Reply to topic

VPN (l2tp) configuration UI - Cannot disable PFS

bvz2000
Registered Member
Posts
3
Karma
0
Hello,

I have two systems running Manjaro. One is using GNOME. The other is running KDE (I am in the process of switching to KDE).

The GNOME system is able to connect to my office using a VPN. The KDE system cannot. I beleive the difference is that the GNOME system allows me to disable Perfect Forward Secrecy, while the KDE system does not offer that option.

Some details:

Both are running libreswan and networkmanager-l2tp.

networkmanager-l2tp 1.2.14-1
xl2tpd 1.3.15-1
libreswan 3.29-2
networkmanager-libreswan 1.2.12-2

When I set both of them up using their respective networking UI's, both UI's more or less have the same fields. The one exception is that the GNOME UI has an additional checkbox in the IPsec Settings called "Disable PFS". If I do NOT check this box, the GNOME system also fails to connect. Looking at the logs (using journalctl -u NetworkManager.service) shows that in this case both systems have nearly identical logs with identical error messages. I can post the logs here if needed. If I check the "Disable PFS" checkbox in the GNOME UI, however, it will successfully connect.

I am not a networking expert by any imagination (not even close... I am a 3D artist by trade) so I am quite out of my depth here. That said, I am reasonably technical.

Can anyone verify that this is a setting that should be in this networking dialog? It is listed as Layer 2 Tunneling Protocol (L2TP) when you hit the "+" sign in the Connections panel of the System Settings Module. The missing checkbox is under the IPsec Settings in the VPN (l2tp) tab.

More importantly, is there some way to force the "Disable PFS" setting when talking to libreswan? I assume that the UI stores its settings somewhere and then calls libreswan somehow and passes over these settings? Can I get in there and append this particular setting?

Thanks for any help!
bvz2000
Registered Member
Posts
3
Karma
0
Ok, I found where the UI stores its configuration files:

/etc/NetworkManager/system-connections

I opened the .nmconnection file for this VPN on both machines. Sure enough, the GNOME machine had an extra line:

ipsec-pfs=no

in the [vpn] section.

So I added that into the .nmconnection file on the KDE machine and tried to connect via the gui. Alas, it appears that when I connected, this file is re-written with the data from the gui, and this additional line has been removed. So now I am going to try to see if I can bring up the connection without the UI. Any advice on this would still be appreciated.

Secondarily, is this missing checkbox something that I should/could report to the KDE development community? I don't know if this would be considered a feature request or bug or something that I should not be bothering anyone with.

Thanks.


Edit #1:

The following command seems to try to start the connection without a UI.

nmcli con up id connection_name --ask

But it still overwrites the file and removes my edit.
bvz2000
Registered Member
Posts
3
Karma
0
Ok, I found a usable solution.

I am not super technical, but I figured this out myself so I am fairly proud. :)

Of course, I'm even MORE proud and grateful to those who actually did the real work involved in creating this software.

Anyway, after researching NetworkManager, I found this page:

https://wiki.debian.org/NetworkManager

It explains that the NetworkManager runs as a root-level daemon and after any changes to the .nmconnection file that I described above the daemon needs to be restarted. I wasn't doing that so the old settings (where I had not disabled PFS) were still in effect.

So I edited the .nmconnection file to add the line described above. Then I restarted my machine (it seemed easier than to try to restart the NetworkManager via a command since the command given on that web page is not relevant to a Manjaro system apparently).

Once it was restarted, I used this command to start the connection:

nmcli con up CONNECTIONNAME -ask

nmcli is the network manager command line interface.
con stands for "connection".
up means start up the connection.
CONNECTIONNAME is the name of the .nmconnection file in the directory /etc/NetworkManager/system-connections that contains the vpn settings you are interested in (the one you edited). Don't include the ".nmconnection", just the name of the file itself. For example: if the file is called myoffice.nmconnection, you would just use "myoffice".
-ask tells the program to ask you for your password (some vpn connections won't work if you store the password, and require it to be passed new each time you connect).

This worked like a charm.

I think the KDE applet should probably be updated to include this field, but at least now I can connect which is the important thing.
dkosovic
Registered Member
Posts
2
Karma
0
With KDE's Plasma 5.19.0 released yesterday, there is now a "Disable PFS" checkbox in the IPsec options, along with other options introduced with NetworkManager-l2tp 1.8.

Image

 
Reply to topic

Bookmarks



Who is online

Registered users: Baidu [Spider], bassamanator, Bing [Bot], bovender, Google [Bot], grosser, Majestic-12 [Bot], Merlimau, norobot, pareekyashovardhan, samidon, Sogou [Bot], Yahoo [Bot], zachalexy