<div dir="ltr">o.k deleted source tree and started again. It now looks as if there's a difference between what happens when talking to the RADIUS server used by the VPN server<div><br></div><div>Below is a snippet from /var/log/syslog for the charon-nm process. As before CLI VPN connections just work. I've run the following ./configured</div><div><br></div><div>./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 --disable-fips-prf --disable-gmp --enable-openssl --enable-nm --enable-agent --enable-eap-mschapv2 --enable-eap-identity --enable-curl --enable-eap-peap --with-nm-ca-dir=/etc/ssl/certs<br></div><div><br></div><div>I've created a network manager config called Alex99, specifying a gateway server FQDN of <a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a> with no cert specified and client authentication of EAP, specifying my account ( <a href="mailto:as1558@york.ac.uk">as1558@york.ac.uk</a>)</div><div><br></div><div>On the VPN server both the CLI initiated VPN connection and the Network manager initiated one use the same VPN server connection definition</div><div><br></div><div># </div><div># Initiating vpn connection request from network manager</div><div># .. to server <a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a></div><div>#</div><div><div>Dec 1 10:40:13 deadpool charon-nm: 05[CFG] received initiate for NetworkManager connection Alex99</div><div>Dec 1 10:40:13 deadpool charon-nm: 05[CFG] C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3 is not self signed</div><div>Dec 1 10:40:13 deadpool charon-nm: 05[CFG] C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Organization Validation Secure Server CA is not self signed</div><div>Dec 1 10:40:13 deadpool charon-nm: 05[CFG] using CA certificate, gateway identity '<a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a>'</div><div>Dec 1 10:40:13 deadpool charon-nm: 05[IKE] initiating IKE_SA Alex99[6] to 144.32.128.199</div><div>Dec 1 10:40:13 deadpool charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 05[NET] sending packet: from 144.32.230.152[45805] to 144.32.128.199[500] (752 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 08[NET] received packet: from 144.32.128.199[500] to 144.32.230.152[45805] (38 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048</div><div>Dec 1 10:40:13 deadpool charon-nm: 08[IKE] initiating IKE_SA Alex99[6] to 144.32.128.199</div><div>Dec 1 10:40:13 deadpool charon-nm: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 08[NET] sending packet: from 144.32.230.152[45805] to 144.32.128.199[500] (944 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 09[NET] received packet: from 144.32.128.199[500] to 144.32.230.152[45805] (464 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 09[IKE] faking NAT situation to enforce UDP encapsulation</div><div>#</div><div># Why does charon do this ? these certs are located in /etc/ipsec.d/cacerts on the client machine.</div><div>#</div><div>#</div><div>Dec 1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"</div><div>Dec 1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"</div><div>Dec 1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SHA-256 Organization Validation Secure Server CA"</div><div>Dec 1 10:40:13 deadpool charon-nm: 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"</div><div>#</div><div>#</div><div>#</div><div>Dec 1 10:40:13 deadpool charon-nm: 09[IKE] establishing CHILD_SA Alex99{6}</div><div>Dec 1 10:40:13 deadpool charon-nm: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 09[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (412 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 10[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1248 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 10[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 10[ENC] received fragment #1 of 3, waiting for complete IKE message</div><div>Dec 1 10:40:13 deadpool charon-nm: 11[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1248 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 11[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 11[ENC] received fragment #2 of 3, waiting for complete IKE message</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (128 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[ENC] received fragment #3 of 3, reassembling fragmented IKE message</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[IKE] received end entity cert "C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=<a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a>"</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] using certificate "C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=<a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a>"</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] using trusted intermediate ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] checking certificate status of "C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=<a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a>"</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response correctly signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature"</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response is valid: until Dec 03 09:49:51 2017</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] using cached ocsp response</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] certificate status is good</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] using trusted ca certificate "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] checking certificate status of "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response verification failed, invalid