Date: Sun, 25 Oct 2020 12:20:53
From: Brian McKee <[email protected]>
Cc: "[email protected]" <[email protected]>
To: Douglas Kosovic <[email protected]>
Subject: Re: [Swan] Issue with networkmanager and l2tp
I found another beginner mistake in the ebuild and reinstalled libreswan.
The messages I'm getting now are:
Oct 25 09:17:49 threads NetworkManager[6124]: <info> [1603642669.8190] audit: op="statistics" arg="refresh-rate-ms" pid=10301 uid=1000 result="success"
Oct 25 09:17:58 threads NetworkManager[6124]: <info> [1603642678.4519] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10301 uid=1000 result="success"
Oct 25 09:17:58 threads NetworkManager[6124]: <info> [1603642678.4627] vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 12655
Oct 25 09:17:58 threads NetworkManager[6124]: <info> [1603642678.4691] vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 25 09:17:59 threads NetworkManager[6124]: <info> [1603642679.1184] audit: op="statistics" arg="refresh-rate-ms" pid=10301 uid=1000 result="success"
Oct 25 09:18:05 threads kernel: Initializing XFRM netlink socket
Oct 25 09:18:05 threads kernel: IPv4 over IPsec tunneling driver
Oct 25 09:18:05 threads NetworkManager[6124]: <info> [1603642685.7716] manager: (ip_vti0): new Generic device (/org/freedesktop/NetworkManager/Devices/6)
Oct 25 09:18:05 threads kernel: IPsec XFRM device driver
Oct 25 09:18:15 threads NetworkManager[6124]: <info> [1603642695.8344] vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 25 09:18:15 threads NetworkManager[6124]: <info> [1603642695.8375] vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
Oct 25 09:18:15 threads NetworkManager[6124]: <warn> [1603642695.8385] vpn-connection[0x562e3e1ca100,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
On Sun, Oct 25, 2020 at 9:03 AM Brian McKee <[email protected]> wrote:
Hi Doug,
I'm back again...
I found an ipsec init script produced by libreswan's compile in
${IPSEC_CONFDIR}/../ipsec
I modified the ebuild to move that script in /etc/init.d/ and it works.
But I still can't connect to work. Here is the output in /var/log/messages:
Oct 25 08:57:15 threads NetworkManager[6097]: <info> [1603641435.8662] audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
Oct 25 08:57:18 threads NetworkManager[6097]: <info> [1603641438.4577] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10312 uid=1000 result="success"
Oct 25 08:57:18 threads NetworkManager[6097]: <info> [1603641438.4623] vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 24090
Oct 25 08:57:18 threads NetworkManager[6097]: <info> [1603641438.4669] vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 25 08:57:19 threads NetworkManager[6097]: <info> [1603641439.0556] audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
Oct 25 08:57:33 threads NetworkManager[6097]: <info> [1603641453.8567] vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 25 08:57:33 threads NetworkManager[6097]: <info> [1603641453.8597] vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
Oct 25 08:57:33 threads NetworkManager[6097]: <warn> [1603641453.8607] vpn-connection[0x55bd019c0590,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
/usr/sbin/ipsec start works now:
threads /etc/init.d # /usr/sbin/ipsec start
Redirecting to: rc-service ipsec start
* WARNING: ipsec has already been started
Thanks for your patience and help.
On Sun, Oct 25, 2020 at 8:13 AM Brian McKee <[email protected]> wrote:
You are right. ipsec won't start because there is no service:
/usr/sbin/ipsec start
Redirecting to: rc-service ipsec start
* rc-service: service `ipsec' does not exist
I have to figure out how to create a service script for it.
Perhaps I can get some help from the libreswan ebuild maintainer.
I'll post in the bug report I created.
Thanks for your help.
On Sun, Oct 25, 2020 at 5:49 AM Douglas Kosovic <[email protected]> wrote:
Hi Brian,
So the following doesn't work
sudo /sbin/ipsec restart
and I suspect:
sudo /sbin/ipsec start
The Gentoo libreswan ebuild has both openrc and systemd; sorry, I have no idea how the Gentoo ebuild works with the init script.
