L2TP / IPSec 连接失败 (Kubuntu 17.10)

Question

我正在尝试从 Kubuntu 17.10 连接到企业 VPN。我安装了 network-manager-l2tp（版本 1.2.8）。我得到的输出：

Nov 28 17:20:48 T460 NetworkManager[667]: initiating Main Mode IKE_SA 41d2e76d-a4c4-4f56-bd6a-58ad795af332[1] to xxx.xxx.xxx.xxx
Nov 28 17:20:48 T460 NetworkManager[667]: generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:20:48 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:20:48 T460 NetworkManager[667]: sending retransmit 1 of request message ID 0, seq 1
Nov 28 17:20:48 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:20:48 T460 NetworkManager[667]: destroying IKE_SA in state CONNECTING without notification
Nov 28 17:20:48 T460 NetworkManager[667]: establishing connection '41d2e76d-a4c4-4f56-bd6a-58ad795af332' failed
Nov 28 17:20:48 T460 nm-l2tp-service[3673]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Nov 28 17:20:48 T460 NetworkManager[667]: <info>  [1511889648.3131] vpn-connection[0x55fe5d8fe2f0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN service disappeared
Nov 28 17:20:48 T460 NetworkManager[667]: <warn>  [1511889648.3161] vpn-connection[0x55fe5d8fe2f0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
Nov 28 17:23:58 T460 NetworkManager[667]: <info>  [1511889838.9310] audit: op="connection-activate" uuid="41d2e76d-a4c4-4f56-bd6a-58ad795af332" name="WorkVPN" pid=1017 uid=1000 result="success"
Nov 28 17:23:58 T460 NetworkManager[667]: <info>  [1511889838.9371] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: Started the VPN service, PID 3759
Nov 28 17:23:58 T460 NetworkManager[667]: <info>  [1511889838.9477] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: Saw the service appear; activating connection
Nov 28 17:24:01 T460 nm-l2tp-service[3759]: Check port 1701
Nov 28 17:24:01 T460 NetworkManager[667]: Stopping strongSwan IPsec failed: starter is not running
Nov 28 17:24:03 T460 NetworkManager[667]: Starting strongSwan 5.5.1 IPsec [starter]...
Nov 28 17:24:03 T460 NetworkManager[667]: Loading config setup
Nov 28 17:24:03 T460 NetworkManager[667]: Loading conn '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:03 T460 NetworkManager[667]: found netkey IPsec stack
Nov 28 17:24:03 T460 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.14.2-041402-generic, x86_64)
Nov 28 17:24:03 T460 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 28 17:24:03 T460 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Nov 28 17:24:03 T460 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 28 17:24:03 T460 charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-41d2e76d-a4c4-4f56-bd6a-58ad795af332.secrets'
Nov 28 17:24:03 T460 charon: 00[CFG]   loaded IKE secret for %any
Nov 28 17:24:03 T460 charon: 00[LIB] loaded plugins: charon test-vectors aesni aes rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic
Nov 28 17:24:03 T460 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Nov 28 17:24:03 T460 charon: 00[JOB] spawning 16 worker threads
Nov 28 17:24:03 T460 charon: 05[CFG] received stroke: add connection '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:03 T460 charon: 05[CFG] added configuration '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:04 T460 charon: 07[CFG] rereading secrets
Nov 28 17:24:04 T460 charon: 07[CFG] loading secrets from '/etc/ipsec.secrets'
Nov 28 17:24:04 T460 charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-41d2e76d-a4c4-4f56-bd6a-58ad795af332.secrets'
Nov 28 17:24:04 T460 charon: 07[CFG]   loaded IKE secret for %any
Nov 28 17:24:04 T460 charon: 10[CFG] received stroke: initiate '41d2e76d-a4c4-4f56-bd6a-58ad795af332'
Nov 28 17:24:04 T460 charon: 11[IKE] initiating Main Mode IKE_SA 41d2e76d-a4c4-4f56-bd6a-58ad795af332[1] to xxx.xxx.xxx.xxx
Nov 28 17:24:04 T460 charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:24:04 T460 charon: 11[NET] sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:08 T460 charon: 12[IKE] sending retransmit 1 of request message ID 0, seq 1
Nov 28 17:24:08 T460 charon: 12[NET] sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:14 T460 NetworkManager[667]: Stopping strongSwan IPsec...
Nov 28 17:24:14 T460 charon: 00[DMN] signal of type SIGINT received. Shutting down
Nov 28 17:24:14 T460 charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Nov 28 17:24:14 T460 NetworkManager[667]: initiating Main Mode IKE_SA 41d2e76d-a4c4-4f56-bd6a-58ad795af332[1] to xxx.xxx.xxx.xxx
Nov 28 17:24:14 T460 NetworkManager[667]: generating ID_PROT request 0 [ SA V V V V V ]
Nov 28 17:24:14 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:14 T460 NetworkManager[667]: sending retransmit 1 of request message ID 0, seq 1
Nov 28 17:24:14 T460 NetworkManager[667]: sending packet: from 192.168.43.232[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
Nov 28 17:24:14 T460 NetworkManager[667]: destroying IKE_SA in state CONNECTING without notification
Nov 28 17:24:14 T460 NetworkManager[667]: establishing connection '41d2e76d-a4c4-4f56-bd6a-58ad795af332' failed
Nov 28 17:24:14 T460 nm-l2tp-service[3759]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Nov 28 17:24:14 T460 NetworkManager[667]: <info>  [1511889854.5718] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN plugin: state changed: stopped (6)
Nov 28 17:24:14 T460 NetworkManager[667]: <info>  [1511889854.5779] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN service disappeared
Nov 28 17:24:14 T460 NetworkManager[667]: <warn>  [1511889854.5803] vpn-connection[0x55fe5d8fe4e0,41d2e76d-a4c4-4f56-bd6a-58ad795af332,"WorkVPN",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

