[strongSwan] Can't connect to VPN after upgrading from 5.7.2 to 5.8.2

Philipp Trulson philipp at trulson.de
Mon Apr 6 17:04:56 CEST 2020


Hey everyone,

I hope everyone is well and thanks for reading :)
At work we are running an IPsec/IKEv2 VPN that worked fine with Fedora 
31 / strongSwan 5.7.2 until the maintainers pushed the update to 
strongSwan 5.8.2. Since then I am unable to establish a connection, and I 
don't really understand what the logs are telling me; maybe you can 
help. The endpoint I am connecting to is a WatchGuard firewall. I am 
using NetworkManager to set up the VPN and connect to it.

My guess is that it fails with these two lines:

Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] no acceptable 
traffic selectors found
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] failed to 
establish CHILD_SA, keeping IKE_SA

However, the "selected proposal:" line didn't change, and I was unable to 
find helpful results when googling these lines.

Here is the complete journalctl log after a failed connect:

Apr 06 16:14:52 linux.fritz.box NetworkManager[780]: <info>  
[1586182492.8858] audit: op="connection-activate" 
uuid="ab2821d0-a3a0-4392-830f-661e40ba0dda" name="IPSecVPN" pid=1396 
uid=1000 result="success"
Apr 06 16:14:52 linux.fritz.box NetworkManager[780]: <info> 
[1586182492.9128] 
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]: 
Started the VPN service, PID 2251
Apr 06 16:14:52 linux.fritz.box charon-nm[2251]: 00[DMN] Starting charon 
NetworkManager backend (strongSwan 5.8.2)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 00[LIB] openssl FIPS 
mode(2) - enabled
Apr 06 16:14:53 linux.fritz.box NetworkManager[780]: <info> 
[1586182493.1064] 
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]: 
Saw the service appear; activating connection
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 00[LIB] loaded plugins: 
nm-backend charon-nm pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 
random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem 
openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm 
gcm drbg curl kernel-netlink socket-default bypass-lan eap-identity 
eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 00[JOB] spawning 16 
worker threads
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add 
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 
src=192.168.178.0 src_prefixlen=24 dst=192.168.178.0 dst_prefixlen=24
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] installed 
bypass policy for 192.168.178.0/24
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[KNL] received 
netlink error: Invalid argument (22)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[KNL] unable to 
install source route for %any6
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] installed 
bypass policy for ::1/128
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] installed 
bypass policy for fe80::/64
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add 
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 
src=192.168.178.0 src_prefixlen=24 dst=192.168.178.0 dst_prefixlen=24
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add 
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 
src=192.168.178.0 src_prefixlen=24 dst=192.168.178.0 dst_prefixlen=24
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add 
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 
src=0000:0000:0000:0000:0000:0000:0000:0001 
dst=0000:0000:0000:0000:0000:0000:0000:0001
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add 
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 
src=0000:0000:0000:0000:0000:0000:0000:0001 
dst=0000:0000:0000:0000:0000:0000:0000:0001
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add 
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 
src=0000:0000:0000:0000:0000:0000:0000:0001 
dst=0000:0000:0000:0000:0000:0000:0000:0001
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add 
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 
src=fe80:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=64 
dst=fe80:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=64
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add 
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 
src=fe80:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=64 
dst=fe80:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=64
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add 
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1 
src=fe80:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=64 
dst=fe80:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=64
Apr 06 16:14:53 linux.fritz.box NetworkManager[780]: <info> 
[1586182493.4886] 
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]: 
VPN connection: (ConnectInteractive) reply received
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[CFG] received 
initiate for NetworkManager connection IPSecVPN
Apr 06 16:14:53 linux.fritz.box audit[2251]: AVC avc:  denied  { read } 
for  pid=2251 comm="charon-nm" name="cert.pem" dev="sda3" ino=152713 
scontext=system_u:system_r:ipsec_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Apr 06 16:14:53 linux.fritz.box audit[2251]: AVC avc:  denied  { open } 
for  pid=2251 comm="charon-nm" path="/etc/ssl/cert.pem" dev="sda3" 
ino=152713 scontext=system_u:system_r:ipsec_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Apr 06 16:14:53 linux.fritz.box audit[2251]: AVC avc:  denied  { map } 
for  pid=2251 comm="charon-nm" path="/etc/ssl/cert.pem" dev="sda3" 
ino=152713 scontext=system_u:system_r:ipsec_t:s0 
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[CFG] using CA 
certificate, gateway identity 'work-vpn.de'
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[IKE] initiating 
IKE_SA IPSecVPN[1] to {IP_ADDRESS}
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[ENC] generating 
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) 
N(HASH_ALG) N(REDIR_SUP) ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[NET] sending packet: 
from 192.168.178.150[48543] to {IP_ADDRESS}[500] (1080 bytes)
Apr 06 16:14:53 linux.fritz.box NetworkManager[780]: <info> 
[1586182493.5089] 
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]: 
VPN plugin: state changed: starting (3)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[NET] received 
packet: from {IP_ADDRESS}[500] to 192.168.178.150[48543] (38 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[ENC] parsed 
IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] peer didn't 
accept DH group ECP_256, it requested MODP_2048
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] initiating 
IKE_SA IPSecVPN[1] to {IP_ADDRESS}
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[ENC] generating 
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) 
N(HASH_ALG) N(REDIR_SUP) ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[NET] sending packet: 
from 192.168.178.150[48543] to {IP_ADDRESS}[500] (1272 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[NET] received 
packet: from {IP_ADDRESS}[500] to 192.168.178.150[48543] (496 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[ENC] parsed 
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[ENC] received 
unknown vendor ID: 
bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:53:34:79:49:45:4a:4f:50:54:59:77:4f:54:59:79:4f:41:3d:3d
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[CFG] selected 
proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[IKE] local host is 
behind NAT, sending keep alives
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[IKE] sending cert 
request for "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN 
************** 2018-02-01 23:13:53 CET) CA"
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[IKE] establishing 
CHILD_SA IPSecVPN{1}
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[ENC] generating 
IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ SA TSi TSr 
N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[NET] sending packet: 
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (352 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[NET] received 
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (1328 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[ENC] parsed IKE_AUTH 
response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[IKE] received end 
entity cert "O=WatchGuard, OU=Fireware, CN=ike2muvpn Server"
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[CFG]   using 
certificate "O=WatchGuard, OU=Fireware, CN=ike2muvpn Server"
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[CFG]   using trusted 
ca certificate "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE 
(SN ************** 2018-02-01 23:13:53 CET) CA"
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[CFG] checking 
certificate status of "O=WatchGuard, OU=Fireware, CN=ike2muvpn Server"
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[CFG] certificate 
status is not available
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[CFG]   reached 
self-signed root ca with a path length of 0
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[IKE] authentication 
of 'O=WatchGuard, OU=Fireware, CN=ike2muvpn Server' with RSA signature 
successful
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[IKE] server 
requested EAP_IDENTITY (id 0x01), sending '{USERNAME}'
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[ENC] generating 
IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[NET] sending packet: 
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (96 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[NET] received 
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (112 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[ENC] parsed IKE_AUTH 
response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[IKE] server 
requested EAP_MSCHAPV2 authentication (id 0x02)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[ENC] generating 
IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[NET] sending packet: 
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (144 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 15[NET] received 
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (144 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 15[ENC] parsed IKE_AUTH 
response 3 [ EAP/REQ/MSCHAPV2 ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 15[IKE] EAP-MS-CHAPv2 
succeeded: 'Welcome2WatchGuard'
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 15[ENC] generating 
IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 15[NET] sending packet: 
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (80 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[NET] received 
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (80 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[ENC] parsed IKE_AUTH 
response 4 [ EAP/SUCC ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[IKE] EAP method 
EAP_MSCHAPV2 succeeded, MSK established
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[IKE] authentication 
of '{USERNAME}' (myself) with EAP
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[ENC] generating 
IKE_AUTH request 5 [ AUTH ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[NET] sending packet: 
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (112 bytes)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[NET] received 
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (240 bytes)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[ENC] parsed IKE_AUTH 
response 5 [ AUTH CPRP(ADDR MASK DNS DNS) SA TSi TSr ]
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] authentication 
of 'O=WatchGuard, OU=Fireware, CN=ike2muvpn Server' with EAP successful
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] IKE_SA 
IPSecVPN[1] established between 
192.168.178.150[{USERNAME}]...{IP_ADDRESS}[O=WatchGuard, OU=Fireware, 
CN=ike2muvpn Server]
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] scheduling 
rekeying in 35622s
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] maximum IKE_SA 
lifetime 36222s
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[CFG] selected 
proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] no acceptable 
traffic selectors found
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] failed to 
establish CHILD_SA, keeping IKE_SA
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] sending DELETE 
for ESP CHILD_SA with SPI c1d9d082
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[ENC] generating 
INFORMATIONAL request 6 [ D ]
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[NET] sending packet: 
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (80 bytes)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 04[NET] received 
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (80 bytes)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 04[ENC] parsed 
INFORMATIONAL response 6 [ D ]
Apr 06 16:14:54 linux.fritz.box audit: MAC_IPSEC_EVENT op=SAD-delete 
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 
src={IP_ADDRESS} dst=192.168.178.150 spi=3252277378(0xc1d9d082) res=1
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 05[IKE] deleting IKE_SA 
IPSecVPN[1] between 
192.168.178.150[{USERNAME}]...{IP_ADDRESS}[O=WatchGuard, OU=Fireware, 
CN=ike2muvpn Server]
Apr 06 16:14:54 linux.fritz.box NetworkManager[780]: <warn> 
[1586182494.0801] 
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]: 
VPN plugin: failed: connect-failed (1)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 05[IKE] sending DELETE 
for IKE_SA IPSecVPN[1]
Apr 06 16:14:54 linux.fritz.box NetworkManager[780]: <warn> 
[1586182494.0803] 
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]: 
VPN plugin: failed: connect-failed (1)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 05[ENC] generating 
INFORMATIONAL request 7 [ D ]
Apr 06 16:14:54 linux.fritz.box NetworkManager[780]: <info> 
[1586182494.0805] 
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]: 
VPN plugin: state changed: stopping (5)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 05[NET] sending packet: 
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (80 bytes)
Apr 06 16:14:54 linux.fritz.box NetworkManager[780]: <info> 
[1586182494.0808] 
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]: 
VPN plugin: state changed: stopped (6)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 01[NET] received 
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (80 bytes)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 01[ENC] parsed 
INFORMATIONAL response 7 [ ]
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 01[IKE] IKE_SA deleted

Thanks in advance!

Philipp
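The log above is easier to read once it is split into IKEv2 phases: IKE_SA_INIT completed (after one INVAL_KE round trip to switch the DH group to MODP_2048), the gateway authenticated with its RSA certificate, EAP-MSCHAPv2 succeeded and the IKE_SA was established, so neither credentials nor IKE ciphers are the problem; the failure is in the CHILD_SA part of IKE_AUTH, where the traffic selectors the peer returned matched nothing locally. The script below is an added example, not code from the post or from strongSwan: it parses charon messages out of journald lines and reports which phase failed and why. The first sample is a reduced copy of the post's excerpt with the gateway address replaced by a documentation-range address and the username by a placeholder; the second sample (a NO_PROPOSAL_CHOSEN rejection) is constructed to show the phase logic generalizes. It only recognises the charon messages quoted in the post plus a few others charon emits at the default log level, and it assumes charon logs the CHILD_SA failure reason on the [IKE] line immediately preceding "failed to establish CHILD_SA".

```python
"""Triage a charon (strongSwan) log excerpt: reconstruct the IKEv2 negotiation
and report the phase in which it failed. Added example; not from the post or
from strongSwan. Only the charon messages listed below are recognised."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Match the charon part of a journald line: "charon-nm[2251]: 03[IKE] message".
CHARON_RE = re.compile(r"charon[\w-]*\[\d+\]: (?P<thread>\d+)\[(?P<sub>\w+)\] (?P<msg>.*)$")

# Constructed sample: reduced copy of the post's excerpt (gateway address and
# username replaced); NetworkManager and audit lines are left out on purpose.
SAMPLE_TS_FAILURE = """\
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[IKE] initiating IKE_SA IPSecVPN[1] to 203.0.113.10
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[IKE] authentication of 'O=WatchGuard, OU=Fireware, CN=ike2muvpn Server' with RSA signature successful
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[IKE] server requested EAP_MSCHAPV2 authentication (id 0x02)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR MASK DNS DNS) SA TSi TSr ]
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] IKE_SA IPSecVPN[1] established between 192.168.178.150[user]...203.0.113.10[O=WatchGuard, OU=Fireware, CN=ike2muvpn Server]
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] no acceptable traffic selectors found
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# Constructed sample of a different failure: the peer rejects every IKE proposal.
SAMPLE_NO_PROPOSAL = """\
Apr 06 16:20:01 linux.fritz.box charon-nm[2251]: 11[IKE] initiating IKE_SA IPSecVPN[2] to 203.0.113.10
Apr 06 16:20:01 linux.fritz.box charon-nm[2251]: 12[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Apr 06 16:20:01 linux.fritz.box charon-nm[2251]: 12[IKE] received NO_PROPOSAL_CHOSEN notify error
"""


@dataclass
class Negotiation:
    ike_proposal: Optional[str] = None            # IKE suite the peer selected
    esp_proposal: Optional[str] = None            # ESP suite the peer selected
    dh_retry: Optional[Tuple[str, str]] = None    # (group offered, group the peer demanded)
    peer_auth: Optional[str] = None               # how the gateway authenticated itself
    eap_method: Optional[str] = None              # EAP method requested from the client
    cp_attrs: List[str] = field(default_factory=list)  # configuration payload attributes
    ike_sa_established: bool = False
    child_sa_established: bool = False
    failure: Optional[str] = None                 # charon's stated reason, if any


def parse_charon_log(text: str) -> Negotiation:
    neg = Negotiation()
    last_ike_msg: Optional[str] = None
    for line in text.splitlines():
        m = CHARON_RE.search(line)
        if not m:
            continue  # NetworkManager, audit and other non-charon lines
        sub, msg = m["sub"], m["msg"]
        if p := re.match(r"selected proposal: IKE:(\S+)", msg):
            neg.ike_proposal = p[1]
        elif p := re.match(r"selected proposal: ESP:(\S+)", msg):
            neg.esp_proposal = p[1]
        elif p := re.match(r"peer didn't accept DH group (\S+), it requested (\S+)", msg):
            neg.dh_retry = (p[1], p[2])
        elif (p := re.match(r"authentication of '.+' with (.+) successful", msg)) and neg.peer_auth is None:
            neg.peer_auth = p[1]  # first such line is the gateway authenticating to us
        elif p := re.match(r"server requested (EAP_\w+) authentication", msg):
            neg.eap_method = p[1]
        elif p := re.search(r"CPRP\(([^)]*)\)", msg):
            neg.cp_attrs = p[1].split()
        elif re.match(r"IKE_SA \S+ established between", msg):
            neg.ike_sa_established = True
        elif re.match(r"CHILD_SA \S+ established with SPIs", msg):
            neg.child_sa_established = True
        elif msg.startswith("failed to establish CHILD_SA"):
            neg.failure = last_ike_msg  # assumption: reason is on the preceding [IKE] line
        elif re.match(r"received \w+ notify error", msg):
            neg.failure = msg
        if sub == "IKE":
            last_ike_msg = msg
    return neg


def failure_phase(neg: Negotiation) -> str:
    """Coarse phase the negotiation got stuck in: IKE_SA_INIT, IKE_AUTH, CHILD_SA or OK."""
    if neg.child_sa_established:
        return "OK"
    if neg.ike_sa_established:
        return "CHILD_SA"   # authenticated, but no usable ESP SA (proposal or TS problem)
    if neg.ike_proposal:
        return "IKE_AUTH"   # IKE_SA_INIT completed, authentication/EAP did not
    return "IKE_SA_INIT"


def describe(neg: Negotiation) -> str:
    phase = failure_phase(neg)
    if phase == "OK":
        return "tunnel established"
    parts = [f"negotiation failed in {phase}"]
    if neg.dh_retry:
        parts.append(f"DH group renegotiated {neg.dh_retry[0]} -> {neg.dh_retry[1]} (INVAL_KE retry, harmless)")
    if neg.ike_sa_established:
        parts.append(f"IKE_SA was up (gateway auth: {neg.peer_auth}, client auth: {neg.eap_method}), "
                     "so credentials and IKE ciphers are not the problem")
    if neg.cp_attrs:
        parts.append("config payload attributes received: " + " ".join(neg.cp_attrs))
    if neg.failure:
        parts.append(f"reason: {neg.failure}")
    if neg.failure and "traffic selectors" in neg.failure:
        parts.append("the TSi/TSr the peer returned match no local traffic selector; "
                     "compare what the client proposes with the gateway's tunnel policy")
    return "; ".join(parts)


if __name__ == "__main__":
    print(describe(parse_charon_log(SAMPLE_TS_FAILURE)))
```

Feed it `journalctl -u NetworkManager -b` output (or the charon log directly) and read the phase first: a failure in CHILD_SA with the IKE_SA up rules out certificate and EAP problems, which is why the unchanged "selected proposal:" lines in the post are not where to look.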
