L2TP / IPSec failing to connect (Ubuntu 19.10)
I think the following is the issue:
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-147f9a0d-9b02-4cc9-8942-b4e5b4061110.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-6a6bdfbd-3ad5-4b01-82cd-a32cd48d067f.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-88936113-b02d-48b7-a98e-04758a426172.secrets"
I would delete those nm-l2tp-ipsec-*.secrets files as they didn't get cleaned up most likely due to ungraceful shutdown of the corresponding VPN connections. I'm guessing you are not using a Gateway ID
which qualifies the PSK in those nm-l2tp-ipsec-*.secrets files, so strongswan is probably picking the wrong PSK found in the last nm-l2tp-ipsec-*.secrets file.
Another alternative is to upgrade from network-manager-l2tp 1.2.10 to version 1.2.16 from the PPA on the following page. The new version no longer uses different nm-l2tp-ipsec-*.secrets files for different VPN connections and the new package deletes any stray nm-l2tp-ipsec-*.secrets files from earlier versions :
With version 1.2.16 you could also remove the Phase 1 & 2 algorithms as it now uses a merge of Windows 10 and macOS/iOS/iPadOS L2TP/IPsec clients' IKEv1 proposals for its default (instead of the strongswan default set of proposals). The weakest proposals that were not common to both Win10 and iOS were dropped, but all of the strongest ones were kept.
![PMV](https://lh5.googleusercontent.com/-ctA8i_qfIzw/AAAAAAAAAAI/AAAAAAAAAZk/rvF9rAHjfjo/photo.jpg?sz=256)
PMV
Updated on September 18, 2022Comments
-
PMV almost 2 years
On ubuntu 18.04 LTE VPN connection works properly, but on 19.10 I got:
hidden@hidden:~$ tail -f /var/log/syslog hidden NetworkManager[862]: <info> [1574066091.0450] audit: op="connection-activate" uuid="88936113-b02d-48b7-a98e-04758a426172" name="hidden" pid=1761 uid=1000 result="success" hidden NetworkManager[862]: <info> [1574066091.0486] vpn-connection[0x564b018846f0,88936113-b02d-48b7-a98e-04758a426172,"hidden",0]: Saw the service appear; activating connection hidden NetworkManager[862]: <info> [1574066091.1669] vpn-connection[0x564b018846f0,88936113-b02d-48b7-a98e-04758a426172,"hidden",0]: VPN connection: (ConnectInteractive) reply received hidden systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec... hidden whack[10939]: 002 shutting down hidden ipsec[10942]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden libipsecconf[10944]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden systemd[1]: ipsec.service: Succeeded. hidden systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec. hidden systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec... hidden addconn[10948]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden libipsecconf[10948]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden _stackmanager[10950]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden libipsecconf[10960]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden _stackmanager[10950]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden libipsecconf[10968]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden ipsec[11252]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden libipsecconf[11254]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden ipsec[11252]: nflog ipsec capture disabled hidden systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec. hidden libipsecconf[11273]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden CRON[11287]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) hidden NetworkManager[862]: <info> [1574066101.9098] vpn-connection[0x564b018846f0,88936113-b02d-48b7-a98e-04758a426172,"hidden",0]: VPN plugin: state changed: stopped (6) hidden xdg-desktop-por[1696]: Failed to get application states: GDBus.Error:org.freedesktop.portal.Error.Failed: Could not get window list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: App introspection not allowed
hidden@hidden:~$ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug [sudo] password for hidden: nm-l2tp[10839] <debug> nm-l2tp-service (version 1.2.10) starting... nm-l2tp[10839] <debug> uses default --bus-name "org.freedesktop.NetworkManager.l2tp" nm-l2tp[10839] <info> ipsec enable flag: yes ** Message: 11:34:51.169: Check port 1701 ** Message: 11:34:51.169: Can't bind to port 1701 nm-l2tp[10839] <warn> L2TP port 1701 is busy, using ephemeral. proxy ipv6 address-data : [] dns : [] dns-search : [] method : 'auto' route-data : [] connection autoconnect : false id : 'hidden' permissions : ['user:hidden:'] type : 'vpn' uuid : '88936113-b02d-48b7-a98e-04758a426172' vpn data : {'gateway': 'x.xxx.xxx.xx', 'ipsec-enabled': 'yes', 'ipsec-esp': '3des-sha1', 'ipsec-ike': '3des-sha1;modp1024', 