L2TP / IPSec não consegue se conectar (Kubuntu 17.10)

Navegue suas respostas
2

Estou tentando conectar-me à VPN corporativa do Kubuntu 17.10. Eu tenho o network-manager-l2tp instalado (versão 1.2.8). A saída que estou recebendo: 

Nov 28 17:20:48 T460 NetworkManager[667]: initiating Main Mode IKE_SA 41d2e76d-a4c4-4f56-bd6a-58ad795af332[1] to xxx.xxx.xxx.xxx
Nov 28 17:20:48 T460 NetworkManager[667]: generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:20:48 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:20:48 T460 NetworkManager[667]: sending retransmit 1 of request message ID 0, seq 1
Nov 28 17:20:48 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:20:48 T460 NetworkManager[667]: destroying IKE_SA in state CONNECTING without notification
Nov 28 17:20:48 T460 NetworkManager[667]: establishing connection '41d2e76d-a4c4-4f56-bd6a-58ad795af332' failed
Nov 28 17:20:48 T460 nm-l2tp-service[3673]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Nov 28 17:20:48 T460 NetworkManager[667]: <info>  [1511889648.3131] vpn-connection[0x55fe5d8fe2f0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN service disappeared
Nov 28 17:20:48 T460 NetworkManager[667]: <warn>  [1511889648.3161] vpn-connection[0x55fe5d8fe2f0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
Nov 28 17:23:58 T460 NetworkManager[667]: <info>  [1511889838.9310] audit: op="connection-activate" uuid="41d2e76d-a4c4-4f56-bd6a-58ad795af332" name="WorkVPN" pid=1017 uid=1000 result="success"
Nov 28 17:23:58 T460 NetworkManager[667]: <info>  [1511889838.9371] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: Started the VPN service, PID 3759
Nov 28 17:23:58 T460 NetworkManager[667]: <info>  [1511889838.9477] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: Saw the service appear; activating connection
Nov 28 17:24:01 T460 nm-l2tp-service[3759]: Check port 1701
Nov 28 17:24:01 T460 NetworkManager[667]: Stopping strongSwan IPsec failed: starter is not running
Nov 28 17:24:03 T460 NetworkManager[667]: Starting strongSwan 5.5.1 IPsec [starter]...
Nov 28 17:24:03 T460 NetworkManager[667]: Loading config setup
Nov 28 17:24:03 T460 NetworkManager[667]: Loading conn '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:03 T460 NetworkManager[667]: found netkey IPsec stack
Nov 28 17:24:03 T460 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.14.2-041402-generic, x86_64)
Nov 28 17:24:03 T460 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 28 17:24:03 T460 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 28 17:24:03 T460 charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-41d2e76d-a4c4-4f56-bd6a-58ad795af332.secrets'
Nov 28 17:24:03 T460 charon: 00[CFG]   loaded IKE secret for %any
Nov 28 17:24:03 T460 charon: 00[LIB] loaded plugins: charon test-vectors aesni aes rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
Nov 28 17:24:03 T460 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Nov 28 17:24:03 T460 charon: 00[JOB] spawning 16 worker threads
Nov 28 17:24:03 T460 charon: 05[CFG] received stroke: add connection '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:03 T460 charon: 05[CFG] added configuration '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:04 T460 charon: 07[CFG] rereading secrets
Nov 28 17:24:04 T460 charon: 07[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 28 17:24:04 T460 charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-41d2e76d-a4c4-4f56-bd6a-58ad795af332.secrets'
Nov 28 17:24:04 T460 charon: 07[CFG]   loaded IKE secret for %any
Nov 28 17:24:04 T460 charon: 10[CFG] received stroke: initiate '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:04 T460 charon: 11[IKE] initiating Main Mode IKE_SA 41d2e76d-a4c4-4f56-bd6a-58ad795af332[1] to xxx.xxx.xxx.xxx
Nov 28 17:24:04 T460 charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:24:04 T460 charon: 11[NET] sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:08 T460 charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Nov 28 17:24:08 T460 charon: 12[NET] sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:14 T460 NetworkManager[667]: Stopping strongSwan IPsec...
Nov 28 17:24:14 T460 charon: 00[DMN] signal of type SIGINT received. Shutting down
Nov 28 17:24:14 T460 charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Nov 28 17:24:14 T460 NetworkManager[667]: initiating Main Mode IKE_SA 41d2e76d-a4c4-4f56-bd6a-58ad795af332[1] to xxx.xxx.xxx.xxx
Nov 28 17:24:14 T460 NetworkManager[667]: generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:24:14 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:14 T460 NetworkManager[667]: sending retransmit 1 of request message ID 0, seq 1
Nov 28 17:24:14 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:14 T460 NetworkManager[667]: destroying IKE_SA in state CONNECTING without notification
Nov 28 17:24:14 T460 NetworkManager[667]: establishing connection '41d2e76d-a4c4-4f56-bd6a-58ad795af332' failed
Nov 28 17:24:14 T460 nm-l2tp-service[3759]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Nov 28 17:24:14 T460 NetworkManager[667]: <info>  [1511889854.5718] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN plugin: state changed: stopped (6)
Nov 28 17:24:14 T460 NetworkManager[667]: <info>  [1511889854.5779] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN service disappeared
Nov 28 17:24:14 T460 NetworkManager[667]: <warn>  [1511889854.5803] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

