Bug 32211 - l2tp w ipsec isn't work after the upgrade to M9, looks like a libreswan problem
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
Whiteboard: MGA8TOO MGA9-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Blocks: 31865
Reported: 2023-08-30 17:48 CEST by mesb mesb
Modified: 2023-10-17 16:07 CEST
Source RPM: networkmanager-l2tp

Description mesb mesb 2023-08-30 17:48:48 CEST
Description of problem:

After online upgrade via urpmi cli from 8 to 9, can't connect to l2tp w ipsec anymore.


Version-Release number of selected component (if applicable):
Mageia 9


How reproducible:
Using mageia9+xfce and network manager for vpn connection.

Steps to Reproduce:
1. Create connection to the l2tp server with ipsec.
2. Try to enable it.
3. Check logs.

All I have:

Aug 30 18:29:17 chaus-white NetworkManager[48467]: <info>  [1693409357.6311] vpn[0xae6e80,67629c61-f5d3-4e2a-b926-94721eb2f33a,"RstmTest1"]: starting l2tp
Aug 30 18:29:17 chaus-white NetworkManager[48467]: <info>  [1693409357.6349] audit: op="connection-activate" uuid="67629c61-f5d3-4e2a-b926-94721eb2f33a" name="RstmTest1" pid=6094 uid=1000 result="success"
Aug 30 18:29:18 chaus-white NetworkManager[48467]: <warn>  [1693409358.1327] vpn[0xae6e80,67629c61-f5d3-4e2a-b926-94721eb2f33a,"RstmTest1"]: failed to connect: 'Neither Libreswan nor strongSwan were found.'


System libraries:
networkmanager-libreswan-1.2.16-2.mga9
xl2tpd-1.3.17-1.mga9
networkmanager-l2tp-1.8.8-1.mga9
libreswan-4.11-1.mga9


Also I tried to reinstall it with strongswan - same result.
And new connection creation also doesn't help.
Comment 1 mesb mesb 2023-08-30 18:29:40 CEST
It looks like when strongswan and libreswan are installed, network manager prefers libreswan.

So ipsec --version command shows libreswan.

So after I deleted libreswan from the machine, it started to use strongswan.


Maybe this one helps to solve problem with libreswan:

https://www.reddit.com/r/Fedora/comments/y43c4x/problem_with_l2tp_vpn_after_upgrading_to_fedora_37/


At least it is doing something, but still not working for my setup with strongswan.
Comment 2 mesb mesb 2023-08-30 18:42:29 CEST
Well, in case someone needs a temporary fix ASAP for libreswan like I do:

Edit with root privileges: /usr/sbin/ipsec
Find string: echo "Libreswan ${IPSEC_VERSION}"
Change it to:  echo "Linux Libreswan ${IPSEC_VERSION}"
Save file.

Now your system will connect fine like mageia 8 does.

But please, could some of the developers take a look at a proper fix for it.
Comment 3 mesb mesb 2023-08-30 18:45:45 CEST
I have changed only one string, number 563.
There were a couple more, but you don't need to change them.
Comment 4 Lewis Smith 2023-08-30 22:07:36 CEST
Thank you for this helpful report.

Can you say whether your temporary fix in comment 2 is also effective if you use strongswan (rather than libreswan)?
/usr/sbin/ipsec comes from libreswan.

The Fedora reference talks about downgrading libreswan from 4.8 to 4.7; we are long past that.

Assigning to Stig for libreswan, but you may want to pass this elsewhere.
CC'ing DavidG for strongswan, since that did not work either.

CC: (none) => geiger.david68210
Assignee: bugsquad => smelror
Summary: l2tp w ipsec isn't work after the upgrade => l2tp w ipsec isn't work after the upgrade to M9, looks like a libreswan problem
Source RPM: (none) => libreswan-4.11-1.mga9.src.rpm, strongswan

Comment 5 Thomas Backlund 2023-08-30 23:04:31 CEST
It's networkmanager-l2tp that needs this backported:

https://github.com/nm-l2tp/NetworkManager-l2tp/commit/3c6ccfe331e65c7af8be4df78cac67c030e96958

Source RPM: libreswan-4.11-1.mga9.src.rpm, strongswan => networkmanager-l2tp
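
The banner mismatch behind comments 2 and 5, as an added example that is not part of this bug thread or of networkmanager-l2tp's code: a shell check that tells whether an `ipsec --version` banner would be missed by a detector that insists on the older "Linux " prefix. That strict rule is an assumption inferred from the workaround in comment 2; the function names, the "Linux strongSwan " pattern and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the plugin's code.
# Assumption: the unpatched plugin only accepts banners starting with "Linux ".

# classify_banner MODE BANNER  ->  libreswan | strongswan | unknown
#   MODE=strict   : banner must carry the "Linux " prefix (assumed old rule)
#   MODE=tolerant : banner is accepted with or without the prefix
classify_banner() {
    mode=$1
    banner=$2
    if [ "$mode" = tolerant ]; then
        rest=${banner#"Linux "}        # drop the prefix if present
        banner="Linux $rest"           # then normalise to the prefixed form
    fi
    case "$banner" in
        "Linux Libreswan "*)  echo libreswan ;;
        "Linux strongSwan "*) echo strongswan ;;
        *)                    echo unknown ;;
    esac
}

# check_banner BANNER  ->  detected:<daemon> | mismatch:<daemon> | none
#   mismatch means a daemon is installed but a strict detector would miss it,
#   which surfaces as "Neither Libreswan nor strongSwan were found."
check_banner() {
    strict=$(classify_banner strict "$1")
    tolerant=$(classify_banner tolerant "$1")
    if [ "$strict" != unknown ]; then
        echo "detected:$strict"
    elif [ "$tolerant" != unknown ]; then
        echo "mismatch:$tolerant"
    else
        echo none
    fi
}

# Constructed sample banners: new format, old format, unrelated text.
for sample in "Libreswan 4.11" "Linux Libreswan 4.11" "not an ipsec banner"; do
    printf '%-24s -> %s\n' "$sample" "$(check_banner "$sample")"
done

# On a real host, check the installed binary's first banner line.
if command -v ipsec >/dev/null 2>&1; then
    check_banner "$(ipsec --version 2>/dev/null | head -n 1)"
fi
```

A `mismatch:libreswan` result means the fix belongs in the detecting package, as comment 5 says, rather than in an edited /usr/sbin/ipsec that the next libreswan update would overwrite.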

Comment 6 mesb mesb 2023-08-31 09:03:32 CEST
(In reply to Lewis Smith from comment #4)
> Thank you for this helpful report.
> 
> Can you say whether your temporary fix in comment 2 is also effective if you
> use strongswan (rather than libreswan)?
> /usr/sbin/ipsec comes from libreswan.
> 

There isn't any /usr/sbin/ipsec for strongswan as far as I can see.
At least network manager stops complaining about whether it is found or not.

I can't say whether there is a problem for strongswan with this fix, as I can't connect to my vpn servers with it out of the box even before the fix.
It looks like it might take a lot more time to figure out why it doesn't work for my infrastructure, as all I get after tons of logs with strongswan is:
IPsec SA: unsupported mode


So as a first time fix it would be nice to get libreswan running with networkmanager-l2tp.
Comment 7 Thomas Backlund 2023-08-31 16:17:37 CEST
(In reply to mesb mesb from comment #2)
> Well, in case someone needs a temporary fix ASAP for libreswan like I
> do:
> 
> Edit with root privileges: /usr/sbin/ipsec
> Find string: echo "Libreswan ${IPSEC_VERSION}"
> Change it to:  echo "Linux Libreswan ${IPSEC_VERSION}"
> Save file.
> 
> Now your system will connect fine like mageia 8 does.
> 
> But please, could some of the developers take a look at a proper fix for it.


revert your change, and try this package:

http://ftp.free.fr/mirrors/mageia.org/people/tmb/9/32211/x86_64/networkmanager-l2tp-1.8.8-1.1.mga9.x86_64.rpm
Comment 8 mesb mesb 2023-08-31 17:25:52 CEST
(In reply to Thomas Backlund from comment #7)
> 
> revert your change, and try this package:
> 
> http://ftp.free.fr/mirrors/mageia.org/people/tmb/9/32211/x86_64/
> networkmanager-l2tp-1.8.8-1.1.mga9.x86_64.rpm

Done.
Works just fine for my use case for libreswan.

Is there anything else I can check?
Comment 9 Thomas Backlund 2023-08-31 18:09:46 CEST
(In reply to mesb mesb from comment #8)
> (In reply to Thomas Backlund from comment #7)
> > 
> > revert your change, and try this package:
> > 
> > http://ftp.free.fr/mirrors/mageia.org/people/tmb/9/32211/x86_64/
> > networkmanager-l2tp-1.8.8-1.1.mga9.x86_64.rpm
> 
> Done.
> Works just fine for my use case for libreswan.

Great, thanks for confirming.

> 
> Is there anything else I can check?


I'll submit it as an official update
Comment 10 Thomas Backlund 2023-09-01 16:04:47 CEST
Assigning to QA,

This fixes networkmanager-l2tp to work with libreswan >= 4.9 in mageia 9

This will also affect mga8 soon as it will get libreswan 4.12 as part of a security update in bug 31865





Mga8:
SRPM:
networkmanager-l2tp-1.8.2-1.1.mga8.src.rpm

i586:
networkmanager-l2tp-1.8.2-1.1.mga8.i586.rpm

x86_64:
networkmanager-l2tp-1.8.2-1.1.mga8.x86_64.rpm



Mga9:
SRPM:
networkmanager-l2tp-1.8.8-1.1.mga9.src.rpm

i586:
networkmanager-l2tp-1.8.8-1.1.mga9.i586.rpm

x86_64:
networkmanager-l2tp-1.8.8-1.1.mga9.x86_64.rpm

Whiteboard: (none) => MGA8TOO
Assignee: smelror => qa-bugs

Thomas Backlund 2023-09-01 16:08:29 CEST

Blocks: (none) => 31865

Comment 11 Herman Viaene 2023-09-07 14:56:48 CEST
MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Have been struggling to be able to start the wifi from the nmcli command, but gave up.
Displaying the devices and not-active connections all work OK.
Leaving for others to complete the test.

CC: (none) => herman.viaene

Comment 12 Marja Van Waes 2023-10-13 11:19:39 CEST
Advisory from comment 10 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

CC: (none) => marja11
Keywords: (none) => advisory

Comment 13 Herman Viaene 2023-10-16 15:02:44 CEST
Anyone ????
Comment 14 katnatek 2023-10-16 20:42:31 CEST
I set up OK for mageia 8 and 9 64 bit, but I need a guide for dumb to test this

Whiteboard: MGA8TOO => MGA8TOO MGA9-64-OK MGA8-64-OK

Comment 15 Thomas Andrews 2023-10-16 23:24:11 CEST
"I need a guide for dumb to test this." So would I.

Comment 9 reads like it was good enough for TMB, and the reporter says it works in comment 8, so I'm going to validate based on that and clean installs by Herman and katnatek.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 16 Mageia Robot 2023-10-17 16:07:26 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2023-0092.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
