| Summary: | IPSec does not work | | |
|---|---|---|---|
| Product: | [ROSA-based products] ROSA Fresh | Reporter: | Yaroslav <yaroslav.belykh> |
| Component: | Net (ssh, samba, ssl, NM...) | Assignee: | Mikhail Novosyolov <m.novosyolov> |
| Status: | IN_PROGRESS --- | QA Contact: | ROSA Linux Bugs <bugs> |
| Severity: | normal | | |
| Priority: | Normal | CC: | a.proklov, pastordidi |
| Version: | All | | |
| Target Milestone: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Platform: | --- | ROSA Vulnerability identifier: | |
| RPM Package: | | ISO-related: | |
| Bad POT generating: | | Upstream: | |
Description:

The failure appeared somewhere between February, when I last used the connection that now does not work, and today. Connections simply drop, both with libreswan and with strongSwan.

Steps to reproduce: create a new L2TP IPSec connection in NetworkManager (with the parameters shown in the log) and connect.

IPSec via LibreSwan:

```
/usr/libexec/nm-l2tp-service --debug
nm-l2tp[20936] <debug> nm-l2tp-service (version 1.8.2) starting...
nm-l2tp[20936] <debug> uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[20936] <info> ipsec enable flag: yes
** Message: 13:19:21.407: Check port 1701
connection
        id : 'My Need VPN'
        permissions : ['user:myuser:']
        type : 'vpn'
        uuid : 'SAME_UUID'
vpn
        data : {'gateway': 'vpn-host.remote_domain.ru', 'ipsec-enabled': 'yes', 'ipsec-esp': 'aes128-sha1!', 'ipsec-ike': 'aes128-sha1-modp1024!', 'ipsec-psk': 'VPN_PSK', 'no-vj-comp': 'yes', 'noaccomp': 'yes', 'nobsdcomp': 'yes', 'nodeflate': 'yes', 'nopcomp': 'yes', 'password-flags': '1', 'refuse-chap': 'yes', 'refuse-eap': 'yes', 'refuse-mschap': 'yes', 'refuse-mschapv2': 'yes', 'user': 'remote_user@remote_domain.loc'}
        secrets : {'password': 'password'}
        service-type : 'org.freedesktop.NetworkManager.l2tp'
        user-name : 'myuser'
ipv4
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []
ipv6
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []
proxy
nm-l2tp[21799] <info> starting ipsec
whack: Pluto is not running (no "/run/pluto/pluto.ctl")
Redirecting to: systemctl restart ipsec.service
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
opening file: /var/run/nm-l2tp-SAME_UUID/ipsec.conf
debugging mode enabled
end of file /var/run/nm-l2tp-SAME_UUID/ipsec.conf
Loading conn SAME_UUID
starter: left is KH_DEFAULTROUTE
loading named conns: SAME_UUID
resolving src = <defaultroute> gateway = <defaultroute> peer REMOTE_IP seeking gateway
query getroute +REQUEST +ROOT +MATCH
add dst REMOTE_IP (peer->addr)
 src <unset-address> prefsrc <unset-address> gateway MY_GATEWAY dst <unset-address> dev enp3s0 priority 100 pref -1 table 254
found gateway (host_nexthop): MY_GATEWAY
please-call-again: src = <defaultroute> gateway = MY_GATEWAY
resolving src = <defaultroute> gateway = MY_GATEWAY peer REMOTE_IP seeking prefsrc
query getroute +REQUEST
add dst MY_GATEWAY (host->nexthop)
ignoring 25
 src <unset-address> prefsrc MY_IP gateway <unset-address> dst MY_GATEWAY dev enp3s0 priority -1 pref -1 table 254 +cacheinfo
found prefsrc (host_addr): MY_IP
success: src = MY_IP gateway = MY_GATEWAY
resolving src = REMOTE_IP gateway = <not-set> peer MY_IP seeking nothing
conn: "SAME_UUID" modecfgdns=<unset>
conn: "SAME_UUID" modecfgdomains=<unset>
conn: "SAME_UUID" modecfgbanner=<unset>
conn: "SAME_UUID" mark=<unset>
conn: "SAME_UUID" mark-in=<unset>
conn: "SAME_UUID" mark-out=<unset>
conn: "SAME_UUID" vti_iface=<unset>
conn: "SAME_UUID" redirect-to=<unset>
conn: "SAME_UUID" accept-redirect-to=<unset>
conn: "SAME_UUID" esp=aes128-sha1!
conn: "SAME_UUID" ike=aes128-sha1-modp1024!
036 "SAME_UUID": failed to add connection: IKE DH algorithm 'modp1024!' is not recognized
nm-l2tp[21799] <warn> Could not establish IPsec tunnel.
(nm-l2tp-service:21799): GLib-GIO-CRITICAL **: 13:34:39.234: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
```

IPSec via StrongSwan:

```
/usr/libexec/nm-l2tp-service --debug
nm-l2tp[20936] <debug> nm-l2tp-service (version 1.8.2) starting...
nm-l2tp[20936] <debug> uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[20936] <info> ipsec enable flag: yes
** Message: 13:19:21.407: Check port 1701
connection
        id : 'My Need VPN'
        permissions : ['user:myuser:']
        type : 'vpn'
        uuid : 'SAME_UUID'
vpn
        data : {'gateway': 'vpn-host.remote_domain.ru', 'ipsec-enabled': 'yes', 'ipsec-esp': 'aes128-sha1!', 'ipsec-ike': 'aes128-sha1-modp1024!', 'ipsec-psk': 'VPN_PSK', 'no-vj-comp': 'yes', 'noaccomp': 'yes', 'nobsdcomp': 'yes', 'nodeflate': 'yes', 'nopcomp': 'yes', 'password-flags': '1', 'refuse-chap': 'yes', 'refuse-eap': 'yes', 'refuse-mschap': 'yes', 'refuse-mschapv2': 'yes', 'user': 'remote_user@remote_domain.loc'}
        secrets : {'password': 'password'}
        service-type : 'org.freedesktop.NetworkManager.l2tp'
        user-name : 'myuser'
ipv4
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []
ipv6
        address-data : []
        dns : []
        dns-search : []
        method : 'auto'
        route-data : []
proxy
nm-l2tp[20936] <info> starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.9.10 IPsec [starter]...
Loading config setup
Loading conn 'SAME_UUID'
nm-l2tp[20936] <info> Spawned ipsec up script with PID 20986.
initiating Main Mode IKE_SA SAME_UUID[1] to <REMOTE_ADDRESS>
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from <MY_LOCAL_IP>[500] to <REMOTE_ADDRESS>[500] (180 bytes)
received packet: from <REMOTE_ADDRESS>[500] to <MY_LOCAL_IP>[500] (276 bytes)
parsed ID_PROT response 0 [ SA V V V V V V V V V V ]
received NAT-T (RFC 3947) vendor ID
received draft-ietf-ipsec-nat-t-ike-03 vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received draft-ietf-ipsec-nat-t-ike-02 vendor ID
received draft-ietf-ipsec-nat-t-ike-00 vendor ID
received FRAGMENTATION vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 03:10:17:e0:7f:7a:82:e3:aa:69:50:c9:99:99:01:01
received unknown vendor ID: 1d:c0:10:31:3c:49:35:59:e2:d0:87:a7:5b:9b:de:ca
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from <MY_LOCAL_IP>[500] to <REMOTE_ADDRESS>[500] (244 bytes)
received packet: from <REMOTE_ADDRESS>[500] to <MY_LOCAL_IP>[500] (244 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from <MY_LOCAL_IP>[4500] to <REMOTE_ADDRESS>[4500] (76 bytes)
received packet: from <REMOTE_ADDRESS>[4500] to <MY_LOCAL_IP>[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA SAME_UUID[1] established between <MY_LOCAL_IP>[<MY_LOCAL_IP>]...<REMOTE_ADDRESS>[<REMOTE_ADDRESS>]
scheduling reauthentication in 9763s
maximum IKE_SA lifetime 10303s
generating QUICK_MODE request 993333236 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from <MY_LOCAL_IP>[4500] to <REMOTE_ADDRESS>[4500] (204 bytes)
received packet: from <REMOTE_ADDRESS>[4500] to <MY_LOCAL_IP>[4500] (204 bytes)
parsed QUICK_MODE response 993333236 [ HASH SA No ID ID NAT-OA NAT-OA ]
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
IPsec SA: unsupported mode
failed to create SAD entry
IPsec SA: unsupported mode
failed to create SAD entry
unable to install inbound and outbound IPsec SA (SAD) in kernel
establishing connection 'SAME_UUID' failed
nm-l2tp[20936] <info> strongSwan IPsec tunnel is up.
** Message: 13:19:24.771: xl2tpd started with pid 20995
xl2tpd[20995]: Not looking for kernel SAref support.
xl2tpd[20995]: This binary does not support kernel L2TP.
xl2tpd[20995]: xl2tpd version xl2tpd-1.3.16 started on host.myuser.zone PID:20995
xl2tpd[20995]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[20995]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[20995]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[20995]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[20995]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[20995]: get_call: allocating new tunnel for host <REMOTE_ADDRESS>, port 1701.
xl2tpd[20995]: Connecting to host <REMOTE_ADDRESS>, port 1701
xl2tpd[20995]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[20995]: control_finish: sending SCCRQ
nm-l2tp[20936] <warn> Looks like pppd didn't initialize our dbus module
nm-l2tp[20936] <info> Terminated xl2tpd daemon with PID 20995.
xl2tpd[20995]: death_handler: Fatal signal 15 received
Stopping strongSwan IPsec...
** Message: 13:19:38.902: ipsec shut down
nm-l2tp[20936] <warn> xl2tpd exited with error code 1
Stopping strongSwan IPsec failed: starter is not running
** Message: 13:19:38.918: ipsec shut down
```

Current packages:

```
rpm -qa | grep l2tp
openl2tp-1.8-14.x86_64
xl2tpd-1.3.16-3.x86_64
networkmanager-l2tp-1.8.2-3.x86_64

rpm -qa | grep swan
networkmanager-strongswan-1.6.0-1.x86_64
networkmanager-openswan-1.2.12-3.x86_64
lib64strongswan0-5.9.10-1.x86_64
strongswan-charon-nm-5.9.10-1.x86_64
strongswan-5.9.10-1.x86_64
libreswan-4.6-2.x86_64
```

How can this be fixed?

Comment #1 (Dmitry Postnikov):

The libreswan package probably needs to be removed: rpm -e --nodeps. Use strongswan instead of it.

Comment #2 (Aleksandr Proklov):

I enabled dh2 support in networkmanager-l2tp; in 2023.1 it has long been enabled.

networkmanager-l2tp 1.8.2-4

https://abf.io/build_lists/4818373
https://abf.io/build_lists/4818374 (x64)
https://abf.io/build_lists/4818375
https://abf.io/build_lists/4818376
https://abf.io/build_lists/4818377

This may not be a complete fix and the USE_DH2 option may need to be enabled in libreswan itself, but let's try networkmanager-l2tp first.

Reply to comment #1:

(In reply to Dmitry Postnikov from comment #1)
> The libreswan package probably needs to be removed: rpm -e --nodeps. Use
> strongswan instead of it.

I removed the libreswan package before the second listing.

Reply to comment #2:

(In reply to Aleksandr Proklov from comment #2)
> I enabled dh2 support in networkmanager-l2tp; in 2023.1 it has long been enabled.
>
> networkmanager-l2tp 1.8.2-4
>
> https://abf.io/build_lists/4818373
> https://abf.io/build_lists/4818374 (x64)
> https://abf.io/build_lists/4818375
> https://abf.io/build_lists/4818376
> https://abf.io/build_lists/4818377
>
> This may not be a complete fix and the USE_DH2 option may need to be enabled
> in libreswan itself, but let's try networkmanager-l2tp first.

Unfortunately, it did not help.

```
036 "SAME_UUID": failed to add connection: IKE DH algorithm 'modp1024!' is not recognized
nm-l2tp[4449] <warn> Could not establish IPsec tunnel.
```

```
rpm -qa | grep l2tp
openl2tp-1.8-14.x86_64
xl2tpd-1.3.16-3.x86_64
networkmanager-l2tp-1.8.2-4.x86_64
```

I cannot turn off the use of the aes128-sha1-modp1024!, aes128-sha1! proposals. The server I connect to requires them in the connection phases.

Comment #5 (Aleksandr Proklov):

libreswan 4.6-4

Support for dh2, dh22, dh23 is enabled.

https://abf.io/build_lists/4818398
https://abf.io/build_lists/4818399 (x64)
https://abf.io/build_lists/4818400
https://abf.io/build_lists/4818401
https://abf.io/build_lists/4818402

Reply to comment #5:

(In reply to Aleksandr Proklov from comment #5)
> libreswan 4.6-4
>
> Support for dh2, dh22, dh23 is enabled.
>
> https://abf.io/build_lists/4818398
> https://abf.io/build_lists/4818399 (x64)
> https://abf.io/build_lists/4818400
> https://abf.io/build_lists/4818401
> https://abf.io/build_lists/4818402

Yaroslav, is there any chance you could test the builds?

Next comment:

He has already tested them; it did not help. And there are no success stories to be found on the internet either: there is advice to enable dh2, but beyond that it is unclear whether it helps or not. What about replacing libreswan with strongswan? Maybe make the dependency (libreswan or strongswan) somewhere.
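The thread turns on two things that are visible in the logs above: the proposal strings `aes128-sha1-modp1024!` and `aes128-sha1!` that NetworkManager-l2tp hands to the IKE daemon (the trailing `!` is strongSwan's strict-proposal marker, and libreswan quotes the DH token with that `!` still attached when it rejects it), and the two distinct failure lines, libreswan's `IKE DH algorithm '...' is not recognized` and strongSwan's `unsupported mode failed to create SAD entry`. The script below is an added example for this thread, not code from the report, from NetworkManager-l2tp, libreswan or strongSwan. It parses proposal strings into their cipher, integrity and DH tokens, flags the components a defender would want to retire (modp1024 is DH group 2, 1024-bit; SHA-1 integrity), and pulls the two failure lines out of a log so a triager can tell which daemon failed and why. The weak-algorithm table is this example's own policy, and the sample vpn data and log lines are copied from the report's logs above.

```python
"""Audit NetworkManager-l2tp IPsec proposal strings and spot the two failure
lines seen in this bug report.  Added example; not code from the report or
from any of the daemons it discusses."""
import re
from dataclasses import dataclass

# Assumption: this example's own "no legacy crypto" policy.  Keys are the
# lower-case tokens as they appear in an ike=/esp= proposal string.
WEAK = {
    "modp768": "DH group 1 (768-bit), broken",
    "modp1024": "DH group 2 (1024-bit), not built into libreswan 4.x unless USE_DH2",
    "md5": "MD5 integrity, broken",
    "sha1": "SHA-1 integrity, deprecated",
    "des": "single DES, broken",
    "3des": "3DES cipher, deprecated",
}


@dataclass
class Proposal:
    parts: list    # e.g. ["aes128", "sha1", "modp1024"]
    strict: bool   # trailing "!" (strongSwan's strict-proposal marker)


def parse_proposals(spec: str) -> list:
    """Split a comma-separated spec such as 'aes128-sha1-modp1024!' into
    Proposal objects.  The trailing '!' is recorded and stripped so the last
    token is the bare DH group name rather than 'modp1024!'."""
    out = []
    for chunk in spec.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        strict = chunk.endswith("!")
        out.append(Proposal(parts=chunk.rstrip("!").split("-"), strict=strict))
    return out


def audit_proposals(spec: str) -> list:
    """Return (token, reason) pairs for every weak token in spec, in order."""
    findings = []
    for prop in parse_proposals(spec):
        for token in prop.parts:
            reason = WEAK.get(token.lower())
            if reason:
                findings.append((token, reason))
    return findings


# Patterns for the two errors quoted in the report: libreswan's pluto rejecting
# a DH token, and strongSwan's charon failing to install the SA in the kernel.
DH_REJECTED = re.compile(r"IKE DH algorithm '([^']+)' is not recognized")
SAD_FAILED = re.compile(r"unsupported mode failed to create SAD entry")


def scan_log(lines) -> list:
    """Return (event, detail) tuples for each failure line found; the DH
    detail is captured exactly as the daemon quoted it, '!' included."""
    events = []
    for line in lines:
        m = DH_REJECTED.search(line)
        if m:
            events.append(("dh_rejected", m.group(1)))
        elif SAD_FAILED.search(line):
            events.append(("sad_install_failed", None))
    return events


# Constructed sample input: the proposal strings from the report's 'vpn data'
# block and four lines quoted from the report's libreswan and strongSwan logs.
SAMPLE_VPN_DATA = {"ipsec-ike": "aes128-sha1-modp1024!", "ipsec-esp": "aes128-sha1!"}
SAMPLE_LOG = [
    'conn: "SAME_UUID" ike=aes128-sha1-modp1024!',
    "036 \"SAME_UUID\": failed to add connection: IKE DH algorithm 'modp1024!' is not recognized",
    "selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ",
    "IPsec SA: unsupported mode failed to create SAD entry",
]


def report(vpn_data=SAMPLE_VPN_DATA, log=SAMPLE_LOG) -> dict:
    """Combine both checks into one dict a triager can print or assert on."""
    return {
        "ike": audit_proposals(vpn_data["ipsec-ike"]),
        "esp": audit_proposals(vpn_data["ipsec-esp"]),
        "events": scan_log(log),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Run as-is it reports `sha1` and `modp1024` for the IKE proposal, `sha1` for the ESP proposal, and the two failure events; feeding it the output of `/usr/libexec/nm-l2tp-service --debug` on stdin would separate a proposal-syntax rejection (libreswan) from a kernel SA installation failure (strongSwan) before anyone starts swapping packages.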