L2TP / IPSec 连接失败(Ubuntu 19.10)

L2TP / IPSec 连接失败(Ubuntu 19.10)

在 ubuntu 18.04 LTE VPN 连接正常工作,但在 19.10 上我得到:

hidden@hidden:~$ tail -f /var/log/syslog
hidden NetworkManager[862]: <info>  [1574066091.0450] audit: op="connection-activate" uuid="88936113-b02d-48b7-a98e-04758a426172" name="hidden" pid=1761 uid=1000 result="success"
hidden NetworkManager[862]: <info>  [1574066091.0486] vpn-connection[0x564b018846f0,88936113-b02d-48b7-a98e-04758a426172,"hidden",0]: Saw the service appear; activating connection
hidden NetworkManager[862]: <info>  [1574066091.1669] vpn-connection[0x564b018846f0,88936113-b02d-48b7-a98e-04758a426172,"hidden",0]: VPN connection: (ConnectInteractive) reply received
hidden systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
hidden whack[10939]: 002 shutting down
hidden ipsec[10942]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden libipsecconf[10944]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden systemd[1]: ipsec.service: Succeeded.
hidden systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
hidden systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
hidden addconn[10948]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden libipsecconf[10948]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden _stackmanager[10950]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden libipsecconf[10960]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden _stackmanager[10950]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden libipsecconf[10968]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden ipsec[11252]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden libipsecconf[11254]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden ipsec[11252]: nflog ipsec capture disabled
hidden systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
hidden libipsecconf[11273]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden CRON[11287]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
hidden NetworkManager[862]: <info>  [1574066101.9098] vpn-connection[0x564b018846f0,88936113-b02d-48b7-a98e-04758a426172,"hidden",0]: VPN plugin: state changed: stopped (6)
hidden xdg-desktop-por[1696]: Failed to get application states: GDBus.Error:org.freedesktop.portal.Error.Failed: Could not get window list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: App introspection not allowed
hidden@hidden:~$ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
[sudo] password for hidden: 
nm-l2tp[10839] <debug> nm-l2tp-service (version 1.2.10) starting...
nm-l2tp[10839] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[10839] <info>  ipsec enable flag: yes
** Message: 11:34:51.169: Check port 1701
** Message: 11:34:51.169: Can't bind to port 1701
nm-l2tp[10839] <warn>  L2TP port 1701 is busy, using ephemeral.
proxy

ipv6
    address-data : []
    dns : []
    dns-search : []
    method : 'auto'
    route-data : []

connection
    autoconnect : false
    id : 'hidden'
    permissions : ['user:hidden:']
    type : 'vpn'
    uuid : '88936113-b02d-48b7-a98e-04758a426172'

vpn
    data : {'gateway': 'x.xxx.xxx.xx', 'ipsec-enabled': 'yes', 'ipsec-esp': '3des-sha1', 'ipsec-ike': '3des-sha1;modp1024', 'ipsec-psk': '************', 'password-flags': '1', 'user': 'hidden'}
    secrets : {'password': '************'}
    service-type : 'org.freedesktop.NetworkManager.l2tp'
    user-name : 'hidden'

ipv4
    address-data : []
    dns : []
    dns-search : []
    method : 'auto'
    route-data : []

