[strongSwan] help setting up basic VPN on ubuntu

Noel Kuntze noel at familie-kuntze.de
Sun Nov 30 22:23:06 CET 2014



Hello Imran,

Do you mind posting the complete log from daemon start to the error?

And yes, PSK is the easiest way, but if you are experienced with certificates, you can also take that approach.


Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 30.11.2014 at 20:34, Imran Akbar wrote:
> Hey Noel,
>     I feel like it's close to working, but still getting the same message after making that change and restarting.  Do you think it's the "config inacceptable" error that's causing authentication to fail, or is it something in my secrets file?
>
> ipsec.conf now looks like: http://pastebin.com/tUN6jmaS
>
> the server log says:
> Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] looking for peer configs matching 172.31.25.2[%any]...76.126.165.62[app]
> Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] selected peer config 'vpn'
> Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] peer requested EAP, config inacceptable
> Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] no alternative config found
> Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] peer supports MOBIKE
> Nov 30 19:16:02 ip-172-31-25-2 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> Nov 30 19:16:02 ip-172-31-25-2 charon: 14[NET] sending packet: from 172.31.25.2[4500] to 76.126.165.62[37721] (76 bytes)
>
> and the client log says "parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> Is using a PSK the easiest way to set up StrongSwan?  I assumed that was the case, but I tried using certificates as well by following this example (http://kleinerman.org/ipsec-with-strongswan/) but I get stuck at the last step, as the Android app wants a client certificate as well, which I haven't generated.
>
> thanks again,
> imran
>
>
>
> On Sun, Nov 30, 2014 at 2:39 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Imran,
>
> I gave you wrong information in my last email. I'm sorry.
>
> The correct setting is "eap-mschapv2", not "eap-mschap".
>
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 30.11.2014 at 05:09, Imran Akbar wrote:
> > thanks Noel,
>
> > I've made those changes and restarted ipsec, but I'm still getting the same error in my server log:
>
> > "peer requested EAP, config inacceptable"
> > "no alternative config found"
>
> > This is my updated ipsec: http://pastebin.com/TnZaiZX8
>
> > Does that look correct?
>
> > appreciate the help,
> > imran
>
> > On Sat, Nov 29, 2014 at 5:47 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> > Hello Imran,
>
> > If you want to use psk-mschapv2, you need to specify
> > leftauth=psk
> > rightauth=psk
> > rightauth2=eap-mschap
>
> > Please make sure this is in your configuration.
>
> > Kind regards,
> > Noel Kuntze
>
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > On 30.11.2014 at 02:09, Imran Akbar wrote:
> > > thanks for pointing me in the right direction Noel.
>
> > > I've installed strongswan-plugin-eap-mschapv2, added rightauth=eap-mschapv2 to my ipsec.conf file, and restarted ipsec.
> > > I now see the following when I try to connect:
>
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] looking for peer configs matching 172.31.25.2[%any]...76.126.165.62[app]
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] selected peer config 'vpn'
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] using configured EAP-Identity app
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] initiating EAP_MSCHAPV2 method (id 0xBE)
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] peer supports MOBIKE
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] no IDr configured, fall back on IP address
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] no private key found for '172.31.25.2'
> > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>
> > > It seems like I need to tell it to use the username/password, instead of looking for a key... or is a certificate mandatory for all EAP configurations, even using a username/password?
>
> > > regards,
> > > imran
>
> > > On Sat, Nov 29, 2014 at 4:03 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> > > Hello Imran,
>
> > > You need to specify rightauth2=eap-mschapv2, so strongSwan is configured correctly to accept
> > > eap authentication using mschapv2 in round 2.
>
> > > You also lack the eap-mschapv2 module that you need for eap-mschapv2.
> > > Install it via your package manager or, if you built strongSwan yourself, configure the strongSwan sources with --enable-eap-mschapv2,
> > > "make uninstall" "make clean" "make" and "make install".
>
> > > Also, please make sure you send your answer to all parties involved, not just me.
>
> > > Kind regards,
> > > Noel Kuntze
>
> > > GPG Key ID: 0x63EC6658
> > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > > On 30.11.2014 at 00:54, Imran Akbar wrote:
> > > > Hey Noel and Thomas,
>
> > > > thanks for your help.
> > > > I've made some progress - I'm now getting an "AUTH FAILED" error from my client.
> > > > I'm trying to connect via the StrongSwan client on Android using IKEv2 EAP (username/password).
>
> > > > Here is my ipsec.conf: http://pastebin.com/Ap5gUX0f
>
> > > > Here is my secrets.conf: http://pastebin.com/hhX9micY
>
> > > > Here is my server log: http://pastebin.com/W99PPKt3 (looks like the key issue is "peer requested EAP, config inacceptable")
>
> > > > Here is my client log: http://pastebin.com/2w9NS1Zs
>
> > > > I'm going to keep tweaking the authentication configs to see if I can make it work.
>
> > > > yours,
> > > > imran
>
>
> > > > On Sat, Nov 29, 2014 at 9:04 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> > > > Hello Imran,
>
> > > > IPsec/L2TP is mostly used with IKEv1, not IKEv2. Please tell us what clients you're trying to use,
> > > > to make sure they try to use IKEv2, too.
>
> > > > L2TP is not handled by strongSwan. You need to use xl2tp for that. Most clients try to use transport mode
> > > > for the IPsec connection. Make sure your peer configuration has that specified. Also, please make strongSwan
> > > > write a log [1] with the settings shown in [2], show us the log that was created and show us your ipsec.conf.
>
> > > > [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
> > > > [2]
> > > >                         default = 3
> > > >                         mgr = 1
> > > >                         ike = 1
> > > >                         net = 1
> > > >                         enc = 0
> > > >                         cfg = 2
> > > >                         asn = 1
> > > >                         job = 1
> > > >                         knl = 1
> > > >                         append=no
> > > >                         ike_name=no
> > > >                         flush_line=yes
>
>
> > > > Kind regards,
> > > > Noel Kuntze
>
> > > > GPG Key ID: 0x63EC6658
> > > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> > > > On 29.11.2014 at 17:53, Imran Akbar wrote:
> > > > > Hi everyone,
> > > > >     thanks for such a well-developed and maintained library.
>
> > > > > I'm trying to set up IPsec/L2TP on my Ubuntu 14 server with IKEv2 and a PSK.
>
> > > > > I've read through a bunch of tutorials online:
> > > > > http://trick77.com/2014/05/04/strongswan-5-vpn-ubuntu-14-04-lts-psk-xauth/
> > > > > http://www.foteviken.de/?p=2175
> > > > > http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
>
> > > > > and I've opened up UDP ports 500 & 4500, but I still have clients complaining about gateway timeouts and not being able to connect to the VPN.
>
> > > > > Is there some sort of a configuration script that can walk you through all the necessary steps to get this working, or a gist that someone could share of their config?
> > > > > I don't see anything in my /var/log/auth.conf that's indicative of VPN traffic.
>
> > > > > yours,
> > > > > imran
>
>
> > > > > _______________________________________________
> > > > > Users mailing list
> > > > > Users at lists.strongswan.org
> > > > > https://lists.strongswan.org/mailman/listinfo/users
>
>
>

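An added example, not code from this thread or from the strongSwan project: a small Python script that reads charon log lines like the ones posted above together with the ipsec.conf conn that charon reports as selected, and maps the messages printed just before N(AUTH_FAILED) ('peer requested EAP, config inacceptable', 'no private key found for ...', 'no IDr configured') to the setting that needs changing. It also lints the selected conn for the pairing the thread turns on: a responder that accepts an EAP method has to authenticate itself with a public key signature (RFC 7296, section 2.16), so the Android client's IKEv2 EAP (username/password) profile needs leftauth=pubkey plus a server certificate on the server side, with rightauth=eap-mschapv2 for the client. The log lines and the three ipsec.conf variants are constructed for the example and modelled on the thread; the advice strings, the assumption that leftauth and rightauth default to pubkey, and the certificate file name and identity in CONF_EAP are the example's own placeholders.

```python
import re

# Charon messages that precede N(AUTH_FAILED) in the posted logs, mapped to the
# ipsec.conf setting that usually explains them (this example's reading, not docs).
SIGNATURES = [
    (re.compile(r"peer requested EAP, config inacceptable"),
     "rightauth: the client sent IKE_AUTH without an AUTH payload (it wants EAP) "
     "but the selected conn allows no EAP method; set rightauth=eap-mschapv2"),
    (re.compile(r"no private key found for '([^']+)'"),
     "leftcert: no certificate/private key is loaded for the local identity; "
     "set leftcert= and add the key to ipsec.secrets"),
    (re.compile(r"no IDr configured, fall back on IP address"),
     "leftid: no local identity is configured, so the IP address is used; "
     "set leftid to the identity in the server certificate"),
]
SELECTED = re.compile(r"\[CFG\] selected peer config '([^']+)'")
AUTH_FAILED = re.compile(r"generating IKE_AUTH response \d+ \[ N\(AUTH_FAILED\) \]")


def parse_ipsec_conf(text):
    """Map conn name -> settings; 'conn %default' is merged into every conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif not line[0].isspace():        # 'config setup', 'ca ...': not a conn
            current = None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **conn} for name, conn in conns.items()}


def lint_conn(name, conn):
    """Config-only checks for a responder accepting IKEv2 EAP (username/password)."""
    findings = []
    leftauth = conn.get("leftauth", "pubkey")     # assumed strongSwan default
    rightauth = conn.get("rightauth", "pubkey")
    if rightauth.startswith("eap"):
        if leftauth != "pubkey":
            findings.append(f"conn {name}: leftauth={leftauth}, but EAP client "
                            "authentication must be paired with a public key "
                            "signature by the responder (RFC 7296, section 2.16)")
        if "leftcert" not in conn:
            findings.append(f"conn {name}: rightauth={rightauth} but no leftcert")
    return findings


def triage(log_lines, ipsec_conf):
    """Return (selected conn, auth_failed, findings) for one IKE_AUTH exchange."""
    conns = parse_ipsec_conf(ipsec_conf)
    selected, failed, findings = None, False, []
    for line in log_lines:
        m = SELECTED.search(line)
        if m:
            selected = m.group(1)
        failed = failed or bool(AUTH_FAILED.search(line))
        findings += [advice for pattern, advice in SIGNATURES if pattern.search(line)]
    if selected in conns:
        findings += lint_conn(selected, conns[selected])
    return selected, failed, findings


# Constructed inputs modelled on the thread; not the poster's real files.
LOG_PSK = [
    "charon: 14[CFG] selected peer config 'vpn'",
    "charon: 14[IKE] peer requested EAP, config inacceptable",
    "charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]",
]
LOG_NOKEY = [
    "charon: 01[CFG] selected peer config 'vpn'",
    "charon: 01[CFG] no IDr configured, fall back on IP address",
    "charon: 01[IKE] no private key found for '172.31.25.2'",
    "charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]",
]
CONF_PSK = """conn %default
    keyexchange=ikev2
conn vpn
    left=%any
    leftauth=psk
    right=%any
    rightauth=psk
    auto=add
"""
# The same conn after switching the client side to EAP without adding a server cert.
CONF_NOKEY = CONF_PSK.replace("    leftauth=psk\n", "").replace("rightauth=psk", "rightauth=eap-mschapv2")
# Server side for the Android IKEv2 EAP profile; cert file and leftid are placeholders.
CONF_EAP = CONF_NOKEY.replace("    left=%any\n", "    left=%any\n    leftauth=pubkey\n"
                               "    leftcert=vpnServerCert.pem\n    leftid=@vpn.example.org\n")

if __name__ == "__main__":
    for log, conf in ((LOG_PSK, CONF_PSK), (LOG_NOKEY, CONF_NOKEY)):
        print(*triage(log, conf), sep="\n  ")
```

Run it as a script to see both failure cases from the thread classified; on a real host, feed it the charon lines from syslog or the file log and the conn section of your ipsec.conf. The lint is deliberately narrow: it checks only the auth pairing that these two failures turn on, and it reports nothing for CONF_EAP, which is the shape a responder for username/password clients needs.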


