[strongSwan] revisiting problem with linux to VPN using network-manager-strongswan 1.4.5-2.1
David H Durgee
dhdurgee at verizon.net
Mon Jul 12 17:00:30 CEST 2021
I have done a little more looking around and would like to know if what
I am seeing from nmcli confirms proper operation of my strongswan VPN.
Here is what I see with wifi up but not the VPN:
> wlp5s0: connected to Auto Free WiFi by Karma
> "Broadcom and subsidiaries BCM4313"
> wifi (wl), AC:81:12:A4:5E:43, hw, mtu 1500
> ip4 default
> inet4 192.168.1.114/24
> route4 0.0.0.0/0
> route4 192.168.1.0/24
> route4 169.254.0.0/16
> route4 192.168.1.0/24
> inet6 fe80::562f:7604:6d84:57ca/64
> route6 fe80::/64
>
> enp6s0: disconnected
> "Realtek RTL810xE"
> 1 connection available
> ethernet (r8169), B8:70:F4:2C:6B:9F, autoconnect, hw, mtu 1500
>
> lo: unmanaged
> "lo"
> loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
>
> DNS configuration:
> servers: 192.168.1.1
> interface: wlp5s0
When I enable the VPN this changes to show:
> Durgee Enterprises, LLC VPN connection
> master wlp5s0, VPN
> inet4 10.10.10.1/32
>
> wlp5s0: connected to Auto Free WiFi by Karma
> "Broadcom and subsidiaries BCM4313"
> wifi (wl), AC:81:12:A4:5E:43, hw, mtu 1500
> ip4 default
> inet4 192.168.1.114/24
> inet4 10.10.10.1/32
> route4 0.0.0.0/0
> route4 192.168.1.0/24
> route4 169.254.0.0/16
> route4 192.168.1.0/24
> route4 0.0.0.0/0
> inet6 fe80::562f:7604:6d84:57ca/64
> route6 fe80::/64
>
> enp6s0: disconnected
> "Realtek RTL810xE"
> 1 connection available
> ethernet (r8169), B8:70:F4:2C:6B:9F, autoconnect, hw, mtu 1500
>
> lo: unmanaged
> "lo"
> loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
>
> DNS configuration:
> servers: 8.8.8.8 8.8.4.4
> interface: wlp5s0
> type: vpn
>
> servers: 192.168.1.1
> interface: wlp5s0
Does this confirm proper operation of the VPN? If not, what other
command will confirm it for me?
Assuming this does indeed indicate proper operation of the VPN I will
contact support for the applet that fails to indicate the VPN in proper
operation for them to correct their display.
Dave
> Noel Kuntze wrote: Hello David,
>
> strongSwan by default builds policy based tunnels, not route based
> tunnels.
> Thus no interface is needed or created.
> Read up on how IPsec works on the wiki to get an understanding for it.
>
> GUI indicators are not inherently related to if any tunnel exists, or
> works.
>
> Kind regards
> Noel
>
> Am 01.07.21 um 20:31 schrieb David H Durgee:
>> I thought it might make sense to revisit this after the progress that
>> has been made. It now appears that the connection is being established:
>>
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] authentication of
>>> 'durgeeenterprises.publicvm.com' with EAP successful
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] IKE_SA Durgee Enterprises,
>>> LLC[7] established between
>>> 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] scheduling rekeying in 35705s
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] maximum IKE_SA lifetime 36305s
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] installing new virtual IP
>>> 10.10.10.1
>>> Jun 29 11:21:34 Z560 avahi-daemon[750]: Registering new address
>>> record for 10.10.10.1 on wlp5s0.IPv4.
>>> Jun 29 11:21:34 Z560 charon-nm: 11[CFG] selected proposal:
>>> ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] CHILD_SA Durgee Enterprises,
>>> LLC{4} established with SPIs c8cad4e5_i c3f2eec4_o and TS
>>> 10.10.10.1/32 === 0.0.0.0/0
>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] peer supports MOBIKE
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6991]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: VPN connection: (IP Config Get) reply received.
