[strongSwan] help setting up basic VPN on ubuntu
Noel Kuntze
noel at familie-kuntze.de
Sun Nov 30 11:39:20 CET 2014
Hello Imran,
I gave you wrong information in my last email. I'm sorry.
The correct setting is "eap-mschapv2", not "eap-mschap".
Kind regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 30.11.2014 at 05:09, Imran Akbar wrote:
> thanks Noel,
>
> I've made those changes and restarted ipsec, but I'm still getting the same error in my server log:
>
> "peer requested EAP, config inacceptable"
> "no alternative config found"
>
> This is my updated ipsec: http://pastebin.com/TnZaiZX8
>
> Does that look correct?
>
> appreciate the help,
> imran
>
> On Sat, Nov 29, 2014 at 5:47 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Imran,
>
> If you want to use psk-mschapv2, you need to specify
> leftauth=psk
> rightauth=psk
> rightauth2=eap-mschap
>
> Please make sure this is in your configuration.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 30.11.2014 at 02:09, Imran Akbar wrote:
> > thanks for pointing me in the right direction Noel.
>
> > I've installed strongswan-plugin-eap-mschapv2, added rightauth=eap-mschapv2 to my ipsec.conf file, and restarted ipsec.
> > I now see the following when I try to connect:
>
> > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] looking for peer configs matching 172.31.25.2[%any]...76.126.165.62[app]
> > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] selected peer config 'vpn'
> > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] using configured EAP-Identity app
> > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] initiating EAP_MSCHAPV2 method (id 0xBE)
> > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] peer supports MOBIKE
> > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] no IDr configured, fall back on IP address
> > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] no private key found for '172.31.25.2'
> > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> > It seems like I need to tell it to use the username/password, instead of looking for a key... or is a certificate mandatory for all EAP configurations, even using a username/password?
>
> > regards,
> > imran
>
> > On Sat, Nov 29, 2014 at 4:03 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> > Hello Imran,
>
> > You need to specify rightauth2=eap-mschapv2, so strongSwan is configured correctly to accept
> > eap authentication using mschapv2 in round 2.
>
> > You also lack the eap-mschapv2 module, which you need for eap-mschapv2.
> > Install it via your package manager or, if you built strongSwan yourself, configure the strongSwan sources with --enable-eap-mschapv2,
> > "make uninstall" "make clean" "make" and "make install".
>
> > Also, please make sure you send your answer to all parties involved, not just me.
>
> > Kind regards,
> > Noel Kuntze
>
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > On 30.11.2014 at 00:54, Imran Akbar wrote:
> > > Hey Noel and Thomas,
>
> > > thanks for your help.
> > > I've made some progress - I'm now getting an "AUTH FAILED" error from my client.
> > > I'm trying to connect via the StrongSwan client on Android using IKEv2 EAP (username/password).
>
> > > Here is my ipsec.conf: http://pastebin.com/Ap5gUX0f
>
> > > Here is my secrets.conf: http://pastebin.com/hhX9micY
>
> > > Here is my server log: http://pastebin.com/W99PPKt3 (looks like the key issue is "peer requested EAP, config inacceptable")
>
> > > Here is my client log: http://pastebin.com/2w9NS1Zs
>
> > > I'm going to keep tweaking the authentication configs to see if I can make it work.
>
> > > yours,
> > > imran
>
>
> > > On Sat, Nov 29, 2014 at 9:04 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> > > Hello Imran,
>
> > > IPsec/L2TP is mostly used with IKEv1, not IKEv2. Please tell us what clients you're trying to use,
> > > to make sure they try to use IKEv2, too.
>
> > > L2TP is not handled by strongSwan. You need to use xl2tp for that. Most clients try to use transport mode
> > > for the IPsec connection. Make sure your peer configuration has that specified. Also, please make strongSwan
> > > write a log [1] with the settings shown in [2], show us the log that was created and show us your ipsec.conf.
>
> > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
> > > [2]
> > > default = 3
> > > mgr = 1
> > > ike = 1
> > > net = 1
> > > enc = 0
> > > cfg = 2
> > > asn = 1
> > > job = 1
> > > knl = 1
> > > append=no
> > > ike_name=no
> > > flush_line=yes
>
>
> > > Kind regards,
> > > Noel Kuntze
>
> > > GPG Key ID: 0x63EC6658
> > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > > On 29.11.2014 at 17:53, Imran Akbar wrote:
> > > > Hi everyone,
> > > > thanks for such a well-developed and maintained library.
>
> > > > I'm trying to set up IPsec/L2TP on my Ubuntu 14 server with IKEv2 and a PSK.
>
> > > > I've read through a bunch of tutorials online:
> > > > http://trick77.com/2014/05/04/strongswan-5-vpn-ubuntu-14-04-lts-psk-xauth/
> > > > http://www.foteviken.de/?p=2175
> > > > http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
>
> > > > and I've opened up UDP ports 500 & 4500, but I still have clients complaining about gateway timeouts and not being able to connect to the VPN.
>
> > > > Is there some sort of a configuration script that can walk you through all the necessary steps to get this working, or a gist that someone could share of their config?
> > > > I don't see anything in my /var/log/auth.conf that's indicative of VPN traffic.
>
> > > > yours,
> > > > imran
>
>
> > > > _______________________________________________
> > > > Users mailing list
> > > > Users at lists.strongswan.org
> > > > https://lists.strongswan.org/mailman/listinfo/users
>
>
>
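The settings Noel gives across the thread, assembled into one working configuration as an added example (this is not a file from the thread or from the strongSwan project): a `conn` in ipsec.conf that authenticates both peers with a PSK in the first round and the client additionally with EAP-MSCHAPv2 in the second round (using the corrected method name `eap-mschapv2`), the matching ipsec.secrets entries, and the strongswan.conf `filelog` section carrying the log levels from [2]. The connection name `vpn`, the server address `172.31.25.2` and the EAP identity `app` are taken from the log lines quoted above; the client pool, the log file path, the PSK and the password are placeholders to replace. Setting `leftauth=psk` is what avoids the default public-key server authentication that produced "no private key found for '172.31.25.2'" in the quoted log.

```ini
# ---- /etc/ipsec.conf (example, placeholders marked) ----
config setup
    # logging is configured in strongswan.conf below

conn vpn
    keyexchange=ikev2
    # responder only: load the config and wait for the client to initiate
    auto=add
    left=%any
    # server identity; 172.31.25.2 is the address from the thread's log
    leftid=172.31.25.2
    # route all client traffic through the tunnel
    leftsubnet=0.0.0.0/0
    # round 1: server and client authenticate with the pre-shared key
    leftauth=psk
    rightauth=psk
    # round 2: the client additionally authenticates with EAP-MSCHAPv2
    rightauth2=eap-mschapv2
    # ask the client for its EAP identity instead of pinning it in the config
    eap_identity=%any
    right=%any
    # placeholder virtual IP pool handed out to connecting clients
    rightsourceip=10.10.10.0/24

# ---- /etc/ipsec.secrets (example, placeholders marked) ----
# PSK used in authentication round 1 (placeholder value)
: PSK "REPLACE-WITH-A-LONG-RANDOM-PSK"
# EAP user "app" (the EAP identity seen in the log) for round 2 (placeholder password)
app : EAP "REPLACE-WITH-PASSWORD"

# ---- /etc/strongswan.conf (example; log levels are the ones from [2]) ----
charon {
    filelog {
        # placeholder log file path
        /var/log/charon.log {
            default = 3
            mgr = 1
            ike = 1
            net = 1
            enc = 0
            cfg = 2
            asn = 1
            job = 1
            knl = 1
            append = no
            ike_name = no
            flush_line = yes
        }
    }
}
```

After editing, `ipsec restart` reloads all three files; a successful attempt should then show `selected peer config 'vpn'` followed by the EAP_MSCHAPV2 exchange without the `AUTH_FAILED` notify, and the `cfg = 2` level makes the peer-config matching visible when it does not.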