nm-l2tp / NetworkManager-l2tp

L2TP and L2TP/IPsec support for NetworkManager
GNU General Public License v2.0

nm-l2tp-ipsec-UUID.secrets not removed after disconnecting #92

Closed cry32 closed 5 years ago

cry32 commented 5 years ago

Hello, as the title says, I sometimes have a problem connecting, because an nm-l2tp-ipsec-UUID.secrets file with the IPsec PSK exists in /etc/ipsec.d/. It stays there after an improper disconnect maybe? I am unable to reproduce this problem; it just doesn't work sometimes. It's known, I think, but is there a fix for this? Maybe some sort of script which removes all .secrets files on some event? I found no answers to this problem.

dkosovic commented 5 years ago

If you supply the Gateway ID (IP address) in the IPsec dialog box, the corresponding nm-l2tp-ipsec-UUID.secrets file will only be used for that VPN connection.

dkosovic commented 5 years ago

The nm-l2tp-ipsec-UUID.secrets file is normally deleted when the VPN connection is stopped, but if the computer is turned off or you log out before stopping the VPN connection, the file might not get removed.

dkosovic commented 5 years ago

Forgot to mention, if you are wondering why the Gateway ID is an IP address, see:

When using IKEv1 an additional complexity arises in the case of authentication by preshared secret: the responder will need to look up the secret before the Peer's ID payload has been decoded, so the ID used will be the IP address.

cry32 commented 5 years ago

Thanks, but I could not; both sides are behind NAT, so it's not matching the gateway ID. I tried setting it to an FQDN but it does not work, with this error: VPN connection: failed to connect: 'invalid ipsec-gateway-id 'ipsec-gateway-id''

dkosovic commented 5 years ago

The code used to delete the nm-l2tp-ipsec-UUID.secrets file immediately after the PSK was read. Unfortunately, for long-running VPN connections, whenever a rekeying happened the connection would fail, as it couldn't find the PSK because the file had been deleted. So now the file is only deleted when a VPN connection is disconnected by the user.

An FQDN ID will only work for IPsec IKEv2 (which doesn't need L2TP and has a separate GUI client, NetworkManager-strongswan).

It is okay to use the NAT IP address for the Gateway ID as long as it is static, which I guess in your case it isn't? The Peer ID (i.e. Gateway ID) that it is using is usually somewhere in the logs.

If the VPN server is configured to use a string literal for its ID, you can use a string literal starting with @ for the Gateway ID, but this option needs commit# https://github.com/nm-l2tp/network-manager-l2tp/commit/1d3844ffa860eeb75d3b0c9c9f8eec5fd1f4cbb0 which will be available in NetworkManager-l2tp 1.2.12 and later.

But having said all that, the only chance of having multiple nm-l2tp-ipsec-UUID.secrets files is if someone deletes and recreates VPN connections, which results in a new UUID each time they are saved or they actually have multiple VPN connections saved for different VPN servers.

But if you want to automate the deleting of the nm-l2tp-ipsec-UUID.secrets files, you could write a script and add it as a startup application in your desktop environment (most desktop environments have a GUI application to configure startups). A suitable SUID root script would be the following:

#! /bin/sh
rm -f /etc/ipsec.d/nm-l2tp-ipsec-*.secrets

To SUID root the script, do something like:

sudo chmod a+rx nm-l2tp-ipsec-delete-secrets.sh
sudo chown root nm-l2tp-ipsec-delete-secrets.sh
sudo chmod u+s nm-l2tp-ipsec-delete-secrets.sh
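
Added example, not part of this thread or of the nm-l2tp project: a POSIX sh version of the cleanup that only removes legacy nm-l2tp-ipsec-UUID.secrets files whose UUID does not belong to a currently active NetworkManager VPN connection, since, as noted earlier in the thread, deleting the file while the connection is up breaks the next rekey. It assumes the legacy per-UUID file naming under /etc/ipsec.d and uses nmcli to list active connections; the function names (stale_secrets, active_vpn_uuids, clean_stale_secrets) are this example's own. One caveat on the setuid approach above: the Linux kernel ignores the setuid bit on interpreted scripts, so chmod u+s on a shell script does not make it run as root; run the script from a root context instead (a systemd unit, a root crontab @reboot entry, or a sudoers rule).

```sh
#!/bin/sh
# Added example (not from the nm-l2tp project): remove stale legacy
# /etc/ipsec.d/nm-l2tp-ipsec-<UUID>.secrets files left behind by an
# unclean shutdown or logout, skipping any whose UUID belongs to a VPN
# connection that is currently active (deleting that one would break
# the next IPsec rekey).

# Print the nm-l2tp-ipsec-*.secrets files in directory $1 whose UUID is
# not in the newline-separated list of active connection UUIDs in $2.
stale_secrets() {
    dir=$1
    active=$2
    for f in "$dir"/nm-l2tp-ipsec-*.secrets; do
        [ -e "$f" ] || continue          # glob matched nothing
        uuid=${f##*/nm-l2tp-ipsec-}      # strip directory and prefix
        uuid=${uuid%.secrets}            # strip suffix -> bare UUID
        if printf '%s\n' "$active" | grep -qxF -- "$uuid"; then
            continue                     # connection is up, keep its PSK
        fi
        printf '%s\n' "$f"
    done
}

# UUIDs of VPN connections NetworkManager currently has active.
# nmcli's terse output is "UUID:TYPE" per line; VPN connections are "vpn".
active_vpn_uuids() {
    nmcli -t -f UUID,TYPE connection show --active 2>/dev/null \
        | awk -F: '$2 == "vpn" { print $1 }'
}

# Delete every stale file reported by stale_secrets (run as root).
clean_stale_secrets() {
    stale_secrets "$1" "$2" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# Usage: save as nm-l2tp-ipsec-delete-secrets.sh and run it as root at
# boot; the guard keeps the functions importable for testing.
if [ "${0##*/}" = "nm-l2tp-ipsec-delete-secrets.sh" ]; then
    clean_stale_secrets /etc/ipsec.d "$(active_vpn_uuids)"
fi
```

At boot no VPN is up yet, so in practice every legacy file gets removed, but the active-UUID filter makes the same script safe to run later (for example from a login hook) without knocking out a live tunnel.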

dkosovic commented 5 years ago

Forgot to mention, the following error message you provided has a bug:

VPN connection: failed to connect: 'invalid ipsec-gateway-id 'ipsec-gateway-id''

The 'ipsec-gateway-id' at the end of the error message was supposed to be the value of the Gateway ID that was entered in the GUI and was fixed with commit# https://github.com/nm-l2tp/network-manager-l2tp/commit/1d3844ffa860eeb75d3b0c9c9f8eec5fd1f4cbb0 which was also mentioned previously.

dkosovic commented 5 years ago

With commit https://github.com/nm-l2tp/network-manager-l2tp/commit/70c5f7257dfd3b27bbf29deec0037a07051aebda, /etc/ipsec.d/ipsec.nm-l2tp.secrets is now used instead of /etc/ipsec.d/nm-l2tp-ipsec-UUID.secrets. I've given up on the idea of running multiple instances of NetworkManager-l2tp, consequently only one instance of IPsec secrets file is required.

With strongSwan the following include line is now added to the /etc/ipsec.secrets file at runtime:

include ipsec.d/ipsec.nm-l2tp.secrets

instead of:

include /etc/ipsec.d/*.secrets

For the NetworkManager-l2tp Linux distro packages I manage, I'll add a pre-install script that cleans out any legacy files with rm -rf /etc/ipsec.d/nm-l2tp-ipsec-*.secrets