[strongSwan] revisiting problem with linux to VPN using network-manager-strongswan 1.4.5-2.1
David H Durgee
dhdurgee at verizon.net
Fri Jul 2 23:51:19 CEST 2021
So strongSwan works differently than the vpn I was using previously.
Fine. I see in the log messages that appear to indicate that the tunnel
was successfully established. How can I confirm that the configuration
is working to secure all internet traffic via the WiFi connection?
I assume that there are some commands that I could issue in a linux
terminal window whose output would assure me of this. In the case of
the previous vpn it created a tun interface and routed traffic to that
interface, which could be confirmed with the ifconfig and route commands.
What commands would show me confirmation that my internet traffic is
being properly encrypted?
I do not at present have the full strongSwan package installed on the
laptop, only the packages that work with NetworkManager. I can install
additional packages if necessary, but would need to be sure that doing
so would not undo work already done to reach the current point of
successful connection.
Dave
> Noel Kuntze wrote: Hello David,
>
> strongSwan by default builds policy based tunnels, not route based
> tunnels.
> Thus no interface is needed or created.
> Read up on how IPsec works on the wiki to get an understanding for it.
>
> GUI indicators are not inherently related to if any tunnel exists, or
> works.
>
> Kind regards
> Noel
>
> Am 01.07.21 um 20:31 schrieb David H Durgee:
>> I thought it might make sense to revisit this after the progress that
>> has been made. It now appears that the connection is being established:
>>
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] authentication of
>>> 'durgeeenterprises.publicvm.com' with EAP successful
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] IKE_SA Durgee Enterprises,
>>> LLC[7] established between
>>> 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] scheduling rekeying in 35705s
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] maximum IKE_SA lifetime 36305s
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] installing new virtual IP
>>> 10.10.10.1
>>> Jun 29 11:21:34 Z560 avahi-daemon[750]: Registering new address
>>> record for 10.10.10.1 on wlp5s0.IPv4.
>>> Jun 29 11:21:34 Z560 charon-nm: 11[CFG] selected proposal:
>>> ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] CHILD_SA Durgee Enterprises,
>>> LLC{4} established with SPIs c8cad4e5_i c3f2eec4_o and TS
>>> 10.10.10.1/32 === 0.0.0.0/0
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] peer supports MOBIKE
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6991]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: VPN connection: (IP Config Get) reply received.
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6997]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: VPN plugin: state changed: started (4)
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6997]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: VPN connection: (IP4 Config Get) reply received
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: VPN Gateway: 108.31.28.59
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Tunnel Device: (null)
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: IPv4 configuration:
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Internal Address: 10.10.10.1
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Internal Prefix: 32
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Internal Point-to-Point Address:
>>> 10.10.10.1
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Internal DNS: 8.8.8.8
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Internal DNS: 8.8.4.4
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: DNS Domain: '(none)'
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: No IPv6 configuration
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7013]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: VPN connection: (IP Config Get) complete
>>
>> Unfortunately I am not seeing a tunnel interface being created and
>> routing added:
>>
>>> enp6s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>> ether b8:70:f4:2c:6b:9f txqueuelen 1000 (Ethernet)
