[strongSwan] Connection issues

Wed Jun 21 14:00:17 CEST 2017

Thanks! I think this helped.

Now it tells me that a new virtual IP was installed. The only thing I still
need to figure out is how I can use this virtual IP as the external IP is
still unchanged.

Any quick hints what I should read?

Best
Sebastian

2017-06-20 18:00 GMT+02:00 Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting>:

>
>
> On 20.06.2017 17:22, Sebastian Bayer wrote:
> > Dear all,
> >
> > I am very new to strongswan and quite excited about it: lot of
> interesting things to read and understand.
> > The reason why I'm writing is that I want to connect to my VPN service
> via IKEv2 from my notebook running Arch and have troubles initiating the
> connection.
> > As my VPN service only recently allowed for IKEv2, they do not have good
> Linux support yet, only mobile devices and Windows.
> >
> > I tried my best to find a working configuration, but now I am stuck /
> confused.
> >
> > According to the logs:
> >
> >     authentication of 'xxx' with EAP successful
> >     IKE_SA vpn[17] established between 192.168.178.35[xxx]...xxx[xxx]
> >
> >
> > but at the same time:
> >
> >     establishing connection 'vpn' failed
> >
>
> You need to read further than the IKE_SA established. With `ipsec
> up`/`swanctl -i --child[...]`, you're telling the daemon to establish a
> CHILD_SA.
> Doing that fails, so the connection fails.
>
> >
> > Below, please find the relevant files and logs. Do you have a hint what
> to do or try next?
> >
> > Regards
> > Sebastian
> >
> >
> > ### /etc/ipsec.secrets
> > xxx : EAP "xxx"
> >
> > ###/etc/ipsec.conf
> >
> > config setup
> > # charondebug="cfg 4, dmn 4, ike 4, net 4"
> > # strictcrlpolicy=yes
> > # uniqueids = no
> >
> > conn vpn
> > # Key settings
> > keyexchange=ikev2
> > ike=aes128-sha1-modp1024!
> > auto=add
> >
> > # Keep alive
> > dpdaction=clear
> > dpddelay=300s
> >
> > # Local
> > eap_identity=xxx
> > leftid=xxx
> > leftauth=eap-mschapv2
> > # Remote
> > right=xxx
> > rightauth=pubkey
> > rightsubnet=0.0.0.0/0 <http://0.0.0.0/0>
> > rightid=%any
> > rightcert=cert.pem
> > type=tunnel
> That's redundant, because it's the default.
> >
> >
> > ### log
> > [root at X230 sebastian]# ipsec up vpn
> > initiating IKE_SA vpn[17] to xxx
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> > sending packet: from 192.168.178.35[500] to xxx[500] (338 bytes)
> > received packet: from xxx[500] to 192.168.178.35[500] (336 bytes)
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> > local host is behind NAT, sending keep alives
> > sending cert request for "xxx"
> > establishing CHILD_SA vpn
> > generating IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> > sending packet: from 192.168.178.35[4500] to xxx[4500] (364 bytes)
> > received packet: from xxx[4500] to 192.168.178.35[4500] (1248 bytes)
> > parsed IKE_AUTH response 1 [ EF(1/2) ]
> > received fragment #1 of 2, waiting for complete IKE message
> > received packet: from xxx[4500] to 192.168.178.35[4500] (320 bytes)
> > parsed IKE_AUTH response 1 [ EF(2/2) ]
> > received fragment #2 of 2, reassembling fragmented IKE message
> > parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> > received end entity cert "xxx"
> >   using certificate "xxx"
> >   using trusted ca certificate "xxx"
> > checking certificate status of "xxx"
> > certificate status is not available
> >   reached self-signed root ca with a path length of 0
> > authentication of 'xxx' with RSA_EMSA_PKCS1_SHA2_256 successful
> > server requested EAP_IDENTITY (id 0x00), sending 'xxx'
> > generating IKE_AUTH request 2 [ EAP/RES/ID ]
> > sending packet: from 192.168.178.35[4500] to xxx[4500] (92 bytes)
> > received packet: from xxx[4500] to 192.168.178.35[4500] (92 bytes)
> > parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
> > server requested EAP_MD5 authentication (id 0x01)
> > requesting EAP_MSCHAPV2 authentication, sending EAP_NAK
> > generating IKE_AUTH request 3 [ EAP/RES/NAK ]
> > sending packet: from 192.168.178.35[4500] to xxx[4500] (76 bytes)
> > received packet: from xxx[4500] to 192.168.178.35[4500] (108 bytes)
> > parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> > server requested EAP_MSCHAPV2 authentication (id 0x02)
> > generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> > sending packet: from 192.168.178.35[4500] to xxx[4500] (140 bytes)
> > received packet: from xxx[4500] to 192.168.178.35[4500] (124 bytes)
> > parsed IKE_AUTH response 4 [ EAP/REQ/MSCHAPV2 ]
> > EAP-MS-CHAPv2 succeeded: '(null)'
> > generating IKE_AUTH request 5 [ EAP/RES/MSCHAPV2 ]
> > sending packet: from 192.168.178.35[4500] to xxx[4500] (76 bytes)
> > received packet: from xxx[4500] to 192.168.178.35[4500] (76 bytes)
> > parsed IKE_AUTH response 5 [ EAP/SUCC ]
> > EAP method EAP_MSCHAPV2 succeeded, MSK established
> > authentication of 'xxx' (myself) with EAP
> > generating IKE_AUTH request 6 [ AUTH ]
> > sending packet: from 192.168.178.35[4500] to xxx[4500] (92 bytes)
> > received packet: from xxx[4500] to 192.168.178.35[4500] (220 bytes)
> > parsed IKE_AUTH response 6 [ AUTH N(MOBIKE_SUP) N(ADD_4_ADDR)
> N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
> N(ADD_4_ADDR) N(ADD_4_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
> > authentication of 'xxx' with EAP successful
> > IKE_SA vpn[17] established between 192.168.178.35[xxx]...xxx[xxx]
> > scheduling reauthentication in 10243s
> > maximum IKE_SA lifetime 10783s
> > received FAILED_CP_REQUIRED notify, no CHILD_SA built
> Add leftsourceip=%config4, %config6. That makes charon request an IP
> address from the peer.
> Right now, the peer complains about charon not doing that.
> > failed to establish CHILD_SA, keeping IKE_SA
> > establishing connection 'vpn' failed
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170621/7ebb61a2/attachment.html>