Additional L2TP VPN Breaks First VPN

Bug #1849930 reported by Lonnie Lee Best on 2019-10-26
This bug affects 1 person
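Affects (Status, Importance, Assigned to, Milestone):
NetworkManager: Status New, Importance Unknown
gnome-control-center: Status Fix Released, Importance Unknown
strongSwan: Status New, Importance Undecided, Assigned to Unassigned
gnome-control-center (Ubuntu): Importance Low, Assigned to Unassigned
network-manager-l2tp (Ubuntu): Importance Low, Assigned to Unassigned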

Bug Description

When I add only one L2TP VPN profile to gnome-control-center's Network > VPN settings, it works fine.

However, if I add a 2nd L2TP VPN, the 2nd L2TP VPN not only doesn't work, but it corrupts the first L2TP VPN so that it too stops working.

Furthermore, if I remove the 2nd L2TP VPN profile (that corrupted the first L2TP VPN), this does NOT repair the corruption to the first L2TP VPN; it remains corrupted.

Additionally, removing all VPN profiles and re-adding the first one back doesn't repair the corruption. Rebooting and adding them back doesn't work either.

The only thing that works, that I've found, is completely reinstalling Ubuntu 19.10. Please advise better workarounds than reinstalling.

In case it matters, these additional packages were also required for my initial VPN setup:

sudo apt-get install -y network-manager-l2tp network-manager-l2tp-gnome strongswan

Here's what's in the syslog on a failed VPN Connection attempt:

Oct 26 02:58:35 workstation5 NetworkManager[1241]: <info> [1572076715.5632] audit: op="connection-activate" uuid="1942cf95-93b1-4e74-a44a-947a46bffb5a" name="L2TP VPN1" pid=3531 uid=1000 result="success"
Oct 26 02:58:35 workstation5 NetworkManager[1241]: <info> [1572076715.5702] vpn-connection[0x5642f421c750,1932cf95-91b1-4e85-a44a-498a56befb5a,"L2TP VPN1",0]: Started the VPN service, PID 7273
Oct 26 02:58:35 workstation5 NetworkManager[1241]: <info> [1572076715.5747] vpn-connection[0x5642f421c750,1932cf95-91b1-4e85-a44a-498a56befb5a,"L2TP VPN1",0]: Saw the service appear; activating connection
Oct 26 02:58:35 workstation5 NetworkManager[1241]: <info> [1572076715.6566] vpn-connection[0x5642f421c750,1932cf95-91b1-4e85-a44a-498a56befb5a,"L2TP VPN1",0]: VPN connection: (ConnectInteractive) reply received
Oct 26 02:58:35 workstation5 NetworkManager[1241]: Stopping strongSwan IPsec failed: starter is not running
Oct 26 02:58:37 workstation5 NetworkManager[1241]: Starting strongSwan 5.7.2 IPsec [starter]...
Oct 26 02:58:37 workstation5 NetworkManager[1241]: Loading config setup
Oct 26 02:58:37 workstation5 NetworkManager[1241]: Loading conn '1942cf95-93b1-4e74-a44a-947a46bffb5a'
Oct 26 02:58:37 workstation5 NetworkManager[1241]: found netkey IPsec stack
Oct 26 02:58:48 workstation5 NetworkManager[1241]: Stopping strongSwan IPsec...
Oct 26 02:58:48 workstation5 NetworkManager[1241]: initiating Main Mode IKE_SA 1942cf95-93b1-4e74-a44a-947a46bffb5a[1] to 49.230.24.121
Oct 26 02:58:48 workstation5 NetworkManager[1241]: generating ID_PROT request 0 [ SA V V V V V ]
Oct 26 02:58:48 workstation5 NetworkManager[1241]: sending packet: from 192.168.1.2[500] to 49.230.24.121[500] (236 bytes)
Oct 26 02:58:48 workstation5 NetworkManager[1241]: received packet: from 49.230.24.121[500] to 192.168.1.2[500] (156 bytes)
Oct 26 02:58:48 workstation5 NetworkManager[1241]: parsed ID_PROT response 0 [ SA V V V V ]
Oct 26 02:58:48 workstation5 NetworkManager[1241]: received XAuth vendor ID
Oct 26 02:58:48 workstation5 NetworkManager[1241]: received DPD vendor ID
Oct 26 02:58:48 workstation5 NetworkManager[1241]: received FRAGMENTATION vendor ID
Oct 26 02:58:48 workstation5 NetworkManager[1241]: received NAT-T (RFC 3947) vendor ID
Oct 26 02:58:48 workstation5 NetworkManager[1241]: selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 26 02:58:48 workstation5 NetworkManager[1241]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 26 02:58:48 workstation5 NetworkManager[1241]: sending packet: from 192.168.1.2[500] to 49.230.24.121[500] (244 bytes)
Oct 26 02:58:48 workstation5 NetworkManager[1241]: received packet: from 49.230.24.121[500] to 192.168.1.2[500] (244 bytes)
Oct 26 02:58:48 workstation5 NetworkManager[1241]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 26 02:58:48 workstation5 NetworkManager[1241]: local host is behind NAT, sending keep alives
Oct 26 02:58:48 workstation5 NetworkManager[1241]: generating ID_PROT request 0 [ ID HASH ]
Oct 26 02:58:48 workstation5 NetworkManager[1241]: sending packet: from 192.168.1.2[4500] to 49.230.24.121[4500] (68 bytes)
Oct 26 02:58:48 workstation5 NetworkManager[1241]: received packet: from 49.230.24.121[500] to 192.168.1.2[500] (68 bytes)
Oct 26 02:58:48 workstation5 NetworkManager[1241]: invalid HASH_V1 payload length, decryption failed?
Oct 26 02:58:48 workstation5 NetworkManager[1241]: could not decrypt payloads
Oct 26 02:58:48 workstation5 NetworkManager[1241]: message parsing failed
Oct 26 02:58:48 workstation5 NetworkManager[1241]: ignore malformed INFORMATIONAL request
Oct 26 02:58:48 workstation5 NetworkManager[1241]: INFORMATIONAL_V1 request with message ID 3016741680 processing failed
Oct 26 02:58:48 workstation5 NetworkManager[1241]: sending retransmit 1 of request message ID 0, seq 3
Oct 26 02:58:48 workstation5 NetworkManager[1241]: sending packet: from 192.168.1.2[4500] to 49.230.24.121[4500] (68 bytes)
Oct 26 02:58:48 workstation5 NetworkManager[1241]: received packet: from 49.230.24.121[500] to 192.168.1.2[500] (68 bytes)
Oct 26 02:58:48 workstation5 NetworkManager[1241]: invalid HASH_V1 payload length, decryption failed?
Oct 26 02:58:48 workstation5 NetworkManager[1241]: could not decrypt payloads
Oct 26 02:58:48 workstation5 NetworkManager[1241]: message parsing failed
Oct 26 02:58:48 workstation5 NetworkManager[1241]: ignore malformed INFORMATIONAL request
Oct 26 02:58:48 workstation5 NetworkManager[1241]: INFORMATIONAL_V1 request with message ID 394520243 processing failed
Oct 26 02:58:48 workstation5 NetworkManager[1241]: destroying IKE_SA in state CONNECTING without notification
Oct 26 02:58:48 workstation5 NetworkManager[1241]: establishing connection '1942cf95-93b1-4e74-a44a-947a46bffb5a' failed
Oct 26 02:58:48 workstation5 NetworkManager[1241]: <info> [1572076728.9330] vpn-connection[0x5642f421c750,1932cf95-91b1-4e85-a44a-498a56befb5a,"L2TP VPN1",0]: VPN plugin: state changed: stopped (6)
Oct 26 02:58:48 workstation5 NetworkManager[1241]: <info> [1572076728.9348] vpn-connection[0x5642f421c750,1932cf95-91b1-4e85-a44a-498a56befb5a,"L2TP VPN1",0]: VPN service disappeared
Oct 26 02:58:48 workstation5 NetworkManager[1241]: <warn> [1572076728.9356] vpn-connection[0x5642f421c750,1932cf95-91b1-4e85-a44a-498a56befb5a,"L2TP VPN1",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: gnome-control-center 1:3.34.1-1ubuntu2
ProcVersionSignature: Ubuntu 5.3.0-19.20-generic 5.3.1
Uname: Linux 5.3.0-19-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu8
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Sat Oct 26 02:36:56 2019
InstallationDate: Installed on 2019-10-19 (6 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: gnome-control-center
UpgradeStatus: No upgrade log present (probably fresh install)

I've attached the syslog for easier viewing.
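
A triage sketch for the strongSwan lines in the syslog above, added here as an example; it is not part of the original report or of any project named in it. The sample lines are copied from that log, and the `LEGACY` set and the function name `triage` are assumptions of this example.

```python
import re

# Sample input: seven strongSwan lines copied from the syslog in this report.
SAMPLE = """\
Oct 26 02:58:48 workstation5 NetworkManager[1241]: selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 26 02:58:48 workstation5 NetworkManager[1241]: local host is behind NAT, sending keep alives
Oct 26 02:58:48 workstation5 NetworkManager[1241]: generating ID_PROT request 0 [ ID HASH ]
Oct 26 02:58:48 workstation5 NetworkManager[1241]: invalid HASH_V1 payload length, decryption failed?
Oct 26 02:58:48 workstation5 NetworkManager[1241]: could not decrypt payloads
Oct 26 02:58:48 workstation5 NetworkManager[1241]: destroying IKE_SA in state CONNECTING without notification
Oct 26 02:58:48 workstation5 NetworkManager[1241]: establishing connection '1942cf95-93b1-4e74-a44a-947a46bffb5a' failed
"""

# Assumption of this example: transforms treated as legacy when triaging.
LEGACY = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}
# syslog prefix: "Oct 26 02:58:48 host NetworkManager[1241]: <message>"
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ \S+\[\d+\]: (.*)$")

def triage(text):
    """Summarise one IKEv1 attempt: proposal, NAT, last request sent, failure."""
    r = {"proposal": [], "legacy": [], "nat": False, "last_request": [],
         "decrypt_failures": 0, "failed_conn": None, "failed_stage": None}
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("selected proposal: IKE:"):
            r["proposal"] = msg.split("IKE:", 1)[1].split("/")
            r["legacy"] = [t for t in r["proposal"] if t in LEGACY]
        elif msg.startswith("local host is behind NAT"):
            r["nat"] = True
        elif (g := re.match(r"generating \S+ request \d+ \[ (.*) \]", msg)):
            r["last_request"] = g.group(1).split()
        elif msg == "could not decrypt payloads":
            r["decrypt_failures"] += 1
        elif (f := re.match(r"establishing connection '([^']+)' failed", msg)):
            r["failed_conn"] = f.group(1)
    # In IKEv1 Main Mode the ID/HASH exchange is the first encrypted one, so a
    # decrypt failure right after sending it is consistent with the peers
    # deriving different keys; with pre-shared-key auth the PSK feeds that step.
    if r["decrypt_failures"] and "HASH" in r["last_request"]:
        r["failed_stage"] = "main-mode ID/HASH (first encrypted exchange)"
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```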

description: updated
Changed in gnome-control-center:
status: Unknown → New

How is it possible that adding an additional VPN profile can corrupt an "already added and working" VPN? Which packages would be responsible for that type of corruption?

Most importantly, short of reinstalling Ubuntu 19.10, what would be a workaround that may remove this corruption?

For example, many times in the past, when I've had applications get corrupted, I could usually delete some .hiddenFolder or configuration file, and it would repair the corruption after rebooting.

Do any of you know which files would have to be deleted to get my VPN situation back to "fresh install quality" (short of actually reinstalling)?

description: updated

This doesn't fix the underlying bug, but I was able to find a workaround that repairs the corruption caused by the bug. See here:
https://askubuntu.com/a/1184070/256054

Sebastien Bacher (seb128) wrote :

Thank you for your bug report, how do you configure those? Using gnome-control-center? Do you have the same issue if you use nm-connection-editor?
It seems more likely to be an issue in n-m or in the l2tp plugin, could you report it upstream on https://github.com/nm-l2tp/NetworkManager-l2tp/issues?

Changed in gnome-control-center (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
summary: - Additional VPN Breaks First VPN
+ Additional L2TP VPN Breaks First VPN

@seb128 : By default, GNOME provides the gnome-control-center for accomplishing this in Ubuntu 19.10.

I didn't know I could still use the nm-connection-editor GUI in Ubuntu 19.10. I was simply using what GNOME provided. I'm a big fan of Unity 7, so I'm glad to see that nm-connection-editor GUI again. Thanks.

Here are the VPN related packages that I've added to the default Ubuntu 19.10 installation:
sudo apt install network-manager-l2tp network-manager-l2tp-gnome strongswan

Of these packages, Launchpad will not allow specifying these two packages:
network-manager-l2tp
network-manager-l2tp-gnome

I submitted a bug here, but couldn't associate it in the bug header above:
https://github.com/nm-l2tp/NetworkManager-l2tp/issues/112

tags: added: upgrade-software-version

The actual programmer of this module says we need to upgrade-software-version.

 1) https://gitlab.gnome.org/GNOME/gnome-control-center/issues/746#note_634394
 2) https://github.com/nm-l2tp/NetworkManager-l2tp/issues/112#issuecomment-547218557

He believes that this issue is fixed in NetworkManager-l2tp 1.2.12 and later.

Who at Ubuntu can accomplish getting this upgraded in 19.10 instead of having to wait for 20.04?

Ideally, the upgrade should just be provided via the standard Ubuntu Update GUI or CLI:
sudo apt update ; sudo apt upgrade

At this point, upstream has already addressed this bug in a later version, and it is now up to Ubuntu to upgrade the package in the repositories.

What is the likelihood that this will be upgraded in Ubuntu 19.10?

Sebastien Bacher (seb128) wrote :

You should be able to install the debs from the newest Ubuntu series for testing
https://launchpad.net/ubuntu/+source/network-manager-l2tp/1.2.14-1/+build/17969079

The new versions are not only bugfixes so might not comply for SRUing but we backport a fix

Changed in network-manager:
importance: Undecided → Unknown
status: New → Unknown
Changed in network-manager:
status: Unknown → New

I confirm that the packages provided by Douglas Kosovic's PPA work successfully:
https://github.com/nm-l2tp/NetworkManager-l2tp/issues/112#issuecomment-548593238

affects: l2tp-ipsec-vpn → ubuntu
Changed in ubuntu:
status: New → Confirmed
affects: ubuntu → network-manager-l2tp (Ubuntu)
Changed in gnome-control-center (Ubuntu):
status: Incomplete → Invalid
Changed in network-manager-l2tp (Ubuntu):
status: Confirmed → Fix Released
importance: Undecided → Low
Sebastien Bacher (seb128) wrote :

Closing then, it should be fixed in the current series. The fix can still be SRUed but the PPA package would need some change to be SRU compliant

This change
  * Ensure NM configures /etc/resolv.conf, not pppd (LP: #1778946)
references a bug that doesn't impact the package nor describe the problem in l2tp

The bug references should also be made SRU compliant (description of the impact, testcase to be able to verify the problem and the fix, regression potential section describing things that could go wrong/potential side effects of the SRU)

Changed in gnome-control-center:
status: New → Fix Released