Ubuntu 20.04 L2TP VPN connection not working

I'm trying to connect my Ubuntu 20.04 installation to my company VPN. The VPN is based on a SOPHOS firewall. According to the details provided by the IT department, we should use an L2TP connection with IPsec and a preshared key. The standard configuration as per all the manuals I found on the network simply doesn't work. I've reported that issue to IT and they ran some tests. It turns out that they couldn't manage to connect an Ubuntu installation, but they managed to connect CentOS 8 without any problems. They are not going to run any more tests. Myself and the other colleagues are the only ones who are using Linux for work. So I invested some time and tried to find a reason for that.

I've installed CentOS on a VM and tried to connect to the company VPN. The fresh installation doesn't have all the required packages. I've installed the missing ones:

NetworkManager-l2tp.x86_64                         1.8.6-5.el8        @epel
NetworkManager-l2tp-gnome.x86_64                   1.8.6-5.el8        @epel
libreswan.x86_64                                   3.32-7.el8_3       @appstream
nss-tools.x86_64                                   3.53.1-17.el8_3    @appstream
ppp.x86_64                                         2.4.7-26.el8_1     @baseos
strongswan.x86_64                                  5.9.1-1.el8        @epel
unbound-libs.x86_64                                1.7.3-14.el8       @appstream
xl2tpd.x86_64                                      1.3.15-1.el8       @epel 

With the above packages installed, the VPN connection was working without any problems. I've checked what is installed in Ubuntu by default. The difference is that in Ubuntu libreswan and strongswan can't be installed at the same time. I've read somewhere on the internet that it can be an issue with strongswan (the default in Ubuntu). I've removed strongswan and installed libreswan. Same effect: the connection is not working. For test purposes, I've set up the same type of VPN server on my NAS at home. The Ubuntu default installation is working fine. When I change to libreswan, the connection with that VPN doesn't work any more. I think it is important to say that I can't create a VPN link with my home server using CentOS.

For a test I've compiled libreswan from source to make sure that the latest version is used.

System log when trying to connect with office VPN:

May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9585] audit: op="connection-activate" uuid="ac38efb7-59d6-4dcb-98bf-bf0145318677" name="CC-OFFICE" pid=2968 uid=1000 result="success"
May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9618] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: Started the VPN service, PID 24875
May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9676] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: Saw the service appear; activating connection
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Unhandled VPN connection state change:  2
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: virtual NMVariantMapMap SecretAgent::GetSecrets(const NMVariantMapMap&, const QDBusObjectPath&, const QString&, const QStringList&, uint)
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Path: "/org/freedesktop/NetworkManager/Settings/4"
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Setting name: "vpn"
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Hints: ()
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Flags: 4
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Unhandled VPN connection state change:  3
May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9841] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN connection: (ConnectInteractive) reply received
May  1 14:52:35 T480-SA nm-l2tp-service[24875]: Check port 1701
May  1 14:52:35 T480-SA nm-l2tp-service[24875]: Can't bind to port 1701
May  1 14:52:35 T480-SA NetworkManager[24889]: Stopping strongSwan IPsec failed: starter is not running
May  1 14:52:38 T480-SA NetworkManager[24886]: Starting strongSwan 5.8.2 IPsec [starter]...
May  1 14:52:38 T480-SA NetworkManager[24886]: Loading config setup
May  1 14:52:38 T480-SA NetworkManager[24886]: Loading conn 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:38 T480-SA charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.8.0-50-generic, x86_64)
May  1 14:52:38 T480-SA charon: 00[CFG] PKCS11 module '<name>' lacks library path
May  1 14:52:38 T480-SA charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May  1 14:52:38 T480-SA charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May  1 14:52:38 T480-SA charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
May  1 14:52:38 T480-SA charon: 00[CFG]   loaded IKE secret for %any
May  1 14:52:38 T480-SA charon: 00[CFG] loaded 0 RADIUS server configurations
May  1 14:52:38 T480-SA charon: 00[CFG] HA config misses local/remote address
May  1 14:52:38 T480-SA charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May  1 14:52:38 T480-SA charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
May  1 14:52:38 T480-SA charon: 00[JOB] spawning 16 worker threads
May  1 14:52:38 T480-SA charon: 06[CFG] received stroke: add connection 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:38 T480-SA charon: 06[CFG] added configuration 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:39 T480-SA charon: 09[CFG] rereading secrets
May  1 14:52:39 T480-SA charon: 09[CFG] loading secrets from '/etc/ipsec.secrets'
May  1 14:52:39 T480-SA charon: 09[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
May  1 14:52:39 T480-SA charon: 09[CFG]   loaded IKE secret for %any
May  1 14:52:39 T480-SA charon: 10[CFG] received stroke: initiate 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:39 T480-SA charon: 12[IKE] initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May  1 14:52:39 T480-SA charon: 12[ENC] generating ID_PROT request 0 [ SA V V V V V ]
May  1 14:52:39 T480-SA charon: 12[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:43 T480-SA charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 1
May  1 14:52:43 T480-SA charon: 16[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:44 T480-SA akonadi_davgroupware_resource[3335]: org.kde.pim.davresource: Error when uploading item: 420 "There was a problem with the request. The item was not modified on the server.\nCould not connect to host localhost: Connection refused. (0)."
May  1 14:52:44 T480-SA akonadi_davgroupware_resource[3335]: org.kde.pim.davresource: Error when uploading item: 420 "There was a problem with the request. The item was not modified on the server.\nCould not connect to host localhost: Connection refused. (0)."
May  1 14:52:49 T480-SA NetworkManager[24963]: Stopping strongSwan IPsec...
May  1 14:52:49 T480-SA NetworkManager[24934]: initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May  1 14:52:49 T480-SA NetworkManager[24934]: generating ID_PROT request 0 [ SA V V V V V ]
May  1 14:52:49 T480-SA NetworkManager[24934]: sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:49 T480-SA NetworkManager[24934]: sending retransmit 1 of request message ID 0, seq 1
May  1 14:52:49 T480-SA NetworkManager[24934]: sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:49 T480-SA NetworkManager[24934]: destroying IKE_SA in state CONNECTING without notification
May  1 14:52:49 T480-SA NetworkManager[24934]: establishing connection 'ac38efb7-59d6-4dcb-98bf-bf0145318677' failed
May  1 14:52:49 T480-SA charon: 00[DMN] signal of type SIGINT received. Shutting down
May  1 14:52:49 T480-SA charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
May  1 14:52:49 T480-SA nm-l2tp-service[24875]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
May  1 14:52:49 T480-SA NetworkManager[1240]: <info>  [1619873569.1349] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN plugin: state changed: stopped (6)
May  1 14:52:49 T480-SA NetworkManager[1240]: <info>  [1619873569.1382] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN service disappeared
May  1 14:52:49 T480-SA NetworkManager[1240]: <warn>  [1619873569.1393] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

Thank you in advance for any suggestions on how I can fix this.


Could you install the newer network-manager-l2tp 1.8.6 from the following page:

  • https://launchpad.net/~nm-l2tp/+archive/ubuntu/network-manager-l2tp

As you are using KDE plasma-nm, no need to install network-manager-l2tp-gnome package.

In the IPsec settings, please do not fill in the phase 1 & 2 algorithms, leave them blank. strongswan's charon is currently failing at main mode (i.e. phase 1) in the above log.

But it looks like it is not even able to contact the VPN server and receive a response. If network-manager-l2tp's 10 second timeout in establishing an IPsec connection is exceeded, it kills (i.e. sends SIGINT to) the /usr/sbin/ipsec process.

Could you install the ike-scan package and run the following ike-scan.sh script:

  • https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#querying-vpn-server-for-its-ikev1-algorithm-proposals

Running the following will confirm if you are able to contact the VPN server (with address 123.54.76.9) from Ubuntu:

sudo ipsec stop
sudo ./ike-scan.sh 123.54.76.9 | grep SA=

You mentioned you compiled libreswan, but the above log seems to indicate strongswan is being used. If you want to use libreswan, I would stick to the older version of the libreswan package that comes with Ubuntu 20.04 as it is more compatible than later versions (unless you build the newer versions with legacy build flags). Although libreswan and strongswan can't be installed at the same time on Ubuntu, one will replace the other when you try to install the other which is fine for network-manager-l2tp as it automatically detects which one is being used at the start of a VPN connection.

If using strongswan with Sophos VPN server, it has been reported that you need to disable the strongswan unity plugin:

  • https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#strongswan-no-acceptable-traffic-selectors-found

Apparently Sophos VPN server uses Libreswan, so in theory Libreswan should provide greater compatibility if used on the client side.

Although not yet an issue in this case, CentOS doesn't have the system xl2tpd running by default, but Ubuntu does, see the following on how to disable the system xl2tpd:

  • https://github.com/nm-l2tp/NetworkManager-l2tp#issue-with-not-stopping-system-xl2tpd-service
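The answer above reads three separate symptoms out of the question's syslog excerpt: nm-l2tp-service cannot bind UDP 1701 (the port the system xl2tpd holds on Ubuntu), charon sends its IKE main mode request and retransmits it without ever receiving a reply, and charon is then killed with SIGINT when network-manager-l2tp's 10 second IPsec timeout expires. The script below is an added example, not code from the question, the answer or the NetworkManager-l2tp project; it automates that reading so the same checks can be run over a saved log. It matches the message formats exactly as they appear in the question's log; the strongSwan "received packet" format and the short healthy sample at the end are constructed by me for contrast and are assumptions, not output from the poster's system.

```python
"""Triage helper for NetworkManager-l2tp / strongSwan (charon) syslog lines.

Reports the failure patterns discussed in the answer:
  - UDP 1701 already bound (system xl2tpd conflict),
  - IKE main mode request sent and retransmitted with no reply from the peer,
  - charon stopped by SIGINT while still CONNECTING (nm-l2tp 10 s timeout).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Patterns taken from the message texts in the question's log. Only lines
# logged by charon itself are counted; NetworkManager re-logs the same charon
# messages without the "charon:" prefix, and those copies are ignored so that
# packets are not double counted.
BIND_FAIL  = re.compile(r"nm-l2tp-service\[\d+\]: Can't bind to port (\d+)")
MAIN_MODE  = re.compile(r"charon: \d+\[IKE\] initiating Main Mode IKE_SA \S+ to (\S+)")
SENT       = re.compile(r"charon: \d+\[NET\] sending packet: from \S+ to \S+ \(\d+ bytes\)")
# Assumed strongSwan format for an inbound IKE packet (constructed, see lead-in).
RECEIVED   = re.compile(r"charon: \d+\[NET\] received packet: from \S+ to \S+")
RETRANSMIT = re.compile(r"charon: \d+\[IKE\] sending retransmit (\d+) of request")
SIGINT     = re.compile(r"charon: \d+\[DMN\] signal of type SIGINT received")


@dataclass
class Triage:
    bind_failed_port: Optional[int] = None   # port nm-l2tp-service could not bind
    peer: Optional[str] = None               # VPN server address from the IKE_SA line
    packets_sent: int = 0                    # IKE packets charon sent
    packets_received: int = 0                # IKE packets charon received
    retransmits: int = 0                     # highest retransmit counter seen
    killed_by_sigint: bool = False           # charon shut down by SIGINT


def triage(lines: Iterable[str]) -> Triage:
    """Scan syslog lines once and collect the counters above."""
    t = Triage()
    for line in lines:
        if m := BIND_FAIL.search(line):
            t.bind_failed_port = int(m.group(1))
        elif m := MAIN_MODE.search(line):
            t.peer = m.group(1)
        elif SENT.search(line):
            t.packets_sent += 1
        elif RECEIVED.search(line):
            t.packets_received += 1
        elif m := RETRANSMIT.search(line):
            t.retransmits = max(t.retransmits, int(m.group(1)))
        elif SIGINT.search(line):
            t.killed_by_sigint = True
    return t


def verdicts(t: Triage) -> List[str]:
    """Turn the counters into the conclusions a human reviewer would draw."""
    out: List[str] = []
    if t.bind_failed_port is not None:
        out.append(f"udp/{t.bind_failed_port} already bound: another L2TP daemon "
                   "(on Ubuntu, normally the system xl2tpd service) holds the port")
    if t.peer and t.packets_sent and t.packets_received == 0:
        out.append(f"no IKE reply from {t.peer} after {t.packets_sent} packets "
                   f"({t.retransmits} retransmits): peer unreachable or UDP/500 filtered")
    if t.killed_by_sigint and t.packets_received == 0:
        out.append("charon got SIGINT while still CONNECTING: "
                   "network-manager-l2tp's 10 s IPsec timeout expired")
    if not out:
        out.append("no known failure pattern: IKE exchange got a reply")
    return out


# Sample 1: lines copied from the failing attempt in the question.
FAILED_LOG = """
May  1 14:52:35 T480-SA nm-l2tp-service[24875]: Check port 1701
May  1 14:52:35 T480-SA nm-l2tp-service[24875]: Can't bind to port 1701
May  1 14:52:39 T480-SA charon: 12[IKE] initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May  1 14:52:39 T480-SA charon: 12[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:43 T480-SA charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 1
May  1 14:52:43 T480-SA charon: 16[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:49 T480-SA NetworkManager[24934]: sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:49 T480-SA charon: 00[DMN] signal of type SIGINT received. Shutting down
""".strip().splitlines()

# Sample 2: constructed healthy exchange (the peer answers the first request).
HEALTHY_LOG = """
May  1 14:52:39 T480-SA charon: 12[IKE] initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May  1 14:52:39 T480-SA charon: 12[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:39 T480-SA charon: 13[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.1.6.132[500] (160 bytes)
""".strip().splitlines()


if __name__ == "__main__":
    for name, log in (("failed", FAILED_LOG), ("healthy", HEALTHY_LOG)):
        print(f"[{name}]")
        for v in verdicts(triage(log)):
            print("  -", v)
```

To use it on a real machine, pipe `journalctl -u NetworkManager` (or the relevant syslog file) into `triage()` line by line. The three verdicts are independent on purpose: the port 1701 conflict is reported even when IKE later succeeds, because it will still break the L2TP stage, and the SIGINT verdict only fires when no reply was ever received, so a normal disconnect is not misread as a timeout.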