[strongSwan] Debian 9, Xfce, Network Manager, strongSwan and UniFi VPN
David Christensen
dpchrist at holgerdanske.com
Wed Feb 5 19:26:32 CET 2020
On 2020-02-04 22:16, David Christensen wrote:
> users:
>
> I have an AT&T residential gateway that provides the DMZ 192.168.1.0/24.
> The gateway has DMZ address 192.168.1.254.
>
>
> I have a Ubiquiti Networks UniFi Security Gateway (USG) whose upstream
> port is connected to the DMZ and has address 192.168.1.133. The USG
> provides the LAN 192.168.5.0/24 and has address 192.158.5.1.
>
>
> I have created a RADIUS account 'dpchrist' in the UniFi Controller.
>
>
> I have configured a VPN network in the UniFi Controller:
>
> Name remote-access
> VPN Type L2TP Server
> Pre-Shared Key ********************
> Gateway/Subnet 172.16.5.1/29
> Name Server Auto
> WINS Server unchecked
> Site-to-Site VPN unchecked
>
> RADIUS Profile Default
> MS-CHAP v2 Require MS-CHAP v2
>
>
> I have a Debian 9 laptop with Xfce. I have attached the laptop to the
> DMZ at address 192.168.1.144. The laptop can ping the AT&T gateway, can
> ping the USG, and can connect to the Internet via the AT&T gateway.
>
>
> I would like to connect the laptop on the DMZ to the LAN using Network
> Manager and strongSwan VPN.
>
>
> STFW I found:
>
>
> https://www.bestvpnz.com/tutorials/how-to-set-up-l2tp-ipsec-vpn-on-linux-networkmanager-strongswan/
>
>
>
> I have installed the following packages on the laptop:
>
> openvpn
> network-manager-openvpn-gnome
> network-manager-strongswan
> xl2tpd
> strongswan
>
>
> I have put the pre-shared key into a file in my home directory in the
> laptop:
>
> l2tp-key
>
>
> I have created a VPN connection in the laptop:
>
> Xfce Applications Menu -> Settings -> Network Connections -> Add:
>
> Choose a Connection Type IPsec/IKEv2 (strongswan)
> Create...
>
> Connection Name 192.168.1.133
>
> VPN
> Gateway
> Address 192.168.1.133
> Certificate l2tp-key
> Client
> Authentication Pre-shared key
> Username dpchrist
> Password
> -> Store the password only for this user
> ********************
>
> Options
> Request an inner IP address checked
> Enforce UDP encapsulation checked
> Use IP compression checked
>
>
> When I select Xfce Panel -> Notification Area -> NetworkManager Applet
> -> VPN Connections -> 192.168.1.133, I get a pop-up that says:
>
> VPN Connection Failed
>
> The VPN connection "192.168.1.133" failed because the VPN
> service failed to start.
>
>
> There are clues in the messages log:
>
> 2020-02-04 20:44:30 root at tinkywinky ~
> # tail -n 4 /var/log/messages
> Feb 4 20:43:42 tinkywinky NetworkManager[537]: <info>
> [1580877822.3516] audit: op="connection-activate"
> uuid="4f2c0009-5392-4001-a090-adb11d5977a8" name="192.168.1.133"
> pid=1210 uid=13250 result="success"
> Feb 4 20:43:42 tinkywinky NetworkManager[537]: <info>
> [1580877822.3549]
> vpn-connection[0x563d18544800,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
> Saw the service appear; activating connection
> Feb 4 20:43:42 tinkywinky NetworkManager[537]: <info>
> [1580877822.4545]
> vpn-connection[0x563d18544800,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
> VPN connection: (ConnectInteractive) reply received
> Feb 4 20:43:42 tinkywinky NetworkManager[537]: <warn>
> [1580877822.4593]
> vpn-connection[0x563d18544800,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
> VPN connection: failed to connect: 'Loading gateway certificate failed.'
>
>
> STFW I found my own posts from ~6 months ago with these same issues. I
> fumbled around and eventually got it working, but have no recollection
> or understanding of how or why. I have not touched the UniFi settings
> since then. The laptop has a fresh install of Debian 9.
>
>
> Suggestions?
>
>
> David
While setting up Wi-Fi, "Default Keyring" (Gnome Keyring?) was rejecting
the password I set yesterday. So I moved aside the following file:
~/.local/share/keyrings/Default_keyring.keyring
When I selected NetworkManager Applet -> VPN Connections -> 192.168.1.133:
1. A pop-up prompted for the Pre-Shared Key. So I entered it.
2. A modal pop-up prompted to create a new keyring. So, I entered my
user account password twice.
Nothing was displayed on the screen and the VPN was not working.
When I selected NetworkManager Applet -> VPN Connections -> 192.168.1.133
again, the following dialog was displayed:
VPN Connection Failed
The VPN connection "192.168.1.133" failed because the VPN
service failed to start.
The logs show:
2020-02-05 10:15:38 root at tinkywinky ~
# tail -n 24 /var/log/messages
Feb 5 10:08:04 tinkywinky NetworkManager[524]: <info>
[1580926084.4024] audit: op="connection-activate"
uuid="4f2c0009-5392-4001-a090-adb11d5977a8" name="192.168.1.133"
pid=1239 uid=13250 result="success"
Feb 5 10:08:04 tinkywinky NetworkManager[524]: <info>
[1580926084.4140]
vpn-connection[0x5634e2a5a260,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
Started the VPN service, PID 2588
Feb 5 10:08:04 tinkywinky NetworkManager[524]: <info>
[1580926084.4373]
vpn-connection[0x5634e2a5a260,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
Saw the service appear; activating connection
Feb 5 10:08:04 tinkywinky NetworkManager[524]: <info>
[1580926084.4457]
vpn-connection[0x5634e2a5a260,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
VPN plugin: state changed: init (1)
Feb 5 10:08:04 tinkywinky gnome-keyring-d[1798]: invalid
unclassed pointer in cast to 'GkmObject'
Feb 5 10:08:04 tinkywinky gnome-keyring-d[1798]:
gkm_object_expose_full: assertion 'GKM_IS_OBJECT (self)' failed
Feb 5 10:08:26 tinkywinky kernel: [ 1070.638661] perf:
interrupt took too long (3177 > 3172), lowering
kernel.perf_event_max_sample_rate to 62750
Feb 5 10:09:58 tinkywinky NetworkManager[524]: <info>
[1580926198.8951]
vpn-connection[0x5634e2a5a260,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
VPN connection: (ConnectInteractive) reply received
Feb 5 10:09:58 tinkywinky NetworkManager[524]: <warn>
[1580926198.8975]
vpn-connection[0x5634e2a5a260,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
VPN connection: failed to connect: 'Loading gateway certificate failed.'
Feb 5 10:09:58 tinkywinky NetworkManager[524]: <info>
[1580926198.9001]
vpn-connection[0x5634e2a5a260,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
VPN plugin: state changed: stopped (6)
Feb 5 10:09:59 tinkywinky gcr-prompter[2632]: GtkDialog mapped
without a transient parent. This is discouraged.
Feb 5 10:10:22 tinkywinky gnome-keyring-d[1798]: asked to
register collection
/org/freedesktop/secrets/collection/Default_5fkeyring, but it's already
registered
Feb 5 10:11:47 tinkywinky NetworkManager[524]: <info>
[1580926307.4292] audit: op="connection-activate"
uuid="4f2c0009-5392-4001-a090-adb11d5977a8" name="192.168.1.133"
pid=1239 uid=13250 result="success"
Feb 5 10:11:47 tinkywinky NetworkManager[524]: <info>
[1580926307.4333]
vpn-connection[0x5634e2a5a460,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
Saw the service appear; activating connection
Feb 5 10:11:47 tinkywinky NetworkManager[524]: <info>
[1580926307.5385]
vpn-connection[0x5634e2a5a460,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
VPN connection: (ConnectInteractive) reply received
Feb 5 10:11:47 tinkywinky NetworkManager[524]: <warn>
[1580926307.5404]
vpn-connection[0x5634e2a5a460,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]:
VPN connection: failed to connect: 'Loading gateway certificate failed.'
Feb 5 10:12:29 tinkywinky NetworkManager[524]: <info>
[1580926349.8395] device (wlp11s0): set-hw-addr: set MAC address to
42:82:FD:31:3A:3C (scanning)
Feb 5 10:12:29 tinkywinky NetworkManager[524]: <info>
[1580926349.9184] device (wlp11s0): supplicant interface state:
disconnected -> disabled
David
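Editor's note on the failure above, with an added example that is not part of the original post and not code from the strongSwan or UniFi projects. The NetworkManager connection type chosen is "IPsec/IKEv2 (strongswan)", so the plugin expects a gateway certificate in the "Certificate" field; handing it the pre-shared-key file is what produces "Loading gateway certificate failed." A UniFi "VPN Type: L2TP Server" network is L2TP/IPsec: an IKEv1, pre-shared-key, transport-mode IPsec SA protecting UDP/1701, with PPP/MS-CHAPv2 inside it. The IKEv2 plugin cannot build that; on Debian 9 the GUI route is the network-manager-l2tp(-gnome) package, and the manual route is the strongSwan + xl2tpd + pppd configuration the script below writes. The gateway address and user name are taken from the post; the IKE/ESP proposals, file names and PPP options are assumptions to be checked against the actual gateway.

```sh
#!/bin/sh
# Added example, not from the original post or from strongSwan/UniFi.
# Writes a manual L2TP/IPsec *client* config for Debian 9 (strongSwan +
# xl2tpd + pppd).  Files go under PREFIX so it can be run unprivileged to
# inspect the result; PREFIX=/ needs root.
set -eu

# From the post: USG DMZ address and RADIUS user.  Everything else below is
# an assumption (PSK file path, proposals, PPP options).
GATEWAY="${GATEWAY:-192.168.1.133}"
VPN_USER="${VPN_USER:-dpchrist}"
PSK_FILE="${PSK_FILE:-${HOME:-/root}/l2tp-key}"

# write_client_config PREFIX GATEWAY USER PSK PASSWORD
write_client_config() {
    prefix=$1 gw=$2 user=$3 psk=$4 pass=$5
    mkdir -p "$prefix/etc/xl2tpd" "$prefix/etc/ppp"

    # IKEv1 + PSK + transport mode on UDP/1701 at both ends: this is what an
    # "L2TP Server" gateway negotiates, and what the IKEv2-only NM plugin
    # cannot produce.  Proposals are an assumption about the USG; SHA-1 and
    # modp1024 are weak but are what L2TP/IPsec gateways commonly require.
    cat > "$prefix/etc/ipsec.conf" <<EOF
config setup
    uniqueids=no

conn l2tp-usg
    keyexchange=ikev1
    type=transport
    authby=secret
    left=%defaultroute
    leftprotoport=17/1701
    right=$gw
    rightprotoport=17/1701
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
    esp=aes256-sha1,aes128-sha1!
    auto=add
EOF

    # PSK selected by gateway address; root-only.  (A PSK containing a
    # double quote or backslash would need escaping here.)
    cat > "$prefix/etc/ipsec.secrets" <<EOF
$gw : PSK "$psk"
EOF
    chmod 600 "$prefix/etc/ipsec.secrets"

    # xl2tpd LAC for the same gateway.  pppoptfile is an absolute path
    # because xl2tpd reads it at run time, not from PREFIX.
    cat > "$prefix/etc/xl2tpd/xl2tpd.conf" <<EOF
[global]
port = 1701

[lac usg]
lns = $gw
ppp debug = no
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

    # Refuse every PPP auth method except MS-CHAPv2 (the controller profile
    # requires it).  noauth: we do not demand PPP auth from the gateway; the
    # IPsec PSK already authenticated it.  No defaultroute: only the LAN
    # behind the USG is wanted, so that route is added by hand afterwards.
    cat > "$prefix/etc/ppp/options.l2tpd.client" <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
noccp
noauth
mtu 1280
mru 1280
noipdefault
usepeerdns
connect-delay 5000
name $user
password $pass
EOF
    chmod 600 "$prefix/etc/ppp/options.l2tpd.client"
}

# check_client_config PREFIX GATEWAY: fails if the IPsec side is not
# IKEv1/PSK (the mistake in the post), if any certificate setting crept in,
# if the IPsec and L2TP sides point at different gateways, or if either file
# holding a secret is readable by anyone but its owner.
check_client_config() {
    prefix=$1 gw=$2
    grep -q '^ *keyexchange=ikev1$' "$prefix/etc/ipsec.conf" || return 1
    grep -q '^ *authby=secret$' "$prefix/etc/ipsec.conf" || return 1
    ! grep -q 'cert' "$prefix/etc/ipsec.conf" || return 1
    grep -q "^ *right=$gw\$" "$prefix/etc/ipsec.conf" || return 1
    grep -q "^lns = $gw\$" "$prefix/etc/xl2tpd/xl2tpd.conf" || return 1
    for f in "$prefix/etc/ipsec.secrets" "$prefix/etc/ppp/options.l2tpd.client"; do
        [ -n "$(find "$f" -perm 600)" ] || return 1
    done
}

# "sh l2tp-client.sh demo": write into a scratch directory and check it.
if [ "${1:-}" = "demo" ]; then
    PREFIX=$(mktemp -d)
    PSK=$(cat "$PSK_FILE" 2>/dev/null || echo "REPLACE-WITH-PSK")
    write_client_config "$PREFIX" "$GATEWAY" "$VPN_USER" "$PSK" "REPLACE-WITH-PASSWORD"
    if check_client_config "$PREFIX" "$GATEWAY"; then
        echo "config under $PREFIX looks sane"
    else
        echo "config under $PREFIX failed the check"; exit 1
    fi
fi
```

With the files installed under / as root, the usual bring-up is `ipsec restart`, `systemctl restart xl2tpd`, `ipsec up l2tp-usg`, then `echo "c usg" > /var/run/xl2tpd/l2tp-control` to start the L2TP session, and finally `ip route add 192.168.5.0/24 dev ppp0` so only the USG's LAN goes through the tunnel. `ipsec statusall` should show the l2tp-usg SA established before the L2TP step; if it does not, the proposals or PSK are the first things to compare against the controller.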