| Summary: | l2tp w ipsec isn't work after the upgrade to M9, looks like a libreswan problem | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | mesb mesb <b116d> |
| Component: | RPM Packages | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, herman.viaene, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8TOO MGA9-64-OK MGA8-64-OK | ||
| Source RPM: | networkmanager-l2tp | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 31865 | ||
|
Description
mesb mesb
2023-08-30 17:48:48 CEST
It looks like when strongswan and libreswan is installed network manager prefer libreswan. So ipsec --version command shows libreswan. So after i have deleted libreswan from the machine it started to use strongswan, Maybe this one helps to solve problem with libreswan: https://www.reddit.com/r/Fedora/comments/y43c4x/problem_with_l2tp_vpn_after_upgrading_to_fedora_37/ Atleast it is doing something, but still not working for my setup with strongswan. Well, it looks like if someone needs temporary fix asap for libreswan like i do:
Edit with root privileges: /usr/sbin/ipsec
Find string: echo "Libreswan ${IPSEC_VERSION}"
Change it to: echo "Linux Libreswan ${IPSEC_VERSION}"
Save file.
Now your system will connect fine like mageia 8 do.
But please some of the developers take a look for the proper fix of it.
I have changed only one string number 563. There was a couple more, but you don't need to change it. Thank you for this helpful report. Can you say whether your temporary fix comment 2 is also effective if you use strongswan (rather than libreswan)? /usr/sbin/ipsec comes from libreswan. The Fedora reference talks about downgrading libreswan from 4.8 to 4.7, we are long past that. Assigning to Stig for libreswan, but you may want to pass this elsewhere. CC'ing DavidG for strongswan, since that did not work either. CC:
(none) =>
geiger.david68210 It's networkmanager-l2tp that needs this backported: https://github.com/nm-l2tp/NetworkManager-l2tp/commit/3c6ccfe331e65c7af8be4df78cac67c030e96958 Source RPM:
libreswan-4.11-1.mga9.src.rpm, strongswan =>
networkmanager-l2tp (In reply to Lewis Smith from comment #4) > Thank you for this helpful report. > > Can you say whether your temporary fix comment 2 is also effective if you > use strongswan (rather than libreswan)? > /usr/sbin/ipsec comes from libreswan. > There is no any /usr/sbin/ipsec for strongswan as far as i can see. At least network manager stops complaining about is it found or not. I can't provide if there is a problem for strongswan with this fix, as i can't connect to my vpn servers with it out of the box even before fix. It looks like it might takes a lot more time to get why it doesn't work for my infrustructure, as all i get after tons of logs with strongswan: IPsec SA: unsupported mode So as a first time fix it would be nice to get libreswan running with networkmanager-l2tp. (In reply to mesb mesb from comment #2) > Well, it looks like if someone needs temporary fix asap for libreswan like i > do: > > Edit with root privileges: /usr/sbin/ipsec > Find string: echo "Libreswan ${IPSEC_VERSION}" > Change it to: echo "Linux Libreswan ${IPSEC_VERSION}" > Save file. > > Now your system will connect fine like mageia 8 do. > > But please some of the developers take a look for the proper fix of it. revert your change, and try this package: http://ftp.free.fr/mirrors/mageia.org/people/tmb/9/32211/x86_64/networkmanager-l2tp-1.8.8-1.1.mga9.x86_64.rpm (In reply to Thomas Backlund from comment #7) > > revert your change, and try this package: > > http://ftp.free.fr/mirrors/mageia.org/people/tmb/9/32211/x86_64/ > networkmanager-l2tp-1.8.8-1.1.mga9.x86_64.rpm Done. Works just fine for my usecase for libreswan. Is there anything else i can check? (In reply to mesb mesb from comment #8) > (In reply to Thomas Backlund from comment #7) > > > > revert your change, and try this package: > > > > http://ftp.free.fr/mirrors/mageia.org/people/tmb/9/32211/x86_64/ > > networkmanager-l2tp-1.8.8-1.1.mga9.x86_64.rpm > > Done. > Works just fine for my usecase for libreswan. Great, thanks for confirming. > > Is there anything else i can check? I'll submit it as an official update Assigning to QA, This fixes networkmanager-l2tp to work with libreswan >= 4.9 in mageia 9 This will also affect mga8 soon as it will get libreswan 4.12 as part of a security update in bug 31865 Mga8: SRPM: networkmanager-l2tp-1.8.2-1.1.mga8.src.rpm i586: networkmanager-l2tp-1.8.2-1.1.mga8.i586.rpm x86_64: networkmanager-l2tp-1.8.2-1.1.mga8.x86_64.rpm Mga9: SRPM: networkmanager-l2tp-1.8.8-1.1.mga9.src.rpm i586: networkmanager-l2tp-1.8.8-1.1.mga9.i586.rpm x86_64: networkmanager-l2tp-1.8.8-1.1.mga9.x86_64.rpm Whiteboard:
(none) =>
MGA8TOO
Thomas Backlund
2023-09-01 16:08:29 CEST
Blocks:
(none) =>
31865 MGA8-64 Xfce on Acer Aspire 5253 No installation issues Have been struggling to be able to start the wifi from the nmcli command, but gave up. Displaying the devices and not-active connections all work OK. Leaving fot others to complete the test. CC:
(none) =>
herman.viaene Advisory from comment 10 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete". CC:
(none) =>
marja11 Anyone ???? I set up OK for mageia 8 y 9 64 bit, but I need a guide for dumb to test this Whiteboard:
MGA8TOO =>
MGA8TOO MGA9-64-OK MGA8-64-OK "I need a guide for dumb to test this." So would I. Comment 9 reads like it was good enough for TMB, and the reporter says it works in comment 8, so I'm going to validate based on that and clean installs by Herman and katnatek. CC:
(none) =>
andrewsfarm, sysadmin-bugs An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2023-0092.html Status:
NEW =>
RESOLVED |