'ipsec-psk': '************', 'password-flags': '1', 'user': 'hidden'} secrets : {'password': '************'} service-type : 'org.freedesktop.NetworkManager.l2tp' user-name : 'hidden' ipv4 address-data : [] dns : [] dns-search : [] method : 'auto' route-data : [] nm-l2tp[10839] <info> starting ipsec Redirecting to: systemctl restart ipsec.service 002 listening for IKE messages 002 Kernel supports NIC esp-hw-offload 002 adding interface wlp2s0/wlp2s0 (esp-hw-offload=no) xxx.xxx.x.xx:500 002 adding interface wlp2s0/wlp2s0 xxx.xxx.x.xx:4500 002 Kernel supports NIC esp-hw-offload 002 adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500 002 adding interface lo/lo 127.0.0.1:4500 002 Kernel supports NIC esp-hw-offload 002 adding interface lo/lo (esp-hw-offload=no) ::1:500 002 loading secrets from "/etc/ipsec.secrets" 002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-147f9a0d-9b02-4cc9-8942-b4e5b4061110.secrets" 002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-6a6bdfbd-3ad5-4b01-82cd-a32cd48d067f.secrets" 002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-88936113-b02d-48b7-a98e-04758a426172.secrets" opening file: /run/nm-l2tp-ipsec-88936113-b02d-48b7-a98e-04758a426172.conf debugging mode enabled end of file /run/nm-l2tp-ipsec-88936113-b02d-48b7-a98e-04758a426172.conf Loading conn 88936113-b02d-48b7-a98e-04758a426172 starter: left is KH_DEFAULTROUTE loading named conns: 88936113-b02d-48b7-a98e-04758a426172 seeking_src = 1, seeking_gateway = 1, has_peer = 1 seeking_src = 0, seeking_gateway = 1, has_dst = 1 dst via xxx.xxx.x.x dev wlp2s0 src table 254 set nexthop: xxx.xxx.x.x dst xxx.xxx.x.x via dev wlp2s0 src table 254 dst xxx.xxx.x.x via dev wlp2s0 src xxx.xxx.x.xx table 254 dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored) dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored) dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored) dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored) dst xxx.xxx.x.x via dev wlp2s0 src xxx.xxx.x.xx table 255 (ignored) dst xxx.xxx.x.xx via dev wlp2s0 src xxx.xxx.x.xx table 255 (ignored) dst xxx.xxx.x.xxx via dev wlp2s0 src xxx.xxx.x.xx table 255 (ignored) seeking_src = 1, seeking_gateway = 0, has_peer = 1 seeking_src = 1, seeking_gateway = 0, has_dst = 1 dst xxx.xxx.x.x via dev wlp2s0 src xxx.xxx.x.xx table 254 set addr: xxx.xxx.x.xx seeking_src = 0, seeking_gateway = 0, has_peer = 1 conn: "88936113-b02d-48b7-a98e-04758a426172" modecfgdns=<unset> conn: "88936113-b02d-48b7-a98e-04758a426172" modecfgdomains=<unset> conn: "88936113-b02d-48b7-a98e-04758a426172" modecfgbanner=<unset> conn: "88936113-b02d-48b7-a98e-04758a426172" mark=<unset> conn: "88936113-b02d-48b7-a98e-04758a426172" mark-in=<unset> conn: "88936113-b02d-48b7-a98e-04758a426172" mark-out=<unset> conn: "88936113-b02d-48b7-a98e-04758a426172" vti_iface=<unset> conn: "88936113-b02d-48b7-a98e-04758a426172" redirect-to=<unset> conn: "88936113-b02d-48b7-a98e-04758a426172" accept-redirect-to=<unset> conn: "88936113-b02d-48b7-a98e-04758a426172" esp=3des-sha1 conn: "88936113-b02d-48b7-a98e-04758a426172" ike=3des-sha1;modp1024 002 added connection description "88936113-b02d-48b7-a98e-04758a426172" nm-l2tp[10839] <info> Spawned ipsec auto --up script with PID 11280. 002 "88936113-b02d-48b7-a98e-04758a426172" #1: initiating v2 parent SA 133 "88936113-b02d-48b7-a98e-04758a426172" #1: initiate 002 "88936113-b02d-48b7-a98e-04758a426172": constructed local IKE proposals for 88936113-b02d-48b7-a98e-04758a426172 (IKE SA initiator selecting KE): 1:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024 133 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response 010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response 010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 2 seconds for response 010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 4 seconds for response 010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 8 seconds for response nm-l2tp[10839] <warn> Timeout trying to establish IPsec connection nm-l2tp[10839] <info> Terminating ipsec script with PID 11280. nm-l2tp[10839] <warn> Could not establish IPsec tunnel. (nm-l2tp-service:10839): GLib-GIO-CRITICAL **: 11:35:01.908: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed 010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 16 seconds for response 010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 32 seconds for response 031 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: 60 second timeout exceeded after 7 retransmits. No response (or no acceptable response) to our first IKEv2 message 000 "88936113-b02d-48b7-a98e-04758a426172" #1: starting keying attempt 2 of an unlimited number, but releasing whack
Help to fix the problem.
