Ask Your Question
1

Can't connect to l2tp/ipsec vpn server

asked 2016-04-12 08:43:17 -0600

Nico Marin gravatar image

updated 2016-04-12 13:19:25 -0600

Hi,

I would like to connect to my l2tp/ipsec vpn server via Fedora 23 but I can't get it working (works fine with Windows 10). Each time I hit the connect button, i get the following error notification on the top of the screen :

Connection failed
Activation of network connection failed

image description

VPN Settings :

Name                                     : maison
Firewall Zone                            : Default
Make available to other users (checkbox) : unticked
Gateway                                  : my.gateway.ch (example)
User Name                                : my username
Password                                 : my password
NT Domain                                : (empty)

IPsec Settings :

Enable IPsec tunnel to L2TP host (checkbox) : ticked
Group Name                                  : (empty)
Pre-shared key                              : my pre-shared key

PPP Settings :

Authentication
   Allow the following authentication methods           : MSCHAP, MSCHAPv2

Security and Compression
   Use Point-to-Point encryption (MPPE) (checkbox)      : ticked
   Security                                             : All available (Default)
   Allow stateful encryption (checkbox)                 : unticked
   Allow BSD data compression (checkbox)                : ticked
   Allow Deflate data compression (checkbox)            : ticked
   Use TCP header compression (checkbox)                : ticked
   Use protocol field compression negotation (checkbox) : ticked
   Use Address/Control compression (checkbox)           : ticked

Echo
   Send PPP echo packets (checkbox)                     : ticked

Done so far:

systemctl start ipsec

and

ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                     [OK]
Libreswan 3.16 (netkey) on 4.4.6-301.fc23.x86_64
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [OK]
         ICMP default/accept_redirects              [OK]
         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Hardware random device                              [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                  [OK]
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                        Traceback (most recent call last):
  File "/usr/libexec/ipsec/verify", line 477, in <module>
    main()
  File "/usr/libexec/ipsec/verify", line 466, in main
    plutocheck()
  File "/usr/libexec/ipsec/verify", line 121, in plutocheck
    ipsecsecretcheck()
  File "/usr/libexec/ipsec/verify", line 375, in ipsecsecretcheck
    output = output.decode(prefencoding)
AttributeError: 'str' object has no attribute 'decode'

Could someone help me solve this matter please.

Thanks !

edit retag flag offensive close merge delete

Comments

The exception AttributeError: 'str' object has no attribute 'decode' is a python exception. What version of python is installed on your machine? Do python --version to check. I am wondering if the script is expecting a unicode object which would be a python 3 thing but it's getting an ascii string instead.

dagger gravatar imagedagger ( 2016-04-12 15:29:56 -0600 )edit

2 Answers

Sort by » oldest newest most voted
0

answered 2016-04-15 11:48:08 -0600

dagger gravatar image

updated 2016-04-15 11:49:58 -0600

There seems so be some inconsistency in the libreswan verify python script (which is located at /usr/libexec/ipsec/verify).

In line 373, a subprocess.Popen object is instantiated, with the universal_newlines=True argument, which should cause the (output, err) tuple from (from the .communicate() method in line 374) to hold strings rather than bytes. However, in line 375, it assumes the output is bytes by calling the .decode() method. string objects in python do not have decode methods, which is why you're getting the AttributeError: 'str' object has no attribute 'decode' exception.

As I see it right now, you have two options. edit the verify python script by commenting out line 375 (add a # in front of that line). You shouldn't need that line because, like i said above, the output from .communicate() is already a string. Or delete the universal_newlines=True argument from line 373 so that .communicate() returns bytes instead of strings.

This does seem like a bug to me, so you could also seek help at their github repository

edit flag offensive delete link more
0

answered 2016-04-14 01:19:21 -0600

Nico Marin gravatar image

updated 2016-04-14 01:23:41 -0600

python --version

is returning

Python 2.7.11

So, id added python 3.4 as an alternative doing the following :

# alternatives --install /usr/bin/python python /usr/bin/python3.4 2
# alternatives --install /usr/bin/python python /usr/bin/python2.7 1

It now returns

# python -V
Python 3.4.1

But I still get the same error:

$ sudo ipsec verify
Mot de passe [sudo] de nh :
Verifying installed system and configuration files

Version check and ipsec on-path                     [OK]
Libreswan 3.16 (netkey) on 4.4.6-301.fc23.x86_64
Checking for IPsec support in kernel                [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [OK]
         ICMP default/accept_redirects              [OK]
         XFRM larval drop                           [OK]
Pluto ipsec.conf syntax                             [OK]
Hardware random device                              [N/A]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                  [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/enp7s0f1/rp_filter         [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter          [ENABLED]
 /proc/sys/net/ipv4/conf/virbr0/rp_filter           [ENABLED]
 /proc/sys/net/ipv4/conf/virbr0-nic/rp_filter       [ENABLED]
 /proc/sys/net/ipv4/conf/wlp6s0/rp_filter           [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                      [OK]
 Pluto listening for IKE on udp 500                 [OK]
 Pluto listening for IKE/NAT-T on udp 4500          [OK]
 Pluto ipsec.secret syntax                        Traceback (most recent call last):
  File "/usr/libexec/ipsec/verify", line 477, in <module>
    main()
  File "/usr/libexec/ipsec/verify", line 466, in main
    plutocheck()
  File "/usr/libexec/ipsec/verify", line 121, in plutocheck
    ipsecsecretcheck()
  File "/usr/libexec/ipsec/verify", line 375, in ipsecsecretcheck
    output = output.decode(prefencoding)
AttributeError: 'str' object has no attribute 'decode'
edit flag offensive delete link more

Comments

@niko-marin, I'd recommend removing this from the "answers" portion of this thread and instead updating your original question.

dagger gravatar imagedagger ( 2016-04-15 11:05:18 -0600 )edit

Question Tools

1 follower

Stats

Asked: 2016-04-12 08:42:12 -0600

Seen: 2,410 times

Last updated: Apr 15 '16