Network-manager locks up when adding strongSwan VPN connection

Bug #872824 reported by amay82 on 2011-10-12
482
This bug affects 99 people
Affects Status Importance Assigned to Milestone
plasma-widget-networkmanagement (Ubuntu)
Critical
Mathieu Trudel-Lapierre
Oneiric
Critical
Unassigned
Precise
Critical
Unassigned
strongswan (Ubuntu)
Medium
Mathieu Trudel-Lapierre
Oneiric
Medium
Unassigned
Precise
Medium
Unassigned

Bug Description

Steps to reproduce:
1) Take fresh install
2) Install network-manager-strongswan
3) Create a new strongSwan connection in network manager
4) network-manager locks up (doesn't react anymore)

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: network-manager-strongswan 1.1.2-2build1
ProcVersionSignature: Ubuntu 3.0.0-12.19-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 1.23-0ubuntu2
Architecture: amd64
Date: Wed Oct 12 14:18:41 2011
ProcEnviron:
 LANGUAGE=de_AT:de
 PATH=(custom, no user)
 LANG=de_AT.UTF-8
 SHELL=/bin/bash
SourcePackage: network-manager-strongswan
UpgradeStatus: No upgrade log present (probably fresh install)

Luke Pascoe (luke-pascoe) wrote :

I'm having the same problem. This is a serious show stopper for me as I use VPNs extensively for work.

First I dist-upgraded from 11.04 and found I couldn't add a new VPN (The add dialog freezes immediately on clicking "Create" as described above), so I tried clearing my profile (moved /home/pest to /home/pest.old, created new /home/pest with contents from /etc/skel) but it still didn't work, then tried installing from scratch from CD and it's still not working.

In each case the network-manager process does not respond to "kill" but can be killed with -9. Load does not increase noticeably, so it does not appear to be stuck in a loop or anything.

Doesn't seem to matter if it's 32 or 64 bit. Dist-upgrade was 32 bit, reinstall was 64 bit, symptoms were identical.

Note: This is all in a VirtualBox VM (not that it should matter in this case)

Luke.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-strongswan (Ubuntu):
status: New → Confirmed
Martin Willi (martinwilli) wrote :

The strongSwan plugin to NetworkManager is not compatible to NM 0.9. But I've published a new release 1.3 at http://download.strongswan.org/NetworkManager/ that updates the plugin for NM 0.9. Debian upload is still pending.

Unfortunately, the new NetworkManager also breaks compatibility with strongSwan itself, and we can't fix it from our end (see: http://mail.gnome.org/archives/networkmanager-list/2011-September/msg00037.html).

Matthias Niess (mniess) wrote :

Shouldn't we make sure this lands in precise?

Stéphane Graber (stgraber) wrote :

From the duplicate I just filled on an up to date 12.04 install:
stgraber@castiana:~$ nm-connection-editor
** WARNING **: Invalid setting VPN: remote
** WARNING **: Invalid setting VPN: remote
** WARNING **: Invalid setting VPN: remote
GLib-GObject-WARNING **: cannot register existing type `GtkWidget'
GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion `G_TYPE_IS_INSTANTIATABLE (instance_type)' failed
GLib-GObject-WARNING **: cannot register existing type `GtkBuildable'
GLib-GObject-CRITICAL **: g_type_interface_add_prerequisite: assertion `G_TYPE_IS_INTERFACE (interface_type)' failed
GLib-CRITICAL **: g_once_init_leave: assertion `result != 0' failed
GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion `G_TYPE_IS_INSTANTIATABLE (instance_type)' failed
GLib-GObject-CRITICAL **: g_type_register_static: assertion `parent_type > 0' failed
GLib-CRITICAL **: g_once_init_leave: assertion `result != 0' failed
GLib-GObject-CRITICAL **: g_type_register_static: assertion `parent_type > 0' failed
GLib-CRITICAL **: g_once_init_leave: assertion `result != 0' failed
GLib-GObject-CRITICAL **: g_type_get_qdata: assertion `node != NULL' failed
GLib-GObject-CRITICAL **: g_type_set_qdata: assertion `node != NULL' failed
GLib-GObject-CRITICAL **: g_type_get_qdata: assertion `node != NULL' failed
GLib-GObject-CRITICAL **: g_type_get_qdata: assertion `node != NULL' failed
GLib-GObject-CRITICAL **: g_type_set_qdata: assertion `node != NULL' failed
GLib-GObject-CRITICAL **: g_type_get_qdata: assertion `node != NULL' failed
GLib-GObject-WARNING **: cannot register existing type `GtkWidget'
GLib-GObject-CRITICAL **: g_type_add_interface_static: assertion `G_TYPE_IS_INSTANTIATABLE (instance_type)' failed

That's when opening nm-connection-editor and trying to add a strongswan IPSEC VPN, I confirmed that selecting another VPN type doesn't freeze the UI.