nm-l2tp[10839] <info>  starting ipsec
Redirecting to: systemctl restart ipsec.service
002 listening for IKE messages
002 Kernel supports NIC esp-hw-offload
002 adding interface wlp2s0/wlp2s0 (esp-hw-offload=no) xxx.xxx.x.xx:500
002 adding interface wlp2s0/wlp2s0 xxx.xxx.x.xx:4500
002 Kernel supports NIC esp-hw-offload
002 adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
002 adding interface lo/lo 127.0.0.1:4500
002 Kernel supports NIC esp-hw-offload
002 adding interface lo/lo (esp-hw-offload=no) ::1:500
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-147f9a0d-9b02-4cc9-8942-b4e5b4061110.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-6a6bdfbd-3ad5-4b01-82cd-a32cd48d067f.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-88936113-b02d-48b7-a98e-04758a426172.secrets"
opening file: /run/nm-l2tp-ipsec-88936113-b02d-48b7-a98e-04758a426172.conf
debugging mode enabled
end of file /run/nm-l2tp-ipsec-88936113-b02d-48b7-a98e-04758a426172.conf
Loading conn 88936113-b02d-48b7-a98e-04758a426172
starter: left is KH_DEFAULTROUTE
loading named conns: 88936113-b02d-48b7-a98e-04758a426172
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst  via xxx.xxx.x.x dev wlp2s0 src  table 254
set nexthop: xxx.xxx.x.x
dst xxx.xxx.x.x via  dev wlp2s0 src  table 254
dst xxx.xxx.x.x via  dev wlp2s0 src xxx.xxx.x.xx table 254
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
dst xxx.xxx.x.x via  dev wlp2s0 src xxx.xxx.x.xx table 255 (ignored)
dst xxx.xxx.x.xx via  dev wlp2s0 src xxx.xxx.x.xx table 255 (ignored)
dst xxx.xxx.x.xxx via  dev wlp2s0 src xxx.xxx.x.xx table 255 (ignored)

seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst xxx.xxx.x.x via  dev wlp2s0 src xxx.xxx.x.xx table 254
set addr: xxx.xxx.x.xx

seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "88936113-b02d-48b7-a98e-04758a426172" modecfgdns=<unset>
conn: "88936113-b02d-48b7-a98e-04758a426172" modecfgdomains=<unset>
conn: "88936113-b02d-48b7-a98e-04758a426172" modecfgbanner=<unset>
conn: "88936113-b02d-48b7-a98e-04758a426172" mark=<unset>
conn: "88936113-b02d-48b7-a98e-04758a426172" mark-in=<unset>
conn: "88936113-b02d-48b7-a98e-04758a426172" mark-out=<unset>
conn: "88936113-b02d-48b7-a98e-04758a426172" vti_iface=<unset>
conn: "88936113-b02d-48b7-a98e-04758a426172" redirect-to=<unset>
conn: "88936113-b02d-48b7-a98e-04758a426172" accept-redirect-to=<unset>
conn: "88936113-b02d-48b7-a98e-04758a426172" esp=3des-sha1
conn: "88936113-b02d-48b7-a98e-04758a426172" ike=3des-sha1;modp1024
002 added connection description "88936113-b02d-48b7-a98e-04758a426172"
nm-l2tp[10839] <info>  Spawned ipsec auto --up script with PID 11280.
002 "88936113-b02d-48b7-a98e-04758a426172" #1: initiating v2 parent SA
133 "88936113-b02d-48b7-a98e-04758a426172" #1: initiate
002 "88936113-b02d-48b7-a98e-04758a426172": constructed local IKE proposals for 88936113-b02d-48b7-a98e-04758a426172 (IKE SA initiator selecting KE): 1:IKE:ENCR=3DES;PRF=HMAC_SHA1;INTEG=HMAC_SHA1_96;DH=MODP1024
133 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 2 seconds for response
010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 4 seconds for response
010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 8 seconds for response
nm-l2tp[10839] <warn>  Timeout trying to establish IPsec connection
nm-l2tp[10839] <info>  Terminating ipsec script with PID 11280.
nm-l2tp[10839] <warn>  Could not establish IPsec tunnel.

(nm-l2tp-service:10839): GLib-GIO-CRITICAL **: 11:35:01.908: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 16 seconds for response
010 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: retransmission; will wait 32 seconds for response
031 "88936113-b02d-48b7-a98e-04758a426172" #1: STATE_PARENT_I1: 60 second timeout exceeded after 7 retransmits.  No response (or no acceptable response) to our first IKEv2 message
000 "88936113-b02d-48b7-a98e-04758a426172" #1: starting keying attempt 2 of an unlimited number, but releasing whack