编辑：

这是调试信息输出：

van@z97:/opt/testing$ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[24282] <debug> nm-l2tp-service (version 1.2.8) starting...
nm-l2tp[24282] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[24282] <info>  ipsec enable flag: yes
** Message: Check port 1701
** Message: Can't bind to port 1701
nm-l2tp[24282] <warn>  L2TP port 1701 is busy, using ephemeral.
connection
        id : "Work" (s)
        uuid : "71468d41-cd5a-4c91-a70a-c6bc7e1db86a" (s)
        interface-name : NULL (sd)
        type : "vpn" (s)
        permissions : ["user:van:"] (s)
        autoconnect : TRUE (sd)
        autoconnect-priority : 0 (sd)
        autoconnect-retries : -1 (sd)
        timestamp : 0 (sd)
        read-only : FALSE (sd)
        zone : NULL (sd)
        master : NULL (sd)
        slave-type : NULL (sd)
        autoconnect-slaves : ((NMSettingConnectionAutoconnectSlaves) NM_SETTING_CONNECTION_AUTOCONNECT_SLAVES_DEFAULT) (sd)
        secondaries : NULL (sd)
        gateway-ping-timeout : 0 (sd)
        metered : ((NMMetered) NM_METERED_UNKNOWN) (sd)
        lldp : -1 (sd)
        stable-id : NULL (sd)


ipv6
        method : "auto" (s)
        dns : [] (s)
        dns-search : [] (s)
        dns-options : NULL (sd)
        dns-priority : 0 (sd)
        addresses : ((GPtrArray*) 0x5645b3895ae0) (s)
        gateway : NULL (sd)
        routes : ((GPtrArray*) 0x5645b3895ae0) (s)
        route-metric : -1 (sd)
        ignore-auto-routes : FALSE (sd)
        ignore-auto-dns : FALSE (sd)
        dhcp-hostname : NULL (sd)
        dhcp-send-hostname : TRUE (sd)
        never-default : FALSE (sd)
        may-fail : TRUE (sd)
        dad-timeout : -1 (sd)
        dhcp-timeout : 0 (sd)
        ip6-privacy : ((NMSettingIP6ConfigPrivacy) NM_SETTING_IP6_CONFIG_PRIVACY_UNKNOWN) (sd)
        addr-gen-mode : 1 (sd)
        token : NULL (sd)


proxy
        method : 0 (sd)
        browser-only : FALSE (sd)
        pac-url : NULL (sd)
        pac-script : NULL (sd)


