[strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Jun 28 16:08:18 CEST 2021


Set "Request an inner IP address".

On 28.06.21 at 15:55, David H Durgee wrote:
> Michael Schwartzkopff wrote:
>> On 28.06.21 15:34, David H Durgee wrote:
>>> Michael Schwartzkopff wrote:
>>>> On 28.06.21 13:44, David H Durgee wrote:
>>>>> I added that package and got further this time:
>>>>>
>>>>>> (...)
>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [
>>>>>> AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] authentication of
>>>>>> 'durgeeenterprises.publicvm.com' with EAP successful
>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] IKE_SA Durgee Enterprises,
>>>>>> LLC[1] established between
>>>>>> 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] scheduling rekeying in 35606s
>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] maximum IKE_SA lifetime 36206s
>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED
>>>>>> notify, no CHILD_SA built
>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] failed to establish CHILD_SA,
>>>>>> keeping IKE_SA
>>>> Hi,
>>>>
>>>>
>>>> Your responder (Server) seems to have some kind of configured policy
>>>> where the server waits for a configuration request from the client. But
>>>> the client does not ask for the config and the server terminates the
>>>> connection.
>>>>
>>>> Please see the logs of your server, what exactly is missing. Perhaps the
>>>> server wants to hand out an IP address to the client or something else.
>>>>
>>>>
>>>> Kind regards,
>>>>
>>> Looking at the log on the server I see:
>>>
>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of 'dhdurgee'
>>>> with EAP successful
>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of
>>>> 'durgeeenterprises.publicvm.com' (myself) with EAP
>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
>>>> established between
>>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
>>>> established between
>>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] expected a virtual IP request,
>>>> sending FAILED_CP_REQUIRED
>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] traffic selectors 0.0.0.0/0
>>>> ::/0 === 192.168.1.114/32 inacceptable
>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] failed to establish CHILD_SA,
>>>> keeping IKE_SA
>>>> Jun 28 07:33:58 DG41TY charon: 10[ENC] generating IKE_AUTH response 5
>>>> [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
>>>> Jun 28 07:33:58 DG41TY charon: 10[NET] sending packet: from
>>>> 192.168.80.11[4500] to 172.58.190.234[59726] (124 bytes)
>>>> Jun 28 07:33:58 DG41TY charon: 14[NET] received packet: from
>>>> 172.58.190.234[59726] to 192.168.80.11[4500] (76 bytes)
>>>> Jun 28 07:33:58 DG41TY charon: 14[ENC] parsed INFORMATIONAL request 6
>>>> [ D ]
>>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] received DELETE for IKE_SA
>>>> ikev2-vpn[61]
>>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
>>>> between
>>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
>>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
>>>> between
>>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
>>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
>>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
>>>> Jun 28 07:33:58 DG41TY charon: 14[ENC] generating INFORMATIONAL
>>>> response 6 [ ]
>>>> Jun 28 07:33:58 DG41TY charon: 14[NET] sending packet: from
>>>> 192.168.80.11[4500] to 172.58.190.234[59726] (76 bytes)
>>> Looking at my settings for the network connection shows IPv4 enabled
>>> expecting an address to be assigned automatically via DHCP with DNS
>>> and Routes set as automatic.  The checkbox for "use this connection
>>> only for resources on its network" is NOT checked.  The page for IPv6
>>> is also set as automatic with the checkbox NOT checked.
>>>
>>> On the identity page none of the options are checked.  Options are:
>>>
>>> "Request an inner IP address"
>>> "Enforce UDP encapsulation"
>>> "Use IP compression"
>>>
>>> All this should be defaults, as I only filled in the name, gateway,
>>> certificate, authentication(EAP), username and password fields.
>>>
>>> Dave
>>>
>> I don't know about the manufacturer of your server side, but did you try
>> to add leftsourceip=%config to your client (initiator) config? Also
>> %config6 for IPv6 exists. See
>> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
>>
>>
>>
>>
>> Kind regards,
>>
> 
> I am configuring this client using the strongswan plugin for network manager as noted in the subject line.  I have attached the created network connection to this post for your inspection.  I guess additional lines could be edited in manually if necessary, but now I am wondering if I am posting in the proper place.  Is it possible this is a network-manager problem as opposed to strongswan?
> 
> Dave
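
An added example, not part of the original thread and not strongSwan code: a small Python triage script that takes charon log lines as they appear in a quoted e-mail, undoes the quoting and line wrapping, and reports the error notifies in the IKE_AUTH response. The function names `unwrap` and `diagnose` and the hint strings are this example's own; the sample lines are copied from the client log quoted above.

```python
import re

# charon's abbreviated error notifies -> (RFC 7296 name, notify type, hint).
# Status notifies such as MOBIKE_SUP and NO_ADD_ADDR are not listed, so ignored.
NOTIFY = {
    "FAIL_CP_REQ": ("FAILED_CP_REQUIRED", 37,
                    'enable "Request an inner IP address" on the client'),
    "TS_UNACCEPT": ("TS_UNACCEPTABLE", 38,
                    "traffic selectors rejected; recheck once a virtual IP is requested"),
}
STAMP = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")

def unwrap(mail_text):
    """Strip '>' quote markers and rejoin log records wrapped by the mailer."""
    records, depth = [], None
    for raw in mail_text.splitlines():
        prefix, line = re.match(r"((?:>\s?)*)(.*)", raw).groups()
        if STAMP.match(line):
            records.append(line.strip())
            depth = prefix.count(">")
        elif line.strip() and prefix.count(">") == depth:
            records[-1] += " " + line.strip()
        else:
            depth = None  # blank line or another quote level ends the record
    return records

def diagnose(mail_text):
    """Return (ike_sa_up, child_sa_failed, [(name, type, hint), ...])."""
    up = failed = False
    errors = []
    for rec in unwrap(mail_text):
        up |= "[IKE] IKE_SA" in rec and " established between" in rec
        failed |= "failed to establish CHILD_SA" in rec
        if "[ENC] parsed IKE_AUTH response" in rec:
            for abbr in re.findall(r"N\(([A-Z0-9_]+)\)", rec):
                if abbr in NOTIFY:
                    errors.append(NOTIFY[abbr])
    return up, failed, errors

# Client log lines copied from this thread, quote markers and wrapping intact.
SAMPLE = """\
>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [
>>>>>> AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] IKE_SA Durgee Enterprises,
>>>>>> LLC[1] established between
>>>>>> 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] failed to establish CHILD_SA,
>>>>>> keeping IKE_SA
"""
```

Calling `diagnose(SAMPLE)` shows the pattern in this thread: the IKE_SA authenticates and comes up, but the CHILD_SA is refused with FAILED_CP_REQUIRED because the initiator sent no configuration payload request.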