幫助修復該問題。

ps 升级到 network-manager-l2tp:1.2.16-1 后,新日志:

hidden@hidden:~$  tail -f /var/log/syslog
hidden xdg-desktop-por[1688]: Failed to get application states: GDBus.Error:org.freedesktop.portal.Error.Failed: Could not get window list: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: App introspection not allowed
hidden gnome-software[3460]: enabled plugins: desktop-categories, fwupd, os-release, packagekit, packagekit-local, packagekit-offline, packagekit-proxy, packagekit-refine-repos, packagekit-refresh, packagekit-upgrade, packagekit-url-to-app, shell-extensions, ubuntuone, appstream, desktop-menu-path, hardcoded-blacklist, hardcoded-featured, hardcoded-popular, modalias, odrs, packagekit-refine, rewrite-resource, steam, packagekit-history, provenance, snap, systemd-updates, generic-updates, provenance-license, icons, key-colors, key-colors-metadata
hidden gnome-software[3460]: disabled plugins: dpkg, dummy, repos, epiphany
hidden dbus-daemon[872]: [system] Activating via systemd: service name='org.freedesktop.fwupd' unit='fwupd.service' requested by ':1.609' (uid=1000 pid=3460 comm="/usr/bin/gnome-software --gapplication-service " label="unconfined")
hidden systemd[1]: Starting Firmware update daemon...
hidden fwupd[3486]: 19:03:15:0057 FuPluginUefi         kernel efivars support missing: /sys/firmware/efi/efivars
hidden dbus-daemon[872]: [system] Activating via systemd: service name='org.freedesktop.bolt' unit='bolt.service' requested by ':1.613' (uid=0 pid=3486 comm="/usr/lib/fwupd/fwupd " label="unconfined")
hidden systemd[1]: Starting Thunderbolt system service...
hidden boltd[3499]: bolt 0.8 starting up.
hidden boltd[3499]: store: located at: /var/lib/boltd
hidden boltd[3499]: config: loading user config
hidden boltd[3499]: bouncer: initializing polkit
hidden boltd[3499]: udev: initializing udev
hidden boltd[3499]: store: loading domains
hidden boltd[3499]: store: loading devices
hidden boltd[3499]: power: state located at: /run/boltd/power
hidden boltd[3499]: power: force power support: no
hidden boltd[3499]: udev: enumerating devices
hidden dbus-daemon[872]: [system] Successfully activated service 'org.freedesktop.bolt'
hidden systemd[1]: Started Thunderbolt system service.
hidden dbus-daemon[872]: [system] Successfully activated service 'org.freedesktop.fwupd'
hidden systemd[1]: Started Firmware update daemon.
hidden systemd-resolved[837]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
hidden systemd-resolved[837]: message repeated 5 times: [ Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.]
hidden gnome-shell[1751]: [AppIndicatorSupport-DEBUG] Registering StatusNotifierItem :1.105/org/ayatana/NotificationItem/software_update_available
hidden gnome-shell[1751]: [AppIndicatorSupport-FATAL] unable to update overlay icon
hidden gnome-shell[1751]: [AppIndicatorSupport-FATAL] unable to update overlay icon
hidden PackageKit: refresh-cache transaction /3129_eaecacde from uid 1000 finished with success after 12792ms
hidden sudo: pam_ecryptfs: pam_sm_authenticate: /home/hidden is already mounted
hidden gnome-software[3460]: g_path_get_basename: assertion 'file_name != NULL' failed
hidden gnome-software[3460]: g_regex_match_full: assertion 'string != NULL' failed
hidden gnome-software[3460]: g_path_get_basename: assertion 'file_name != NULL' failed
hidden gnome-software[3460]: g_regex_match_full: assertion 'string != NULL' failed
hidden gnome-software[3460]: not GsPlugin error g-io-error-quark:35: Invalid string value converting to GVariant
hidden gnome-software[3460]: not handling error failed for action refine: Invalid string value converting to GVariant
hidden PackageKit: resolve transaction /3130_bddeccae from uid 1000 finished with success after 1842ms
hidden PackageKit: resolve transaction /3131_eedbdbed from uid 1000 finished with success after 364ms
hidden PackageKit: search-file transaction /3132_aececcba from uid 1000 finished with success after 1402ms
hidden PackageKit: search-file transaction /3133_bddabebe from uid 1000 finished with success after 473ms
hidden PackageKit: search-file transaction /3134_ecaacead from uid 1000 finished with success after 441ms
hidden PackageKit: search-file transaction /3135_bdedbdac from uid 1000 finished with success after 419ms
hidden PackageKit: search-file transaction /3136_aeecdcae from uid 1000 finished with success after 440ms
hidden PackageKit: search-file transaction /3137_eabbbcba from uid 1000 finished with success after 449ms
hidden PackageKit: search-file transaction /3138_bbbdddca from uid 1000 finished with success after 464ms
hidden NetworkManager[873]: <info>  [1574535815.0927] audit: op="connection-activate" uuid="147f9a0d-9b02-4cc9-8942-b4e5b4061110" name="center 2m main office" pid=1751 uid=1000 result="success"
hidden NetworkManager[873]: <info>  [1574535815.0965] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: Saw the service appear; activating connection
hidden NetworkManager[873]: <info>  [1574535815.1410] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN connection: (ConnectInteractive) reply received
hidden systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
hidden whack[4248]: 002 shutting down
hidden PackageKit: search-file transaction /3139_bdeeeabd from uid 1000 finished with success after 463ms
hidden ipsec[4251]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden libipsecconf[4253]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden systemd[1]: ipsec.service: Succeeded.
hidden systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
hidden systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
hidden addconn[4257]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden libipsecconf[4257]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden _stackmanager[4261]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden libipsecconf[4271]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden _stackmanager[4261]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden libipsecconf[4280]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden ipsec[4563]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden libipsecconf[4565]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden ipsec[4563]: nflog ipsec capture disabled
