"Could not activate VPN"

Moppel · December 29, 2021, 9:14am

Hello dear Community,

today I tried connecting to my university VPN. But when I click “connect” it says “Could not activate VPN”.

I followed the instructions of my universtity.

I also tried to follow the archwiki, but one of the first commands ipsec verify does not work for me.

[jannisf@x270 ~]$ ipsec verify
/usr/bin/ipsec: unknown command `verify' (`ipsec --help' for list)

strongswan packages

[jannisf@x270 ~]$ pacman -Ss strongswan
community/networkmanager-strongswan 1.5.2-3 [Installiert]
    Strongswan NetworkManager plugin
community/strongswan 5.9.4-2 [Installiert]
    Open source IPsec implementation

strongswan service

[jannisf@x270 ~]$ systemctl | grep strongswan
  strongswan.service                                                                     loaded active running   strongSwan IPsec IKEv1/IKEv2 daemon using swanctl

inxi -F

[jannisf@x270 ~]$ inxi -F
System:
  Host: x270 Kernel: 5.15.11-arch2-1 x86_64 bits: 64
    Desktop: KDE Plasma 5.23.4 Distro: EndeavourOS
Machine:
  Type: Laptop System: LENOVO product: 20HN0016MX v: ThinkPad X270
    serial: <superuser required>
  Mobo: LENOVO model: 20HN0016MX v: SDK0J40697 WIN
    serial: <superuser required> UEFI: LENOVO v: R0IET62W (1.40 )
    date: 06/28/2020
Battery:
  ID-1: BAT0 charge: 19.4 Wh (94.6%) condition: 20.5/23.2 Wh (88.3%)
  ID-2: BAT1 charge: 20.0 Wh (100.0%) condition: 20.0/23.5 Wh (85.3%)
CPU:
  Info: dual core model: Intel Core i5-7200U bits: 64 type: MT MCP cache:
    L2: 512 KiB
  Speed (MHz): avg: 927 min/max: 400/3100 cores: 1: 963 2: 901 3: 946
    4: 900
Graphics:
  Device-1: Intel HD Graphics 620 driver: i915 v: kernel
  Device-2: Acer Integrated Camera type: USB driver: uvcvideo
  Display: x11 server: X.Org 1.21.1.2 driver: loaded: intel
    unloaded: modesetting resolution: 1920x1080~60Hz
  OpenGL: renderer: Mesa Intel HD Graphics 620 (KBL GT2) v: 4.6 Mesa 21.3.2
Audio:
  Device-1: Intel Sunrise Point-LP HD Audio driver: snd_hda_intel
  Sound Server-1: ALSA v: k5.15.11-arch2-1 running: yes
  Sound Server-2: PipeWire v: 0.3.42 running: yes
Network:
  Device-1: Intel Ethernet I219-V driver: e1000e
  IF: enp0s31f6 state: up speed: 1000 Mbps duplex: full
    mac: c8:5b:76:dd:38:f3
  Device-2: Intel Wireless 8265 / 8275 driver: iwlwifi
  IF: wlan0 state: down mac: c6:5f:1b:53:17:c0
Bluetooth:
  Device-1: Intel Bluetooth wireless interface type: USB driver: btusb
  Report: rfkill ID: hci0 rfk-id: 1 state: down bt-service: disabled
    rfk-block: hardware: no software: no address: see --recommends
Drives:
  Local Storage: total: 238.47 GiB used: 8.55 GiB (3.6%)
  ID-1: /dev/nvme0n1 vendor: Samsung model: MZVLW256HEHP-000L7
    size: 238.47 GiB
Partition:
  ID-1: / size: 224.71 GiB used: 8.55 GiB (3.8%) fs: ext4 dev: /dev/dm-0
  ID-2: /boot/efi size: 299.4 MiB used: 448 KiB (0.1%) fs: vfat
    dev: /dev/nvme0n1p1
Swap:
  ID-1: swap-1 type: partition size: 8.8 GiB used: 0 KiB (0.0%)
    dev: /dev/dm-1
Sensors:
  System Temperatures: cpu: 45.0 C pch: 41.0 C mobo: N/A
  Fan Speeds (RPM): fan-1: 0
Info:
  Processes: 178 Uptime: 25m Memory: 7.53 GiB used: 2.49 GiB (33.0%)
  Shell: Bash inxi: 3.3.11

I hope I gave enough information - feel free to ask for more.

