Erro ao conectar na VPN L2TP com IPSec [RESOLVIDO]

jaclinton
(usa Debian)

Enviado em 09/09/2021 - 16:34h

Boa tarde, prezados!

Estou com uma demanda para liberar o acesso a VPN no Ubuntu usando L2TP. E fiz a instalação dos pacotes:
network-manager-l2tp
network-manager-l2tp-gnome

basicamente, segui esse procedimento: https://www.bfnetworks.com.br/vpn-cliente-l2tp-ipsec-ubuntu/


ep 9 12:30:29 PE-REC-VMTESTLINUX NetworkManager[758]: <info> [1631215829.3926] audit: op="connection-activate" uuid="69106949-46aa-44aa-9cad-a69fcc5fb859" name="VPN BERNHOEFT" pid=2439 uid=1000 result="success"
Sep 9 12:30:29 PE-REC-VMTESTLINUX NetworkManager[758]: <info> [1631215829.3983] vpn-connection[0x56175d704590,69106949-46aa-44aa-9cad-a69fcc5fb859,"VPN BERNHOEFT",0]: Started the VPN service, PID 6869
Sep 9 12:30:29 PE-REC-VMTESTLINUX NetworkManager[758]: <info> [1631215829.4054] vpn-connection[0x56175d704590,69106949-46aa-44aa-9cad-a69fcc5fb859,"VPN BERNHOEFT",0]: Saw the service appear; activating connection
Sep 9 12:30:29 PE-REC-VMTESTLINUX NetworkManager[758]: <info> [1631215829.4709] vpn-connection[0x56175d704590,69106949-46aa-44aa-9cad-a69fcc5fb859,"VPN BERNHOEFT",0]: VPN connection: (ConnectInteractive) reply received
Sep 9 12:30:42 PE-REC-VMTESTLINUX nm-l2tp-service[6869]: Check port 1701
Sep 9 12:30:42 PE-REC-VMTESTLINUX NetworkManager[6882]: Redirecting to: systemctl restart ipsec.service
Sep 9 12:30:42 PE-REC-VMTESTLINUX systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Sep 9 12:30:42 PE-REC-VMTESTLINUX whack[6886]: 002 shutting down
Sep 9 12:30:42 PE-REC-VMTESTLINUX ipsec[6891]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:42 PE-REC-VMTESTLINUX libipsecconf[6891]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:42 PE-REC-VMTESTLINUX systemd[1]: ipsec.service: Succeeded.
Sep 9 12:30:42 PE-REC-VMTESTLINUX systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Sep 9 12:30:42 PE-REC-VMTESTLINUX systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Sep 9 12:30:42 PE-REC-VMTESTLINUX addconn[6895]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:42 PE-REC-VMTESTLINUX libipsecconf[6895]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:42 PE-REC-VMTESTLINUX _stackmanager[6898]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:42 PE-REC-VMTESTLINUX libipsecconf[6898]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:42 PE-REC-VMTESTLINUX _stackmanager[6903]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:42 PE-REC-VMTESTLINUX libipsecconf[6903]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:43 PE-REC-VMTESTLINUX ipsec[7160]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:43 PE-REC-VMTESTLINUX libipsecconf[7160]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:43 PE-REC-VMTESTLINUX ipsec[7158]: nflog ipsec capture disabled
Sep 9 12:30:43 PE-REC-VMTESTLINUX systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Sep 9 12:30:43 PE-REC-VMTESTLINUX libipsecconf[7172]: warning: could not open include filename: '/etc/ipsec.d/*.conf'
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7175]: 002 listening for IKE messages
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7175]: 002 forgetting secrets
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7175]: 002 loading secrets from "/etc/ipsec.secrets"
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7175]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: debugging mode enabled
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: end of file /run/nm-l2tp-69106949-46aa-44aa-9cad-a69fcc5fb859/ipsec.conf
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: Loading conn 69106949-46aa-44aa-9cad-a69fcc5fb859
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: starter: left is KH_DEFAULTROUTE
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" modecfgdns=<unset>
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" modecfgdomains=<unset>
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" modecfgbanner=<unset>
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" mark=<unset>
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" mark-in=<unset>
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" mark-out=<unset>
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" vti_iface=<unset>
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" redirect-to=<unset>
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" accept-redirect-to=<unset>
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" esp=3des-sha1