Justin Warkentin (xaz0r) wrote :

So is anybody on this? Will we see a fix anytime soon? It's a frustrating issue.

Whoopie (whoopie79) wrote :

Updated network-manager-strongswan 1.3.0 can be found in my testing PPA.

Whoopie (whoopie79) wrote :

@Martin: what's the status on your patch for NM? (http://article.gmane.org/gmane.linux.network.networkmanager.devel/19363)

Martin Willi (martinwilli) wrote :

The patch is more a work-around than a clean solution for the probem, and Dan of course prefers the second.

I myself currently don't have the expertise and time to implement one of the discusses approaches.

In the short term, we could integrate the patch into the Ubuntu build, but of course a long term solution is preferable.

Thomas (t.c) wrote :

Still present on stable precise :(

tags: added: apport-collected precise

ApportVersion: 2.0.1-0ubuntu6
Architecture: i386
DistroRelease: Ubuntu 12.04
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Alpha i386 (20120201.1)
Package: network-manager-strongswan 1.1.2-2build1
PackageArchitecture: i386
ProcEnviron:
 TERM=xterm
 PATH=(custom, user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
Tags: precise
Uname: Linux 3.4.0-030400rc4-generic-pae i686
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo

apport information

Changed in network-manager-strongswan (Ubuntu):
importance: Undecided → Critical
status: Confirmed → Triaged

Hello,
I'm confirming this bug as well. Have we got any ETA for the resolution?

Thanks

Peter Matulis (petermatulis) wrote :

Setting to 'Confirmed' due to many users being affected.

Changed in network-manager-strongswan (Ubuntu):
status: Triaged → Confirmed
Stéphane Graber (stgraber) wrote :

Reverting to Triaged, please don't move bugs from Triaged to Confirmed.
The standard bug workflow is: New (when reported) => Confirmed (when affects > 1 person) => Triaged (when checked by a bug supervisor)

Changed in network-manager-strongswan (Ubuntu):
status: Confirmed → Triaged
Lisandro Laura (llaura-ippm) wrote :

I am getting the same as Stéphane Graber (stgraber) wrote on 2012-03-07 on Ubuntu 12.04 x64

René (0k5-rene-f83) wrote :

I am getting the same as Stéphane Graber (stgraber) wrote on 2012-03-07 on Ubuntu 12.04 32bit.

Chris J Arges (arges) on 2012-06-14
Changed in network-manager-strongswan (Ubuntu Precise):
milestone: none → ubuntu-12.04.1
importance: Undecided → Critical
status: New → Confirmed
status: Confirmed → Triaged
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-strongswan (Ubuntu Oneiric):
status: New → Confirmed
Changed in network-manager-strongswan (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)

Martin's patch would need major revisions to be applied on top of the current network-manager package in Quantal. Also, I'm certain there's an easier way to do this than to change how the VPN data is being applied.

Shouldn't a VPN plugin be able to simply pass, for example, the actual device over which the VPN connection is established as TUNDEV rather than a tun device?

Changed in network-manager-strongswan (Ubuntu):
status: In Progress → Triaged
Martin Willi (martinwilli) wrote :

> Shouldn't a VPN plugin be able to simply pass, for example, the actual device over which the VPN connection is established as TUNDEV rather than a tun device?

No, this doesn't seem to work, as NM does some changes to that interface, breaking things completely.

Passing "lo" seems to work, though. You may try the attached (second) patch (against strongSwan itself, version 4.5.2). The first patch fixes another issue that we fixed some time ago upstream.

While this might work as a work-around for now, I don't think this is an ideal solution. For the long term, we have our own tundev based backend in the pipeline that should work much better with NM.

Martin Willi (martinwilli) wrote :

Here the actual fix that passes "lo" as faked tundev.

The attachment "0001-Fix-initialization-of-NM-plugin.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in network-manager-strongswan (Ubuntu Precise):
milestone: ubuntu-12.04.1 → precise-updates

Rock on; thanks Martin. I was expecting to work on this myself, but hadn't gotten around to it yet. I'll test and upload this hopefully today (to the development release, with n-m-strongswan 1.3.0)

For precise, it might need more work but I'll see what can be done about pushing 1.3.0 as well.

Since the patches are against strongswan itself, I'm opening the strongswan bug tasks as well, and I'll close them as I upload the patch.