EDITAR:

Aqui está a saída das informações de depuração: 

van@z97:/opt/testing$ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[24282] <debug> nm-l2tp-service (version 1.2.8) starting...
nm-l2tp[24282] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[24282] <info>  ipsec enable flag: yes
** Message: Check port 1701
** Message: Can't bind to port 1701
nm-l2tp[24282] <warn>  L2TP port 1701 is busy, using ephemeral.
connection
        id : "Work" (s)
        uuid : "71468d41-cd5a-4c91-a70a-c6bc7e1db86a" (s)
        interface-name : NULL (sd)
        type : "vpn" (s)
        permissions : ["user:van:"] (s)
        autoconnect : TRUE (sd)
        autoconnect-priority : 0 (sd)
        autoconnect-retries : -1 (sd)
        timestamp : 0 (sd)
        read-only : FALSE (sd)
        zone : NULL (sd)
        master : NULL (sd)
        slave-type : NULL (sd)
        autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
        secondaries : NULL (sd)
        gateway-ping-timeout : 0 (sd)
        metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
        lldp : -1 (sd)
        stable-id : NULL (sd)


ipv6
        method : "auto" (s)
        dns : [] (s)
        dns-search : [] (s)
        dns-options : NULL (sd)
        dns-priority : 0 (sd)
        addresses : ((GPtrArray*) 0x5645b3895ae0) (s)
        gateway : NULL (sd)
        routes : ((GPtrArray*) 0x5645b3895ae0) (s)
        route-metric : -1 (sd)
        ignore-auto-routes : FALSE (sd)
        ignore-auto-dns : FALSE (sd)
        dhcp-hostname : NULL (sd)
        dhcp-send-hostname : TRUE (sd)
        never-default : FALSE (sd)
        may-fail : TRUE (sd)
        dad-timeout : -1 (sd)
        dhcp-timeout : 0 (sd)
        ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd)
        addr-gen-mode : 1 (sd)
        token : NULL (sd)


proxy
        method : 0 (sd)
        browser-only : FALSE (sd)
        pac-url : NULL (sd)
        pac-script : NULL (sd)


vpn
        service-type : "org.freedesktop.NetworkManager.l2tp" (s)
        user-name : "van" (s)
        persistent : FALSE (sd)
        data : ((GHashTable*) 0x7fef54006de0) (s)
        secrets : ((GHashTable*) 0x7fef54006cc0) (s)
        timeout : 0 (sd)


ipv4
        method : "auto" (s)
        dns : [] (s)
        dns-search : [] (s)
        dns-options : NULL (sd)
        dns-priority : 0 (sd)
        addresses : ((GPtrArray*) 0x5645b38957a0) (s)
        gateway : NULL (sd)
        routes : ((GPtrArray*) 0x5645b3895a00) (s)
        route-metric : -1 (sd)
        ignore-auto-routes : FALSE (sd)
        ignore-auto-dns : FALSE (sd)
        dhcp-hostname : NULL (sd)
        dhcp-send-hostname : TRUE (sd)
        never-default : FALSE (sd)
        may-fail : TRUE (sd)
        dad-timeout : -1 (sd)
        dhcp-timeout : 0 (sd)
        dhcp-client-id : NULL (sd)
        dhcp-fqdn : NULL (sd)


