Thread: l2tp/strongswan/NetworkManager: no connection to a remote server

  1. #1

    After solving a printer issue by buying a new one, I am now struggling with a networking problem. My company offers access to remote folders via an L2TP VPN connection. Everything works with Windows 10 with the credentials provided. The connection needs IPsec.

    Packages installed:

    Code:
    $ sudo zypper search -i | grep l2tp
    i+ | NetworkManager-l2tp                        | NetworkManager VPN support for L2TP and L2TP/IPsec                                    | Paket    
    i+ | openSUSE-2017-1312                         | Feature update adding NetworkManager-l2tp                                             | Patch    
    i+ | plasma-nm5-l2tp                            | L2TP support for plasma-nm5                                                           | Paket    
    i  | xl2tpd                                     | Layer 2 Tunnelling Protocol Daemon (RFC 2661)                                         | Paket 
    
    $ sudo zypper search -i | grep swan
    i+ | strongswan                                 | OpenSource IPsec-based VPN Solution                                                   | Paket    
    i  | strongswan-ipsec                           | OpenSource IPsec-based VPN Solution                                                   | Paket    
    i  | strongswan-libs0                           | OpenSource IPsec-based VPN Solution                                                   | Paket

    I checked for phase 1 and 2 algorithms as advised here by using ike-scan and was using the entries in the IPsec options window in NetworkManager:

    Code:
    "phase 1" algorithm: 3des-md5-modp1024,3des-sha1-modp1024,aes128-sha1-modp768,aes128-sha1-modp1024
    "phase 2" algorithm: aes128-sha1,3des-md5

    No luck. Here is the systemd log (some data replaced by "xxx" due to privacy concerns):

    Code:
    16.03.18 10:38    NetworkManager    <info>  Starting VPN service 'l2tp'...
    16.03.18 10:38    NetworkManager    <info>  VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 9679
    16.03.18 10:38    NetworkManager    <info>  VPN service 'l2tp' appeared; activating connections
    16.03.18 10:38    kdeinit5    plasma-nm: virtual NMVariantMapMap SecretAgent::GetSecrets(const NMVariantMapMap&, const QDBusObjectPath&, const QString&, const QStringList&, uint)
    16.03.18 10:38    kdeinit5    plasma-nm: Path: "/org/freedesktop/NetworkManager/Settings/2"
    16.03.18 10:38    kdeinit5    plasma-nm: Setting name: "vpn"
    16.03.18 10:38    kdeinit5    plasma-nm: Hints: ()
    16.03.18 10:38    kdeinit5    plasma-nm: Flags: 4
    16.03.18 10:38    NetworkManager    ** Message: ipsec enable flag: yes
    16.03.18 10:38    kdeinit5    plasma-nm: Unhandled VPN connection state change:  3
    16.03.18 10:38    NetworkManager    ** Message: Check port 1701
    16.03.18 10:38    NetworkManager    ** Message: starting ipsec
    16.03.18 10:38    NetworkManager    Stopping strongSwan IPsec failed: starter is not running
    16.03.18 10:38    ipsec_starter    Starting strongSwan 5.2.2 IPsec [starter]...
    16.03.18 10:38    ipsec_starter    Loading config setup
    16.03.18 10:38    ipsec_starter    Loading conn 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx'
    16.03.18 10:38    NetworkManager    Starting strongSwan 5.2.2 IPsec [starter]...
    16.03.18 10:38    NetworkManager    Loading config setup
    16.03.18 10:38    NetworkManager    Loading conn 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx'
    16.03.18 10:38    ipsec_starter    found netkey IPsec stack
    16.03.18 10:38    ipsec_starter    Attempting to start charon...
    16.03.18 10:38    NetworkManager    found netkey IPsec stack
    16.03.18 10:38    charon    00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 4.4.114-42-default, x86_64)
    16.03.18 10:38    charon    00[LIB] openssl FIPS mode(0) - disabled
    16.03.18 10:38    charon    00[CFG] HA config misses local/remote address
    16.03.18 10:38    charon    00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
    16.03.18 10:38    charon    00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    16.03.18 10:38    charon    00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    16.03.18 10:38    charon    00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    16.03.18 10:38    charon    00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    16.03.18 10:38    charon    00[CFG] loading crls from '/etc/ipsec.d/crls'
    16.03.18 10:38    charon    00[CFG] loading secrets from '/etc/ipsec.secrets'
    16.03.18 10:38    charon    00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-856af385-43e3-462f-b013-xxxxxxxxxxxxx.secrets'
    16.03.18 10:38    charon    00[CFG]   loaded IKE secret for %any
    16.03.18 10:38    charon    00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx.secrets'
    16.03.18 10:38    charon    00[CFG]   loaded IKE secret for %any
    16.03.18 10:38    charon    00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
    16.03.18 10:38    charon    00[CFG] loaded 0 RADIUS server configurations
    16.03.18 10:38    charon    00[TNC] TNC recommendation policy is 'default'
    16.03.18 10:38    charon    00[TNC] loading IMVs from '/etc/tnc_config'
    16.03.18 10:38    charon    00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
    16.03.18 10:38    charon    00[CFG] missing PDP server name, PDP disabled
    16.03.18 10:38    charon    00[TNC] loading IMCs from '/etc/tnc_config'
    16.03.18 10:38    charon    00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
    16.03.18 10:38    charon    00[CFG] coupling file path unspecified
    16.03.18 10:38    charon    00[LIB] loaded plugins: charon ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl soup attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
    16.03.18 10:38    charon    00[LIB] unable to load 16 plugin features (13 due to unmet dependencies)
    16.03.18 10:38    charon    00[LIB] dropped capabilities, running as uid 0, gid 0
    16.03.18 10:38    charon    00[JOB] spawning 16 worker threads
    16.03.18 10:38    ipsec_starter    charon (9708) started after 60 ms
    16.03.18 10:38    charon    08[CFG] received stroke: add connection 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx'
    16.03.18 10:38    charon    08[CFG] left nor right host is our side, assuming left=local
    16.03.18 10:38    charon    08[CFG] added configuration 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx'
    16.03.18 10:38    charon    11[CFG] rereading secrets
    16.03.18 10:38    charon    11[CFG] loading secrets from '/etc/ipsec.secrets'
    16.03.18 10:38    charon    11[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-856af385-43e3-462f-b013-xxxxxxxxxxxxx.secrets'
    16.03.18 10:38    charon    11[CFG]   loaded IKE secret for %any
    16.03.18 10:38    charon    11[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx.secrets'
    16.03.18 10:38    charon    11[CFG]   loaded IKE secret for %any
    16.03.18 10:38    NetworkManager    ** Message: Spawned ipsec up script with PID 9734.
    16.03.18 10:38    charon    12[CFG] received stroke: initiate 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx'
    16.03.18 10:38    charon    14[IKE] initiating Main Mode IKE_SA fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx[1] to 12.32.xxx.xxx
    16.03.18 10:38    charon    14[IKE] initiating Main Mode IKE_SA fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx[1] to 12.32.xxx.xxx
    16.03.18 10:38    charon    14[ENC] generating ID_PROT request 0 [ SA V V V V ]
    16.03.18 10:38    charon    14[NET] sending packet: from 192.168.0.108[500] to 12.32.xxx.xxx[500] (316 bytes)
    16.03.18 10:38    charon    07[NET] received packet: from 12.32.xxx.xxx[500] to 192.168.0.108[500] (80 bytes)
    16.03.18 10:38    charon    07[ENC] parsed ID_PROT response 0 [ SA ]
    16.03.18 10:38    charon    07[ENC] generating ID_PROT request 0 [ KE No ]
    16.03.18 10:38    charon    07[NET] sending packet: from 192.168.0.108[500] to 12.32.xxx.xxx[500] (196 bytes)
    16.03.18 10:38    charon    15[NET] received packet: from 12.32.xxx.xxx[500] to 192.168.0.108[500] (91 bytes)
    16.03.18 10:38    charon    15[ENC] parsed INFORMATIONAL_V1 request 3146227473 [ N(AUTH_FAILED) ]
    16.03.18 10:38    charon    15[IKE] received AUTHENTICATION_FAILED error notify
    16.03.18 10:38    NetworkManager    initiating Main Mode IKE_SA fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx[1] to 12.32.xxx.xxx
    16.03.18 10:38    NetworkManager    generating ID_PROT request 0 [ SA V V V V ]
    16.03.18 10:38    NetworkManager    sending packet: from 192.168.0.108[500] to 12.32.xxx.xxx[500] (316 bytes)
    16.03.18 10:38    NetworkManager    received packet: from 12.32.xxx.xxx[500] to 192.168.0.108[500] (80 bytes)
    16.03.18 10:38    NetworkManager    parsed ID_PROT response 0 [ SA ]
    16.03.18 10:38    NetworkManager    generating ID_PROT request 0 [ KE No ]
    16.03.18 10:38    NetworkManager    sending packet: from 192.168.0.108[500] to 12.32.xxx.xxx[500] (196 bytes)
    16.03.18 10:38    NetworkManager    received packet: from 12.32.xxx.xxx[500] to 192.168.0.108[500] (91 bytes)
    16.03.18 10:38    NetworkManager    parsed INFORMATIONAL_V1 request 3146227473 [ N(AUTH_FAILED) ]
    16.03.18 10:38    NetworkManager    received AUTHENTICATION_FAILED error notify
    16.03.18 10:38    NetworkManager    establishing connection 'fa453bf5-xxxx-48f9-a5b2-xxxxxxxxxxxxx' failed
    16.03.18 10:38    NetworkManager    Stopping strongSwan IPsec...
    16.03.18 10:38    charon    00[DMN] signal of type SIGINT received. Shutting down
    16.03.18 10:38    ipsec_starter    child 9708 (charon) has quit (exit code 0)
    16.03.18 10:38    ipsec_starter    
    
    16.03.18 10:38    ipsec_starter    charon stopped after 200 ms
    16.03.18 10:38    ipsec_starter    plugin 'kernel-netlink': loaded successfully
    16.03.18 10:38    ipsec_starter    known interfaces and IP addresses:
    16.03.18 10:38    ipsec_starter      lo
    16.03.18 10:38    ipsec_starter        127.0.0.1
    16.03.18 10:38    ipsec_starter        ::1
    16.03.18 10:38    ipsec_starter      eth0
    16.03.18 10:38    ipsec_starter        192.168.0.108
    16.03.18 10:38    ipsec_starter        xxxx:8071:818e:1d00:xxxx:f4ff:xxxx:c7e4
    16.03.18 10:38    ipsec_starter        fe80::be5f:xxxx:fe75:xxxx
    16.03.18 10:38    ipsec_starter    flushing all SAD entries
    16.03.18 10:38    ipsec_starter    flushing all policies from SPD
    16.03.18 10:38    ipsec_starter    ipsec starter stopped
    16.03.18 10:38    NetworkManager    <info>  VPN connection 'company' (Connect) reply received.
    16.03.18 10:38    NetworkManager    <warn>  VPN connection 'company' failed to connect: 'Method invoked for Connect returned FALSE but did not set error'.
    16.03.18 10:38    NetworkManager    <warn>  error disconnecting VPN: Could not process the request because no VPN connection was active.
    16.03.18 10:38    NetworkManager    ** (nm-l2tp-service:9679): WARNING **: Could not establish IPsec tunnel.

    Yes, the credentials entered in NetworkManager are triple checked.

    Any ideas?

  2. #2

    Seems to me the following from your log are the critical errors:

    Code:
    16.03.18 10:38    NetworkManager    parsed INFORMATIONAL_V1 request 3146227473 [ N(AUTH_FAILED) ]
    16.03.18 10:38    NetworkManager    received AUTHENTICATION_FAILED error notify

    Authentication failed.
    It's less clear exactly what about your authentication failed, because earlier in your posted logfile there were a number of non-critical errors where specific files, which could have contained details/specifications of how the authentication might be handled, were missing. Those missing files might have been important, but maybe not.

    Does your Windows connection generate a logfile (likely)?
    If the VPN connection files for both Linux and Windows provided to you are the same, you could compare to see what might have been successful in your Windows connection that wasn't found in the Linux connection.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!
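
Added example, not part of the thread and not strongSwan or NetworkManager code: a small Python triage of the charon `[ENC]` lines from the log in post #1, reporting how far the IKEv1 Main Mode exchange got before the peer's notify arrived. The message numbering (1-2 SA, 3-4 KE and nonce, 5-6 ID and hash) is the standard Main Mode sequence; the function name, the result keys and the trimmed sample are assumptions of this example.

```python
import re

# Constructed sample: the charon [ENC]/[IKE] lines copied from the log in post #1.
SAMPLE_LOG = """\
16.03.18 10:38    charon    14[ENC] generating ID_PROT request 0 [ SA V V V V ]
16.03.18 10:38    charon    07[ENC] parsed ID_PROT response 0 [ SA ]
16.03.18 10:38    charon    07[ENC] generating ID_PROT request 0 [ KE No ]
16.03.18 10:38    charon    15[ENC] parsed INFORMATIONAL_V1 request 3146227473 [ N(AUTH_FAILED) ]
16.03.18 10:38    charon    15[IKE] received AUTHENTICATION_FAILED error notify
"""

# charon logs every IKE message it builds ("generating") or decodes ("parsed").
ENC = re.compile(
    r"\[ENC\] (generating|parsed) (\S+) (request|response) \d+ \[ (.*?) \]"
)

# Main Mode message number, keyed by (direction, first payload), initiator view.
STEPS = {
    ("generating", "SA"): 1, ("parsed", "SA"): 2,   # proposal offered / chosen
    ("generating", "KE"): 3, ("parsed", "KE"): 4,   # DH public value + nonce
    ("generating", "ID"): 5, ("parsed", "ID"): 6,   # identity + PSK-derived hash
}

def triage(log_text):
    """Return the last Main Mode message seen and any notify the peer sent."""
    last_step, notify = 0, None
    for line in log_text.splitlines():
        m = ENC.search(line)
        if not m:
            continue  # NetworkManager echoes lack the [ENC] tag, so no double count
        direction, exchange, _kind, payloads = m.groups()
        first = (payloads.split() or [""])[0]
        if exchange == "ID_PROT":
            last_step = max(last_step, STEPS.get((direction, first), 0))
        elif exchange == "INFORMATIONAL_V1" and direction == "parsed":
            n = re.search(r"N\((\w+)\)", payloads)
            if n:
                notify = n.group(1)
    return {
        "last_main_mode_message": last_step,
        "proposal_accepted": last_step >= 2,  # peer answered with one SA proposal
        "id_hash_sent": last_step >= 5,       # did we get to send ID and hash?
        "peer_notify": notify,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the posted log this reports message 3 as the last Main Mode message: the peer answered the SA proposal and sent AUTH_FAILED before the client had sent its ID and hash.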