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6997]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: VPN plugin: state changed: started (4)
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6997]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: VPN connection: (IP4 Config Get) reply received
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: VPN Gateway: 108.31.28.59
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Tunnel Device: (null)
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: IPv4 configuration:
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Internal Address: 10.10.10.1
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Internal Prefix: 32
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Internal Point-to-Point Address:
>>> 10.10.10.1
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Internal DNS: 8.8.8.8
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: Internal DNS: 8.8.4.4
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: DNS Domain: '(none)'
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: Data: No IPv6 configuration
>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7013]
>>> vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee
>>> Enterprises, LLC",0]: VPN connection: (IP Config Get) complete
>>
>> Unfortunately I am not seeing a tunnel interface being created and
>> routing added:
>>
>>> enp6s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>> ether b8:70:f4:2c:6b:9f txqueuelen 1000 (Ethernet)
>>> RX packets 1143393 bytes 1164336056 (1.1 GB)
>>> RX errors 0 dropped 20 overruns 0 frame 0
>>> TX packets 912738 bytes 112966285 (112.9 MB)
>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>
>>> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
>>> inet 127.0.0.1 netmask 255.0.0.0
>>> inet6 ::1 prefixlen 128 scopeid 0x10<host>
>>> loop txqueuelen 1000 (Local Loopback)
>>> RX packets 95404 bytes 9207887 (9.2 MB)
>>> RX errors 0 dropped 0 overruns 0 frame 0
>>> TX packets 95404 bytes 9207887 (9.2 MB)
>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>
>>> wlp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>> inet 192.168.1.114 netmask 255.255.255.0 broadcast
>>> 192.168.1.255
>>> inet6 fe80::562f:7604:6d84:57ca prefixlen 64 scopeid
>>> 0x20<link>
>>> ether ac:81:12:a4:5e:43 txqueuelen 1000 (Ethernet)
>>> RX packets 5644 bytes 4264877 (4.2 MB)
>>> RX errors 0 dropped 0 overruns 0 frame 62520
>>> TX packets 6377 bytes 1007195 (1.0 MB)
>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>> device interrupt 17
>>>
>>> dhdurgee at z560:~/Downloads$ route
>>> Kernel IP routing table
>>> Destination Gateway Genmask Flags Metric Ref Use
>>> Iface
>>> default _gateway 0.0.0.0 UG 20600 0
>>> 0 wlp5s0
>>> link-local 0.0.0.0 255.255.0.0 U 1000 0
>>> 0 wlp5s0
>>> 192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0
>>> wlp5s0
>>> dhdurgee at z560:~/Downloads$
>>
>> In case it is needed for reference, here is the ipsec.conf on the
>> server side:
>>
>>> config setup
>>> charondebug="ike 1, knl 1, cfg 1"
>>> uniqueids=no
>>>
>>> conn ikev2-vpn
>>> auto=add
>>> compress=no
>>> type=tunnel
>>> keyexchange=ikev2
>>> fragmentation=yes
>>> forceencaps=yes
>>> ike=aes256-sha1-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
>>> esp=aes256-sha1,3des-sha1!
>>> dpdaction=clear
>>> dpddelay=300s
>>> rekey=no
>>> left=%any
>>> leftid=@durgeeenterprises.publicvm.com
>>> leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>>> leftsendcert=always
>>> leftsubnet=0.0.0.0/0
>>> right=%any
>>> rightid=%any
>>> rightauth=eap-mschapv2
>>> rightsourceip=10.10.10.0/24
>>> rightdns=8.8.8.8,8.8.4.4
>>> rightsendcert=never
>>> eap_identity=%identity
>>
>> Here is the connection definition from
>> /etc/NewtorkManager/system-connections:
>>
>>> [connection]
>>> id=Durgee Enterprises, LLC
>>> uuid=72e4370d-ecfb-4e33-8572-5cf04431abb9
>>> type=vpn
>>> autoconnect=false
>>> permissions=user:dhdurgee:;
>>>
>>> [vpn]
>>> address=durgeeenterprises.publicvm.com
>>> certificate=/home/dhdurgee/Downloads/vpn_root_certificate.pem
>>> encap=no
>>> ipcomp=no
>>> method=eap
>>> password-flags=1
>>> proposal=no
>>> user=dhdurgee
>>> virtual=yes
>>> service-type=org.freedesktop.NetworkManager.strongswan
>>>
>>> [ipv4]
>>> dns-search=
>>> method=auto
>>>
>>> [ipv6]
>>> addr-gen-mode=stable-privacy
>>> dns-search=
>>> ip6-privacy=0
>>> method=auto
>>>
>>> [proxy]
>>
>> The listed connection was created via the GUI. I have screenshots of
>> the four pages from the GUI available for email as they violate size
>> restrictions of posting here..
>>
>> As the VPN connection is already working with android and windows
>> systems I want to make no changes to the ipsec.conf on the server.
>> All changes should be made to the linux connection.
>>
>> I can only assume there are revisions to be made, hopefully via the
>> GUI. Obviously if the GUI cannot address what is needed I can edit
>> the connection directly.
>>
>> Alternatively, am I misunderstanding what I am seeing and the tunnel
>> is actually being established? I see only the WiFi icon on the bar
>> at the bottom of the screen just as I do when opening the WiFi
>> connection. With another VPN service, now discontinued, I showed a
>> different icon indicating the secured tunnel was open. This other
>> discontinued service likewise created a tun interface and established
>> a route via that interface.
>>
>> If more information is required please let me know.
>>
>> Dave
>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4492 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210712/5fd3ebfc/attachment.bin>
More information about the Users
mailing list