Bug 1807024
Summary: | Can't connect to L2TP/IPsec VPN after upgrade
---|---
Product: | [Fedora] Fedora
Reporter: | jezekus
Component: | NetworkManager-l2tp
Assignee: | Douglas Kosovic <doug>
Status: | CLOSED ERRATA
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | high
Priority: | unspecified
Version: | 31
CC: | code, doug, drizt72, jwildman, philbates35, redhat-bugzilla
Hardware: | x86_64
OS: | Linux
Fixed In Version: | NetworkManager-l2tp-1.8.0-5.fc31
Last Closed: | 2020-03-06 02:23:04 UTC
Type: | Bug
libreswan 3.30 is no longer built with modp1024 (aka DH2) support, see the following upstream NetworkManager-l2tp bug report for more details:
https://github.com/nm-l2tp/NetworkManager-l2tp/issues/123

I'm in the process of releasing new NetworkManager-l2tp RPMs which no longer use modp1024 with libreswan:
https://src.fedoraproject.org/rpms/NetworkManager-l2tp/commits

If you need modp1024 support, apart from rebuilding libreswan-3.20 with USE_DH2=true, or reverting to a libreswan < 3.30, you can switch to strongswan with:

    sudo rpm -e libreswan
    sudo dnf install strongswan

If you don't need modp1024, as suggested in the upstream NetworkManager-l2tp bug report, as a workaround, you could enter the following for Phase 1 Algorithms in the IPsec advanced settings:

    aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-ecp_384,aes128-sha1-ecp_256,3des-sha1-modp2048

FEDORA-2020-627629882a has been submitted as an update to Fedora 31.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-627629882a

NetworkManager-l2tp-1.8.0-4.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-627629882a

For others who are trying the NetworkManager-l2tp RPMs pushed to testing: if you are no longer able to connect after a kernel update, then the issue is most likely with xl2tpd, not the libreswan 3.30 update. Fedora >= 31 have blacklisted the L2TP kernel modules. Unblacklisting the L2TP kernel modules should fix the xl2tpd issue (and not to mention, make the connection faster), see the following for details:
https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#issue-with-blacklisting-of-l2tp-kernel-modules

Note: The patch in the package pushed to testing (and the suggested Phase 1 Algorithms workaround for older versions of this package) is just to avoid the following config file syntax error with libreswan-3.30:

    ike string error: IKE DH algorithm 'modp1024' is not supported

NetworkManager-l2tp-1.8.0-5.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

*** Bug 1809687 has been marked as a duplicate of this bug. ***
Created attachment 1665640
Log from dnf about performed upgrade

Description of problem:
After the last upgrade containing the following upgraded packages

    Upgrade  libreswan-3.30-1.fc31.x86_64 @updates
    Upgraded libreswan-3.29-2.fc31.x86_64 @@System

I'm not able to connect to ANY L2TP/IPsec VPN which was working before and which are working (tested via Android 10 phone).

Version-Release number of selected component (if applicable):
libreswan-3.30-1.fc31.x86_64

How reproducible:
Upgrade to latest libreswan-3.30-1.fc31.x86_64

Actual results:
Connection to VPN fails, no connection attempt on the server side.

Expected results:
Connection to VPN established.

Additional info:

    Linux x270 5.5.5-200.fc31.x86_64 #1 SMP Wed Feb 19 23:28:07 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Logs from journalctl:

    Feb 25 14:22:40 x270 nm-l2tp-service[31255]: Check port 1701
    Feb 25 14:22:40 x270 NetworkManager[1227]: Redirecting to: systemctl restart ipsec.service
    Feb 25 14:22:41 x270 NetworkManager[1227]: 002 listening for IKE messages
    Feb 25 14:22:41 x270 NetworkManager[1227]: 002 forgetting secrets
    Feb 25 14:22:41 x270 NetworkManager[1227]: 002 loading secrets from "/etc/ipsec.secrets"
    Feb 25 14:22:41 x270 NetworkManager[1227]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
    Feb 25 14:22:41 x270 NetworkManager[1227]: debugging mode enabled
    Feb 25 14:22:41 x270 NetworkManager[1227]: end of file /var/run/nm-l2tp-37dc9eb7-a7c7-419e-a953-421c2ae210fd/ipsec.conf
    Feb 25 14:22:41 x270 NetworkManager[1227]: Loading conn 37dc9eb7-a7c7-419e-a953-421c2ae210fd
    Feb 25 14:22:41 x270 NetworkManager[1227]: starter: left is KH_DEFAULTROUTE
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" modecfgdns=<unset>
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" modecfgdomains=<unset>
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" modecfgbanner=<unset>
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" mark=<unset>
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" mark-in=<unset>
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" mark-out=<unset>
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" vti_iface=<unset>
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" redirect-to=<unset>
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" accept-redirect-to=<unset>
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" esp=aes256-sha1,aes128-sha1,3des-sha1
    Feb 25 14:22:41 x270 NetworkManager[1227]: conn: "37dc9eb7-a7c7-419e-a953-421c2ae210fd" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp_384,aes128-sha1-modp1024,aes128-sha1-ecp_256,3des-sha1-modp2048,3des-sha>
    Feb 25 14:22:41 x270 NetworkManager[1227]: opening file: /var/run/nm-l2tp-37dc9eb7-a7c7-419e-a953-421c2ae210fd/ipsec.conf
    Feb 25 14:22:41 x270 NetworkManager[1227]: loading named conns: 37dc9eb7-a7c7-419e-a953-421c2ae210fd
    Feb 25 14:22:41 x270 NetworkManager[1227]: seeking_src = 1, seeking_gateway = 1, has_peer = 1
    Feb 25 14:22:41 x270 NetworkManager[1227]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst via 192.168.44.1 dev bnep0 src table 254
    Feb 25 14:22:41 x270 NetworkManager[1227]: set nexthop: 192.168.44.1
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.44.0 via dev bnep0 src 192.168.44.87 table 254
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.122.0 via dev virbr0 src 192.168.122.1 table 254
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored)
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored)
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.44.0 via dev bnep0 src 192.168.44.87 table 255 (ignored)
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.44.87 via dev bnep0 src 192.168.44.87 table 255 (ignored)
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.44.255 via dev bnep0 src 192.168.44.87 table 255 (ignored)
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.122.0 via dev virbr0 src 192.168.122.1 table 255 (ignored)
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.122.1 via dev virbr0 src 192.168.122.1 table 255 (ignored)
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.122.255 via dev virbr0 src 192.168.122.1 table 255 (ignored)
    Feb 25 14:22:41 x270 NetworkManager[1227]: seeking_src = 1, seeking_gateway = 0, has_peer = 1
    Feb 25 14:22:41 x270 NetworkManager[1227]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
    Feb 25 14:22:41 x270 NetworkManager[1227]: dst 192.168.44.1 via dev bnep0 src 192.168.44.87 table 254
    Feb 25 14:22:41 x270 NetworkManager[1227]: set addr: 192.168.44.87
    Feb 25 14:22:41 x270 NetworkManager[1227]: seeking_src = 0, seeking_gateway = 0, has_peer = 1
    Feb 25 14:22:41 x270 nm-l2tp-service[31255]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
    Feb 25 14:22:41 x270 NetworkManager[1227]: <info> [1582636961.5909] vpn-connection[0x55f874bb0790,37dc9eb7-a7c7-419e-a953-421c2ae210fd,"Jirinova",0]: VPN plugin: state changed: stopped (6)
    Feb 25 14:22:41 x270 NetworkManager[1227]: <info> [1582636961.5970] vpn-connection[0x55f874bb0790,37dc9eb7-a7c7-419e-a953-421c2ae210fd,"Jirinova",0]: VPN service disappeared
    Feb 25 14:22:41 x270 NetworkManager[1227]: <warn> [1582636961.5982] vpn-connection[0x55f874bb0790,37dc9eb7-a7c7-419e-a953-421c2ae210fd,"Jirinova",0]: VPN connection: failed to connect: 'Remote peer disconnected'

Full upgrade info in attachment. In case more info/testing needed please let me know.
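
Added example, not part of the bug report or of NetworkManager-l2tp: a small Python check that reads the `ike=` entry from a journal excerpt, separates the proposals whose DH group the daemon rejects (modp1024, per the comments above) and rebuilds a Phase 1 Algorithms value from the rest. The function names and the `UNSUPPORTED_DH` set are assumptions made for this illustration; the sample input is the `ike=` line quoted in the report.

```python
import re

# DH groups the installed IKE daemon refuses to parse. The report names
# modp1024 (DH2) for libreswan 3.30; adjust the set for other builds.
UNSUPPORTED_DH = {"modp1024"}

# Sample input: the ike= journal entry quoted in the report, including the
# final proposal that journalctl cut off with ">".
SAMPLE_LOG = (
    'Feb 25 14:22:41 x270 NetworkManager[1227]: conn: '
    '"37dc9eb7-a7c7-419e-a953-421c2ae210fd" '
    'ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,'
    'aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,'
    'aes256-sha1-modp1024,aes256-sha1-ecp_384,aes128-sha1-modp1024,'
    'aes128-sha1-ecp_256,3des-sha1-modp2048,3des-sha>\n'
)

IKE_LINE = re.compile(r"\bike=(\S+)")


def audit_ike(log_text, unsupported=UNSUPPORTED_DH):
    """Sort every ike= proposal in log_text into kept/rejected/truncated."""
    result = {"kept": [], "rejected": [], "truncated": []}
    for match in IKE_LINE.finditer(log_text):
        for proposal in match.group(1).split(","):
            fields = proposal.split("-")  # encryption-integrity-dhgroup
            if len(fields) != 3 or proposal.endswith(">"):
                # Cut off in the log; its DH group cannot be determined.
                result["truncated"].append(proposal)
            elif fields[2] in unsupported:
                result["rejected"].append(proposal)
            else:
                result["kept"].append(proposal)
    return result


def phase1_string(audit):
    """Comma-separated value for the Phase 1 Algorithms field."""
    return ",".join(audit["kept"])


if __name__ == "__main__":
    audit = audit_ike(SAMPLE_LOG)
    print("rejected :", ", ".join(audit["rejected"]))
    print("truncated:", ", ".join(audit["truncated"]))
    print("phase 1  :", phase1_string(audit))
```

Truncated entries are reported separately so they can be checked against the full configuration, since the journal line alone does not show which DH group they use.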