Bug 750932 - net-vpn/libreswan 4.1 has changed locations for some components
Summary: net-vpn/libreswan 4.1 has changed locations for some components
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal, 2 votes
Assignee: Hans de Graaff
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-23 21:16 UTC by Brian McKee
Modified: 2020-11-21 10:15 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
First attempt at a new ebuild for libreswan (libreswan-4.1-r1.ebuild, 3.24 KB, text/plain) - 2020-10-24 03:32 UTC, Brian McKee
Second ebuild attempt. (libreswan-4.1-r1.ebuild, 3.29 KB, text/plain) - 2020-10-25 16:07 UTC, Brian McKee
Third attempted ebuild: Fixed a mistake in the initscript path. (libreswan-4.1-r1.ebuild, 3.24 KB, text/plain) - 2020-10-25 16:23 UTC, Brian McKee
Fourth try at ebuild: Only add new storage directory. (libreswan-4.1-r1.ebuild, 3.28 KB, text/plain) - 2020-10-26 15:30 UTC, Brian McKee

Description Brian McKee 2020-10-23 21:16:28 UTC
I have a problem with libreswan, NetworkManager and the L2TP protocol.

I posted a message to the libreswan mailing list and was sent this reply:


Douglas Kosovic doug@uq.edu.au via lists.libreswan.org
to swan@lists.libreswan.org

Hi Brian,

With Libreswan >= 4.0, the default NSS database files (*.db) have moved from /etc/ipsec.d to /var/lib/ipsec/nss

Try the following Libreswan command to see if you get an error:

    $ sudo ipsec initnss
    ERROR: destination directory "/var/lib/ipsec/nss" is missing or permission denied

pkg_postinst() in the gentoo ebuild is still using /etc/ipsec.d for the NSS database files:

    https://gitweb.gentoo.org/repo/gentoo.git/tree/net-vpn/libreswan/libreswan-4.1.ebuild

you could fix the aforementioned pkg_postinst(), or issue the following as a workaround:

    sudo mkdir -p /var/lib/ipsec/nss
    sudo chmod 700 /var/lib/ipsec/nss

then try sudo ipsec initnss again.

If you are using SELinux or AppArmor, a new rule might be required for /var/lib/ipsec/nss

Cheers,
Doug

Reproducible: Always

Steps to Reproduce:
1. Install latest libreswan & networkmanager
2. Create l2tp VPN connection
3. Try to connect, it fails with no message
Actual Results:  
Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4884] audit: op="connection-activate" uuid="9a088450-2a7b-4012-befe-facf564c77e0" name="wtec-SJ" pid=5647 uid=1000 result="success"
Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4920] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Started the VPN service, PID 10712
Oct 22 21:30:16 threads NetworkManager[4579]: <info>  [1603427416.4984] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: Saw the service appear; activating connection
Oct 22 21:30:17 threads NetworkManager[4579]: <info>  [1603427417.1234] audit: op="statistics" arg="refresh-rate-ms" pid=5647 uid=1000 result="success"
Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7335] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN plugin: state changed: stopped (6)
Oct 22 21:30:27 threads NetworkManager[4579]: <info>  [1603427427.7361] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN service disappeared
Oct 22 21:30:27 threads NetworkManager[4579]: <warn>  [1603427427.7372] vpn-connection[0x56488972c2b0,9a088450-2a7b-4012-befe-facf564c77e0,"wtec-SJ",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

Expected Results:  
*working VPN connection*

I will modify the ebuild myself and try it later today (after I don't need the VPN connection for work). I will update this thread with the ebuild if I get it working.
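The diagnosis quoted above (NSS database directory moved to /var/lib/ipsec/nss, missing after the 4.1 ebuild, fixed by mkdir -p plus chmod 700) can be turned into a repeatable check. The script below is an added example for this page, not code from the bug report, the Gentoo ebuild or the libreswan project. The two paths are the ones named in the report; the function names and the NSS_CHECK_MAIN switch are this example's own, and it assumes GNU coreutils (stat -c '%a'). Since the NSS database holds the IKE private keys, the check treats any mode other than 0700 on the directory as a finding rather than only testing for existence.

```shell
#!/bin/sh
# Added example (not from this bug report or the libreswan project): check the
# libreswan >= 4.0 NSS database location described in the bug. The two paths
# are the ones named on this page; the function names and the NSS_CHECK_MAIN
# switch are this example's own. Requires GNU coreutils stat (-c '%a').

NEW_NSSDIR="${NEW_NSSDIR:-/var/lib/ipsec/nss}"   # default since libreswan 4.0
OLD_NSSDIR="${OLD_NSSDIR:-/etc/ipsec.d}"         # pre-4.0 default (FINALNSSDIR)

# nss_dir_status DIR: print missing | notdir | badmode:<octal> | ok, and return
# 0 only for ok. The NSS database holds the IKE private keys, so any mode other
# than 0700 is reported as a problem instead of being silently accepted.
nss_dir_status() {
    dir=$1
    [ -e "$dir" ] || { echo missing; return 1; }
    [ -d "$dir" ] || { echo notdir; return 1; }
    mode=$(stat -c '%a' "$dir")
    case "$mode" in
        700) echo ok; return 0 ;;
        *)   echo "badmode:$mode"; return 1 ;;
    esac
}

# ensure_nss_dir DIR: the workaround from the mailing-list reply (mkdir -p,
# chmod 700), made idempotent. It tightens an existing directory but never
# touches its contents; 'ipsec initnss' still has to create the *.db files.
ensure_nss_dir() {
    dir=$1
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod 700 "$dir"
}

# old_db_files DIR: number of *.db files still sitting at the pre-4.0 location
# (0 when the directory does not exist). This only reports them; per the 4.0
# CHANGES entry quoted later in the bug, 'ipsec checknss' does the migration.
old_db_files() {
    dir=$1
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -maxdepth 1 -name '*.db' | wc -l | tr -d ' '
}

# report: run both checks against the real paths; exit 0 when nothing is wrong.
report() {
    rc=0
    status=$(nss_dir_status "$NEW_NSSDIR") || rc=1
    echo "$NEW_NSSDIR: $status"
    [ "$status" = ok ] || echo "fix (as root): ensure_nss_dir $NEW_NSSDIR && ipsec initnss"
    stale=$(old_db_files "$OLD_NSSDIR")
    if [ "$stale" -ne 0 ]; then
        echo "$OLD_NSSDIR: $stale *.db file(s) left from before 4.0; run 'ipsec checknss'"
        rc=1
    fi
    return "$rc"
}

# Only act on the live system when asked, so the functions can be sourced safely.
if [ "${NSS_CHECK_MAIN:-0}" = 1 ]; then
    report
fi
```

Run it as root with NSS_CHECK_MAIN=1 to get the same "missing" result that `ipsec initnss` reports on an unfixed 4.1 install, or source the file and call ensure_nss_dir on a test path. The old-location check matters because a world-readable /etc/ipsec.d left behind with key4.db in it is still key material, even after the daemon has stopped using it.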
Comment 1 Brian McKee 2020-10-23 21:43:07 UTC
More information from Doug:

They can compile with FINALNSSDIR=/etc/ipsec.d to keep the nss files at the same
location if they prefer that.

Note that libreswan-4.x also no longer builds support for DH2, and some
NM-libreswan plugins tried to use dh2+dh5 for IKEv1. So you might also
be running into that. That required a fix to NM-libreswan in fedora at
least.
Comment 2 Brian McKee 2020-10-23 21:46:29 UTC
Previous reply was from Paul, not Doug.
Comment 3 Brian McKee 2020-10-24 03:32:09 UTC
Created attachment 668213 [details]
First attempt at a new ebuild for libreswan

I managed to get it to install with the attached ebuild, but it still doesn't work for me. I am getting error messages now so I've replied to the libreswan mailing list hoping for more help.

If libreswan is working for you, I suggest you not try this ebuild.
Comment 4 Brian McKee 2020-10-25 15:17:58 UTC
I'm not very proficient with Gentoo and I've gotten to the point where I'm beyond my experience.

I need to create an ipsec rc script, because /usr/sbin/ipsec tries to use RC or systemd to start itself when you call it.

Right now I'm getting this message when I try to start a VPN connection:

Redirecting to: rc-service ipsec start
 * rc-service: service `ipsec' does not exist

Doug, from the libreswan project, indicates that ipsec needs a startup script.

I'll try to make one this morning, but I'm not very hopeful as I have no idea what I'm doing.

If anyone could point me to one that may work, I'd appreciate it.
Comment 5 Brian McKee 2020-10-25 16:07:18 UTC
Created attachment 668483 [details]
Second ebuild attempt.

Added a mv command to put the RC init script in place.
Comment 6 Brian McKee 2020-10-25 16:09:03 UTC
I found that libreswan generates an init script for us and the ebuild already modified it. I just hacked a line in the ebuild to move it from IPSEC_CONFDIR to /etc/init.d/

It still doesn't work for me. I'll keep trying...
Comment 7 Brian McKee 2020-10-25 16:10:59 UTC
I just spotted the mistake I made with the init script... Y'all should ignore me for a while.
Comment 8 Brian McKee 2020-10-25 16:23:17 UTC
Created attachment 668486 [details]
Third attempted ebuild: Fixed a mistake in the initscript path.

I broke the ebuild on my first attempt to update it. This fixes that. It still doesn't work for me though.
Comment 9 Brian McKee 2020-10-26 15:30:43 UTC
Created attachment 668636 [details]
Fourth try at ebuild: Only add new storage directory.

I jumped the gun before and made too many changes. libreswan has moved the nss storage directory, but not the config files. This ebuild fixes that. I'm still not up and running yet, but it does seem like I'm getting closer.
Comment 10 Brian McKee 2020-10-26 18:10:35 UTC
I could not get libreswan 4.1 to work.

I could not get strongswan to work.

I went back to libreswan 3.32-r1 and it works fine.

I still believe the mkdir -p added to the ebuild is necessary, but since I can't prove it works for me, YMMV.
Comment 11 Emre Eryilmaz 2020-11-09 11:26:11 UTC
in v4.0 release notes[1]: 

"NSS database (*.db) are now expected in /var/lib/ipsec/nss [Tuomo]
ipsec checknss called in initsystem will migrate files
Use FINALNSSDIR=/etc/ipsec.d to use the pre-4.0 location"

[1] https://github.com/libreswan/libreswan/blob/main/CHANGES (lines 74-76)
Comment 12 Larry the Git Cow gentoo-dev 2020-11-21 10:15:47 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68f9f99a65dd6aa77371e9fbe9425dc40ba4d4dc

commit 68f9f99a65dd6aa77371e9fbe9425dc40ba4d4dc
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2020-11-21 10:15:38 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2020-11-21 10:15:38 +0000

    net-vpn/libreswan: add new NSS dir
    
    Create the new directory where the NSS database will be created and
    update postinst accordingly.
    
    Closes: https://bugs.gentoo.org/750932
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 net-vpn/libreswan/libreswan-4.1-r1.ebuild | 120 ++++++++++++++++++++++++++++++
 1 file changed, 120 insertions(+)