[strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

David H Durgee dhdurgee at verizon.net
Mon Jun 28 15:55:26 CEST 2021


Michael Schwartzkopff wrote:
> On 28.06.21 15:34, David H Durgee wrote:
>> Michael Schwartzkopff wrote:
>>> On 28.06.21 13:44, David H Durgee wrote:
>>>> I added that package and got further this time:
>>>>
>>>>> (...)
>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [
>>>>> AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] authentication of
>>>>> 'durgeeenterprises.publicvm.com' with EAP successful
>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] IKE_SA Durgee Enterprises,
>>>>> LLC[1] established between
>>>>> 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] scheduling rekeying in 35606s
>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] maximum IKE_SA lifetime 36206s
>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED
>>>>> notify, no CHILD_SA built
>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] failed to establish CHILD_SA,
>>>>> keeping IKE_SA
>>> hi,
>>>
>>>
>>> Your responder (Server) seems to have some kind of configured policy
>>> where the server waits for a configuration request from the client. But
>>> the client does not ask for the config and the server terminates the
>>> connection.
>>>
>>> Please see the logs of your server, what exactly is missing. Perhaps the
>>> server wants to hand out an IP address to the client or something else.
>>>
>>>
>>> Kind regards,
>>>
>> Looking at the log on the server I see:
>>
>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of 'dhdurgee'
>>> with EAP successful
>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of
>>> 'durgeeenterprises.publicvm.com' (myself) with EAP
>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
>>> established between
>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
>>> established between
>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] expected a virtual IP request,
>>> sending FAILED_CP_REQUIRED
>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] traffic selectors 0.0.0.0/0
>>> ::/0 === 192.168.1.114/32 inacceptable
>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] failed to establish CHILD_SA,
>>> keeping IKE_SA
>>> Jun 28 07:33:58 DG41TY charon: 10[ENC] generating IKE_AUTH response 5
>>> [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
>>> Jun 28 07:33:58 DG41TY charon: 10[NET] sending packet: from
>>> 192.168.80.11[4500] to 172.58.190.234[59726] (124 bytes)
>>> Jun 28 07:33:58 DG41TY charon: 14[NET] received packet: from
>>> 172.58.190.234[59726] to 192.168.80.11[4500] (76 bytes)
>>> Jun 28 07:33:58 DG41TY charon: 14[ENC] parsed INFORMATIONAL request 6
>>> [ D ]
>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] received DELETE for IKE_SA
>>> ikev2-vpn[61]
>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
>>> between
>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
>>> between
>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
>>> Jun 28 07:33:58 DG41TY charon: 14[ENC] generating INFORMATIONAL
>>> response 6 [ ]
>>> Jun 28 07:33:58 DG41TY charon: 14[NET] sending packet: from
>>> 192.168.80.11[4500] to 172.58.190.234[59726] (76 bytes)
>> Looking at my settings for the network connection shows IPv4 enabled
>> expecting an address to be assigned automatically via DHCP with DNS
>> and Routes set as automatic.  The checkbox for "use this connection
>> only for resources on its network" is NOT checked.  The page for IPv6
>> is also set as automatic with the checkbox NOT checked.
>>
>> On the identity page none of the options are checked.  Options are:
>>
>> "Request an inner IP address"
>> "Enforce UDP encapsulation"
>> "Use IP compression"
>>
>> All this should be defaults, as I only filled in the name, gateway,
>> certificate, authentication(EAP), username and password fields.
>>
>> Dave
>>
> I don't know about the manufacturer of your server side. But did you try
> to add leftsourceip=%config to your client (initiator) config? Also
> %config6 for IPv6 exists. See
> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
>
>
>
>
> Kind regards,
>

I am configuring this client using the strongswan plugin for network 
manager as noted in the subject line.  I have attached the created 
network connection to this post for your inspection.  I guess additional 
lines could be edited in manually if necessary, but now I am wondering 
if I am posting in the proper place.  Is it possible this is a 
network-manager problem as opposed to strongswan?

Dave
-------------- next part --------------
[connection]
id=Durgee Enterprises, LLC
uuid=79c86094-b6e0-4819-afee-e6e427cdf4c8
type=vpn
autoconnect=false
permissions=user:dhdurgee:;

[vpn]
address=durgeeenterprises.publicvm.com
certificate=/home/dhdurgee/Downloads/vpn_root_certificate.pem
encap=no
ipcomp=no
method=eap
password-flags=1
proposal=no
user=dhdurgee
virtual=no
service-type=org.freedesktop.NetworkManager.strongswan

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

[proxy]
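
An added example, not part of the original post and not strongSwan or NetworkManager code: a small Python check that relates the FAIL_CP_REQ notify in the client log above to the `virtual` key of the attached connection. It assumes `virtual` is the key behind the "Request an inner IP address" checkbox; the function names are hypothetical and the trimmed sample inputs are constructed from the lines in this thread.

```python
import configparser
import re

# Constructed sample: the attached connection file, trimmed to the relevant keys.
KEYFILE = """\
[connection]
id=Durgee Enterprises, LLC
type=vpn

[vpn]
method=eap
virtual=no
"""

# Constructed sample: client log lines from the thread, unwrapped to one line each.
CLIENT_LOG = """\
Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED notify, no CHILD_SA built
"""

NOTIFY_RE = re.compile(r"N\(([A-Z0-9_]+)\)")

def vpn_options(keyfile_text):
    """Return the [vpn] section of a NetworkManager keyfile as a dict."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key names exactly as written in the file
    cfg.read_string(keyfile_text)
    return dict(cfg["vpn"]) if cfg.has_section("vpn") else {}

def notifies(log_text):
    """Collect notify names from charon '[ENC] parsed ...' lines, in order."""
    found = []
    for line in log_text.splitlines():
        if "[ENC] parsed" in line:
            found.extend(NOTIFY_RE.findall(line))
    return found

def diagnose(keyfile_text, log_text):
    """Relate notifies in the log to the client's virtual-IP setting."""
    vpn = vpn_options(keyfile_text)
    requests_vip = vpn.get("virtual", "no") == "yes"  # assumed checkbox key
    seen = notifies(log_text)
    findings = []
    if "FAIL_CP_REQ" in seen and not requests_vip:
        findings.append("server requires a virtual IP request; client has "
                        "virtual=%s" % vpn.get("virtual", "<unset>"))
    if "TS_UNACCEPT" in seen:
        findings.append("traffic selectors rejected (TS_UNACCEPT)")
    return findings
```

Calling `diagnose(KEYFILE, CLIENT_LOG)` returns both findings for the inputs above.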