[strongSwan] Connection issues

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jun 20 18:00:20 CEST 2017 


On 20.06.2017 17:22, Sebastian Bayer wrote:
> Dear all,
>
> I am very new to strongswan and quite excited about it: lot of interesting things to read and understand.
> The reason why I'm writing is that I want to connect to my VPN service via IKEv2 from my notebook running Arch and have troubles initiating the connection.
> As my VPN service only recently allowed for IKEv2, they do not have good Linux support yet, only mobile devices and Windows.
>
> I tried my best to find a working configuration, but now I am stuck / confused. 
>
> According to the logs:
>
>     authentication of 'xxx' with EAP successful
>     IKE_SA vpn[17] established between 192.168.178.35[xxx]...xxx[xxx]
>
>
> but at the same time:
>
>     establishing connection 'vpn' failed
>

You need to read further than the IKE_SA established. With `ipsec up`/`swanctl -i --child[...]`, you're telling the daemon to establish a CHILD_SA.
Doing that fails, so the connection fails.

>
> Below, please find the relevant files and logs. Do you have a hint what to do or try next?
>
> Regards
> Sebastian
>
>
> ### /etc/ipsec.secrets
> xxx : EAP "xxx"
>
> ###/etc/ipsec.conf
>
> config setup
> # charondebug="cfg 4, dmn 4, ike 4, net 4"
> # strictcrlpolicy=yes
> # uniqueids = no
>
> conn vpn
> # Key settings
> keyexchange=ikev2
> ike=aes128-sha1-modp1024!
> auto=add
>
> # Keep alive
> dpdaction=clear
> dpddelay=300s
>
> # Local
> eap_identity=xxx
> leftid=xxx
> leftauth=eap-mschapv2
> # Remote
> right=xxx
> rightauth=pubkey
> rightsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> rightid=%any
> rightcert=cert.pem
> type=tunnel
That's redundant, because it's the default.
>
>
> ### log
> [root at X230 sebastian]# ipsec up vpn
> initiating IKE_SA vpn[17] to xxx
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.178.35[500] to xxx[500] (338 bytes)
> received packet: from xxx[500] to 192.168.178.35[500] (336 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> sending cert request for "xxx"
> establishing CHILD_SA vpn
> generating IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 192.168.178.35[4500] to xxx[4500] (364 bytes)
> received packet: from xxx[4500] to 192.168.178.35[4500] (1248 bytes)
> parsed IKE_AUTH response 1 [ EF(1/2) ]
> received fragment #1 of 2, waiting for complete IKE message
> received packet: from xxx[4500] to 192.168.178.35[4500] (320 bytes)
> parsed IKE_AUTH response 1 [ EF(2/2) ]
> received fragment #2 of 2, reassembling fragmented IKE message
> parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> received end entity cert "xxx"
>   using certificate "xxx"
>   using trusted ca certificate "xxx"
> checking certificate status of "xxx"
> certificate status is not available
>   reached self-signed root ca with a path length of 0
> authentication of 'xxx' with RSA_EMSA_PKCS1_SHA2_256 successful
> server requested EAP_IDENTITY (id 0x00), sending 'xxx'
> generating IKE_AUTH request 2 [ EAP/RES/ID ]
> sending packet: from 192.168.178.35[4500] to xxx[4500] (92 bytes)
> received packet: from xxx[4500] to 192.168.178.35[4500] (92 bytes)
> parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> server requested EAP_MD5 authentication (id 0x01)
> requesting EAP_MSCHAPV2 authentication, sending EAP_NAK
> generating IKE_AUTH request 3 [ EAP/RES/NAK ]
> sending packet: from 192.168.178.35[4500] to xxx[4500] (76 bytes)
> received packet: from xxx[4500] to 192.168.178.35[4500] (108 bytes)
> parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> server requested EAP_MSCHAPV2 authentication (id 0x02)
> generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> sending packet: from 192.168.178.35[4500] to xxx[4500] (140 bytes)
> received packet: from xxx[4500] to 192.168.178.35[4500] (124 bytes)
> parsed IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
> EAP-MS-CHAPv2 succeeded: '(null)'
> generating IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
> sending packet: from 192.168.178.35[4500] to xxx[4500] (76 bytes)
> received packet: from xxx[4500] to 192.168.178.35[4500] (76 bytes)
> parsed IKE_AUTH response 5 [ EAP/SUCC ]
> EAP method EAP_MSCHAPV2 succeeded, MSK established
> authentication of 'xxx' (myself) with EAP
> generating IKE_AUTH request 6 [ AUTH ]
> sending packet: from 192.168.178.35[4500] to xxx[4500] (92 bytes)
> received packet: from xxx[4500] to 192.168.178.35[4500] (220 bytes)
> parsed IKE_AUTH response 6 [ AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
> authentication of 'xxx' with EAP successful
> IKE_SA vpn[17] established between 192.168.178.35[xxx]...xxx[xxx]
> scheduling reauthentication in 10243s
> maximum IKE_SA lifetime 10783s
> received FAILED_CP_REQUIRED notify, no CHILD_SA built
Add leftsourceip=%config4, %config6. That makes charon request an IP address from the peer.
Right now, the peer complains about charon not doing that.
> failed to establish CHILD_SA, keeping IKE_SA
> establishing connection 'vpn' failed
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170620/9a6e5c5a/attachment.sig>

More information about the Users mailing list