signature</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response correctly signed by "C=BM, O=QuoVadis Limited, OU=OCSP Responder, CN=QuoVadis OCSP Authority Signature"</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] ocsp response is valid: until Dec 03 09:49:51 2017</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] using cached ocsp response</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] certificate status is good</div><div>#</div><div># Should I worry about this ? its a normal server cert</div><div>#</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] certificate policy 1.3.6.1.4.1.8024.0.2.100.1.1 for 'C=GB, ST=City of York, L=YORK, O=University of York, OU=IT Services, CN=<a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a>' not allowed by trustchain, ignored</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[CFG] reached self-signed root ca with a path length of 1</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[IKE] authentication of '<a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a>' with RSA_EMSA_PKCS1_SHA2_256 successful</div><div><br></div><div>#</div><div># So at his point the client recognises <a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a> as a valid certificate</div><div># ... so start the EAP-PEAP authentication</div><div>#</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[IKE] server requested EAP_IDENTITY (id 0x00), sending '<a href="mailto:as1558@york.ac.uk">as1558@york.ac.uk</a>'</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 12[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (92 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 13[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (76 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 13[IKE] server requested EAP_PEAP authentication (id 0x01)</div><div>Dec 1 10:40:13 deadpool charon-nm: 13[TLS] EAP_PEAP version is v1</div><div>Dec 1 10:40:13 deadpool charon-nm: 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/PEAP ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 13[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (268 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 14[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 14[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 14[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</div><div>Dec 1 10:40:13 deadpool charon-nm: 14[ENC] generating IKE_AUTH request 4 [ EAP/RES/PEAP ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 14[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 15[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 15[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 15[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 15[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 16[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 16[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 16[ENC] generating IKE_AUTH request 6 [ EAP/RES/PEAP ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 16[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 06[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (1100 bytes)</div><div>Dec 1 10:40:13 deadpool charon-nm: 06[ENC] parsed IKE_AUTH response 6 [ EAP/REQ/PEAP ]</div><div>#</div><div># Where is this coming from ? The cert on <a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a> lives on a host called <a href="http://vpn10.york.ac.uk">vpn10.york.ac.uk</a> and has multiple SubjAlt Name entries for all the real vpn servers we might want to use the cert on.</div><div># Think this is "wrong " message, </div><div>Dec 1 10:40:13 deadpool charon-nm: 06[TLS] server certificate does not match to '<a href="http://vpn.york.ac.uk">vpn.york.ac.uk</a>'</div><div>Dec 1 10:40:13 deadpool charon-nm: 06[TLS] sending fatal TLS alert 'access denied'</div><div>#</div><div># So I guess its failed now. Now looking at the RADIUS sever end I can see a failed eap-peap auth request for my userid</div><div>#</div><div>Dec 1 10:40:13 deadpool charon-nm: 06[ENC] generating IKE_AUTH request 7 [ EAP/RES/PEAP ]</div><div>Dec 1 10:40:13 deadpool charon-nm: 06[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (92 bytes)</div><div>Dec 1 10:40:15 deadpool charon-nm: 07[NET] received packet: from 144.32.128.199[4500] to 144.32.230.152[42743] (76 bytes)</div><div>Dec 1 10:40:15 deadpool charon-nm: 07[ENC] parsed IKE_AUTH response 7 [ EAP/FAIL ]</div><div>Dec 1 10:40:15 deadpool charon-nm: 07[IKE] received EAP_FAILURE, EAP authentication failed</div><div>Dec 1 10:40:15 deadpool charon-nm: 07[ENC] generating INFORMATIONAL request 8 [ N(AUTH_FAILED) ]</div><div>Dec 1 10:40:15 deadpool charon-nm: 07[NET] sending packet: from 144.32.230.152[42743] to 144.32.128.199[4500] (76 bytes)</div></div><div><br></div><div><br></div><div>on the VPN server I can see that the same service definition is being used. On the RADIUS server I can see one connection from the VPN client succeeding and one failing</div><div><br></div><div>How can I increase charon-nm debugging on the client to see what its doing? Setting charondebug doesn't seem to do anything for network manager iVPN initiations</div><div><br></div><div>Rgds</div><div>Alex</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 1 December 2017 at 09:40, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Alex,<br>
<span class=""><br>
> What do i have to do to make the plugin use my new value ?<br>
<br>
</span>No idea. Just make sure the executables you built are actually the ones<br>
that are installed and get executed. Alternatively, you may also<br>
configure the directory via charon-nm.ca_dir in strongswan.conf.<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div><br></div>