nm-l2tp[24282] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.5.1 IPsec [starter]...
Loading config setup
Loading conn '71468d41-cd5a-4c91-a70a-c6bc7e1db86a'
found netkey IPsec stack
nm-l2tp[24282] <info>  Spawned ipsec up script with PID 24345.
initiating Main Mode IKE_SA 71468d41-cd5a-4c91-a70a-c6bc7e1db86a[1] to xxx.xxx.xxx.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.0.2[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 192.168.0.2[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
nm-l2tp[24282] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[24282] <info>  Terminating ipsec script with PID 24345.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
establishing connection '71468d41-cd5a-4c91-a70a-c6bc7e1db86a' failed
nm-l2tp[24282] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:24282): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
    
por Vanessa Deagan 28.11.2017 / 18:31

3 respostas

3

Depois de passar algumas horas pesquisando, descobri qual é o problema e a solução.

O problema:

  1. O Linux não suporta mais a codificação 3DES, mas muitos dispositivos ainda a usam.
  2. O Kubuntu 17.10 não possui os campos de entrada do algoritmo phase1 e phase2 em Configurações IPSec (este é um bug conhecido), necessários para configurar uma conexão L2TP / IPSec para usar o 3DES.

A solução:

  1. Instale a versão mais recente do KDE Plasma do PPA "backports".
  2. Reinicialize e crie uma nova conexão VPN L2TP / IPSec - os campos de entrada do algoritmo phase1 e phase2 agora devem estar presentes.
  3. Para o algoritmo Phase1, digite: 3des-sha1!
  4. Para o Algoritmo da Fase 2, insira: 3des-sha1-modp1024!

Da memória, fiz o seguinte: 

sudo add-apt-repository ppa:kubuntu-ppa/backports
sudo apt update && sudo apt upgrade
sudo reboot
sudo apt install network-manager-l2tp-gnome
sudo apt install strongswan
sudo apt install libstrongswan-extra-plugins
sudo apt install libcharon-extra-plugins

Reinicialize e adicione L2TP / IPSec normalmente. Agora você deve ver as caixas de texto dos algoritmos de Fase1 e Fase2, como mostra a imagem anexada.

É importante observar que as etapas acima não funcionarão se você instalou o kernel Linux mais recente (4.14 ou superior, acredito), portanto é altamente provável que essa solução alternativa para fazer com que o L2TP / IPSec trabalhe com a codificação 3DES não funciona quando o lançamento do Ubuntu 18.04 LTS é lançado.

    
por Vanessa Deagan 04.12.2017 / 15:12
1

O bug do kernel 4.14 está relacionado ao seguinte commit:

Essa confirmação do kernel 4.14 quebra o modo de transporte IPsec quando um endereço curinga é usado no lado do cliente, como é o caso do network-manager-l2tp. O commit foi revertido no kernel-4.15-rc1:

Infelizmente, o commit de reversão reintroduz um bug de pilha fora dos limites. Podemos precisar esperar que o branch 4.14 do kernel consiga uma correção após o lançamento do kernel 4.15. Mais detalhes neste tópico da lista de discussão do kernel do linux netdev:

por Douglas Kosovic 23.12.2017 / 14:06
0

Eu sei que esta questão foi no sentido de obter L2TP / IPSec trabalhando no Kubuntu 17.10. No entanto, 18.04 está fora agora, e aqui está como eu obtenho o L2TP / IPSec trabalhando no Kubuntu 18.04 :

  1. $ sudo apt install network-manager-l2tp
  2. $ sudo stop xl2tpd.service
  3. $ sudo systemctl disable xl2tpd.service

Não é mais necessário brincar com backports, pois os algoritmos Fase1 e algoritmos de Fase2 entradas de texto agora estão incluídos no Gerenciador de rede padrão.

    
por Andy Turfer 30.09.2018 / 16:16
Como tornar meu site ao vivo Como eu mudo o tipo de cursor quando uso o aplicativo Ubuntu no Windows 10?