[strongSwan] revisiting problem with linux to VPN using network-manager-strongswan 1.4.5-2.1
Noel Kuntze
noel.kuntze at thermi.consulting
Thu Jul 29 14:07:12 CEST 2021
Hello David,
Yes, that shows that it is working.
Kind regards
Noel
On 28.07.21 at 22:31, David H Durgee wrote:
> I did a bit more checking and found references to "ip xfrm policy list" and "ip xfrm state list" as possible sources of the confirmation of operation I am seeking. I ran these commands with the VPN up and have attached the output of these commands.
>
> I am not trained in reading these reports, but what I see does appear to indicate that the VPN is indeed functioning and handling the traffic as requested. If someone who is trained could confirm this for me I would appreciate it.
>
> Dave
>
>> Noel Kuntze wrote:
>> Hello David,
>>
>> strongSwan by default builds policy based tunnels, not route based tunnels.
>> Thus no interface is needed or created.
>> Read up on how IPsec works on the wiki to get an understanding for it.
>>
>> GUI indicators are not inherently related to if any tunnel exists, or works.
>>
>> Kind regards
>> Noel
>>
>> On 01.07.21 at 20:31, David H Durgee wrote:
>>> I thought it might make sense to revisit this after the progress that has been made. It now appears that the connection is being established:
>>>
>>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] authentication of 'durgeeenterprises.publicvm.com' with EAP successful
>>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] IKE_SA Durgee Enterprises, LLC[7] established between 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
>>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] scheduling rekeying in 35705s
>>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] maximum IKE_SA lifetime 36305s
>>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] installing new virtual IP 10.10.10.1
>>>> Jun 29 11:21:34 Z560 avahi-daemon[750]: Registering new address record for 10.10.10.1 on wlp5s0.IPv4.
>>>> Jun 29 11:21:34 Z560 charon-nm: 11[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
>>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] CHILD_SA Durgee Enterprises, LLC{4} established with SPIs c8cad4e5_i c3f2eec4_o and TS 10.10.10.1/32 === 0.0.0.0/0
>>>> Jun 29 11:21:34 Z560 charon-nm: 11[IKE] peer supports MOBIKE
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6991] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: VPN connection: (IP Config Get) reply received.
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6997] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: VPN plugin: state changed: started (4)
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.6997] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: VPN connection: (IP4 Config Get) reply received
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: VPN Gateway: 108.31.28.59
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: Tunnel Device: (null)
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: IPv4 configuration:
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7003] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: Internal Address: 10.10.10.1
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: Internal Prefix: 32
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: Internal Point-to-Point Address: 10.10.10.1
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: Internal DNS: 8.8.8.8
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: Internal DNS: 8.8.4.4
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: DNS Domain: '(none)'
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7004] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: Data: No IPv6 configuration
>>>> Jun 29 11:21:34 Z560 NetworkManager[758]: <info> [1624980094.7013] vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee Enterprises, LLC",0]: VPN connection: (IP Config Get) complete
>>>
>>> Unfortunately I am not seeing a tunnel interface being created and routing added:
>>>
>>>> enp6s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>> ether b8:70:f4:2c:6b:9f txqueuelen 1000 (Ethernet)
>>>> RX packets 1143393 bytes 1164336056 (1.1 GB)
>>>> RX errors 0 dropped 20 overruns 0 frame 0
>>>> TX packets 912738 bytes 112966285 (112.9 MB)
>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>
>>>> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
>>>> inet 127.0.0.1 netmask 255.0.0.0
>>>> inet6 ::1 prefixlen 128 scopeid 0x10<host>
>>>> loop txqueuelen 1000 (Local Loopback)
>>>> RX packets 95404 bytes 9207887 (9.2 MB)
>>>> RX errors 0 dropped 0 overruns 0 frame 0
>>>> TX packets 95404 bytes 9207887 (9.2 MB)
>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>>
>>>> wlp5s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>> inet 192.168.1.114 netmask 255.255.255.0 broadcast 192.168.1.255
>>>> inet6 fe80::562f:7604:6d84:57ca prefixlen 64 scopeid 0x20<link>
>>>> ether ac:81:12:a4:5e:43 txqueuelen 1000 (Ethernet)
>>>> RX packets 5644 bytes 4264877 (4.2 MB)
>>>> RX errors 0 dropped 0 overruns 0 frame 62520
>>>> TX packets 6377 bytes 1007195 (1.0 MB)
>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>>>> device interrupt 17
>>>>
>>>> dhdurgee at z560:~/Downloads$ route
>>>> Kernel IP routing table
>>>> Destination Gateway Genmask Flags Metric Ref Use Iface
>>>> default _gateway 0.0.0.0 UG 20600 0 0 wlp5s0
>>>> link-local 0.0.0.0 255.255.0.0 U 1000 0 0 wlp5s0
>>>> 192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp5s0
>>>> dhdurgee at z560:~/Downloads$
>>>
>>> In case it is needed for reference, here is the ipsec.conf on the server side:
>>>
>>>> config setup
>>>>     charondebug="ike 1, knl 1, cfg 1"
>>>>     uniqueids=no
>>>>
>>>> conn ikev2-vpn
>>>>     auto=add
>>>>     compress=no
>>>>     type=tunnel
>>>>     keyexchange=ikev2
>>>>     fragmentation=yes
>>>>     forceencaps=yes
>>>>     ike=aes256-sha1-modp2048,aes256-sha1-modp1024,3des-sha1-modp1024!
>>>>     esp=aes256-sha1,3des-sha1!
>>>>     dpdaction=clear
>>>>     dpddelay=300s
>>>>     rekey=no
>>>>     left=%any
>>>>     leftid=@durgeeenterprises.publicvm.com
>>>>     leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>>>>     leftsendcert=always
>>>>     leftsubnet=0.0.0.0/0
>>>>     right=%any
>>>>     rightid=%any
>>>>     rightauth=eap-mschapv2
>>>>     rightsourceip=10.10.10.0/24
>>>>     rightdns=8.8.8.8,8.8.4.4
>>>>     rightsendcert=never
>>>>     eap_identity=%identity
>>>
>>> Here is the connection definition from /etc/NetworkManager/system-connections:
>>>
>>>> [connection]
>>>> id=Durgee Enterprises, LLC
>>>> uuid=72e4370d-ecfb-4e33-8572-5cf04431abb9
>>>> type=vpn
>>>> autoconnect=false
>>>> permissions=user:dhdurgee:;
>>>>
>>>> [vpn]
>>>> address=durgeeenterprises.publicvm.com
>>>> certificate=/home/dhdurgee/Downloads/vpn_root_certificate.pem
>>>> encap=no
>>>> ipcomp=no
>>>> method=eap
>>>> password-flags=1
>>>> proposal=no
>>>> user=dhdurgee
>>>> virtual=yes
>>>> service-type=org.freedesktop.NetworkManager.strongswan
>>>>
>>>> [ipv4]
>>>> dns-search=
>>>> method=auto
>>>>
>>>> [ipv6]
>>>> addr-gen-mode=stable-privacy
>>>> dns-search=
>>>> ip6-privacy=0
>>>> method=auto
>>>>
>>>> [proxy]
>>>
>>> The listed connection was created via the GUI. I have screenshots of the four pages from the GUI available for email, as they violate the size restrictions for posting here.
>>>
>>> As the VPN connection is already working with android and windows systems I want to make no changes to the ipsec.conf on the server. All changes should be made to the linux connection.
>>>
>>> I can only assume there are revisions to be made, hopefully via the GUI. Obviously if the GUI cannot address what is needed I can edit the connection directly.
>>>
>>> Alternatively, am I misunderstanding what I am seeing and the tunnel is actually being established? I see only the WiFi icon on the bar at the bottom of the screen just as I do when opening the WiFi connection. With another VPN service, now discontinued, I showed a different icon indicating the secured tunnel was open. This other discontinued service likewise created a tun interface and established a route via that interface.
>>>
>>> If more information is required please let me know.
>>>
>>> Dave
>>>
>>>
>>
>
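The `ip xfrm policy` / `ip xfrm state` check discussed above, scripted as an added example (this is not code from the thread or from strongSwan). A policy-based tunnel leaves no interface and no route behind, so the kernel's XFRM policy and state tables are the place to confirm it: for the CHILD_SA in the quoted log there should be `out`/`in` (and `fwd`) policies whose selector is 10.10.10.1/32 === 0.0.0.0/0 with an ESP tunnel-mode template, and two ESP SAs between the client and the gateway carrying SPIs c8cad4e5 (inbound, destination is the client) and c3f2eec4 (outbound). The addresses, traffic selector and SPIs come from the quoted log; the sample `ip xfrm` output embedded below is constructed for this example and its SA keys are all-zero dummies.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: confirm that a
# policy-based IPsec tunnel is installed in the kernel by parsing the output
# of `ip xfrm policy` and `ip xfrm state`. Addresses, traffic selector and
# SPIs are taken from the CHILD_SA line in the quoted log; the sample output
# below is constructed for this example and the SA keys are dummies.

LOCAL_IP=192.168.1.114
PEER_IP=108.31.28.59
VIRTUAL_IP=10.10.10.1
SPI_IN=c8cad4e5    # "_i": SPI on ESP packets arriving at the client
SPI_OUT=c3f2eec4   # "_o": SPI on ESP packets the client sends

# Constructed `ip xfrm policy` output for TS 10.10.10.1/32 === 0.0.0.0/0
# (one policy per direction; strongSwan installs out, fwd and in).
SAMPLE_POLICY='src 10.10.10.1/32 dst 0.0.0.0/0
        dir out priority 375423 ptype main
        tmpl src 192.168.1.114 dst 108.31.28.59
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.10.10.1/32
        dir fwd priority 375423 ptype main
        tmpl src 108.31.28.59 dst 192.168.1.114
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.10.10.1/32
        dir in priority 375423 ptype main
        tmpl src 108.31.28.59 dst 192.168.1.114
                proto esp reqid 1 mode tunnel'

# Constructed `ip xfrm state` output: one ESP SA per direction, matching the
# negotiated ESP:AES_CBC_256/HMAC_SHA1_96. Keys are all-zero placeholders.
SAMPLE_STATE='src 192.168.1.114 dst 108.31.28.59
        proto esp spi 0xc3f2eec4 reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
        enc cbc(aes) 0x0000000000000000000000000000000000000000000000000000000000000000
src 108.31.28.59 dst 192.168.1.114
        proto esp spi 0xc8cad4e5 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
        enc cbc(aes) 0x0000000000000000000000000000000000000000000000000000000000000000'

# policy_has DIR SRC DST TEXT: succeed if TEXT contains a policy with that
# direction and selector whose template is ESP in tunnel mode.
policy_has() {
    printf '%s\n' "$4" | awk -v dir="$1" -v src="$2" -v dst="$3" '
        $1 == "src" { cur_src = $2; cur_dst = $4; cur_dir = ""; next }
        $1 == "dir" { cur_dir = $2; next }
        $1 == "proto" && $2 == "esp" && $5 == "mode" && $6 == "tunnel" {
            if (cur_src == src && cur_dst == dst && cur_dir == dir) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# state_has SRC DST SPI TEXT: succeed if TEXT contains an ESP tunnel-mode SA
# from SRC to DST carrying SPI (hex without the 0x prefix, as charon logs it).
state_has() {
    printf '%s\n' "$4" | awk -v src="$1" -v dst="$2" -v spi="$3" '
        $1 == "src" { cur_src = $2; cur_dst = $4; next }
        $1 == "proto" && $2 == "esp" && $3 == "spi" && $4 == ("0x" spi) && $7 == "mode" && $8 == "tunnel" {
            if (cur_src == src && cur_dst == dst) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# tunnel_installed POLICY_TEXT STATE_TEXT: traffic is only protected if both
# the out and in policies for the virtual IP and both ESP SAs are present.
tunnel_installed() {
    policy_has out "$VIRTUAL_IP/32" 0.0.0.0/0 "$1" &&
    policy_has in 0.0.0.0/0 "$VIRTUAL_IP/32" "$1" &&
    state_has "$LOCAL_IP" "$PEER_IP" "$SPI_OUT" "$2" &&
    state_has "$PEER_IP" "$LOCAL_IP" "$SPI_IN" "$2"
}

# Check the live kernel with "./xfrm-check.sh live" (run as root). The real
# `ip xfrm state` output contains the SA keys, so never post it publicly.
if [ "${1:-}" = "live" ]; then
    if tunnel_installed "$(ip xfrm policy)" "$(ip xfrm state)"; then
        echo "IPsec tunnel for $VIRTUAL_IP is installed"
    else
        echo "IPsec tunnel for $VIRTUAL_IP is NOT installed" >&2
        exit 1
    fi
fi
```

Without an argument the script only defines the checks and the constructed samples; with `live` it reads the real tables. The SPIs and the virtual IP change on every connection (and on every CHILD_SA rekey), so for a live check take them from the current `CHILD_SA ... established with SPIs` log line rather than from this example.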