L2TP VPN connection problem

Hi guys… I'm very, very new to Nix… I installed it only about a week ago… I have a super big problem, since I very, very much need an L2TP VPN connection for work… but I can't get NixOS working with my office L2TP VPN… is there anybody who can help me? This is urgent… I installed xl2tpd and strongswan using nix-env, but it still doesn't work… oh yeah… I tested it under GNOME NetworkManager and KDE NetworkManager, still not working… please help me…

Update:

I set this in my configuration.nix:

  networking.networkmanager.enableStrongSwan = true;  # let nm-l2tp drive strongSwan for the IPsec leg
  services.xl2tpd.enable = true;                       # L2TP daemon (the option path is "services", plural)
  services.strongswan.enable = true;                   # IPsec daemon (charon)

But still no luck.

What were you using before, and how did you generate the debug logs for that system?
Logs are always helpful, not only for keeping warm in winter, but also diagnosing problems.

Before this I used Ubuntu, and I just installed the NetworkManager L2TP plugin and it worked… now I use Nix… I'm still very unfamiliar with the config. At least please show me how to configure NetworkManager with L2TP in Nix :pensive:… I already searched the internet for a Nix NetworkManager L2TP configuration but can't find a decent one… still confused… sorry, I'm a newbie here… if possible I'd prefer something that works on KDE.

@grahamc is the last person I know of that used L2TP. I think I was one of the first, and had lots of trouble getting it to work (but it ended up working). You can find some intel on the nixpkgs tracker and the l2tp-networkmanager tracker.
I don't use it anymore, but from my config I could salvage this:

  services.strongswan = {
    enable = true;
    secrets = [
      "ipsec.d/ipsec.nm-l2tp.secrets"  # the file nm-l2tp writes the PSK to; strongSwan includes it
    ];
  };
2 Likes

I used L2TP with NetworkManager at my previous employer. I am not sure if this is still the case, but at some point I had to add

  systemd.tmpfiles.rules = [
    # symlink so charon finds nm-l2tp's secrets at the path it actually reads
    "L /etc/ipsec.secrets - - - - /etc/ipsec.d/ipsec.nm-l2tp.secrets"
  ];

to my NixOS configuration, because the NetworkManager configurator (under GNOME) wrote the secrets file to a different path than where the charon daemon (I think) was expecting it. But maybe that issue has been resolved in the meantime (this was probably in March).

I got it working by configuring the VPN using NetworkManager in GNOME and then inspecting the errors while connecting through journalctl.

Here is the journalctl -u NetworkManager output…

-- Logs begin at Sat 2020-10-31 17:42:42 WIB, end at Thu 2020-11-19 20:51:36 WIB. --
Nov 19 20:40:10 nixTerminal nm-l2tp-service[10682]: Check port 1701
Nov 19 20:40:10 nixTerminal NetworkManager[10697]: Stopping strongSwan IPsec...
Nov 19 20:40:12 nixTerminal NetworkManager[10694]: Starting strongSwan 5.8.1 IPsec [starter]...
Nov 19 20:40:12 nixTerminal NetworkManager[10694]: Loading config setup
Nov 19 20:40:12 nixTerminal NetworkManager[10694]: Loading conn '152cf1e3-4cb8-4466-a040-2a78829d508b'
Nov 19 20:40:12 nixTerminal ipsec_starter[10694]: Starting strongSwan 5.8.1 IPsec [starter]...
Nov 19 20:40:12 nixTerminal ipsec_starter[10694]: Loading config setup
Nov 19 20:40:12 nixTerminal ipsec_starter[10694]: Loading conn '152cf1e3-4cb8-4466-a040-2a78829d508b'
Nov 19 20:40:12 nixTerminal ipsec_starter[10705]: Attempting to start charon...
Nov 19 20:40:12 nixTerminal charon[10707]: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.1, Linux 5.8.16, x86_64)
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] PKCS11 module '<name>' lacks library path
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] dnscert plugin is disabled
Nov 19 20:40:12 nixTerminal charon[10707]: 00[NET] using forecast interface vboxnet0
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] loading ca certificates from '/nix/store/rr08yp0cg4hg874djklvijinmwnrz81d-strongswan-5.8.1/etc/ipsec.d/cacerts'
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] loading aa certificates from '/nix/store/rr08yp0cg4hg874djklvijinmwnrz81d-strongswan-5.8.1/etc/ipsec.d/aacerts'
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] loading ocsp signer certificates from '/nix/store/rr08yp0cg4hg874djklvijinmwnrz81d-strongswan-5.8.1/etc/ipsec.d/ocspcerts'
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] loading attribute certificates from '/nix/store/rr08yp0cg4hg874djklvijinmwnrz81d-strongswan-5.8.1/etc/ipsec.d/acerts'
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] loading crls from '/nix/store/rr08yp0cg4hg874djklvijinmwnrz81d-strongswan-5.8.1/etc/ipsec.d/crls'
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] loading secrets from '/nix/store/rr08yp0cg4hg874djklvijinmwnrz81d-strongswan-5.8.1/etc/ipsec.secrets'
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG]   loaded IKE secret for %any
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] opening triplet file /nix/store/rr08yp0cg4hg874djklvijinmwnrz81d-strongswan-5.8.1/etc/ipsec.d/triplets.dat failed: No such file or directory
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] loaded 0 RADIUS server configurations
Nov 19 20:40:12 nixTerminal charon[10707]: 00[CFG] no script for ext-auth script defined, disabled
Nov 19 20:40:12 nixTerminal charon[10707]: 00[LIB] loaded plugins: charon unbound pkcs11 aesni aes des rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert pem openssl af-alg fips-prf gmp curve25519 chapoly xcbc cmac hmac curl attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-radius xauth-generic xauth-eap xauth-pam dhcp counters
Nov 19 20:40:12 nixTerminal charon[10707]: 00[JOB] spawning 16 worker threads
Nov 19 20:40:12 nixTerminal ipsec_starter[10705]: charon (10707) started after 20 ms
Nov 19 20:40:12 nixTerminal charon[10707]: 06[CFG] received stroke: add connection '152cf1e3-4cb8-4466-a040-2a78829d508b'
Nov 19 20:40:12 nixTerminal charon[10707]: 06[CFG] added configuration '152cf1e3-4cb8-4466-a040-2a78829d508b'
Nov 19 20:40:13 nixTerminal charon[10707]: 07[CFG] rereading secrets
Nov 19 20:40:13 nixTerminal charon[10707]: 07[CFG] loading secrets from '/nix/store/rr08yp0cg4hg874djklvijinmwnrz81d-strongswan-5.8.1/etc/ipsec.secrets'
Nov 19 20:40:13 nixTerminal charon[10707]: 07[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 19 20:40:13 nixTerminal charon[10707]: 07[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Nov 19 20:40:13 nixTerminal charon[10707]: 07[CFG]   loaded IKE secret for %any
Nov 19 20:40:13 nixTerminal charon[10707]: 09[CFG] received stroke: initiate '152cf1e3-4cb8-4466-a040-2a78829d508b'
Nov 19 20:40:13 nixTerminal charon[10707]: 11[IKE] initiating Main Mode IKE_SA 152cf1e3-4cb8-4466-a040-2a78829d508b[1] to 36.67.161.170
Nov 19 20:40:13 nixTerminal charon[10707]: 11[IKE] initiating Main Mode IKE_SA 152cf1e3-4cb8-4466-a040-2a78829d508b[1] to 36.67.161.170
Nov 19 20:40:13 nixTerminal charon[10707]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov 19 20:40:13 nixTerminal charon[10707]: 11[NET] sending packet: from 192.168.82.127[500] to 36.67.161.170[500] (204 bytes)
Nov 19 20:40:17 nixTerminal charon[10707]: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
Nov 19 20:40:17 nixTerminal charon[10707]: 14[NET] sending packet: from 192.168.82.127[500] to 36.67.161.170[500] (204 bytes)
Nov 19 20:40:23 nixTerminal NetworkManager[10734]: Stopping strongSwan IPsec...
Nov 19 20:40:23 nixTerminal charon[10707]: 00[DMN] signal of type SIGINT received. Shutting down
Nov 19 20:40:23 nixTerminal charon[10707]: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Nov 19 20:40:23 nixTerminal NetworkManager[10733]: initiating Main Mode IKE_SA 152cf1e3-4cb8-4466-a040-2a78829d508b[1] to 36.67.161.170
Nov 19 20:40:23 nixTerminal NetworkManager[10733]: generating ID_PROT request 0 [ SA V V V V V ]
Nov 19 20:40:23 nixTerminal NetworkManager[10733]: sending packet: from 192.168.82.127[500] to 36.67.161.170[500] (204 bytes)
Nov 19 20:40:23 nixTerminal NetworkManager[10733]: sending retransmit 1 of request message ID 0, seq 1
Nov 19 20:40:23 nixTerminal NetworkManager[10733]: sending packet: from 192.168.82.127[500] to 36.67.161.170[500] (204 bytes)
Nov 19 20:40:23 nixTerminal NetworkManager[10733]: destroying IKE_SA in state CONNECTING without notification
Nov 19 20:40:23 nixTerminal NetworkManager[10733]: establishing connection '152cf1e3-4cb8-4466-a040-2a78829d508b' failed
Nov 19 20:40:23 nixTerminal ipsec_starter[10705]: child 10707 (charon) has quit (exit code 0)
Nov 19 20:40:23 nixTerminal ipsec_starter[10705]: 
Nov 19 20:40:23 nixTerminal ipsec_starter[10705]: charon stopped after 200 ms
Nov 19 20:40:23 nixTerminal ipsec_starter[10705]: ipsec starter stopped
Nov 19 20:40:23 nixTerminal nm-l2tp-service[10682]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Nov 19 20:40:23 nixTerminal NetworkManager[1104]: <warn>  [1605793223.8462] vpn-connection[0x202e0c0,152cf1e3-4cb8-4466-a040-2a78829d508b,"BKA",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
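Reading the journal above: charon loaded the PSK ("loaded IKE secret for %any", so the secrets plumbing from the earlier replies is fine), sent the Main Mode ID_PROT request to 36.67.161.170, retransmitted it once, and never logged a "received packet" line before NetworkManager stopped it; the later NetworkManager[10733] lines only repeat what charon already logged. That is a silent peer, not a rejecting one: either the request never reached the server (UDP 500 filtered, NAT, wrong address) or the server dropped a request it would not negotiate. As an added example, not code from this thread, here is a small bash function that classifies such an excerpt and separates a silent peer from one that answers with a NO_PROPOSAL_CHOSEN or AUTHENTICATION_FAILED notify. The matched strings are charon's own log messages; the two samples are constructed, the first trimmed from the lines above, the second showing the other shape a proposal mismatch can take.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: classify a charon/NetworkManager
# journal excerpt from an L2TP/IPsec attempt. Reads the log on stdin and prints
# one line: VERDICT peer=<ip> retransmits=<n>. The matched strings are the
# messages strongSwan's charon writes for these events.

triage_ike_log() {
    local log peer retransmits verdict
    log=$(cat)
    # peer address from "initiating Main Mode IKE_SA <name>[1] to <ip>"
    peer=$(printf '%s\n' "$log" | sed -n 's/.*IKE_SA .* to \([0-9.][0-9.]*\).*/\1/p' | head -n 1)
    retransmits=$(printf '%s\n' "$log" | grep -c 'sending retransmit' || true)
    [ -n "$peer" ] || peer=unknown

    if printf '%s\n' "$log" | grep -q 'IKE_SA .* established'; then
        verdict=ESTABLISHED
    elif printf '%s\n' "$log" | grep -q 'NO_PROPOSAL_CHOSEN'; then
        verdict=PROPOSAL_REJECTED       # peer answered but accepted none of our proposals
    elif printf '%s\n' "$log" | grep -q 'AUTHENTICATION_FAILED'; then
        verdict=AUTH_FAILED             # proposal accepted; PSK or identity wrong
    elif printf '%s\n' "$log" | grep -q 'received packet'; then
        verdict=PEER_REPLIED            # something came back; read what it said
    elif printf '%s\n' "$log" | grep -q 'destroying IKE_SA in state CONNECTING'; then
        verdict=NO_RESPONSE             # nothing came back before NetworkManager gave up
    else
        verdict=UNKNOWN
    fi
    printf '%s peer=%s retransmits=%s\n' "$verdict" "$peer" "$retransmits"
}

# Constructed sample: the charon lines from the journal above, trimmed to the
# IKE exchange. One retransmit happened before NetworkManager sent SIGINT.
SAMPLE_NO_RESPONSE='charon[10707]: 11[IKE] initiating Main Mode IKE_SA 152cf1e3-4cb8-4466-a040-2a78829d508b[1] to 36.67.161.170
charon[10707]: 11[NET] sending packet: from 192.168.82.127[500] to 36.67.161.170[500] (204 bytes)
charon[10707]: 14[IKE] sending retransmit 1 of request message ID 0, seq 1
charon[10707]: 14[NET] sending packet: from 192.168.82.127[500] to 36.67.161.170[500] (204 bytes)
charon[10707]: 00[IKE] destroying IKE_SA in state CONNECTING without notification'

# Constructed sample of the other shape a proposal mismatch can take: the peer
# answers with an error notify instead of staying silent.
SAMPLE_REJECTED='charon[10707]: 11[IKE] initiating Main Mode IKE_SA 152cf1e3-4cb8-4466-a040-2a78829d508b[1] to 36.67.161.170
charon[10707]: 11[NET] sending packet: from 192.168.82.127[500] to 36.67.161.170[500] (204 bytes)
charon[10707]: 12[NET] received packet: from 36.67.161.170[500] to 192.168.82.127[500] (40 bytes)
charon[10707]: 12[IKE] received NO_PROPOSAL_CHOSEN error notify'

printf '%s\n' "$SAMPLE_NO_RESPONSE" | triage_ike_log   # NO_RESPONSE peer=36.67.161.170 retransmits=1
printf '%s\n' "$SAMPLE_REJECTED" | triage_ike_log      # PROPOSAL_REJECTED peer=36.67.161.170 retransmits=0
```

On a live system feed it the current attempt, for example `journalctl -u NetworkManager --since '10 min ago' | triage_ike_log`. A NO_RESPONSE verdict on its own cannot tell a filtered port from a server that silently drops unacceptable proposals; confirm the request leaves the expected interface with `tcpdump -ni any udp port 500 or udp port 4500` while connecting, and if it does, the proposals are the next thing to compare against what the server side will negotiate.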

Ahhhh… at last… I found the problem… it looks like the version problem described in nm-l2tp/NetworkManager… the problem is in the phase 1 and phase 2 algorithms… I just changed the algorithms from the strongSwan ones to the libreswan ones… I think our server uses libreswan instead of strongSwan for L2TP.

1 Like
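The fix the poster describes, changing the Phase 1 and Phase 2 algorithms of the nm-l2tp connection so they match what the server will negotiate, can be done from the command line as well as in the GNOME or KDE editor, and it is worth knowing what the change costs. As an added example, not from this thread and not nm-l2tp's own code, the bash below prints the nmcli commands that set both proposals and checks the chosen proposal strings against a list of algorithms to refuse when you have a choice. Assumptions, labelled as such: nm-l2tp keeps the Phase 1 proposal under the vpn.data key ipsec-ike and the Phase 2 proposal under ipsec-esp, written in strongSwan proposal syntax; the proposal strings and the weak-algorithm list are illustrative, since the thread does not say which algorithms the server required; the connection name BKA is the one that appears in the journal above.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from nm-l2tp. Assumed (labelled):
# nm-l2tp stores the Phase 1 proposal in vpn.data key "ipsec-ike" and the
# Phase 2 proposal in "ipsec-esp", in strongSwan proposal syntax
# (alg-integ-dhgroup entries, comma-separated, optional trailing "!").

# check_ike_proposal PROPOSAL
# Prints every algorithm in PROPOSAL that is on the weak list, one per line,
# and returns 0 only when nothing weak was found. The list is illustrative:
# single DES, 3DES, MD5, SHA-1 and DH groups below 2048 bits.
check_ike_proposal() {
    local proposal=$1 weak="" entry alg
    for entry in $(printf '%s\n' "$proposal" | tr ',' ' ' | tr -d '!'); do
        for alg in $(printf '%s\n' "$entry" | tr '-' ' '); do
            case $alg in
                des|3des|md5|sha1|modp768|modp1024|modp1536)
                    weak="$weak$alg"$'\n' ;;
            esac
        done
    done
    printf '%s' "$weak"
    [ -z "$weak" ]
}

# nmcli_l2tp_algorithms CONNECTION IKE_PROPOSAL ESP_PROPOSAL
# Prints, without executing, the nmcli commands that store both proposals in
# the connection profile and then show the resulting vpn.data for review.
# "+vpn.data key=value" is nmcli's form for adding one entry to a dict property.
nmcli_l2tp_algorithms() {
    local conn=$1 ike=$2 esp=$3
    printf 'nmcli connection modify %s +vpn.data "ipsec-ike=%s"\n' "$conn" "$ike"
    printf 'nmcli connection modify %s +vpn.data "ipsec-esp=%s"\n' "$conn" "$esp"
    printf 'nmcli -g vpn.data connection show %s\n' "$conn"
}

# Illustrative legacy proposals of the kind older L2TP/IPsec servers insist on;
# not the poster's actual values, which the thread does not give.
IKE='aes256-sha1-modp1024!'
ESP='aes256-sha1!'

check_ike_proposal "$IKE" || echo "Phase 1 downgrade forced by the server (see list above)"
check_ike_proposal "$ESP" || echo "Phase 2 downgrade forced by the server (see list above)"
nmcli_l2tp_algorithms BKA "$IKE" "$ESP"
```

The conn that charon loads in the journal above is named by the connection's UUID and is generated by nm-l2tp on every connect, so the proposals belong in the NetworkManager profile, not in a hand-written ipsec.conf. When the check prints sha1 or modp1024, the weakness is the server's constraint rather than the client's; the client can only choose the strongest proposal the server still accepts, and the rest is a conversation with whoever runs the server.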