I am trying to connect my Ubuntu 20.04 installation to the company VPN. The VPN is based on a SOPHOS firewall. According to the details provided by the IT department, we should use an L2TP connection with IPsec and a pre-shared key. Following all the manuals I found on the web, the standard configuration does not work at all. I reported the problem to IT and they did some tests. It turned out that they could not connect an Ubuntu installation, but they connected CentOS 8 without any problems. They will not do any further tests. I and one other colleague are the only people working on Linux. So I spent some time trying to find the cause.
I installed CentOS in a virtual machine and tried to connect to the company VPN. A fresh installation does not have all the required packages. I installed the missing packages:
NetworkManager-l2tp.x86_64 1.8.6-5.el8 @epel
NetworkManager-l2tp-gnome.x86_64 1.8.6-5.el8 @epel
libreswan.x86_64 3.32-7.el8_3 @appstream
nss-tools.x86_64 3.53.1-17.el8_3 @appstream
ppp.x86_64 2.4.7-26.el8_1 @baseos
strongswan.x86_64 5.9.1-1.el8 @epel
unbound-libs.x86_64 1.7.3-14.el8 @appstream
xl2tpd.x86_64 1.3.15-1.el8 @epel
After installing the packages above, the VPN connected without any problems. I checked what is installed by default in Ubuntu. The difference is that libreswan and strongswan cannot be installed at the same time in Ubuntu. I read on the internet that this may be a problem with strongswan (the default in Ubuntu). I removed strongswan and installed libreswan. Same effect, the connection does not work. For testing purposes I set up the same type of VPN server on my NAS at home. The default Ubuntu installation works fine with it. When I changed to libreswan, the connection to that VPN no longer worked. I think it is worth mentioning that I was not able to create a VPN link to my home server using CentOS.
For testing, I compiled libreswan from source to make sure the latest version was used.
System log when trying to connect to the office VPN:
May 1 14:52:35 T480-SA NetworkManager[1240]: <info> [1619873555.9585] audit: op="connection-activate" uuid="ac38efb7-59d6-4dcb-98bf-bf0145318677" name="CC-OFFICE" pid=2968 uid=1000 result="success"
May 1 14:52:35 T480-SA NetworkManager[1240]: <info> [1619873555.9618] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: Started the VPN service, PID 24875
May 1 14:52:35 T480-SA NetworkManager[1240]: <info> [1619873555.9676] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: Saw the service appear; activating connection
May 1 14:52:35 T480-SA kded5[2876]: plasma-nm: Unhandled VPN connection state change: 2
May 1 14:52:35 T480-SA kded5[2876]: plasma-nm: virtual NMVariantMapMap SecretAgent::GetSecrets(const NMVariantMapMap&, const QDBusObjectPath&, const QString&, const QStringList&, uint)
May 1 14:52:35 T480-SA kded5[2876]: plasma-nm: Path: "/org/freedesktop/NetworkManager/Settings/4"
May 1 14:52:35 T480-SA kded5[2876]: plasma-nm: Setting name: "vpn"
May 1 14:52:35 T480-SA kded5[2876]: plasma-nm: Hints: ()
May 1 14:52:35 T480-SA kded5[2876]: plasma-nm: Flags: 4
May 1 14:52:35 T480-SA kded5[2876]: plasma-nm: Unhandled VPN connection state change: 3
May 1 14:52:35 T480-SA NetworkManager[1240]: <info> [1619873555.9841] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN connection: (ConnectInteractive) reply received
May 1 14:52:35 T480-SA nm-l2tp-service[24875]: Check port 1701
May 1 14:52:35 T480-SA nm-l2tp-service[24875]: Can't bind to port 1701
May 1 14:52:35 T480-SA NetworkManager[24889]: Stopping strongSwan IPsec failed: starter is not running
May 1 14:52:38 T480-SA NetworkManager[24886]: Starting strongSwan 5.8.2 IPsec [starter]...
May 1 14:52:38 T480-SA NetworkManager[24886]: Loading config setup
May 1 14:52:38 T480-SA NetworkManager[24886]: Loading conn 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May 1 14:52:38 T480-SA charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.8.0-50-generic, x86_64)
May 1 14:52:38 T480-SA charon: 00[CFG] PKCS11 module '<name>' lacks library path
May 1 14:52:38 T480-SA charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 1 14:52:38 T480-SA charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 1 14:52:38 T480-SA charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 1 14:52:38 T480-SA charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 1 14:52:38 T480-SA charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 1 14:52:38 T480-SA charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 1 14:52:38 T480-SA charon: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
May 1 14:52:38 T480-SA charon: 00[CFG] loaded IKE secret for %any
May 1 14:52:38 T480-SA charon: 00[CFG] loaded 0 RADIUS server configurations
May 1 14:52:38 T480-SA charon: 00[CFG] HA config misses local/remote address
May 1 14:52:38 T480-SA charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 1 14:52:38 T480-SA charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 1 14:52:38 T480-SA charon: 00[JOB] spawning 16 worker threads
May 1 14:52:38 T480-SA charon: 06[CFG] received stroke: add connection 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May 1 14:52:38 T480-SA charon: 06[CFG] added configuration 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May 1 14:52:39 T480-SA charon: 09[CFG] rereading secrets
May 1 14:52:39 T480-SA charon: 09[CFG] loading secrets from '/etc/ipsec.secrets'
May 1 14:52:39 T480-SA charon: 09[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
May 1 14:52:39 T480-SA charon: 09[CFG] loaded IKE secret for %any
May 1 14:52:39 T480-SA charon: 10[CFG] received stroke: initiate 'ac38efb7-59d6-4dcb-98bf-bf0145318677'
May 1 14:52:39 T480-SA charon: 12[IKE] initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May 1 14:52:39 T480-SA charon: 12[ENC] generating ID_PROT request 0 [ SA V V V V V ]
May 1 14:52:39 T480-SA charon: 12[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May 1 14:52:43 T480-SA charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 1
May 1 14:52:43 T480-SA charon: 16[NET] sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May 1 14:52:44 T480-SA akonadi_davgroupware_resource[3335]: org.kde.pim.davresource: Error when uploading item: 420 "There was a problem with the request. The item was not modified on the server.\nCould not connect to host localhost: Connection refused. (0)."
May 1 14:52:44 T480-SA akonadi_davgroupware_resource[3335]: org.kde.pim.davresource: Error when uploading item: 420 "There was a problem with the request. The item was not modified on the server.\nCould not connect to host localhost: Connection refused. (0)."
May 1 14:52:49 T480-SA NetworkManager[24963]: Stopping strongSwan IPsec...
May 1 14:52:49 T480-SA NetworkManager[24934]: initiating Main Mode IKE_SA ac38efb7-59d6-4dcb-98bf-bf0145318677[1] to xxx.xxx.xxx.xxx
May 1 14:52:49 T480-SA NetworkManager[24934]: generating ID_PROT request 0 [ SA V V V V V ]
May 1 14:52:49 T480-SA NetworkManager[24934]: sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May 1 14:52:49 T480-SA NetworkManager[24934]: sending retransmit 1 of request message ID 0, seq 1
May 1 14:52:49 T480-SA NetworkManager[24934]: sending packet: from 10.1.6.132[500] to xxx.xxx.xxx.xxx[500] (532 bytes)
May 1 14:52:49 T480-SA NetworkManager[24934]: destroying IKE_SA in state CONNECTING without notification
May 1 14:52:49 T480-SA NetworkManager[24934]: establishing connection 'ac38efb7-59d6-4dcb-98bf-bf0145318677' failed
May 1 14:52:49 T480-SA charon: 00[DMN] signal of type SIGINT received. Shutting down
May 1 14:52:49 T480-SA charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
May 1 14:52:49 T480-SA nm-l2tp-service[24875]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
May 1 14:52:49 T480-SA NetworkManager[1240]: <info> [1619873569.1349] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN plugin: state changed: stopped (6)
May 1 14:52:49 T480-SA NetworkManager[1240]: <info> [1619873569.1382] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN service disappeared
May 1 14:52:49 T480-SA NetworkManager[1240]: <warn> [1619873569.1393] vpn-connection[0x5626d954c560,ac38efb7-59d6-4dcb-98bf-bf0145318677,"CC-OFFICE",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
Thanks in advance for any suggestions on how to solve this problem.
Answer 1
Could you install the newer network-manager-l2tp 1.8.6 from the following page:
Since you are using KDE plasma-nm, there is no need to install the network-manager-l2tp-gnome package.
In the IPsec settings, do not fill in the Phase 1 and Phase 2 algorithms; leave them blank. In the log above, strongswan's charon is currently failing at Main Mode (i.e. Phase 1).
But it looks like it cannot even reach the VPN server and get a response. If network-manager-l2tp's 10 second timeout for establishing the IPsec connection is exceeded, it kills (i.e. sends SIGINT to) the /usr/sbin/ipsec process.
Could you install the ike-scan package and run the following ike-scan.sh script:
Run the following to confirm whether you are able to reach the VPN server (at address 123.54.76.9) from Ubuntu:
sudo ipsec stop
sudo ./ike-scan.sh 123.54.76.9 | grep SA=
You mentioned that you compiled libreswan, but the log above seems to indicate that strongswan is being used. If you want to use libreswan, I would stick with the older libreswan package shipped with Ubuntu 20.04, as it is more compatible than later versions (unless you build a newer version with the legacy build flags). Although libreswan and strongswan cannot be installed at the same time on Ubuntu, one replaces the other when you try to install it, which is fine for network-manager-l2tp because it automatically detects which one is in use when the VPN connection starts.
If you use strongswan with a Sophos VPN server, it has been reported that you need to disable the strongswan unity plugin:
Apparently the Sophos VPN server uses Libreswan, so in theory Libreswan should offer better compatibility if used on the client side.
Although it is not the problem in this case yet, CentOS does not run the system xl2tpd by default, but Ubuntu does; see the following for how to disable the system xl2tpd:
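The answer reads the log in three places: whether charon ever got a reply to its Main Mode request before the 10 second timeout, whether UDP port 1701 was already taken when nm-l2tp-service started ("Can't bind to port 1701"), and whether a system xl2tpd is running. The script below is an added example that packages those checks as shell functions; it is not code from the question, the answer, or the network-manager-l2tp project. It assumes the syslog format quoted above, iproute2 `ss` and systemd `systemctl` on the client, and its sample log is constructed, with the documentation address 192.0.2.10 standing in for the redacted xxx.xxx.xxx.xxx.

```shell
#!/bin/sh
# Added diagnostic helper for the symptoms discussed in this thread.
# Not part of the question, the answer, or network-manager-l2tp.
# Assumes: syslog lines in the format quoted above; `ss` (iproute2) and
# `systemctl` (systemd) available for the live checks. Sample log is constructed.

# classify_ike_log FILE
# "response"    : charon logged at least one inbound IKE packet
# "no-response" : only outbound Main Mode requests/retransmits (the question's
#                 pattern: nothing comes back before the 10 s timeout kills ipsec)
# "none"        : no IKE traffic in the excerpt at all
classify_ike_log() {
    if grep -q 'received packet:' "$1"; then
        echo response
    elif grep -q 'sending packet:' "$1"; then
        echo no-response
    else
        echo none
    fi
}

# count_retransmits FILE: number of "sending retransmit" lines (0 if none)
count_retransmits() {
    grep -c 'sending retransmit' "$1" || true
}

# port_1701_bound FILE: exit 0 if nm-l2tp-service could not bind UDP 1701,
# which on Ubuntu usually means the system xl2tpd already holds it
port_1701_bound() {
    grep -q "Can't bind to port 1701" "$1"
}

# l2tp_port_owner: live check, prints the process holding UDP 1701 (empty if free)
l2tp_port_owner() {
    command -v ss >/dev/null 2>&1 || return 0
    ss -lunp 2>/dev/null | awk '$5 ~ /:1701$/ { print $NF }'
}

# xl2tpd_service_state: live check, "active", "inactive" or "unknown"
xl2tpd_service_state() {
    command -v systemctl >/dev/null 2>&1 || { echo unknown; return 0; }
    state=$(systemctl is-active xl2tpd 2>/dev/null) || true
    echo "${state:-unknown}"
}

# Constructed sample in the shape of the question's log (192.0.2.10 replaces
# the redacted server address).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May 1 14:52:35 T480-SA nm-l2tp-service[24875]: Can't bind to port 1701
May 1 14:52:39 T480-SA charon: 12[NET] sending packet: from 10.1.6.132[500] to 192.0.2.10[500] (532 bytes)
May 1 14:52:43 T480-SA charon: 16[IKE] sending retransmit 1 of request message ID 0, seq 1
May 1 14:52:43 T480-SA charon: 16[NET] sending packet: from 10.1.6.132[500] to 192.0.2.10[500] (532 bytes)
EOF

echo "IKE Main Mode:         $(classify_ike_log "$SAMPLE_LOG") ($(count_retransmits "$SAMPLE_LOG") retransmit(s))"
if port_1701_bound "$SAMPLE_LOG"; then
    echo "L2TP port 1701:        already bound when nm-l2tp-service started"
fi
echo "UDP 1701 held by:      $(l2tp_port_owner)"
echo "system xl2tpd.service: $(xl2tpd_service_state)"
rm -f "$SAMPLE_LOG"
```

Run it as root on the Ubuntu client right after a failed attempt, pointing the log functions at an excerpt of /var/log/syslog instead of the embedded sample; "no-response" with retransmits means the problem is upstream of any Phase 1 algorithm setting (reachability, UDP 500/4500 filtering, or the server ignoring the proposal), which is exactly what the ike-scan step in the answer is meant to separate.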