Is there any way to get an error log for a failed VPN connection attempt? All I get is this notification and I have no idea where to go from there.
asked Dec 3, 2010 at 23:05
Olivier Lalonde
Log is written to /var/log/syslog.
Open gnome-terminal and do sudo tail -f /var/log/syslog
This will follow the file (prints new log messages to the terminal).
Now try to connect to the VPN; the messages will then start showing in the terminal.
When you are done following the log, just press Ctrl+C to quit tail.
One can add markers to the log by opening another terminal and doing something like this:
logger "............... Starting VPN... "
answered Feb 6, 2013 at 19:17
1
The new (systemd-)variant to get the logs is
journalctl -u NetworkManager.service
answered Jan 22, 2016 at 9:49
1
In Fedora and other systemd distros that do not have /var/log/syslog, the VPN logs can be accessed with «sudo journalctl -f».
-f is for follow.
answered Dec 3, 2014 at 14:38
Ray Foss
1
What kind of VPN are you trying to establish?
Is it PPTP (Microsoft proprietary) or Cisco-compatible?
The easiest way would be for you to run pptp (for PPTP) or vpnc (for Cisco) from a console and see the possible errors interactively.
I think that vpnc is quite straightforward, you just need to type in the necessary info (gateway IP, group name/pass, user name/pass).
I haven’t actually used a PPTP VPN, but some info about setting it up can be found here at cyberciti.
answered Dec 4, 2010 at 5:22
Pavlos G.
0
Open the Advanced options, and tick Use a TCP connection.
That fixed it for me. Ubuntu 14.04 LTS, OpenVPN.
answered Nov 14, 2015 at 23:58
Try enabling «Advanced» -> «Use Point to Point Encryption (MPPE)», this worked for me.
answered Jul 28, 2019 at 9:10
I can confirm the problem on Ubuntu 14.04 LTS.
I would add that if you launch the VPN manually with the following command, it works, at least for me:
sudo vpnc --domain "" --local-port 0 --enable-1des mypcffile
answered Jan 20, 2015 at 7:37
The problem is as follows: in my dorm the only internet available is the one provided by the university, and you can only connect to it through a VPN. On Windows everything works fine, but on Ubuntu the connection just will not establish.
I create a new connection through Network Manager:
Then I enter the login the university gave me and the server name. I leave the password out so as to enter it when connecting; I read on Google that otherwise it will not work at all:
The advanced settings are as follows:
As a result, when connecting I get a message that the connection was dropped because the VPN service was stopped.
Here are the logs. I tried establishing the connection both with Wi-Fi connected (tethered from my phone) and without; the information in the logs differs between the two, but I cannot work out on my own what is wrong.
Without Wi-Fi:
Nov 25 17:24:11 dicobi NetworkManager[936]: <info> [1543141451.2162] audit: op="connection-activate" uuid="eb5caaec-41f0-44a8-b35d-70f7f7622e5f" name="VPN_TSU" pid=2062 uid=1000 result="success"
Nov 25 17:24:11 dicobi NetworkManager[936]: <info> [1543141451.2207] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: Started the VPN service, PID 5227
Nov 25 17:24:11 dicobi NetworkManager[936]: <info> [1543141451.2294] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: Saw the service appear; activating connection
Nov 25 17:24:11 dicobi gnome-session[1852]: Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
Nov 25 17:24:18 dicobi NetworkManager[936]: <info> [1543141458.8835] keyfile: update /etc/NetworkManager/system-connections/VPN_TSU (eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU")
Nov 25 17:24:18 dicobi NetworkManager[936]: <info> [1543141458.8918] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: VPN connection: (ConnectInteractive) reply received
Nov 25 17:24:18 dicobi NetworkManager[936]: <warn> [1543141458.8958] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: VPN connection: failed to connect: 'не удалось найти IP-адрес шлюза PPTP VPN «vpdn.tsu.ru» (-3)'
Nov 25 17:24:18 dicobi NetworkManager[936]: <info> [1543141458.8974] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: VPN plugin: state changed: stopped (6)
Nov 25 17:24:18 dicobi NetworkManager[936]: <info> [1543141458.8985] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: VPN service disappeared
With Wi-Fi:
Nov 25 17:26:43 dicobi NetworkManager[936]: <info> [1543141603.4339] audit: op="connection-activate" uuid="eb5caaec-41f0-44a8-b35d-70f7f7622e5f" name="VPN_TSU" pid=2062 uid=1000 result="success"
Nov 25 17:26:43 dicobi NetworkManager[936]: <info> [1543141603.4380] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: Started the VPN service, PID 5400
Nov 25 17:26:43 dicobi NetworkManager[936]: <info> [1543141603.4467] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: Saw the service appear; activating connection
Nov 25 17:26:43 dicobi gnome-session[1852]: Gtk-Message: GtkDialog mapped without a transient parent. This is discouraged.
Nov 25 17:26:49 dicobi NetworkManager[936]: <info> [1543141609.4287] keyfile: update /etc/NetworkManager/system-connections/VPN_TSU (eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU")
Nov 25 17:26:49 dicobi NetworkManager[936]: <info> [1543141609.4378] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: VPN connection: (ConnectInteractive) reply received
Nov 25 17:26:49 dicobi NetworkManager[936]: ** Message: pppd started with pid 5417
Nov 25 17:26:49 dicobi NetworkManager[936]: <info> [1543141609.4489] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: VPN plugin: state changed: starting (3)
Nov 25 17:26:49 dicobi pppd[5417]: Plugin /usr/lib/pppd/2.4.7/nm-pptp-pppd-plugin.so loaded.
Nov 25 17:26:49 dicobi NetworkManager[936]: Plugin /usr/lib/pppd/2.4.7/nm-pptp-pppd-plugin.so loaded.
Nov 25 17:26:49 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (plugin_init): initializing
Nov 25 17:26:49 dicobi pppd[5417]: pppd 2.4.7 started by root, uid 0
Nov 25 17:26:49 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection'
Nov 25 17:26:49 dicobi pppd[5417]: Using interface ppp0
Nov 25 17:26:49 dicobi NetworkManager[936]: nm_device_get_device_type: assertion 'NM_IS_DEVICE (self)' failed
Nov 25 17:26:49 dicobi NetworkManager[936]: Using interface ppp0
Nov 25 17:26:49 dicobi NetworkManager[936]: Connect: ppp0 <--> /dev/pts/7
Nov 25 17:26:49 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
Nov 25 17:26:49 dicobi pppd[5417]: Connect: ppp0 <--> /dev/pts/7
Nov 25 17:26:49 dicobi NetworkManager[936]: <info> [1543141609.4602] manager: (ppp0): new Generic device (/org/freedesktop/NetworkManager/Devices/12)
Nov 25 17:26:49 dicobi pptp[5423]: nm-pptp-service-5400 log[main:pptp.c:350]: The synchronous pptp option is NOT activated
Nov 25 17:26:49 dicobi NetworkManager[936]: <info> [1543141609.4697] devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Nov 25 17:26:49 dicobi NetworkManager[936]: <info> [1543141609.4706] device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
Nov 25 17:26:49 dicobi pptp[5435]: nm-pptp-service-5400 log[ctrlp_rep:pptp_ctrl.c:259]: Sent control packet type is 1 'Start-Control-Connection-Request'
Nov 25 17:26:49 dicobi pptp[5435]: nm-pptp-service-5400 log[ctrlp_disp:pptp_ctrl.c:781]: Received Start Control Connection Reply
Nov 25 17:26:49 dicobi pptp[5435]: nm-pptp-service-5400 log[ctrlp_disp:pptp_ctrl.c:815]: Client connection established.
Nov 25 17:26:50 dicobi pptp[5435]: nm-pptp-service-5400 log[ctrlp_rep:pptp_ctrl.c:259]: Sent control packet type is 7 'Outgoing-Call-Request'
Nov 25 17:26:50 dicobi pptp[5435]: nm-pptp-service-5400 log[ctrlp_disp:pptp_ctrl.c:900]: Received Outgoing Call Reply.
Nov 25 17:26:50 dicobi pptp[5435]: nm-pptp-service-5400 log[ctrlp_disp:pptp_ctrl.c:939]: Outgoing call established (call ID 10129, peer's call ID 17426).
Nov 25 17:26:50 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 6 / phase 'authenticate'
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (get_credentials): passwd-hook, requesting credentials...
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (get_credentials): got credentials from NetworkManager-pptp
Nov 25 17:26:51 dicobi pppd[5417]: CHAP authentication succeeded
Nov 25 17:26:51 dicobi NetworkManager[936]: CHAP authentication succeeded
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 8 / phase 'network'
Nov 25 17:26:51 dicobi pppd[5417]: MPPE required but peer negotiation failed
Nov 25 17:26:51 dicobi NetworkManager[936]: MPPE required but peer negotiation failed
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 10 / phase 'terminate'
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
Nov 25 17:26:51 dicobi NetworkManager[936]: Connection terminated.
Nov 25 17:26:51 dicobi pppd[5417]: Connection terminated.
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: Terminated ppp daemon with PID 5417.
Nov 25 17:26:51 dicobi NetworkManager[936]: <warn> [1543141611.5554] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: VPN plugin: failed: connect-failed (1)
Nov 25 17:26:51 dicobi NetworkManager[936]: <info> [1543141611.5555] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: VPN plugin: state changed: stopping (5)
Nov 25 17:26:51 dicobi NetworkManager[936]: <error> [1543141611.5568] platform-linux: do-change-link[13]: failure changing link: failure 19 (Нет такого устройства)
Nov 25 17:26:51 dicobi NetworkManager[936]: <warn> [1543141611.5568] device (ppp0): failed to disable userspace IPv6LL address handling
Nov 25 17:26:51 dicobi NetworkManager[936]: <info> [1543141611.5575] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: VPN service disappeared
Nov 25 17:26:51 dicobi NetworkManager[936]: <info> [1543141611.5653] devices removed (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 1 / phase 'dead'
Nov 25 17:26:51 dicobi NetworkManager[936]: Child process /usr/sbin/pptp 82.200.70.12 --nolaunchpppd --loglevel 0 --logstring nm-pptp-service-5400 (pid 5420) terminated with signal 15
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_exit_notify): cleaning up
Nov 25 17:26:51 dicobi pppd[5417]: Child process /usr/sbin/pptp 82.200.70.12 --nolaunchpppd --loglevel 0 --logstring nm-pptp-service-5400 (pid 5420) terminated with signal 15
Nov 25 17:26:51 dicobi pppd[5417]: Exit.
Nov 25 17:26:51 dicobi pptp[5423]: nm-pptp-service-5400 warn[decaps_hdlc:pptp_gre.c:220]: short read (-1): Input/output error
Nov 25 17:26:51 dicobi pptp[5423]: nm-pptp-service-5400 warn[decaps_hdlc:pptp_gre.c:232]: pppd may have shutdown, see pppd log
Nov 25 17:26:51 dicobi pptp[5435]: nm-pptp-service-5400 log[callmgr_main:pptp_callmgr.c:245]: Closing connection (unhandled)
Nov 25 17:26:51 dicobi pptp[5435]: nm-pptp-service-5400 log[ctrlp_rep:pptp_ctrl.c:259]: Sent control packet type is 12 'Call-Clear-Request'
Nov 25 17:26:51 dicobi pptp[5435]: nm-pptp-service-5400 log[call_callback:pptp_callmgr.c:84]: Closing connection (call state)
Topic: VPN connection is not being established. (Read 7058 times)
Ferum01
Good day, colleagues!
I set up a VPN connection, but it will not connect; nothing happens (Ubuntu 14.04, 64-bit)…
What could the problem be?
fisher74
Ferum01
How else can I explain it? I created the connection VPN_Work, but when I click on it to connect, there are neither errors nor a connection…
It feels as if the connection icon was created, but the VPN service is missing or does not start.
.human
Post the output of ifconfig -a
The user decided to continue the thought, 25 May 2015, 00:57:23:
when connected, another interface, tun0, should appear
« Last edit: 25 May 2015, 00:00:13 by .human »
Ferum01
artur@artur-All-Series:~$ ifconfig -a
eth0 Link encap:Ethernet HWaddr 78:24:af:3a:a6:8c
inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::7a24:afff:fe3a:a68c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3358 errors:0 dropped:0 overruns:0 frame:0
TX packets:3668 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2454632 (2.4 MB) TX bytes:624541 (624.5 KB)
lo Link encap:Локальная петля (Loopback)
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:824 errors:0 dropped:0 overruns:0 frame:0
TX packets:824 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:63169 (63.1 KB) TX bytes:63169 (63.1 KB)
artur@artur-All-Series:~$
.human
« Last edit: 25 May 2015, 19:15:17 by .human »
Ferum01
that the instructions are somewhat outdated
Following one of them, I ran the command for my connection (pppd call); for some reason the file is missing:
artur@artur-All-Series:~$ pppd call VPN-Work debug nodetach
pppd: Can’t open options file /etc/ppp/peers/VPN-Work: No such file or directory
artur@artur-All-Series:~$
koshev
Probably because it really is not there?
ls -lh /etc/ppp/peers/
And do tell us, after all, what kind of VPN you have there. Offhand, there are 3 more types of VPN (OpenVPN/CiscoVPN/L2TP).
Ferum01
I go to the VPN configuration menu, click Add, choose the VPN type PPTP and the name (VPN-Work), then specify the gateway, login and password.
In the advanced settings I tick the mschap and mschapv2 checkboxes
mppe 128-bit encryption
bsd
deflate
TCPtv
After all these steps a VPN named VPN-Work appears; I click on it, the network menu disappears, and nothing else happens.
Earlier I also set up a VPN on another computer; when I clicked on it, the up and down arrows blinked and a different icon appeared, with a lock I think.
ПлутАрх
And why are you selecting encryption?
Ferum01
And why are you selecting encryption?
That is how it is configured on the server; if you do not select it, there will be no connection. The same settings are used on another computer with Ubuntu.
koshev
Ferum01
Run: lsb_release -ds; aptitude show network-manager; nmcli connection show configured; ip r s; sudo grep -Evi 'VPN|pptp|ppp' /var/log/syslog > $HOME/log.txt at the moment you attempt to connect to the network.
Attach the resulting file to your post.
Ferum01
Ferum01
Run: lsb_release -ds; aptitude show network-manager; nmcli connection show configured; ip r s; sudo grep -Evi 'VPN|pptp|ppp' /var/log/syslog > $HOME/log.txt at the moment you attempt to connect to the network.
Attach the resulting file to your post.
It ran with errors
artur@artur-All-Series:/var/log$ sudo lsb_release -ds; aptitude show network-manager; nmcli connection show configured; ip r s; sudo grep -Evi ‘VPN|pptp|ppp’ /var/log/syslog > $HOME/log.txt
Ubuntu 14.04.2 LTS
Программа ‘aptitude’ на данный момент не установлена. Вы можете установить её, выполнив:
sudo apt-get install aptitude
Usage: nmcli connection { COMMAND | help }
COMMAND := { list | status | up | down | delete }
list [id <id> | uuid <id>]
status [id <id> | uuid <id> | path <path>]
up id <id> | uuid <id> [iface <iface>] [ap <BSSID>] [—nowait] [—timeout <timeout>]
down id <id> | uuid <id>
delete id <id> | uuid <id>
Ошибка: недопустимая команда «con»: «show»
default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.3 metric 1
artur@artur-All-Series:/var/log$
The user decided to continue the thought, 25 May 2015, 23:15:33:
When trying to start the VPN, the following lines appear in var/log/syslog:
May 25 23:13:16 artur-All-Series NetworkManager[700]: <info> Starting VPN service ‘pptp’…
May 25 23:13:16 artur-All-Series NetworkManager[700]: <info> VPN service ‘pptp’ started (org.freedesktop.NetworkManager.pptp), PID 9731
May 25 23:13:16 artur-All-Series NetworkManager[700]: <info> VPN service ‘pptp’ appeared; activating connections
May 25 23:13:16 artur-All-Series NetworkManager[700]: <info> VPN plugin state changed: init (1)
May 25 23:13:16 artur-All-Series NetworkManager[700]: <error> [1432584796.596819] [nm-vpn-connection.c:1374] get_secrets_cb(): Failed to request VPN secrets #2: (6) No agents were available for this request.
May 25 23:13:16 artur-All-Series NetworkManager[700]: <info> Policy set ‘Ethernet01’ (eth0) as default for IPv4 routing and DNS.
May 25 23:13:21 artur-All-Series NetworkManager[700]: <info> VPN service ‘pptp’ disappeared
« Last edit: 25 May 2015, 23:15:33 by Ferum01 »
Ferum01
I booted from the Ubuntu installation DVD; PPTP works there.
I seem to have found a solution: http://unixforum.org/index.php?showtopic=135450
but how do I delete ~/.dbus (and what is it)?
The user decided to continue the thought, 30 May 2015, 15:45:50:
I observed a funny glitch: on the desktop I tried to delete an archive with the Shift and Del keys, after which the desktop freezes for some reason. After that I tried to start the VPN and it started; a miracle, nothing less.
Then I rebooted, the desktop froze again, but the VPN did not work…(((
« Last edit: 30 May 2015, 15:45:50 by Ferum01 »
Ferum01
Sometimes, when the CPU is loaded on one core, the VPN connects, but I have not found a pattern yet.
The VPN still does not work; I do not want to reinstall Ubuntu.
General troubleshooting checklist:
- Verify public and private keys. When dealing with multiple peers, it’s easy to mix these up, especially because the contents of these keys are just random data. There is nothing identifying them, and public and private keys are basically the same format-wise.
- Verify the AllowedIPs list on all peers.
- Check with ip route and ip addr show dev <wg-interface> if the routes and IPs are set as you expect.
- Double check that you have /proc/sys/net/ipv4/ip_forward set to 1 where needed.
- When injecting the VPN users into an existing network, without routing, make sure /proc/sys/net/ipv4/conf/all/proxy_arp is set to 1.
- Make sure the above /proc entries are in /etc/sysctl.conf or a file in /etc/sysctl.d so that they persist across reboots.
It can be helpful to leave a terminal open with the watch wg command. Here is a sample output showing a system with two peers configured, where only one has established the VPN so far:
Every 2.0s: wg          j-wg: Fri Aug 26 17:44:37 2022

interface: wg0
  public key: +T3T3HTMeyrEDvim8FBxbYjbz+/POeOtG3Rlvl9kJmM=
  private key: (hidden)
  listening port: 51000

peer: 2cJdFcNzXv4YUGyDTahtOfrbsrFsCByatPnNzKTs0Qo=
  endpoint: 10.172.196.106:51000
  allowed ips: 10.10.11.2/32
  latest handshake: 3 hours, 27 minutes, 35 seconds ago
  transfer: 3.06 KiB received, 2.80 KiB sent

peer: ZliZ1hlarZqvfxPMyME2ECtXDk611NB7uzLAD4McpgI=
  allowed ips: 10.10.11.3/32
Kernel debug messages
WireGuard is also silent when it comes to logging. Because it is essentially a kernel module, verbose logging has to be enabled explicitly for that module. This is done with the following command:
$ echo "module wireguard +p" | sudo tee /sys/kernel/debug/dynamic_debug/control
This will write WireGuard logging messages to the kernel log, which can be watched live with:
$ sudo dmesg -wT
To disable logging, run this:
$ echo "module wireguard -p" | sudo tee /sys/kernel/debug/dynamic_debug/control
Destination address required
If you ping an IP and get back an error like this:
$ ping 10.10.11.2
PING 10.10.11.2 (10.10.11.2) 56(84) bytes of data.
From 10.10.11.1 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Destination address required
This is happening because the WireGuard interface selected for this destination doesn’t know the endpoint for it. In other words, it doesn’t know where to send the encrypted traffic.
One common scenario for this is on a peer where there is no Endpoint configuration, which is perfectly valid, and the host is trying to send traffic to that peer. Let’s take the coffee shop scenario we described earlier as an example.
The laptop is connected to the VPN and exchanging traffic as usual. Then it stops for a bit (the person went to get one more cup). Traffic ceases (WireGuard is silent, remember). If WireGuard on the home router is now restarted, when it comes back up it won’t know how to reach the laptop, because the laptop has not contacted it since the restart. This means that at this time, if the home router tries to send traffic to the laptop in the coffee shop, it will get the above error.
Now the laptop user comes back and generates some traffic to the home network (remember: the laptop has the home network’s Endpoint value). The VPN “wakes up”, data is exchanged, handshakes are completed, and now the home router knows the Endpoint associated with the laptop and can again initiate new traffic to it without issues.
Another possibility is that one of the peers is behind a NAT, and there wasn’t enough traffic for the stateful firewall to consider the “connection” alive, so it dropped the NAT mapping it had. In this case, the peer might benefit from the PersistentKeepalive configuration, which makes WireGuard send a keepalive probe every so many seconds.
Required key not available
This error:
$ ping 10.10.11.1
PING 10.10.11.1 (10.10.11.1) 56(84) bytes of data.
From 10.10.11.2 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
can happen when you have a route directing traffic to the WireGuard interface, but that interface does not have the target address listed in its AllowedIPs configuration.
If you have enabled kernel debugging for WireGuard, you will also see a message like this one in the dmesg output:
wireguard: home0: No peer has allowed IPs matching 10.10.11.1
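Both sendmsg errors above can be predicted from the wg output before any packet is sent. The following is an added example, not part of the original documentation: it parses the sample wg output shown earlier and reports which error a given destination would hit. The function names and status labels are assumptions of this example, and it generalises the page's /32 entries by picking the most specific AllowedIPs match.

```python
import ipaddress

# Sample `wg` output from this page: the second peer has no endpoint yet.
WG_SAMPLE = """\
interface: wg0
  public key: +T3T3HTMeyrEDvim8FBxbYjbz+/POeOtG3Rlvl9kJmM=
  private key: (hidden)
  listening port: 51000

peer: 2cJdFcNzXv4YUGyDTahtOfrbsrFsCByatPnNzKTs0Qo=
  endpoint: 10.172.196.106:51000
  allowed ips: 10.10.11.2/32
  latest handshake: 3 hours, 27 minutes, 35 seconds ago
  transfer: 3.06 KiB received, 2.80 KiB sent

peer: ZliZ1hlarZqvfxPMyME2ECtXDk611NB7uzLAD4McpgI=
  allowed ips: 10.10.11.3/32
"""


def parse_wg(text):
    """Parse `wg` (or `watch wg`) output into an interface dict and a peer list."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            continue  # blank line or a line without "key: value"
        if key == "interface":
            iface["name"] = value
            current = iface
        elif key == "peer":
            current = {"public key": value, "allowed_ips": []}
            peers.append(current)
        elif current is None:
            continue  # e.g. the "Every 2.0s: wg ..." header printed by watch
        elif key == "allowed ips":
            current["allowed_ips"] = [
                ipaddress.ip_network(item, strict=False)
                for item in value.split(", ")
                if item != "(none)"
            ]
        else:
            current[key] = value
    return {"interface": iface, "peers": peers}


def diagnose(wg_text, dest):
    """Return (status, explanation) for sending traffic to dest over this interface."""
    addr = ipaddress.ip_address(dest)
    best_peer, best_net = None, None
    for peer in parse_wg(wg_text)["peers"]:
        for net in peer["allowed_ips"]:
            # The most specific matching AllowedIPs entry selects the peer.
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_peer, best_net = peer, net
    if best_peer is None:
        return ("ENOKEY",
                "Required key not available: no peer has allowed IPs matching " + dest)
    who = best_peer["public key"]
    if "endpoint" not in best_peer:
        return ("EDESTADDRREQ",
                "Destination address required: peer " + who + " has no known endpoint; "
                "it must contact this host first, or an Endpoint must be configured")
    if "latest handshake" not in best_peer:
        return ("NO_HANDSHAKE",
                "peer " + who + " has an endpoint but no handshake yet; "
                "verify the keys on both sides")
    return ("OK", "peer " + who + " via " + best_peer["endpoint"])


if __name__ == "__main__":
    # 10.10.11.9 is a constructed address that matches no peer.
    for target in ("10.10.11.2", "10.10.11.3", "10.10.11.9"):
        print(target, *diagnose(WG_SAMPLE, target))
```
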
Hello, I have used same settings on Ubuntu 18.04, but on Ubuntu 20.04 (newly installed), VPN does not work.
Installation steps:
sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp
sudo apt-get update
sudo apt install network-manager-l2tp
sudo apt install --install-suggests network-manager-l2tp-gnome
sudo reboot
sudo systemctl stop xl2tpd
sudo systemctl disable xl2tpd
I used all the settings that worked previously
- Identity: Gateway, User Authentication Type: Password, NT Domain
- L2TP IPsec Options: Type: Pre-shared key (PSK), Pre-shared key, Advanced settings left as default
- L2TP PPP Options: only checked PAP (unchecked CHAP, MSCHAP, MSCHAPv2, EAP), the rest left as default
I’ve also tried the following:
- https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues#strongswan-no-acceptable-traffic-selectors-found
- https://github.com/nm-l2tp/NetworkManager-l2tp#ipsec-ikev1-weak-legacy-algorithms-and-backwards-compatibility
Output of sudo ./ike-scan.sh ... | grep SA=:
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=MD5 Group=5:modp1536 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=MD5 Group=5:modp1536 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=MD5 Group=5:modp1536 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=192 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=MD5 Group=2:modp1024 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=MD5 Group=5:modp1536 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=MD5 Group=5:modp1536 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
Log from journalctl --no-hostname --unit=NetworkManager:
7월 27 19:08:32 NetworkManager[880]: <info> [1627380512.0616] audit: op="connection-activate" uuid="..." name="..." pid=2773 uid=1000 result="success"
7월 27 19:08:32 NetworkManager[880]: <info> [1627380512.0753] vpn-connection[0x564df7b5e770,...,"...",0]: Started the VPN service, PID 3252
7월 27 19:08:32 NetworkManager[880]: <info> [1627380512.0973] vpn-connection[0x564df7b5e770,...,"...",0]: Saw the service appear; activating connection
7월 27 19:08:32 NetworkManager[880]: <info> [1627380512.1976] vpn-connection[0x564df7b5e770,...,"...",0]: VPN connection: (ConnectInteractive) reply received
7월 27 19:08:32 nm-l2tp-service[3252]: Check port 1701
7월 27 19:08:32 NetworkManager[3268]: Stopping strongSwan IPsec failed: starter is not running
7월 27 19:08:34 NetworkManager[3265]: Starting strongSwan 5.8.2 IPsec [starter]...
7월 27 19:08:34 NetworkManager[3265]: Loading config setup
7월 27 19:08:34 NetworkManager[3265]: Loading conn '...'
7월 27 19:08:34 ipsec_starter[3265]: Starting strongSwan 5.8.2 IPsec [starter]...
7월 27 19:08:34 ipsec_starter[3265]: Loading config setup
7월 27 19:08:34 ipsec_starter[3265]: Loading conn '...'
7월 27 19:08:34 ipsec_starter[3276]: Attempting to start charon...
7월 27 19:08:34 charon[3277]: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.2, Linux 5.8.0-63-generic, x86_64)
7월 27 19:08:34 charon[3277]: 00[CFG] PKCS11 module '<name>' lacks library path
7월 27 19:08:34 charon[3277]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
7월 27 19:08:34 charon[3277]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
7월 27 19:08:34 charon[3277]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
7월 27 19:08:34 charon[3277]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
7월 27 19:08:34 charon[3277]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
7월 27 19:08:34 charon[3277]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
7월 27 19:08:34 charon[3277]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
7월 27 19:08:34 charon[3277]: 00[CFG] loaded IKE secret for %any
7월 27 19:08:34 charon[3277]: 00[CFG] loaded 0 RADIUS server configurations
7월 27 19:08:34 charon[3277]: 00[CFG] HA config misses local/remote address
7월 27 19:08:34 charon[3277]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs1>
7월 27 19:08:34 charon[3277]: 00[LIB] dropped capabilities, running as uid 0, gid 0
7월 27 19:08:34 charon[3277]: 00[JOB] spawning 16 worker threads
7월 27 19:08:34 ipsec_starter[3276]: charon (3277) started after 20 ms
7월 27 19:08:34 charon[3277]: 06[CFG] received stroke: add connection '...'
7월 27 19:08:34 charon[3277]: 06[CFG] added configuration '...'
7월 27 19:08:35 charon[3277]: 08[CFG] rereading secrets
7월 27 19:08:35 charon[3277]: 08[CFG] loading secrets from '/etc/ipsec.secrets'
7월 27 19:08:35 charon[3277]: 08[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
7월 27 19:08:35 charon[3277]: 08[CFG] loaded IKE secret for %any
7월 27 19:08:35 charon[3277]: 09[CFG] received stroke: initiate '...'
7월 27 19:08:35 charon[3277]: 11[IKE] initiating Main Mode IKE_SA ...[1] to ....
7월 27 19:08:35 charon[3277]: 11[IKE] initiating Main Mode IKE_SA ...[1] to ....
7월 27 19:08:35 charon[3277]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
7월 27 19:08:35 charon[3277]: 11[NET] sending packet: from ....[500] to ....[500] (532 bytes)
7월 27 19:08:35 charon[3277]: 12[NET] received packet: from ....[500] to ....[500] (180 bytes)
7월 27 19:08:35 charon[3277]: 12[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
7월 27 19:08:35 charon[3277]: 12[IKE] received XAuth vendor ID
7월 27 19:08:35 charon[3277]: 12[IKE] received DPD vendor ID
7월 27 19:08:35 charon[3277]: 12[IKE] received Cisco Unity vendor ID
7월 27 19:08:35 charon[3277]: 12[IKE] received FRAGMENTATION vendor ID
7월 27 19:08:35 charon[3277]: 12[IKE] received NAT-T (RFC 3947) vendor ID
7월 27 19:08:35 charon[3277]: 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
7월 27 19:08:35 charon[3277]: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
7월 27 19:08:35 charon[3277]: 12[NET] sending packet: from ....[500] to ....[500] (244 bytes)
7월 27 19:08:35 charon[3277]: 13[NET] received packet: from ....[500] to ....[500] (244 bytes)
7월 27 19:08:35 charon[3277]: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
7월 27 19:08:35 charon[3277]: 13[IKE] local host is behind NAT, sending keep alives
7월 27 19:08:35 charon[3277]: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
7월 27 19:08:35 charon[3277]: 13[NET] sending packet: from ....[4500] to ....[4500] (76 bytes)
7월 27 19:08:35 charon[3277]: 14[NET] received packet: from ....[500] to ....[500] (76 bytes)
7월 27 19:08:35 charon[3277]: 14[ENC] invalid HASH_V1 payload length, decryption failed?
7월 27 19:08:35 charon[3277]: 14[ENC] could not decrypt payloads
7월 27 19:08:35 charon[3277]: 14[IKE] message parsing failed
7월 27 19:08:35 charon[3277]: 14[IKE] ignore malformed INFORMATIONAL request
7월 27 19:08:35 charon[3277]: 14[IKE] INFORMATIONAL_V1 request with message ID 2175675279 processing failed
7월 27 19:08:39 charon[3277]: 05[IKE] sending retransmit 1 of request message ID 0, seq 3
7월 27 19:08:39 charon[3277]: 05[NET] sending packet: from ....[4500] to ....[4500] (76 bytes)
7월 27 19:08:39 charon[3277]: 06[NET] received packet: from ....[500] to ....[500] (76 bytes)
7월 27 19:08:39 charon[3277]: 06[ENC] invalid HASH_V1 payload length, decryption failed?
7월 27 19:08:39 charon[3277]: 06[ENC] could not decrypt payloads
7월 27 19:08:39 charon[3277]: 06[IKE] message parsing failed
7월 27 19:08:39 charon[3277]: 06[IKE] ignore malformed INFORMATIONAL request
7월 27 19:08:39 charon[3277]: 06[IKE] INFORMATIONAL_V1 request with message ID 2470614658 processing failed
7월 27 19:08:45 NetworkManager[3312]: Stopping strongSwan IPsec...
7월 27 19:08:45 charon[3277]: 00[DMN] signal of type SIGINT received. Shutting down
7월 27 19:08:45 charon[3277]: 00[IKE] destroying IKE_SA in state CONNECTING without notification
7월 27 19:08:45 NetworkManager[3306]: initiating Main Mode IKE_SA ...[1] to ....
7월 27 19:08:45 NetworkManager[3306]: generating ID_PROT request 0 [ SA V V V V V ]
7월 27 19:08:45 NetworkManager[3306]: sending packet: from ....[500] to ....[500] (532 bytes)
7월 27 19:08:45 NetworkManager[3306]: received packet: from ....[500] to ....[500] (180 bytes)
7월 27 19:08:45 NetworkManager[3306]: parsed ID_PROT response 0 [ SA V V V V V ]
7월 27 19:08:45 NetworkManager[3306]: received XAuth vendor ID
7월 27 19:08:45 NetworkManager[3306]: received DPD vendor ID
7월 27 19:08:45 NetworkManager[3306]: received Cisco Unity vendor ID
7월 27 19:08:45 NetworkManager[3306]: received FRAGMENTATION vendor ID
7월 27 19:08:45 NetworkManager[3306]: received NAT-T (RFC 3947) vendor ID
7월 27 19:08:45 NetworkManager[3306]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
7월 27 19:08:45 NetworkManager[3306]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
7월 27 19:08:45 NetworkManager[3306]: sending packet: from ....[500] to ....[500] (244 bytes)
7월 27 19:08:45 NetworkManager[3306]: received packet: from ....[500] to ....[500] (244 bytes)
7월 27 19:08:45 NetworkManager[3306]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
7월 27 19:08:45 NetworkManager[3306]: local host is behind NAT, sending keep alives
7월 27 19:08:45 NetworkManager[3306]: generating ID_PROT request 0 [ ID HASH ]
7월 27 19:08:45 NetworkManager[3306]: sending packet: from ....[4500] to ....[4500] (76 bytes)
7월 27 19:08:45 NetworkManager[3306]: received packet: from ....[500] to ....[500] (76 bytes)
7월 27 19:08:45 NetworkManager[3306]: invalid HASH_V1 payload length, decryption failed?
7월 27 19:08:45 NetworkManager[3306]: could not decrypt payloads
7월 27 19:08:45 NetworkManager[3306]: message parsing failed
7월 27 19:08:45 NetworkManager[3306]: ignore malformed INFORMATIONAL request
7월 27 19:08:45 NetworkManager[3306]: INFORMATIONAL_V1 request with message ID 2175675279 processing failed
7월 27 19:08:45 NetworkManager[3306]: sending retransmit 1 of request message ID 0, seq 3
7월 27 19:08:45 NetworkManager[3306]: sending packet: from ....[4500] to ....[4500] (76 bytes)
7월 27 19:08:45 NetworkManager[3306]: received packet: from ....[500] to ....[500] (76 bytes)
7월 27 19:08:45 NetworkManager[3306]: invalid HASH_V1 payload length, decryption failed?
7월 27 19:08:45 NetworkManager[3306]: could not decrypt payloads
7월 27 19:08:45 NetworkManager[3306]: message parsing failed
7월 27 19:08:45 NetworkManager[3306]: ignore malformed INFORMATIONAL request
7월 27 19:08:45 NetworkManager[3306]: INFORMATIONAL_V1 request with message ID 2470614658 processing failed
7월 27 19:08:45 NetworkManager[3306]: destroying IKE_SA in state CONNECTING without notification
7월 27 19:08:45 NetworkManager[3306]: establishing connection '...' failed
7월 27 19:08:45 ipsec_starter[3276]: child 3277 (charon) has quit (exit code 0)
7월 27 19:08:45 ipsec_starter[3276]:
7월 27 19:08:45 ipsec_starter[3276]: charon stopped after 200 ms
7월 27 19:08:45 ipsec_starter[3276]: ipsec starter stopped
7월 27 19:08:45 nm-l2tp-service[3252]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
7월 27 19:08:45 NetworkManager[880]: <info> [1627380525.3692] vpn-connection[0x564df7b5e770,...,"...",0]: VPN plugin: state changed: stopped (6)
7월 27 19:08:45 NetworkManager[880]: <info> [1627380525.3778] vpn-connection[0x564df7b5e770,...,"...",0]: VPN service disappeared
7월 27 19:13:57 NetworkManager[880]: <warn> [1627380837.4743] vpn-connection[0x564df7b5e560,...,"...",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
From here https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec.html#phase-1-pre-shared-key-mismatch I found that my log identifies «Phase 1 Pre-Shared Key Mismatch»
charon: 09[ENC] invalid HASH_V1 payload length, decryption failed?
charon: 09[ENC] could not decrypt payloads
charon: 09[IKE] message parsing failed
But in fact my Pre-Shared Key is correct.
I have no idea how to resolve it or what could be the problem, please help.
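The logs quoted on this page fail at different stages, and the decisive line is easy to miss among the teardown messages. The following is an added example, not code from any poster or project mentioned here: it scans syslog or journalctl lines for the failure strings that appear in those logs and reports how far the connection got. The tag names and the triage function are assumptions of this example; the sample lines are taken from the logs above, with timestamps trimmed on the charon lines.

```python
import re

# "proc[pid]: message", as found in syslog and journalctl lines.
LINE_RE = re.compile(r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PHASE_RE = re.compile(r"\(nm_phasechange\): status \d+ / phase '(?P<phase>[^']+)'")
PROPOSAL_RE = re.compile(r"selected proposal: (?P<proposal>\S+)")

# Tag names are made up for this example; the patterns are log strings from this page.
SIGNATURES = [
    ("mppe-negotiation", re.compile(r"MPPE required but peer negotiation failed")),
    ("no-secret-agent", re.compile(r"No agents were available for this request")),
    ("ike-phase1-decrypt", re.compile(r"invalid HASH_V1 payload length, decryption failed\?")),
    ("plugin-failed", re.compile(r"VPN plugin: failed: [\w-]+")),
    ("connect-failed", re.compile(r"VPN connection: failed to connect:")),
]
HINTS = {
    "mppe-negotiation": "pppd required MPPE and the peer did not agree; compare the MPPE option with the server",
    "no-secret-agent": "NetworkManager found no agent to supply the VPN secrets; nothing was sent to the server",
    "ike-phase1-decrypt": "IKEv1 phase 1 payload could not be decrypted; the pfSense page linked above files this under pre-shared key mismatch",
    "plugin-failed": "the VPN plugin reported failure; look at the lines just before it",
    "connect-failed": "NetworkManager gave up; the quoted reason follows 'failed to connect:'",
}
TEARDOWN_PHASES = {"terminate", "disconnect", "dead"}

PPTP_LINES = """\
Nov 25 17:26:50 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 6 / phase 'authenticate'
Nov 25 17:26:51 dicobi pppd[5417]: CHAP authentication succeeded
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 8 / phase 'network'
Nov 25 17:26:51 dicobi pppd[5417]: MPPE required but peer negotiation failed
Nov 25 17:26:51 dicobi NetworkManager[936]: MPPE required but peer negotiation failed
Nov 25 17:26:51 dicobi NetworkManager[936]: ** Message: nm-pptp-ppp-plugin: (nm_phasechange): status 10 / phase 'terminate'
Nov 25 17:26:51 dicobi NetworkManager[936]: <warn> [1543141611.5554] vpn-connection[0x237b270,eb5caaec-41f0-44a8-b35d-70f7f7622e5f,"VPN_TSU",0]: VPN plugin: failed: connect-failed (1)
"""
AGENT_LINES = """\
May 25 23:13:16 artur-All-Series NetworkManager[700]: <info> VPN plugin state changed: init (1)
May 25 23:13:16 artur-All-Series NetworkManager[700]: <error> [1432584796.596819] [nm-vpn-connection.c:1374] get_secrets_cb(): Failed to request VPN secrets #2: (6) No agents were available for this request.
"""
IKE_LINES = """\
charon[3277]: 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon[3277]: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
charon[3277]: 14[ENC] invalid HASH_V1 payload length, decryption failed?
charon[3277]: 14[ENC] could not decrypt payloads
"""


def triage(lines):
    """Return failure tags (first-seen order) plus how far the attempt progressed."""
    findings, phases = [], []
    auth_ok, proposal = False, None
    for line in lines:
        match = LINE_RE.search(line)
        if not match:
            continue
        msg = match.group("msg")
        phase = PHASE_RE.search(msg)
        if phase:
            phases.append(phase.group("phase"))
            continue
        if "CHAP authentication succeeded" in msg:
            auth_ok = True
        prop = PROPOSAL_RE.search(msg)
        if prop:
            proposal = prop.group("proposal")
        for tag, pattern in SIGNATURES:
            # NetworkManager echoes pppd/charon output, so record each tag once.
            if pattern.search(msg) and tag not in findings:
                findings.append(tag)
    last_phase = None
    for name in phases:
        if name in TEARDOWN_PHASES:
            break  # phases after this point are cleanup, not progress
        last_phase = name
    return {"findings": findings, "last_phase": last_phase,
            "auth_ok": auth_ok, "ike_proposal": proposal}


if __name__ == "__main__":
    for sample in (PPTP_LINES, AGENT_LINES, IKE_LINES):
        result = triage(sample.splitlines())
        print(result)
        for tag in result["findings"]:
            print("  ", tag + ":", HINTS[tag])
```

For the PPTP sample the result shows that CHAP succeeded and the attempt reached the 'network' phase, so the credentials were accepted and the failure lies in MPPE negotiation; for the IKE sample a proposal was selected before decryption failed.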