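I am trying to connect to a VPN using L2TP and strongSwan. Reading the logs obtained from journalctl -f -u NetworkManager, it looks like I do get a connection to the VPN. It just crashes somewhere, and I can't tell exactly where that happens. Here is the log: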
NetworkManager[772]: [1568791368.4794] audit: op="connection-activate" uuid="9ec1ad72-bf05-4576-a623-22605eeeb1f7" name="VPN 1" pid=2599 uid=1000 result="success"
NetworkManager[772]: [1568791368.4861] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: Started the VPN service, PID 14422
NetworkManager[772]: [1568791368.4929] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: Saw the service appear; activating connection
NetworkManager[772]: [1568791368.5593] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: VPN connection: (ConnectInteractive) reply received
nm-l2tp-service[14422]: Check port 1701
Sep 18 09:22:48 floris-XPS-13-9360 NetworkManager[772]: Stopping strongSwan IPsec failed: starter is not running
NetworkManager[772]: Starting strongSwan 5.6.2 IPsec [starter]...
NetworkManager[772]: Loading config setup
NetworkManager[772]: Loading conn '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
ipsec_starter[14439]: Starting strongSwan 5.6.2 IPsec [starter]...
ipsec_starter[14439]: Loading config setup
ipsec_starter[14439]: Loading conn '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
NetworkManager[772]: found netkey IPsec stack
ipsec_starter[14439]: found netkey IPsec stack
ipsec_starter[14460]: Attempting to start charon...
charon[14461]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-27-generic, x86_64)
charon[14461]: 00[CFG] PKCS11 module '' lacks library path
charon[14461]: 00[CFG] disabling load-tester plugin, not configured
charon[14461]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
charon[14461]: 00[CFG] dnscert plugin is disabled
charon[14461]: 00[CFG] ipseckey plugin is disabled
charon[14461]: 00[CFG] attr-sql plugin: database URI not set
charon[14461]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon[14461]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon[14461]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon[14461]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon[14461]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
charon[14461]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon[14461]: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-9ec1ad72-bf05-4576-a623-22605eeeb1f7.secrets'
charon[14461]: 00[CFG] loaded IKE secret for %any
charon[14461]: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-a168f087-5f2b-42c2-949a-dd18c8af1217.secrets'
charon[14461]: 00[CFG] loaded IKE secret for %any
charon[14461]: 00[CFG] sql plugin: database URI not set
charon[14461]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
charon[14461]: 00[CFG] eap-simaka-sql database URI missing
charon[14461]: 00[CFG] loaded 0 RADIUS server configurations
charon[14461]: 00[CFG] HA config misses local/remote address
charon[14461]: 00[CFG] no threshold configured for systime-fix, disabled
charon[14461]: 00[CFG] coupling file path unspecified
charon[14461]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
charon[14461]: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon[14461]: 00[JOB] spawning 16 worker threads
ipsec_starter[14460]: charon (14461) started after 40 ms
charon[14461]: 05[CFG] received stroke: add connection '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
charon[14461]: 05[CFG] algorithm 'ecp_384' not recognized
charon[14461]: 05[CFG] skipped invalid proposal string: aes256-sha1-ecp_384
charon[14461]: 10[CFG] rereading secrets
charon[14461]: 10[CFG] loading secrets from '/etc/ipsec.secrets'
charon[14461]: 10[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-9ec1ad72-bf05-4576-a623-22605eeeb1f7.secrets'
charon[14461]: 10[CFG] loaded IKE secret for %any
charon[14461]: 10[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-a168f087-5f2b-42c2-949a-dd18c8af1217.secrets'
charon[14461]: 10[CFG] loaded IKE secret for %any
charon[14461]: 13[CFG] received stroke: initiate '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
charon[14461]: 13[CFG] no config named '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
NetworkManager[772]: no config named '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
NetworkManager[772]: Stopping strongSwan IPsec...
charon[14461]: 00[DMN] signal of type SIGINT received. Shutting down
ipsec_starter[14460]: child 14461 (charon) has quit (exit code 0)
ipsec_starter[14460]: ipsec_starter[14460]: charon stopped after 200 ms
ipsec_starter[14460]: ipsec starter stopped
nm-l2tp-service[14422]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
NetworkManager[772]: [1568791372.0377] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: VPN plugin: state changed: stopped (6)
NetworkManager[772]: [1568791372.0476] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: VPN service disappeared
NetworkManager[772]: [1568791372.0524] vpn-connection[0x559cbd21a730,9ec1ad72-bf05-4576-a623-22605eeeb1f7,"VPN 1",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
I don't see a clear warning or statement explaining why it failed. Am I missing something?
Posted on 2019-11-07 11:10:23
The ecp_384 not recognised error occurs because strongswan uses ecp384, see:
You also seem to have two PSK files; I recommend deleting them, as the wrong PSK might be used.
sudo rm /etc/ipsec.d/nm-l2tp-ipsec-9ec1ad72-bf05-4576-a623-22605eeeb1f7.secrets -f
sudo rm /etc/ipsec.d/nm-l2tp-ipsec-a168f087-5f2b-42c2-949a-dd18c8af1217.secrets -f
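I recommend upgrading to network-manager-l2tp 1.2.16 from this PPA, which has a backport from Debian sid:
It fixes the issue of the PSK /etc/ipsec.d/nm-l2tp-ipsec-*.secrets files not being deleted and the wrong PSK being used. You also don't need to enter anything for the phase 1 and phase 2 algorithms, as it uses a merge of the proposals from the Win 10 and macOS/iOS/iPadOS L2TP/IPsec clients and no longer uses the libreswan or strongswan default proposal sets.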
https://askubuntu.com/questions/1174945
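An added example, not part of the original question or answer: a small Python triage of the charon lines quoted in the question. It pairs the unrecognized algorithm and skipped proposal with the later "no config named" message, and flags more than one secrets file supplying a PSK for %any. The function name, the result keys and the embedded sample (lines copied from the log above) are constructed for illustration.

```python
import re

# Constructed sample: charon lines copied from the log in the question above.
SAMPLE = """\
charon[14461]: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-9ec1ad72-bf05-4576-a623-22605eeeb1f7.secrets'
charon[14461]: 00[CFG] loaded IKE secret for %any
charon[14461]: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-a168f087-5f2b-42c2-949a-dd18c8af1217.secrets'
charon[14461]: 00[CFG] loaded IKE secret for %any
charon[14461]: 05[CFG] received stroke: add connection '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
charon[14461]: 05[CFG] algorithm 'ecp_384' not recognized
charon[14461]: 05[CFG] skipped invalid proposal string: aes256-sha1-ecp_384
charon[14461]: 13[CFG] received stroke: initiate '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
charon[14461]: 13[CFG] no config named '9ec1ad72-bf05-4576-a623-22605eeeb1f7'
""".splitlines()

PATTERNS = {
    "secrets_file": re.compile(r"loading secrets from '([^']+)'"),
    "any_secret": re.compile(r"loaded IKE secret for %any"),
    "added": re.compile(r"received stroke: add connection '([^']+)'"),
    "bad_alg": re.compile(r"algorithm '([^']+)' not recognized"),
    "skipped": re.compile(r"skipped invalid proposal string: (\S+)"),
    "no_config": re.compile(r"no config named '([^']+)'"),
}

def triage(lines):
    """Collect the charon messages that explain a silent nm-l2tp failure."""
    out = {"bad_algs": [], "skipped": [], "rejected_conns": [], "any_psk_files": []}
    added, last_file = set(), None
    for line in lines:
        hit = {k: p.search(line) for k, p in PATTERNS.items()}
        if hit["secrets_file"]:
            last_file = hit["secrets_file"].group(1)
        elif hit["any_secret"] and last_file and last_file not in out["any_psk_files"]:
            out["any_psk_files"].append(last_file)
        elif hit["added"]:
            added.add(hit["added"].group(1))
        elif hit["bad_alg"]:
            out["bad_algs"].append(hit["bad_alg"].group(1))
        elif hit["skipped"]:
            out["skipped"].append(hit["skipped"].group(1))
        elif hit["no_config"] and hit["no_config"].group(1) in added:
            out["rejected_conns"].append(hit["no_config"].group(1))
    # More than one file supplying a PSK for %any makes the PSK choice ambiguous.
    out["ambiguous_psk"] = len(out["any_psk_files"]) > 1
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding it the full journal output works as well, since each secrets file is counted once even though charon rereads the secrets.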