Ubuntu and Debian known issues #12

Closed
dkosovic opened this issue Jun 29, 2016 · 20 comments
@dkosovic

dkosovic commented Jun 29, 2016

Please see https://github.com/nm-l2tp/network-manager-l2tp/wiki for current known issues, but some comments below are still relevant.

@kmf

kmf commented Jul 27, 2016

Will there be a PPA for this?

@dkosovic

dkosovic commented Jul 27, 2016

Been waiting for the AppArmor fix and want to incorporate a compatibility fix for older IPsec VPN servers that only support weak ciphers that are no longer included with the strongSwan default proposal before doing a PPA. Maybe in the next couple of weeks.

I'm hoping to eventually submit a package to Debian so it makes it to all the Debian derivatives including Ubuntu.

@bash-horatio

bash-horatio commented Aug 13, 2016

@dkosovic Cool, looking forward to this becoming an official package in the repos.
BTW, could I build this as a deb package temporarily, and upload it to DebianCN repo?

@skewty

skewty commented Aug 14, 2016

Does anyone have a bug in Ubuntu proper for this? If not, perhaps we should create one and all express interest in it.

If the official ubuntu repos contained the updated xl2tpd and apparmor profiles wouldn't this issue be resolved with a simple apt install xl2tpd strongswan?

@dkosovic

dkosovic commented Aug 15, 2016

I did provide a link above for the AppArmor namespace issue with strongswan when NetworkManager is involved. The Ubuntu bug has been given an importance of High and even given a status of One Hundred Papercuts which is intended to make the Ubuntu experience a pleasure :

I agree someone should report the xl2tpd issue, but unfortunately it only affects a minority of people and no one with the issue has officially reported it to Ubuntu or even upstream to xl2tpd. I'm no longer able to reproduce the issue, but once was able to with a laptop I no longer have access to. Back then through trial and error, I thought the issue was related to the -fstack-protector-strong gcc flag that the system xl2tpd gets built with. Unfortunately I never got around to completing any thorough diagnostics, so wasn't able to submit a xl2tpd bug report myself.

The xl2tpd issue isn't holding me back from submitting a package to Debian, but the AppArmor strongSwan issue is as it affects everyone that wants to use IPsec with this VPN plugin.

I'll probably do a PPA for network-manager-l2tp-1.2.4 once I finish the version 1.2.4 code.

@vinod-nsi

@dkosovic I installed network-manager-l2tp on Ubuntu 16 and followed above mentioned steps to disable two strongSwan AppArmor profiles. However, when I connect to VPN, I can access sites in network with IP. However, DNS is not getting resolved.

In syslog, I am getting below error:

Sep 4 20:45:06 vinod-laptop kernel: [ 758.624519] audit: type=1400 audit(1473002106.337:306): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=2595 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

@dkosovic

dkosovic commented Sep 5, 2016

Thanks, I've updated the strongSwan AppArmor section so that the two profiles are disabled permanently by creating symlinks in /etc/apparmor.d/disable/. The apparmor_parser -R option just disables the specified profile for the currently running kernel.
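Added example, not code from the nm-l2tp project or from anyone in this thread: the permanent disable described in the comment above, as a script. A symlink in /etc/apparmor.d/disable/ makes the AppArmor init scripts skip the profile at boot, and `apparmor_parser -R` unloads it from the running kernel so no reboot is needed. Profile file names follow AppArmor's convention of the binary path with slashes replaced by dots (the denial log above names `/usr/lib/ipsec/charon`, so the file is `usr.lib.ipsec.charon`; the second strongSwan profile, `usr.lib.ipsec.stroke`, is assumed here). `APPARMOR_D` is overridable so the function can be exercised against a scratch directory. Keep in mind this removes confinement from a root daemon that parses IKE packets from the network; the comments further down note that the Ubuntu strongswan bug was later fixed, at which point the workaround should be reverted by deleting the symlinks.

```shell
#!/bin/sh
# Added example (not from network-manager-l2tp): permanently disable an
# AppArmor profile by symlinking it into disable/, then unload it from the
# running kernel with apparmor_parser -R.
set -eu

# Directory holding the profiles; override for testing against a scratch dir.
APPARMOR_D="${APPARMOR_D:-/etc/apparmor.d}"

# disable_profile NAME -> 0 on success, 1 if the profile file does not exist.
# Idempotent: re-running on an already disabled profile is a no-op.
disable_profile() {
    name="$1"
    profile="$APPARMOR_D/$name"
    link="$APPARMOR_D/disable/$name"
    [ -f "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
    mkdir -p "$APPARMOR_D/disable"
    [ -L "$link" ] || ln -s "$profile" "$link"
    # Unload from the live kernel only when AppArmor is actually present;
    # failures here (not root, profile not loaded) do not undo the symlink.
    if command -v apparmor_parser >/dev/null 2>&1 && [ -r /sys/kernel/security/apparmor/profiles ]; then
        apparmor_parser -R "$profile" 2>/dev/null || true
    fi
    return 0
}

# is_disabled NAME -> 0 when disable/NAME is a symlink to the profile file.
is_disabled() {
    [ -L "$APPARMOR_D/disable/$1" ] && [ "$(readlink "$APPARMOR_D/disable/$1")" = "$APPARMOR_D/$1" ]
}

# Real use (needs root): sh disable-profiles.sh --apply
# Profile names assumed from Ubuntu's strongswan package.
if [ "${1:-}" = "--apply" ]; then
    for p in usr.lib.ipsec.charon usr.lib.ipsec.stroke; do
        disable_profile "$p"
    done
fi
```

To revert once a fixed strongswan package is installed, remove the two symlinks and reload the profiles with `apparmor_parser -r`.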

@vinod-nsi

vinod-nsi commented Sep 6, 2016

@dkosovic Error fixed by changing the name resolution priority list in /etc/nsswitch.conf

Our VPN network has DNS ending with .local. So I changed priority in this file to below

hosts: files dns mdns4_minimal [NOTFOUND=return]

Basically we wanted to have dns before mdns.
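Added example, not code from the commenter or the project: the nsswitch.conf change above as a script, so the edit can be applied and verified rather than done by hand. The point of the change is the `[NOTFOUND=return]` action: with Ubuntu's default order (`files mdns4_minimal [NOTFOUND=return] dns`), mdns4_minimal answers NOTFOUND for every `.local` name that is not on the link, and the action stops the lookup there, so the VPN's DNS server is never asked. Moving `dns` ahead of it lets the VPN resolver answer first. The function only rewrites that exact default pattern and leaves any other hosts: line alone; the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): put "dns" before
# "mdns4_minimal [NOTFOUND=return]" on the hosts: line of an nsswitch.conf.
set -eu

# fix_hosts_order FILE -> rewrites FILE in place. Returns 0 if the hosts:
# line was changed, 1 if it was already in the wanted order or did not match
# the known default pattern (in which case the file is left untouched).
fix_hosts_order() {
    file="$1"
    before=$(grep -E '^hosts:' "$file" || true)
    # \1 = "hosts: files" (original spacing kept), \2 = the mdns clause,
    # \3 = the separator after dns, so trailing entries such as myhostname survive.
    sed -E -i 's/^(hosts:[[:space:]]+files)[[:space:]]+(mdns4_minimal[[:space:]]+\[NOTFOUND=return\])[[:space:]]+dns([[:space:]]|$)/\1 dns \2\3/' "$file"
    after=$(grep -E '^hosts:' "$file" || true)
    [ "$before" != "$after" ]
}

# hosts_line FILE -> prints the hosts: line with runs of whitespace squeezed,
# handy for a quick check of the resulting order.
hosts_line() {
    grep -E '^hosts:' "$1" | tr -s '[:space:]' ' ' | sed 's/ $//'
}

# Real use (needs root): sudo sh fix-nsswitch.sh --apply
if [ "${1:-}" = "--apply" ]; then
    fix_hosts_order /etc/nsswitch.conf && echo "hosts: order changed" || echo "hosts: line left as is"
    hosts_line /etc/nsswitch.conf
fi
```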

@dstepanovsrc

Sometimes the following error occurs while connecting to an L2TP VPN:
EAP: peer reports authentication failure

In this case the following steps can help to fix the problem:

  1. Open the configuration window for your VPN connection.
  2. Push the "PPP Settings" button.
  3. Uncheck the PAP, CHAP and EAP authentication methods.
  4. Check the "Use Point-to-Point encryption (MPPE)" checkbox. Set security to "All Available".

The interesting thing here is that it was found out that for the same VPN server one client can connect with the default PPP settings without any error and another client should update its settings. It would be nice to add this issue to the wiki, just in case it can help someone.

@daramos

daramos commented Feb 21, 2017

In Ubuntu 17.04 (Zesty Zapus) NetworkManager has switched from DNSMasq to Systemd-resolved for DNS.

Unfortunately - because the PPP interface isn't "managed" by NetworkManager - the VPN DNS servers are discarded and not used by the systemd-resolve plugin.

The only current solution is to roll back to using DNSMasq:

  1. Edit /etc/NetworkManager/NetworkManager.conf and add the following line under the [main] section:
    dns=dnsmasq
  2. Backup the Systemd resolv.conf (NetworkManager should create a new one):
    sudo mv /etc/resolv.conf /etc/resolv.conf.systemd
  3. Disable and stop the systemd-resolved service:
    sudo systemctl disable systemd-resolved.service
    sudo systemctl stop systemd-resolved.service
  4. Restart network-manager
    sudo systemctl restart network-manager.service

@dkosovic

@daramos thanks, I've updated the wiki which now contains the currently known issues with your comments.

@dstepanovsrc sorry I lost track of your comment, I'm happy to add it, but was thinking of reorganizing things, maybe splitting general issues from Linux distro specific issues in possibly separate pages. I might have a new wiki page with common error messages and how to fix them and include your comment, but haven't thought it out yet on how to split things.

Now that the strongswan AppArmor bug has been fixed and recently been pushed to yakkety-proposed and xenial-proposed (and hopefully beyond soon), I now have the incentive to create a PPA package for networkmanager-l2tp.

@daramos

daramos commented Feb 22, 2017

Thanks!
As a FYI to others in the same boat - I've filed a bug with NetworkManager to change the behavior https://bugzilla.gnome.org/show_bug.cgi?id=779087

@daramos

daramos commented Feb 24, 2017

Sorry to spam, but NetworkManager accepted and resolved the bug. The patch was added to the 1.6 branch so hopefully Ubuntu/Debian will pull it in.

NetworkManager/NetworkManager@9138967

@dkosovic

There is now a new PPA, network-manager-l2tp 1.2.4 packages for 17.04 (zesty), 16.10 (yakkety) and 16.04 (xenial) can be found here:
https://launchpad.net/~nm-l2tp/+archive/ubuntu/network-manager-l2tp

@derdjme

derdjme commented Jun 8, 2017

Hey there!
I'm using Linux Mint 18.1. Since I've started using kernel 4.11 there are some issues:

  • The client is showing that I'm connected, but webpages are not loading

@dkosovic

dkosovic commented Jun 8, 2017

Probably the same reason kernel 4.11.3 broke L2TP/IPsec on Fedora :

See the following for the kernel patch:

@dkosovic

dkosovic commented Jun 12, 2017

network-manager-l2tp 1.2.6-2 was accepted into Debian Sid (unstable) today :

Once the builds make their way to mirrors, I'll submit an Ubuntu "sync network-manager-l2tp from debian" request.

For Ubuntu xenial (16.04) and yakkety (16.10) I suspect it'll need to be a merge request rather than a sync, as the xenial and yakkety packages require explicit revisions of strongswan and xl2tpd packages from xenial-updates and yakkety-updates due to bug fixes.

@dkosovic

dkosovic commented Jun 14, 2017

I've requested an Ubuntu backport of network-manager-l2tp from artful (17.10) to xenial (16.04) which includes intermediate zesty (17.04) and yakkety (16.10) releases :

Please vote for the backport by clicking the "this bug affects me" link in the launchpad bug report.

@dkosovic

dkosovic commented Jul 25, 2017

New network-manager-l2tp 1.2.8 packages have been released for Debian Sid. Ubuntu 17.10 (artful) has automatically added them.

It includes new translations, bug fix for strongswan (instead of just stopping the connection, it stops the child strongswan process that is using a custom config file) when tearing down a VPN connection and cleans up the generated files.

I've created network-manager-l2tp 1.2.8 backport PPA packages for Ubuntu 16.04 and 17.10 :

as it doesn't look like Ubuntu will be officially backporting the packages any time soon for Ubuntu 16.04 and 17.10, LP bug# 1697934

As Debian Sid and Ubuntu 17.04 are shipping libreswan, I've changed the network-manager-l2tp 1.2.8 package dependency from strongswan to either strongswan or libreswan. I've also backported libreswan to Ubuntu 16.04. To use libreswan instead of strongswan, issue:

sudo apt install libreswan

With libreswan, there shouldn't be a need to specify phase 1 and phase 2 algorithms in the IPsec advanced settings. To check if there are IPsec system issues, the Libreswan verify command sometimes comes in handy, e.g.:

sudo ipsec restart
sudo ipsec verify

I've also released network-manager-l2tp 1.0.8 PPA packages for Ubuntu 14.04. network-manager-l2tp 1.0.8 is basically a backport of fixes from 1.2.8, but designed to work with NetworkManager 0.9.8 or 1.0.x.

@dkosovic

dkosovic commented Oct 27, 2017

Closing this issue as it has been replaced by the wiki, there are also now packages in Debian Sid and Ubuntu 17.10 and Ubuntu strongswan and xl2tpd packages have been fixed.

Nowadays, the two main reasons people using the network-manager-l2tp and network-manager-l2tp-gnome packages aren't able to connect are:

  1. L2TP/IPsec servers that are only using the broken 3DES algorithm (e.g. to maintain WinXP and earlier client compatibility). The VPN server should be updated to use more modern algorithms, but the README.md file provides a workaround for using broken algorithms if it can't.

  2. Not able to connect if the system xl2tpd service is not stopped. An ephemeral port will be used if the system xl2tpd is not stopped. Although the use of an ephemeral port is considered acceptable in RFC3193, the L2TP/IPsec standard co-authored by Microsoft and Cisco, there are some L2TP/IPsec servers and/or firewalls that will have issues if an ephemeral port is used.
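Added example for the second failure mode above, not code from the project's README: a check for whether something already holds UDP 1701 before connecting. If the distribution's xl2tpd service is bound to 1701, the plugin's own xl2tpd instance falls back to an ephemeral source port, which is RFC 3193-legal but rejected by some servers and firewalls, so the fix is to stop the system service (and, so it does not come back at boot, disable it). The parser works on the text output of `ss -Hlunp`, which lists UDP listeners with the owning process when run as root, so it can be checked offline against a captured sample; the sample below is constructed, not taken from a real host. `xl2tpd_check` runs it live.

```shell
#!/bin/sh
# Added example (not from network-manager-l2tp): find out who holds UDP 1701.
set -eu

# udp1701_owners SS_OUTPUT -> prints the process name of each UDP socket bound
# to port 1701, "unknown" when the process column is missing (not root), and
# nothing when the port is free. Expects "ss -Hlunp" style lines:
#   UNCONN 0 0 0.0.0.0:1701 0.0.0.0:* users:(("xl2tpd",pid=1234,fd=3))
udp1701_owners() {
    printf '%s\n' "$1" |
        awk '$4 ~ /:1701$/ {
                 if (match($0, /users:\(\("[^"]+"/)) {
                     # strip the leading users:((" (9 chars) and trailing quote
                     print substr($0, RSTART + 9, RLENGTH - 10)
                 } else {
                     print "unknown"
                 }
             }'
}

# xl2tpd_check -> 0 if UDP 1701 is free, 1 if held (prints the holder).
xl2tpd_check() {
    owners=$(udp1701_owners "$(ss -Hlunp 2>/dev/null)")
    if [ -n "$owners" ]; then
        printf 'UDP 1701 is held by: %s\n' "$owners"
        echo 'free it with: sudo systemctl stop xl2tpd && sudo systemctl disable xl2tpd'
        return 1
    fi
    echo "UDP 1701 is free; the plugin's xl2tpd can bind the standard port"
}

# Constructed sample output, used for offline checking only.
SAMPLE_SS='UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=611,fd=12))
UNCONN 0 0 0.0.0.0:1701 0.0.0.0:* users:(("xl2tpd",pid=1234,fd=3))
UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("charon",pid=2595,fd=10))'

# Real use: sudo sh check-1701.sh --live
if [ "${1:-}" = "--live" ]; then xl2tpd_check; fi
```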