p.s. after upgrading to network-manager-l2tp:1.2.16-1. New logs:
hidden@hidden:~$ tail -f /var/log/syslog hidden xdg-desktop-por[1688]: Failed to get application states: GDBus.Error:org.freedesktop.portal.Error.Failed: Could not get window list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: App introspection not allowed hidden gnome-software[3460]: enabled plugins: desktop-categories, fwupd, os-release, packagekit, packagekit-local, packagekit-offline, packagekit-proxy, packagekit-refine-repos, packagekit-refresh, packagekit-upgrade, packagekit-url-to-app, shell-extensions, ubuntuone, appstream, desktop-menu-path, hardcoded-blacklist, hardcoded-featured, hardcoded-popular, modalias, odrs, packagekit-refine, rewrite-resource, steam, packagekit-history, provenance, snap, systemd-updates, generic-updates, provenance-license, icons, key-colors, key-colors-metadata hidden gnome-software[3460]: disabled plugins: dpkg, dummy, repos, epiphany hidden dbus-daemon[872]: [system] Activating via systemd: service name='org.freedesktop.fwupd' unit='fwupd.service' requested by ':1.609' (uid=1000 pid=3460 comm="/usr/bin/gnome-software --gapplication-service " label="unconfined") hidden systemd[1]: Starting Firmware update daemon... hidden fwupd[3486]: 19:03:15:0057 FuPluginUefi kernel efivars support missing: /sys/firmware/efi/efivars hidden dbus-daemon[872]: [system] Activating via systemd: service name='org.freedesktop.bolt' unit='bolt.service' requested by ':1.613' (uid=0 pid=3486 comm="/usr/lib/fwupd/fwupd " label="unconfined") hidden systemd[1]: Starting Thunderbolt system service... hidden boltd[3499]: bolt 0.8 starting up. hidden boltd[3499]: store: located at: /var/lib/boltd hidden boltd[3499]: config: loading user config hidden boltd[3499]: bouncer: initializing polkit hidden boltd[3499]: udev: initializing udev hidden boltd[3499]: store: loading domains hidden boltd[3499]: store: loading devices hidden boltd[3499]: power: state located at: /run/boltd/power hidden boltd[3499]: power: force power support: no hidden boltd[3499]: udev: enumerating devices hidden dbus-daemon[872]: [system] Successfully activated service 'org.freedesktop.bolt' hidden systemd[1]: Started Thunderbolt system service. hidden dbus-daemon[872]: [system] Successfully activated service 'org.freedesktop.fwupd' hidden systemd[1]: Started Firmware update daemon. hidden systemd-resolved[837]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP. hidden systemd-resolved[837]: message repeated 5 times: [ Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.] hidden gnome-shell[1751]: [AppIndicatorSupport-DEBUG] Registering StatusNotifierItem :1.105/org/ayatana/NotificationItem/software_update_available hidden gnome-shell[1751]: [AppIndicatorSupport-FATAL] unable to update overlay icon hidden gnome-shell[1751]: [AppIndicatorSupport-FATAL] unable to update overlay icon hidden PackageKit: refresh-cache transaction /3129_eaecacde from uid 1000 finished with success after 12792ms hidden sudo: pam_ecryptfs: pam_sm_authenticate: /home/hidden is already mounted hidden gnome-software[3460]: g_path_get_basename: assertion 'file_name != NULL' failed hidden gnome-software[3460]: g_regex_match_full: assertion 'string != NULL' failed hidden gnome-software[3460]: g_path_get_basename: assertion 'file_name != NULL' failed hidden gnome-software[3460]: g_regex_match_full: assertion 'string != NULL' failed hidden gnome-software[3460]: not GsPlugin error g-io-error-quark:35: Invalid string value converting to GVariant hidden gnome-software[3460]: not handling error failed for action refine: Invalid string value converting to GVariant hidden PackageKit: resolve transaction /3130_bddeccae from uid 1000 finished with success after 1842ms hidden PackageKit: resolve transaction /3131_eedbdbed from uid 1000 finished with success after 364ms hidden PackageKit: search-file transaction /3132_aececcba from uid 1000 finished with success after 1402ms hidden PackageKit: search-file transaction /3133_bddabebe from uid 1000 finished