hidden systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
hidden libipsecconf[4584]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
hidden PackageKit: search-file transaction /3140_cdbdbeab from uid 1000 finished with success after 441ms
hidden NetworkManager[873]: <info>  [1574535815.8584] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN plugin: state changed: starting (3)
hidden PackageKit: search-file transaction /3141_cbccdeba from uid 1000 finished with success after 464ms
hidden PackageKit: search-file transaction /3142_eebdcacd from uid 1000 finished with success after 438ms
hidden pppd[4639]: Plugin pppol2tp.so loaded.
hidden pppd[4639]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] initializing
hidden pppd[4639]: pppd 2.4.7 started by hidden, uid 0
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] phasechange: status 3 / phase 'serial connection'
hidden pppd[4639]: using channel 2
hidden pppd[4639]: Using interface ppp0
hidden pppd[4639]: Connect: ppp0 <--> 
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] phasechange: status 5 / phase 'establish'
hidden pppd[4639]: Overriding mtu 1500 to 1400
hidden pppd[4639]: PPPoL2TP options: debugmask 0
hidden pppd[4639]: Overriding mru 1500 to mtu value 1400
hidden pppd[4639]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x59575e93>]
hidden systemd-udevd[4264]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
hidden NetworkManager[873]: <info>  [1574535816.8802] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/6)
hidden pppd[4639]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
hidden pppd[4639]: sent [LCP ConfReq id=0x2 <mru 1400> <magic 0x59575e93>]
hidden pppd[4639]: rcvd [LCP ConfAck id=0x2 <mru 1400> <magic 0x59575e93>]
hidden pppd[4639]: rcvd [LCP ConfReq id=0x1 <mru 1376> <auth chap MS-v2> <magic 0x4b7d3524>]
hidden pppd[4639]: sent [LCP ConfAck id=0x1 <mru 1376> <auth chap MS-v2> <magic 0x4b7d3524>]
hidden pppd[4639]: PPPoL2TP options: debugmask 0
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] phasechange: status 6 / phase 'authenticate'
hidden pppd[4639]: rcvd [CHAP Challenge id=0x59 <fcd548a7fa533fed9f33e24612ed30a0>, name = ""]
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] passwd-hook: requesting credentials...
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] passwd-hook: got credentials from NetworkManager-l2tp
hidden pppd[4639]: added response cache entry 0
hidden pppd[4639]: sent [CHAP Response id=0x59 <7a3e0b0bd07fec4c3799652ebef1220300000000000000005c897ac951604c4552b230b21a63b04c6712c8c5f454f4e800>, name = "mpashkin"]
hidden pppd[4639]: rcvd [CHAP Failure id=0x59 "E=691 R=0"]
hidden pppd[4639]: MS-CHAP authentication failed: E=691 Authentication failure
hidden pppd[4639]: CHAP authentication failed
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] phasechange: status 10 / phase 'terminate'
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] phasechange: status 5 / phase 'establish'
hidden pppd[4639]: Overriding mtu 1500 to 1400
hidden pppd[4639]: PPPoL2TP options: debugmask 0
hidden pppd[4639]: Overriding mru 1500 to mtu value 1400
hidden pppd[4639]: sent [LCP TermReq id=0x3 "Failed to authenticate ourselves to peer"]
hidden pppd[4639]: rcvd [LCP TermReq id=0x2]
hidden pppd[4639]: sent [LCP TermAck id=0x2]
hidden pppd[4639]: rcvd [LCP TermAck id=0x3]
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] phasechange: status 11 / phase 'disconnect'
hidden pppd[4639]: Connection terminated.
hidden NetworkManager[873]: <warn>  [1574535817.0972] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN plugin: failed: connect-failed (1)
hidden NetworkManager[873]: <info>  [1574535817.0972] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN plugin: state changed: stopping (5)
hidden gnome-shell[1751]: Removing a network device that was not added
hidden NetworkManager[873]: <info>  [1574535817.1129] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN plugin: state changed: stopped (6)
hidden NetworkManager[873]: <warn>  [1574535817.1208] vpn-connection[0x562220a064e0,147f9a0d-9b02-4cc9-8942-b4e5b4061110,"center 2m main office",0]: VPN plugin: failed: connect-failed (1)
hidden PackageKit: search-file transaction /3143_acddcbda from uid 1000 finished with success after 436ms
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] phasechange: status 1 / phase 'dead'
hidden pppd[4639]: nm-l2tp[4198] <info>  [helper-4639] exit: cleaning up
hidden pppd[4639]: Exit.
hidden PackageKit: search-file transaction /3144_beeddebe from uid 1000 finished with success after 457ms
hidden PackageKit: search-file transaction /3145_deeddeec from uid 1000 finished with success after 422ms
hidden PackageKit: search-file transaction /3146_cceaccda from uid 1000 finished with success after 450ms
hidden gnome-software[3460]: Failed to find one package for libinput-gestures.desktop, /usr/share/applications/libinput-gestures.desktop, [0]
hidden PackageKit: get-details transaction /3147_cdcacddd from uid 1000 finished with success after 386ms
hidden gnome-software[3460]: Failed to load snap icon: local snap has no icon
hidden gnome-software[3460]: message repeated 4 times: [ Failed to load snap icon: local snap has no icon]
hidden systemd-resolved[837]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
hidden@hidden:~$ sudo /usr/lib/NetworkManager/nm-l2tp-service --debug
nm-l2tp[4198] <debug> nm-l2tp-service (version 1.2.16) starting...
nm-l2tp[4198] <debug>  uses default --bus-name "org.freedesktop.NetworkManager.l2tp"
nm-l2tp[4198] <info>  ipsec enable flag: yes
** Message: 22:03:35.143: Check port 1701
** Message: 22:03:35.143: Can't bind to port 1701
nm-l2tp[4198] <warn>  L2TP port 1701 is busy, using ephemeral.
ipv6
    address-data : []
    dns : []
    dns-search : []
    method : 'auto'
    route-data : []

