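I'm trying to connect to a VPN using L2TP and StrongSwan. Reading the logs I get from journalctl -f -u NetworkManager, it looks like I do establish a connection to the VPN. It just crashes somewhere, and I don't know exactly where that happens. Here are the logs: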
NetworkManager[772]: [1568791368.4794] audit: op="connection-activate" uuid="9ec1ad72-bf05-4576-a623-22605eeeb1f7" name="VPN 1" pid=2599 uid=1000 result="success"
NetworkManager[772]: [1568791368.4861] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: Started the VPN service, PID 14422
NetworkManager[772]: [1568791368.4929] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: Saw the service appear; activating connection
NetworkManager[772]: [1568791368.5593] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: VPN connection: (ConnectInteractive) reply received
nm-l2tp-service[14422]: Check port 1701
Sep 18 09:22:48 floris-XPS-13-9360 NetworkManager[772]: Stopping strongSwan IPsec failed: starter is not running
NetworkManager[772]: Starting strongSwan 5.6.2 IPsec [starter]...
NetworkManager[772]: Loading config setup
NetworkManager[772]: Loading conn '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
ipsec_starter[14439]: Starting strongSwan 5.6.2 IPsec [starter]...
ipsec_starter[14439]: Loading config setup
ipsec_starter[14439]: Loading conn '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
NetworkManager[772]: found netkey IPsec stack
ipsec_starter[14439]: found netkey IPsec stack
ipsec_starter[14460]: Attempting to start charon...
charon[14461]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-27-generic, x86_64)
charon[14461]: 00[CFG] PKCS11 module '' lacks library path
charon[14461]: 00[CFG] disabling load-tester plugin, not configured
charon[14461]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
charon[14461]: 00[CFG] dnscert plugin is disabled
charon[14461]: 00[CFG] ipseckey plugin is disabled
charon[14461]: 00[CFG] attr-sql plugin: database URI not set
charon[14461]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon[14461]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon[14461]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon[14461]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon[14461]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon[14461]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon[14461]: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-9ec1ad72-bf05-4576-a623-22605eeeb1f7.secrets'
charon[14461]: 00[CFG] loaded IKE secret for %any
charon[14461]: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-a168f087-5f2b-42c2-949a-dd18c8af1217.secrets'
charon[14461]: 00[CFG] loaded IKE secret for %any
charon[14461]: 00[CFG] sql plugin: database URI not set
charon[14461]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
charon[14461]: 00[CFG] eap-simaka-sql database URI missing
charon[14461]: 00[CFG] loaded 0 RADIUS server configurations
charon[14461]: 00[CFG] HA config misses local/remote address
charon[14461]: 00[CFG] no threshold configured for systime-fix, disabled
charon[14461]: 00[CFG] coupling file path unspecified
charon[14461]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
charon[14461]: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon[14461]: 00[JOB] spawning 16 worker threads
ipsec_starter[14460]: charon (14461) started after 40 ms
charon[14461]: 05[CFG] received stroke: add connection '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
charon[14461]: 05[CFG] algorithm 'ecp_384' not recognized
charon[14461]: 05[CFG] skipped invalid proposal string: aes256-sha1-ecp_384
charon[14461]: 10[CFG] rereading secrets
charon[14461]: 10[CFG] loading secrets from '/etc/ipsec.secrets'
charon[14461]: 10[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-9ec1ad72-bf05-4576-a623-22605eeeb1f7.secrets'
charon[14461]: 10[CFG] loaded IKE secret for %any
charon[14461]: 10[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-a168f087-5f2b-42c2-949a-dd18c8af1217.secrets'
charon[14461]: 10[CFG] loaded IKE secret for %any
charon[14461]: 13[CFG] received stroke: initiate '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
charon[14461]: 13[CFG] no config named '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
NetworkManager[772]: no config named '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
NetworkManager[772]: Stopping strongSwan IPsec...
charon[14461]: 00[DMN] signal of type SIGINT received. Shutting down
ipsec_starter[14460]: child 14461 (charon) has quit (exit code 0)
ipsec_starter[14460]: ipsec_starter[14460]: charon stopped after 200 ms
ipsec_starter[14460]: ipsec starter stopped
nm-l2tp-service[14422]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
NetworkManager[772]: [1568791372.0377] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: VPN plugin: state changed: stopped (6)
NetworkManager[772]: [1568791372.0476] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: VPN service disappeared
NetworkManager[772]: [1568791372.0524] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
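I don't see a clear warning, nor a statement explaining why it fails. Am I missing something?
Answer 1
The ecp_384 not recognised error is because strongswan uses ecp384, see:
You also seem to have two PSK files. I'd recommend deleting them, as the wrong PSK might be used.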
sudo rm -f /etc/ipsec.d/nm-l2tp-ipsec-9ec1ad72-bf05-4576-a623-22605eeeb1f7.secrets
sudo rm -f /etc/ipsec.d/nm-l2tp-ipsec-a168f087-5f2b-42c2-949a-dd18c8af1217.secrets
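I recommend upgrading to network-manager-l2tp 1.2.16 from this PPA, which has backports from Debian sid:
It fixes the issue of the PSK /etc/ipsec.d/nm-l2tp-ipsec-*.secrets files not being deleted and the wrong PSK being used. You also don't need to enter anything for the phase 1 and phase 2 algorithms, as it defaults to using a merge of the proposals from the Win 10 and macOS/iOS/iPadOS L2TP/IPsec clients, and no longer uses the libreswan or strongswan default proposal sets.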
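The failure chain the answer points at can be pulled out of the charon log mechanically. The following is an added example, not part of the original question or answer: it links each "no config named" failure back to the proposals charon rejected while adding that connection, and lists nm-l2tp-ipsec secrets files that belong to other connections. The name diagnose and the rule of attributing a rejected proposal to the most recently added connection are assumptions made for this example.

```python
import re

# Constructed sample: seven lines copied from the log in the question.
SAMPLE_LOG = """\
charon[14461]: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-9ec1ad72-bf05-4576-a623-22605eeeb1f7.secrets'
charon[14461]: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-a168f087-5f2b-42c2-949a-dd18c8af1217.secrets'
charon[14461]: 05[CFG] received stroke: add connection '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
charon[14461]: 05[CFG] algorithm 'ecp_384' not recognized
charon[14461]: 05[CFG] skipped invalid proposal string: aes256-sha1-ecp_384
charon[14461]: 13[CFG] received stroke: initiate '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
charon[14461]: 13[CFG] no config named '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
"""

PATTERNS = {
    "secrets": re.compile(r"loading secrets from '([^']*/nm-l2tp-ipsec-([0-9a-f-]+)\.secrets)'"),
    "add": re.compile(r"received stroke: add connection '([^']+)'"),
    "bad_alg": re.compile(r"algorithm '([^']+)' not recognized"),
    "skipped": re.compile(r"skipped invalid proposal string: (\S+)"),
    # Only charon's own [CFG] line; NetworkManager echoes the same text.
    "no_conf": re.compile(r"\[CFG\] no config named '([^']+)'"),
}

def diagnose(log_text):
    """Return (failed, stale). failed maps each connection charon could not
    initiate to what was rejected while adding it; stale lists secrets files
    whose UUID matches none of the connections that were added."""
    added, secrets, failed, current = {}, {}, {}, None
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "secrets":
                secrets[m.group(2)] = m.group(1)
            elif kind == "add":
                current = m.group(1)
                added.setdefault(current, {"algorithms": [], "proposals": []})
            elif kind == "bad_alg" and current:
                added[current]["algorithms"].append(m.group(1))
            elif kind == "skipped" and current:
                added[current]["proposals"].append(m.group(1))
            elif kind == "no_conf":
                empty = {"algorithms": [], "proposals": []}
                failed[m.group(1)] = added.get(m.group(1), empty)
    stale = sorted(p for uuid, p in secrets.items() if added and uuid not in added)
    return failed, stale

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On a live system the same function can be fed the saved output of the journalctl command from the question.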