[strongSwan] revisiting problem with linux to VPN using network-manager-strongswan 1.4.5-2.1

David H Durgee dhdurgee at verizon.net
Mon Jul 12 17:00:30 CEST 2021


I have done a little more looking around and would like to know if what 
I am seeing from nmcli confirms proper operation of my strongswan VPN.  
Here is what I see with wifi up but not the VPN:

> wlp5s0: connected to Auto Free WiFi by Karma
>     "Broadcom and subsidiaries BCM4313"
>     wifi (wl), AC:81:12:A4:5E:43, hw, mtu 1500
>     ip4 default
>     inet4 192.168.1.114/24
>     route4 0.0.0.0/0
>     route4 192.168.1.0/24
>     route4 169.254.0.0/16
>     route4 192.168.1.0/24
>     inet6 fe80::562f:7604:6d84:57ca/64
>     route6 fe80::/64
>
> enp6s0: disconnected
>     "Realtek RTL810xE"
>     1 connection available
>     ethernet (r8169), B8:70:F4:2C:6B:9F, autoconnect, hw, mtu 1500
>
> lo: unmanaged
>     "lo"
>     loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
>
> DNS configuration:
>     servers: 192.168.1.1
>     interface: wlp5s0

When I enable the VPN this changes to show:

> Durgee Enterprises, LLC VPN connection
>     master wlp5s0, VPN
>     inet4 10.10.10.1/32
>
> wlp5s0: connected to Auto Free WiFi by Karma
>     "Broadcom and subsidiaries BCM4313"
>     wifi (wl), AC:81:12:A4:5E:43, hw, mtu 1500
>     ip4 default
>     inet4 192.168.1.114/24
>     inet4 10.10.10.1/32
>     route4 0.0.0.0/0
>     route4 192.168.1.0/24
>     route4 169.254.0.0/16
>     route4 192.168.1.0/24
>     route4 0.0.0.0/0
>     inet6 fe80::562f:7604:6d84:57ca/64
>     route6 fe80::/64
>
> enp6s0: disconnected
>     "Realtek RTL810xE"
>     1 connection available
>     ethernet (r8169), B8:70:F4:2C:6B:9F, autoconnect, hw, mtu 1500
>
> lo: unmanaged
>     "lo"
>     loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
>
> DNS configuration:
>     servers: 8.8.8.8 8.8.4.4
>     interface: wlp5s0
>     type: vpn
>
>     servers: 192.168.1.1
>     interface: wlp5s0

Does this confirm proper operation of the VPN?  If not, what other 
command will confirm it for me?

Assuming this does indeed indicate proper operation of the VPN I will 
contact support for the applet that fails to indicate the VPN in proper 
operation for them to correct their display.

