Ubuntu 20.04 L2TP VPN connection does not work

I am trying to connect my Ubuntu 20.04 installation to the company VPN. The VPN is based on a SOPHOS firewall. According to the details provided by the IT department, we are supposed to use an L2TP connection with IPsec and a pre-shared key. Following every manual I found on the web, the standard configuration does not work at all. I reported the problem to IT and they did some tests. It turned out that they could not connect an Ubuntu installation, but they connected CentOS 8 without any problem. They will not do any more tests. My other colleagues and I are the only ones working on Linux. So I spent some time trying to figure out the cause.

I installed CentOS on a virtual machine and tried to connect to the company VPN. A fresh installation does not have all the required packages. I installed the missing packages:

NetworkManager-l2tp.x86_64                         1.8.6-5.el8        @epel
NetworkManager-l2tp-gnome.x86_64                   1.8.6-5.el8        @epel
libreswan.x86_64                                   3.32-7.el8_3       @appstream
nss-tools.x86_64                                   3.53.1-17.el8_3    @appstream
ppp.x86_64                                         2.4.7-26.el8_1     @baseos
strongswan.x86_64                                  5.9.1-1.el8        @epel
unbound-libs.x86_64                                1.7.3-14.el8       @appstream
xl2tpd.x86_64                                      1.3.15-1.el8       @epel 

After installing the packages above, the VPN connected without any problem. I checked what is installed by default in Ubuntu. The difference is that libreswan and strongswan cannot be installed at the same time in Ubuntu. I read on the internet that this could be a problem with strongswan (the default in Ubuntu). I removed strongswan and installed libreswan. Same effect, the connection does not work. For testing purposes I set up the same type of VPN server on my NAS at home. The default Ubuntu installation works fine with it. When I changed to libreswan, the connection to that VPN no longer worked. I think it is worth saying that I could not create a VPN link to my home server with CentOS.

For testing, I compiled libreswan from source to make sure the latest version was used.

System log when trying to connect to the office VPN:

May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9585] audit: op="connection-activate" uuid="ac38efb7-59d6-4dcb-98bf-bf0145318677" name="CC-OFFICE" pid=2968 uid=1000 result="success"
May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9618] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: Started the VPN service, PID 24875
May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9676] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: Saw the service appear; activating connection
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Unhandled VPN connection state change:  2
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: virtual NMVariantMapMap SecretAgent::GetSecrets(const NMVariantMapMap&, const QDBusObjectPath&, const QString&, const QStringList&, uint)
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Path: "/org/freedesktop/NetworkManager/Settings/4"
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Setting name: "vpn"
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Hints: ()
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Flags: 4
May  1 14:52:35 T480-SA kded5[2876]: plasma-nm: Unhandled VPN connection state change:  3
May  1 14:52:35 T480-SA NetworkManager[1240]: <info>  [1619873555.9841] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN connection: (ConnectInteractive) reply received
May  1 14:52:35 T480-SA nm-l2tp-service[24875]: Check port 1701
May  1 14:52:35 T480-SA nm-l2tp-service[24875]: Can't bind to port 1701
May  1 14:52:35 T480-SA NetworkManager[24889]: Stopping strongSwan IPsec failed: starter is not running
May  1 14:52:38 T480-SA NetworkManager[24886]: Starting strongSwan 5.8.2 IPsec [starter]...
May  1 14:52:38 T480-SA NetworkManager[24886]: Loading config setup
May  1 14:52:38 T480-SA NetworkManager[24886]: Loading conn 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:38 T480-SA charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.8.0-50-generic, x86_64)
May  1 14:52:38 T480-SA charon: 00[CFG] PKCS11 module '<name>' lacks library path
May  1 14:52:38 T480-SA charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May  1 14:52:38 T480-SA charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May  1 14:52:38 T480-SA charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May  1 14:52:38 T480-SA charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
May  1 14:52:38 T480-SA charon: 00[CFG]   loaded IKE secret for %any
May  1 14:52:38 T480-SA charon: 00[CFG] loaded 0 RADIUS server configurations
May  1 14:52:38 T480-SA charon: 00[CFG] HA config misses local/remote address
May  1 14:52:38 T480-SA charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May  1 14:52:38 T480-SA charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
May  1 14:52:38 T480-SA charon: 00[JOB] spawning 16 worker threads
May  1 14:52:38 T480-SA charon: 06[CFG] received stroke: add connection 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:38 T480-SA charon: 06[CFG] added configuration 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:39 T480-SA charon: 09[CFG] rereading secrets
May  1 14:52:39 T480-SA charon: 09[CFG] loading secrets from '/etc/ipsec.secrets'
May  1 14:52:39 T480-SA charon: 09[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
May  1 14:52:39 T480-SA charon: 09[CFG]   loaded IKE secret for %any
May  1 14:52:39 T480-SA charon: 10[CFG] received stroke: initiate 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May  1 14:52:39 T480-SA charon: 12[IKE] initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May  1 14:52:39 T480-SA charon: 12[ENC] generating ID_PROT request 0 [ SA V V V V V ]
May  1 14:52:39 T480-SA charon: 12[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:43 T480-SA charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 1
May  1 14:52:43 T480-SA charon: 16[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:44 T480-SA akonadi_davgroupware_resource[3335]: org.kde.pim.davresource: Error when uploading item: 420 "There was a problem with the request. The item was not modified on the server.\nCould not connect to host localhost: Connection refused. (0)."
May  1 14:52:44 T480-SA akonadi_davgroupware_resource[3335]: org.kde.pim.davresource: Error when uploading item: 420 "There was a problem with the request. The item was not modified on the server.\nCould not connect to host localhost: Connection refused. (0)."
May  1 14:52:49 T480-SA NetworkManager[24963]: Stopping strongSwan IPsec...
May  1 14:52:49 T480-SA NetworkManager[24934]: initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May  1 14:52:49 T480-SA NetworkManager[24934]: generating ID_PROT request 0 [ SA V V V V V ]
May  1 14:52:49 T480-SA NetworkManager[24934]: sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:49 T480-SA NetworkManager[24934]: sending retransmit 1 of request message ID 0, seq 1
May  1 14:52:49 T480-SA NetworkManager[24934]: sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May  1 14:52:49 T480-SA NetworkManager[24934]: destroying IKE_SA in state CONNECTING without notification
May  1 14:52:49 T480-SA NetworkManager[24934]: establishing connection 'ac38efb7-59d6-4dcb-98bf-bf0145318677' failed
May  1 14:52:49 T480-SA charon: 00[DMN] signal of type SIGINT received. Shutting down
May  1 14:52:49 T480-SA charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
May  1 14:52:49 T480-SA nm-l2tp-service[24875]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
May  1 14:52:49 T480-SA NetworkManager[1240]: <info>  [1619873569.1349] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN plugin: state changed: stopped (6)
May  1 14:52:49 T480-SA NetworkManager[1240]: <info>  [1619873569.1382] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN service disappeared
May  1 14:52:49 T480-SA NetworkManager[1240]: <warn>  [1619873569.1393] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

Thanks in advance for any suggestions on how to solve this.

Answer 1

Could you install the newer network-manager-l2tp 1.8.6 from the following page:

Since you are using KDE plasma-nm, there is no need to install the network-manager-l2tp-gnome package.

In the IPsec settings, please do not fill in the phase 1 and phase 2 algorithms, leave them blank. In the log above, strongswan's charon is currently failing at Main Mode (i.e. phase 1).

But it looks like it cannot even contact the VPN server and get a response. If network-manager-l2tp's 10 second timeout for establishing the IPsec connection is exceeded, it kills (i.e. sends SIGINT to) the /usr/sbin/ipsec process.

Could you install the ike-scan package and run the following ike-scan.sh script:

Run the following to confirm whether you can reach the VPN server (address 123.54.76.9) from Ubuntu:

sudo ipsec stop
sudo ./ike-scan.sh 123.54.76.9 | grep SA=

You mentioned that you compiled libreswan, but the log above seems to indicate that strongswan is being used. If you want to use libreswan, I would stick with the older libreswan package that ships with Ubuntu 20.04, as it is more compatible than later versions (unless you build a newer version with the legacy build flags). Although libreswan and strongswan cannot be installed at the same time on Ubuntu, one replaces the other when you try to install the other, which is fine for network-manager-l2tp because it autodetects which one is in use when the VPN connection starts.

If strongswan is used with a Sophos VPN server, it has been reported that you need to disable the strongswan unity plugin:

Apparently the Sophos VPN server uses Libreswan, so in theory Libreswan should offer better compatibility if used on the client side.

Although it is not yet the issue in this case, CentOS does not run the system xl2tpd by default, but Ubuntu does; see the following on how to disable the system xl2tpd:
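The script below is an added example, not part of this answer and not code from network-manager-l2tp. It pulls together the three things the answer points at: the "Can't bind to port 1701" line (a system xl2tpd holding the port), the Main Mode proposal that is retransmitted without any "received packet" reply (so phase 1 never starts, and the IPsec algorithm settings are not yet the problem), and the SIGINT that nm-l2tp sends when its IPsec timeout expires. The log excerpt is constructed from the question's log with 203.0.113.5 standing in for the masked server address; `ike-scan` is called directly rather than through the ike-scan.sh script the answer refers to; and the unity plugin path is assumed to be the stock strongSwan location `/etc/strongswan.d/charon/unity.conf`.

```shell
#!/bin/sh
# Added example: triage an nm-l2tp/strongSwan syslog excerpt offline, then
# (only with --live) run the host checks the answer recommends.

# Constructed excerpt modelled on the log in the question; 203.0.113.5 is a
# documentation address standing in for the masked VPN server.
SAMPLE_LOG='May  1 14:52:35 T480-SA nm-l2tp-service[24875]: Check port 1701
May  1 14:52:35 T480-SA nm-l2tp-service[24875]: Can'\''t bind to port 1701
May  1 14:52:39 T480-SA charon: 12[IKE] initiating Main Mode IKE_SA conn[1] to 203.0.113.5
May  1 14:52:39 T480-SA charon: 12[NET] sending packet: from 10.1.6.132[500] to 203.0.113.5[500] (532 bytes)
May  1 14:52:43 T480-SA charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 1
May  1 14:52:49 T480-SA charon: 00[DMN] signal of type SIGINT received. Shutting down'

# Read a syslog excerpt on stdin and print the findings as one space-separated
# line. The order is fixed so callers can compare the string directly.
triage_l2tp_log() {
    log=$(cat)
    findings=""
    # nm-l2tp could not take UDP/1701: another L2TP daemon (on Ubuntu the
    # distro's xl2tpd service) is already bound to it.
    if printf '%s\n' "$log" | grep -q "Can't bind to port 1701"; then
        findings="${findings}PORT_1701_IN_USE "
    fi
    # charon retransmitted the Main Mode proposal and never logged a reply
    # ("received packet: from ..."): the failure is before any algorithm
    # negotiation, so UDP/500 is not reaching the peer or the peer is silent.
    if printf '%s\n' "$log" | grep -q 'sending retransmit' &&
       ! printf '%s\n' "$log" | grep -q 'received packet'; then
        findings="${findings}IKE_NO_REPLY "
    fi
    # nm-l2tp's IPsec timeout expired and it sent SIGINT to the ipsec process.
    if printf '%s\n' "$log" | grep -q 'SIGINT received'; then
        findings="${findings}IPSEC_KILLED_BY_TIMEOUT "
    fi
    printf '%s\n' "${findings% }"
}

# Map a finding to the next step a practitioner should take.
explain_finding() {
    case "$1" in
        PORT_1701_IN_USE)
            echo "stop the system xl2tpd so nm-l2tp can bind UDP/1701: sudo systemctl disable --now xl2tpd" ;;
        IKE_NO_REPLY)
            echo "no ISAKMP reply on UDP/500: confirm reachability with ike-scan before touching IPsec algorithms" ;;
        IPSEC_KILLED_BY_TIMEOUT)
            echo "consequence of the missing IKE reply, not a separate fault" ;;
        *)
            echo "unknown finding: $1"; return 1 ;;
    esac
}

# Live checks for a real host (needs ss, systemctl, ike-scan and sudo).
live_checks() {
    server="$1"
    echo "== listeners on UDP/1701 (should be empty before nm-l2tp starts) =="
    ss -lunp | grep ':1701 ' || echo "UDP/1701 is free"
    echo "== system xl2tpd unit =="
    systemctl is-active xl2tpd || true
    echo "== IKE probe (ipsec must be stopped so ike-scan can bind UDP/500) =="
    sudo ipsec stop
    sudo ike-scan "$server" | grep 'SA=' || echo "no Main Mode handshake returned by $server"
}

# Sophos workaround from the answer: turn off strongSwan's unity plugin.
# The config path is assumed to be the stock strongSwan plugin location.
disable_unity_plugin() {
    sudo sed -i 's/^\([[:space:]]*load[[:space:]]*=[[:space:]]*\)yes/\1no/' \
        /etc/strongswan.d/charon/unity.conf
}

# Offline run over the constructed excerpt.
for f in $(printf '%s\n' "$SAMPLE_LOG" | triage_l2tp_log); do
    printf '%s: %s\n' "$f" "$(explain_finding "$f")"
done

# ./l2tp-triage.sh --live 203.0.113.5   also runs the host checks.
if [ "${1:-}" = "--live" ]; then
    live_checks "${2:?usage: $0 --live <vpn-server-ip>}"
fi
```

Run it without arguments to see the three findings from the constructed excerpt; pipe your own `journalctl -u NetworkManager` output into `triage_l2tp_log` to classify a real attempt. The ordering of the checks matters: a busy UDP/1701 and a silent UDP/500 are both fixed before the phase 1 and phase 2 algorithm fields become relevant, which is why the answer asks for them to be left blank for now.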