Thank you very much in advance!

jonathon · December 29, 2021, 2:46pm

Did you also install networkmanager-l2tp ?

Interesting. It looks like this version of ipsec doesn’t have a verify command:

$ ipsec --help

ipsec command [arguments]

Commands:
	start|restart [arguments]
	update|reload|stop
	up|down|route|unroute <connectionname>
	down-srcip <start> [<end>]
	status|statusall [<connectionname>]
	listalgs|listpubkeys|listcerts [--utc]
	listcacerts|listaacerts|listocspcerts [--utc]
	listacerts|listgroups|listcainfos [--utc]
	listcrls|listocsp|listplugins|listall [--utc]
	listcounters|resetcounters [name]
	leases [<poolname> [<address>]]
	rereadsecrets|rereadcacerts|rereadaacerts
	rereadocspcerts|rereadacerts|rereadcrls|rereadall
	purgecerts|purgecrls|purgeike|purgeocsp
	scepclient|pki
	stroke
	version

Refer to the ipsec(8) man page for details.
Some commands have their own man pages, e.g. pki(1) or scepclient(8).

Is the service started? Does status provide anything interesting? Also check output against https://wiki.archlinux.org/title/Openswan_L2TP/IPsec_VPN_client_setup#Troubleshooting

Moppel · December 30, 2021, 8:06am

Yes, it’s installed.

[jannisf@x270 ~]$ systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
     Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2021-12-29 14:31:24 CET; 18h ago
    Process: 441 ExecStartPost=/usr/bin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
   Main PID: 403 (charon-systemd)
     Status: "charon-systemd running, strongSwan 5.9.4, Linux 5.15.11-arch2-1, x86_64"
      Tasks: 17 (limit: 9222)
     Memory: 12.4M
        CPU: 385ms
     CGroup: /system.slice/strongswan.service
             └─403 /usr/bin/charon-systemd

Seems OK, no?

journalctl | grep vpn

Dez 30 09:00:35 x270 charon-nm[9434]: 05[IKE] initiating IKE_SA uni mainz vpn[2] to 2001:4c80:40:62a:21d:d8ff:feb7:214f
Dez 30 09:00:35 x270 NetworkManager[401]: <info>  [1640851235.0135] vpn-connection[0x55bdbc604780,5a8bbe2e-828c-4e48-9221-04d494b0d9fb,"uni mainz vpn",0]: VPN plugin: state changed: starting (3)
Dez 30 09:00:35 x270 charon-nm[9434]: 09[IKE] initiating IKE_SA uni mainz vpn[2] to 2001:4c80:40:62a:21d:d8ff:feb7:214f
Dez 30 09:00:39 x270 NetworkManager[401]: <warn>  [1640851239.0272] vpn-connection[0x55bdbc604780,5a8bbe2e-828c-4e48-9221-04d494b0d9fb,"uni mainz vpn",0]: VPN plugin: failed: login-failed (0)
Dez 30 09:00:39 x270 NetworkManager[401]: <warn>  [1640851239.0279] vpn-connection[0x55bdbc604780,5a8bbe2e-828c-4e48-9221-04d494b0d9fb,"uni mainz vpn",0]: VPN plugin: failed: connect-failed (1)
Dez 30 09:00:39 x270 NetworkManager[401]: <info>  [1640851239.0280] vpn-connection[0x55bdbc604780,5a8bbe2e-828c-4e48-9221-04d494b0d9fb,"uni mainz vpn",0]: VPN plugin: state changed: stopping (5)
Dez 30 09:00:39 x270 NetworkManager[401]: <info>  [1640851239.0283] vpn-connection[0x55bdbc604780,5a8bbe2e-828c-4e48-9221-04d494b0d9fb,"uni mainz vpn",0]: VPN plugin: state changed: stopped (6)

This does look like the login information is wrong? Very strange, because I double-triple checked it.

The vpn connection over pptp works fine btw.

Looks like I have to contact the universtity IT service?

jonathon · December 30, 2021, 1:31pm

Are you using the correct username/password format? (e.g. some variants of DOMAIN\username or username@domain or just username)

It’s a good option - you’ve at least done some decent digging to try and work out what’s not working.

Moppel · January 7, 2022, 1:27pm

I reached for the university IT service.
They said it only works with debian at the moment and they don’t know why.

Sad.

Thank you for your help!

system · January 9, 2022, 1:28pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.