[strongSwan] help setting up basic VPN on ubuntu

Imran Akbar skunkwerk at gmail.com
Wed Dec 3 06:00:12 CET 2014


I'd like to try to get EAP/PSK working, as certificates introduce
additional complexity on the client side.
Does anyone have a working configuration they can share with me?  Or
suggest changes I could make to my configuration?

regards,
imran

On Sun, Nov 30, 2014 at 4:25 PM, Imran Akbar <skunkwerk at gmail.com> wrote:

> Success!
> I finally got it working by using certificates and following this example:
> http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
> Still don't know what the issue was with the EAP/PSK config.
>
> many thanks,
> imran
>
> On Sun, Nov 30, 2014 at 2:43 PM, Imran Akbar <skunkwerk at gmail.com> wrote:
>
>> Sure Noel,
>>
>> Here's the complete server log from startup up to and including the
>> authentication request: http://pastebin.com/X8a0xunC
>> And this is a screenshot
>> <https://s3.amazonaws.com/pushbullet-uploads/ujBvnCpT4IC-kZXEDbaZszgiNSnbFKRLvu9QxRtio85p/Screenshot_2014-11-30-14-35-29.png>
>> of how I'm connecting via the StrongSwan Android app
>>
>> yours,
>> imran
>>
>> On Sun, Nov 30, 2014 at 1:23 PM, Noel Kuntze <noel at familie-kuntze.de>
>> wrote:
>>
>>>
>>> Hello Imran,
>>>
>>> Do you mind posting the complete log from daemon start to the error?
>>>
>>> And yes, PSK is the easiest way, but if you are experienced with
>>> certificates, you can also take that approach.
>>>
>>>
>>> Mit freundlichen Grüßen/Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> Am 30.11.2014 um 20:34 schrieb Imran Akbar:
>>> > Hey Noel,
>>> >     I feel like it's close to working, but still getting the same
>>> message after making that change and restarting.  Do you think it's the
>>> "config inacceptable" error that's causing authentication to fail, or is it
>>> something in my secrets file?
>>> >
>>> > ipsec.conf now looks like: http://pastebin.com/tUN6jmaS
>>> >
>>> > the server log says:
>>> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] looking for peer
>>> configs matching 172.31.25.2[%any]...76.126.165.62[app]
>>> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] selected peer config
>>> 'vpn'
>>> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] peer requested EAP,
>>> config inacceptable
>>> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] no alternative config
>>> found
>>> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] received
>>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] peer supports MOBIKE
>>> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[ENC] generating IKE_AUTH
>>> response 1 [ N(AUTH_FAILED) ]
>>> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[NET] sending packet: from
>>> 172.31.25.2[4500] to 76.126.165.62[37721] (76 bytes)
>>> >
>>> > and the client log says "parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]"
>>> >
>>> > Is using a PSK the easiest way to set up StrongSwan?  I assumed that
>>> was the case, but I tried using certificates as well by following this
>>> example (http://kleinerman.org/ipsec-with-strongswan/) but I get stuck
>>> at the last step, as the Android app wants a client certificate as well,
>>> which I haven't generated.
>>> >
>>> > thanks again,
>>> > imran
>>> >
>>> >
>>> >
>>> > On Sun, Nov 30, 2014 at 2:39 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>> >
>>> >
>>> > Hello Imran,
>>> >
>>> > I gave you wrong information in my last email. I'm sorry.
>>> >
>>> > The correct setting is "eap-mschapv2", not "eap-mschap".
>>> >
>>> >
>>> > Mit freundlichen Grüßen/Regards,
>>> > Noel Kuntze
>>> >
>>> > GPG Key ID: 0x63EC6658
>>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> >
>>> > Am 30.11.2014 um 05:09 schrieb Imran Akbar:
>>> > > thanks Noel,
>>> >
>>> > > I've made those changes and restarted ipsec, but I'm still getting
>>> the same error in my server log:
>>> >
>>> > > "peer requested EAP, config inacceptable"
>>> > > "no alternative config found"
>>> >
>>> > > This is my updated ipsec: http://pastebin.com/TnZaiZX8
>>> >
>>> > > Does that look correct?
>>> >
>>> > > appreciate the help,
>>> > > imran
>>> >
>>> > > On Sat, Nov 29, 2014 at 5:47 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>> >
>>> >
>>> > > Hello Imran,
>>> >
>>> > > If you want to use psk-mschapv2, you need to specify
>>> > > leftauth=psk
>>> > > rightauth=psk
>>> > > rightauth2=eap-mschap
>>> >
>>> > > Please make sure this is in your configuration.
>>> >
>>> > > Mit freundlichen Grüßen/Regards,
>>> > > Noel Kuntze
>>> >
>>> > > GPG Key ID: 0x63EC6658
>>> > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> >
>>> > > Am 30.11.2014 um 02:09 schrieb Imran Akbar:
>>> > > > thanks for pointing me in the right direction Noel.
>>> >
>>> > > > I've installed strongswan-plugin-eap-mschapv2, added
>>> rightauth=eap-mschapv2 to my ipsec.conf file, and restarted ipsec.
>>> > > > I now see the following when I try to connect:
>>> >
>>> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] looking for peer
>>> configs matching 172.31.25.2[%any]...76.126.165.62[app]
>>> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] selected peer
>>> config 'vpn'
>>> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] using configured
>>> EAP-Identity app
>>> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] initiating
>>> EAP_MSCHAPV2 method (id 0xBE)
>>> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] received
>>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] peer supports MOBIKE
>>> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] no IDr configured,
>>> fall back on IP address
>>> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] no private key
>>> found for '172.31.25.2'
>>> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[ENC] generating IKE_AUTH
>>> response 1 [ N(AUTH_FAILED) ]
>>> >
>>> > > > It seems like I need to tell it to use the username/password,
>>> instead of looking for a key... or is a certificate mandatory for all EAP
>>> configurations, even using a username/password?
>>> >
>>> > > > regards,
>>> > > > imran
>>> >
>>> > > > On Sat, Nov 29, 2014 at 4:03 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>> >
>>> >
>>> > > > Hello Imran,
>>> >
>>> > > > You need to specify rightauth2=eap-mschapv2, so strongSwan is
>>> configured correctly to accept
>>> > > > eap authentication using mschapv2 in round 2.
>>> >
>>> > > > You also lack the eap-mschapv2 modules that you need for
>>> eap-mschapv2.
>>> > > > Install it via your package manager or, if you built strongSwan
>>> yourself, configure the strongSwan sources with --enable-eap-mschapv2,
>>> > > > "make uninstall" "make clean" "make" and "make install".
>>> >
>>> > > > Also, please make sure you send your answer to all parties
>>> involved, not just me.
>>> >
>>> > > > Mit freundlichen Grüßen/Regards,
>>> > > > Noel Kuntze
>>> >
>>> > > > GPG Key ID: 0x63EC6658
>>> > > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> >
>>> > > > Am 30.11.2014 um 00:54 schrieb Imran Akbar:
>>> > > > > Hey Noel and Thomas,
>>> >
>>> > > > > thanks for your help.
>>> > > > > I've made some progress - I'm now getting an "AUTH FAILED" error
>>> from my client.
>>> > > > > I'm trying to connect via the StrongSwan client on Android using
>>> IKEv2 EAP (username/password).
>>> >
>>> > > > > Here is my ipsec.conf: http://pastebin.com/Ap5gUX0f
>>> >
>>> > > > > Here is my secrets.conf: http://pastebin.com/hhX9micY
>>> >
>>> > > > > Here is my server log: http://pastebin.com/W99PPKt3 (looks like
>>> the key issue is "peer requested EAP, config inacceptable")
>>> >
>>> > > > > Here is my client log: http://pastebin.com/2w9NS1Zs
>>> >
>>> > > > > I'm going to keep tweaking the authentication configs to see if
>>> I can make it work.
>>> >
>>> > > > > yours,
>>> > > > > imran
>>> >
>>> >
>>> > > > > On Sat, Nov 29, 2014 at 9:04 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>> >
>>> >
>>> > > > > Hello Imran,
>>> >
>>> > > > > IPsec/L2TP is mostly used with IKEv1, not IKEv2. Please tell us
>>> what clients you're trying to use,
>>> > > > > to make sure they try to use IKEv2, too.
>>> >
>>> > > > > L2TP is not handled by strongSwan. You need to use xl2tp for
>>> that. Most clients try to use transport mode
>>> > > > > for the IPsec connection. Make sure your peer configuration has
>>> that specified. Also, please make strongSwan
>>> > > > > write a log [1] with the settings shown in [2], show us the log
>>> that was created and show us your ipsec.conf.
>>> >
>>> > > > > [1]
>>> https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>>> >
>>> > > > > [2]
>>> > > > >                         default = 3
>>> > > > >                         mgr = 1
>>> > > > >                         ike = 1
>>> > > > >                         net = 1
>>> > > > >                         enc = 0
>>> > > > >                         cfg = 2
>>> > > > >                         asn = 1
>>> > > > >                         job = 1
>>> > > > >                         knl = 1
>>> > > > >                         append=no
>>> > > > >                         ike_name=no
>>> > > > >                         flush_line=yes
>>> >
>>> >
>>> > > > > Mit freundlichen Grüßen/Regards,
>>> > > > > Noel Kuntze
>>> >
>>> > > > > GPG Key ID: 0x63EC6658
>>> > > > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> >
>>> > > > > Am 29.11.2014 um 17:53 schrieb Imran Akbar:
>>> > > > > > Hi everyone,
>>> > > > > >     thanks for such a well-developed and maintained library.
>>> >
>>> > > > > > I'm trying to set up IPsec/L2TP on my Ubuntu 14 server with
>>> IKEv2 and a PSK.
>>> >
>>> > > > > > I've read through a bunch of tutorials online:
>>> > > > > >
>>> http://trick77.com/2014/05/04/strongswan-5-vpn-ubuntu-14-04-lts-psk-xauth/
>>> > > > > > http://www.foteviken.de/?p=2175
>>> > > > > >
>>> http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
>>> >
>>> > > > > > and I've opened up UDP ports 500 & 4500, but I still have
>>> clients complaining about gateway timeouts and not being able to connect to
>>> the VPN.
>>> >
>>> > > > > > Is there some sort of a configuration script that can walk you
>>> through all the necessary steps to get this working, or a gist that someone
>>> could share of their config?
>>> > > > > > I don't see anything in my /var/log/auth.conf that's
>>> indicative of VPN traffic.
>>> >
>>> > > > > > yours,
>>> > > > > > imran
>>> >
>>> >
>>> > > > > > _______________________________________________
>>> > > > > > Users mailing list
>>> > > > > > Users at lists.strongswan.org
>>> > > > > > https://lists.strongswan.org/mailman/listinfo/users
>>> >
>>> >
>>> >
>>> >
>>>
>>
>
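A gateway-side configuration for the IKEv2 EAP-MSCHAPv2 (username/password) setup the thread is chasing, added here as an illustration; it is not taken from any poster's config or pastebin. It assumes the certificate-based gateway authentication the thread ended up using: the gateway holds a certificate whose subjectAltName matches leftid (the vpn.example.org name, the file names and the address pool are placeholders), while the client authenticates with EAP-MSCHAPv2 and therefore needs no client certificate.

```ini
# /etc/ipsec.conf  (constructed example; names and paths are placeholders)
config setup
    # roughly the log levels suggested earlier in the thread
    charondebug="ike 1, cfg 2, knl 1, net 1, enc 0"

conn android-eap
    keyexchange=ikev2
    # gateway side: authenticates with its certificate, not with a PSK,
    # so charon has a private key to sign with instead of failing with
    # "no private key found" for the bare IP address
    left=%any
    leftid=@vpn.example.org        # placeholder; must be a SAN in serverCert.pem
    leftcert=serverCert.pem        # placeholder, read from /etc/ipsec.d/certs/
    leftauth=pubkey
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    # client side: EAP in the first authentication round, so the peer's EAP
    # request is accepted instead of "peer requested EAP, config inacceptable"
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24    # placeholder virtual IP pool for clients
    eap_identity=%identity         # use the EAP identity the client sends
    auto=add

# /etc/ipsec.secrets  (constructed example)
# private key matching serverCert.pem, read from /etc/ipsec.d/private/
: RSA serverKey.pem
# one EAP credential per user; "app" is the EAP identity seen in the thread's log
app : EAP "replace-with-a-strong-password"
```

The secrets file must stay readable only by root, since the EAP passwords are stored in the clear.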