[strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

David H Durgee dhdurgee at verizon.net
Mon Jun 28 13:44:54 CEST 2021


I added that package and got further this time:

> Jun 28 07:33:57 Z560 charon-nm: 13[IKE] server requested EAP_IDENTITY 
> (id 0x00), sending 'dhdurgee'
> Jun 28 07:33:57 Z560 charon-nm: 13[ENC] generating IKE_AUTH request 2 
> [ EAP/RES/ID ]
> Jun 28 07:33:57 Z560 charon-nm: 13[NET] sending packet: from 
> 192.168.1.114[47031] to 108.31.28.59[4500] (92 bytes)
> Jun 28 07:33:58 Z560 charon-nm: 15[NET] received packet: from 
> 108.31.28.59[4500] to 192.168.1.114[47031] (108 bytes)
> Jun 28 07:33:58 Z560 charon-nm: 15[ENC] parsed IKE_AUTH response 2 [ 
> EAP/REQ/MSCHAPV2 ]
> Jun 28 07:33:58 Z560 charon-nm: 15[IKE] server requested EAP_MSCHAPV2 
> authentication (id 0xB0)
> Jun 28 07:33:58 Z560 charon-nm: 15[ENC] generating IKE_AUTH request 3 
> [ EAP/RES/MSCHAPV2 ]
> Jun 28 07:33:58 Z560 charon-nm: 15[NET] sending packet: from 
> 192.168.1.114[47031] to 108.31.28.59[4500] (140 bytes)
> Jun 28 07:33:58 Z560 charon-nm: 01[NET] received packet: from 
> 108.31.28.59[4500] to 192.168.1.114[47031] (140 bytes)
> Jun 28 07:33:58 Z560 charon-nm: 01[ENC] parsed IKE_AUTH response 3 [ 
> EAP/REQ/MSCHAPV2 ]
> Jun 28 07:33:58 Z560 charon-nm: 01[IKE] EAP-MS-CHAPv2 succeeded: 
> 'Welcome2strongSwan'
> Jun 28 07:33:58 Z560 charon-nm: 01[ENC] generating IKE_AUTH request 4 
> [ EAP/RES/MSCHAPV2 ]
> Jun 28 07:33:58 Z560 charon-nm: 01[NET] sending packet: from 
> 192.168.1.114[47031] to 108.31.28.59[4500] (76 bytes)
> Jun 28 07:33:58 Z560 charon-nm: 07[NET] received packet: from 
> 108.31.28.59[4500] to 192.168.1.114[47031] (76 bytes)
> Jun 28 07:33:58 Z560 charon-nm: 07[ENC] parsed IKE_AUTH response 4 [ 
> EAP/SUCC ]
> Jun 28 07:33:58 Z560 charon-nm: 07[IKE] EAP method EAP_MSCHAPV2 
> succeeded, MSK established
> Jun 28 07:33:58 Z560 charon-nm: 07[IKE] authentication of 'dhdurgee' 
> (myself) with EAP
> Jun 28 07:33:58 Z560 charon-nm: 07[ENC] generating IKE_AUTH request 5 
> [ AUTH ]
> Jun 28 07:33:58 Z560 charon-nm: 07[NET] sending packet: from 
> 192.168.1.114[47031] to 108.31.28.59[4500] (92 bytes)
> Jun 28 07:33:58 Z560 charon-nm: 06[NET] received packet: from 
> 108.31.28.59[4500] to 192.168.1.114[47031] (124 bytes)
> Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [ 
> AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] authentication of 
> 'durgeeenterprises.publicvm.com' with EAP successful
> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] IKE_SA Durgee Enterprises, 
> LLC[1] established between 
> 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] scheduling rekeying in 35606s
> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] maximum IKE_SA lifetime 36206s
> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED 
> notify, no CHILD_SA built
> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] failed to establish CHILD_SA, 
> keeping IKE_SA
> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] peer supports MOBIKE
> Jun 28 07:33:58 Z560 charon-nm: 08[IKE] deleting IKE_SA Durgee 
> Enterprises, LLC[1] between 
> 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
> Jun 28 07:33:58 Z560 charon-nm: 08[IKE] sending DELETE for IKE_SA 
> Durgee Enterprises, LLC[1]
> Jun 28 07:33:58 Z560 charon-nm: 08[ENC] generating INFORMATIONAL 
> request 6 [ D ]
> Jun 28 07:33:58 Z560 charon-nm: 08[NET] sending packet: from 
> 192.168.1.114[47031] to 108.31.28.59[4500] (76 bytes)
> Jun 28 07:33:58 Z560 charon-nm: 09[NET] received packet: from 
> 108.31.28.59[4500] to 192.168.1.114[47031] (76 bytes)
> Jun 28 07:33:58 Z560 charon-nm: 09[ENC] parsed INFORMATIONAL response 
> 6 [ ]
> Jun 28 07:33:58 Z560 charon-nm: 09[IKE] IKE_SA deleted

Obviously I am still missing something or have a setting wrong. Any 
suggestions?

Dave

> Charles Fadipe wrote:
>
> Hi David,
>
>
> Please confirm you have strongSwan's eap-mschapv2 plugin installed.
>
> If not, try installing libcharon-extra-plugins on your client.
>
>
> Kind Regards
>
> Charles Fadipe
> Junior Penetration and Security Tester
> University Information Services
> University of Cambridge
>
>
> ------------------------------------------------------------------------
> *From:* Users <users-bounces at lists.strongswan.org> on behalf of David 
> H Durgee <dhdurgee at verizon.net>
> *Sent:* Sunday, June 27, 2021 10:42 pm
> *To:* users at lists.strongswan.org
> *Subject:* [strongSwan] problem connecting linux laptop to VPN using 
> network-manager-strongswan 1.4.5-2.1
> I am encountering a problem attempting to access a VPN using strongswan
> from my linux laptop.  I have it working from an android phone and
> tablet as well as a windows laptop, so I know the server is configured
> properly.
>
> The connection appears to start normally and then fails at the EAP
> stage.  Log on the linux laptop shows:
>
> > Jun 27 17:05:15 Z560 charon-nm: 06[IKE] authentication of
> > 'durgeeenterprises.publicvm.com' with RSA_EMSA_PKCS1_SHA2_384 successful
> > Jun 27 17:05:15 Z560 charon-nm: 06[IKE] server requested EAP_IDENTITY
> > (id 0x00), sending 'dhdurgee'
> > Jun 27 17:05:15 Z560 charon-nm: 06[IKE] EAP_IDENTITY not supported,
> > sending EAP_NAK
> > Jun 27 17:05:15 Z560 charon-nm: 06[ENC] generating IKE_AUTH request 2
> > [ EAP/RES/NAK ]
> > Jun 27 17:05:15 Z560 charon-nm: 06[NET] sending packet: from
> > 192.168.1.114[60298] to 108.31.28.59[4500] (76 bytes)
> > Jun 27 17:05:15 Z560 charon-nm: 09[NET] received packet: from
> > 108.31.28.59[4500] to 192.168.1.114[60298] (76 bytes)
> > Jun 27 17:05:15 Z560 charon-nm: 09[ENC] parsed IKE_AUTH response 2 [
> > EAP/FAIL ]
> > Jun 27 17:05:15 Z560 charon-nm: 09[IKE] received EAP_FAILURE, EAP
> > authentication failed
> > Jun 27 17:05:15 Z560 charon-nm: 09[ENC] generating INFORMATIONAL
> > request 3 [ N(AUTH_FAILED) ]
> > Jun 27 17:05:15 Z560 charon-nm: 09[NET] sending packet: from
> > 192.168.1.114[60298] to 108.31.28.59[4500] (76 bytes)
>
> While on the server end I see:
>
> > Jun 27 17:05:15 DG41TY charon: 06[CFG] looking for peer configs
> > matching 192.168.80.11[%any]...172.58.187.218[dhdurgee]
> > Jun 27 17:05:15 DG41TY charon: 06[CFG] selected peer config 'ikev2-vpn'
> > Jun 27 17:05:15 DG41TY charon: 06[IKE] initiating EAP_IDENTITY method
> > (id 0x00)
> > Jun 27 17:05:15 DG41TY charon: 06[IKE] peer supports MOBIKE
> > Jun 27 17:05:15 DG41TY charon: 06[IKE] authentication of
> > 'durgeeenterprises.publicvm.com' (myself) with RSA_EMSA_PKCS1_SHA384
> > successful
> > Jun 27 17:05:15 DG41TY charon: 06[IKE] sending end entity cert "C=US,
> > O=Durgee Enterprises LLC, CN=durgeeenterprises.publicvm.com"
> > Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> > [ IDr CERT AUTH EAP/REQ/ID ]
> > Jun 27 17:05:15 DG41TY charon: 06[ENC] splitting IKE message with
> > length of 2092 bytes into 5 fragments
> > Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> > [ EF(1/5) ]
> > Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> > [ EF(2/5) ]
> > Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> > [ EF(3/5) ]
> > Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> > [ EF(4/5) ]
> > Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> > [ EF(5/5) ]
> > Jun 27 17:05:15 DG41TY charon: 06[NET] sending packet: from
> > 192.168.80.11[4500] to 172.58.187.218[54591] (544 bytes)
> > Jun 27 17:05:15 DG41TY charon: message repeated 3 times: [ 06[NET]
> > sending packet: from 192.168.80.11[4500] to 172.58.187.218[54591] (544
> > bytes)]
> > Jun 27 17:05:15 DG41TY charon: 06[NET] sending packet: from
> > 192.168.80.11[4500] to 172.58.187.218[54591] (176 bytes)
> > Jun 27 17:05:15 DG41TY charon: 05[NET] received packet: from
> > 172.58.187.218[54591] to 192.168.80.11[4500] (76 bytes)
> > Jun 27 17:05:15 DG41TY charon: 05[ENC] parsed IKE_AUTH request 2 [
> > EAP/RES/NAK ]
> > Jun 27 17:05:15 DG41TY charon: 05[IKE] received EAP_NAK, sending
> > EAP_FAILURE
> > Jun 27 17:05:15 DG41TY charon: 05[ENC] generating IKE_AUTH response 2
> > [ EAP/FAIL ]
> > Jun 27 17:05:15 DG41TY charon: 05[NET] sending packet: from
> > 192.168.80.11[4500] to 172.58.187.218[54591] (76 bytes)
>
> What am I doing wrong here?  I assume I have an error in the linux
> client configuration, since android and windows clients work with the
> server.  What did I miss?
>
> Dave
>
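
Both failures in this thread can be recognised mechanically from the client-side charon-nm log: the EAP_NAK on the first attempt and the FAILED_CP_REQUIRED notify on the second. The triage script below is an added example, not part of the original e-mails and not strongSwan code; the names `unwrap` and `triage` and the explanation strings are this example's own, with the notify meanings taken from RFC 7296.

```python
import re

# Start of a syslog record as it appears in this thread's logs.
RECORD = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} \S+ charon(?:-nm)?: ")
# Markers copied from the thread's logs; the explanations are this example's
# reading of them (RFC 7296 notify semantics), not strongSwan output.
SIGNATURES = [
    ("EAP_IDENTITY not supported, sending EAP_NAK", "eap",
     "client has no plugin for the requested EAP method"),
    ("received EAP_FAILURE", "eap", "server aborted EAP authentication"),
    ("received FAILED_CP_REQUIRED notify", "child_sa",
     "server expected a CP(CFG_REQUEST) that the client did not send"),
    ("N(TS_UNACCEPT)", "child_sa",
     "server rejected the proposed traffic selectors"),
]
# Excerpts from the two log captures above, still quoted and wrapped as mailed.
FIRST_ATTEMPT = """\
> > Jun 27 17:05:15 Z560 charon-nm: 06[IKE] EAP_IDENTITY not supported,
> > sending EAP_NAK
> > Jun 27 17:05:15 Z560 charon-nm: 09[IKE] received EAP_FAILURE, EAP
> > authentication failed
"""
SECOND_ATTEMPT = """\
> Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [
> AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED
> notify, no CHILD_SA built
"""

def unwrap(text):
    """Strip '>' quoting and rejoin records that the mail client wrapped."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if line and (RECORD.match(line) or not records):
            records.append(line)
        elif line:
            records[-1] += " " + line  # continuation of the previous record
    return records

def triage(text):
    """Return (stage, explanation) for each known failure marker, in log order."""
    findings = []
    for record in unwrap(text):
        findings += [(stage, why) for needle, stage, why in SIGNATURES
                     if needle in record and (stage, why) not in findings]
    return findings

if __name__ == "__main__":
    for name, log in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        print(name, triage(log))
```

Rejoining the wrapped lines matters here: in the mailed log the FAILED_CP_REQUIRED message is split across two quoted lines, so a plain line-by-line search for the full message would miss it.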
