8ad3-318d58f289c4" #1: STATE_MAIN_I1: retransmission; will wait 8000ms for response
nm-l2tp[7637] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[7637] <info>  Terminating ipsec script with PID 8289.
nm-l2tp[7637] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:7637): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

About the journalctl output, what command do I need to run to send it to you?

dkosovic commented 6 years ago

Don't worry about the journalctl output.

Immediately after the #1: STATE_MAIN_I1: initiate line in the logs, it is supposed to receive a number of payloads from the VPN server and echo what it received.

I'm guessing a firewall is blocking the connection.

Is ike-scan or the ike-scan.sh script on the following page able to query the VPN server?

If ike-scan isn't able to query the VPN server, it would be highly likely it is a firewall issue and not a libreswan issue.
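Added example (not part of this thread or of the NetworkManager-l2tp project): a small Python classifier that applies the reasoning above to nm-l2tp-service --debug output. It separates the pattern seen in this issue (STATE_MAIN_I1 retransmissions only, then the nm-l2tp timeout, meaning nothing on UDP/500 ever answered) from a responder that did reply, a config file that could not be loaded, and an established ISAKMP SA. The state names are pluto's own; the sample log is constructed to match the shape of the one posted above.

```python
import re

# Regexes for the pluto state lines seen in nm-l2tp-service --debug output.
STATE_RE = re.compile(r'#(?P<sa>\d+): STATE_MAIN_I(?P<n>\d): (?P<event>.+)')
RETRANS_RE = re.compile(r'retransmission; will wait (?P<ms>\d+)ms')

def classify_ike_log(lines):
    """Classify a libreswan IKEv1 Main Mode attempt from log lines.

    Returns (verdict, detail). Verdicts:
      config-not-loaded   the conn file could not be read (path or permissions)
      no-ike-reply        only STATE_MAIN_I1 retransmissions, then timeout:
                          nothing on UDP/500 answered (firewall, NAT, server down)
      phase1-established  ISAKMP SA came up; later failures are L2TP/PPP, not IKE
      peer-replied        the responder answered but Main Mode stopped early
      indeterminate       not enough of the log to decide
    """
    deepest, waits, timed_out = 0, [], False
    for line in lines:
        if 'cannot load config' in line or "can't load file" in line:
            return ('config-not-loaded', line.strip())
        if 'Timeout trying to establish IPsec connection' in line:
            timed_out = True
        m = STATE_RE.search(line)
        if not m:
            continue
        deepest = max(deepest, int(m.group('n')))          # highest MAIN_I state reached
        if 'ISAKMP SA established' in m.group('event'):
            return ('phase1-established', f"STATE_MAIN_I{m.group('n')}")
        r = RETRANS_RE.search(m.group('event'))
        if r:
            waits.append(int(r.group('ms')))               # back-off intervals seen
    if deepest == 0:
        return ('indeterminate', 'no STATE_MAIN_I* lines found')
    if deepest >= 2:
        return ('peer-replied', f'reached STATE_MAIN_I{deepest}')
    if waits and timed_out:
        return ('no-ike-reply',
                f'{len(waits)} retransmissions (last wait {max(waits)}ms), no response')
    return ('indeterminate', 'STATE_MAIN_I1 seen but log ends before a timeout')

# Constructed sample with the same shape as the log posted in this issue.
SAMPLE_NO_REPLY = """\
002 "vpn-uuid" #1: initiating Main Mode
104 "vpn-uuid" #1: STATE_MAIN_I1: initiate
010 "vpn-uuid" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
010 "vpn-uuid" #1: STATE_MAIN_I1: retransmission; will wait 1000ms for response
010 "vpn-uuid" #1: STATE_MAIN_I1: retransmission; will wait 2000ms for response
nm-l2tp[7637] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[7637] <warn>  Could not establish IPsec tunnel.
""".splitlines()

if __name__ == '__main__':
    print(classify_ike_log(SAMPLE_NO_REPLY))
```

Feed it the lines from journalctl or the --debug run; a no-ike-reply verdict means the next check is whether UDP/500 (and 4500) reaches the gateway at all, not the IPsec proposals.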

lucaspalencia commented 6 years ago

Running: sudo ./ike-scan.sh [VPN_IP] | grep SA

After some minutes, nothing returns.

Running: sudo ike-scan [VPN_IP]

Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.440 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

So it is probably a firewall issue?

dkosovic commented 6 years ago

Yeah, most probably a firewall issue.

lucaspalencia commented 6 years ago

Ok, thanks for the support @dkosovic!

dkosovic commented 6 years ago

Actually there is another test you could try to rule out if it is an issue on the VPN server side. You could try querying another VPN server like one of the free L2TP/IPsec servers. If it works, the issue is then most likely on the server side, firewall or otherwise.

Here is the output I get when querying us1.superfreevpn.com:

$ sudo ./ike-scan.sh us1.superfreevpn.com | grep SA
    SA=(Enc=3DES Hash=MD5 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration=28800)
    SA=(Enc=3DES Hash=MD5 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
    SA=(Enc=3DES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration=28800)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration=28800)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration=28800)
    SA=(Enc=AES Hash=MD5 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration=28800 KeyLength=128)
    SA=(Enc=AES Hash=MD5 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800 KeyLength=128)
    SA=(Enc=AES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration=28800 KeyLength=128)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration=28800 KeyLength=128)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800 KeyLength=128)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration=28800 KeyLength=128)
    SA=(Enc=AES Hash=MD5 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration=28800 KeyLength=192)
    SA=(Enc=AES Hash=MD5 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800 KeyLength=192)
    SA=(Enc=AES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration=28800 KeyLength=192)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration=28800 KeyLength=192)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800 KeyLength=192)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration=28800 KeyLength=192)
    SA=(Enc=AES Hash=MD5 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration=28800 KeyLength=256)
    SA=(Enc=AES Hash=MD5 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800 KeyLength=256)
    SA=(Enc=AES Hash=MD5 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration=28800 KeyLength=256)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=1:modp768 LifeType=Seconds LifeDuration=28800 KeyLength=256)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration=28800 KeyLength=256)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration=28800 KeyLength=256)