ipv4
    address-data : []
    dns : []
    dns-search : []
    method : 'auto'
    route-data : []

connection
    autoconnect : false
    id : 'hidden'
    permissions : ['user:hidden:']
    timestamp : 1563201201
    type : 'vpn'
    uuid : '147f9a0d-9b02-4cc9-8942-b4e5b4061110'

proxy

vpn
    data : {'gateway': 'xx.xx.xx.xx', 'ipsec-enabled': 'yes', 'ipsec-esp': '3des-sha1', 'ipsec-ike': '3des-sha1;modp1024', 'ipsec-psk': '******', 'password-flags': '1', 'user': 'hidden'}
    secrets : {'password': '******'}
    service-type : 'org.freedesktop.NetworkManager.l2tp'
    user-name : 'hidden'

nm-l2tp[4198] <info>  starting ipsec
Redirecting to: systemctl restart ipsec.service
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
opening file: /run/nm-l2tp-147f9a0d-9b02-4cc9-8942-b4e5b4061110/ipsec.conf
debugging mode enabled
end of file /run/nm-l2tp-147f9a0d-9b02-4cc9-8942-b4e5b4061110/ipsec.conf
Loading conn 147f9a0d-9b02-4cc9-8942-b4e5b4061110
starter: left is KH_DEFAULTROUTE
loading named conns: 147f9a0d-9b02-4cc9-8942-b4e5b4061110
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst  via xx.xx.xx.xx dev wlp2s0 src  table 254
set nexthop: xx.xx.xx.xx
dst xx.xx.xx.xx via  dev wlp2s0 src  table 254
dst xx.xx.xx.xx via  dev wlp2s0 src xx.xx.xx.xx table 254
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
dst xx.xx.xx.xx via  dev wlp2s0 src xx.xx.xx.xx table 255 (ignored)
dst xx.xx.xx.xx via  dev wlp2s0 src xx.xx.xx.xx table 255 (ignored)
dst xx.xx.xx.xx via  dev wlp2s0 src xx.xx.xx.xx table 255 (ignored)

seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst xx.xx.xx.xx via  dev wlp2s0 src xx.xx.xx.xx table 254
set addr: xx.xx.xx.xx

seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" modecfgdns=<unset>
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" modecfgdomains=<unset>
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" modecfgbanner=<unset>
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" mark=<unset>
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" mark-in=<unset>
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" mark-out=<unset>
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" vti_iface=<unset>
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" redirect-to=<unset>
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" accept-redirect-to=<unset>
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" esp=3des-sha1
conn: "147f9a0d-9b02-4cc9-8942-b4e5b4061110" ike=3des-sha1;modp1024
002 added connection description "147f9a0d-9b02-4cc9-8942-b4e5b4061110"
nm-l2tp[4198] <info>  Spawned ipsec auto --up script with PID 4591.
002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: initiating Main Mode
104 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: STATE_MAIN_I1: initiate
003 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: ignoring unknown Vendor ID payload [f758f22668750f03b08df6ebe1d00300]
106 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: Peer ID is ID_IPV4_ADDR: 'xx.xx.xx.xx'
004 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1024}
002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:9eb98aa5 proposal=3DES_CBC-HMAC_SHA1_96 pfsgroup=MODP1024}
117 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: STATE_QUICK_I1: initiate
003 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=9eb98aa5, length=28
003 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: NAT-Traversal: received 2 NAT-OA. Ignored because peer is not NATed
