Ubuntu and Debian known issues #12
Will there be a PPA for this? |
Been waiting for the AppArmor fix and want to incorporate a compatibility fix for older IPsec VPN servers that only support weak cyphers that are no longer included with the strongSwan default proposal before doing a PPA. Maybe in the next couple of weeks. I'm hoping to eventually submit a package to Debian so it makes it to all the Debian derivatives including Ubuntu. |
Does anyone have a bug in Ubuntu proper for this? If not, perhaps we should create one and all express interest in it. If the official ubuntu repos contained the updated xl2tpd and apparmor profiles wouldn't this issue be resolved with a simple |
I did provide a link above for the AppArmor name space issue with strongswan when NetworkManager is involved. The Ubuntu bug has been given an importance of High and even given a status of One Hundred Papercuts which is intended to make the Ubuntu experience a pleasure : I agree someone should report the xl2tpd issue, but unfortunately it only affects a minority of people and no one with the issue has officially reported it to Ubuntu or even upstream to xl2tpd. I'm no longer able to reproduce the issue, but once was able to with a laptop I no longer have access to. Back then through trial and error, I thought the issue was related to the -fstack-protector-strong gcc flag that the system xl2tpd gets built with. Unfortunately I never got around to completing any thorough diagnostics, so wasn't able to submit an xl2tpd bug report myself. The xl2tpd issue isn't holding me back from submitting a package to Debian, but the AppArmor strongSwan issue is, as it affects everyone that wants to use IPsec with this VPN plugin. I'll probably do a PPA for network-manager-l2tp-1.2.4 once I finish the version 1.2.4 code. |
@dkosovic I installed network-manager-l2tp on Ubuntu 16 and followed the above-mentioned steps to disable the two strongSwan AppArmor profiles. However, when I connect to the VPN, I can access sites in the network by IP, but DNS is not getting resolved. In syslog, I am getting the error below:
|
Thanks, I've updated the strongSwan AppArmor section so that the two profiles are disabled permanently by creating sym-links in |
@dkosovic Error fixed by changing the name resolving priority list in /etc/nsswitch.conf. Our VPN network has DNS ending with .local, so I changed the priority in this file to the below
Basically we wanted to have dns before mdns. |
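Added example, not part of the original thread: a small check of the ordering described in the comment above, reporting whether the `hosts:` line of an nsswitch.conf-style file lists `dns` before any `mdns*` source. The function name `hosts_order_status` and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify the order of sources on the
# "hosts:" line of an nsswitch.conf-style file.
# Prints one of: dns-first, mdns-first, no-mdns, no-dns, no-hosts.
hosts_order_status() {
    file=${1:-/etc/nsswitch.conf}
    if ! grep -Eq '^[[:space:]]*hosts:' "$file" 2>/dev/null; then
        echo no-hosts
        return 0
    fi
    # First hosts: line, with comments and [STATUS=action] items removed.
    line=$(sed -n 's/#.*//; s/\[[^]]*\]//g; s/^[[:space:]]*hosts:[[:space:]]*//p' "$file" | head -n 1)
    dns_pos=0
    mdns_pos=0
    i=0
    for src in $line; do
        i=$((i + 1))
        case $src in
            dns)   if [ "$dns_pos" -eq 0 ]; then dns_pos=$i; fi ;;
            mdns*) if [ "$mdns_pos" -eq 0 ]; then mdns_pos=$i; fi ;;
        esac
    done
    if [ "$dns_pos" -eq 0 ]; then echo no-dns
    elif [ "$mdns_pos" -eq 0 ]; then echo no-mdns
    elif [ "$dns_pos" -lt "$mdns_pos" ]; then echo dns-first
    else echo mdns-first
    fi
}

# Constructed sample lines (assumed for illustration, not quoted from the thread).
sample=$(mktemp)
printf 'hosts: files mdns4_minimal [NOTFOUND=return] dns\n' > "$sample"
echo "sample A: $(hosts_order_status "$sample")"
printf 'hosts: files dns mdns4_minimal [NOTFOUND=return]\n' > "$sample"
echo "sample B: $(hosts_order_status "$sample")"
rm -f "$sample"
```

Called with no argument, the function reads /etc/nsswitch.conf on the local machine.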
Sometimes the following error occurs while connecting to an L2TP VPN: In this case the following steps can help to fix the problem:
The interesting thing here is that it was found out that for the same VPN server one client can connect with the default PPP settings without any error and another client should update its settings. It would be nice to add this issue to the wiki, just in case it can help someone. |
In Ubuntu 17.04 (Zesty Zapus) NetworkManager has switched from DNSMasq to Systemd-resolved for DNS. Unfortunately - because the PPP interface isn't "managed" by NetworkManager - the VPN DNS servers are discarded and not used by the systemd-resolve plugin. The only current solution is to roll back to using DNSMasq:
|
@daramos thanks, I've updated the wiki which now contains the currently known issues with your comments. @dstepanovsrc sorry I lost track of your comment, I'm happy to add it, but was thinking of reorganizing things, maybe splitting general issues from Linux distro specific issues in possibly separate pages. I might have a new wiki page with common error messages and how to fix them and include your comment, but haven't thought it out yet on how to split things. Now that the strongswan AppArmor bug has been fixed and recently been pushed to yakkety-proposed and xenial-proposed (and hopefully beyond soon), I now have the incentive to create a PPA package for networkmanager-l2tp. |
Thanks! |
Sorry to spam, but NetworkManager accepted and resolved the bug. The patch was added to the 1.6 branch so hopefully Ubuntu/Debian will pull it in. |
There is now a new PPA, network-manager-l2tp 1.2.4 packages for 17.04 (zesty), 16.10 (yakkety) and 16.04 (xenial) can be found here: |
Hey there!
|
Probably the same reason kernel 4.11.3 broke L2TP/IPsec on Fedora : See the following for the kernel patch: |
network-manager-l2tp 1.2.6-2 was accepted into Debian Sid (unstable) today : Once the builds make their way to mirrors, I'll submit an Ubuntu "sync network-manager-l2tp from debian" request. For Ubuntu xenial (16.04) and yakkety (16.10) I suspect it'll need to be a merge request rather than a sync, as the xenial and yakkety packages require explicit revisions of strongswan and xl2tpd packages from xenial-updates and yakkety-updates due to bug fixes. |
I've requested an Ubuntu backport of network-manager-l2tp from artful (17.10) to xenial (16.04) which includes intermediate zesty (17.04) and yakkety (16.10) releases : Please vote for the backport by clicking the "this bug affects me" link in the launchpad bug report. |
New network-manager-l2tp 1.2.8 packages have been released for Debian Sid. Ubuntu 17.10 (artful) has automatically added them. It includes new translations, bug fix for strongswan (instead of just stopping the connection, it stops the child strongswan process that is using a custom config file) when tearing down a VPN connection and cleans up the generated files. I've created network-manager-l2tp 1.2.8 backport PPA packages for Ubuntu 16.04 and 17.10 : as it doesn't look like Ubuntu will be officially backporting the packages any time soon for Ubuntu 16.04 and 17.10, LP bug# 1697934. As Debian Sid and Ubuntu 17.04 are shipping libreswan, I've changed the network-manager-l2tp 1.2.8 package dependency from strongswan to either strongswan or libreswan. I've also backported libreswan to Ubuntu 16.04. To use libreswan instead of strongswan, issue:
With libreswan, there shouldn't be a need to specify phase 1 and phase 2 algorithms in the IPsec advanced settings. To check if there are IPsec system issues, the Libreswan verify command sometimes comes in handy, e.g.:
I've also released network-manager-l2tp 1.0.8 PPA packages for Ubuntu 14.04. network-manager-l2tp 1.0.8 is basically a backport of fixes from 1.2.8, but designed to work with NetworkManager 0.9.8 or 1.0.x. |
Closing this issue as it has been replaced by the wiki, there are also now packages in Debian Sid and Ubuntu 17.10 and Ubuntu strongswan and xl2tpd packages have been fixed. Nowadays, the two main issues why people using the
|
Please see https://github.com/nm-l2tp/network-manager-l2tp/wiki for current known issues, but some comments below are still relevant.