with success after 473ms hidden PackageKit: search-file transaction /3134_ecaacead from uid 1000 finished with success after 441ms hidden PackageKit: search-file transaction /3135_bdedbdac from uid 1000 finished with success after 419ms hidden PackageKit: search-file transaction /3136_aeecdcae from uid 1000 finished with success after 440ms hidden PackageKit: search-file transaction /3137_eabbbcba from uid 1000 finished with success after 449ms hidden PackageKit: search-file transaction /3138_bbbdddca from uid 1000 finished with success after 464ms hidden NetworkManager[873]: <info> [1574535815.0927] audit: op="connection-activate" uuid="147f9a0d-9b02-4cc9-8942-b4e5b4061110" name="center 2m main office" pid=1751 uid=1000 result="success" hidden NetworkManager[873]: <info> [1574535815.0965] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: Saw the service appear; activating connection hidden NetworkManager[873]: <info> [1574535815.1410] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN connection: (ConnectInteractive) reply received hidden systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec... hidden whack[4248]: 002 shutting down hidden PackageKit: search-file transaction /3139_bdeeeabd from uid 1000 finished with success after 463ms hidden ipsec[4251]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden libipsecconf[4253]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden systemd[1]: ipsec.service: Succeeded. hidden systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec. hidden systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec... hidden addconn[4257]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden libipsecconf[4257]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden _stackmanager[4261]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden libipsecconf[4271]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden _stackmanager[4261]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden libipsecconf[4280]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden ipsec[4563]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden libipsecconf[4565]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden ipsec[4563]: nflog ipsec capture disabled hidden systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec. hidden libipsecconf[4584]: warning: could not open include filename: '/etc/ipsec.d/*.conf' hidden PackageKit: search-file transaction /3140_cdbdbeab from uid 1000 finished with success after 441ms hidden NetworkManager[873]: <info> [1574535815.8584] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN plugin: state changed: starting (3) hidden PackageKit: search-file transaction /3141_cbccdeba from uid 1000 finished with success after 464ms hidden PackageKit: search-file transaction /3142_eebdcacd from uid 1000 finished with success after 438ms hidden pppd[4639]: Plugin pppol2tp.so loaded. hidden pppd[4639]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded. hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] initializing hidden pppd[4639]: pppd 2.4.7 started by hidden, uid 0 hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] phasechange: status 3 / phase 'serial connection' hidden pppd[4639]: using channel 2 hidden pppd[4639]: Using interface ppp0 hidden pppd[4639]: Connect: ppp0 <--> hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] phasechange: status 5 / phase 'establish' hidden pppd[4639]: Overriding mtu 1500 to 1400 hidden pppd[4639]: PPPoL2TP options: debugmask 0 hidden pppd[4639]: Overriding mru 1500 to mtu value 1400 hidden pppd[4639]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x59575e93>] hidden systemd-udevd[4264]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. hidden NetworkManager[873]: <info> [1574535816.8802] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/6) hidden pppd[4639]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>] hidden pppd[4639]: sent [LCP ConfReq id=0x2 <mru 1400> <magic 0x59575e93>] hidden pppd[4639]: rcvd [LCP ConfAck id=0x2 <mru 