Forum of the Russian-speaking Ubuntu community



Topic: After upgrading from 18.04 to 20.04 the VPN (L2TP/IPsec) connection stopped working (Read 2701 times)


nockdown (topic author; kubuntu 20.04.3 64bit):
After upgrading from 18.04 to 20.04, the VPN (L2TP/IPsec) connection from home to pfSense 2.5.2 stopped working.
IPsec settings on pfSense:
Key Exchange version - IKEv1
Internet Protocol - IPv4
Phase 1 Proposal (Authentication) Authentication Method - Mutual PSK
Phase 1 Proposal (Authentication) Negotiation mode - Main
1st:
Phase 1 Proposal (Encryption Algorithm) Encryption Algorithm - Algorithm - AES
Phase 1 Proposal (Encryption Algorithm) Encryption Algorithm - Key length - 256 bits
Phase 1 Proposal (Encryption Algorithm) Encryption Algorithm - Hash - SHA1
Phase 1 Proposal (Encryption Algorithm) Encryption Algorithm - DH Group - 14 (2048 bits)
2nd:
Phase 1 Proposal (Encryption Algorithm) Encryption Algorithm - Algorithm - AES
Phase 1 Proposal (Encryption Algorithm) Encryption Algorithm - Key length - 128 bits
Phase 1 Proposal (Encryption Algorithm) Encryption Algorithm - Hash - SHA1
Phase 1 Proposal (Encryption Algorithm) Encryption Algorithm - DH Group - 2 (1024 bits)

IKEv1 algorithms offered by the VPN server:
sudo ./ike-scan.sh XXX.XXX.XXX.XXX | grep SA=
        SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
        SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
        SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)


Configured at home:
Gateway: gate.xxx.ru
User name: login
Password: password
Enable IPsec tunnel to L2TP host - checked
Pre-shared Key - secret
Phase1 algorithms: empty
Phase2 algorithms: empty
Enforce UDP encapsulation - checked

The home machine runs:
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal

Installed packages:
libreswan 3.29-2build1
network-manager-l2tp 1.2.16-1

Checking which implementation IPsec uses:
ipsec --version
Linux Libreswan v4.5-769-g0427fd2bc6-main (XFRM) on 5.4.0-91-generic

NetworkManager journal:
journalctl -u NetworkManager.service
NetworkManager[985]: <info>  [1639930984.4586] audit: op="statistics" arg="refresh-rate-ms" pid=1575 uid=1000 result="success"
NetworkManager[985]: <info>  [1639930985.6551] audit: op="connection-activate" uuid="4bcada90-93e5-4afa-9e11-1c3aec8e1937" name="speech" pid=1575 uid=1000 result="success"
NetworkManager[985]: <info>  [1639930985.6580] vpn-connection[0x55b189866570,4bcada90-93e5-4afa-9e11-1c3aec8e1937,"speech",0]: Started the VPN service, PID 44306
NetworkManager[985]: <info>  [1639930985.6630] vpn-connection[0x55b189866570,4bcada90-93e5-4afa-9e11-1c3aec8e1937,"speech",0]: Saw the service appear; activating connection
nm-l2tp-service[44306]: Check port 1701
nm-l2tp-service[44306]: Can't bind to port 1701
NetworkManager[44317]: Redirecting to: systemctl restart ipsec.service
NetworkManager[44636]: 002 listening for IKE messages
NetworkManager[44636]: 002 forgetting secrets
NetworkManager[44636]: 002 loading secrets from "/etc/ipsec.secrets"
NetworkManager[44636]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
NetworkManager[44641]: debugging mode enabled
NetworkManager[44641]: end of file /run/nm-l2tp-4bcada90-93e5-4afa-9e11-1c3aec8e1937/ipsec.conf
NetworkManager[44641]: Loading conn 4bcada90-93e5-4afa-9e11-1c3aec8e1937
NetworkManager[44641]: starter: left is KH_DEFAULTROUTE
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" modecfgdns=<unset>
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" modecfgdomains=<unset>
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" modecfgbanner=<unset>
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" mark=<unset>
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" mark-in=<unset>
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" mark-out=<unset>
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" vti_iface=<unset>
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" redirect-to=<unset>
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" accept-redirect-to=<unset>
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" esp=aes256-sha1,aes128-sha1,3des-sha1
NetworkManager[44641]: conn: "4bcada90-93e5-4afa-9e11-1c3aec8e1937" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp_384,aes128-sha1-modp1024,aes128-sha1-ecp>
NetworkManager[44641]: opening file: /run/nm-l2tp-4bcada90-93e5-4afa-9e11-1c3aec8e1937/ipsec.conf
NetworkManager[44641]: loading named conns: 4bcada90-93e5-4afa-9e11-1c3aec8e1937
NetworkManager[44641]: seeking_src = 1, seeking_gateway = 1, has_peer = 1
NetworkManager[44641]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
NetworkManager[44641]: dst  via 192.168.1.1 dev enp39s0 src  table 254
NetworkManager[44641]: set nexthop: 192.168.1.1
NetworkManager[44641]: dst 169.254.0.0 via  dev enp39s0 src  table 254
NetworkManager[44641]: dst 192.168.0.0 via  dev enp39s0 src 192.168.100.5 table 254
NetworkManager[44641]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
NetworkManager[44641]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
NetworkManager[44641]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
NetworkManager[44641]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
NetworkManager[44641]: dst 192.168.0.0 via  dev enp39s0 src 192.168.100.5 table 255 (ignored)
NetworkManager[44641]: dst 192.168.100.5 via  dev enp39s0 src 192.168.100.5 table 255 (ignored)
NetworkManager[44641]: dst 192.168.255.255 via  dev enp39s0 src 192.168.100.5 table 255 (ignored)
NetworkManager[44641]: seeking_src = 1, seeking_gateway = 0, has_peer = 1
NetworkManager[44641]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
NetworkManager[44641]: dst 192.168.1.1 via  dev enp39s0 src 192.168.100.5 table 254
NetworkManager[44641]: set addr: 192.168.100.5
NetworkManager[44641]: seeking_src = 0, seeking_gateway = 0, has_peer = 1
NetworkManager[44643]: 002 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #1: initiating Main Mode
NetworkManager[44643]: 104 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #1: STATE_MAIN_I1: initiate
NetworkManager[44643]: 002 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #1: WARNING: connection 4bcada90-93e5-4afa-9e11-1c3aec8e1937 PSK length of 8 bytes is too short for sha PRF in FIPS mode (10 bytes required)
NetworkManager[44643]: 106 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #1: STATE_MAIN_I2: sent MI2, expecting MR2
NetworkManager[44643]: 108 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #1: STATE_MAIN_I3: sent MI3, expecting MR3
NetworkManager[44643]: 002 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #1: Peer ID is ID_IPV4_ADDR: 'XXX.XXX.XXX.XXX'
NetworkManager[44643]: 004 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}
NetworkManager[44643]: 002 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:5b192655 proposal=AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA>
NetworkManager[44643]: 117 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: STATE_QUICK_I1: initiate
NetworkManager[44643]: 010 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
NetworkManager[44643]: 010 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
NetworkManager[44643]: 010 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
NetworkManager[44643]: 010 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
NetworkManager[44643]: 010 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
nm-l2tp-service[44306]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
NetworkManager[985]: <info>  [1639930996.0948] vpn-connection[0x55b189866570,4bcada90-93e5-4afa-9e11-1c3aec8e1937,"speech",0]: VPN plugin: state changed: stopped (6)
NetworkManager[985]: <info>  [1639930996.0971] vpn-connection[0x55b189866570,4bcada90-93e5-4afa-9e11-1c3aec8e1937,"speech",0]: VPN service disappeared
NetworkManager[985]: <warn>  [1639930996.0982] vpn-connection[0x55b189866570,4bcada90-93e5-4afa-9e11-1c3aec8e1937,"speech",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
NetworkManager[985]: <info>  [1639930999.1694] audit: op="statistics" arg="refresh-rate-ms" pid=1575 uid=1000 result="success"
NetworkManager[44643]: 010 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: STATE_QUICK_I1: retransmission; will wait 16 seconds for response
NetworkManager[44643]: 010 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: STATE_QUICK_I1: retransmission; will wait 32 seconds for response
NetworkManager[44643]: 031 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: STATE_QUICK_I1: 60 second timeout exceeded after 7 retransmits.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
NetworkManager[44643]: 000 "4bcada90-93e5-4afa-9e11-1c3aec8e1937" #2: starting keying attempt 2 of an unlimited number, but releasing whack

As far as I understand, Libreswan version 3.30 (13 February 2020) disabled support for DH2 / modp1024 at compile time. Ubuntu 20.04 was the last release that shipped Libreswan 3.29.
What do you think is the reason the VPN connection stopped working?
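An added example (not from the post or from the nm-l2tp project) that reads the two artefacts above the way a defender would: it normalises the ike-scan `SA=` lines into Libreswan's `enc-hash-group` notation and intersects them with the `ike=` list nm-l2tp generated, and it classifies pluto's state messages to show that Phase 1 completed and only Quick Mode (Phase 2) was rejected. The sample strings are constructed from the post with the gateway address masked; `"conn"` stands in for the connection UUID.

```python
import re

# Constructed sample: ike-scan output from the post (PSK and RSA_Sig entries).
IKE_SCAN_OUTPUT = """\
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=28800)
"""
# Prefix of the ike= line nm-l2tp wrote into the generated ipsec.conf.
CLIENT_IKE = ("aes256-sha2_256-modp2048,aes256-sha2_256-modp1024,"
              "aes256-sha1-modp2048,aes256-sha1-modp1024,aes128-sha1-modp1024")
# Constructed excerpt of the pluto messages from the NetworkManager journal.
PLUTO_LOG = [
    '004 "conn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP2048}',
    '002 "conn" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW',
    '010 "conn" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response',
    '031 "conn" #2: STATE_QUICK_I1: 60 second timeout exceeded after 7 retransmits.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal',
]

SA_RE = re.compile(r"SA=\(Enc=(\w+) KeyLength=(\d+) Hash=(\w+) Group=\d+:(\w+) Auth=(\w+)")


def server_psk_proposals(scan_output):
    """Turn ike-scan SA= lines into Libreswan enc-hash-group names (PSK entries only)."""
    found = set()
    for enc, klen, hsh, group, auth in SA_RE.findall(scan_output):
        if auth == "PSK":
            found.add(f"{enc.lower()}{klen}-{hsh.lower()}-{group}")
    return found


def phase1_overlap(scan_output, ike_line):
    """Phase 1 proposals both sides accept, in the client's preference order."""
    server = server_psk_proposals(scan_output)
    return [p for p in ike_line.split(",") if p in server]


def diagnose(lines):
    """Name the IKEv1 stage that failed, judging only by pluto's state messages."""
    phase1_ok = any("ISAKMP SA established" in l for l in lines)
    pfs = any("initiating Quick Mode" in l and "+PFS+" in l for l in lines)
    quick_timeout = any("STATE_QUICK_I1" in l and "timeout exceeded" in l for l in lines)
    if not phase1_ok:
        return "phase1-failed"
    if quick_timeout:
        # Phase 1 agreed, so the mismatch is in Phase 2 (ESP proposal or PFS group).
        return "phase2-rejected-with-pfs" if pfs else "phase2-rejected"
    return "ok"
```

For this post the overlap is non-empty (the log confirms Phase 1 agreed on aes256-sha1-modp2048), so the thing to compare next is the pfSense Phase 2 entry, which the post does not show, against the generated `esp=` list and the PFS group.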

damix:
nockdown, this may not be related to the upgrade. I have 18.04, the same packages and settings, libreswan 3.23-4, and ipsec fails with the same log. How did you end up solving the problem?

https://github.com/nm-l2tp/NetworkManager-l2tp/issues/125
