Re: [Swan] Issue with networkmanager and l2tp

2020-10-26 Thread Brian McKee
Hi Paul and Doug,

I couldn't figure out how to get 4.1 to work and went back to libreswan
3.32.

I imagine I will have to face this again soon...

Thanks again for trying to help me.

On Mon, Oct 26, 2020 at 8:54 AM Paul Wouters  wrote:

> That is a configuration mismatch. So the end that is doing the wrong
> intention should change - I can’t tell which end that is
>
> Sent from my iPhone
>
> On Oct 26, 2020, at 11:26, Brian McKee  wrote:
>
> 
> Hi Paul,
> I have to admit, I misunderstood way back in the beginning and made too
> many changes to the ebuild. I thought that the whole config directory had
> moved, when it was only the nss directory. I have sorted that out now. All
> I had to do was have the ebuild create the /var/lib/ipsec/nss directory
> just like you suggested.
>
> All that is sorted out now. Here is the latest error message.
>
> Oct 26 08:11:27.500126: loading secrets from "/etc/ipsec.secrets"
> Oct 26 08:11:27.500164: loading secrets from
> "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
> Oct 26 08:11:27.511475: added IKEv1 connection
> "9a088450-2a7b-4012-befe-facf564c77e0"
> Oct 26 08:11:27.522480: "9a088450-2a7b-4012-befe-facf564c77e0" #1:
> initiating IKEv1 Main Mode connection
> Oct 26 08:11:27.522658: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent
> Main Mode request
> Oct 26 08:11:28.023076: "9a088450-2a7b-4012-befe-facf564c77e0" #1:
> STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
> Oct 26 08:11:28.029379: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent
> Main Mode I2
> Oct 26 08:11:28.530045: "9a088450-2a7b-4012-befe-facf564c77e0" #1:
> STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
> Oct 26 08:11:28.593729: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent
> Main Mode I3
> Oct 26 08:11:28.689015: "9a088450-2a7b-4012-befe-facf564c77e0" #1: Peer ID
> is ID_IPV4_ADDR: '[[server ip_address]]'
> Oct 26 08:11:28.689218: "9a088450-2a7b-4012-befe-facf564c77e0" #1: IKE SA
> established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1
> group=MODP2048}
> Oct 26 08:11:28.689336: "9a088450-2a7b-4012-befe-facf564c77e0" #2:
> initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+IKE_FRAG_ALLOW+ESN_NO
> {using isakmp#1 msgid:84d31f03 proposal=AES_CBC_256-HMAC_SHA1_96,
> AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA1_96 pfsgroup=MODP2048}
> Oct 26 08:11:28.692241: "9a088450-2a7b-4012-befe-facf564c77e0" #2: sent
> Quick Mode request
> Oct 26 08:11:29.193066: "9a088450-2a7b-4012-befe-facf564c77e0" #2:
> STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
> Oct 26 08:11:29.586945: "9a088450-2a7b-4012-befe-facf564c77e0" #2:
> NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
> Oct 26 08:11:29.587049: "9a088450-2a7b-4012-befe-facf564c77e0" #2: our
> client subnet returned doesn't match my proposal - us: [[machine home net
> IP addy]]/32 vs them: [[my internet IP address]]/32
> Oct 26 08:11:29.587089: "9a088450-2a7b-4012-befe-facf564c77e0" #2: sending
> encrypted notification INVALID_ID_INFORMATION to [[server ip_address]]:4500
> Oct 26 08:11:29.587339: "9a088450-2a7b-4012-befe-facf564c77e0" #2:
> deleting state (STATE_QUICK_I1) aged 0.898044s and NOT sending notification
> Oct 26 08:11:29.587451: "9a088450-2a7b-4012-befe-facf564c77e0" #2: ERROR:
> netlink response for Del SA esp.cfdd97dd@[[server ip_address]] included
> errno 3: No such process
> Oct 26 08:11:43.789943: "9a088450-2a7b-4012-befe-facf564c77e0":
> terminating SAs using this connection
> Oct 26 08:11:43.790008: "9a088450-2a7b-4012-befe-facf564c77e0" #1:
> deleting state (STATE_MAIN_I4) aged 16.267541s and sending notification
>
> This looks like a configuration error as the remote host is confused about
> my home network IP address and my internet IP address.
>
> We're close, I think. Thanks again for your help.
>
> On Mon, Oct 26, 2020 at 7:04 AM Paul Wouters  wrote:
>
>> On Sun, 25 Oct 2020, Brian McKee wrote:
>>
>> > THANKS! That was a great idea! I found this in /var/log/pluto.log: (Let
>> me know if you need to see more, this is
>> > just the end of it)
>>
>> > Oct 25 15:47:46.268455: "9a088450-2a7b-4012-befe-facf564c77e0" #1:
>> initiating IKEv1 Main Mode connection
>> > Oct 25 15:47:46.268593: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent
>> Main Mode request
>> > Oct 25 15:47:46.339726: "9a088450-2a7b-4012-befe-facf564c77e0" #1:
>> Can't authenticate: no preshared key found
>> > for `10.1.10.221' and `[[IP_ADDRESS]]'.  Attribute
>> OAKLEY_AUTHENTICATION_METHOD
>>
>> Your machine cannot find its own PSK?
>>
>> Normally, NetworkManager writes a secrets file that is read via the
>> include statement in /etc/ipsec.secrets for /etc/ipsec.d/*.secrets
>> and then it runs "ipsec secrets" to re-read it, and it deletes the file
>> again.
>>
>> Perhaps libreswan was compiled with ipsecddir at a different location?
>>
>> > Based on this, I guess there's a pre-shared-key issue. But I set that
>> in kde's network manager's systems
>> > settings module. Is it possible that the 
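The thread above ends with two different pluto failures that look alike from NetworkManager's side (both surface as "VPN service disappeared"): a Phase 1 failure because no PSK matched the ID pair, and a Phase 2 failure where the Quick Mode client ID the peer returned did not match what this end proposed. The following triage script is an added example, not code from the thread or from the libreswan project. It runs over the pluto lines quoted in the thread (rejoined where the mail client had wrapped them, with the poster's own [[...]] redactions kept verbatim), reports whether the IKE SA came up and with which parameters, and classifies each failure line; the regexes are written against the line format shown in the thread, not against libreswan's source, and the advice strings paraphrase Paul's replies.

```python
import re
from typing import Dict, List

# Pluto log lines quoted in this thread, rejoined where the mail client had
# wrapped them, and collected into one constructed sample. The [[...]] tokens
# are the original poster's own redactions and are kept verbatim.
SAMPLE_LOG = """\
Oct 25 15:47:46.339726: "9a088450-2a7b-4012-befe-facf564c77e0" #1: Can't authenticate: no preshared key found for `10.1.10.221' and `[[IP_ADDRESS]]'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Oct 26 08:11:28.689218: "9a088450-2a7b-4012-befe-facf564c77e0" #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
Oct 26 08:11:29.586945: "9a088450-2a7b-4012-befe-facf564c77e0" #2: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
Oct 26 08:11:29.587049: "9a088450-2a7b-4012-befe-facf564c77e0" #2: our client subnet returned doesn't match my proposal - us: [[machine home net IP addy]]/32 vs them: [[my internet IP address]]/32
Oct 26 08:11:29.587089: "9a088450-2a7b-4012-befe-facf564c77e0" #2: sending encrypted notification INVALID_ID_INFORMATION to [[server ip_address]]:4500
pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
"""

# Leading 'timestamp: "conn" #N: ' prefix pluto puts on per-state lines.
STATE_RE = re.compile(r'^(?P<ts>\w{3} \d\d [\d:.]+): "(?P<conn>[^"]+)" #(?P<sa>\d+): ')
IKE_SA_RE = re.compile(r"IKE SA established \{(?P<params>[^}]*)\}")

# (kind, pattern): the failure signatures seen in the thread. In the PSK line
# the first quoted ID is ours, the second is the peer's.
SIGNATURES = [
    ("missing_psk",
     re.compile(r"no preshared key found for `(?P<local>[^']*)' and `(?P<peer>[^']*)'")),
    ("client_subnet_mismatch",
     re.compile(r"our client subnet returned doesn't match my proposal - us: (?P<us>.+?) vs them: (?P<them>.+)$")),
    ("notify_sent",
     re.compile(r"sending encrypted notification (?P<notify>[A-Z_]+) to (?P<peer>.+)$")),
    ("whack_version_mismatch",
     re.compile(r"bad magic (?P<got>\d+); should be (?P<want>\d+)")),
]

# Paraphrased from Paul's replies in the thread.
ADVICE = {
    "missing_psk": "no PSK for this ID pair: check that /etc/ipsec.secrets includes "
                   "/etc/ipsec.d/*.secrets so the NetworkManager-written file is read",
    "client_subnet_mismatch": "configuration mismatch between the two ends' client IDs; "
                              "the end with the wrong intention must change",
    "notify_sent": "we rejected the peer's Quick Mode reply; read the line before it",
    "whack_version_mismatch": "ipsec userland and running pluto differ: second install "
                              "(/usr vs /usr/local) or pluto not restarted after upgrade",
}


def triage(log_text: str) -> Dict[str, object]:
    """Classify each pluto line; return phase-1 parameters and a list of findings."""
    result: Dict[str, object] = {"ike_sa_established": False, "ike_params": {}, "findings": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IKE_SA_RE.search(line)
        if m:
            result["ike_sa_established"] = True
            result["ike_params"] = dict(kv.split("=", 1) for kv in m.group("params").split())
            continue
        for kind, pat in SIGNATURES:
            m = pat.search(line)
            if m:
                st = STATE_RE.match(line)
                result["findings"].append({
                    "kind": kind,
                    "conn": st.group("conn") if st else None,
                    "sa": int(st.group("sa")) if st else None,  # None: not a per-state line
                    "details": m.groupdict(),
                    "advice": ADVICE[kind],
                })
                break
    return result


def summarize(log_text: str) -> List[str]:
    """One line per finding, e.g. for pasting into a bug report."""
    r = triage(log_text)
    out = []
    if r["ike_sa_established"]:
        p = r["ike_params"]
        out.append(f"phase 1 OK: {p.get('auth')} {p.get('cipher')}/{p.get('integ')}/{p.get('group')}")
    for f in r["findings"]:
        where = f"#{f['sa']}" if f["sa"] is not None else "daemon"
        out.append(f"{where} {f['kind']}: {f['advice']}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it against a real /var/log/pluto.log (or `journalctl -u ipsec` on systemd hosts) by passing the file contents to summarize(). The point of separating the IKE SA line from the findings is the one Brian's second log makes: authentication succeeded, so the PSK was no longer the problem, and the Phase 2 client-ID mismatch is a separate configuration issue on one of the two ends.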

Re: [Swan] Issue with networkmanager and l2tp

2020-10-26 Thread Paul Wouters
That is a configuration mismatch. So the end that is doing the wrong intention 
should change - I can’t tell which end that is

Sent from my iPhone

> On Oct 26, 2020, at 11:26, Brian McKee  wrote:
> 
> 
> Hi Paul,
> I have to admit, I misunderstood way back in the beginning and made too many 
> changes to the ebuild. I thought that the whole config directory had moved, 
> when it was only the nss directory. I have sorted that out now. All I had to 
> do was have the ebuild create the /var/lib/ipsec/nss directory just like you 
> suggested.
> 
> All that is sorted out now. Here is the latest error message. 
> 
> Oct 26 08:11:27.500126: loading secrets from "/etc/ipsec.secrets"
> Oct 26 08:11:27.500164: loading secrets from 
> "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
> Oct 26 08:11:27.511475: added IKEv1 connection 
> "9a088450-2a7b-4012-befe-facf564c77e0"
> Oct 26 08:11:27.522480: "9a088450-2a7b-4012-befe-facf564c77e0" #1: initiating 
> IKEv1 Main Mode connection
> Oct 26 08:11:27.522658: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent Main 
> Mode request
> Oct 26 08:11:28.023076: "9a088450-2a7b-4012-befe-facf564c77e0" #1: 
> STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
> Oct 26 08:11:28.029379: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent Main 
> Mode I2
> Oct 26 08:11:28.530045: "9a088450-2a7b-4012-befe-facf564c77e0" #1: 
> STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
> Oct 26 08:11:28.593729: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent Main 
> Mode I3
> Oct 26 08:11:28.689015: "9a088450-2a7b-4012-befe-facf564c77e0" #1: Peer ID is 
> ID_IPV4_ADDR: '[[server ip_address]]'
> Oct 26 08:11:28.689218: "9a088450-2a7b-4012-befe-facf564c77e0" #1: IKE SA 
> established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 
> group=MODP2048}
> Oct 26 08:11:28.689336: "9a088450-2a7b-4012-befe-facf564c77e0" #2: initiating 
> Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+IKE_FRAG_ALLOW+ESN_NO {using 
> isakmp#1 msgid:84d31f03 proposal=AES_CBC_256-HMAC_SHA1_96, 
> AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA1_96 pfsgroup=MODP2048}
> Oct 26 08:11:28.692241: "9a088450-2a7b-4012-befe-facf564c77e0" #2: sent Quick 
> Mode request
> Oct 26 08:11:29.193066: "9a088450-2a7b-4012-befe-facf564c77e0" #2: 
> STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
> Oct 26 08:11:29.586945: "9a088450-2a7b-4012-befe-facf564c77e0" #2: 
> NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
> Oct 26 08:11:29.587049: "9a088450-2a7b-4012-befe-facf564c77e0" #2: our client 
> subnet returned doesn't match my proposal - us: [[machine home net IP 
> addy]]/32 vs them: [[my internet IP address]]/32
> Oct 26 08:11:29.587089: "9a088450-2a7b-4012-befe-facf564c77e0" #2: sending 
> encrypted notification INVALID_ID_INFORMATION to [[server ip_address]]:4500
> Oct 26 08:11:29.587339: "9a088450-2a7b-4012-befe-facf564c77e0" #2: deleting 
> state (STATE_QUICK_I1) aged 0.898044s and NOT sending notification
> Oct 26 08:11:29.587451: "9a088450-2a7b-4012-befe-facf564c77e0" #2: ERROR: 
> netlink response for Del SA esp.cfdd97dd@[[server ip_address]] included errno 
> 3: No such process
> Oct 26 08:11:43.789943: "9a088450-2a7b-4012-befe-facf564c77e0": terminating 
> SAs using this connection
> Oct 26 08:11:43.790008: "9a088450-2a7b-4012-befe-facf564c77e0" #1: deleting 
> state (STATE_MAIN_I4) aged 16.267541s and sending notification
> 
> This looks like a configuration error as the remote host is confused about my 
> home network IP address and my internet IP address.
> 
> We're close, I think. Thanks again for your help.
> 
>> On Mon, Oct 26, 2020 at 7:04 AM Paul Wouters  wrote:
>> On Sun, 25 Oct 2020, Brian McKee wrote:
>> 
>> > THANKS! That was a great idea! I found this in /var/log/pluto.log: (Let me 
>> > know if you need to see more, this is
>> > just the end of it)
>> 
>> > Oct 25 15:47:46.268455: "9a088450-2a7b-4012-befe-facf564c77e0" #1: 
>> > initiating IKEv1 Main Mode connection
>> > Oct 25 15:47:46.268593: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent 
>> > Main Mode request
>> > Oct 25 15:47:46.339726: "9a088450-2a7b-4012-befe-facf564c77e0" #1: Can't 
>> > authenticate: no preshared key found
>> > for `10.1.10.221' and `[[IP_ADDRESS]]'.  Attribute 
>> > OAKLEY_AUTHENTICATION_METHOD
>> 
>> Your machine cannot find its own PSK?
>> 
>> Normally, NetworkManager writes a secrets file that is read via the
>> include statement in /etc/ipsec.secrets for /etc/ipsec.d/*.secrets
>> and then it runs "ipsec secrets" to re-read it, and it deletes the file
>> again.
>> 
>> Perhaps libreswan was compiled with ipsecddir at a different location?
>> 
>> > Based on this, I guess there's a pre-shared-key issue. But I set that in 
>> > kde's network manager's systems
>> > settings module. Is it possible that the PSK has changed location in the 
>> > conf files?
>> 
>> check if you have an /etc/ipsec.secrets file and if it has an include
>> line for /etc/ipsec.d/*.secrets ?
>> 
>> You can always 

Re: [Swan] Issue with networkmanager and l2tp

2020-10-26 Thread Brian McKee
Hi Paul,
I have to admit, I misunderstood way back in the beginning and made too
many changes to the ebuild. I thought that the whole config directory had
moved, when it was only the nss directory. I have sorted that out now. All
I had to do was have the ebuild create the /var/lib/ipsec/nss directory
just like you suggested.

All that is sorted out now. Here is the latest error message.

Oct 26 08:11:27.500126: loading secrets from "/etc/ipsec.secrets"
Oct 26 08:11:27.500164: loading secrets from
"/etc/ipsec.d/ipsec.nm-l2tp.secrets"
Oct 26 08:11:27.511475: added IKEv1 connection
"9a088450-2a7b-4012-befe-facf564c77e0"
Oct 26 08:11:27.522480: "9a088450-2a7b-4012-befe-facf564c77e0" #1:
initiating IKEv1 Main Mode connection
Oct 26 08:11:27.522658: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent
Main Mode request
Oct 26 08:11:28.023076: "9a088450-2a7b-4012-befe-facf564c77e0" #1:
STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
Oct 26 08:11:28.029379: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent
Main Mode I2
Oct 26 08:11:28.530045: "9a088450-2a7b-4012-befe-facf564c77e0" #1:
STATE_MAIN_I2: retransmission; will wait 0.5 seconds for response
Oct 26 08:11:28.593729: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent
Main Mode I3
Oct 26 08:11:28.689015: "9a088450-2a7b-4012-befe-facf564c77e0" #1: Peer ID
is ID_IPV4_ADDR: '[[server ip_address]]'
Oct 26 08:11:28.689218: "9a088450-2a7b-4012-befe-facf564c77e0" #1: IKE SA
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1
group=MODP2048}
Oct 26 08:11:28.689336: "9a088450-2a7b-4012-befe-facf564c77e0" #2:
initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#1 msgid:84d31f03 proposal=AES_CBC_256-HMAC_SHA1_96,
AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA1_96 pfsgroup=MODP2048}
Oct 26 08:11:28.692241: "9a088450-2a7b-4012-befe-facf564c77e0" #2: sent
Quick Mode request
Oct 26 08:11:29.193066: "9a088450-2a7b-4012-befe-facf564c77e0" #2:
STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
Oct 26 08:11:29.586945: "9a088450-2a7b-4012-befe-facf564c77e0" #2:
NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
Oct 26 08:11:29.587049: "9a088450-2a7b-4012-befe-facf564c77e0" #2: our
client subnet returned doesn't match my proposal - us: [[machine home net
IP addy]]/32 vs them: [[my internet IP address]]/32
Oct 26 08:11:29.587089: "9a088450-2a7b-4012-befe-facf564c77e0" #2: sending
encrypted notification INVALID_ID_INFORMATION to [[server ip_address]]:4500
Oct 26 08:11:29.587339: "9a088450-2a7b-4012-befe-facf564c77e0" #2: deleting
state (STATE_QUICK_I1) aged 0.898044s and NOT sending notification
Oct 26 08:11:29.587451: "9a088450-2a7b-4012-befe-facf564c77e0" #2: ERROR:
netlink response for Del SA esp.cfdd97dd@[[server ip_address]] included
errno 3: No such process
Oct 26 08:11:43.789943: "9a088450-2a7b-4012-befe-facf564c77e0": terminating
SAs using this connection
Oct 26 08:11:43.790008: "9a088450-2a7b-4012-befe-facf564c77e0" #1: deleting
state (STATE_MAIN_I4) aged 16.267541s and sending notification

This looks like a configuration error as the remote host is confused about
my home network IP address and my internet IP address.

We're close, I think. Thanks again for your help.

On Mon, Oct 26, 2020 at 7:04 AM Paul Wouters  wrote:

> On Sun, 25 Oct 2020, Brian McKee wrote:
>
> > THANKS! That was a great idea! I found this in /var/log/pluto.log: (Let
> me know if you need to see more, this is
> > just the end of it)
>
> > Oct 25 15:47:46.268455: "9a088450-2a7b-4012-befe-facf564c77e0" #1:
> initiating IKEv1 Main Mode connection
> > Oct 25 15:47:46.268593: "9a088450-2a7b-4012-befe-facf564c77e0" #1: sent
> Main Mode request
> > Oct 25 15:47:46.339726: "9a088450-2a7b-4012-befe-facf564c77e0" #1: Can't
> authenticate: no preshared key found
> > for `10.1.10.221' and `[[IP_ADDRESS]]'.  Attribute
> OAKLEY_AUTHENTICATION_METHOD
>
> Your machine cannot find its own PSK?
>
> Normally, NetworkManager writes a secrets file that is read via the
> include statement in /etc/ipsec.secrets for /etc/ipsec.d/*.secrets
> and then it runs "ipsec secrets" to re-read it, and it deletes the file
> again.
>
> Perhaps libreswan was compiled with ipsecddir at a different location?
>
> > Based on this, I guess there's a pre-shared-key issue. But I set that in
> kde's network manager's systems
> > settings module. Is it possible that the PSK has changed location in the
> conf files?
>
> check if you have an /etc/ipsec.secrets file and if it has an include
> line for /etc/ipsec.d/*.secrets ?
>
> You can always drop in a permanent file or entry in /etc/ipsec.secrets
> with:
>
> 0.0.0.0  [[IP_ADDRESS]] : PSK "yourstrongsecret"
>
> Paul
>


-- 
-- Consciousness moves everything.
___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
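Paul's advice in the message above comes down to two checks on /etc/ipsec.secrets: that it carries an include line for /etc/ipsec.d/*.secrets (otherwise the ipsec.nm-l2tp.secrets file NetworkManager writes is never read), and, failing that, that a permanent entry of the form `0.0.0.0 <peer> : PSK "..."` exists. The script below is an added example, not code from the thread or from libreswan, that audits a secrets file for exactly those points plus the caveat a practitioner would add: a permanent PSK file must not be group- or world-readable, and the PSK should not be short. The peer address 203.0.113.5, the secrets, and the 20-character minimum are assumed values for the example; the "no indices or 0.0.0.0/%any means match anything" rule is my simplified reading of how pluto selects a PSK entry, and IPv6 indices (which contain colons) are not handled.

```python
import os
import re
import stat
from typing import Dict, List, Optional

# Directive and entry syntax of ipsec.secrets as it appears in this thread:
#   include /etc/ipsec.d/*.secrets
#   0.0.0.0  203.0.113.5 : PSK "yourstrongsecret"
INCLUDE_RE = re.compile(r"^\s*include\s+(?P<path>\S+)\s*$")
# Index list before the colon, then PSK "..." (IPv6 indices are not handled).
PSK_RE = re.compile(r'^\s*(?P<selectors>[^:]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')

# Assumed here to act as "match any ID" wildcards, as does an empty index list.
WILDCARDS = {"%any", "0.0.0.0", "::"}
EXPECTED_INCLUDE = "/etc/ipsec.d/*.secrets"
MIN_PSK_LEN = 20  # policy choice for this example, not a libreswan limit


def parse_secrets(text: str) -> Dict[str, list]:
    """Return the include paths and PSK entries found in an ipsec.secrets body."""
    includes: List[str] = []
    entries: List[dict] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = INCLUDE_RE.match(raw)
        if m:
            includes.append(m.group("path"))
            continue
        m = PSK_RE.match(raw)
        if m:
            entries.append({
                "line": lineno,
                "selectors": m.group("selectors").split(),
                "psk_len": len(m.group("psk")),  # keep only the length; never log the key
            })
    return {"includes": includes, "psk_entries": entries}


def psk_entry_for(parsed: Dict[str, list], local_id: str, peer_id: str) -> Optional[dict]:
    """First PSK entry whose index list covers both our ID and the peer's ID."""
    for e in parsed["psk_entries"]:
        sel = set(e["selectors"])
        wild = not sel or bool(sel & WILDCARDS)
        if (local_id in sel or wild) and (peer_id in sel or wild):
            return e
    return None


def audit_secrets(text: str, mode: Optional[int] = None,
                  local_id: Optional[str] = None,
                  peer_id: Optional[str] = None) -> Dict[str, object]:
    """The checks from the thread plus the file-permission and PSK-length caveats."""
    parsed = parse_secrets(text)
    problems: List[str] = []
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("secrets file is group/world accessible; chmod 600 it")
    if EXPECTED_INCLUDE not in parsed["includes"]:
        problems.append(f"missing 'include {EXPECTED_INCLUDE}': the NetworkManager-written "
                        "ipsec.nm-l2tp.secrets would never be loaded")
    for e in parsed["psk_entries"]:
        if e["psk_len"] < MIN_PSK_LEN:
            problems.append(f"line {e['line']}: PSK is only {e['psk_len']} characters")
    if local_id and peer_id and psk_entry_for(parsed, local_id, peer_id) is None:
        problems.append(f"no PSK entry covers {local_id} <-> {peer_id}")
    return {"problems": problems, **parsed}


def audit_secrets_file(path: str, local_id: Optional[str] = None,
                       peer_id: Optional[str] = None) -> Dict[str, object]:
    """Same audit against a real file such as /etc/ipsec.secrets (needs root)."""
    with open(path) as f:
        text = f.read()
    return audit_secrets(text, os.stat(path).st_mode, local_id, peer_id)


# Constructed sample: the include line plus the permanent entry Paul suggested
# (peer address and secret are assumed values).
SAMPLE_OK = """\
# /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
0.0.0.0  203.0.113.5 : PSK "correct-horse-battery-staple-2020"
"""

# Constructed sample reproducing the thread's failure mode: no include line,
# so a NetworkManager-written secrets file is never read, plus a weak PSK for
# an unrelated peer.
SAMPLE_BAD = """\
198.51.100.7 : PSK "short"
"""

if __name__ == "__main__":
    for name, text, mode in (("ok", SAMPLE_OK, 0o100600), ("bad", SAMPLE_BAD, 0o100644)):
        r = audit_secrets(text, mode, local_id="10.1.10.221", peer_id="203.0.113.5")
        print(name, r["problems"] or "no problems")
```

On a live host, `audit_secrets_file("/etc/ipsec.secrets", "10.1.10.221", "<server ip>")` reproduces Paul's check (and the permission check) without printing any key material; after editing the file, pluto still has to be told to re-read it with `ipsec secrets`, as Paul notes NetworkManager does.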


Re: [Swan] Issue with networkmanager and l2tp

2020-10-25 Thread Paul Wouters

On Sun, 25 Oct 2020, Brian McKee wrote:


I don't use systemd. I use openrc.


Then try INITSYSTEM=openrc ? It is supported but perhaps in libreswan
4.x we broke it somehow?

Paul


Re: [Swan] Issue with networkmanager and l2tp

2020-10-25 Thread Brian McKee
I don't use systemd. I use openrc.

On Sun, Oct 25, 2020 at 10:45 AM Paul Wouters  wrote:

> On Sun, 25 Oct 2020, Brian McKee wrote:
>
> Maybe explicitly build with INITSYSTEM=systemd and see if that fixes
> things?
>
> Paul
>
> > Date: Sun, 25 Oct 2020 12:20:53
> > From: Brian McKee 
> > Cc: "Swan@lists.libreswan.org" 
> > To: Douglas Kosovic 
> > Subject: Re: [Swan] Issue with networkmanager and l2tp
> >
> > I found another beginner mistake in the ebuild and reinstalled libreswan.
> > The messages I'm getting now are:
> >
> > Oct 25 09:17:49 threads NetworkManager[6124]:   [1603642669.8190]
> audit: op="statistics"
> > arg="refresh-rate-ms" pid=10301 uid=1000 result="success"
> > Oct 25 09:17:58 threads NetworkManager[6124]:   [1603642678.4519]
> audit: op="connection-activate"
> > uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10301
> uid=1000 result="success"
> > Oct 25 09:17:58 threads NetworkManager[6124]:   [1603642678.4627]
> >
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Started the VPN service, PID
> > 12655
> > Oct 25 09:17:58 threads NetworkManager[6124]:   [1603642678.4691]
> >
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Saw the service appear;
> > activating connection
> > Oct 25 09:17:59 threads NetworkManager[6124]:   [1603642679.1184]
> audit: op="statistics"
> > arg="refresh-rate-ms" pid=10301 uid=1000 result="success"
> > Oct 25 09:18:05 threads kernel: Initializing XFRM netlink socket
> > Oct 25 09:18:05 threads kernel: IPv4 over IPsec tunneling driver
> > Oct 25 09:18:05 threads NetworkManager[6124]:   [1603642685.7716]
> manager: (ip_vti0): new Generic device
> > (/org/freedesktop/NetworkManager/Devices/6)
> > Oct 25 09:18:05 threads kernel: IPsec XFRM device driver
> > Oct 25 09:18:15 threads NetworkManager[6124]:   [1603642695.8344]
> >
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN plugin: state changed:
> > stopped (6)
> > Oct 25 09:18:15 threads NetworkManager[6124]:   [1603642695.8375]
> >
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN service disappeared
> > Oct 25 09:18:15 threads NetworkManager[6124]:   [1603642695.8385]
> >
> vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN connection: failed to
> > connect: 'Message recipient disconnected from message bus without
> replying'
> >
> > On Sun, Oct 25, 2020 at 9:03 AM Brian McKee  wrote:
> >   Hi Doug,
> >
> > I'm back again...
> > I found an ipsec init script produced by libreswan's compile
> in ${IPSEC_CONFDIR}/../ipsec
> > I modified the ebuild to move that script in /etc/init.d/ and it works.
> > But I still can't connect to work. Here is the output in
> /var/log/messages:
> >
> > Oct 25 08:57:15 threads NetworkManager[6097]:   [1603641435.8662]
> audit: op="statistics"
> > arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
> > Oct 25 08:57:18 threads NetworkManager[6097]:   [1603641438.4577]
> audit: op="connection-activate"
> > uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10312
> uid=1000 result="success"
> > Oct 25 08:57:18 threads NetworkManager[6097]:   [1603641438.4623]
> >
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Started the VPN service,
> > PID 24090
> > Oct 25 08:57:18 threads NetworkManager[6097]:   [1603641438.4669]
> >
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Saw the service appear;
> > activating
> > connection
> > Oct 25 08:57:19 threads NetworkManager[6097]:   [1603641439.0556]
> audit: op="statistics"
> > arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
> > Oct 25 08:57:33 threads NetworkManager[6097]:   [1603641453.8567]
> >
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN plugin: state
> > changed: stopped
> > (6)
> > Oct 25 08:57:33 threads NetworkManager[6097]:   [1603641453.8597]
> >
> vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN service disappeared
> > Oct 25 08:57:33 threads NetworkManager[6097]:

Re: [Swan] Issue with networkmanager and l2tp

2020-10-25 Thread Paul Wouters

On Sun, 25 Oct 2020, Brian McKee wrote:

Maybe explicitly build with INITSYSTEM=systemd and see if that fixes
things?

Paul


Date: Sun, 25 Oct 2020 12:20:53
From: Brian McKee 
Cc: "Swan@lists.libreswan.org" 
To: Douglas Kosovic 
Subject: Re: [Swan] Issue with networkmanager and l2tp

I found another beginner mistake in the ebuild and reinstalled libreswan.
The messages I'm getting now are:

Oct 25 09:17:49 threads NetworkManager[6124]:   [1603642669.8190] audit: 
op="statistics"
arg="refresh-rate-ms" pid=10301 uid=1000 result="success"
Oct 25 09:17:58 threads NetworkManager[6124]:   [1603642678.4519] audit: 
op="connection-activate"
uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10301 uid=1000 
result="success"
Oct 25 09:17:58 threads NetworkManager[6124]:   [1603642678.4627]
vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Started the VPN service, PID
12655
Oct 25 09:17:58 threads NetworkManager[6124]:   [1603642678.4691]
vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Saw the service appear;
activating connection
Oct 25 09:17:59 threads NetworkManager[6124]:   [1603642679.1184] audit: 
op="statistics"
arg="refresh-rate-ms" pid=10301 uid=1000 result="success"
Oct 25 09:18:05 threads kernel: Initializing XFRM netlink socket
Oct 25 09:18:05 threads kernel: IPv4 over IPsec tunneling driver
Oct 25 09:18:05 threads NetworkManager[6124]:   [1603642685.7716] 
manager: (ip_vti0): new Generic device
(/org/freedesktop/NetworkManager/Devices/6)
Oct 25 09:18:05 threads kernel: IPsec XFRM device driver
Oct 25 09:18:15 threads NetworkManager[6124]:   [1603642695.8344]
vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN plugin: state changed:
stopped (6)
Oct 25 09:18:15 threads NetworkManager[6124]:   [1603642695.8375]
vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN service disappeared
Oct 25 09:18:15 threads NetworkManager[6124]:   [1603642695.8385]
vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN connection: failed to
connect: 'Message recipient disconnected from message bus without replying'

On Sun, Oct 25, 2020 at 9:03 AM Brian McKee  wrote:
  Hi Doug,

I'm back again...
I found an ipsec init script produced by libreswan's compile in 
${IPSEC_CONFDIR}/../ipsec
I modified the ebuild to move that script in /etc/init.d/ and it works.
But I still can't connect to work. Here is the output in /var/log/messages:

Oct 25 08:57:15 threads NetworkManager[6097]:   [1603641435.8662] audit: 
op="statistics"
arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
Oct 25 08:57:18 threads NetworkManager[6097]:   [1603641438.4577] audit: 
op="connection-activate"
uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10312 uid=1000 
result="success"
Oct 25 08:57:18 threads NetworkManager[6097]:   [1603641438.4623]
vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Started the VPN service,
PID 24090
Oct 25 08:57:18 threads NetworkManager[6097]:   [1603641438.4669]
vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Saw the service appear;
activating
connection
Oct 25 08:57:19 threads NetworkManager[6097]:   [1603641439.0556] audit: 
op="statistics"
arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
Oct 25 08:57:33 threads NetworkManager[6097]:   [1603641453.8567]
vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN plugin: state
changed: stopped
(6)
Oct 25 08:57:33 threads NetworkManager[6097]:   [1603641453.8597]
vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN service disappeared
Oct 25 08:57:33 threads NetworkManager[6097]:   [1603641453.8607]
vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN connection: failed
to connect:
'Message recipient disconnected from message bus without replying'

/usr/sbin/ipsec start works now:
threads /etc/init.d # /usr/sbin/ipsec start
Redirecting to: rc-service ipsec start
* WARNING: ipsec has already been started

Thanks for your patience and help.

On Sun, Oct 25, 2020 at 8:13 AM Brian McKee  wrote:
  You are right. ipsec won't start because there is no 
service:/usr/sbin/ipsec start
  Redirecting to: rc-service ipsec start
  * rc-service: service `ipsec' does not exist
I have to figure out how to create a service script for it.
Perhaps I can get some help from the libreswan ebuild maintainer.
I'll post in the bug report I created.

Thanks for your help.


On Sun, Oct 25, 2020 at 5:49 AM Douglas Koso

Re: [Swan] Issue with networkmanager and l2tp

2020-10-25 Thread Brian McKee
las Kosovic  wrote:
>>
>>> Hi Brian,
>>>
>>>
>>> So the following doesn't work
>>>
>>>   sudo /sbin/ipsec restart
>>>
>>> and I suspect:
>>>
>>>   sudo /sbin/ipsec start
>>>
>>> the gentoo libreswan ebuild has both openrc and systemd, sorry I have no
>>> idea how the gentoo ebuild works with init script.
>>>
>>> If you are using systemd, running the following might give a hint as to
>>> what needs to be done or is missing.
>>>
>>>   sudo systemctl restart ipsec.service
>>>
>>>
>>> With systemd, I think it needs the following file to exist, but not sure
>>> with gentoo:
>>>   /lib/systemd/system/ipsec.service
>>>
>>>
>>> Sorry I'm not familiar with openrc or if gentoo is using some
>>> openrc/systemd hybrid setup, but your rcscript suspicion seems plausible.
>>>
>>>
>>>
>>> Cheers,
>>> Doug
>>>
>>> --
>>> *From:* Brian McKee 
>>> *Sent:* Sunday, 25 October 2020 6:04 AM
>>> *To:* Paul Wouters 
>>> *Cc:* Douglas Kosovic ; Swan@lists.libreswan.org <
>>> Swan@lists.libreswan.org>
>>> *Subject:* Re: [Swan] Issue with networkmanager and l2tp
>>>
>>> I have /sbin/ipsec.
>>>
>>> I rebooted to get networkmanager to restart with the latest version of
>>> libreswan.
>>>
>>> I'm still getting an error message:
>>>
>>> Oct 24 12:58:23 threads NetworkManager[6097]:   [1603569503.8941]
>>> audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
>>> result="success"
>>> Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6586]
>>> audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
>>> name="wtec-SJ" pid=10312 uid=1000 result="success"
>>> Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6708]
>>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> Started the VPN service, PID 11786
>>> Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6779]
>>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> Saw the service appear; activating
>>> connection
>>> Oct 24 12:58:28 threads NetworkManager[6097]:   [1603569508.6593]
>>> audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
>>> result="success"
>>> Oct 24 12:58:32 threads /etc/init.d/NetworkManager[11800]: rc-service:
>>> service `ipsec' does not exist
>>> Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8038]
>>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> VPN connection: failed to connect:
>>> 'Could not restart the ipsec service.'
>>> Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8063]
>>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> VPN plugin: state changed: stopped
>>> (6)
>>> Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8081]
>>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>>> VPN service disappeared
>>>
>>> It's still looking for ipsec. I think it's looking for
>>> /etc/init.d/ipsecd or something like that based on the error message. Is an
>>> rcscript meant to be added by libreswan? So that something else is missing
>>> from the ebuild?
>>>
>>> Again, I really appreciate your patience with me. Thanks so much.
>>>
>>> On Sat, Oct 24, 2020 at 7:08 AM Paul Wouters  wrote:
>>>
>>> pluto[17294]: ignoring message from whack with bad magic 1869114160;
>>> should be 1869114159; Mismatched versions of userland tools.
>>>
>>> Sent
>>>
>>> It looks like either you have two installs (one in /usr and one in
>>> /usr/local or your pluto
>>> did not restart after installing a newer version ?
>>>
>>> Paul
>>>
>>>
>>>
>>> On Oct 23, 2020, at 23:26, Brian McKee  wrote:
>>>
>>> 
>>> Hi Paul and Doug,
>>>
>>> So I got libreswan 4.1 to install with the new folder by modifying the
>>> ebuild, but I'm still having problems. Here is the output of
>>> networkma

Re: [Swan] Issue with networkmanager and l2tp

2020-10-25 Thread Brian McKee
Hi Doug,

I'm back again...

I found an ipsec init script produced by libreswan's compile in
${IPSEC_CONFDIR}/../ipsec
I modified the ebuild to move that script in /etc/init.d/ and it works.

But I still can't connect to work. Here is the output in /var/log/messages:

Oct 25 08:57:15 threads NetworkManager[6097]:   [1603641435.8662]
audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
result="success"
Oct 25 08:57:18 threads NetworkManager[6097]:   [1603641438.4577]
audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
name="wtec-SJ" pid=10312 uid=1000 result="success"
Oct 25 08:57:18 threads NetworkManager[6097]:   [1603641438.4623]
vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
Started the VPN service, PID 24090
Oct 25 08:57:18 threads NetworkManager[6097]:   [1603641438.4669]
vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
Saw the service appear; activating
connection
Oct 25 08:57:19 threads NetworkManager[6097]:   [1603641439.0556]
audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
result="success"
Oct 25 08:57:33 threads NetworkManager[6097]:   [1603641453.8567]
vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN plugin: state changed: stopped
(6)
Oct 25 08:57:33 threads NetworkManager[6097]:   [1603641453.8597]
vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN service disappeared
Oct 25 08:57:33 threads NetworkManager[6097]:   [1603641453.8607]
vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN connection: failed to connect:
'Message recipient disconnected from message bus without replying'

/usr/sbin/ipsec start works now:
threads /etc/init.d # /usr/sbin/ipsec start
Redirecting to: rc-service ipsec start
* WARNING: ipsec has already been started

Thanks for your patience and help.

On Sun, Oct 25, 2020 at 8:13 AM Brian McKee  wrote:

> You are right. ipsec won't start because there is no service:
> /usr/sbin/ipsec start
> Redirecting to: rc-service ipsec start
> * rc-service: service `ipsec' does not exist
> I have to figure out how to create a service script for it.
> Perhaps I can get some help from the libreswan ebuild maintainer.
> I'll post in the bug report I created.
>
> Thanks for your help.
>
>
> On Sun, Oct 25, 2020 at 5:49 AM Douglas Kosovic  wrote:
>
>> Hi Brian,
>>
>>
>> So the following doesn't work
>>
>>   sudo /sbin/ipsec restart
>>
>> and I suspect:
>>
>>   sudo /sbin/ipsec start
>>
>> the gentoo libreswan ebuild has both openrc and systemd, sorry I have no
>> idea how the gentoo ebuild works with init script.
>>
>> If you are using systemd, running the following might give a hint as to
>> what needs to be done or is missing.
>>
>>   sudo systemctl restart ipsec.service
>>
>>
>> With systemd, I think it needs the following file to exist, but not sure
>> with gentoo:
>>   /lib/systemd/system/ipsec.service
>>
>>
>> Sorry I'm not familiar with openrc or if gentoo is using some
>> openrc/systemd hybrid setup, but your rcscript suspicion seems plausible.
>>
>>
>>
>> Cheers,
>> Doug
>>
>> --
>> *From:* Brian McKee 
>> *Sent:* Sunday, 25 October 2020 6:04 AM
>> *To:* Paul Wouters 
>> *Cc:* Douglas Kosovic ; Swan@lists.libreswan.org <
>> Swan@lists.libreswan.org>
>> *Subject:* Re: [Swan] Issue with networkmanager and l2tp
>>
>> I have /sbin/ipsec.
>>
>> I rebooted to get networkmanager to restart with the latest version of
>> libreswan.
>>
>> I'm still getting an error message:
>>
>> Oct 24 12:58:23 threads NetworkManager[6097]:   [1603569503.8941]
>> audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
>> result="success"
>> Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6586]
>> audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
>> name="wtec-SJ" pid=10312 uid=1000 resul
>> t="success"
>> Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6708]
>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>> Started the VPN service, PID 11786
>> Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6779]
>> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>> Saw the service appear; activatin

Re: [Swan] Issue with networkmanager and l2tp

2020-10-25 Thread Brian McKee
You are right. ipsec won't start because there is no service:
/usr/sbin/ipsec start
Redirecting to: rc-service ipsec start
* rc-service: service `ipsec' does not exist
I have to figure out how to create a service script for it.
Perhaps I can get some help from the libreswan ebuild maintainer.
I'll post in the bug report I created.

Thanks for your help.


On Sun, Oct 25, 2020 at 5:49 AM Douglas Kosovic  wrote:

> Hi Brian,
>
>
> So the following doesn't work
>
>   sudo /sbin/ipsec restart
>
> and I suspect:
>
>   sudo /sbin/ipsec start
>
> the gentoo libreswan ebuild has both openrc and systemd, sorry I have no
> idea how the gentoo ebuild works with init scripts.
>
> If you are using systemd, running the following might give a hint as to
> what needs to be done or is missing.
>
>   sudo systemctl restart ipsec.service
>
>
> With systemd, I think it needs the following file to exist, but not sure
> with gentoo:
>   /lib/systemd/system/ipsec.service
>
>
> Sorry I'm not familiar with openrc or if gentoo is using some
> openrc/systemd hybrid setup, but your rcscript suspicion seems plausible.
>
>
>
> Cheers,
> Doug
>
> --
> *From:* Brian McKee 
> *Sent:* Sunday, 25 October 2020 6:04 AM
> *To:* Paul Wouters 
> *Cc:* Douglas Kosovic ; Swan@lists.libreswan.org <
> Swan@lists.libreswan.org>
> *Subject:* Re: [Swan] Issue with networkmanager and l2tp
>
> I have /sbin/ipsec.
>
> I rebooted to get networkmanager to restart with the latest version of
> libreswan.
>
> I'm still getting an error message:
>
> Oct 24 12:58:23 threads NetworkManager[6097]:   [1603569503.8941]
> audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
> result="success"
> Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6586]
> audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
> name="wtec-SJ" pid=10312 uid=1000 resul
> t="success"
> Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6708]
> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Started the VPN service, PID 11786
> Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6779]
> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Saw the service appear; activating
> connection
> Oct 24 12:58:28 threads NetworkManager[6097]:   [1603569508.6593]
> audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
> result="success"
> Oct 24 12:58:32 threads /etc/init.d/NetworkManager[11800]: rc-service:
> service `ipsec' does not exist
> Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8038]
> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN connection: failed to connect:
> 'Could not restart the ipsec service.'
> Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8063]
> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN plugin: state changed: stopped
> (6)
> Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8081]
> vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN service disappeared
>
> It's still looking for ipsec. I think it's looking for /etc/init.d/ipsecd
> or something like that based on the error message. Is an rcscript meant to
> be added by libreswan? So that something else is missing from the ebuild?
>
> Again, I really appreciate your patience with me. Thanks so much.
>
> On Sat, Oct 24, 2020 at 7:08 AM Paul Wouters  wrote:
>
> pluto[17294]: ignoring message from whack with bad magic 1869114160;
> should be 1869114159; Mismatched versions of userland tools.
>
> Sent
>
> It looks like either you have two installs (one in /usr and one in
> /usr/local or your pluto
> did not restart after installing a newer version ?
>
> Paul
>
>
>
> On Oct 23, 2020, at 23:26, Brian McKee  wrote:
>
> 
> Hi Paul and Doug,
>
> So I got libreswan 4.1 to install with the new folder by modifying the
> ebuild, but I'm still having problems. Here is the output of
> networkmanager:
>
> Oct 23 20:19:40 threads NetworkManager[4579]:   [1603509580.7688]
> audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000
> result="success"
> Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5025]
> audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
> name="wtec-SJ" pid=5647 uid=1000 result
> ="success"
> Oct 23 20:

Re: [Swan] Issue with networkmanager and l2tp

2020-10-25 Thread Douglas Kosovic
Hi Brian,


So the following doesn't work

  sudo /sbin/ipsec restart

and I suspect:

  sudo /sbin/ipsec start

the gentoo libreswan ebuild has both openrc and systemd, sorry I have no idea 
how the gentoo ebuild works with init scripts.

If you are using systemd, running the following might give a hint as to what 
needs to be done or is missing.

  sudo systemctl restart ipsec.service


With systemd, I think it needs the following file to exist, but not sure with 
gentoo:
  /lib/systemd/system/ipsec.service


Sorry I'm not familiar with openrc or if gentoo is using some openrc/systemd 
hybrid setup, but your rcscript suspicion seems plausible.



Cheers,
Doug


From: Brian McKee 
Sent: Sunday, 25 October 2020 6:04 AM
To: Paul Wouters 
Cc: Douglas Kosovic ; Swan@lists.libreswan.org 

Subject: Re: [Swan] Issue with networkmanager and l2tp

I have /sbin/ipsec.

I rebooted to get networkmanager to restart with the latest version of 
libreswan.

I'm still getting an error message:

Oct 24 12:58:23 threads NetworkManager[6097]:   [1603569503.8941] audit: 
op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6586] audit: 
op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" 
name="wtec-SJ" pid=10312 uid=1000 resul
t="success"
Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6708] 
vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Started the VPN service, PID 11786
Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6779] 
vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Saw the service appear; activating
connection
Oct 24 12:58:28 threads NetworkManager[6097]:   [1603569508.6593] audit: 
op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
Oct 24 12:58:32 threads /etc/init.d/NetworkManager[11800]: rc-service: service 
`ipsec' does not exist
Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8038] 
vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN connection: failed to connect:
'Could not restart the ipsec service.'
Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8063] 
vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN plugin: state changed: stopped
(6)
Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8081] 
vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN service disappeared

It's still looking for ipsec. I think it's looking for /etc/init.d/ipsecd or 
something like that based on the error message. Is an rcscript meant to be 
added by libreswan? So that something else is missing from the ebuild?

Again, I really appreciate your patience with me. Thanks so much.

On Sat, Oct 24, 2020 at 7:08 AM Paul Wouters wrote:
pluto[17294]: ignoring message from whack with bad magic 
1869114160; should be 1869114159; Mismatched 
versions of userland tools.

Sent

It looks like either you have two installs (one in /usr and one in /usr/local 
or your pluto
did not restart after installing a newer version ?

Paul



On Oct 23, 2020, at 23:26, Brian McKee wrote:


Hi Paul and Doug,

So I got libreswan 4.1 to install with the new folder by modifying the ebuild, 
but I'm still having problems. Here is the output of networkmanager:

Oct 23 20:19:40 threads NetworkManager[4579]:   [1603509580.7688] audit: 
op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5025] audit: 
op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" 
name="wtec-SJ" pid=5647 uid=1000 result
="success"
Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5068] 
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Started the VPN service, PID 28727
Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5115] 
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Saw the service appear; activating
connection
Oct 23 20:19:43 threads NetworkManager[4579]:   [1603509583.2001] audit: 
op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad 
magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No such 
file or directory
Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5840] 
vpn-connection[0x56488972c0a0,9a0

Re: [Swan] Issue with networkmanager and l2tp

2020-10-24 Thread Brian McKee
I have /sbin/ipsec.

I rebooted to get networkmanager to restart with the latest version of
libreswan.

I'm still getting an error message:

Oct 24 12:58:23 threads NetworkManager[6097]:   [1603569503.8941]
audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
result="success"
Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6586]
audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
name="wtec-SJ" pid=10312 uid=1000 resul
t="success"
Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6708]
vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
Started the VPN service, PID 11786
Oct 24 12:58:27 threads NetworkManager[6097]:   [1603569507.6779]
vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
Saw the service appear; activating
connection
Oct 24 12:58:28 threads NetworkManager[6097]:   [1603569508.6593]
audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000
result="success"
Oct 24 12:58:32 threads /etc/init.d/NetworkManager[11800]: rc-service:
service `ipsec' does not exist
Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8038]
vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN connection: failed to connect:
'Could not restart the ipsec service.'
Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8063]
vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN plugin: state changed: stopped
(6)
Oct 24 12:58:32 threads NetworkManager[6097]:   [1603569512.8081]
vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN service disappeared

It's still looking for ipsec. I think it's looking for /etc/init.d/ipsecd
or something like that based on the error message. Is an rcscript meant to
be added by libreswan? So that something else is missing from the ebuild?

Again, I really appreciate your patience with me. Thanks so much.

On Sat, Oct 24, 2020 at 7:08 AM Paul Wouters  wrote:

> pluto[17294]: ignoring message from whack with bad magic 1869114160;
> should be 1869114159; Mismatched versions of userland tools.
>
> Sent
>
> It looks like either you have two installs (one in /usr and one in
> /usr/local or your pluto
> did not restart after installing a newer version ?
>
> Paul
>
>
>
> On Oct 23, 2020, at 23:26, Brian McKee  wrote:
>
> 
> Hi Paul and Doug,
>
> So I got libreswan 4.1 to install with the new folder by modifying the
> ebuild, but I'm still having problems. Here is the output of networkmanager:
>
> Oct 23 20:19:40 threads NetworkManager[4579]:   [1603509580.7688]
> audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000
> result="success"
> Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5025]
> audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
> name="wtec-SJ" pid=5647 uid=1000 result
> ="success"
> Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5068]
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Started the VPN service, PID 28727
> Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5115]
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Saw the service appear; activating
> connection
> Oct 23 20:19:43 threads NetworkManager[4579]:   [1603509583.2001]
> audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000
> result="success"
> Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad
> magic 1869114160; should be 1869114159; Mismatched versions of userland
> tools.
> Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No
> such file or directory
> Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5840]
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN connection: failed to connect:
> 'Could not restart the ipsec service.'
> Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5851]
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN plugin: state changed: stopped
> (6)
> Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5875]
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN service disappeared
>
> I'm guessing I'm having ipsec issues...
>
> Can you give me a shove in the right direction?
>
> On Fri, Oct 23, 2020 at 10:47 AM Paul Wouters  wrote:
>
>> On Fri, 23 Oct 2020, Brian McKee wrote:
>>
>> > Thanks Doug! I'll open a ticket with the gentoo devs!
>>
>> They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at
>> the same
>> location if they prefer that.
>>
>> Note that libreswan-4.x also no longer builds support for DH2, and some
>> NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
>> be running into that. That required a fix to NM-libreswan in fedora at
>> least.
>>
>> Paul
>>
>> > On Fri, Oct 23, 2020 at 5:04 AM 

Re: [Swan] Issue with networkmanager and l2tp

2020-10-24 Thread Paul Wouters
pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 
1869114159; Mismatched versions of userland tools. 

Sent

It looks like either you have two installs (one in /usr and one in /usr/local 
or your pluto
did not restart after installing a newer version ?

Paul



> On Oct 23, 2020, at 23:26, Brian McKee  wrote:
> 
> 
> Hi Paul and Doug,
> 
> So I got libreswan 4.1 to install with the new folder by modifying the 
> ebuild, but I'm still having problems. Here is the output of networkmanager:
> 
> Oct 23 20:19:40 threads NetworkManager[4579]:   [1603509580.7688] 
> audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 
> result="success" 
> Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5025] 
> audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" 
> name="wtec-SJ" pid=5647 uid=1000 result
> ="success" 
> Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5068] 
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>  Started the VPN service, PID 28727 
> Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5115] 
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>  Saw the service appear; activating
> connection 
> Oct 23 20:19:43 threads NetworkManager[4579]:   [1603509583.2001] 
> audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 
> result="success" 
> Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad 
> magic 1869114160; should be 1869114159; Mismatched versions of userland 
> tools. 
> Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No 
> such file or directory 
> Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5840] 
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>  VPN connection: failed to connect:
> 'Could not restart the ipsec service.' 
> Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5851] 
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>  VPN plugin: state changed: stopped
> (6) 
> Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5875] 
> vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
>  VPN service disappeared
> 
> I'm guessing I'm having ipsec issues...
> 
> Can you give me a shove in the right direction?
> 
>> On Fri, Oct 23, 2020 at 10:47 AM Paul Wouters  wrote:
>> On Fri, 23 Oct 2020, Brian McKee wrote:
>> 
>> > Thanks Doug! I'll open a ticket with the gentoo devs!
>> 
>> They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at the 
>> same
>> location if they prefer that.
>> 
>> Note that libreswan-4.x also no longer builds support for DH2, and some
>> NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
>> be running into that. That required a fix to NM-libreswan in fedora at
>> least.
>> 
>> Paul
>> 
>> > On Fri, Oct 23, 2020 at 5:04 AM Douglas Kosovic  wrote:
>> >
>> >   Hi Brian,
>> >
>> >
>> >
>> >   With Libreswan >= 4.0, the default NSS database files (*.db) have 
>> > moved from /etc/ipsec.d to
>> >   /var/lib/ipsec/nss
>> >
>> >
>> >
>> >   Try the following Libreswan command to see if you get an error :
>> >
>> >
>> >
>> >   $ sudo ipsec initnss
>> >
>> >  ERROR: destination directory "/var/lib/ipsec/nss" is missing or 
>> > permission denied
>> >
>> >
>> >
>> >   pkg_postinst() in the gentoo ebuild is still using /etc/ipsec.d for 
>> > the NSS database files :
>> >
>> >  
>> > https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild
>> >
>> >
>> >
>> >
>> >
>> >   you could fix the aforementioned pkg_postinst(), or issue the 
>> > following as a workaround:
>> >
>> >
>> >
>> >   sudo mkdir -p /var/lib/ipsec/nss
>> >
>> >   sudo chmod 700 /var/lib/ipsec/nss
>> >
>> >
>> >
>> >   then try sudo ipsec initnss again.
>> >
>> >
>> >
>> >   If you are using SELinux or AppArmor, a new rule might be required 
>> > for /var/lib/ipsec/nss
>> >
>> >
>> >
>> >
>> >
>> >   Cheers,
>> >
>> >   Doug
>> >
>> >
>> >
>> >   From: Swan  On Behalf Of Brian 
>> > McKee
>> >   Sent: Friday, 23 October 2020 6:06 PM
>> >   To: swan@lists.libreswan.org
>> >   Subject: [Swan] Issue with networkmanager and l2tp
>> >
>> >
>> >
>> >   Hello everyone,
>> >
>> >
>> > 
>> > I'm a Gentoo linux user. My work uses a linux based VPN server (Centos 7) 
>> > that is probably pretty out of date.
>> > It uses the l2tp protocol.
>> > 
>> >  
>> > 
>> > My Gentoo box is running Networkmanager 1.26.0 and until a recent update I 
>> > was running libreswan-3.32-r1 which
>> > contains a patch to fix an NSS version issue. libreswan-3.32 without the 
>> > patch fails to connect to my work
>> > because of the NSS 

Re: [Swan] Issue with networkmanager and l2tp

2020-10-24 Thread Douglas Kosovic
Hi Brian,

It is not clear from that short log snippet which ipsec command is causing an 
issue with whack.

Can you confirm you are able to start or restart the pluto ipsec daemon on 
gentoo with:

  sudo ipsec start

or

  sudo ipsec restart

then confirm it is running with:

  sudo ipsec status


if status thinks it is running, you can try bringing up the NetworkManager-l2tp 
IPsec connection with:

  sudo ipsec auto \
  --config /run/nm-l2tp-9a088450-2a7b-4012-befe-facf564c77e0/ipsec.conf --verbose \
  --add 9a088450-2a7b-4012-befe-facf564c77e0

  sudo ipsec auto --up 9a088450-2a7b-4012-befe-facf564c77e0


(note it is okay to copy and paste the backslash line continuation in the above)


If you don’t have /run/nm-l2tp-9a088450-2a7b-4012-befe-facf564c77e0/ , issue 
the following:

  sudo killall -TERM nm-l2tp-service
  sudo /usr/libexec/nm-l2tp-service --debug

then try to establish the connection in the GUI. I’m just guessing 
nm-l2tp-service is located in /usr/libexec/ on gentoo.



Cheers,
Doug


From: Brian McKee 
Sent: Saturday, 24 October 2020 1:26 PM
To: Paul Wouters 
Cc: Douglas Kosovic ; swan@lists.libreswan.org
Subject: Re: [Swan] Issue with networkmanager and l2tp

Hi Paul and Doug,

So I got libreswan 4.1 to install with the new folder by modifying the ebuild, 
but I'm still having problems. Here is the output of networkmanager:

Oct 23 20:19:40 threads NetworkManager[4579]:   [1603509580.7688] audit: 
op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5025] audit: 
op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" 
name="wtec-SJ" pid=5647 uid=1000 result
="success"
Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5068] 
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Started the VPN service, PID 28727
Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5115] 
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Saw the service appear; activating
connection
Oct 23 20:19:43 threads NetworkManager[4579]:   [1603509583.2001] audit: 
op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad 
magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No such 
file or directory
Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5840] 
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN connection: failed to connect:
'Could not restart the ipsec service.'
Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5851] 
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN plugin: state changed: stopped
(6)
Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5875] 
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN service disappeared
I'm guessing I'm having ipsec issues...

Can you give me a shove in the right direction?

On Fri, Oct 23, 2020 at 10:47 AM Paul Wouters wrote:
On Fri, 23 Oct 2020, Brian McKee wrote:

> Thanks Doug! I'll open a ticket with the gentoo devs!

They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at the same
location if they prefer that.

Note that libreswan-4.x also no longer builds support for DH2, and some
NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
be running into that. That required a fix to NM-libreswan in fedora at
least.

Paul

> On Fri, Oct 23, 2020 at 5:04 AM Douglas Kosovic wrote:
>
>   Hi Brian,
>
>
>
>   With Libreswan >= 4.0, the default NSS database files (*.db) have moved 
> from /etc/ipsec.d to
>   /var/lib/ipsec/nss
>
>
>
>   Try the following Libreswan command to see if you get an error :
>
>
>
>   $ sudo ipsec initnss
>
>  ERROR: destination directory "/var/lib/ipsec/nss" is missing or 
> permission denied
>
>
>
>   pkg_postinst() in the gentoo ebuild is still using /etc/ipsec.d for the 
> NSS database files :
>
>  
> https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild
>
>
>
>
>
>   you could fix the aforementioned pkg_postinst(), or issue the following 
> as a workaround:
>
>
>
>   sudo mkdir -p /var/lib/ipsec/nss
>
>   sudo chmod 700 /var/lib/ipsec/nss
>
>
>
>   then try sudo ipsec initnss again.
>
>
>
>   If you are using SELinux or AppArmor, a ne
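The checks this thread ends up walking through by hand (the libreswan >= 4.0 NSS directory and its permissions, Paul's suspicion of two ipsec installs behind the whack "bad magic" message, and the missing OpenRC/systemd service script) collected into one preflight script. This is an added example, not code from the thread or from libreswan; the script name and the IPSEC_PREFLIGHT_RUN variable are invented, and the default paths are the ones the messages above mention.

```sh
#!/bin/sh
# ipsec_preflight.sh (hypothetical name): checks, before NetworkManager-l2tp
# asks libreswan to start, the three conditions this thread turned out to
# depend on. Added example, not part of the thread or of libreswan.
#   1. /var/lib/ipsec/nss exists and is mode 700 (libreswan >= 4.0 layout)
#   2. exactly one `ipsec` userland is installed; a second copy (e.g. /usr
#      vs /usr/local) is what produces pluto's "bad magic ... Mismatched
#      versions of userland tools" complaint from whack
#   3. an OpenRC script or systemd unit exists for the `ipsec` service that
#      `ipsec start` redirects to ("service `ipsec' does not exist")
# Each check takes its paths as arguments, so it can run against the live
# system or against constructed directories in a test.

# check_nss_dir DIR -> 0 if DIR is a directory with mode 0700, else 1 or 2
check_nss_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (fix: mkdir -p $dir && chmod 700 $dir)"
        return 1
    fi
    # GNU stat first, BSD stat as fallback; both print the octal mode
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    if [ "$mode" != "700" ]; then
        echo "mode $mode on $dir, expected 700 (fix: chmod 700 $dir)"
        return 2
    fi
    echo "nss dir ok: $dir"
    return 0
}

# count_ipsec_installs DIR... -> prints how many distinct ipsec binaries the
# given directories hold; symlinks to the same file (e.g. /sbin -> /usr/sbin
# on a merged-usr system) count once. More than 1 means two installs.
count_ipsec_installs() {
    seen=" "
    count=0
    for d in "$@"; do
        [ -x "$d/ipsec" ] || continue
        real=$(readlink -f "$d/ipsec" 2>/dev/null) || real="$d/ipsec"
        case "$seen" in
            *" $real "*) ;;                       # already counted
            *) seen="$seen$real "; count=$((count + 1)) ;;
        esac
    done
    echo "$count"
}

# service_script_kind INIT_D_DIR SYSTEMD_DIR -> openrc | systemd | both | none
service_script_kind() {
    rc=0; unit=0
    [ -f "$1/ipsec" ] && rc=1
    [ -f "$2/ipsec.service" ] && unit=1
    case "$rc$unit" in
        11) echo both ;;
        10) echo openrc ;;
        01) echo systemd ;;
        *)  echo none ;;
    esac
}

# Run the checks against the live system only when asked explicitly, so that
# sourcing this file (e.g. from a test) has no side effects:
#   IPSEC_PREFLIGHT_RUN=1 sh ipsec_preflight.sh
if [ "${IPSEC_PREFLIGHT_RUN:-0}" = 1 ]; then
    status=0
    check_nss_dir /var/lib/ipsec/nss || status=1
    n=$(count_ipsec_installs /usr/sbin /usr/local/sbin /sbin)
    echo "distinct ipsec binaries: $n"
    [ "$n" = 1 ] || status=1
    kind=$(service_script_kind /etc/init.d /lib/systemd/system)
    echo "ipsec service script: $kind"
    [ "$kind" != none ] || status=1
    exit $status
fi
```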

Re: [Swan] Issue with networkmanager and l2tp

2020-10-23 Thread Brian McKee
Hi Paul and Doug,

So I got libreswan 4.1 to install with the new folder by modifying the
ebuild, but I'm still having problems. Here is the output of networkmanager:

Oct 23 20:19:40 threads NetworkManager[4579]:   [1603509580.7688]
audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000
result="success"
Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5025]
audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
name="wtec-SJ" pid=5647 uid=1000 result
="success"
Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5068]
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
Started the VPN service, PID 28727
Oct 23 20:19:42 threads NetworkManager[4579]:   [1603509582.5115]
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
Saw the service appear; activating
connection
Oct 23 20:19:43 threads NetworkManager[4579]:   [1603509583.2001]
audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000
result="success"
Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad
magic 1869114160; should be 1869114159; Mismatched versions of userland
tools.
Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No
such file or directory
Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5840]
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN connection: failed to connect:
'Could not restart the ipsec service.'
Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5851]
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN plugin: state changed: stopped
(6)
Oct 23 20:19:51 threads NetworkManager[4579]:   [1603509591.5875]
vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
VPN service disappeared

I'm guessing I'm having ipsec issues...

Can you give me a shove in the right direction?

On Fri, Oct 23, 2020 at 10:47 AM Paul Wouters  wrote:

> On Fri, 23 Oct 2020, Brian McKee wrote:
>
> > Thanks Doug! I'll open a ticket with the gentoo devs!
>
> They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at
> the same
> location if they prefer that.
>
> Note that libreswan-4.x also no longer builds support for DH2, and some
> NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
> be running into that. That required a fix to NM-libreswan in fedora at
> least.
>
> Paul
>
> > On Fri, Oct 23, 2020 at 5:04 AM Douglas Kosovic  wrote:
> >
> >   Hi Brian,
> >
> >
> >
> >   With Libreswan >= 4.0, the default NSS database files (*.db) have
> moved from /etc/ipsec.d to
> >   /var/lib/ipsec/nss
> >
> >
> >
> >   Try the following Libreswan command to see if you get an error :
> >
> >
> >
> >   $ sudo ipsec initnss
> >
> >  ERROR: destination directory "/var/lib/ipsec/nss" is missing or
> permission denied
> >
> >
> >
> >   pkg_postinst() in the gentoo ebuild is still using /etc/ipsec.d
> for the NSS database files :
> >
> >
> https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild
> >
> >
> >
> >
> >
> >   you could fix the aforementioned pkg_postinst(), or issue the
> following as a workaround:
> >
> >
> >
> >   sudo mkdir -p /var/lib/ipsec/nss
> >
> >   sudo chmod 700 /var/lib/ipsec/nss
> >
> >
> >
> >   then try sudo ipsec initnss again.
> >
> >
> >
> >   If you are using SELinux or AppArmor, a new rule might be required
> for /var/lib/ipsec/nss
> >
> >
> >
> >
> >
> >   Cheers,
> >
> >   Doug
> >
> >
> >
> >   From: Swan  On Behalf Of Brian
> McKee
> >   Sent: Friday, 23 October 2020 6:06 PM
> >   To: swan@lists.libreswan.org
> >   Subject: [Swan] Issue with networkmanager and l2tp
> >
> >
> >
> >   Hello everyone,
> >
> >
> >
> > I'm a Gentoo linux user. My work uses a linux based VPN server (Centos
> 7) that is probably pretty out of date.
> > It uses the l2tp protocol.
> >
> >
> >
> > My Gentoo box is running Networkmanager 1.26.0 and until a recent update
> I was running libreswan-3.32-r1 which
> > contains a patch to fix an NSS version issue. libreswan-3.32 without the
> patch fails to connect to my work
> > because of the NSS issue.
> >
> >
> >
> > Networkmanager requires libreswan for l2tp protocol connections.
> >
> >
> >
> > In the latest update of my machine libreswan 4.1 installed and I could
> no longer connect to work. There were
> > absolutely no useful messages from Networkmanager. This is what I got in
> /var/log/messages:
> >
> >
> >
> > Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4884]
> audit: op="connection-activate"
> > uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647
> uid=1000 result
> > ="success"
> > Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4920]
> >
> vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Started the VPN service, PID
> > 

Re: [Swan] Issue with networkmanager and l2tp

2020-10-23 Thread Paul Wouters

On Fri, 23 Oct 2020, Brian McKee wrote:

> Thanks Doug! I'll open a ticket with the gentoo devs!

They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at the same
location if they prefer that.

Note that libreswan-4.x also no longer builds support for DH2, and some
NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
be running into that. That required a fix to NM-libreswan in fedora at
least.

Paul


On Fri, Oct 23, 2020 at 5:04 AM Douglas Kosovic  wrote:

  Hi Brian,

  With Libreswan >= 4.0, the default NSS database files (*.db) have moved
  from /etc/ipsec.d to /var/lib/ipsec/nss

  Try the following Libreswan command to see if you get an error:

      $ sudo ipsec initnss

      ERROR: destination directory "/var/lib/ipsec/nss" is missing or
      permission denied

  pkg_postinst() in the gentoo ebuild is still using /etc/ipsec.d for the
  NSS database files:

      https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild

  you could fix the aforementioned pkg_postinst(), or issue the following
  as a workaround:

      sudo mkdir -p /var/lib/ipsec/nss

      sudo chmod 700 /var/lib/ipsec/nss

  then try sudo ipsec initnss again.

  If you are using SELinux or AppArmor, a new rule might be required for
  /var/lib/ipsec/nss

  Cheers,

  Doug

  From: Swan  On Behalf Of Brian McKee
  Sent: Friday, 23 October 2020 6:06 PM
  To: swan@lists.libreswan.org
  Subject: [Swan] Issue with networkmanager and l2tp

  Hello everyone,

I'm a Gentoo linux user. My work uses a linux based VPN server (Centos 7) that 
is probably pretty out of date. It uses the l2tp protocol.

My Gentoo box is running Networkmanager 1.26.0 and until a recent update I was 
running libreswan-3.32-r1 which contains a patch to fix an NSS version issue. 
libreswan-3.32 without the patch fails to connect to my work because of the 
NSS issue.

Networkmanager requires libreswan for l2tp protocol connections.

In the latest update of my machine libreswan 4.1 installed and I could no 
longer connect to work. There were absolutely no useful messages from 
Networkmanager. This is what I got in /var/log/messages:

Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4884] audit: 
op="connection-activate"
uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 
result
="success"
Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4920]
vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Started the VPN service, PID
10712
Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4984]
vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 Saw the service appear;
activating
connection
Oct 22 21:30:17 threads NetworkManager[4579]:   [1603427417.1234] audit: 
op="statistics"
arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 22 21:30:27 threads NetworkManager[4579]:   [1603427427.7335]
vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN plugin: state changed:
stopped
(6)
Oct 22 21:30:27 threads NetworkManager[4579]:   [1603427427.7361]
vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN service disappeared
Oct 22 21:30:27 threads NetworkManager[4579]:   [1603427427.7372]
vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
 VPN connection: failed to
connect:
'Message recipient disconnected from message bus without replying'

I figure I have a configuration issue, except that it works fine with the old 
version of libreswan.

 

I'm hoping you guys have some idea what I'm talking about. I can email you any 
information on my machine and I
can probably get the configuration for the (openvpn, I think) VPN server.

 

I know that me using the old version of libreswan is eventually going to become 
a problem so I'd like to
proactively figure out what's wrong and fix my system so my work flow isn't 
interrupted.

 

I don't hand edit the config files, I let KDE configure network manager, so I 
figure there is something I need
to change in that configuration.

 

Anyway, thanks for reading and thanks in advance for any help you can offer.

___
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan



--
-- Consciousness moves everything.





Re: [Swan] Issue with networkmanager and l2tp

2020-10-23 Thread Brian McKee
Thanks Doug!
I'll open a ticket with the gentoo devs!

On Fri, Oct 23, 2020 at 5:04 AM Douglas Kosovic  wrote:

> Hi Brian,
>
> With Libreswan >= 4.0, the default NSS database files (*.db) have moved
> from /etc/ipsec.d to /var/lib/ipsec/nss
>
> Try the following Libreswan command to see if you get an error:
>
> $ sudo ipsec initnss
>
>    ERROR: destination directory "/var/lib/ipsec/nss" is missing or
> permission denied
>
> pkg_postinst() in the gentoo ebuild is still using /etc/ipsec.d for the
> NSS database files:
>
> https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild
>
> you could fix the aforementioned pkg_postinst(), or issue the following
> as a workaround:
>
> sudo mkdir -p /var/lib/ipsec/nss
> sudo chmod 700 /var/lib/ipsec/nss
>
> then try sudo ipsec initnss again.
>
> If you are using SELinux or AppArmor, a new rule might be required for
> /var/lib/ipsec/nss
>
> Cheers,
>
> Doug
>
> *From:* Swan  *On Behalf Of *Brian McKee
> *Sent:* Friday, 23 October 2020 6:06 PM
> *To:* swan@lists.libreswan.org
> *Subject:* [Swan] Issue with networkmanager and l2tp
>
> Hello everyone,
>
> I'm a Gentoo Linux user. My work uses a Linux-based VPN server (CentOS 7)
> that is probably pretty out of date. It uses the L2TP protocol.
>
> My Gentoo box is running NetworkManager 1.26.0 and until a recent update I
> was running libreswan-3.32-r1, which contains a patch to fix an NSS version
> issue. libreswan-3.32 without the patch fails to connect to my work because
> of the NSS issue.
>
> NetworkManager requires libreswan for L2TP protocol connections.
>
> In the latest update of my machine, libreswan 4.1 installed and I could no
> longer connect to work. There were absolutely no useful messages from
> NetworkManager. This is what I got in /var/log/messages:
>
> Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4884]
> audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0"
> name="wtec-SJ" pid=5647 uid=1000 result="success"
> Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4920]
> vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Started the VPN service, PID 10712
> Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4984]
> vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> Saw the service appear; activating connection
> Oct 22 21:30:17 threads NetworkManager[4579]:   [1603427417.1234]
> audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000
> result="success"
> Oct 22 21:30:27 threads NetworkManager[4579]:   [1603427427.7335]
> vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN plugin: state changed: stopped (6)
> Oct 22 21:30:27 threads NetworkManager[4579]:   [1603427427.7361]
> vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN service disappeared
> Oct 22 21:30:27 threads NetworkManager[4579]:   [1603427427.7372]
> vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]:
> VPN connection: failed to connect:
> 'Message recipient disconnected from message bus without replying'
>
> I figure I have a configuration issue, except that it works fine with the
> old version of libreswan.
>
> I'm hoping you guys have some idea what I'm talking about. I can email you
> any information on my machine and I can probably get the configuration for
> the (openvpn, I think) VPN server.
>
> I know that my using the old version of libreswan is eventually going to
> become a problem, so I'd like to proactively figure out what's wrong and fix
> my system so my workflow isn't interrupted.
>
> I don't hand edit the config files, I let KDE configure NetworkManager,
> so I figure there is something I need to change in that configuration.
>
> Anyway, thanks for reading and thanks in advance for any help you can
> offer.
>


-- 
-- Consciousness moves everything.


Re: [Swan] Issue with networkmanager and l2tp

2020-10-23 Thread Douglas Kosovic
Hi Brian,

With Libreswan >= 4.0, the default NSS database files (*.db) have moved from 
/etc/ipsec.d to /var/lib/ipsec/nss

Try the following Libreswan command to see if you get an error:

$ sudo ipsec initnss

   ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied

pkg_postinst() in the gentoo ebuild is still using /etc/ipsec.d for the NSS 
database files:

https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild

you could fix the aforementioned pkg_postinst(), or issue the following as a 
workaround:

sudo mkdir -p /var/lib/ipsec/nss
sudo chmod 700 /var/lib/ipsec/nss

then try sudo ipsec initnss again.

If you are using SELinux or AppArmor, a new rule might be required for 
/var/lib/ipsec/nss

Cheers,
Doug

From: Swan  On Behalf Of Brian McKee
Sent: Friday, 23 October 2020 6:06 PM
To: swan@lists.libreswan.org
Subject: [Swan] Issue with networkmanager and l2tp

Hello everyone,

I'm a Gentoo Linux user. My work uses a Linux-based VPN server (CentOS 7) that 
is probably pretty out of date. It uses the L2TP protocol.

My Gentoo box is running NetworkManager 1.26.0 and until a recent update I was 
running libreswan-3.32-r1, which contains a patch to fix an NSS version issue. 
libreswan-3.32 without the patch fails to connect to my work because of the NSS 
issue.

NetworkManager requires libreswan for L2TP protocol connections.

In the latest update of my machine, libreswan 4.1 installed and I could no 
longer connect to work. There were absolutely no useful messages from 
NetworkManager. This is what I got in /var/log/messages:

Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4884] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4920] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 10712
Oct 22 21:30:16 threads NetworkManager[4579]:   [1603427416.4984] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 22 21:30:17 threads NetworkManager[4579]:   [1603427417.1234] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 22 21:30:27 threads NetworkManager[4579]:   [1603427427.7335] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 22 21:30:27 threads NetworkManager[4579]:   [1603427427.7361] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
Oct 22 21:30:27 threads NetworkManager[4579]:   [1603427427.7372] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

I figure I have a configuration issue, except that it works fine with the old 
version of libreswan.

I'm hoping you guys have some idea what I'm talking about. I can email you any 
information on my machine and I can probably get the configuration for the 
(openvpn, I think) VPN server.

I know that my using the old version of libreswan is eventually going to become 
a problem, so I'd like to proactively figure out what's wrong and fix my system 
so my workflow isn't interrupted.

I don't hand edit the config files, I let KDE configure NetworkManager, so I 
figure there is something I need to change in that configuration.

Anyway, thanks for reading and thanks in advance for any help you can offer.
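Doug's workaround above, as an added shell check that is not code from the thread, from Libreswan or from the Gentoo ebuild: it creates the new NSS directory with mode 700 if it is missing, verifies that the mode really is 700 (an existing world-readable directory is reported, not silently accepted), and lists any *.db files left behind in the pre-4.0 location so an admin can tell which database the daemon will actually read. The function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from Libreswan): checks the
# Libreswan >= 4.0 NSS directory Doug describes. It must exist and be
# restricted to root (mode 700); *.db files left in the pre-4.0 location
# /etc/ipsec.d are flagged as stale. Function names are hypothetical.

# ensure_nss_dir DIR: create DIR with mode 700 if missing; return 0 only
# if DIR ends up as a directory whose mode is exactly 700.
ensure_nss_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" || return 1
        chmod 700 "$dir" || return 1
    fi
    # GNU stat takes -c, BSD/macOS stat takes -f; try GNU first.
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir" 2>/dev/null)
    [ "$mode" = "700" ]
}

# stale_nss_dbs DIR: print any *.db files still in DIR, one per line;
# prints nothing (and still succeeds) if DIR is absent or has none.
stale_nss_dbs() {
    [ -d "$1" ] || return 0
    for f in "$1"/*.db; do [ -e "$f" ] && printf '%s\n' "$f"; done
    return 0
}

# nss_dir_report NSS_DIR [OLD_DIR]: summary of both checks for an admin.
nss_dir_report() {
    old_dir=${2:-/etc/ipsec.d}
    if ensure_nss_dir "$1"; then
        echo "ok: $1 exists with mode 700; run 'ipsec initnss' next"
    else
        echo "problem: $1 missing or not mode 700 (running as root?)"
    fi
    stale=$(stale_nss_dbs "$old_dir")
    if [ -n "$stale" ]; then
        echo "stale pre-4.0 NSS database files in $old_dir:"
        echo "$stale"
    fi
}

# The report only runs when paths are passed on the command line, e.g.
#   sudo sh nss-dir-check.sh /var/lib/ipsec/nss /etc/ipsec.d
if [ "$#" -gt 0 ]; then
    nss_dir_report "$@"
fi
```

On an SELinux or AppArmor host a "problem" result for a directory that clearly exists usually means the policy, not the mode, is blocking access, which matches Doug's last remark.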