1400> <magic 0x59575e93>] hidden pppd[4639]: rcvd [LCP ConfReq id=0x1 <mru 1376> <auth chap MS-v2> <magic 0x4b7d3524>] hidden pppd[4639]: sent [LCP ConfAck id=0x1 <mru 1376> <auth chap MS-v2> <magic 0x4b7d3524>] hidden pppd[4639]: PPPoL2TP options: debugmask 0 hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] phasechange: status 6 / phase 'authenticate' hidden pppd[4639]: rcvd [CHAP Challenge id=0x59 <fcd548a7fa533fed9f33e24612ed30a0>, name = ""] hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] passwd-hook: requesting credentials... hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] passwd-hook: got credentials from NetworkManager-l2tp hidden pppd[4639]: added response cache entry 0 hidden pppd[4639]: sent [CHAP Response id=0x59 <7a3e0b0bd07fec4c3799652ebef1220300000000000000005c897ac951604c4552b230b21a63b04c6712c8c5f454f4e800>, name = "mpashkin"] hidden pppd[4639]: rcvd [CHAP Failure id=0x59 "E=691 R=0"] hidden pppd[4639]: MS-CHAP authentication failed: E=691 Authentication failure hidden pppd[4639]: CHAP authentication failed hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] phasechange: status 10 / phase 'terminate' hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] phasechange: status 5 / phase 'establish' hidden pppd[4639]: Overriding mtu 1500 to 1400 hidden pppd[4639]: PPPoL2TP options: debugmask 0 hidden pppd[4639]: Overriding mru 1500 to mtu value 1400 hidden pppd[4639]: sent [LCP TermReq id=0x3 "Failed to authenticate ourselves to peer"] hidden pppd[4639]: rcvd [LCP TermReq id=0x2] hidden pppd[4639]: sent [LCP TermAck id=0x2] hidden pppd[4639]: rcvd [LCP TermAck id=0x3] hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] phasechange: status 11 / phase 'disconnect' hidden pppd[4639]: Connection terminated. hidden NetworkManager[873]: <warn> [1574535817.0972] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN plugin: failed: connect-failed (1) hidden NetworkManager[873]: <info> [1574535817.0972] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN plugin: state changed: stopping (5) hidden gnome-shell[1751]: Removing a network device that was not added hidden NetworkManager[873]: <info> [1574535817.1129] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN plugin: state changed: stopped (6) hidden NetworkManager[873]: <warn> [1574535817.1208] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN plugin: failed: connect-failed (1) hidden PackageKit: search-file transaction /3143_acddcbda from uid 1000 finished with success after 436ms hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] phasechange: status 1 / phase 'dead' hidden pppd[4639]: nm-l2tp[4198] <info> [helper-4639] exit: cleaning up hidden pppd[4639]: Exit. hidden PackageKit: search-file transaction /3144_beeddebe from uid 1000 finished with success after 457ms hidden PackageKit: search-file transaction /3145_deeddeec from uid 1000 finished with success after 422ms hidden PackageKit: search-file transaction /3146_cceaccda from uid 1000 finished with success after 450ms hidden gnome-software[3460]: Failed to find one package for libinput-gestures.desktop, /usr/share/applications/libinput-gestures.desktop, [0] hidden PackageKit: get-details transaction /3147_cdcacddd from uid 1000 finished with success after 386ms hidden gnome-software[3460]: Failed to load snap icon: local snap has no icon hidden gnome-software[3460]: message repeated 4 times: [ Failed to load snap icon: local snap has no icon] hidden systemd-resolved[837]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