004 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x453de9b3 <0x30c93373 xfrm=3DES_CBC-HMAC_SHA1_96 NATOA=none NATD=xx.xx.xx.xx:4500 DPD=passive}
nm-l2tp[4198] <info>  Libreswan IPsec tunnel is up.
** Message: 22:03:35.857: xl2tpd started with pid 4607
xl2tpd[4607]: Not looking for kernel SAref support.
xl2tpd[4607]: Using l2tp kernel support.
xl2tpd[4607]: xl2tpd version xl2tpd-1.3.12 started on hidden PID:4607
xl2tpd[4607]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[4607]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[4607]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[4607]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[4607]: Listening on IP address 0.0.0.0, port 43162
xl2tpd[4607]: get_call: allocating new tunnel for host xx.xx.xx.xx, port 1701.
xl2tpd[4607]: Connecting to host xx.xx.xx.xx, port 1701
xl2tpd[4607]: control_finish: message type is (null)(0).  Tunnel is 0, call is 0.
xl2tpd[4607]: control_finish: sending SCCRQ
xl2tpd[4607]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
xl2tpd[4607]: protocol_version_avp: peer is using version 1, revision 0.
xl2tpd[4607]: framing_caps_avp: supported peer frames: sync
xl2tpd[4607]: hostname_avp: peer reports hostname 'N/A'
xl2tpd[4607]: assigned_tunnel_avp: using peer's tunnel 58851
xl2tpd[4607]: control_finish: message type is Start-Control-Connection-Reply(2).  Tunnel is 58851, call is 0.
xl2tpd[4607]: control_finish: sending SCCCN
xl2tpd[4607]: Connection established to xx.xx.xx.xx, 1701.  Local: 51260, Remote: 58851 (ref=0/0).
xl2tpd[4607]: Calling on tunnel 51260
xl2tpd[4607]: control_finish: message type is (null)(0).  Tunnel is 58851, call is 0.
xl2tpd[4607]: control_finish: sending ICRQ
xl2tpd[4607]: message_type_avp: message type 11 (Incoming-Call-Reply)
xl2tpd[4607]: assigned_call_avp: using peer's call 1
xl2tpd[4607]: control_finish: message type is Incoming-Call-Reply(11).  Tunnel is 58851, call is 1.
xl2tpd[4607]: control_finish: Sending ICCN
xl2tpd[4607]: Call established with xx.xx.xx.xx, Local: 3428, Remote: 1, Serial: 1 (ref=0/0)
xl2tpd[4607]: start_pppd: I'm running: 
xl2tpd[4607]: "/usr/sbin/pppd" 
xl2tpd[4607]: "plugin" 
xl2tpd[4607]: "pppol2tp.so" 
xl2tpd[4607]: "pppol2tp" 
xl2tpd[4607]: "7" 
xl2tpd[4607]: "passive" 
xl2tpd[4607]: "nodetach" 
xl2tpd[4607]: ":" 
xl2tpd[4607]: "debug" 
xl2tpd[4607]: "file" 
xl2tpd[4607]: "/run/nm-l2tp-147f9a0d-9b02-4cc9-8942-b4e5b4061110/ppp-options" 
xl2tpd[4607]: message_type_avp: message type 14 (Call-Disconnect-Notify)
xl2tpd[4607]: result_code_avp: peer closing for reason 2 (General error--Error Code indicates the problem), error = 0 ()
xl2tpd[4607]: assigned_call_avp: using peer's call 1
xl2tpd[4607]: control_finish: message type is Call-Disconnect-Notify(14).  Tunnel is 58851, call is 1.
xl2tpd[4607]: control_finish: Connection closed to xx.xx.xx.xx, serial 1 ()
xl2tpd[4607]: Terminating pppd: sending TERM signal to pid 4639
nm-l2tp[4198] <info>  Terminated xl2tpd daemon with PID 4607.
xl2tpd[4607]: death_handler: Fatal signal 15 received
xl2tpd[4607]: Connection 58851 closed to xx.xx.xx.xx, port 1701 (Server closing)
002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110": terminating SAs using this connection
002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: deleting state (STATE_QUICK_I2) aged 1.364s and sending notification
005 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #2: ESP traffic information: in=435B out=721B
002 "147f9a0d-9b02-4cc9-8942-b4e5b4061110" #1: deleting state (STATE_MAIN_I4) aged 1.493s and sending notification