Changed in strongswan (Ubuntu):
status: New → Triaged
Changed in strongswan (Ubuntu Oneiric):
status: New → Triaged
Changed in strongswan (Ubuntu Precise):
status: New → Triaged
Changed in network-manager-strongswan (Ubuntu Oneiric):
status: Confirmed → Triaged
importance: Undecided → Critical
Changed in strongswan (Ubuntu):
importance: Undecided → Medium
Changed in strongswan (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in strongswan (Ubuntu Precise):
importance: Undecided → Medium
Changed in network-manager-strongswan (Ubuntu):
status: Triaged → In Progress
Changed in strongswan (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager-strongswan - 1.3.0-0ubuntu1

---------------
network-manager-strongswan (1.3.0-0ubuntu1) quantal; urgency=low

  [ Martin Willi ]
  * New upstream release, support for NetworkManager 0.9 (Closes: #639400)

  [ Mathieu Trudel-Lapierre ]
  * Update to 1.3.0 fixes lockups and NM 0.9 compatibility. (LP: #872824)
 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 20 Jun 2012 15:20:12 -0400

Changed in network-manager-strongswan (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 4.5.2-1.5ubuntu2

---------------
strongswan (4.5.2-1.5ubuntu2) quantal; urgency=low

  * debian/patches/0001-Fix-initialization-of-NM-plugin.patch,
    debian/patches/0002-Pass-lo-as-faked-tundev-to-NM-as-it-now-needs-a-vali.patch:
    Apply two patches from Martin Willi to fix the initialization of the
    NetworkManager plugin and allow it to be passed a "fake" tun device as
    'lo' so that the VPN can be properly brought up. (LP: #872824)
 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 29 Jun 2012 08:57:25 -0400

Changed in strongswan (Ubuntu):
status: In Progress → Fix Released

Packages are uploaded to the development release, but it looks like it will take a few hours to build.

bettlebrox (micktimony) wrote :

If you need someone to test the package let me know.

Cheers
Mick

Morticah (dha-morticah) wrote :

So package is in Quetzal. Can we expect it to get into Pangolin as it is LTS.

Adam Stokes (adam-stokes) wrote :

Was anyone able to verify if the Quantal package fixed the UI issue?

Thanks
Adam

Morticah (dha-morticah) wrote :

I installed the new libstrongswan-4.5.1-1.5ubuntu2, strongswan-ikev2-4.5.1-1.5ubuntu2, strongswan-nm-4.5.1-1.5ubuntu2 and network-manager-strongswan-1.3.0-0ubuntu1 in a amd64 Precise.
So far it works.
You can configure a strongswan-ikev2 connection, it connects to the server and starts the tunnel.

What doesn't work is if my privateKey is encrypted. Then I get a secrets_IDX < SECRETS_REQ_LAST error.
But this could be plugin-independent as there is a report of the same error for the vpnc-Client: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1026395. So this could be a network-manager bug unrelated to the new strongswan package.

Morticah (dha-morticah) wrote :

Ok we just verified that the problem with encrypted privat keys is an other NM bug. SuSE has the same problem.
So I would say the network-manager-strongswan patch works.

Adam Stokes (adam-stokes) wrote :

Thanks Morticah, I'll get some packages built for precise and see if we can't get them tested and sponsored.

Thanks again,
Adam

Changed in strongswan (Ubuntu Precise):
milestone: none → ubuntu-12.04.2
Andreas Wirth (adwy-nd) wrote :

Hi @all,

just one question, is it possible to get the fixed packages also for the precise release?

It'll be wonderful, then I really need it for my current project.

(I managed a permanent IPCop2.x-to Fritzbox7390-IPSec-net-to-net-connection that was not so easy to realize, but I can't get my own laptop to build up a IPSec-based roadwarrior connection, which is really annoying.)

best regards,
Andreas

Still not fixed in Precise Pangolin

Mark Dammer (mark-dammer) wrote :

I just experienced the problem discussed here and I am waiting for a Precise package.

It seems that solution described here:
http://ubuntuforums.org/showthread.php?t=1874132

perhaps i resolve it! the strongswan plugin is not compile with support for gtk3 so i recompile from source and it start!
you find a guide here (http://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager). you must install some libraries (as explained in the guide, and install libnm-glib-vpn-dev library) and recopile and install only network manager plugin!

Michael L. Gantz (gantzm) wrote :

Relatively new to Ubuntu (not linux) so sorry if this is a silly question. How do I get the updated packages for Precise?

