[Bug 2068687] Re: L2TP VPN is not working in Ubuntu 24.04
Upstream go-l2tp issue that's been resolved:
https://github.com/katalix/go-l2tp/issues/6

In the network-manager-l2tp PPA I've created a no-modification backport of golang-github-katalix-go-l2tp-0.1.8-1 for Ubuntu 24.04 :
https://launchpad.net/~nm-l2tp/+archive/ubuntu/network-manager-l2tp

So, Ubuntu 24.04 users wanting the latest network-manager-l2tp from the PPA will also get a newer go-l2tp package which includes the fix for this issue.

** Bug watch added: github.com/katalix/go-l2tp/issues #6
   https://github.com/katalix/go-l2tp/issues/6

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2068687

Title:
  L2TP VPN is not working in Ubuntu 24.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-github-katalix-go-l2tp/+bug/2068687/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2068687] Re: L2TP VPN is not working in Ubuntu 24.04
Regarding the original go-l2tp kl2tpd error:

    level=error tunnel_name=t1 message="bad control message" message_type=avpMsgTypeSli error="no specification for v2 message avpMsgTypeSli"

Looks like the missing avpMsgTypeSli message_type was recently fixed with the following commit that's in go-l2tp 0.1.8 :
https://github.com/katalix/go-l2tp/commit/5720acff49c0deda96b132c21c7431ae5300a56a

I'm changing the package from network-manager-l2tp to go-l2tp for this bug.

** Package changed: network-manager-l2tp (Ubuntu) => golang-github-katalix-go-l2tp (Ubuntu)
[Bug 2068687] Re: L2TP VPN is not working in Ubuntu 24.04
I'm not sure why the user authentication is failing for you with go-l2tp's kl2tpd, you could try disabling all of the authentication methods in the PPP settings other than MSCHAPv2.

You could also try switching to xl2tpd and see if you have the same problem, e.g.:

    sudo apt install xl2tpd
    sudo apt purge go-l2tp

The other Linux distros you mentioned don't ship with go-l2tp, so they would have been defaulting to xl2tpd.
[Bug 1970068] Re: L2TP+IPSec not working after upgrade to 22.04 LTS
I think this is a duplicate of the following, although the xl2tpd errors manifest slightly differently :
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1951832
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1968336

But as others have confirmed, Ubuntu 22.05's xl2tpd-1.3.16-1 is broken, so the most likely culprit.

network-manager-l2tp uses kl2tpd as its default L2TP daemon and falls back to xl2tpd if it can't find kl2tpd. To confirm it is only xl2tpd that is broken for you, try installing kl2tpd with the following :

    sudo apt install golang-go
    go install "github.com/katalix/go-l2tp/...@latest"
    sudo mkdir /usr/local/sbin
    sudo cp go/bin/kl2tpd /usr/local/sbin
[Bug 1951832] Re: xl2tpd "Can not find tunnel" in jammy
For those using network-manager-l2tp, another workaround is to use Katalix go-l2tp which is from the authors of the L2TP kernel modules (which xl2tpd also happens to use).

With Networkmanager-l2tp >= 1.20.0, it has switched to kl2tpd as the default L2TP daemon and falls back to xl2tpd if it can't find it.

kl2tpd can readily be installed with :

    sudo apt install golang-go
    go install "github.com/katalix/go-l2tp/...@latest"
    sudo mkdir /usr/local/sbin
    sudo cp go/bin/kl2tpd /usr/local/sbin
[Bug 1890814] Re: Handle PPP non-compliant success packets
Nim's status change of no longer affects ppp I think was just a mistake and rectified, but the rectification wasn't recorded in a new message.

This bug report no longer affects ppp >= 2.4.9, as it was fixed upstream and is the reason the corresponding Debian bug was closed.

This SRU patch request is for Ubuntu 20.04 which is still using an older ppp.
[Bug 1890814] Re: Handle PPP non-compliant success packets
** Bug watch added: Debian Bug tracker #968040
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968040

** Also affects: ppp (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968040
   Importance: Unknown
       Status: Unknown
[Bug 1890814] [NEW] Handle PPP non-compliant success packets
Public bug reported:

[Impact]

According to RFC2759, the format of PPP success packets is :

    "S= M="

Recently Windows Server 2019 has started producing non-compliant PPP success packets which have a space missing before the M= characters. PPP based (e.g. PPTP, L2TP, etc) VPN clients connecting to an affected Windows Server 2019 VPN server will get the following error message during MS-CHAPv2 authentication :

    MS-CHAPv2 Success packet is badly formed

If the following upstream ppp patch is applied, it will handle the non-compliant, missing-space before M= success packets :
https://github.com/paulusmack/ppp/commit/3cd95baf3f1de1d5a9bc89be0f4c3215ceb5aefe.patch

** Affects: ppp (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: sru
[Bug 1890814] Re: Handle PPP non-compliant success packets
macOS already handles the missing space before M=, extract from :
https://opensource.apple.com/source/ppp/ppp-862.120.2/Helpers/pppd/chap_ms.c.auto.html

    //we'll allow the missing-space case from the server, even though
    //it's non-conforming to spec!
    dbglog("Rcvd non-conforming MSCHAPv2 Success packet, len=%d", len);
    if(len >= 2 && !strncmp((char*)msg, "M=", 2))
        msg += 2;
    else {
        error("MS-CHAPv2 Success packet is badly formed.");
        return 0;
    }
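The tolerant parse discussed in this bug report, as an added example that is not part of the original messages and is not pppd's or Apple's code: it accepts both " M=" and the missing-space "M=" delimiter, but only after the authenticator response has matched, so the leniency never weakens the server-authentication check. All function and constant names are hypothetical, the sample authenticator string is constructed, the 40-hex-digit length comes from RFC 2759, and the constant-time comparison is a choice made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 2759: the 20-octet authenticator response is sent as 40 hex digits. */
#define MS_AUTH_RESPONSE_LENGTH 40

enum success_result {
    SUCCESS_OK,            /* "S=<auth> M=<text>", or "S=<auth>" with no message */
    SUCCESS_OK_NO_SPACE,   /* "S=<auth>M=<text>": non-compliant but tolerated */
    SUCCESS_BAD_FORMAT,    /* no "S=", truncated, or unknown trailing text */
    SUCCESS_AUTH_MISMATCH  /* server did not prove knowledge of the password */
};

/* Constructed sample value standing in for the locally computed response. */
static const char SAMPLE_AUTH[] = "0123456789ABCDEF0123456789ABCDEF01234567";

/* Compare without an early exit so timing does not reveal a matching prefix. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/*
 * Validate the Message field of an MS-CHAPv2 Success packet.
 * On success, *text / *text_len describe the human-readable message (may be empty).
 */
enum success_result check_mschapv2_success(const unsigned char *msg, size_t len,
                                           const char *expected,
                                           const unsigned char **text,
                                           size_t *text_len)
{
    enum success_result result = SUCCESS_OK;

    *text = NULL;
    *text_len = 0;

    /* The field must start with "S=" followed by the full authenticator. */
    if (len < 2 + MS_AUTH_RESPONSE_LENGTH || memcmp(msg, "S=", 2) != 0)
        return SUCCESS_BAD_FORMAT;
    msg += 2;
    len -= 2;

    /* Mutual authentication: checked before any delimiter leniency applies. */
    if (!ct_equal(msg, (const unsigned char *)expected, MS_AUTH_RESPONSE_LENGTH))
        return SUCCESS_AUTH_MISMATCH;
    msg += MS_AUTH_RESPONSE_LENGTH;
    len -= MS_AUTH_RESPONSE_LENGTH;

    if (len == 0) {                       /* no message text at all */
        *text = msg;
        return SUCCESS_OK;
    }
    if (len >= 3 && memcmp(msg, " M=", 3) == 0) {
        msg += 3;                         /* compliant delimiter */
        len -= 3;
    } else if (len >= 2 && memcmp(msg, "M=", 2) == 0) {
        msg += 2;                         /* missing-space delimiter */
        len -= 2;
        result = SUCCESS_OK_NO_SPACE;
    } else {
        return SUCCESS_BAD_FORMAT;        /* trailing bytes that are not a message */
    }

    *text = msg;
    *text_len = len;
    return result;
}

/* Convenience wrapper for NUL-terminated test strings. */
enum success_result classify(const char *packet)
{
    const unsigned char *text;
    size_t text_len;
    return check_mschapv2_success((const unsigned char *)packet, strlen(packet),
                                  SAMPLE_AUTH, &text, &text_len);
}

int main(void)
{
    /* Constructed sample Message fields. */
    const char *samples[] = {
        "S=0123456789ABCDEF0123456789ABCDEF01234567 M=Welcome",
        "S=0123456789ABCDEF0123456789ABCDEF01234567M=Welcome",
        "S=FFFF456789ABCDEF0123456789ABCDEF01234567M=Welcome",
        "S=0123456789ABCDEF0123456789ABCDEF01234567 X=oops",
    };
    static const char *names[] = { "ok", "ok (no space)", "bad format", "auth mismatch" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s -> %s\n", samples[i], names[classify(samples[i])]);
    return 0;
}
```

Logging the `SUCCESS_OK_NO_SPACE` case separately, as the Apple extract does with `dbglog`, keeps non-conforming servers visible without failing the connection.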
[Bug 1875784] Re: Impossible create or edit L2TP vpn, missing form
** Changed in: network-manager-l2tp (Ubuntu)
       Status: New => Invalid

** Changed in: network-manager-l2tp (Ubuntu)
     Assignee: (unassigned) => Douglas Kosovic (dkosovic)
[Bug 1875784] Re: Impossible create or edit L2TP vpn, missing form
Did you install networkmanager-l2tp-gnome package which has the GNOME L2TP VPN plug-in for the GNOME NetworkManager connection editor?
[Bug 1875784] Re: Impossible create or edit L2TP vpn, missing form
Correction, I meant network-manager-l2tp-gnome package.
[Bug 1849930] Re: Additional L2TP VPN Breaks First VPN
** Project changed: l2tp-ipsec-vpn => ubuntu

** Changed in: ubuntu
       Status: New => Confirmed

** Package changed: ubuntu => network-manager-l2tp (Ubuntu)
[Bug 1778946] Re: No dns resolution after closing a vpn/pptp connection
Comment 6 and 7 in the upstream GNOME NetworkManager-pptp bug report :
https://bugzilla.gnome.org/show_bug.cgi?id=785771#c6
are relevant to this bug (but not the 'cp -a' issue).

As mentioned, the following exit in /etc/ppp/ip-up.d/000resolvconf when the interface is managed by NM, seems the right solution.

    case "$6" in
        nm-pptp-service-*|nm-l2tp-service-*|/org/freedesktop/NetworkManager/PPP/*)
            # NetworkManager handles it
            exit 0
            ;;
    esac

Perhaps the exit should be added to /etc/ppp/ip-up.d/usepeerdns for instances when resolvconf package isn't installed?

** Bug watch added: GNOME Bug Tracker #785771
   https://bugzilla.gnome.org/show_bug.cgi?id=785771
[Bug 1778946] Re: No dns resolution after closing a vpn/pptp connection
I wasn't able to redirect the stderr from the following line in /etc/ppp/ip-up.d/usepeerdns (probably because of something pppd is doing) :

    cp -a "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"

So I modified the cp.c source from the coreutils package and redirected stderr to a file. The error message I now see is :

    cp: failed to preserve ownership for '/run/systemd/resolve/stub-resolv.conf.pppd-backup.ppp0': Operation not permitted

cp.c is using the lchown() function which is failing with that message.

Looks like only preserving ownership is failing as I tried the following and it works:

    cp --preserve=mode,timestamps "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"

The way /run is mounted might be the reason why 'cp -a' and lchown() is failing.

Ignore what I said about $? being 0 after the cp -a line. Doing the following line confirms $? is 1 :

    cp -a "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE" || echo ERROR $? >> /tmp/usepeerdns-up.log
[Bug 1778946] Re: No dns resolution after closing a vpn/pptp connection
Sorry, ignore comment #16 as the following line in /etc/ppp/ip-up.d/usepeerdns will exit because of the '#!/bin/sh -e' shebang line:

    cp -Lp "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"

So my original suggestion of replacing the following line:

    cp -a "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"

to:

    cp "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"
    chmod 644 "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"

was correct and won't prematurely exit.
[Bug 1778946] Re: No dns resolution after closing a vpn/pptp connection
Correction, the following line in /etc/ppp/ip-up.d/usepeerdns probably should be changed from :

    cp -a "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"

to:

    cp -Lp "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"
    chmod 644 "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"
[Bug 1778946] Re: No dns resolution after closing a vpn/pptp connection
I can confirm the issue is the following line in /etc/ppp/ip-up.d/usepeerdns as previously mentioned :

    cp -a "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"

The variable expansion of that line is :

    cp -a /run/systemd/resolve/stub-resolv.conf /run/systemd/resolve/stub-resolv.conf.pppd-backup.ppp0

I had to modify the shebang line of that script from :

    #!/bin/sh -e

to :

    #!/bin/sh

to get past that line and output debugging output I inserted, which included :

    ls -l /run/systemd/resolve/stub-resolv.conf
    -rw-r--r-- 1 systemd-resolve systemd-resolve 720 Jan 17 21:47 /run/systemd/resolve/stub-resolv.conf

    ls -l /run/systemd/resolve/stub-resolv.conf.pppd-backup.ppp0
    -rw--- 1 root root 720 Jan 17 21:47 /run/systemd/resolve/stub-resolv.conf.pppd-backup.ppp0

So 'cp -a' isn't copying the permissions. Oddly, $? is 0 after running that 'cp -a' line, therefore seems correct, also umask is 0022, so I'm not sure what is going wrong.

Anyway a fix seems to be to change the following line in /etc/ppp/ip-up.d/usepeerdns from :

    cp -a "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"

to:

    cp "$REALRESOLVCONF" "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"
    chmod 644 "$REALRESOLVCONF.pppd-backup.$PPP_IFACE"

For Ubuntu 18.04 setups that have the pppconfig package installed, the following lines in /etc/ppp/ip-up.d/0dns-up probably should be changed from :

    /bin/cp -Lp "$RESOLVCONF" "$RESOLVBAK" || exit 1
    /bin/cp -Lp "$TEMPRESOLV" "$RESOLVCONF" || exit 1
    chmod 644 "$RESOLVCONF" || exit 1

to:

    /bin/cp -Lp "$RESOLVCONF" "$RESOLVBAK" || exit 1
    chmod 644 "$RESOLVBAK" || exit 1
    /bin/cp -Lp "$TEMPRESOLV" "$RESOLVCONF" || exit 1
    chmod 644 "$RESOLVCONF" || exit 1
[Bug 1760796] Re: kernel 4.15 breaks xl2tpd
Hi Eric and Łukasz,

I uninstalled existing xl2tpd from test PPA on xenial and bionic before installing xl2tpd from respective proposed repository.

On xenial I installed and tested xl2tpd_1.3.6+dfsg-4ubuntu0.16.04.2_amd64.deb and can confirm I'm able to establish L2TP/IPsec VPN connection with following kernels :
* kernel 4.4.0-124-generic.
* kernel 4.13.0-36-generic.
* kernel 4.15.0-29-generic.

Similarly on bionic with xl2tpd_1.3.10-1ubuntu1_amd64.deb, I can confirm VPN connection with following kernels :
* kernel 4.13.0-36-generic.
* kernel 4.15.0-29-generic.

I've changed verification-needed-bionic and verification-needed-xenial to verification-done-bionic and verification-done-xenial respectively. I didn't change the verification-needed tag, but guess I should have.

-- Doug

** Tags removed: verification-needed-bionic verification-needed-xenial
** Tags added: verification-done-bionic verification-done-xenial
[Bug 1760796] Re: kernel 4.15 breaks xl2tpd
@Billy thanks for the Xenial xl2tpd test package.

I setup an Ubuntu 16.04.4 VM which came with kernel 4.13.0-36-generic and did an apt update followed by an apt upgrade and it installed kernel 4.15.0-29-generic. I didn't know the proper way to downgrade to kernel 4.4, so manually downloaded and installed the following :

    linux-headers-4.4.0-124_4.4.0-124.148_all.deb
    linux-headers-4.4.0-124-generic_4.4.0-124.148_amd64.deb
    linux-image-4.4.0-124-generic_4.4.0-124.148_amd64.deb

Following is a summary of the tests performed, first with unpatched xl2tpd followed by the test PPA xl2tpd.

Ubuntu 16.04.4 with xl2tpd-1.3.6+dfsg-4ubuntu0.16.04.1 :
* didn't check kernel 4.4.0-124-generic.
* kernel 4.13.0-36-generic - works as expected.
* kernel 4.15.0-29-generic - results in following error as expected :
    xl2tpd[2189]: udp_xmit failed ... with err=-1:No such device

Ubuntu 16.04.4 upgrade to xl2tpd-1.3.6+dfsg-4ubuntu0.16.04.1+lp1760796 :
* kernel 4.4.0-124-generic - works!
* kernel 4.13.0-36-generic - works!
* kernel 4.15.0-29-generic - works!

So things look okay to me in regards to xenial.
[Bug 1760796] Re: kernel 4.15 breaks xl2tpd
I can confirm I am able to establish a L2TP/IPsec connection with xl2tpd_1.3.10-1+lp1760796_amd64.deb test package with Bionic's latest 4.15 kernel.

I'll need to bring up a VM for xenial, but happy to test with kernel 4.4 and 4.15 on xenial for any backport. The version of xl2tpd in xenial updates is currently 1.3.6+dfsg-4ubuntu0.16.04.1 and suspect the patch should apply cleanly to it.
[Bug 1760796] Re: kernel 4.15 breaks xl2tpd
** Tags added: sts sts-sru-needed
[Bug 1771223] Re: Cannot connect to L2TP network
** Changed in: network-manager-l2tp (Ubuntu)
       Status: New => Invalid
[Bug 1771223] Re: Cannot connect to L2TP network
I'm guessing there is a firewall between the client and VPN server when the client is in the outside world.

See the "Issue with not stopping system xl2tpd service" section in the README.md file :
https://github.com/nm-l2tp/network-manager-l2tp/blob/nm-1-2/README.md

I'm guessing the firewall doesn't like clients that are trying to connect with an ephemeral port.
[Bug 1771223] Re: Cannot connect to L2TP network
See "Issue with VPN servers only proposing IPsec IKEv1 weak legacy algorithms" in the README.md file:
https://github.com/nm-l2tp/network-manager-l2tp/blob/nm-1-2/README.md

I can confirm with the ike-scan.sh script mentioned in the README.md file that the VPN server you are trying to connect to only provides proposals that the newer version of strongSwan now considers weak.

If you can modify the VPN server's settings, the current strongest proposal it provides contains modp1536, but it needs to be at least modp2048.

Otherwise, you can specify IPsec phase 1 and phase 2 algorithms in the IPsec Options dialog box:
- Phase1 Algorithms : aes256-sha1-modp1536
- Phase2 Algorithms : aes256-sha1
[Bug 1771223] Re: Cannot connect to L2TP network
Can you confirm you are seeing the "udp_xmit failed ... with err=-1:No such device" error ?

If you are, this is not a network-manager-l2tp bug, but a kernel 4.15 bug, I posted a xl2tpd bug report and workaround patch for Ubuntu 18.04's xl2tpd package almost a month before Bionic Beaver was released :
https://bugs.launchpad.net/ubuntu/+source/xl2tpd/+bug/1760796

The bug is receiving very little user attention, only 7 people have voted for it, hopefully the more people vote for it the sooner it will receive attention and someone will apply the patch.

xl2tpd 1.3.12 hasn't been released yet, can you confirm you built from the xl2tpd 1.3.12 git branch? i.e. :

    git clone -b 1.3.12 https://github.com/xelerance/xl2tpd.git
    cd xl2tpd
    make
    sudo cp xl2tpd /usr/sbin/xl2tpd

xl2tpd 1.3.12 git branch definitely fixed the issue for me on Ubuntu 18.04.
[Bug 1771223] Re: Cannot connect to L2TP network
** Changed in: network-manager-l2tp (Ubuntu)
     Assignee: (unassigned) => Douglas Kosovic (dkosovic)
[Bug 1760796] Re: kernel 4.15 breaks xl2tpd
** Bug watch added: Red Hat Bugzilla #1562512
   https://bugzilla.redhat.com/show_bug.cgi?id=1562512

** Also affects: xl2tpd (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=1562512
   Importance: Unknown
       Status: Unknown
[Bug 1760796] [NEW] kernel 4.15 breaks xl2tpd
Public bug reported:

Kernel 4.15 breaks xl2tpd, please see following upstream issue for more details :
https://github.com/xelerance/xl2tpd/issues/147

The following commit/patch fixes the issue:
https://github.com/xelerance/xl2tpd/commit/9c2cd4933478a83075df5b10f24af7589e90abc3.patch

As Ubuntu 18.04 (Bionic Beaver) is no longer accepting Debian packages, I'm guessing then that the patch would need to be added and applied to the existing xl2tpd-1.3.10-1 package.

The linux-image kernel package on Ubuntu 18.04 is currently linux-image-4.15.0-13

** Affects: xl2tpd (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: xl2tpd (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #894674
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894674

** Also affects: xl2tpd (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894674
   Importance: Unknown
       Status: Unknown
[Bug 400748] Re: xl2tpd connection speed is too low
I just saw this bug report now while looking for another xl2tpd bug.

You might have already worked it out by now, but in regards to the xl2tpd max transmit and receive speeds, the default max is 10 Mbps. See the xl2tpd.conf manpage for the 'tx bps' and 'rx bps' options to set it higher.
[Bug 1692066] Re: [Request] Libreswan plugin for Network Manager
I suggest you file a Debian Request for Package (RFP) for network-manager-libreswan :
https://wiki.debian.org/RFP

Once the package is in Debian Sid, it will automatically make its way to Ubuntu.

Or if you are able to provide a package, an Intent to Package (ITP) :
https://wiki.debian.org/ITP

libreswan was added to Debian Sid earlier in the year and it made its way to Ubuntu 17.04.

Upstream in the GNOME Projects network-manager-libreswan GIT repository in the NEWS file, you'll notice network-manager-libreswan was renamed from network-manager-openswan at version 1.2
https://git.gnome.org/browse/network-manager-libreswan/tree/

Debian/Ubuntu used to include network-manager-openswan, so that package might be a good starting point for updating to network-manager-libreswan.
[Bug 1726135] Re: need to use group name
Marked as invalid as the VPN server is using an algorithm considered broken by strongswan and workaround was provided.

** Changed in: network-manager-l2tp (Ubuntu)
     Assignee: (unassigned) => Douglas Kosovic (dkosovic)

** Changed in: network-manager-l2tp (Ubuntu)
       Status: New => Invalid
[Bug 1726135] Re: need to use group name
From the logs, it definitely isn't using IPsec XAuth.

The "NO_PROPOSAL_CHOSEN error" means your VPN server is using a legacy encryption algorithm that strongswan considers broken as it is old and weak, it is most likely 3DES :
https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

It would be best if the VPN server can be updated to use stronger cipher suites, but if you can't, in the README.md file, see the "User specified IPsec IKEv1 cipher suites" section :
https://github.com/nm-l2tp/network-manager-l2tp#user-specified-ipsec-ikev1-cipher-suites

Extract :

    If you are using strongSwan with this VPN plugin and you need to use the same ciphers that older versions of strongSwan and this VPN plugin used, enter the following in the corresponding IPsec configuration dialog text boxes:

    Phase1 Algorithms : aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
    Phase2 Algorithms : aes128-sha1,3des-sha1

If you then get a xl2tpd failure, you might also need to stop the system xl2tpd service, see "Issue with not stopping system xl2tpd service" section in the README.md file :
https://github.com/nm-l2tp/network-manager-l2tp#issue-with-not-stopping-system-xl2tpd-service

I think OpenSUSE doesn't start the system xl2tpd service by default, but Ubuntu does.
[Bug 1726135] Re: need to use group name
Group Name is for IPsec Extended authentication (XAuth). XAuth support was never implemented in network-manager-l2tp and it doesn't make sense as XAuth doesn't use L2TP, so Group Name was removed from the IPsec configuration dialog box.

So a summary for the differences in the two VPN connections are:

- IPsec XAuth uses XAuth for the user credentials which involves a Group Name.
- L2TP/IPsec uses L2TP for the PPP user credentials.

The Gnome Project provides a VPN IPsec IKEv1 VPN client with Group Name called network-manager-libreswan :

https://git.gnome.org/browse/network-manager-libreswan/plain/appdata/libreswan.png

Did Group Name ever work for you in the old network-manager-l2tp? If it did, it was for something other than XAuth.
[Bug 264691] Re: Please add NM option for connecting to L2TP IPSEC VPN
network-manager-l2tp 1.2.6-2 was accepted into Debian sid :

https://tracker.debian.org/pkg/network-manager-l2tp

The Debian package was automatically added to Ubuntu artful (17.10).

I've requested an Ubuntu backport of network-manager-l2tp from artful to xenial (16.04) which includes intermediate zesty (17.04) and yakkety (16.10) releases :

https://bugs.launchpad.net/xenial-backports/+bug/1697934

Please vote for the backport by clicking the "this bug affects me" link in the backport request.
[Bug 1677990] Re: xl2tpd crash when tearing down L2TP/IPSec VPN connection
Hi Brian,

I tested xl2tpd_1.3.6+dfsg-4ubuntu0.16.04.1_amd64.deb on xenial with NetworkManager-l2tp and I'm no longer able to reproduce the xl2tpd segmentation fault, nor is there any orphaned pppd process (which used to happen after the parent xl2tpd process crashed).

Similarly with xl2tpd_1.3.6+dfsg-4ubuntu1_amd64.deb on yakkety.
[Bug 264691] Re: Please add NM option for connecting to L2TP IPSEC VPN
There is now a new PPA, network-manager-l2tp 1.2.4 for 17.04 (zesty), 16.10 (yakkety) and 16.04 (xenial) packages can be found here:

https://launchpad.net/~nm-l2tp/+archive/ubuntu/network-manager-l2tp

strongswan stable release updates for yakkety and xenial which fix the aforementioned AppArmor name space issue were released in the last couple of weeks. So I've decided to release PPA packages as Debian strongswan doesn't have the fix yet.

The network-manager-l2tp 1.2.4 PPA packages on yakkety and xenial have explicit dependencies for the versions of the strongswan packages with the fix.
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
I can confirm NetworkManager-l2tp is working fine with the following yakkety-proposed packages:

    strongswan_5.3.5-1ubuntu4.1_all
    strongswan-charon_5.3.5-1ubuntu4.1_amd64
    strongswan-libcharon_5.3.5-1ubuntu4.1_amd64
    strongswan-starter_5.3.5-1ubuntu4.1_amd64
    libstrongswan_5.3.5-1ubuntu4.1_amd64
    libstrongswan-standard-plugins_5.3.5-1ubuntu4.1_amd64

Only strongswan AppArmor related messages I see are just status messages which are fine :

    Feb 18 11:50:32 ubuntu audit[506]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/ipsec/charon" pid=506 comm="apparmor_parser"
    Feb 18 11:50:32 ubuntu audit[507]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/ipsec/stroke" pid=507 comm="apparmor_parser"

Having said that, on Yakkety Yak with the stock strongswan_5.3.5-1ubuntu4 packages, (unlike Xenial Xerus) I'm able to establish a VPN connection with NetworkManager-l2tp even though I see lots of the following AppArmor denied messages :

    Feb 18 11:43:33 ubuntu audit[4002]: AVC apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4002 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

But I think strongswan 5.3.5-1ubuntu4.1 is definitely worthwhile to get rid of those AppArmor denied messages.
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
As far as NetworkManager-l2tp is concerned, I can confirm the strongswan 5.3.5-1ubuntu3.1 xenial-proposed package worked fine for me.
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
AppArmor is a Linux kernel security module that allows administrators to restrict programs' capabilities with per-program profiles.

Disabling the charon and stroke AppArmor profiles is just a workaround that removes the restrictions including the issue you are having.

The other option is to edit the two profiles with a text editor and add 'flags=(attach_disconnected)'. But you have to be sure you know where it needs to be added.
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
Sorry I gave bad advice, AppArmor complain mode won't help, it was the attach_disconnected in the patch which fixes the issue.

Simplest solution without patching is to disable the charon and stroke AppArmor profiles as mentioned on:

https://github.com/nm-l2tp/network-manager-l2tp/wiki
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
If you are using network-manager-l2tp, the AppArmor strongswan issue is listed in the known issues on the Wiki:

https://github.com/nm-l2tp/network-manager-l2tp/wiki

The patch just puts the AppArmor profiles for charon and stroke into complain mode. The same can be achieved with the following command-lines:

    sudo aa-complain /etc/apparmor.d/usr.lib.ipsec.charon
    sudo aa-complain /etc/apparmor.d/usr.lib.ipsec.stroke
[Bug 264691] Re: Please add NM option for connecting to L2TP IPSEC VPN
I've posted a summary of current NetworkManager-l2tp known issues and workarounds for Ubuntu and Debian here :

https://github.com/nm-l2tp/network-manager-l2tp/issues/12

I haven't created a new network-manager-l2tp PPA because of the strongSwan AppArmor name space issue involving NetworkManager and also some Ubuntu 16.04 users have had issues with the system xl2tpd, but not with a locally built copy. Unfortunately I haven't been able to reproduce the xl2tpd issue since I changed computers a couple of months ago.

I hope to submit a network-manager-l2tp package to Debian once the strongSwan AppArmor issue has been resolved.
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
Sorry, you are correct, I had forgotten I had changed to "complain" a while back for the two profiles to help with debugging.

On a clean Ubuntu 16.04 install, I can confirm with just flags=(attach_disconnected) for the two profiles, things work as expected.
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
Somehow forgot the attachment, find attached.

** Patch added: "/etc/apparmor.d/usr.lib.ipsec.* patch"
   https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1587886/+attachment/4690136/+files/usr.lib.ipsec.patch
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
I wasn't able to reproduce the issue from the command-line with NetworkManager-l2tp, it only happens after NetworkManager-l2tp restarts strongSwan under NetworkManager.

Turns out it is the same NetworkManager issue as the following :

https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1244157/comments/7

I used the attached patch for :

    /etc/apparmor.d/usr.lib.ipsec.charon
    /etc/apparmor.d/usr.lib.ipsec.stroke
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
Doesn't appear to matter if bare metal PC or VM.

So far haven't been able to reproduce 'ipsec status' issue other than using network-manager-l2tp, but need to do more comprehensive command-line tests that mimics better what network-manager-l2tp is doing.
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
Hi Simon,

UEFI Lenovo desktop PC is what I'm running Xenial on.

I'm the new maintainer for network-manager-l2tp VPN plugin for NetworkManager :

https://github.com/nm-l2tp/network-manager-l2tp

I started an IPSec/L2TP connection using network-manager-l2tp before issuing the 'sudo ipsec status'. So it may be something with network-manager-l2tp IPSec connections that triggers the issue.

I've encountered a few scenarios with strongswan and network-manager-l2tp where an IPSec connection hasn't been established yet, and was hoping to check the connection status in the code by invoking 'ipsec status {connection name}', before it tries to do a L2TP connection.

Tomorrow I'll try and do a bit more testing on other Xenial installs and maybe try an IPSec connection without network-manager-l2tp on the PC with the issue to see if I can reproduce. Will get back to you.
[Bug 1587886] [NEW] strongswan ipsec status issue with apparmor
Public bug reported:

    $ lsb_release -rd
    Description:    Ubuntu 16.04 LTS
    Release:        16.04

    $ apt-cache policy strongswan
    strongswan:
      Installed: 5.3.5-1ubuntu3
      Candidate: 5.3.5-1ubuntu3
      Version table:
     *** 5.3.5-1ubuntu3 500
            500 http://au.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
            500 http://au.archive.ubuntu.com/ubuntu xenial/main i386 Packages
            100 /var/lib/dpkg/status

Looks like 'ipsec status' might be causing strongswan's charon to write to run/systemd/journal/dev-log instead of /run/systemd/journal/dev-log and apparmor doesn't like it.

Extract from /etc/apparmor.d/abstractions/base :

    /{,var/}run/systemd/journal/dev-log w,

With an established ipsec connection, issue the following :

    $ sudo ipsec status
    connecting to 'unix:///var/run/charon.ctl' failed: Permission denied
    failed to connect to stroke socket 'unix:///var/run/charon.ctl'

    $ journalctl
    ...
    Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
    ...

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: strongswan 5.3.5-1ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jun 1 23:06:53 2016
InstallationDate: Installed on 2016-05-11 (21 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
PackageArchitecture: all
SourcePackage: strongswan
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: strongswan (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: apport-bug strongswan xenial
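An added example (not from the bug report or the attached patch): it picks the profiles with "disconnected path" denials out of audit lines like the one quoted in this report, and shows where the flags=(attach_disconnected) setting discussed in the replies goes in a profile header. The log lines and the profile body are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the bug thread. All sample data is constructed.

# Constructed journal lines modelled on the audit messages quoted in the thread.
sample_audit_log() {
cat <<'EOF'
Jun 01 12:15:07 host kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Feb 18 11:43:33 host audit[4002]: AVC apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4002 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Feb 18 11:50:32 host audit[506]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/ipsec/charon" pid=506 comm="apparmor_parser"
EOF
}

# Constructed minimal profile; the packaged profile carries many more rules.
sample_profile() {
cat <<'EOF'
#include <tunables/global>

/usr/lib/ipsec/charon {
  #include <abstractions/base>
}
EOF
}

# Read audit/journal text on stdin and print, one per line, each profile
# that logged a denial caused by a disconnected path.
disconnected_profiles() {
    grep 'apparmor="DENIED"' |
        grep 'info="Failed name lookup - disconnected path"' |
        sed -n 's/.* profile="\([^"]*\)".*/\1/p' |
        sort -u
}

# Print profile file $1 with attach_disconnected added to the header of
# profile $2. The header is the line that starts with the profile name and
# ends with "{". Existing flags are kept, and a header that already has the
# flag is left unchanged, so the edit is idempotent. Assumes the header is
# written as "<path> {", without a leading "profile" keyword.
add_attach_disconnected() {
    awk -v p="$2" '
        index($0, p " ") == 1 && /\{[ \t]*$/ && !/attach_disconnected/ {
            if ($0 ~ /flags=\(/) sub(/flags=\(/, "flags=(attach_disconnected,")
            else sub(/[ \t]*\{[ \t]*$/, " flags=(attach_disconnected) {")
        }
        { print }
    ' "$1"
}

# Demo on the constructed samples; nothing under /etc/apparmor.d is touched.
sample_audit_log | disconnected_profiles
tmp=$(mktemp) && sample_profile > "$tmp"
add_attach_disconnected "$tmp" /usr/lib/ipsec/charon | grep 'flags='
rm -f "$tmp"
```

With the flag set, AppArmor attaches the disconnected name run/systemd/journal/dev-log to the root of the namespace, so the existing rule from abstractions/base matches it. An edited profile is reloaded with apparmor_parser -r.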