nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

IPSec Timeout on Debian Jessie #67

Closed dosentmatter closed 6 years ago

dosentmatter commented 6 years ago

The VPN server I am connecting to uses legacy ciphers: phase 1: 3des-sha1-modp1024, phase 2: 3des-sha1.

I am on Debian Jessie.

Here is what I used to build and install. I am using libreswan because I got it working on Linux Mint using libreswan https://github.com/nm-l2tp/network-manager-l2tp/issues/62. I tried strongswan with the above ciphers but I get the same timeout. The GUI is available but I can't connect.

sudo apt install \
build-essential \
git \
intltool \
libtool \
network-manager-dev \
libnm-util-dev \
libnm-glib-dev \
libnm-glib-vpn-dev \
libnm-gtk-dev \
libnm-dev \
libnma-dev \
ppp-dev \
libdbus-glib-1-dev \
libsecret-1-dev \
libgtk-3-dev \
libglib2.0-dev \
xl2tpd \
libreswan

git clone https://github.com/nm-l2tp/network-manager-l2tp.git
cd network-manager-l2tp

# Debian Jessie ships the old NetworkManager 0.9 API, so build the nm-1-0 branch
git checkout nm-1-0

./autogen.sh
./configure \
  --disable-static --prefix=/usr \
  --sysconfdir=/etc --libdir=/usr/lib/x86_64-linux-gnu \
  --libexecdir=/usr/lib/NetworkManager \
  --localstatedir=/var \
  --with-pppd-plugin-dir=/usr/lib/pppd/2.4.7

make
sudo make install

I get this message in syslog: VPN connection 'VPN NAME' failed to connect: 'Method invoked for Connect returned FALSE but did not set error'.

Here is the debug log:

$ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
** Message: nm-l2tp-service (version 1.0.8) starting...
connection
    id : "VPN NAME" (s)
    uuid : "9b117491-9a67-46a7-ac91-a8ada37408fd" (s)
    interface-name : NULL (sd)
    type : "vpn" (s)
    permissions : user:USER: (s)
    autoconnect : FALSE (s)
    timestamp : 0 (sd)
    read-only : FALSE (sd)
    zone : NULL (sd)
    master : NULL (sd)
    slave-type : NULL (sd)
    secondaries :  (sd)
    gateway-ping-timeout : 0 (sd)
vpn
    service-type : "org.freedesktop.NetworkManager.l2tp" (s)
    user-name : "USER" (s)
    data : gateway=12.226.97.162,mtu=1400,user=NAME,ipsec-enabled=yes,ipsec-psk=XXXXXXXXXXXXXXXX,password-flags=1,mru=1400 (s)
    secrets : password=XXXXXXXXXXXX (s)
ipv6
    method : "auto" (s)
    dhcp-hostname : NULL (sd)
    dns :  (s)
    dns-search :  (sd)
    addresses :  (s)
    routes :  (s)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    ip6-privacy : -1 (sd)
ipv4
    method : "auto" (s)
    dns :  (s)
    dns-search :  (sd)
    addresses :  (s)
    address-labels :  (sd)
    routes :  (s)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-client-id : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    dhcp-hostname : NULL (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
** Message: ipsec enable flag: yes
** Message: Check port 1701
** Message: starting ipsec
Redirecting to: systemctl stop ipsec.service
Redirecting to: systemctl start ipsec.service
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
002 listening for IKE messages
002 adding interface wlan0/wlan0 192.168.93.13:500
002 adding interface wlan0/wlan0 192.168.93.13:4500
002 adding interface eth0:avahi/eth0:avahi 169.254.12.9:500
002 adding interface eth0:avahi/eth0:avahi 169.254.12.9:4500
002 adding interface lo/lo 127.0.0.1:500
002 adding interface lo/lo 127.0.0.1:4500
002 adding interface wlan0/wlan0 2600:1:b302:f851:9ead:97ff:fed1:eaad:500
002 adding interface lo/lo ::1:500
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-9b117491-9a67-46a7-ac91-a8ada37408fd.secrets"
opening file: /var/run/nm-l2tp-ipsec-9b117491-9a67-46a7-ac91-a8ada37408fd.conf
debugging mode enabled
end of file /var/run/nm-l2tp-ipsec-9b117491-9a67-46a7-ac91-a8ada37408fd.conf
Loading conn 9b117491-9a67-46a7-ac91-a8ada37408fd
starter: left is KH_DEFAULTROUTE
loading named conns: 9b117491-9a67-46a7-ac91-a8ada37408fd
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst  via 192.168.93.1 dev wlan0 src  table 254 (ignored)
set nexthop: 192.168.93.1
dst  via  dev eth0 src  table 254 (ignored)
dst  via 192.168.93.1 dev wlan0 src  table 254 (ignored)
dst 169.254.0.0 via  dev eth0 src 169.254.12.9 table 254 (ignored)
dst 169.254.0.0 via  dev wlan0 src  table 254 (ignored)
dst 192.168.93.0 via  dev wlan0 src 192.168.93.13 table 254 (ignored)
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255
dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255
dst 169.254.0.0 via  dev eth0 src 169.254.12.9 table 255
dst 169.254.12.9 via  dev eth0 src 169.254.12.9 table 255
dst 169.254.255.255 via  dev eth0 src 169.254.12.9 table 255
dst 192.168.93.0 via  dev wlan0 src 192.168.93.13 table 255
dst 192.168.93.13 via  dev wlan0 src 192.168.93.13 table 255
dst 192.168.93.255 via  dev wlan0 src 192.168.93.13 table 255
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst 192.168.93.1 via  dev wlan0 src 192.168.93.13 table 254 (ignored)
set addr: 192.168.93.13
conn: "9b117491-9a67-46a7-ac91-a8ada37408fd" modecfgdomain=(null)
conn: "9b117491-9a67-46a7-ac91-a8ada37408fd" modecfgbanner=(null)
conn: "9b117491-9a67-46a7-ac91-a8ada37408fd" mark=(null)
002 added connection description "9b117491-9a67-46a7-ac91-a8ada37408fd"
** Message: Spawned ipsec auto --up script with PID 4260.
002 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: initiating Main Mode
104 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: initiate
010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 1000ms for response
010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 2000ms for response
010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 4000ms for response
010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 8000ms for response
** (nm-l2tp-service:3654): WARNING **: Timeout trying to establish IPsec connection
** Message: Terminating ipsec script with PID 4260.
** (nm-l2tp-service:3654): WARNING **: Could not establish IPsec tunnel.
010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 16000ms for response
(nm-l2tp-service:3654): GLib-CRITICAL **: Source ID 7 was not found when attempting to remove it
~ $ 010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 32000ms for response
031 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: max number of retransmissions (8) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKEv1 message
000 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: starting keying attempt 2 of an unlimited number, but releasing whack

dkosovic commented 6 years ago

Someone else has reported the exact same issue, i.e.:

104 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: initiate
010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
...

Which seems to indicate the first payload from the VPN server is not being received. I'm guessing a firewall is blocking it.

Is ike-scan or the ike-scan.sh script on the following page able to query the VPN server?

https://github.com/nm-l2tp/network-manager-l2tp/wiki/Known-Issues#querying-vpn-server-for-supported-ipsec-ikev1-ciphers

If ike-scan isn't able to query the VPN server, it would be highly likely it is a firewall issue and not a libreswan issue.
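Added example, not code from the nm-l2tp project or from anyone in this thread: a small Python triage script for the whack/pluto output that nm-l2tp-service --debug prints. It separates the case seen above (retransmissions at STATE_MAIN_I1 with no reply at all, which points at UDP/500 being blocked or the gateway being down) from a gateway that does answer but rejects the phase 1 proposal (NO_PROPOSAL_CHOSEN), a phase 1 that stalls later, a phase 2 failure, and a successful tunnel. The first sample is abridged from the log posted in this issue; the second sample line and the verdict texts are my own constructions, and the state-to-verdict mapping is an assumption about typical libreswan behaviour, not something the project documents.

```python
import re

# Abridged from the pluto/whack output posted in this issue.
SAMPLE_LOG = """\
002 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: initiating Main Mode
104 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: initiate
010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 1000ms for response
010 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: STATE_MAIN_I1: retransmission; will wait 2000ms for response
** (nm-l2tp-service:3654): WARNING **: Timeout trying to establish IPsec connection
031 "9b117491-9a67-46a7-ac91-a8ada37408fd" #1: max number of retransmissions (8) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKEv1 message
"""

# Constructed counter-example (not from the issue): the gateway answers, but
# rejects our phase 1 proposal, so the problem is cipher selection, not a firewall.
SAMPLE_LOG_REJECTED = """\
002 "conn" #1: initiating Main Mode
104 "conn" #1: STATE_MAIN_I1: initiate
003 "conn" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
010 "conn" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
"""

# Matches the "#<n>: STATE_xxx: <detail>" part of a pluto line; the
# "max number of retransmissions ... reached STATE_MAIN_I1" line deliberately
# does not match, because there the state name does not follow "#1: ".
STATE_RE = re.compile(r'#\d+: (STATE_[A-Z0-9_]+): (.*)$')

# Verdict texts are my interpretation, written for a defender triaging the log.
VERDICTS = {
    "established": "IPsec SA established; if L2TP still fails, look at xl2tpd/pppd, not IPsec.",
    "no_response": "No reply to the first IKEv1 Main Mode message: UDP/500 to the gateway is "
                   "probably blocked or the gateway is down. Confirm with ike-scan before "
                   "touching cipher settings.",
    "proposal_rejected": "Gateway answered with NO_PROPOSAL_CHOSEN: phase 1 cipher/DH group "
                         "mismatch; align ike= with what the server offers.",
    "phase1_stalled": "Gateway answered, but phase 1 stalled after the first exchange: "
                      "check the PSK and NAT traversal rather than the firewall.",
    "phase2_failed": "Phase 1 completed; the failure is in Quick Mode (phase 2): check "
                     "esp=/phase2alg= settings.",
    "unknown": "Could not classify; inspect the log manually.",
}


def parse_ike_events(log):
    """Return (last_state, retransmission_count, exhausted) from pluto output."""
    last_state = None
    retrans = 0
    exhausted = False
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m:
            last_state, detail = m.groups()
            if detail.startswith("retransmission"):
                retrans += 1
        if "max number of retransmissions" in line:
            exhausted = True
    return last_state, retrans, exhausted


def diagnose(log):
    """Classify an nm-l2tp IPsec debug log into one of the VERDICTS codes."""
    last_state, retrans, exhausted = parse_ike_events(log)
    nm_timeout = "Timeout trying to establish IPsec connection" in log
    if "IPsec SA established" in log:
        code = "established"
    elif "NO_PROPOSAL_CHOSEN" in log:
        code = "proposal_rejected"
    elif last_state == "STATE_MAIN_I1" and retrans > 0:
        code = "no_response"
    elif last_state in ("STATE_MAIN_I2", "STATE_MAIN_I3") and retrans > 0:
        code = "phase1_stalled"
    elif last_state is not None and last_state.startswith("STATE_QUICK"):
        code = "phase2_failed"
    else:
        code = "unknown"
    return {
        "code": code,
        "last_state": last_state,
        "retransmissions": retrans,
        "retransmissions_exhausted": exhausted,
        "nm_l2tp_timed_out": nm_timeout,
        "verdict": VERDICTS[code],
    }


if __name__ == "__main__":
    for name, log in (("issue log", SAMPLE_LOG), ("constructed rejection", SAMPLE_LOG_REJECTED)):
        result = diagnose(log)
        print(f"{name}: {result['code']} (last state {result['last_state']}, "
              f"{result['retransmissions']} retransmissions)\n  {result['verdict']}")
```

Feed it the output of `sudo /usr/lib/NetworkManager/nm-l2tp-service --debug` (for example via `diagnose(open("debug.log").read())`) and it reports which stage of the exchange died. The useful property of the log in this issue is that nothing after the very first packet is ever seen, so the cipher settings never come into play; that is the same conclusion as the ike-scan suggestion above, just derived from the log alone.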

dkosovic commented 6 years ago

Unrelated to your current issue, but thought I would mention it. I was never able to establish a connection with the xl2tpd-1.3.6 package that ships with Jessie, but had no issues with xl2tpd-1.3.8 from jessie-backports:

https://packages.debian.org/jessie-backports/xl2tpd

dosentmatter commented 6 years ago

I'll have to get back to you on this one. The machine having problems isn't actually mine, and I couldn't get in contact with the owner today. Thanks for the suggestions.

I was able to get it to work using a Debian Jessie VM. ike-scan worked for me but I had to use xl2tpd-1.3.8 from jessie-backports. I was getting a different debug log than the owner's log above. My final config for the VM was network-manager-l2tp-1.0.8 + libreswan-3.16-1 + xl2tpd-1.3.8.

I'll see if this config works for the owner, when we get the chance to speak.

dosentmatter commented 6 years ago

So we were able to get it to work. He said his ike-scan wasn't able to reach the VPN server the other day but works today. He didn't have to install xl2tpd-1.3.8 like I did for my Debian Jessie VM. He is using libreswan.

I'm not sure what caused his problem but it could be because of his spotty internet since he lives in a rural area. Thanks for the tips on debugging! I'm gonna close this issue now.