Bruno Medeiros (brunojcm) wrote :

Any news about precise release?

CDGSThermi (e-noel) wrote :

Would be nice to get an update on this, guys.

It would be extremely nice if someone would make an update about the Precise situation. This is a very major bug for an LTS, and the last update was in September. 12.10 works like a charm but I'm willing to deploy strongswan IPSEC vpn and this is blocking me from using ubuntu 12.04 for clients.

Please at least explain what's blocking the fix to land in Precise. Adam in comment #34 said " I'll get some packages built for precise and see if we can't get them tested and sponsored.". Well I'm more then happy to test them, but I wonder what does he mean with sponsored.

Cheers

Colin Watson (cjwatson) on 2013-02-13
Changed in strongswan (Ubuntu Precise):
milestone: ubuntu-12.04.2 → ubuntu-12.04.3

Excerpts from Enrico Tagliavini's message of 2013-02-12 16:02:35 UTC:
> It would be extremely nice if someone would make an update about the
> Precise situation. This is a very major bug for an LTS, and the last
> update was in September. 12.10 works like a charm but I'm willing to
> deploy strongswan IPSEC vpn and this is blocking me from using ubuntu
> 12.04 for clients.
>
> Please at least explain what's blocking the fix to land in Precise. Adam
> in comment #34 said " I'll get some packages built for precise and see
> if we can't get them tested and sponsored.". Well I'm more then happy to
> test them, but I wonder what does he mean with sponsored.

Hi Enrico. You may not realize this, but StrongSWAN is not supported
officially by the Ubuntu project. It is part of the "universe" component
which is a best-effort by the community to bring most of what is in
Debian but not in Ubuntu's main archive to Ubuntu users. Often Canonical
employees (who are members of the community too) are able to spend
some time on these packages, but it is lower in priority to supporting
seeded/main packages.

If this is costing you money, you may want to think about hiring a
consultant to fix this in Ubuntu. I'm sure Canonical's support would be
willing to fix it for a fee.

Hi Clint
   thank you for your answer. I'm used to Ubuntu, so I was aware it was community supported, but now it is more clear what "sponsored" means.

The point is not the money, it is not costing me money.... at most it cost me time, but I'm paid for this so....

William Benoit (wgb9652) on 2013-05-05
affects: network-manager-strongswan (Ubuntu) → plasma-widget-networkmanagement (Ubuntu)
Henrik Holmboe (holmboe) wrote :
Download full text (5.3 KiB)

I am seeing this bug. Should it have been fixed in 12.04.3? Because it seems it is not.

I have not used this package before so this was a fresh install of the package:

root@wink:/etc/NetworkManager/system-connections $ apt-get install network-manager-strongswan
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ipsec-tools libbonoboui2-0 libbonoboui2-common libfcgi0ldbl libglade2-0 libgnomecanvas2-0 libgnomecanvas2-common
  libgnomeui-0 libgnomeui-common libstrongswan strongswan-ikev2 strongswan-nm
The following NEW packages will be installed
  ipsec-tools libbonoboui2-0 libbonoboui2-common libfcgi0ldbl libglade2-0 libgnomecanvas2-0 libgnomecanvas2-common
  libgnomeui-0 libgnomeui-common libstrongswan network-manager-strongswan strongswan-ikev2 strongswan-nm
0 upgraded, 13 newly installed, 0 to remove and 1 not upgraded.
Need to get 1 842 kB of archives.
After this operation, 5 828 kB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://se.archive.ubuntu.com/ubuntu/ precise-updates/main libglade2-0 amd64 1:2.6.4-1ubuntu1.1 [53,0 kB]
Get:2 http://se.archive.ubuntu.com/ubuntu/ precise-updates/main libgnomecanvas2-common all 2.30.3-1ubuntu1.1 [9 120 B]
Get:3 http://se.archive.ubuntu.com/ubuntu/ precise-updates/main libgnomecanvas2-0 amd64 2.30.3-1ubuntu1.1 [101 kB]
Get:4 http://se.archive.ubuntu.com/ubuntu/ precise-updates/main libbonoboui2-common all 2.24.5-0ubuntu1.1 [11,7 kB]
Get:5 http://se.archive.ubuntu.com/ubuntu/ precise-updates/main libbonoboui2-0 amd64 2.24.5-0ubuntu1.1 [189 kB]
Get:6 http://se.archive.ubuntu.com/ubuntu/ precise/main libgnomeui-common all 2.24.5-2ubuntu2 [16,5 kB]
Get:7 http://se.archive.ubuntu.com/ubuntu/ precise/main libgnomeui-0 amd64 2.24.5-2ubuntu2 [257 kB]
Get:8 http://se.archive.ubuntu.com/ubuntu/ precise/universe libfcgi0ldbl amd64 2.4.0-8.1 [283 kB]
Get:9 http://se.archive.ubuntu.com/ubuntu/ precise/universe libstrongswan amd64 4.5.2-1.2 [471 kB]
Get:10 http://se.archive.ubuntu.com/ubuntu/ precise/universe strongswan-nm amd64 4.5.2-1.2 [20,8 kB]
Get:11 http://se.archive.ubuntu.com/ubuntu/ precise/main ipsec-tools amd64 1:0.8.0-9ubuntu1 [71,6 kB]
Get:12 http://se.archive.ubuntu.com/ubuntu/ precise/universe strongswan-ikev2 amd64 4.5.2-1.2 [340 kB]
Get:13 http://se.archive.ubuntu.com/ubuntu/ precise/universe network-manager-strongswan amd64 1.1.2-2build1 [17,6 kB]
Fetched 1 842 kB in 2s (630 kB/s)
Selecting previously unselected package libglade2-0.
(Reading database ... 407219 files and directories currently installed.)
Unpacking libglade2-0 (from .../libglade2-0_1%3a2.6.4-1ubuntu1.1_amd64.deb) ...
Selecting previously unselected package libgnomecanvas2-common.
Unpacking libgnomecanvas2-common (from .../libgnomecanvas2-common_2.30.3-1ubuntu1.1_all.deb) ...
Selecting previously unselected package libgnomecanvas2-0.
Unpacking libgnomecanvas2-0 (from .../libgnomecanvas2-0_2.30.3-1ubuntu1.1_amd64.deb) ...
Selecting previously unselected package libbonoboui2-common.
Unpacking libbonoboui2-common (from .../libbonoboui2-common_2.24.5-0ubuntu1.1_all.deb) ...
Selecting previous...

