Bug 1807024

Summary: Can't connect to L2TP/IPsec VPN after upgrade
Product: Fedora
Component: NetworkManager-l2tp
Reporter: jezekus
Assignee: Douglas Kosovic <doug>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 31
CC: code, doug, drizt72, jwildman, philbates35, redhat-bugzilla
Hardware: x86_64
OS: Linux
Fixed In Version: NetworkManager-l2tp-1.8.0-5.fc31
Last Closed: 2020-03-06 02:23:04 UTC
Type: Bug
Attachments: Log from dnf about performed upgrade

Description jezekus 2020-02-25 13:36:33 UTC
Created attachment 1665640: Log from dnf about performed upgrade

Description of problem:
After the last upgrade, containing the following upgraded packages
    Upgrade  libreswan-3.30-1.fc31.x86_64                 @updates
    Upgraded libreswan-3.29-2.fc31.x86_64                 @@System

I'm not able to connect to ANY L2TP/IPsec VPN which was working before and which is still working (tested via an Android 10 phone).


Version-Release number of selected component (if applicable):
libreswan-3.30-1.fc31.x86_64

How reproducible:
Upgrade to latest libreswan-3.30-1.fc31.x86_64


Actual results:
Connection to VPN fails, no connection attempt on the server side.

Expected results:
Connection to VPN established.

Additional info:
Linux x270 5.5.5-200.fc31.x86_64 #1 SMP Wed Feb 19 23:28:07 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Logs from journalctl:
Feb 25 14:22:40 x270 nm-l2tp-service[31255]: Check port 1701
Feb 25 14:22:40 x270 NetworkManager[1227]: Redirecting to: systemctl restart ipsec.service
Feb 25 14:22:41 x270 NetworkManager[1227]: 002 listening for IKE messages
Feb 25 14:22:41 x270 NetworkManager[1227]: 002 forgetting secrets
Feb 25 14:22:41 x270 NetworkManager[1227]: 002 loading secrets from "/etc/ipsec.secrets"
Feb 25 14:22:41 x270 NetworkManager[1227]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
Feb 25 14:22:41 x270 NetworkManager[1227]: debugging mode enabled
Feb 25 14:22:41 x270 NetworkManager[1227]: end of file /var/run/nm-l2tp-37dc9eb7-a7c7-419e-a953-421c2ae210fd/ipsec.conf
Feb 25 14:22:41 x270 NetworkManager[1227]: Loading conn 37dc9eb7-a7c7-419e-a953-421c2ae210fd
Feb 25 14:22:41 x270 NetworkManager[1227]: starter: left is KH_DEFAULTROUTE
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" modecfgdns=<unset>
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" modecfgdomains=<unset>
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" modecfgbanner=<unset>
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" mark=<unset>
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" mark-in=<unset>
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" mark-out=<unset>
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" vti_iface=<unset>
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" redirect-to=<unset>
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" accept-redirect-to=<unset>
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" esp=aes256-sha1,aes128-sha1,3des-sha1
Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp_384,aes128-sha1-modp1024,aes128-sha1-ecp_256,3des-sha1-modp2048,3des-sha>
Feb 25 14:22:41 x270 NetworkManager[1227]: opening file: /var/run/nm-l2tp-37dc9eb7-a7c7-419e-a953-421c2ae210fd/ipsec.conf
Feb 25 14:22:41 x270 NetworkManager[1227]: loading named conns: 37dc9eb7-a7c7-419e-a953-421c2ae210fd
Feb 25 14:22:41 x270 NetworkManager[1227]: seeking_src = 1, seeking_gateway = 1, has_peer = 1
Feb 25 14:22:41 x270 NetworkManager[1227]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Feb 25 14:22:41 x270 NetworkManager[1227]: dst  via 192.168.44.1 dev bnep0 src  table 254
Feb 25 14:22:41 x270 NetworkManager[1227]: set nexthop: 192.168.44.1
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.44.0 via  dev bnep0 src 192.168.44.87 table 254
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 254
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.44.0 via  dev bnep0 src 192.168.44.87 table 255 (ignored)
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.44.87 via  dev bnep0 src 192.168.44.87 table 255 (ignored)
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.44.255 via  dev bnep0 src 192.168.44.87 table 255 (ignored)
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.122.1 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.122.255 via  dev virbr0 src 192.168.122.1 table 255 (ignored)
Feb 25 14:22:41 x270 NetworkManager[1227]: seeking_src = 1, seeking_gateway = 0, has_peer = 1
Feb 25 14:22:41 x270 NetworkManager[1227]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.44.1 via  dev bnep0 src 192.168.44.87 table 254
Feb 25 14:22:41 x270 NetworkManager[1227]: set addr: 192.168.44.87
Feb 25 14:22:41 x270 NetworkManager[1227]: seeking_src = 0, seeking_gateway = 0, has_peer = 1
Feb 25 14:22:41 x270 nm-l2tp-service[31255]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Feb 25 14:22:41 x270 NetworkManager[1227]: <info>  [1582636961.5909] vpn-connection[0x55f874bb0790,37dc9eb7-a7c7-419e-a953-421c2ae210fd,"Jirinova",0]: VPN plugin: state changed: stopped (6)
Feb 25 14:22:41 x270 NetworkManager[1227]: <info>  [1582636961.5970] vpn-connection[0x55f874bb0790,37dc9eb7-a7c7-419e-a953-421c2ae210fd,"Jirinova",0]: VPN service disappeared
Feb 25 14:22:41 x270 NetworkManager[1227]: <warn>  [1582636961.5982] vpn-connection[0x55f874bb0790,37dc9eb7-a7c7-419e-a953-421c2ae210fd,"Jirinova",0]: VPN connection: failed to connect: 'Remote peer disconnected'


Full upgrade info in attachment.


In case more info/testing needed please let me know.

Comment 1 Douglas Kosovic 2020-02-25 14:48:25 UTC
libreswan 3.30 is no longer built with modp1024 (aka DH2) support; see the following upstream NetworkManager-l2tp bug report for more details:

https://github.com/nm-l2tp/NetworkManager-l2tp/issues/123

I'm in the process of releasing new NetworkManager-l2tp RPMs which no longer use modp1024 with libreswan:
https://src.fedoraproject.org/rpms/NetworkManager-l2tp/commits

If you need modp1024 support, apart from rebuilding libreswan-3.20 with USE_DH2=true, or reverting to a libreswan < 3.30, you can switch to strongswan with:

sudo rpm -e libreswan
sudo dnf install strongswan

Comment 2 Douglas Kosovic 2020-02-25 14:56:51 UTC
If you don't need modp1024, then as a workaround, as suggested in the upstream NetworkManager-l2tp bug report, you could enter the following for Phase 1 Algorithms in the IPsec advanced settings:

aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-ecp_384,aes128-sha1-ecp_256,3des-sha1-modp2048

Comment 3 Fedora Update System 2020-02-25 21:56:19 UTC
FEDORA-2020-627629882a has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-627629882a

Comment 4 Fedora Update System 2020-02-27 18:34:58 UTC
NetworkManager-l2tp-1.8.0-4.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-627629882a

Comment 5 Douglas Kosovic 2020-03-04 00:18:30 UTC
For others who are trying the NetworkManager-l2tp RPMs pushed to testing:

If you are no longer able to connect after a kernel update, then the issue is most likely with xl2tpd, not the libreswan 3.30 update. Fedora >= 31 has blacklisted the L2TP kernel modules. Unblacklisting the L2TP kernel modules should fix the xl2tpd issue (and, not to mention, make the connection faster); see the following for details:

https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#issue-with-blacklisting-of-l2tp-kernel-modules


Note: The patch in the package pushed to testing (and the suggested Phase 1 Algorithms workaround for older versions of this package) is just to avoid the following config file syntax error with libreswan-3.30:

  ike string error: IKE DH algorithm 'modp1024' is not supported
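The workaround in Comment 2 and the syntax error quoted above are two sides of the same rule: libreswan 3.30 rejects an `ike=` line as a whole if any one proposal names a DH group it was built without, so the fix is to drop every proposal that uses modp1024 while keeping the rest in their original order. The following is an added example, not code from NetworkManager-l2tp or libreswan, that checks a libreswan-style Phase 1 proposal string for that error and produces the stripped version. The input string is constructed from the visible part of the `ike=` line in the journal log of this report (the truncated tail is omitted), and the set of unsupported DH groups is an assumption limited to what this bug states (modp1024 only).

```python
"""Check and repair a libreswan-style IKE (Phase 1) proposal list whose
DH group is no longer built into the installed libreswan.

Added example for this bug report; not code from NetworkManager-l2tp or
libreswan.  UNSUPPORTED_DH reflects only what the report states: libreswan
3.30 in Fedora is no longer built with modp1024 (DH2).
"""

# Assumption: the only DH group this report says is gone in libreswan 3.30.
UNSUPPORTED_DH = {"modp1024"}

# Error text libreswan 3.30 prints for such a proposal, as quoted in Comment 5.
LIBRESWAN_ERROR = "ike string error: IKE DH algorithm '{dh}' is not supported"

# Constructed sample input: the visible portion of the ike= line from the
# journal log in the description (the log line was cut off after this).
DEFAULT_IKE = (
    "aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,"
    "aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,"
    "aes256-sha1-ecp_384,aes128-sha1-modp1024,aes128-sha1-ecp_256,3des-sha1-modp2048"
)


def parse_proposal(item):
    """Split one 'encr-integ-dh' proposal into an (encr, integ, dh) tuple.

    libreswan also accepts the shorter 'encr-integ' form (default DH group),
    so a missing DH component is returned as None.
    """
    parts = item.strip().split("-")
    if len(parts) < 2:
        raise ValueError(f"malformed proposal: {item!r}")
    encr, integ = parts[0], parts[1]
    dh = parts[2] if len(parts) >= 3 else None
    return encr, integ, dh


def _proposals(ike):
    """Yield the non-empty, whitespace-trimmed proposals of a comma-separated list."""
    for item in ike.split(","):
        if item.strip():
            yield item.strip()


def check_ike_string(ike):
    """Return the error libreswan 3.30 would report for this string, or None if accepted.

    Like libreswan, a single unsupported proposal rejects the whole line.
    """
    for item in _proposals(ike):
        _, _, dh = parse_proposal(item)
        if dh in UNSUPPORTED_DH:
            return LIBRESWAN_ERROR.format(dh=dh)
    return None


def strip_unsupported_dh(ike):
    """Return the list with every proposal using an unsupported DH group removed.

    The relative order of the surviving proposals is preserved, so the
    client's preference ordering towards the peer does not change.
    """
    kept = [item for item in _proposals(ike)
            if parse_proposal(item)[2] not in UNSUPPORTED_DH]
    if not kept:
        raise ValueError("no proposals left after removing unsupported DH groups")
    return ",".join(kept)


if __name__ == "__main__":
    print("original:", DEFAULT_IKE)
    print("libreswan 3.30 says:", check_ike_string(DEFAULT_IKE))
    fixed = strip_unsupported_dh(DEFAULT_IKE)
    print("stripped:", fixed)
    print("libreswan 3.30 says:", check_ike_string(fixed))
```

Run on the constructed default, `strip_unsupported_dh` yields exactly the Phase 1 Algorithms string given as the workaround in Comment 2, and `check_ike_string` reports the Comment 5 error for the original but nothing for the stripped version. Because a peer that only offers modp1024 will no longer match any proposal, re-check the gateway's configuration rather than re-adding the group on the client.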

Comment 6 Fedora Update System 2020-03-06 02:23:04 UTC
NetworkManager-l2tp-1.8.0-5.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Douglas Kosovic 2020-03-22 03:27:34 UTC
*** Bug 1809687 has been marked as a duplicate of this bug. ***