[strongSwan] debugging Ubuntu network manager vpn establishment

Alex Sharaz alex.sharaz at york.ac.uk
Thu Sep 7 13:54:45 CEST 2017

I'm  trying to establish a VPN connection to our 5.6.0 SSwan server via the
Network Manager in Ubuntu 16.04.3

I'm running an Ubuntu VM over Parallels /OSX. The VM is fully patched and
up to date.

1st step was ot get cli version running and I can establish a VPN using
"ipsec up as1558-mschap"

Which uses eap-peap/mschapv2 to authenticate a user against our server.

I then built the Network manager  plugin ( v 1.4.2 ) as per

When creating a vpn I now have an option to create an iopsec/ikev2
(strongswan) vpn.
I've left the general tab, ipv4 and ipv6 settings tabs at their default
settings and only altered the VPN tab.

Gateway address / vpn.york.ac.uk
Certificate / None

Client Authentication / EAP
Username / <my userid at york.ac.uk
Password / left at ask for password every time

Request an inner IP address
Enforce UDP encapsulation

I can save the above

but when I try enabling the vpn nothing visible hapens

1). I don't get prompted for a password
2). Having configured  /var/log/strongswan.log nothing appears in it
3). Nothing appears at the vpn server

/var/log/kern.log has

Sep  7 12:35:24 deadpool NetworkManager[693]: <info>  [1504784124.0851]
audit: op="connection-activate" uuid="4c98e2da-b95e-49b2-b18d-e8591db70094"
name="VPN connection 1" pid=19612 uid=1000 result="success"
Sep  7 12:35:24 deadpool NetworkManager[693]: <warn>  [1504784124.1173]
connection 1",0]: Could not launch the VPN service. error: Failed to
execute child process "/usr/libexec/ipsec/charon-nm" (No such file or

... and its right ... there's no directory called /usr/libexec

For strongswan I used

./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib \
   --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
   --disable-fips-prf --disable-gmp --enable-openssl --enable-nm
--enable-agent \
   --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2
--enable-eap-identity \

   --enable-curl --enable-eap-peap

For NM I originally used

./configure --sysconfdir=/etc --prefix=/usr

which generated the /usr/libexec/ipsec/chron-nm dies not exist error

..so I changed this to

./configure --sysconfdir=/etc --prefix=/usr

Having set the config to prompt for a password I get

Sep  7 12:49:07 deadpool NetworkManager[693]: <info>  [1504784947.9910]
SSwan",0]: Saw the service appear; activating connection
Sep  7 12:49:08 deadpool NetworkManager[693]: <error> [1504784948.0145]
SSwan",0]: Failed to request VPN secrets #3: No agents were available for
this request.

Entered password manually  and still got the same message in kern.log

What have I missed ?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170907/4c3cdb09/attachment.html>

More information about the Users mailing list