#1007901 network-manager: L2TP-VPN doesn't work with network-manager version 1.36.2-1 (works with 1.34.0-1)

Package:
network-manager-l2tp
Source:
network-manager-l2tp
Description:
network management framework (L2TP plugin core)
Submitter:
Marcel Jira
Date:
2022-04-22 02:15:03 UTC
Severity:
important
Tags:
#1007901#5
Date:
2022-03-18 09:50:10 UTC
From:
To:
I used to connect to a VPN using network-manager-l2tp and network-manager-l2tp-gnome.

The connection recently stopped working (see log below). A connection is
established but terminates quickly after logging a series of "Received out of
order control packet" messages. Also the connection is not usable (no ping to a
machine in the vpn possible) in the short amount of time the connection is
present.

Downgrading the packages "libnm0" and "network-manager" to version 1.34.0-1
solves the problem and makes the VPN usable again.

A similar problem was described at
* https://forum.manjaro.org/t/stable-update-2022-03-14-kernels-kde-libreoffice-kodi-qt5-mozilla-networkmanager-pipewire/105493/53?page=3

A big shoutout to eggy and michaa7 in the German Debian forum who helped me
find a temporary solution for the problem:
https://debianforum.de/forum/viewtopic.php?t=183809

Log snippet of failing VPN connection:

Mär 08 09:24:32 austernpilz-marcel charon[5989]: 01[ENC] parsed INFORMATIONAL_V1 request 2021249469 [ HASH N(DPD) ]
Mär 08 09:24:32 austernpilz-marcel charon[5989]: 01[ENC] generating INFORMATIONAL_V1 request 356123565 [ HASH N(DPD_ACK) ]
Mär 08 09:24:32 austernpilz-marcel charon[5989]: 01[NET] sending packet: from 192.168.0.180[4500] to <Public IP>[4500] (92 bytes)
Mär 08 09:24:45 austernpilz-marcel NetworkManager[6024]: xl2tpd[6024]: check_control: Received out of order control packet on tunnel 61041 (got 3, expected 4)
Mär 08 09:24:45 austernpilz-marcel NetworkManager[6024]: xl2tpd[6024]: handle_control: bad control packet!
Mär 08 09:24:45 austernpilz-marcel charon[5989]: 07[NET] received packet: from <Public IP>[4500] to 192.168.0.180[4500] (84 bytes)
Mär 08 09:24:45 austernpilz-marcel charon[5989]: 07[ENC] parsed INFORMATIONAL_V1 request 3124328840 [ HASH N(DPD) ]
Mär 08 09:24:45 austernpilz-marcel charon[5989]: 07[ENC] generating INFORMATIONAL_V1 request 1656922586 [ HASH N(DPD_ACK) ]
Mär 08 09:24:45 austernpilz-marcel charon[5989]: 07[NET] sending packet: from 192.168.0.180[4500] to <Public IP>[4500] (92 bytes)
Mär 08 09:24:47 austernpilz-marcel NetworkManager[6024]: xl2tpd[6024]: check_control: Received out of order control packet on tunnel 61041 (got 3, expected 4)
Mär 08 09:24:47 austernpilz-marcel NetworkManager[6024]: xl2tpd[6024]: handle_control: bad control packet!
Mär 08 09:24:51 austernpilz-marcel NetworkManager[6024]: xl2tpd[6024]: check_control: Received out of order control packet on tunnel 61041 (got 3, expected 4)
Mär 08 09:24:51 austernpilz-marcel NetworkManager[6024]: xl2tpd[6024]: handle_control: bad control packet!
Mär 08 09:24:59 austernpilz-marcel NetworkManager[6024]: xl2tpd[6024]: check_control: Received out of order control packet on tunnel 61041 (got 3, expected 4)
Mär 08 09:24:59 austernpilz-marcel NetworkManager[6024]: xl2tpd[6024]: handle_control: bad control packet!
Mär 08 09:25:05 austernpilz-marcel charon[5989]: 11[IKE] sending keep alive to <Public IP>[4500]
Mär 08 09:25:06 austernpilz-marcel charon[5989]: 12[NET] received packet: from <Public IP>[4500] to 192.168.0.180[4500] (84 bytes)
Mär 08 09:25:06 austernpilz-marcel charon[5989]: 12[ENC] parsed INFORMATIONAL_V1 request 2249792635 [ HASH D ]
Mär 08 09:25:06 austernpilz-marcel charon[5989]: 12[IKE] received DELETE for IKE_SA 016e39e7-c775-46be-85d3-215b15580b02[1]
Mär 08 09:25:06 austernpilz-marcel charon[5989]: 12[IKE] deleting IKE_SA 016e39e7-c775-46be-85d3-215b15580b02[1] between 192.168.0.180[192.168.0.180]...<Public IP>[<Public IP>]
Mär 08 09:25:06 austernpilz-marcel charon[5989]: 12[IKE] deleting IKE_SA 016e39e7-c775-46be-85d3-215b15580b02[1] between 192.168.0.180[192.168.0.180]...<Public IP>[<Public IP>]
Mär 08 09:25:14 austernpilz-marcel NetworkManager[6024]: xl2tpd[6024]: Maximum retries exceeded for tunnel 62233.  Closing.
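
A way to triage a journal excerpt like the one above, added here as an example and not part of the original report or of any of the packages involved. The sample lines are constructed from the report's log format (host name and SA name are placeholders), and `triage` is a hypothetical helper name. Sequence numbers are compared with 16-bit wraparound as in RFC 2661, which goes beyond the single "got 3, expected 4" case in the log.

```python
import re
from collections import Counter

# Constructed sample modelled on the report's journal output (wrapped lines
# re-joined; host name and SA name are placeholders).
SAMPLE_LOG = """\
Mär 08 09:24:45 host NetworkManager[6024]: xl2tpd[6024]: check_control: Received out of order control packet on tunnel 61041 (got 3, expected 4)
Mär 08 09:24:45 host NetworkManager[6024]: xl2tpd[6024]: handle_control: bad control packet!
Mär 08 09:24:47 host NetworkManager[6024]: xl2tpd[6024]: check_control: Received out of order control packet on tunnel 61041 (got 3, expected 4)
Mär 08 09:24:51 host NetworkManager[6024]: xl2tpd[6024]: check_control: Received out of order control packet on tunnel 61041 (got 3, expected 4)
Mär 08 09:25:06 host charon[5989]: 12[IKE] received DELETE for IKE_SA example-sa[1]
Mär 08 09:25:14 host NetworkManager[6024]: xl2tpd[6024]: Maximum retries exceeded for tunnel 62233.  Closing.
"""

OUT_OF_ORDER = re.compile(
    r"xl2tpd\[\d+\]: check_control: Received out of order control packet "
    r"on tunnel (\d+) \(got (\d+), expected (\d+)\)")
GAVE_UP = re.compile(r"xl2tpd\[\d+\]: Maximum retries exceeded for tunnel (\d+)")
PEER_DELETE = re.compile(r"charon\[\d+\]: \d+\[IKE\] received DELETE for IKE_SA (\S+)")


def triage(log_text):
    """Summarise L2TP control-channel and IKE teardown events in a journal excerpt."""
    duplicates, ahead = Counter(), Counter()
    gave_up, peer_deleted = [], []
    for line in log_text.splitlines():
        if m := OUT_OF_ORDER.search(line):
            tunnel, got, expected = map(int, m.groups())
            # L2TP control sequence numbers are 16-bit and wrap (RFC 2661):
            # a value in the half-window behind "expected" is a message we
            # already accepted, i.e. the peer is retransmitting it.
            behind = 0 < (expected - got) % 65536 < 32768
            (duplicates if behind else ahead)[(tunnel, got, expected)] += 1
        elif m := GAVE_UP.search(line):
            gave_up.append(int(m.group(1)))
        elif m := PEER_DELETE.search(line):
            peer_deleted.append(m.group(1))
    return {"duplicates": dict(duplicates), "ahead": dict(ahead),
            "gave_up": gave_up, "peer_deleted": peer_deleted}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A repeated entry under `duplicates` means the peer keeps retransmitting a control message it has seen no acknowledgement for, followed here by the peer deleting the IKE SA and xl2tpd giving up.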

#1007901#10
Date:
2022-03-18 10:57:19 UTC
From:
To:
On 18.03.22 at 10:50, Marcel Jira wrote:
#1007901#21
Date:
2022-03-22 20:38:53 UTC
From:
To:
As mentioned to the upstream NetworkManager 1.36.2 VPN routing bug:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/946

The routing issue when the "Use this connection only for resources on its network" IPv4 setting is enabled no longer appears to occur with NetworkManager 1.37.2.

As 1.37.2 is a developer release, I believe this issue will resolve itself once the Debian network-manager package is upgraded to whatever the next NetworkManager non-developer release will be.

#1007901#26
Date:
2022-04-20 11:12:42 UTC
From:
To:
Hi Marcel,

I was about to close this still open bug (which was cloned from a bug that was closed), but decided to check the forum link you posted first:
https://debianforum.de/forum/viewtopic.php?t=183809

and noticed you said there you were still having an issue with network-manager-l2tp and network-manager 1.36.4-2.

Sorry to hear that network-manager 1.36.4-2 didn't solve your issue and wish I heard it here earlier. Unfortunately I'm not able to reproduce the bug with Debian Sid, but happy to look into it.

I suspect it is an issue with strongswan, do you have the issue if you switch to libreswan? e.g.:

   sudo apt install libreswan

To revert back to strongswan, issue:

   sudo apt install strongswan

If it works with libreswan, I suspect the strongswan issue with network-manager version 1.36 is with one of its modules.

Cheers,
Doug

#1007901#31
Date:
2022-04-22 02:10:06 UTC
From:
To:
Hi Marcel,

Actually you might be having an issue with your existing VPN network connection still having ipv4.ignore-auto-routes enabled, see:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/946#note_1350911

My previous suggestion of switching from strongswan to libreswan may or may not help. I wasn't able to see the strongswan issues with network-manager >= 1.36 on Debian I saw with Arch Linux, but that doesn't mean others wouldn't.

Cheers,
Doug