nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

Unable to connect to (NO_PROPOSAL_CHOSEN) #8

Closed Frozen-byte closed 8 years ago

Frozen-byte commented 8 years ago

When I try to connect to my company's L2TP/IPsec via PSK it is not working. On an Android device I can connect without any problems.

Logs when I try to connect to the VPN: nm-l2tp --debug

** Message: starting ipsec
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...
Loading config setup
Loading conn 'nm-ipsec-l2tp-4631'
found netkey IPsec stack
initiating Main Mode IKE_SA nm-ipsec-l2tp-4631[1] to *snip*
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.77.66[500] to *snip*[500] (248 bytes)
received packet: from *snip*[500] to 192.168.77.66[500] (56 bytes)
parsed INFORMATIONAL_V1 request 4204653677 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'nm-ipsec-l2tp-4631' failed
** Message: ipsec ready for action
** Message: xl2tpd started with pid 4740
xl2tpd[4740]: setsockopt recvref[30]: Protocol not available
xl2tpd[4740]: Using l2tp kernel support.
xl2tpd[4740]: xl2tpd version xl2tpd-1.3.7 started on Laptop PID:4740
xl2tpd[4740]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[4740]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[4740]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[4740]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[4740]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[4740]: get_call: allocating new tunnel for host *snip*, port 1701.
xl2tpd[4740]: Connecting to host *snip*, port 1701
xl2tpd[4740]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[4740]: control_finish: sending SCCRQ

** (nm-l2tp-service:4631): WARNING **: Looks like pppd didn't initialize our dbus module
** Message: Terminated xl2tpd daemon with PID 4740.
xl2tpd[4740]: death_handler: Fatal signal 15 received
xl2tpd[4740]: Connection 0 closed to *snip*, port 1701 (Server closing)
** Message: ipsec shut down

** (nm-l2tp-service:4631): WARNING **: xl2tpd exited with error code 1
** Message: ipsec shut down

syslog:

Jun 12 13:12:31 Laptop NetworkManager[859]: <info>  [1465729951.2480] audit: op="connection-activate" uuid="923f0286-bff7-494f-831a-599ca05962e1" name="VPNpsk" pid=3973 uid=1000 result="success"
Jun 12 13:12:31 Laptop NetworkManager[859]: <info>  [1465729951.2508] vpn-connection[0xc871d0,923f0286-bff7-494f-831a-599ca05962e1,"VPNpsk",0]: Saw the service appear; activating connection
Jun 12 13:12:31 Laptop charon: 00[DMN] signal of type SIGINT received. Shutting down
Jun 12 13:12:33 Laptop charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-24-generic, x86_64)
Jun 12 13:12:33 Laptop charon: 00[CFG] disabling load-tester plugin, not configured
Jun 12 13:12:33 Laptop charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Jun 12 13:12:33 Laptop charon: 00[CFG] dnscert plugin is disabled
Jun 12 13:12:33 Laptop charon: 00[CFG] ipseckey plugin is disabled
Jun 12 13:12:33 Laptop charon: 00[CFG] attr-sql plugin: database URI not set
Jun 12 13:12:33 Laptop charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 12 13:12:33 Laptop charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 12 13:12:33 Laptop charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 12 13:12:33 Laptop charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 12 13:12:33 Laptop charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 12 13:12:33 Laptop charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 12 13:12:33 Laptop charon: 00[CFG]   loaded IKE secret for @vpnpsk @psk
Jun 12 13:12:33 Laptop charon: 00[CFG] sql plugin: database URI not set
Jun 12 13:12:33 Laptop charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Jun 12 13:12:33 Laptop charon: 00[CFG] eap-simaka-sql database URI missing
Jun 12 13:12:33 Laptop charon: 00[CFG] loaded 0 RADIUS server configurations
Jun 12 13:12:33 Laptop charon: 00[CFG] no threshold configured for systime-fix, disabled
Jun 12 13:12:33 Laptop charon: 00[CFG] coupling file path unspecified
Jun 12 13:12:33 Laptop charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Jun 12 13:12:33 Laptop charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 12 13:12:33 Laptop charon: 00[JOB] spawning 16 worker threads
Jun 12 13:12:33 Laptop charon: 04[CFG] received stroke: add connection 'nm-ipsec-l2tp-4631'
Jun 12 13:12:33 Laptop charon: 04[CFG] added configuration 'nm-ipsec-l2tp-4631'
Jun 12 13:12:34 Laptop charon: 02[CFG] rereading secrets
Jun 12 13:12:34 Laptop charon: 02[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 12 13:12:34 Laptop charon: 02[CFG]   loaded IKE secret for @vpnpsk @psk
Jun 12 13:12:34 Laptop charon: 09[CFG] received stroke: initiate 'nm-ipsec-l2tp-4631'
Jun 12 13:12:34 Laptop charon: 10[IKE] initiating Main Mode IKE_SA nm-ipsec-l2tp-4631[1] to *snip*
Jun 12 13:12:34 Laptop charon: 10[ENC] generating ID_PROT request 0 [ SA V V V V ]
Jun 12 13:12:34 Laptop charon: 10[NET] sending packet: from 192.168.77.66[500] to *snip*[500] (248 bytes)
Jun 12 13:12:34 Laptop charon: 11[NET] received packet: from *snip*[500] to 192.168.77.66[500] (56 bytes)
Jun 12 13:12:34 Laptop charon: 11[ENC] parsed INFORMATIONAL_V1 request 4204653677 [ N(NO_PROP) ]
Jun 12 13:12:34 Laptop charon: 11[IKE] received NO_PROPOSAL_CHOSEN error notify
Jun 12 13:12:34 Laptop charon: 12[CFG] rereading secrets
Jun 12 13:12:34 Laptop charon: 12[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 12 13:12:34 Laptop NetworkManager[859]: <info>  [1465729954.4582] vpn-connection[0xc871d0,923f0286-bff7-494f-831a-599ca05962e1,"VPNpsk",0]: VPN plugin: state changed: starting (3)
Jun 12 13:12:44 Laptop NetworkManager[859]: <warn>  [1465729964.4688] vpn-connection[0xc871d0,923f0286-bff7-494f-831a-599ca05962e1,"VPNpsk",0]: VPN plugin: failed: (7) (7)
Jun 12 13:12:44 Laptop NetworkManager[859]: <warn>  [1465729964.4693] vpn-connection[0xc871d0,923f0286-bff7-494f-831a-599ca05962e1,"VPNpsk",0]: VPN plugin: failed: connect-failed (1)
Jun 12 13:12:44 Laptop NetworkManager[859]: <info>  [1465729964.4693] vpn-connection[0xc871d0,923f0286-bff7-494f-831a-599ca05962e1,"VPNpsk",0]: VPN plugin: state changed: stopping (5)
Jun 12 13:12:44 Laptop charon: 07[CFG] received stroke: terminate 'nm-ipsec-l2tp-4631'
Jun 12 13:12:44 Laptop charon: 07[CFG] no IKE_SA named 'nm-ipsec-l2tp-4631' found
Jun 12 13:12:44 Laptop NetworkManager[859]: <info>  [1465729964.4733] vpn-connection[0xc871d0,923f0286-bff7-494f-831a-599ca05962e1,"VPNpsk",0]: VPN plugin: state changed: stopped (6)
Jun 12 13:12:44 Laptop NetworkManager[859]: <info>  [1465729964.4738] vpn-connection[0xc871d0,923f0286-bff7-494f-831a-599ca05962e1,"VPNpsk",0]: VPN plugin: state change reason: unknown (0)
Jun 12 13:12:44 Laptop org.kde.kdeconnect[1575]: "No such interface 'org.freedesktop.DBus.Properties' on object at path /org/freedesktop/NetworkManager/ActiveConnection/9"
Jun 12 13:12:44 Laptop charon: 04[CFG] received stroke: terminate 'nm-ipsec-l2tp-4631'
Jun 12 13:12:44 Laptop charon: 04[CFG] no IKE_SA named 'nm-ipsec-l2tp-4631' found
Jun 12 13:12:44 Laptop NetworkManager[859]: <warn>  [1465729964.4868] vpn-connection[0xc871d0,923f0286-bff7-494f-831a-599ca05962e1,"VPNpsk",0]: VPN plugin: failed: connect-failed (1)

In addition, here is the ike-scan report:

sudo ike-scan -M *snip*
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
*snip*    Main Mode Handshake returned
        HDR=(CKY-R=*snip*)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
        VID=*snip* (MS NT5 ISAKMPOAKLEY)
        VID=*snip* (RFC 3947 NAT-T)
        VID=*snip* (draft-ietf-ipsec-nat-t-ike-02\n)
        VID=*snip* (IKE Fragmentation)
        VID=*snip*
        VID=*snip*

Ending ike-scan 1.9: 1 hosts scanned in 0.045 seconds (22.39 hosts/sec).  1 returned handshake; 0 returned notify

I've installed:

Kubuntu 16.04
xl2tpd-1.3.7 (compiled from master branch)
pppd 2.4.7
strongSwan U5.3.5/K4.4.0-24-generic
network manager 1.2.0

and applied:

apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.charon
apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.stroke

dkosovic commented 8 years ago

Comparing to my /var/log/syslog, you seem to have a lot more strongswan packages installed, I only have the following :

I've had connection issues when one of the extra strongswan plugins was installed.

From the following line:

loaded IKE secret for @vpnpsk @psk

for the IPsec Options, you seem to be filling in the Group Name and Gateway ID which I've always left blank.

Are you using "vpnpsk" and "psk" for the Group Name and Gateway ID on the Android device?

dkosovic commented 8 years ago

Sorry, just noticed you were using Kubuntu, so I assume you are using the Plasma-nm KDE front-end for NetworkManager-l2tp. I don't know if that front-end needs to be modified to support the changes to NetworkManager-l2tp 1.2.2.

Unfortunately, in some situations strongSwan's "ipsec up {connection name}" command doesn't return failure if the IPsec connection was unsuccessful, and I'm not able to check with "ipsec status", for which I've submitted a bug: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1587886. I'm still looking into it.

Frozen-byte commented 8 years ago

Temporary Workaround for the Apparmor bug is to execute as sudo:

apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.charon
apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.stroke

I've uninstalled many modules and left the Group Name and Gateway ID blank, no changes. My error stays. The server answers NO_PROPOSAL_CHOSEN all the time.

Do you maybe know the Android default settings? I may set up ipsec/xl2tpd manually and test the connection.

dkosovic commented 8 years ago

Unless you have a Cisco VPN server, the default on most operating systems is to keep the Group details blank.

Sorry I have no idea what Android is using.

You can have a look at /var/run/nm-ipsec-l2tp.????/ipsec.conf for a strongswan connection sample and you will also need to add the PSK to /etc/ipsec.secrets.

After doing an 'ipsec up {connection name}' make sure it is really up with an 'ipsec status {connection name}'

dkosovic commented 8 years ago

One other option is to remove strongswan, then build and install libreswan into /usr/local (like you did with xl2tpd).

Frozen-byte commented 8 years ago

Files are created when I attempt to connect the VPN:

cat /var/run/nm-ipsec-l2tp.28766/ipsec.conf

conn nm-ipsec-l2tp-28766
  auto=add
  type=transport
  authby=secret
  keyingtries=0
  left=%defaultroute
  leftprotoport=udp/l2tp
  rightprotoport=udp/l2tp
  right=*snip*
  keyexchange=ikev1

cat /var/run/nm-ppp-options.xl2tpd.28766

ipparam nm-l2tp-service-28766
nodetach
usepeerdns
noipdefault
nodefaultroute
noauth
noccp
refuse-pap
nopcomp
noaccomp
lcp-echo-failure 0
lcp-echo-interval 0
plugin /usr/lib/pppd/2.4.7//nm-l2tp-pppd-plugin.so

cat /var/run/nm-xl2tpd.conf.28766

[global]
access control = yes
port = 1701
[lac l2tp]
lns = *snip*
pppoptfile = /var/run/nm-ppp-options.xl2tpd.28766
autodial = yes
tunnel rws = 8
tx bps = 100000000
rx bps = 100000000

BTW: My network Interfaces are named enp0s25 and wlo1 and '/usr/lib/pppd/2.4.7//nm-l2tp-pppd-plugin.so' exists

dkosovic commented 8 years ago

Sorry, I meant you could use the connection in /var/run/nm-ipsec-l2tp.28766/ipsec.conf as a starting template to possibly add and/or remove options till it works with the strongSwan command-line.

You will need to add a pre-shared key to /etc/ipsec.secrets with a line something like:

: PSK this-is-my-PSK

with this-is-my-PSK replaced by the actual PSK.

Either add the connection to /etc/ipsec.conf or load your own ipsec.conf file with something like the following, then bring up the IPsec connection:

sudo ipsec restart --conf /var/run/nm-ipsec-l2tp.28766/ipsec.conf --debug
sudo ipsec up nm-ipsec-l2tp-28766
sudo ipsec status

You can see all the ipsec.conf options here : https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

Some IKEv1 PSK examples here : https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples

Frozen-byte commented 8 years ago

FINALLY! I connected with the following config values:

conn nm-ipsec-l2tp-7828
  auto=add
  type=transport
  authby=psk
  left=%any
  fragmentation=yes
  leftprotoport=udp/l2tp
  rightprotoport=udp/l2tp
  right=*snip*
  keyexchange=ikev1
  ike=3des-sha1-modp1024

and added the PSK into /etc/ipsec-secrets. The magic line is: ike=3des-sha1-modp1024 to establish the tunnel.

ipsec status also returns positive.

Guess I have to gamble with the xl2tpd settings now, since the Tunnel does not answer:

echo "c l2tp" > /var/run/xl2tpd/l2tp-control
xl2tpd[3525]: Calling on tunnel 30933
Maximum retries exceeded for tunnel 30933.  Closing.
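
Added example (not part of the original thread or of NetworkManager-l2tp): the ike-scan report earlier in this thread already shows the only transform the gateway accepted, and this sketch turns such an `SA=(...)` line into the matching strongSwan `ike=` value while flagging legacy algorithms. It goes beyond the thread's single 3DES case; the AES and SHA-2 attribute names and every function name here are assumptions.

```python
# Constructed sample: the SA line from the ike-scan report quoted in this thread.
SAMPLE = """\
        HDR=(CKY-R=*snip*)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00007080)
"""

# Assumption: ike-scan attribute names on the left, strongSwan keywords on the right.
ENC = {"DES": "des", "3DES": "3des"}
HASH = {"MD5": "md5", "SHA1": "sha1", "SHA2-256": "sha256",
        "SHA2-384": "sha384", "SHA2-512": "sha512"}
# Algorithms considered legacy today; worth raising with the gateway's owner.
LEGACY = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def parse_sa(report):
    """Return one dict of attributes per SA=(...) line in an ike-scan report."""
    transforms = []
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("SA=(") and line.endswith(")"):
            # Tokens look like Key=Value; "LifeDuration(4)" keeps its suffix.
            pairs = (tok.partition("=") for tok in line[4:-1].split())
            transforms.append({key: value for key, _, value in pairs})
    return transforms


def to_proposal(sa):
    """Build a strongSwan proposal string such as 3des-sha1-modp1024."""
    enc = sa.get("Enc", "")
    if enc == "AES" and sa.get("KeyLength"):
        cipher = "aes" + sa["KeyLength"]
    elif enc in ENC:
        cipher = ENC[enc]
    else:
        raise ValueError(f"unmapped cipher: {enc!r}")
    digest = HASH.get(sa.get("Hash", ""))
    group = sa.get("Group", "").partition(":")[2]  # "2:modp1024" -> "modp1024"
    if not digest or not group:
        raise ValueError(f"unmapped hash or group in {sa!r}")
    return f"{cipher}-{digest}-{group}"


def legacy_parts(proposal):
    """List the components of a proposal that are legacy algorithms."""
    return [part for part in proposal.split("-") if part in LEGACY]


def ipsec_conf_line(report):
    """Return the ipsec.conf line for the first transform the gateway accepted."""
    sas = parse_sa(report)
    if not sas:
        raise ValueError("no SA=(...) transform found; the gateway accepted nothing")
    return "  ike=" + to_proposal(sas[0])


if __name__ == "__main__":
    print(ipsec_conf_line(SAMPLE))
    print("legacy:", legacy_parts(to_proposal(parse_sa(SAMPLE)[0])))
```
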

dkosovic commented 8 years ago

Glad to hear you got it working with that line. Sounds like a bug with the negotiation of the proposal.

For xl2tpd command-line usage, I wouldn't use unmodified xl2tp config files generated by NetworkManager-l2tp as it is required to talk to the /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so plugin specified in one of the generated config files.

Another option is to modify the following line in src/nm-l2tp-service.c :

write_config_option (ipsec_fd,      "  authby=secret\n"
                    "  keyingtries=0\n"
                    "  left=%%defaultroute\n"
                    "  leftprotoport=udp/l2tp\n"
                    "  rightprotoport=udp/l2tp\n");

to add ike=3des-sha1-modp1024 or just add the following line after that code:

write_config_option (ipsec_fd,      "  ike=3des-sha1-modp1024\n");

and then make and sudo make install

Frozen-byte commented 8 years ago

Works good (forked your repo with the changes I made). But I am afraid to tell you, the pppd is still not able to create the DBus interface:

connection 'nm-ipsec-l2tp-31736' established successfully
** Message: ipsec ready for action
sh: 0: getcwd() failed: No such file or directory
sh: 0: getcwd() failed: No such file or directory
** Message: xl2tpd started with pid 31805
xl2tpd[31805]: setsockopt recvref[30]: Protocol not available
xl2tpd[31805]: Using l2tp kernel support.
xl2tpd[31805]: xl2tpd version xl2tpd-1.3.7 started on Laptop PID:31805
xl2tpd[31805]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[31805]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[31805]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[31805]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[31805]: Listening on IP address 0.0.0.0, port 38165
xl2tpd[31805]: get_call: allocating new tunnel for host *snip*, port 1701.
xl2tpd[31805]: Connecting to host *snip*, port 1701
xl2tpd[31805]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[31805]: control_finish: sending SCCRQ

** (nm-l2tp-service:31736): WARNING **: Looks like pppd didn't initialize our dbus module

dkosovic commented 8 years ago

The "Looks like pppd didn't initialize our dbus module" message happens after a 10 second timeout waiting for xl2tpd/pppd.

The timeout value can be bumped up by changing the following line in src/nm-l2tp-service.c :

 #define NM_L2TP_WAIT_PPPD 10000 /* 10 seconds */

The KDE frontend might need to be updated to match the DBus changes in commit https://github.com/nm-l2tp/network-manager-l2tp/commit/66a5355c971a77aaa7b06540025521084116609a , I'll try and install Kubuntu on top of Ubuntu and see if I can reproduce.

dkosovic commented 8 years ago

I've reproduced the issue with Kubuntu.

Looking at KDE's Plasma-nm source code on the following page: https://github.com/KDE/plasma-nm/tree/master/vpn it hasn't been updated for the DBus changes with the nm version 1.2.2 VPN plug-ins, in particular pptp and l2tp (which is based on the pptp changes).

Ubuntu 16.04 is still shipping the old network-manager-pptp 1.1.93 which still works with Plasma-nm.

For network-manager-l2tp, you should be able to do the following in the master branch to get a version old enough to still work with Plasma-nm :

git checkout 65c0ae8

I ran into a different issue with xl2tpd, so not able to confirm if it works with Plasma-nm at the moment, but will try again later.

dkosovic commented 8 years ago

Ignore my previous message (I somehow forgot to enable IPsec).

I'm using HEAD of the network-manager-l2tp master branch and it seems to be working for me with Kubuntu on a VM, only issue I see is a nm_device_get_device_type: assertion 'NM_IS_DEVICE (self)' failed issue :

Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: Call established with 123.54.5.87, Local: 13740, Remote: 2671, Serial: 1 (ref=0/0)
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: start_pppd: I'm running:
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: "/usr/sbin/pppd"
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: "passive"
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: "nodetach"
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: ":"
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: "file"
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: "/var/run/nm-ppp-options.xl2tpd.22430"
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: "plugin"
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: "pppol2tp.so"
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: "pppol2tp"
Jun 20 23:35:17 kubuntu NetworkManager[775]: xl2tpd[22496]: "7"
Jun 20 23:35:17 kubuntu pppd[22497]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
Jun 20 23:35:17 kubuntu NetworkManager[775]: ** Message: nm-l2tp-ppp-plugin: (plugin_init): initializing
Jun 20 23:35:17 kubuntu pppd[22497]: Plugin pppol2tp.so loaded.
Jun 20 23:35:17 kubuntu pppd[22497]: pppd 2.4.7 started by root, uid 0
Jun 20 23:35:17 kubuntu NetworkManager[775]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection'
Jun 20 23:35:17 kubuntu NetworkManager[775]: nm_device_get_device_type: assertion 'NM_IS_DEVICE (self)' failed
Jun 20 23:35:17 kubuntu NetworkManager[775]: <info>  [1466429717.5991] manager: (ppp0): new Generic device (/org/freedesktop/NetworkManager/Devices/5)
Jun 20 23:35:17 kubuntu pppd[22497]: Using interface ppp0
Jun 20 23:35:17 kubuntu pppd[22497]: Connect: ppp0 <-->
Jun 20 23:35:17 kubuntu NetworkManager[775]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'

dkosovic commented 8 years ago

Someone else reported a similar issue elsewhere with the "Looks like pppd didn't initialize our dbus module" message and I asked them to increase the 10 second timeout in src/nm-l2tp-service.c :

 #define NM_L2TP_WAIT_PPPD 10000 /* 10 seconds */

Frozen-byte commented 8 years ago

Thank you for your help @dkosovic I can connect to the VPN now.

To summarize my steps:

apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.charon
apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.stroke

dkosovic commented 8 years ago

Glad to hear. I'll close this issue.

To overcome the apparmor issue, I've requested a patch ( https://launchpadlibrarian.net/267770874/usr.lib.ipsec.patch ) to add attach_disconnected that is applied to:

With the apparmor issue hopefully solved, I'll be able to add a test to check the IPsec connection is really up before starting the L2TP connection.

I've got to get back to the xl2tpd issue which required a local rebuild, but as I haven't been able to reproduce in a while, I'm not sure if I can.