hidden@hidden:~$ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug nm-l2tp[4198] <debug> nm-l2tp-service (version 1.2.16) starting... nm-l2tp[4198] <debug> uses default --bus-name "org.freedesktop.NetworkManager.l2tp" nm-l2tp[4198] <info> ipsec enable flag: yes ** Message: 22:03:35.143: Check port 1701 ** Message: 22:03:35.143: Can't bind to port 1701 nm-l2tp[4198] <warn> L2TP port 1701 is busy, using ephemeral. ipv6 address-data : [] dns : [] dns-search : [] method : 'auto' route-data : [] ipv4 address-data : [] dns : [] dns-search : [] method : 'auto' route-data : [] connection autoconnect : false id : 'hidden' permissions : ['user:hidden:'] timestamp : 1563201201 type : 'vpn' uuid : '147f9a0d-9b02-4cc9-8942-b4e5b4061110' proxy vpn data : {'gateway': 'xx.xx.xx.xx', 'ipsec-enabled': 'yes', 'ipsec-esp': '3des-sha1', 'ipsec-ike': '3des-sha1;modp1024', 'ipsec-psk': '******', 'password-flags': '1', 'user': 'hidden'} secrets : {'password': '******'} service-type : 'org.freedesktop.NetworkManager.l2tp' user-name : 'hidden' nm-l2tp[4198] <info> starting ipsec Redirecting to: systemctl restart ipsec.service 002 listening for IKE messages 002 forgetting secrets 002 loading secrets from "/etc/ipsec.secrets" 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets" opening file: /run/nm-l2tp-147f9a0d-9b02-4cc9-8942-b4e5b4061110/ipsec.conf debugging mode enabled end of file /run/nm-l2tp-147f9a0d-9b02-4cc9-8942-b4e5b4061110/ipsec.conf Loading conn 147f9a0d-9b02-4cc9-8942-b4e5b4061110 starter: left is KH_DEFAULTROUTE loading named conns: 147f9a0d-9b02-4cc9-8942-b4e5b4061110 seeking_src = 1, seeking_gateway = 1, has_peer = 1 seeking_src = 0, seeking_gateway = 1, has_dst = 1 dst via xx.xx.xx.xx dev wlp2s0 src table 254 set nexthop: xx.xx.xx.xx dst xx.xx.xx.xx via dev wlp2s0 src table 254 dst xx.xx.xx.xx via dev wlp2s0 src xx.xx.xx.xx table 254 dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored) dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored) dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored) dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored) dst xx.xx.xx.xx via dev wlp2s0 src xx.xx.xx.xx table 255 (ignored) dst xx.xx.xx.xx via dev wlp2s0 src xx.xx.xx.xx table 255 (ignored) dst xx.xx.xx.xx via dev wlp2s0 src xx.xx.xx.xx table 255 (ignored) seeking_src = 1, seeking_gateway = 0, has_peer = 1 seeking_src = 1, seeking_gateway = 0, has_dst = 1 dst xx.xx.xx.xx via dev wlp2s0 src xx.xx.xx.xx table 254 set addr: xx.xx.xx.xx seeking_src = 0, seeking_gateway = 0, has_peer = 1 conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" modecfgdns=<unset> conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" modecfgdomains=<unset> conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" modecfgbanner=<unset> conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" mark=<unset> conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" mark-in=<unset> conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" mark-out=<unset> conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" vti_iface=<unset> conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" redirect-to=<unset> conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" accept-redirect-to=<unset> conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" esp=3des-sha1 conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" ike=3des-sha1;modp1024 002 added connection description "147f9a0d-9b02-4cc9-8942-b4e5b4061110" nm-l2tp[4198] <info> Spawned ipsec auto --up script with PID 4591. 002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: initiating Main Mode 104 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: STATE_MAIN_I1: initiate 003 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: ignoring unknown Vendor ID payload [f758f22668750f03b08df6ebe1d00300] 106 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: STATE_MAIN_I2: sent MI2, expecting MR2 108 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: STATE_MAIN_I3: sent MI3, expecting MR3 002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: Peer ID is ID_IPV4_ADDR: 'xx.xx.xx.xx' 004 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1024} 002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:9eb98aa5 proposal=3DES_CBC-HMAC_SHA1_96 pfsgroup=MODP1024} 117 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: STATE_QUICK_I1: initiate 003 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=9eb98aa5, length=28 003 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed 004 