[strongSwan] Connection issues

Sebastian Bayer bayerse at gmail.com
Tue Jun 20 17:22:07 CEST 2017


Dear all,

I am very new to strongswan and quite excited about it: lots of interesting
things to read and understand.
The reason why I'm writing is that I want to connect to my VPN service via
IKEv2 from my notebook running Arch and have trouble initiating the
connection.
As my VPN service only recently allowed for IKEv2, they do not have good
Linux support yet, only for mobile devices and Windows.

I tried my best to find a working configuration, but now I am stuck /
confused.

According to the logs:

> authentication of 'xxx' with EAP successful
> IKE_SA vpn[17] established between 192.168.178.35[xxx]...xxx[xxx]


but at the same time:

> establishing connection 'vpn' failed


Below, please find the relevant files and logs. Do you have a hint about what
to do or try next?

Regards
Sebastian


### /etc/ipsec.secrets
xxx : EAP "xxx"

### /etc/ipsec.conf

config setup
    # charondebug="cfg 4, dmn 4, ike 4, net 4"
    # strictcrlpolicy=yes
    # uniqueids = no

conn vpn
    # Key settings
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
    auto=add

    # Keep alive
    dpdaction=clear
    dpddelay=300s

    # Local
    eap_identity=xxx
    leftid=xxx
    leftauth=eap-mschapv2
    # Remote
    right=xxx
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    rightcert=cert.pem
    type=tunnel


### log
[root at X230 sebastian]# ipsec up vpn
initiating IKE_SA vpn[17] to xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.178.35[500] to xxx[500] (338 bytes)
received packet: from xxx[500] to 192.168.178.35[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
sending cert request for "xxx"
establishing CHILD_SA vpn
generating IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.178.35[4500] to xxx[4500] (364 bytes)
received packet: from xxx[4500] to 192.168.178.35[4500] (1248 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from xxx[4500] to 192.168.178.35[4500] (320 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "xxx"
  using certificate "xxx"
  using trusted ca certificate "xxx"
checking certificate status of "xxx"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'xxx' with RSA_EMSA_PKCS1_SHA2_256 successful
server requested EAP_IDENTITY (id 0x00), sending 'xxx'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.178.35[4500] to xxx[4500] (92 bytes)
received packet: from xxx[4500] to 192.168.178.35[4500] (92 bytes)
parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
server requested EAP_MD5 authentication (id 0x01)
requesting EAP_MSCHAPV2 authentication, sending EAP_NAK
generating IKE_AUTH request 3 [ EAP/RES/NAK ]
sending packet: from 192.168.178.35[4500] to xxx[4500] (76 bytes)
received packet: from xxx[4500] to 192.168.178.35[4500] (108 bytes)
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x02)
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.178.35[4500] to xxx[4500] (140 bytes)
received packet: from xxx[4500] to 192.168.178.35[4500] (124 bytes)
parsed IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: '(null)'
generating IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.178.35[4500] to xxx[4500] (76 bytes)
received packet: from xxx[4500] to 192.168.178.35[4500] (76 bytes)
parsed IKE_AUTH response 5 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of 'xxx' (myself) with EAP
generating IKE_AUTH request 6 [ AUTH ]
sending packet: from 192.168.178.35[4500] to xxx[4500] (92 bytes)
received packet: from xxx[4500] to 192.168.178.35[4500] (220 bytes)
parsed IKE_AUTH response 6 [ AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(ADD_4_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
authentication of 'xxx' with EAP successful
IKE_SA vpn[17] established between 192.168.178.35[xxx]...xxx[xxx]
scheduling reauthentication in 10243s
maximum IKE_SA lifetime 10783s
received FAILED_CP_REQUIRED notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'vpn' failed
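The log above is not contradictory: both peers authenticated and the IKE_SA came up, but the responder answered the CHILD_SA proposal with the N(FAIL_CP_REQ) and N(TS_UNACCEPT) notifies, so no tunnel was built. FAILED_CP_REQUIRED (RFC 7296, section 3.10.1) is sent by a responder that expects a Configuration Payload (CFG_REQUEST), i.e. the client is supposed to request a virtual IP; in strongSwan an initiator does that with `leftsourceip=%config`, which the conn above does not set. The following is an added example, not part of the mailing list post or of strongSwan itself: a small Python triage script that reads `ipsec up` output of the kind shown, re-joins the payload lists charon wraps across lines, lists the notifies the peer sent, and explains the IKE_SA-up / CHILD_SA-down outcome. The sample log is constructed from the post with addresses and identities replaced by documentation values.

```python
"""Triage of a strongSwan charon log for an IKEv2 CHILD_SA failure.

Added example, not code from the mailing list post or from strongSwan. It
parses the kind of output `ipsec up <conn>` prints, joins payload lists that
charon wraps over several lines, and reports which notify payloads the
responder sent together with a defender-side interpretation. Notify names
follow charon's bracketed abbreviations; the sample log below is constructed
from the post with redacted values replaced by documentation addresses.
"""
import re
from typing import Dict, List

# Notify types from RFC 7296 section 3.10.1, as charon abbreviates them inside
# "[ ... ]" payload lists, and what each tells the initiator's operator.
NOTIFY_MEANING: Dict[str, str] = {
    "FAIL_CP_REQ": "responder requires a Configuration Payload (CFG_REQUEST); "
                   "the initiator sent none, so no virtual IP was negotiated",
    "TS_UNACCEPT": "responder rejected the proposed traffic selectors "
                   "(TSi/TSr), usually a consequence of the missing virtual IP",
    "NO_PROP_CHOSEN": "no matching proposal for the IKE or ESP algorithms",
    "AUTH_FAILED": "peer authentication failed",
}

PAYLOAD_RE = re.compile(
    r"^(parsed|generating) (\w+) (request|response) (\d+) \[(.*)\]$")
NOTIFY_RE = re.compile(r"N\((\w+)\)")

# Constructed sample, abbreviated from the post (198.51.100.1 and
# vpn.example.net stand in for the redacted server values).
SAMPLE_LOG = """\
initiating IKE_SA vpn[17] to 198.51.100.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
generating IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
parsed IKE_AUTH response 6 [ AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
authentication of 'vpn.example.net' with EAP successful
IKE_SA vpn[17] established between 192.168.178.35[user]...198.51.100.1[vpn.example.net]
received FAILED_CP_REQUIRED notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'vpn' failed
"""


def join_wrapped_lines(lines: List[str]) -> List[str]:
    """Glue a continuation line onto the previous line while its '[' is still open.

    charon wraps long payload lists; a line with more '[' than ']' is incomplete.
    """
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip()
        if out and out[-1].count("[") > out[-1].count("]"):
            out[-1] = out[-1] + " " + line.strip()
        else:
            out.append(line)
    return out


def triage(log_text: str) -> dict:
    """Return IKE_SA/CHILD_SA state, notifies received from the peer, and a diagnosis."""
    lines = join_wrapped_lines(log_text.splitlines())
    result = {
        "ike_sa_established": False,
        "child_sa_established": True,   # flipped if an explicit failure appears
        "received_notifies": [],        # notifies in responses, in first-seen order
        "diagnosis": [],
    }
    for line in lines:
        if re.match(r"^IKE_SA \S+ established between", line):
            result["ike_sa_established"] = True
        if "failed to establish CHILD_SA" in line or "no CHILD_SA built" in line:
            result["child_sa_established"] = False
        m = PAYLOAD_RE.match(line)
        if m and m.group(1) == "parsed":     # "parsed" = payloads the peer sent us
            for name in NOTIFY_RE.findall(m.group(5)):
                if name not in result["received_notifies"]:
                    result["received_notifies"].append(name)
    for name in result["received_notifies"]:
        if name in NOTIFY_MEANING:
            result["diagnosis"].append(f"{name}: {NOTIFY_MEANING[name]}")
    if result["ike_sa_established"] and not result["child_sa_established"]:
        result["diagnosis"].append(
            "IKE_SA is up (both authentications succeeded) but the CHILD_SA was "
            "refused, so 'established' and 'failed' in one run are not a contradiction")
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("notifies from peer:", ", ".join(report["received_notifies"]))
    for item in report["diagnosis"]:
        print("-", item)
```

Run it against a real `ipsec up` transcript by piping the log into `triage(sys.stdin.read())`; the script only reads text and never touches the running daemon, so it is safe to use on a production host while the operator works out which configuration option the responder is asking for.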