nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Connect failed! #77

Closed jouyouyun closed 6 years ago

jouyouyun commented 6 years ago

The nm connection file:

[connection]
id=flutter
uuid=04cd896d-f843-483e-b383-2cc0a90915b0
type=vpn
permissions=

[vpn]
gateway=18.221.140.253
ipsec-enabled=yes
ipsec-esp=aes128-sha1,aes256-sha256,3des-md5,aes256-sha1
ipsec-ike=aes128-sha1-modp1024,aes256-sha256-modp2048,3des-sha1-modp2048,aes256-sha256-modp2048!
ipsec-psk=fluttertestvpn.com
password-flags=0
require-mppe=yes
user=flutter
service-type=org.freedesktop.NetworkManager.l2tp

[vpn-secrets]
password=testvpn

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=ignore

The nm-l2tp-service outputs:

$ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[11421] <debug> nm-l2tp-service (version 1.2.8) starting...
nm-l2tp[11421] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"

nm-l2tp[11421] <info>  ipsec enable flag: yes
** Message: Check port 1701
** Message: Can't bind to port 1701
nm-l2tp[11421] <warn>  L2TP port 1701 is busy, using ephemeral.
connection
    id : "flutter" (s)
    uuid : "04cd896d-f843-483e-b383-2cc0a90915b0" (s)
    interface-name : NULL (sd)
    type : "vpn" (s)
    permissions : [] (s)
    autoconnect : TRUE (sd)
    autoconnect-priority : 0 (sd)
    autoconnect-retries : -1 (sd)
    timestamp : 0 (sd)
    read-only : FALSE (sd)
    zone : NULL (sd)
    master : NULL (sd)
    slave-type : NULL (sd)
    autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
    secondaries : NULL (sd)
    gateway-ping-timeout : 0 (sd)
    metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
    lldp : -1 (sd)
    stable-id : NULL (sd)

ipv6
    method : "ignore" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray*) 0x5555baa14200) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray*) 0x5555baa14160) (s)
    route-metric : -1 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_DISABLED) (s)
    addr-gen-mode : 1 (sd)
    token : NULL (sd)

proxy
    method : 0 (sd)
    browser-only : FALSE (sd)
    pac-url : NULL (sd)
    pac-script : NULL (sd)

vpn
    service-type : "org.freedesktop.NetworkManager.l2tp" (s)
    user-name : NULL (sd)
    persistent : FALSE (sd)
    data : ((GHashTable*) 0x5555baa1e520) (s)
    secrets : ((GHashTable*) 0x7f9474004aa0) (s)
    timeout : 0 (sd)

ipv4
    method : "auto" (s)
    dns : [] (s)
    dns-search : [] (s)
    dns-options : NULL (sd)
    dns-priority : 0 (sd)
    addresses : ((GPtrArray*) 0x5555baa14380) (s)
    gateway : NULL (sd)
    routes : ((GPtrArray*) 0x5555baa14300) (s)
    route-metric : -1 (sd)
    ignore-auto-routes : FALSE (sd)
    ignore-auto-dns : FALSE (sd)
    dhcp-hostname : NULL (sd)
    dhcp-send-hostname : TRUE (sd)
    never-default : FALSE (sd)
    may-fail : TRUE (sd)
    dad-timeout : -1 (sd)
    dhcp-timeout : 0 (sd)
    dhcp-client-id : NULL (sd)
    dhcp-fqdn : NULL (sd)

nm-l2tp[11421] <info>  starting ipsec
Stopping strongSwan IPsec...
Starting strongSwan 5.5.3 IPsec [starter]...
Loading config setup
Loading conn '04cd896d-f843-483e-b383-2cc0a90915b0'
found netkey IPsec stack
nm-l2tp[11421] <info>  Spawned ipsec up script with PID 11548.
initiating Main Mode IKE_SA 04cd896d-f843-483e-b383-2cc0a90915b0[1] to 18.221.140.253
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.0.17.228[500] to 18.221.140.253[500] (284 bytes)
received packet: from 18.221.140.253[500] to 10.0.17.228[500] (144 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.0.17.228[500] to 18.221.140.253[500] (244 bytes)
received packet: from 18.221.140.253[500] to 10.0.17.228[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.0.17.228[4500] to 18.221.140.253[4500] (76 bytes)
received packet: from 18.221.140.253[500] to 10.0.17.228[500] (244 bytes)
received retransmit of response with ID 0, but next request already sent
received packet: from 18.221.140.253[500] to 10.0.17.228[500] (244 bytes)
received retransmit of response with ID 0, but next request already sent
received packet: from 18.221.140.253[500] to 10.0.17.228[500] (244 bytes)
received retransmit of response with ID 0, but next request already sent
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 10.0.17.228[4500] to 18.221.140.253[4500] (76 bytes)
received packet: from 18.221.140.253[500] to 10.0.17.228[500] (244 bytes)
received retransmit of response with ID 0, but next request already sent
received packet: from 18.221.140.253[500] to 10.0.17.228[500] (244 bytes)
received retransmit of response with ID 0, but next request already sent
nm-l2tp[11421] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[11421] <info>  Terminating ipsec script with PID 11548.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
establishing connection '04cd896d-f843-483e-b383-2cc0a90915b0' failed
nm-l2tp[11421] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:11421): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

ike-scan.sh outputs:

$ sudo ./ike-scan.sh 18.221.140.253|grep 'SA='
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=14:modp2048 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=5:modp1536 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=14:modp2048 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)

Version

dkosovic commented 6 years ago

Which kernel version ? Some kernel versions especially version 4.14 break IPsec.

Which Linux distribution? Some people have switched from strongswan to libreswan and their IPsec connection started to work. But don't use the exclamation mark (!) with libreswan for the phase 1 & 2 algorithms.

jouyouyun commented 6 years ago

Kernel version is 4.14

After changing the ipsec-ike and ipsec-esp lines, it connected successfully!

ipsec-esp=aes128-sha1,3des-md5
ipsec-ike=aes128-sha1-modp1024,3des-sha1-modp1024
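The ike-scan.sh output above lists the IKE (phase 1) transforms the gateway answered to, while the ipsec-ike line lists what the client offers; a connection can only come up if the two overlap. The script below, added here as an example and not part of NetworkManager-l2tp, parses the `SA=(...)` lines into strongSwan-style proposal names (`enc-hash-group`), splits an ipsec-ike value, and reports which offered proposals the gateway accepted and whether the trailing `!` strict marker is present. The sample data is copied from this issue; the function names are my own. Note the caveat it cannot remove: ike-scan only probes phase 1, so it says nothing about whether the ipsec-esp (phase 2) list will match.

```python
"""Compare the IKE (phase 1) proposals in a NetworkManager-l2tp ipsec-ike value
against the transforms an ike-scan run shows the gateway accepting.

Added example for this issue thread; not part of NetworkManager-l2tp.
"""
import re

# Constructed sample: the ipsec-ike line from the connection file in the issue.
SAMPLE_IPSEC_IKE = ("aes128-sha1-modp1024,aes256-sha256-modp2048,"
                    "3des-sha1-modp2048,aes256-sha256-modp2048!")

# Constructed sample: the distinct SA= lines from the ike-scan.sh output in the issue.
SAMPLE_IKE_SCAN = """\
    SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=5:modp1536 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=14:modp2048 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=2:modp1024 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=5:modp1536 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
    SA=(Enc=AES Hash=SHA1 Auth=PSK Group=14:modp2048 KeyLength=128 LifeType=Seconds LifeDuration(4)=0x00007080)
"""

SA_RE = re.compile(r"SA=\((.*?)\)\s*$")


def parse_ike_scan(text):
    """Return the set of strongSwan-style IKE proposal names (e.g. 'aes256-sha1-modp2048')
    the gateway advertised, one per SA= line of ike-scan output."""
    accepted = set()
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m.group(1).split())
        enc = attrs["Enc"].lower()
        if "KeyLength" in attrs:          # AES carries its key length separately
            enc += attrs["KeyLength"]
        hash_name = attrs["Hash"].lower()
        group = attrs["Group"].split(":", 1)[1]   # '14:modp2048' -> 'modp2048'
        accepted.add(f"{enc}-{hash_name}-{group}")
    return accepted


def parse_proposals(ipsec_ike):
    """Split an ipsec-ike value into its proposals and report whether the
    trailing '!' (strongSwan strict marker) is present."""
    strict = ipsec_ike.rstrip().endswith("!")
    items = [p.strip() for p in ipsec_ike.rstrip().rstrip("!").split(",") if p.strip()]
    return items, strict


def check_ike_proposals(ipsec_ike, ike_scan_output):
    """Return which offered proposals the gateway accepted and which it did not."""
    offered, strict = parse_proposals(ipsec_ike)
    accepted = parse_ike_scan(ike_scan_output)
    return {
        "matched": [p for p in offered if p in accepted],
        "unmatched": [p for p in offered if p not in accepted],
        "strict": strict,
        "gateway_accepts": sorted(accepted),
    }


if __name__ == "__main__":
    report = check_ike_proposals(SAMPLE_IPSEC_IKE, SAMPLE_IKE_SCAN)
    print("gateway accepts:", ", ".join(report["gateway_accepts"]))
    print("matched:       ", ", ".join(report["matched"]) or "(none)")
    print("unmatched:     ", ", ".join(report["unmatched"]) or "(none)")
    if report["strict"]:
        print("note: ipsec-ike ends with '!' (strongSwan strict marker; libreswan rejects it)")
```

Run against the issue's data it reports that `aes128-sha1-modp1024` and `3des-sha1-modp2048` are accepted by the gateway while both `aes256-sha256-modp2048` entries are not, and that the strict marker is set. To check a gateway of your own, replace the two sample constants with the real ipsec-ike value and a saved ike-scan.sh run.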