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x453de9b3 <0x30c93373 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=xx.xx.xx.xx:4500 DPD=passive} nm-l2tp[4198] <info> Libreswan IPsec tunnel is up. ** Message: 22:03:35.857: xl2tpd started with pid 4607 xl2tpd[4607]: Not looking for kernel SAref support. xl2tpd[4607]: Using l2tp kernel support. xl2tpd[4607]: xl2tpd version xl2tpd-1.3.12 started on hidden PID:4607 xl2tpd[4607]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc. xl2tpd[4607]: Forked by Scott Balmos and David Stipp, (C) 2001 xl2tpd[4607]: Inherited by Jeff McAdams, (C) 2002 xl2tpd[4607]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016 xl2tpd[4607]: Listening on IP address 0.0.0.0, port 43162 xl2tpd[4607]: get_call: allocating new tunnel for host xx.xx.xx.xx, port 1701. xl2tpd[4607]: Connecting to host xx.xx.xx.xx, port 1701 xl2tpd[4607]: control_finish: message type is (null)(0). Tunnel is 0, call is 0. xl2tpd[4607]: control_finish: sending SCCRQ xl2tpd[4607]: message_type_avp: message type 2 (Start-Control-Connection-Reply) xl2tpd[4607]: protocol_version_avp: peer is using version 1, revision 0. xl2tpd[4607]: framing_caps_avp: supported peer frames: sync xl2tpd[4607]: hostname_avp: peer reports hostname 'N/A' xl2tpd[4607]: assigned_tunnel_avp: using peer's tunnel 58851 xl2tpd[4607]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 58851, call is 0. xl2tpd[4607]: control_finish: sending SCCCN xl2tpd[4607]: Connection established to xx.xx.xx.xx, 1701. Local: 51260, Remote: 58851 (ref=0/0). xl2tpd[4607]: Calling on tunnel 51260 xl2tpd[4607]: control_finish: message type is (null)(0). Tunnel is 58851, call is 0. xl2tpd[4607]: control_finish: sending ICRQ xl2tpd[4607]: message_type_avp: message type 11 (Incoming-Call-Reply) xl2tpd[4607]: assigned_call_avp: using peer's call 1 xl2tpd[4607]: control_finish: message type is Incoming-Call-Reply(11). Tunnel is 58851, call is 1. xl2tpd[4607]: control_finish: Sending ICCN xl2tpd[4607]: Call established with xx.xx.xx.xx, Local: 3428, Remote: 1, Serial: 1 (ref=0/0) xl2tpd[4607]: start_pppd: I'm running: xl2tpd[4607]: "/usr/sbin/pppd" xl2tpd[4607]: "plugin" xl2tpd[4607]: "pppol2tp.so" xl2tpd[4607]: "pppol2tp" xl2tpd[4607]: "7" xl2tpd[4607]: "passive" xl2tpd[4607]: "nodetach" xl2tpd[4607]: ":" xl2tpd[4607]: "debug" xl2tpd[4607]: "file" xl2tpd[4607]: "/run/nm-l2tp-147f9a0d-9b02-4cc9-8942-b4e5b4061110/ppp-options" xl2tpd[4607]: message_type_avp: message type 14 (Call-Disconnect-Notify) xl2tpd[4607]: result_code_avp: peer closing for reason 2 (General error--Error Code indicates the problem), error = 0 () xl2tpd[4607]: assigned_call_avp: using peer's call 1 xl2tpd[4607]: control_finish: message type is Call-Disconnect-Notify(14). Tunnel is 58851, call is 1. xl2tpd[4607]: control_finish: Connection closed to xx.xx.xx.xx, serial 1 () xl2tpd[4607]: Terminating pppd: sending TERM signal to pid 4639 nm-l2tp[4198] <info> Terminated xl2tpd daemon with PID 4607. xl2tpd[4607]: death_handler: Fatal signal 15 received xl2tpd[4607]: Connection 58851 closed to xx.xx.xx.xx, port 1701 (Server closing) 002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110": terminating SAs using this connection 002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: deleting state (STATE_QUICK_I2) aged 1.364s and sending notification 005 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: ESP traffic information: in=435B out=721B 002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: deleting state (STATE_MAIN_I4) aged 1.493s and sending notification
-
PMV over 4 years1. deleting *.secrets didn't help
-
PMV over 4 years2. upgrading to 1.12.16 didn't work too
-
PMV over 4 yearsAdded logs after upgrading to network-manager-l2tp:1.12.16-1 to the main message
-
Douglas Kosovic over 4 yearsError 691 authentication failure means the VPN server rejected the user credentials, make sure you are using the correct username and password. In the PPP options, you could also try diabling all of the authentication options, other than MS CHAP v2.