>>> RX packets 1143393 bytes 1164336056 (1.1 GB)
>>> RX errors 0 dropped 20 overruns 0 frame 0
>>> TX packets 912738 bytes 112966285 (112.9 MB)
>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>
>>> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
>>> inet 127.0.0.1 netmask 255.0.0.0
>>> inet6 ::1 prefixlen 128 scopeid 0x10<host>
>>> loop txqueuelen 1000 (Local Loopback)
>>> RX packets 95404 bytes 9207887 (9.2 MB)
>>> RX errors 0 dropped 0 overruns 0 frame 0
>>> TX packets 95404 bytes 9207887 (9.2 MB)
>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>
>>> wlp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>> inet 192.168.1.114 netmask 255.255.255.0 broadcast
>>> 192.168.1.255
>>> inet6 fe80::562f:7604:6d84:57ca prefixlen 64 scopeid
>>> 0x20<link>
>>> ether ac:81:12:a4:5e:43 txqueuelen 1000 (Ethernet)
>>> RX packets 5644 bytes 4264877 (4.2 MB)
>>> RX errors 0 dropped 0 overruns 0 frame 62520
>>> TX packets 6377 bytes 1007195 (1.0 MB)
>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>> device interrupt 17
>>>
>>> dhdurgee at z560:~/Downloads$ route
>>> Kernel IP routing table
>>> Destination Gateway Genmask Flags Metric Ref Use
>>> Iface
>>> default _gateway 0.0.0.0 UG 20600 0
>>> 0 wlp5s0
>>> link-local 0.0.0.0 255.255.0.0 U 1000 0
>>> 0 wlp5s0
>>> 192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0
>>> wlp5s0
>>> dhdurgee at z560:~/Downloads$
>>
>> In case it is needed for reference, here is the ipsec.conf on the
>> server side:
>>
>>> config setup
>>> charondebug="ike 1, knl 1, cfg 1"
>>> uniqueids=no
>>>
>>> conn ikev2-vpn
>>> auto=add
>>> compress=no
>>> type=tunnel
>>> keyexchange=ikev2
>>> fragmentation=yes
>>> forceencaps=yes
>>> ike=aes256-sha1-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
>>> esp=aes256-sha1,3des-sha1!
>>> dpdaction=clear
>>> dpddelay=300s
>>> rekey=no
>>> left=%any
>>> leftid=@durgeeenterprises.publicvm.com
>>> leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>>> leftsendcert=always
>>> leftsubnet=0.0.0.0/0
>>> right=%any
>>> rightid=%any
>>> rightauth=eap-mschapv2
>>> rightsourceip=10.10.10.0/24
>>> rightdns=8.8.8.8,8.8.4.4
>>> rightsendcert=never
>>> eap_identity=%identity
>>
>> Here is the connection definition from
>> /etc/NewtorkManager/system-connections:
>>
>>> [connection]
>>> id=Durgee Enterprises, LLC
>>> uuid=72e4370d-ecfb-4e33-8572-5cf04431abb9
>>> type=vpn
>>> autoconnect=false
>>> permissions=user:dhdurgee:;
>>>
>>> [vpn]
>>> address=durgeeenterprises.publicvm.com
>>> certificate=/home/dhdurgee/Downloads/vpn_root_certificate.pem
>>> encap=no
>>> ipcomp=no
>>> method=eap
>>> password-flags=1
>>> proposal=no
>>> user=dhdurgee
>>> virtual=yes
>>> service-type=org.freedesktop.NetworkManager.strongswan
>>>
>>> [ipv4]
>>> dns-search=
>>> method=auto
>>>
>>> [ipv6]
>>> addr-gen-mode=stable-privacy
>>> dns-search=
>>> ip6-privacy=0
>>> method=auto
>>>
>>> [proxy]
>>
>> The listed connection was created via the GUI. I have screenshots of
>> the four pages from the GUI available for email as they violate size
>> restrictions of posting here..
>>
>> As the VPN connection is already working with android and windows
>> systems I want to make no changes to the ipsec.conf on the server.
>> All changes should be made to the linux connection.
>>
>> I can only assume there are revisions to be made, hopefully via the
>> GUI. Obviously if the GUI cannot address what is needed I can edit
>> the connection directly.
>>
>> Alternatively, am I misunderstanding what I am seeing and the tunnel
>> is actually being established? I see only the WiFi icon on the bar
>> at the bottom of the screen just as I do when opening the WiFi
>> connection. With another VPN service, now discontinued, I showed a
>> different icon indicating the secured tunnel was open. This other
>> discontinued service likewise created a tun interface and established
>> a route via that interface.
>>
>> If more information is required please let me know.
>>
>> Dave
>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4492 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210702/592ba981/attachment-0001.bin>
More information about the Users
mailing list