[strongSwan] help setting up basic VPN on ubuntu

Imran Akbar skunkwerk at gmail.com
Sun Nov 30 20:34:21 CET 2014


Hey Noel,
I feel like it's close to working, but I'm still getting the same message
after making that change and restarting. Do you think it's the "config
inacceptable" error that's causing authentication to fail, or is it
something in my secrets file?

ipsec.conf now looks like: http://pastebin.com/tUN6jmaS

The server log says:
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] looking for peer configs matching 172.31.25.2[%any]...76.126.165.62[app]
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] selected peer config 'vpn'
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] peer requested EAP, config inacceptable
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] no alternative config found
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] peer supports MOBIKE
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[NET] sending packet: from 172.31.25.2[4500] to 76.126.165.62[37721] (76 bytes)

and the client log says "parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]".

Is using a PSK the easiest way to set up StrongSwan? I assumed that was the
case, but I tried using certificates as well by following this example
(http://kleinerman.org/ipsec-with-strongswan/) but I get stuck at the last
step, as the Android app wants a client certificate as well, which I
haven't generated.

thanks again,
imran



On Sun, Nov 30, 2014 at 2:39 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
>
> Hello Imran,
>
> I gave you wrong information in my last email. I'm sorry.
>
> The correct setting is "eap-mschapv2", not "eap-mschap".
>
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 30.11.2014 at 05:09, Imran Akbar wrote:
> > thanks Noel,
> >
> > I've made those changes and restarted ipsec, but I'm still getting the
> > same error in my server log:
> >
> > "peer requested EAP, config inacceptable"
> > "no alternative config found"
> >
> > This is my updated ipsec: http://pastebin.com/TnZaiZX8
> >
> > Does that look correct?
> >
> > appreciate the help,
> > imran
> >
> > On Sat, Nov 29, 2014 at 5:47 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > Hello Imran,
> >
> > If you want to use psk-mschapv2, you need to specify
> > leftauth=psk
> > rightauth=psk
> > rightauth2=eap-mschap
> >
> > Please make sure this is in your configuration.
> >
> > Kind regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 30.11.2014 at 02:09, Imran Akbar wrote:
> > > thanks for pointing me in the right direction, Noel.
> > >
> > > I've installed strongswan-plugin-eap-mschapv2, added
> > > rightauth=eap-mschapv2 to my ipsec.conf file, and restarted ipsec.
> > > I now see the following when I try to connect:
> >
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] looking for peer configs matching 172.31.25.2[%any]...76.126.165.62[app]
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] selected peer config 'vpn'
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] using configured EAP-Identity app
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] initiating EAP_MSCHAPV2 method (id 0xBE)
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] peer supports MOBIKE
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] no IDr configured, fall back on IP address
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] no private key found for '172.31.25.2'
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> >
> > > It seems like I need to tell it to use the username/password, instead
> > > of looking for a key... or is a certificate mandatory for all EAP
> > > configurations, even using a username/password?
> >
> > > regards,
> > > imran
> >
> > > On Sat, Nov 29, 2014 at 4:03 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > Hello Imran,
> >
> > > You need to specify rightauth2=eap-mschapv2, so strongSwan is
> > > configured correctly to accept EAP authentication using MSCHAPv2 in round 2.
> > >
> > > You also lack the eap-mschapv2 module that you need for eap-mschapv2.
> > > Install it via your package manager or, if you built strongSwan
> > > yourself, configure the strongSwan sources with --enable-eap-mschapv2,
> > > then "make uninstall", "make clean", "make" and "make install".
> > >
> > > Also, please make sure you send your answer to all parties involved,
> > > not just me.
> >
> > > Kind regards,
> > > Noel Kuntze
> >
> > > GPG Key ID: 0x63EC6658
> > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > > On 30.11.2014 at 00:54, Imran Akbar wrote:
> > > > Hey Noel and Thomas,
> >
> > > > thanks for your help.
> > > > I've made some progress - I'm now getting an "AUTH FAILED" error
> > > > from my client.
> > > > I'm trying to connect via the StrongSwan client on Android using
> > > > IKEv2 EAP (username/password).
> > > >
> > > > Here is my ipsec.conf: http://pastebin.com/Ap5gUX0f
> > > >
> > > > Here is my secrets.conf: http://pastebin.com/hhX9micY
> > > >
> > > > Here is my server log: http://pastebin.com/W99PPKt3 (looks like the
> > > > key issue is "peer requested EAP, config inacceptable")
> > > >
> > > > Here is my client log: http://pastebin.com/2w9NS1Zs
> > > >
> > > > I'm going to keep tweaking the authentication configs to see if I
> > > > can make it work.
> >
> > > > yours,
> > > > imran
> >
> >
> > > > On Sat, Nov 29, 2014 at 9:04 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> >
> > > > Hello Imran,
> >
> > > > IPsec/L2TP is mostly used with IKEv1, not IKEv2. Please tell us what
> > > > clients you're trying to use, to make sure they try to use IKEv2, too.
> > > >
> > > > L2TP is not handled by strongSwan. You need to use xl2tp for that.
> > > > Most clients try to use transport mode for the IPsec connection. Make
> > > > sure your peer configuration has that specified. Also, please make
> > > > strongSwan write a log [1] with the settings shown in [2], show us the
> > > > log that was created and show us your ipsec.conf.
> >
> > > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> >
> > > > [2]
> > > >                         default = 3
> > > >                         mgr = 1
> > > >                         ike = 1
> > > >                         net = 1
> > > >                         enc = 0
> > > >                         cfg = 2
> > > >                         asn = 1
> > > >                         job = 1
> > > >                         knl = 1
> > > >                         append=no
> > > >                         ike_name=no
> > > >                         flush_line=yes
> >
> >
> > > > Kind regards,
> > > > Noel Kuntze
> >
> > > > GPG Key ID: 0x63EC6658
> > > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > > > On 29.11.2014 at 17:53, Imran Akbar wrote:
> > > > > Hi everyone,
> > > > > thanks for such a well-developed and maintained library.
> > > > >
> > > > > I'm trying to set up IPsec/L2TP on my Ubuntu 14 server with IKEv2
> > > > > and a PSK.
> > > > >
> > > > > I've read through a bunch of tutorials online:
> > > > > http://trick77.com/2014/05/04/strongswan-5-vpn-ubuntu-14-04-lts-psk-xauth/
> > > > > http://www.foteviken.de/?p=2175
> > > > > http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
> > > > >
> > > > > and I've opened up UDP ports 500 & 4500, but I still have clients
> > > > > complaining about gateway timeouts and not being able to connect to the VPN.
> > > > >
> > > > > Is there some sort of a configuration script that can walk you
> > > > > through all the necessary steps to get this working, or a gist that someone
> > > > > could share of their config?
> > > > > I don't see anything in my /var/log/auth.conf that's indicative of
> > > > > VPN traffic.
> >
> > > > > yours,
> > > > > imran
> >
> >
> > > > > _______________________________________________
> > > > > Users mailing list
> > > > > Users at lists.strongswan.org
> > > > > https://lists.strongswan.org/mailman/listinfo/users
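The charon lines quoted throughout this thread all share one shape, so, as an added example (my own code, not from the thread or from strongSwan), here is a small Python triage script that groups the lines by worker thread and, for each exchange that ended in AUTH_FAILED, reports which of the thread's known failure messages appeared. The sample log is constructed from the quoted lines and the hint wording is my own interpretation of what each message usually points at.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon lines quoted in this thread (threads 14 and 01).
SAMPLE_LOG = """\
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] looking for peer configs matching 172.31.25.2[%any]...76.126.165.62[app]
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] selected peer config 'vpn'
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] peer requested EAP, config inacceptable
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] no alternative config found
Nov 30 19:16:02 ip-172-31-25-2 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] initiating EAP_MSCHAPV2 method (id 0xBE)
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] no private key found for '172.31.25.2'
Nov 30 00:29:27 ip-172-31-25-2 charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# charon prefixes each message with "<worker thread>[<subsystem>]".
LINE_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")

# Known failure messages and what they usually point at (the hints are my
# reading of strongSwan's behaviour, not text from the thread).
HINTS = [
    ("peer requested EAP, config inacceptable",
     "client wants EAP but the selected conn does not allow it; check rightauth"),
    ("no private key found for",
     "gateway must sign IKE_AUTH for EAP clients; load a key/cert matching leftid"),
    ("no alternative config found",
     "no other conn matched the peer identities; check leftid/rightid"),
]

def parse(line):
    """Return (thread, subsystem, message) for a charon line, else None."""
    m = LINE_RE.search(line)
    return (m.group("thread"), m.group("group"), m.group("msg")) if m else None

def triage(log_text):
    """Group events per worker thread and explain each failed IKE_AUTH."""
    threads = defaultdict(list)
    for line in log_text.splitlines():
        event = parse(line)
        if event:
            threads[event[0]].append(event)
    report = {}
    for tid, events in threads.items():
        msgs = [msg for _, _, msg in events]
        if not any("N(AUTH_FAILED)" in m for m in msgs):
            continue  # this thread's exchange did not fail
        conn = next((re.search(r"'(.*)'", m).group(1) for m in msgs
                     if m.startswith("selected peer config")), None)
        reasons = [hint for m in msgs for needle, hint in HINTS if needle in m]
        report[tid] = {"conn": conn, "reasons": reasons}
    return report
```

Run `triage()` over the output of the file logger configured as in [2] above; lines from threads whose exchange succeeded are skipped, so only the failed attempts are reported.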