Dave

> Noel Kuntze wrote:  Hello David,
>
> strongSwan by default builds policy based tunnels, not route based 
> tunnels.
> Thus no interface is needed or created.
> Read up on how IPsec works on the wiki to get an understanding for it.
>
> GUI indicators are not inherently related to if any tunnel exists, or 
> works.
>
> Kind regards
> Noel
>
> Am 01.07.21 um 20:31 schrieb David H Durgee:
>> I thought it might make sense to revisit this after the progress that 
>> has been made. It now appears that the connection is being established:
>>
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] authentication of 
>>> 'durgeeenterprises.publicvm.com' with EAP successful
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] IKE_SA Durgee Enterprises, 
>>> LLC[7] established between 
>>> 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] scheduling rekeying in 35705s
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] maximum IKE_SA lifetime 36305s
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] installing new virtual IP 
>>> 10.10.10.1
>>> Jun 29 11:21:34 Z560 avahi-daemon[750]: Registering new address 
>>> record for 10.10.10.1 on wlp5s0.IPv4.
>>> Jun 29 11:21:34 Z560 charon-nm: 11[CFG] selected proposal: 
>>> ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] CHILD_SA Durgee Enterprises, 
>>> LLC{4} established with SPIs c8cad4e5_i c3f2eec4_o and TS 
>>> 10.10.10.1/32 === 0.0.0.0/0
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] peer supports MOBIKE
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6991] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: VPN connection: (IP Config Get) reply received.
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6997] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: VPN plugin: state changed: started (4)
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6997] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: VPN connection: (IP4 Config Get) reply received
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: Data: VPN Gateway: 108.31.28.59
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: Data: Tunnel Device: (null)
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: Data: IPv4 configuration:
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: Data:   Internal Address: 10.10.10.1
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: Data:   Internal Prefix: 32
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: Data:   Internal Point-to-Point Address: 
>>> 10.10.10.1
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: Data:   Internal DNS: 8.8.8.8
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: Data:   Internal DNS: 8.8.4.4
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: Data:   DNS Domain: '(none)'
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: Data: No IPv6 configuration
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7013] 
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
>>> Enterprises, LLC",0]: VPN connection: (IP Config Get) complete
>>
>> Unfortunately I am not seeing a tunnel interface being created and 
>> routing added:
>>
>>> enp6s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>>         ether b8:70:f4:2c:6b:9f  txqueuelen 1000  (Ethernet)
>>>         RX packets 1143393  bytes 1164336056 (1.1 GB)
>>>         RX errors 0  dropped 20  overruns 0  frame 0
>>>         TX packets 912738  bytes 112966285 (112.9 MB)
>>>         TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0
>>>
>>> lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>>>         inet 127.0.0.1  netmask 255.0.0.0
>>>         inet6 ::1  prefixlen 128  scopeid 0x10<host>
>>>         loop  txqueuelen 1000  (Local Loopback)
>>>         RX packets 95404  bytes 9207887 (9.2 MB)
>>>         RX errors 0  dropped 0  overruns 0  frame 0
>>>         TX packets 95404  bytes 9207887 (9.2 MB)
>>>         TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0
>>>
>>> wlp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>>>         inet 192.168.1.114  netmask 255.255.255.0  broadcast 
>>> 192.168.1.255
>>>         inet6 fe80::562f:7604:6d84:57ca  prefixlen 64  scopeid 
>>> 0x20<link>
>>>         ether ac:81:12:a4:5e:43  txqueuelen 1000  (Ethernet)
>>>         RX packets 5644  bytes 4264877 (4.2 MB)
>>>         RX errors 0  dropped 0  overruns 0  frame 62520
>>>         TX packets 6377  bytes 1007195 (1.0 MB)
>>>         TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0
>>>         device interrupt 17
>>>
>>> dhdurgee at z560:~/Downloads$ route
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref Use 
>>> Iface
>>> default         _gateway        0.0.0.0         UG    20600 0        
>>> 0 wlp5s0
>>> link-local      0.0.0.0         255.255.0.0     U     1000 0        
>>> 0 wlp5s0
>>> 192.168.1.0     0.0.0.0         255.255.255.0   U     600 0        0 
>>> wlp5s0
>>> dhdurgee at z560:~/Downloads$
>>
>> In case it is needed for reference, here is the ipsec.conf on the 
>> server side:
>>
>>> config setup
>>>   charondebug="ike 1, knl 1, cfg 1"
>>>   uniqueids=no
>>>
>>> conn ikev2-vpn
>>>   auto=add
>>>   compress=no
>>>   type=tunnel
>>>   keyexchange=ikev2
>>>   fragmentation=yes
>>>   forceencaps=yes
>>> ike=aes256-sha1-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
>>>   esp=aes256-sha1,3des-sha1!
>>>   dpdaction=clear
>>>   dpddelay=300s
>>>   rekey=no
>>>   left=%any
>>>   leftid=@durgeeenterprises.publicvm.com
>>>   leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>>>   leftsendcert=always
>>>   leftsubnet=0.0.0.0/0
>>>   right=%any
>>>   rightid=%any
>>>   rightauth=eap-mschapv2
>>>   rightsourceip=10.10.10.0/24
>>>   rightdns=8.8.8.8,8.8.4.4
>>>   rightsendcert=never
>>>   eap_identity=%identity
>>
>> Here is the connection definition from 
>> /etc/NewtorkManager/system-connections:
>>
>>> [connection]
>>> id=Durgee Enterprises, LLC
>>> uuid=72e4370d-ecfb-4e33-8572-5cf04431abb9
>>> type=vpn
>>> autoconnect=false
>>> permissions=user:dhdurgee:;
>>>
>>> [vpn]
>>> address=durgeeenterprises.publicvm.com
>>> certificate=/home/dhdurgee/Downloads/vpn_root_certificate.pem
>>> encap=no
>>> ipcomp=no
>>> method=eap
>>> password-flags=1
>>> proposal=no
>>> user=dhdurgee
>>> virtual=yes
>>> service-type=org.freedesktop.NetworkManager.strongswan
>>>
>>> [ipv4]
>>> dns-search=
>>> method=auto
>>>
>>> [ipv6]
>>> addr-gen-mode=stable-privacy
>>> dns-search=
>>> ip6-privacy=0
>>> method=auto
>>>
>>> [proxy]
>>
>> The listed connection was created via the GUI.  I have screenshots of 
>> the four pages from the GUI available for email as they violate size 
>> restrictions of posting here..
>>
>> As the VPN connection is already working with android and windows 
>> systems I want to make no changes to the ipsec.conf on the server. 
>> All changes should be made to the linux connection.
>>
>> I can only assume there are revisions to be made, hopefully via the 
>> GUI.  Obviously if the GUI cannot address what is needed I can edit 
>> the connection directly.
>>
>> Alternatively, am I misunderstanding what I am seeing and the tunnel 
>> is actually being established?  I see only the WiFi icon on the bar 
>> at the bottom of the screen just as I do when opening the WiFi 
>> connection. With another VPN service, now discontinued, I showed a 
>> different icon indicating the secured tunnel was open.  This other 
>> discontinued service likewise created a tun interface and established 
>> a route via that interface.
>>
>> If more information is required please let me know.
>>
>> Dave
>>
>>
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4492 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210712/5fd3ebfc/attachment.bin>


More information about the Users mailing list