My company gave me an IP address, username, password and pre-shared key so I can connect to the VPN using L2TP.
My workstation: Fedora 32 + Gnome.
Installed the xl2tpd, NetworkManager-l2tp, NetworkManager-l2tp-gnome and ike-scan packages.
Enabled the L2TP kernel modules by commenting out the blacklist lines in the modprobe files /etc/modprobe.d/l2tp_ppp-blacklist.conf and /etc/modprobe.d/l2tp_netlink-blacklist.conf.
Rebooted. Created the VPN connection from Gnome Settings. Didn't work. Got this in the log: NO_PROPOSAL_CHOSEN
Found that I was missing the Phase1 and Phase2 algorithm configuration in the connection.
Ran a script mentioned here to query the VPN server for its IKEv1 algorithm proposals. Got this output:
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
Based on the output above, used these as the Phase1 and Phase2 algorithms respectively:
3des-sha1-modp1024,3des-md5-modp1024
aes256-sha1,aes128-sha1,3des-sha1,3des-md5
Still doesn't work. Got this from the journalctl log:
Jun 29 19:19:40 localhost.localdomain NetworkManager[829]: <info> [1593438580.8130] audit: op="connection-activate" uuid="4dd9b863-c9f3-4c0a-9f41-240078fa51d1" name="RMP" pid=6295 uid=1000 result="success"
Jun 29 19:19:40 localhost.localdomain NetworkManager[829]: <info> [1593438580.8190] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: Started the VPN service, PID 6406
Jun 29 19:19:40 localhost.localdomain NetworkManager[829]: <info> [1593438580.8288] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: Saw the service appear; activating connection
Jun 29 19:19:40 localhost.localdomain NetworkManager[829]: <info> [1593438580.8839] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN connection: (ConnectInteractive) reply received
Jun 29 19:19:40 localhost.localdomain nm-l2tp-service[6406]: Check port 1701
Jun 29 19:19:40 localhost.localdomain NetworkManager[6417]: whack: Pluto is not running (no "/run/pluto/pluto.ctl")
Jun 29 19:19:40 localhost.localdomain NetworkManager[6420]: Redirecting to: systemctl restart ipsec.service
Jun 29 19:19:41 localhost.localdomain NetworkManager[6705]: 002 listening for IKE messages
Jun 29 19:19:41 localhost.localdomain NetworkManager[6705]: 002 forgetting secrets
Jun 29 19:19:41 localhost.localdomain NetworkManager[6705]: 002 loading secrets from "/etc/ipsec.secrets"
Jun 29 19:19:41 localhost.localdomain NetworkManager[6705]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: debugging mode enabled
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: end of file /var/run/nm-l2tp-4dd9b863-c9f3-4c0a-9f41-240078fa51d1/ipsec.conf
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: Loading conn 4dd9b863-c9f3-4c0a-9f41-240078fa51d1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: starter: left is KH_DEFAULTROUTE
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" modecfgdns=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" modecfgdomains=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" modecfgbanner=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" mark=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" mark-in=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" mark-out=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" vti_iface=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" redirect-to=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" accept-redirect-to=<unset>
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" esp=aes256-sha1,aes128-sha1,3des-sha1,3des-md5
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: conn: "4dd9b863-c9f3-4c0a-9f41-240078fa51d1" ike=3des-sha1-modp1024,3des-md5-modp1024
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: opening file: /var/run/nm-l2tp-4dd9b863-c9f3-4c0a-9f41-240078fa51d1/ipsec.conf
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: loading named conns: 4dd9b863-c9f3-4c0a-9f41-240078fa51d1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: seeking_src = 1, seeking_gateway = 1, has_peer = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst via 192.168.0.1 dev wlp3s0 src table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: set nexthop: 192.168.0.1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.0.0 via dev wlp3s0 src 192.168.0.107 table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.122.0 via dev virbr0 src 192.168.122.1 table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.0.0 via dev wlp3s0 src 192.168.0.107 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.0.107 via dev wlp3s0 src 192.168.0.107 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.0.255 via dev wlp3s0 src 192.168.0.107 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.122.0 via dev virbr0 src 192.168.122.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.122.1 via dev virbr0 src 192.168.122.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.122.255 via dev virbr0 src 192.168.122.1 table 255 (ignored)
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: seeking_src = 1, seeking_gateway = 0, has_peer = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: dst 192.168.0.1 via dev wlp3s0 src 192.168.0.107 table 254
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: set addr: 192.168.0.107
Jun 29 19:19:41 localhost.localdomain NetworkManager[6709]: seeking_src = 0, seeking_gateway = 0, has_peer = 1
Jun 29 19:19:41 localhost.localdomain nm-l2tp-service[6406]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Jun 29 19:19:41 localhost.localdomain NetworkManager[829]: <info> [1593438581.3082] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN plugin: state changed: stopped (6)
Jun 29 19:19:41 localhost.localdomain NetworkManager[829]: <info> [1593438581.3107] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN service disappeared
Jun 29 19:19:41 localhost.localdomain NetworkManager[829]: <warn> [1593438581.3118] vpn-connection[0x56139c388540,4dd9b863-c9f3-4c0a-9f41-240078fa51d1,"RMP",0]: VPN connection: failed to connect: 'Remote peer disconnected'
I don't understand what I'm doing wrong here. Any help solving this would be greatly appreciated! I need to connect to the VPN as soon as possible to get on with work. The same connection properties work in Windows without any problem. I didn't even have to configure any decryption algorithms. It worked out of the box.
In that case my company wants me to use Windows, but I can't stand that OS. It freezes my machine out of nowhere and thrashes my hard disk nonstop.
Please help me connect to the VPN.
Answer 1
libreswan >= 3.30 no longer supports the DH group modp1024 by default. I don't know why you didn't get a libreswan error saying the algorithm "modp1024" is not supported. See:
With NetworkManager-l2tp >= 1.2.16 you don't need to enter Phase 1 and Phase 2 algorithms, because it overrides the default libreswan or strongswan proposals and uses a combination of the Win10 and iOS algorithms (minus modp1024 if it detects that libreswan is in use).
I would try removing the Phase 1 and Phase 2 algorithms and switching from libreswan to strongswan, which can be done by installing strongswan and uninstalling libreswan (or, at the very least, add an exclamation mark at the end of the Phase 1 and Phase 2 lines when using strongswan):
sudo dnf install strongswan
sudo rpm -e libreswan
Not sure, but there may have been some SELinux issues with NetworkManager, strongswan and Fedora 32, although those may be fixed by now.
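The following is an added example, not code from the question, the answer or the NetworkManager-l2tp project. It parses ike-scan SA lines like the ones the asker posted into a libreswan/strongswan Phase 1 (ike=) string and then flags the two points the answer raises: modp1024 being rejected by default in libreswan >= 3.30, and strongswan needing a trailing "!" to offer only the listed proposals. The KeyLength attribute used for AES key sizes is an assumption about ike-scan's output format.

```python
import re

# Constructed sample input: the four SA lines the asker got back from ike-scan.
IKE_SCAN_OUTPUT = """\
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
"""

SA_RE = re.compile(r"SA=\(([^)]*)\)")


def parse_sa_lines(text):
    """Parse each 'SA=(k=v k=v ...)' line into a dict of its attributes."""
    return [dict(kv.split("=", 1) for kv in body.split()) for body in SA_RE.findall(text)]


def to_proposal(sa):
    """Render one parsed SA as an 'enc-hash-group' token in *swan notation.

    Assumption: ike-scan reports AES key sizes in a separate KeyLength attribute;
    3DES carries no key length, so the token stays '3des'.
    """
    enc = sa["Enc"].lower()
    if "KeyLength" in sa:
        enc += sa["KeyLength"]              # e.g. aes256
    group = sa["Group"].split(":", 1)[1]    # '2:modp1024' -> 'modp1024'
    return f"{enc}-{sa['Hash'].lower()}-{group}"


def phase1_string(text, auth="PSK"):
    """Comma-separated Phase 1 list, deduplicated, limited to one auth method."""
    seen = []
    for sa in parse_sa_lines(text):
        token = to_proposal(sa)
        if sa.get("Auth") == auth and token not in seen:
            seen.append(token)
    return ",".join(seen)


def check_phase1(ike, libreswan_version=(3, 30), strongswan=False):
    """Return the warnings a defender would raise about a Phase 1 list."""
    warnings = []
    tokens = ike.rstrip("!").split(",")
    if libreswan_version >= (3, 30) and any(t.endswith("-modp1024") for t in tokens):
        warnings.append("modp1024 is not accepted by default in libreswan >= 3.30")
    if any(t.startswith("3des-") or "-md5-" in t for t in tokens):
        warnings.append("3DES/MD5 are legacy algorithms; ask the VPN admin for AES/SHA2")
    if strongswan and not ike.endswith("!"):
        warnings.append("strongswan: append '!' so only these proposals are offered")
    return warnings
```

Run `phase1_string(IKE_SCAN_OUTPUT)` on the sample to get the PSK-only Phase 1 list, then pass it to `check_phase1` to see why the asker's configuration failed against libreswan.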