答案1

我认为问题如下:

002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-147f9a0d-9b02-4cc9-8942-b4e5b4061110.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-6a6bdfbd-3ad5-4b01-82cd-a32cd48d067f.secrets"
002 loading secrets from "/etc/ipsec.d/nm-l2tp-ipsec-88936113-b02d-48b7-a98e-04758a426172.secrets"

我会删除这些 nm-l2tp-ipsec-*.secrets 文件,因为它们没有被清理,很可能是因为相应的 VPN 连接被不当关闭。我猜你没有使用Gateway ID符合这些 nm-l2tp-ipsec-*.secrets 文件中的 PSK 的,所以 strongswan 可能选择了在最后一个 nm-l2tp-ipsec-*.secrets 文件中找到的错误 PSK。

另一种方法是从以下页面的 PPA 将 network-manager-l2tp 1.2.10 升级到版本 1.2.16。新版本不再对不同的 VPN 连接使用不同的 nm-l2tp-ipsec-*.secrets 文件,并且新软件包会删除早期版本中任何杂散的 nm-l2tp-ipsec-*.secrets 文件:

使用版本 1.2.16,您还可以删除第 1 阶段和第 2 阶段算法,因为它现在使用 Windows 10 和 macOS/iOS/iPadOS L2TP/IPsec 客户端的 IKEv1 提案的合并作为其默认提案(而不是 strongswan 默认提案集)。Win10 和 iOS 不通用的最弱提案被删除,但所有最强的提案都被保留。

相关内容