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: conn: "69106949-46aa-44aa-9cad-a69fcc5fb859" ike=3des-sha1-modp1024
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: opening file: /run/nm-l2tp-69106949-46aa-44aa-9cad-a69fcc5fb859/ipsec.conf
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: loading named conns: 69106949-46aa-44aa-9cad-a69fcc5fb859
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: seeking_src = 1, seeking_gateway = 1, has_peer = 1
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst via 192.168.149.2 dev ens33 src table 254
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: set nexthop: 192.168.149.2
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 169.254.0.0 via dev ens33 src table 254
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 192.168.149.0 via dev ens33 src 192.168.149.129 table 254
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored)
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored)
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 192.168.149.0 via dev ens33 src 192.168.149.129 table 255 (ignored)
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 192.168.149.129 via dev ens33 src 192.168.149.129 table 255 (ignored)
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 192.168.149.255 via dev ens33 src 192.168.149.129 table 255 (ignored)
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: seeking_src = 1, seeking_gateway = 0, has_peer = 1
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 192.168.149.2 via dev ens33 src 192.168.149.129 table 254
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: set addr: 192.168.149.129
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: seeking_src = 0, seeking_gateway = 0, has_peer = 1
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 002 "69106949-46aa-44aa-9cad-a69fcc5fb859" #1: initiating Main Mode
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 104 "69106949-46aa-44aa-9cad-a69fcc5fb859" #1: STATE_MAIN_I1: initiate
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 003 "69106949-46aa-44aa-9cad-a69fcc5fb859" #1: ignoring unknown Vendor ID payload [5b362bc820f60008]
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 106 "69106949-46aa-44aa-9cad-a69fcc5fb859" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 108 "69106949-46aa-44aa-9cad-a69fcc5fb859" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 003 "69106949-46aa-44aa-9cad-a69fcc5fb859" #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 002 "69106949-46aa-44aa-9cad-a69fcc5fb859" #1: Peer ID is ID_IPV4_ADDR: '200.143.98.173'
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 004 "69106949-46aa-44aa-9cad-a69fcc5fb859" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1024}
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 002 "69106949-46aa-44aa-9cad-a69fcc5fb859" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:baf946ba proposal=3DES_CBC-HMAC_SHA1_96 pfsgroup=MODP1024}
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 117 "69106949-46aa-44aa-9cad-a69fcc5fb859" #2: STATE_QUICK_I1: initiate
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7182]: 010 "69106949-46aa-44aa-9cad-a69fcc5fb859" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
Sep 9 12:30:44 PE-REC-VMTESTLINUX NetworkManager[7182]: 010 "69106949-46aa-44aa-9cad-a69fcc5fb859" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
Sep 9 12:30:45 PE-REC-VMTESTLINUX NetworkManager[7182]: 010 "69106949-46aa-44aa-9cad-a69fcc5fb859" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
Sep 9 12:30:47 PE-REC-VMTESTLINUX NetworkManager[7182]: 010 "69106949-46aa-44aa-9cad-a69fcc5fb859" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
Sep 9 12:30:51 PE-REC-VMTESTLINUX NetworkManager[7182]: 010 "69106949-46aa-44aa-9cad-a69fcc5fb859" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
Sep 9 12:30:53 PE-REC-VMTESTLINUX nm-l2tp-service[6869]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
Sep 9 12:30:53 PE-REC-VMTESTLINUX NetworkManager[758]: <info> [1631215853.0847] vpn-connection[0x56175d704590,69106949-46aa-44aa-9cad-a69fcc5fb859,"VPN BERNHOEFT",0]: VPN service disappeared

Buckminster
(usa Debian)

Enviado em 09/09/2021 - 20:08h

Confira se tu marcou o campo: “Enable IPsec tunnel to L2TP host”

Pelas linhas abaixo o que eu posso imaginar é que tu não colocou o IP do gateway corretamente e a VPN não está encontrando o caminho. A ens33 é a placa de rede. No teu caso, nas configurações do servidor VPN o IP a ser colocado é o IP privado da placa de rede do cliente VPN.

"Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 192.168.149.0 via dev ens33 src 192.168.149.129 table 255 (ignored)
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 192.168.149.129 via dev ens33 src 192.168.149.129 table 255 (ignored)
Sep 9 12:30:43 PE-REC-VMTESTLINUX NetworkManager[7180]: dst 192.168.149.255 via dev ens33 src 192.168.149.129 table 255 (ignored)"

Confira no link abaixo a Solução para o cliente VPN, siga os passos e veja se resolve:
https://community.checkpoint.com/t5/Remote-Access-VPN/L2TP-over-IPSec-Linux-VPN/td-p/48860


________________________________________________
Always listen the Buck!
Sanou tua dúvida, resolveu teu problema?
Então marque como Resolvido e escolha a Melhor Resposta.
Ou então execute:

# chown -R root:root /

# mount -o remount,rw /

# reboot

e veja o sistema derreter na sua frente. 

jaclinton
(usa Debian)

Enviado em 19/09/2021 - 19:57h

Vou verificar aqui nas configurações, que já mudei tanto que nem lembro mais de cabeça. rsrs

Fiz uma verificação aqui e tenho tudo configurado "como mando o figurino". Mas acho que pode ser alguma config que estou passando despercebido. Uma vez que este tipo de VPN no Windows funciona corretamente.

Vide imagem abaixo.

Best regards,
Jaclinton Peixoto

jaclinton
(usa Debian)

Enviado em 21/09/2021 - 08:23h

Fiz uma verificação e basicamente era a questão do gateway mesmo no segunda parte que estava faltando. Fiz a configuração e a conexão agora conecta numa boa. O estranho só é que mesmo conectado não consigo chegar em nenhuma das máquinas com um ping, por exemplo.

Best regards,
Jaclinton Peixoto

Buckminster
(usa Debian)

Enviado em 21/09/2021 - 09:18h

https://www.bfnetworks.com.br/vpn-server-l2tp-ipsec-edgerouter/

https://under-linux.org/showthread.php?t=185328

https://social.technet.microsoft.com/Forums/pt-BR/85f06e5c-698e-4d25-ab3c-2327c9271d23/vpn-conecta-m...


________________________________________________
Always listen the Buck!
Sanou tua dúvida, resolveu teu problema?
Então marque como Resolvido e escolha a Melhor Resposta.

jaclinton
(usa Debian)

Enviado em 22/09/2021 - 12:40h

Buckminster,
Muito obrigado pela ajuda e aquele link das configurações me ajudou bastante.

Agora, consegui resolver o meu problema da seguinte forma:
Como eu estava conseguindo conectar, seguindo esta documentação:
https://community.checkpoint.com/t5/Remote-Access-VPN/L2TP-over-IPSec-Linux-VPN/td-p/48860

A máquina não conseguia acessar nada na rede usando a VPN. Então, em meus testes, instalei o pacote libreswan e consegui ter acesso a rede.

Meu passo a passo foi:
apt-get install -y network-manager-l2tp network-manager-gnome libreswan

E problema resolvido seguindo as configurações do link citado acima.

Best regards,
Jaclinton Peixoto

Buckminster
(usa Debian)

Enviado em 22/09/2021 - 13:07h

De nada.


________________________________________________
Always listen the Buck!
Sanou tua dúvida, resolveu teu problema?
Então marque como Resolvido e escolha a Melhor Resposta.