vpn
        service-type : "org.freedesktop.NetworkManager.l2tp" (s)
        user-name : "van" (s)
        persistent : FALSE (sd)
        data : ((GHashTable*) 0x7fef54006de0) (s)
        secrets : ((GHashTable*) 0x7fef54006cc0) (s)
        timeout : 0 (sd)


ipv4
        method : "auto" (s)
        dns : [] (s)
        dns-search : [] (s)
        dns-options : NULL (sd)
        dns-priority : 0 (sd)
        addresses : ((GPtrArray*) 0x5645b38957a0) (s)
        gateway : NULL (sd)
        routes : ((GPtrArray*) 0x5645b3895a00) (s)
        route-metric : -1 (sd)
        ignore-auto-routes : FALSE (sd)
        ignore-auto-dns : FALSE (sd)
        dhcp-hostname : NULL (sd)
        dhcp-send-hostname : TRUE (sd)
        never-default : FALSE (sd)
        may-fail : TRUE (sd)
        dad-timeout : -1 (sd)
        dhcp-timeout : 0 (sd)
        dhcp-client-id : NULL (sd)
        dhcp-fqdn : NULL (sd)


nm-l2tp[24282] <info>  starting ipsec
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.5.1 IPsec [starter]...
Loading config setup
Loading conn '71468d41-cd5a-4c91-a70a-c6bc7e1db86a'
found netkey IPsec stack
nm-l2tp[24282] <info>  Spawned ipsec up script with PID 24345.
initiating Main Mode IKE_SA 71468d41-cd5a-4c91-a70a-c6bc7e1db86a[1] to xxx.xxx.xxx.xxx
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.0.2[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
sending retransmit 1 of request message ID 0, seq 1
sending packet: from 192.168.0.2[500] to xxx.xxx.xxx.xxx[500] (240 bytes)
nm-l2tp[24282] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[24282] <info>  Terminating ipsec script with PID 24345.
Stopping strongSwan IPsec...
destroying IKE_SA in state CONNECTING without notification
establishing connection '71468d41-cd5a-4c91-a70a-c6bc7e1db86a' failed
nm-l2tp[24282] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:24282): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

Answer 1

经过几个小时的挖掘，我发现了问题所在，以及解决方案。

问题：

1. Linux 不再支持 3DES 密码，但许多设备仍在使用它。
2. Kubuntu 17.10 缺少IPSec 设置下的 phase1 和 phase2 算法条目字段（这是一个已知错误），这是设置 L2TP/IPSec 连接以使用 3DES 所必需的。

解决方案：

1. 从“backports” PPA 安装最新版本的 KDE Plasma。
2. 重新启动，然后创建一个新的 L2TP/IPSec VPN 连接 - 现在应该存在阶段 1 和阶段 2 算法条目字段。
3. 对于 Phase1 算法，输入：3des-sha1-modp1024！
4. 对于 Phase2 算法，输入：3des-sha1!

根据记忆，我做了以下事情：

sudo add-apt-repository ppa:kubuntu-ppa/backports
sudo apt update && sudo apt upgrade
sudo reboot
sudo apt install network-manager-l2tp-gnome
sudo apt install strongswan
sudo apt install libstrongswan-extra-plugins
sudo apt install libcharon-extra-plugins

重新启动，然后正常添加 L2TP/IPSec。您现在应该看到 Phase1 和 Phase2 算法文本框，如附图所示。

重要的是要注意，如果您安装了最新的 Linux 内核（我相信 4.14 或更高版本），则上述步骤将不起作用，因此这种使 L2TP/IPSec 与 3DES 密码一起工作的变通方法很可能在以下情况下不起作用即将发布的 *Ubuntu 18.04 LTS 已发布。

Answer 2

我知道这个问题是关于让 L2TP/IPSec 在 Kubuntu 17.10 上工作的。但是，现在 18.04 已经发布了，下面是我如何让L2TP/IPSec 在 Kubuntu 18.04 上工作：

1. $ sudo apt install network-manager-l2tp
2. $ sudo systemctl stop xl2tpd.service
3. $ sudo systemctl disable xl2tpd.service

由于Phase1 算法和Phase2 算法文本输入现在包含在默认网络管理器中，因此不再需要使用反向移植。