Read more...

Tom Metro (tmetro+ubuntu) wrote :

Here are the steps to install the 12.10 binaries on 12.04:

% wget http://launchpadlibrarian.net/108979339/network-manager-strongswan_1.3.0-0ubuntu1_amd64.deb
% wget http://launchpadlibrarian.net/108979332/strongswan-nm_4.5.2-1.5ubuntu2_amd64.deb
% wget http://launchpadlibrarian.net/108979331/strongswan-ikev2_4.5.2-1.5ubuntu2_amd64.deb
% wget http://launchpadlibrarian.net/108979327/libstrongswan_4.5.2-1.5ubuntu2_amd64.deb
% sudo dpkg -i libstrongswan_4.5.2-1.5ubuntu2_amd64.deb
% sudo dpkg -i strongswan-ikev2_4.5.2-1.5ubuntu2_amd64.deb
% sudo dpkg -i strongswan-nm_4.5.2-1.5ubuntu2_amd64.deb
% sudo dpkg -i network-manager-strongswan_1.3.0-0ubuntu1_amd64.deb

I can confirm this gets you past the hang and lets the config dialog appear. I can't confirm that strongswan itself is functional, as the other end of the connection I'm testing requires a pre-shared key, and the strongswan wiki[1] page on the Network Manager plugin notes that, "PSK is not supported, as it is considered insecure if the secrets are not strong enough." (So PSK is supported by strongswan (as documented elsewhere), just not by the Network Manager plugin. Thanks for the value judgment.)

1. http://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager

Reinstalling openswan.

 -Tom

Rolf Leggewie (r0lf) wrote :

oneiric has seen the end of its life and is no longer receiving any updates. Marking the oneiric task for this ticket as "Won't Fix".

Changed in plasma-widget-networkmanagement (Ubuntu Oneiric):
status: Triaged → Won't Fix
Rolf Leggewie (r0lf) on 2014-12-03
Changed in strongswan (Ubuntu Oneiric):
status: Triaged → Won't Fix
Richard Laager (rlaager) wrote :

I'm running Precise. The 'Pass "lo" as faked tundev to NM' patch results in Network Manager setting a 172.16.X.X IP on "lo" on VPN connect. Since this replaces 127.0.0.1, other software breaks. Then, on VPN disconnection, Network Manager takes "lo" down.

This can be trivially confirmed by running "ifconfig lo" before doing anything, after connecting a VPN, and again after disconnecting the VPN. Can someone on Trusty or higher test this?

Things work great if I change it to use "dummy0", but that requires configuring a dummy0 interface, so that's not a usable solution for the package. Has anyone looked into just fixing Network Manager to not require an interface?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers