[strongSwan] Can't connect to VPN after upgrading from 5.7.2 to 5.8.2
Philipp Trulson
philipp at trulson.de
Mon Apr 6 17:04:56 CEST 2020
Hey everyone,
I hope everyone is well and thanks for reading :)
At work we are running an IPSec/IKEv2 VPN that worked fine with Fedora
31 / strongswan 5.7.2 until the maintainers pushed the update to
strongswan 5.8.2. Since then I am unable to establish a connection and I
don't really understand what the logs are telling me, maybe you can
help. The endpoint I am connecting to is a WatchGuard firewall. I am
using network manager to setup the VPN and connect to it.
My guess is that it fails with these two lines:
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] no acceptable
traffic selectors found
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] failed to
establish CHILD_SA, keeping IKE_SA
However the "selected proposal:" line didn't change and I was unable to
find helpful results when googling these lines.
Here is the complete journalctl log after a failed connect:
Apr 06 16:14:52 linux.fritz.box NetworkManager[780]: <info>
[1586182492.8858] audit: op="connection-activate"
uuid="ab2821d0-a3a0-4392-830f-661e40ba0dda" name="IPSecVPN" pid=1396
uid=1000 result="success"
Apr 06 16:14:52 linux.fritz.box NetworkManager[780]: <info>
[1586182492.9128]
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]:
Started the VPN service, PID 2251
Apr 06 16:14:52 linux.fritz.box charon-nm[2251]: 00[DMN] Starting charon
NetworkManager backend (strongSwan 5.8.2)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 00[LIB] openssl FIPS
mode(2) - enabled
Apr 06 16:14:53 linux.fritz.box NetworkManager[780]: <info>
[1586182493.1064]
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]:
Saw the service appear; activating connection
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 00[LIB] loaded plugins:
nm-backend charon-nm pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1
random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem
openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm
gcm drbg curl kernel-netlink socket-default bypass-lan eap-identity
eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 00[JOB] spawning 16
worker threads
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1
src=192.168.178.0 src_prefixlen=24 dst=192.168.178.0 dst_prefixlen=24
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] installed
bypass policy for 192.168.178.0/24
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[KNL] received
netlink error: Invalid argument (22)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[KNL] unable to
install source route for %any6
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] installed
bypass policy for ::1/128
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] installed
bypass policy for fe80::/64
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1
src=192.168.178.0 src_prefixlen=24 dst=192.168.178.0 dst_prefixlen=24
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1
src=192.168.178.0 src_prefixlen=24 dst=192.168.178.0 dst_prefixlen=24
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1
src=0000:0000:0000:0000:0000:0000:0000:0001
dst=0000:0000:0000:0000:0000:0000:0000:0001
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1
src=0000:0000:0000:0000:0000:0000:0000:0001
dst=0000:0000:0000:0000:0000:0000:0000:0001
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1
src=0000:0000:0000:0000:0000:0000:0000:0001
dst=0000:0000:0000:0000:0000:0000:0000:0001
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1
src=fe80:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=64
dst=fe80:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=64
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1
src=fe80:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=64
dst=fe80:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=64
Apr 06 16:14:53 linux.fritz.box audit: MAC_IPSEC_EVENT op=SPD-add
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0 res=1
src=fe80:0000:0000:0000:0000:0000:0000:0000 src_prefixlen=64
dst=fe80:0000:0000:0000:0000:0000:0000:0000 dst_prefixlen=64
Apr 06 16:14:53 linux.fritz.box NetworkManager[780]: <info>
[1586182493.4886]
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]:
VPN connection: (ConnectInteractive) reply received
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[CFG] received
initiate for NetworkManager connection IPSecVPN
Apr 06 16:14:53 linux.fritz.box audit[2251]: AVC avc: denied { read }
for pid=2251 comm="charon-nm" name="cert.pem" dev="sda3" ino=152713
scontext=system_u:system_r:ipsec_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Apr 06 16:14:53 linux.fritz.box audit[2251]: AVC avc: denied { open }
for pid=2251 comm="charon-nm" path="/etc/ssl/cert.pem" dev="sda3"
ino=152713 scontext=system_u:system_r:ipsec_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Apr 06 16:14:53 linux.fritz.box audit[2251]: AVC avc: denied { map }
for pid=2251 comm="charon-nm" path="/etc/ssl/cert.pem" dev="sda3"
ino=152713 scontext=system_u:system_r:ipsec_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[CFG] using CA
certificate, gateway identity 'work-vpn.de'
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[IKE] initiating
IKE_SA IPSecVPN[1] to {IP_ADDRESS}
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[ENC] generating
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
N(HASH_ALG) N(REDIR_SUP) ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 11[NET] sending packet:
from 192.168.178.150[48543] to {IP_ADDRESS}[500] (1080 bytes)
Apr 06 16:14:53 linux.fritz.box NetworkManager[780]: <info>
[1586182493.5089]
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]:
VPN plugin: state changed: starting (3)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[NET] received
packet: from {IP_ADDRESS}[500] to 192.168.178.150[48543] (38 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[ENC] parsed
IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] peer didn't
accept DH group ECP_256, it requested MODP_2048
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[IKE] initiating
IKE_SA IPSecVPN[1] to {IP_ADDRESS}
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[ENC] generating
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP)
N(HASH_ALG) N(REDIR_SUP) ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 12[NET] sending packet:
from 192.168.178.150[48543] to {IP_ADDRESS}[500] (1272 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[NET] received
packet: from {IP_ADDRESS}[500] to 192.168.178.150[48543] (496 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[ENC] parsed
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[ENC] received
unknown vendor ID:
bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:53:34:79:49:45:4a:4f:50:54:59:77:4f:54:59:79:4f:41:3d:3d
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[CFG] selected
proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[IKE] local host is
behind NAT, sending keep alives
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[IKE] sending cert
request for "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE (SN
************** 2018-02-01 23:13:53 CET) CA"
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[IKE] establishing
CHILD_SA IPSecVPN{1}
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[ENC] generating
IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ SA TSi TSr
N(MOBIKE_SUP) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 02[NET] sending packet:
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (352 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[NET] received
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (1328 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[ENC] parsed IKE_AUTH
response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[IKE] received end
entity cert "O=WatchGuard, OU=Fireware, CN=ike2muvpn Server"
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[CFG] using
certificate "O=WatchGuard, OU=Fireware, CN=ike2muvpn Server"
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[CFG] using trusted
ca certificate "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware IKE
(SN ************** 2018-02-01 23:13:53 CET) CA"
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[CFG] checking
certificate status of "O=WatchGuard, OU=Fireware, CN=ike2muvpn Server"
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[CFG] certificate
status is not available
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[CFG] reached
self-signed root ca with a path length of 0
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[IKE] authentication
of 'O=WatchGuard, OU=Fireware, CN=ike2muvpn Server' with RSA signature
successful
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[IKE] server
requested EAP_IDENTITY (id 0x01), sending '{USERNAME}'
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[ENC] generating
IKE_AUTH request 2 [ EAP/RES/ID ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 13[NET] sending packet:
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (96 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[NET] received
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (112 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[ENC] parsed IKE_AUTH
response 2 [ EAP/REQ/MSCHAPV2 ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[IKE] server
requested EAP_MSCHAPV2 authentication (id 0x02)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[ENC] generating
IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 14[NET] sending packet:
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (144 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 15[NET] received
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (144 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 15[ENC] parsed IKE_AUTH
response 3 [ EAP/REQ/MSCHAPV2 ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 15[IKE] EAP-MS-CHAPv2
succeeded: 'Welcome2WatchGuard'
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 15[ENC] generating
IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 15[NET] sending packet:
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (80 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[NET] received
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (80 bytes)
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[ENC] parsed IKE_AUTH
response 4 [ EAP/SUCC ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[IKE] EAP method
EAP_MSCHAPV2 succeeded, MSK established
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[IKE] authentication
of '{USERNAME}' (myself) with EAP
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[ENC] generating
IKE_AUTH request 5 [ AUTH ]
Apr 06 16:14:53 linux.fritz.box charon-nm[2251]: 16[NET] sending packet:
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (112 bytes)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[NET] received
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (240 bytes)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[ENC] parsed IKE_AUTH
response 5 [ AUTH CPRP(ADDR MASK DNS DNS) SA TSi TSr ]
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] authentication
of 'O=WatchGuard, OU=Fireware, CN=ike2muvpn Server' with EAP successful
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] IKE_SA
IPSecVPN[1] established between
192.168.178.150[{USERNAME}]...{IP_ADDRESS}[O=WatchGuard, OU=Fireware,
CN=ike2muvpn Server]
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] scheduling
rekeying in 35622s
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] maximum IKE_SA
lifetime 36222s
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[CFG] selected
proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] no acceptable
traffic selectors found
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] failed to
establish CHILD_SA, keeping IKE_SA
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[IKE] sending DELETE
for ESP CHILD_SA with SPI c1d9d082
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[ENC] generating
INFORMATIONAL request 6 [ D ]
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 03[NET] sending packet:
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (80 bytes)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 04[NET] received
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (80 bytes)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 04[ENC] parsed
INFORMATIONAL response 6 [ D ]
Apr 06 16:14:54 linux.fritz.box audit: MAC_IPSEC_EVENT op=SAD-delete
auid=4294967295 ses=4294967295 subj=system_u:system_r:ipsec_t:s0
src={IP_ADDRESS} dst=192.168.178.150 spi=3252277378(0xc1d9d082) res=1
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 05[IKE] deleting IKE_SA
IPSecVPN[1] between
192.168.178.150[{USERNAME}]...{IP_ADDRESS}[O=WatchGuard, OU=Fireware,
CN=ike2muvpn Server]
Apr 06 16:14:54 linux.fritz.box NetworkManager[780]: <warn>
[1586182494.0801]
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]:
VPN plugin: failed: connect-failed (1)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 05[IKE] sending DELETE
for IKE_SA IPSecVPN[1]
Apr 06 16:14:54 linux.fritz.box NetworkManager[780]: <warn>
[1586182494.0803]
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]:
VPN plugin: failed: connect-failed (1)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 05[ENC] generating
INFORMATIONAL request 7 [ D ]
Apr 06 16:14:54 linux.fritz.box NetworkManager[780]: <info>
[1586182494.0805]
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]:
VPN plugin: state changed: stopping (5)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 05[NET] sending packet:
from 192.168.178.150[55258] to {IP_ADDRESS}[4500] (80 bytes)
Apr 06 16:14:54 linux.fritz.box NetworkManager[780]: <info>
[1586182494.0808]
vpn-connection[0x55a7711ec0f0,ab2821d0-a3a0-4392-830f-661e40ba0dda,"IPSecVPN",0]:
VPN plugin: state changed: stopped (6)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 01[NET] received
packet: from {IP_ADDRESS}[4500] to 192.168.178.150[55258] (80 bytes)
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 01[ENC] parsed
INFORMATIONAL response 7 [ ]
Apr 06 16:14:54 linux.fritz.box charon-nm[2251]: 01[IKE] IKE_SA deleted
Thanks in advance!
Philipp
More information about the Users
mailing list