If you are using systemd, running the following might give a hint as to what needs to be done or is missing.
sudo systemctl restart ipsec.service
With systemd, I think it needs the following file to exist, but not sure with Gentoo:
/lib/systemd/system/ipsec.service
Sorry, I'm not familiar with openrc or if Gentoo is using some openrc/systemd hybrid setup, but your rcscript suspicion seems plausible.
Cheers,
Doug
_______________________________________________________________________________________________________________
From: Brian McKee <[email protected]>
Sent: Sunday, 25 October 2020 6:04 AM
To: Paul Wouters <[email protected]>
Cc: Douglas Kosovic <[email protected]>; [email protected]
<[email protected]>
Subject: Re: [Swan] Issue with networkmanager and l2tp
I have /sbin/ipsec.
I rebooted to get networkmanager to restart with the latest version of libreswan.
I'm still getting an error message:
Oct 24 12:58:23 threads NetworkManager[6097]: <info> [1603569503.8941] audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
Oct 24 12:58:27 threads NetworkManager[6097]: <info> [1603569507.6586] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=10312 uid=1000 result="success"
Oct 24 12:58:27 threads NetworkManager[6097]: <info> [1603569507.6708] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 11786
Oct 24 12:58:27 threads NetworkManager[6097]: <info> [1603569507.6779] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 24 12:58:28 threads NetworkManager[6097]: <info> [1603569508.6593] audit: op="statistics" arg="refresh-rate-ms" pid=10312 uid=1000 result="success"
Oct 24 12:58:32 threads /etc/init.d/NetworkManager[11800]: rc-service: service `ipsec' does not exist
Oct 24 12:58:32 threads NetworkManager[6097]: <warn> [1603569512.8038] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Could not restart the ipsec service.'
Oct 24 12:58:32 threads NetworkManager[6097]: <info> [1603569512.8063] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 24 12:58:32 threads NetworkManager[6097]: <info> [1603569512.8081] vpn-connection[0x55bd019c0170,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
It's still looking for ipsec. I think it's looking for /etc/init.d/ipsecd or something like that based on the error message. Is an rcscript meant to be added by libreswan? So that something else is missing from the ebuild?
Again, I really appreciate your patience with me. Thanks so much.
On Sat, Oct 24, 2020 at 7:08 AM Paul Wouters <[email protected]> wrote:
pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
Sent
It looks like either you have two installs (one in /usr and one in /usr/local) or your pluto did not restart after installing a newer version?
Paul
On Oct 23, 2020, at 23:26, Brian McKee <[email protected]> wrote:
Hi Paul and Doug,
So I got libreswan 4.1 to install with the new folder by modifying the ebuild,
but I'm still having problems. Here is the output of networkmanager:
Oct 23 20:19:40 threads NetworkManager[4579]: <info> [1603509580.7688] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:42 threads NetworkManager[4579]: <info> [1603509582.5025] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
Oct 23 20:19:42 threads NetworkManager[4579]: <info> [1603509582.5068] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 28727
Oct 23 20:19:42 threads NetworkManager[4579]: <info> [1603509582.5115] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 23 20:19:43 threads NetworkManager[4579]: <info> [1603509583.2001] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 23 20:19:51 threads pluto[17294]: ignoring message from whack with bad magic 1869114160; should be 1869114159; Mismatched versions of userland tools.
Oct 23 20:19:51 threads /etc/init.d/NetworkManager[28748]: rc-service: No such file or directory
Oct 23 20:19:51 threads NetworkManager[4579]: <warn> [1603509591.5840] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Could not restart the ipsec service.'
Oct 23 20:19:51 threads NetworkManager[4579]: <info> [1603509591.5851] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 23 20:19:51 threads NetworkManager[4579]: <info> [1603509591.5875] vpn-connection[0x56488972c0a0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
I'm guessing I'm having ipsec issues...
Can you give me a shove in the right direction?
On Fri, Oct 23, 2020 at 10:47 AM Paul Wouters <[email protected]> wrote:
On Fri, 23 Oct 2020, Brian McKee wrote:
> Thanks Doug! I'll open a ticket with the gentoo devs!
They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at the same location if they prefer that.
Note that libreswan-4.x also no longer builds support for DH2, and some NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also be running into that. That required a fix to NM-libreswan in fedora at least.
Pau
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
--
-- Consciousness moves everything.