[strongSwan] help setting up basic VPN on ubuntu

Imran Akbar skunkwerk at gmail.com
Sun Nov 30 02:09:39 CET 2014 

thanks for pointing me in the right direction Noel.

I've installed strongswan-plugin-eap-mschapv2, added rightauth=eap-mschapv2
to my ipsec.conf file, and restart ipsec.
I now see the following when I try to connect:

Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] looking for peer configs
matching 172.31.25.2[%any]...76.126.165.62[app]
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] selected peer config 'vpn'
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] using configured
EAP-Identity app
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] initiating EAP_MSCHAPV2
method (id 0xBE)
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] peer supports MOBIKE
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] no IDr configured, fall back
on IP address
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] no private key found for
'172.31.25.2'
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[ENC] generating IKE_AUTH response
1 [ N(AUTH_FAILED) ]

It seems like I need to tell it to use the username/password, instead of
looking for a key... or is a certificate mandatory for all EAP
configurations, even using a username/password?

regards,
imran

On Sat, Nov 29, 2014 at 4:03 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Imran,
>
> You need to specify rightauth2=eap-mschapv2, so strongSwan is configured
> correctly to accept
> eap authentication using mschapv2 in round 2.
>
> You also lack the eap-mschapv2 modules, that you need for eap-mschapv2.
> Install it via your package manager or, if you built strongSwan yourself,
> configure the strongSwan sources with --enable-eap-mschapv2,
> "make uninstall" "make clean" "make" and "make install".
>
> Also, please make sure you send your answer to all parties involved, not
> just me.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 30.11.2014 um 00:54 schrieb Imran Akbar:
> > Hey Noel and Thomas,
> >
> > thanks for your help.
> > I've made some progress - I'm now getting an "AUTH FAILED" error from my
> client.
> > I'm trying to connect via the StrongSwan client on Android using IKEv2
> EAP (username/password).
> >
> > Here is my ipsec.conf: http://pastebin.com/Ap5gUX0f
> >
> > Here is my secrets.conf: http://pastebin.com/hhX9micY
> >
> > Here is my server log: http://pastebin.com/W99PPKt3 (looks like the key
> issue is "peer requested EAP, config inacceptable")
> >
> > Here is my client log: http://pastebin.com/2w9NS1Zs
> >
> > I'm going to keep tweaking the authentication configs to see if I can
> make it work.
> >
> > yours,
> > imran
> >
> >
> > On Sat, Nov 29, 2014 at 9:04 AM, Noel Kuntze <noel at familie-kuntze.de
> <mailto:noel at familie-kuntze.de>> wrote:
> >
> >
> > Hello Imran,
> >
> > IPsec/L2TP is mostly used with IKEv1, not IKEv2. Please tell us what
> clients you're trying to use,
> > to make sure they try to use IKEv2, too.
> >
> > L2TP is not handled by strongSwan. You need to use xl2tp for that. Most
> clients try to use transport mode
> > for the IPsec connection. Make sure your peer configuration has that
> specified. Also, plese make strongSwan
> > write a log [1] with the settings shown in [2], show us the log that was
> created and show us your ipsec.conf.
> >
> > [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> >
> > [2]
> >                         default = 3
> >                         mgr = 1
> >                         ike = 1
> >                         net = 1
> >                         enc = 0
> >                         cfg = 2
> >                         asn = 1
> >                         job = 1
> >                         knl = 1
> >                         append=no
> >                         ike_name=no
> >                         flush_line=yes
> >
> >
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > Am 29.11.2014 um 17:53 schrieb Imran Akbar:
> > > Hi everyone,
> > >     thanks for such a well-developed and maintained library.
> >
> > > I'm trying to setup Ipsec/L2TP on my Ubuntu 14 server with IKEv2 and a
> PSK.
> >
> > > I've read through a bunch of tutorials online:
> > >
> http://trick77.com/2014/05/04/strongswan-5-vpn-ubuntu-14-04-lts-psk-xauth/
> > > http://www.foteviken.de/?p=2175
> > >
> http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
> >
> > > and I've opened up UDP ports 500 & 4500, but I still have clients
> complaining about gateway timeouts and not being able to connect to the VPN.
> >
> > > Is there some sort of a configuration script that can walk you through
> all the necessary steps to get this working, or a gist that someone could
> share of their config?
> > > I don't see anything in my /var/log/auth.conf that's indicative of VPN
> traffic.
> >
> > > yours,
> > > imran
> >
> >
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
> >
> >
> >     _______________________________________________
> >     Users mailing list
> >     Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
> >     https://lists.strongswan.org/mailman/listinfo/users
> >
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJUel6+AAoJEDg5KY9j7GZY1ncQAJvIX5GrOL7raDE2noJ4PINy
> 6Z8TndKdOFN1uSmH8k7xuywLB4tRs3lljkBy9CNe3S0RkfnkNiSPP082MKVSaOdg
> +L08vNxzcd2UOjxlEDtziIIAazhb5bGCss+fxjSuLyacW63Pk1knhaHb0u3GtxAJ
> uP02g2CHhzr439CgncBUH1+F4EgOT5aK1VbrmcQiTJRG2JnXvZ9iuX1rN9gGAt0R
> z166Rf92yi3VVkZTFTAv3gx/nnbTzommukhICW6CMriPoQi84pcaiNi8o8EBxO1L
> 8O2to2iMZayAukFWZKP/CqN8DVTFBf9kmul2irNvkg1Mg3+QgkAiTTbxKaYWNceX
> YvbS5B5TkB9tKbeJo5Y91SPYJsQ9Ff3GyWv8eSgDzVY8DWargDZvU1vFZfzc8It2
> X4dVxYs0+Ifbq0gBc4wub8eJbopnIdS7F6T5WriwORonBWSN9axMzJXIM3mFl14l
> Dlq0qlNvmg5xo77vpQn4CK1VHo4Gw6yNFQC09Aokux9NxnHXXdHpcH9jl2bkn8p3
> Rwoxfy7YFlAkFCJMzpt8ztLOdnlZzJ6/oM+D83osCeJhUN0zHc9mNVYcbBqQ/4Z0
> hmhTFX1RoJGHq3rkv49vwam9VnLKY9hxyg/R7pLiXhyg7mVNa5ybyHKryALebcR0
> UKDDEavL0ddn9ohcy2ai
> =Sw+u
> -----END PGP SIGNATURE-----
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20141129/ca872393/attachment.html>

More information about the Users mailing list