[strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

Charles Fadipe cf445 at cam.ac.uk
Mon Jun 28 16:10:03 CEST 2021


According to:

Ubuntu 18.04 VPN Connection fails · Issue #32421 · MicrosoftDocs/azure-docs · GitHub<https://github.com/MicrosoftDocs/azure-docs/issues/32421>


there may be additional plugins required to get eap working with strongswan

The very last post suggests


libcharon-extra-plugins libcharon-standard-plugins libstrongswan-standard-plugins libstrongswan-extra-plugins


Kind Regards


Charles Fadipe

Junior Penetration and Security Tester
University Information Services

University of Cambridge


________________________________
From: Users <users-bounces at lists.strongswan.org> on behalf of David H Durgee <dhdurgee at verizon.net>
Sent: Sunday, June 27, 2021 10:42 pm
To: users at lists.strongswan.org
Subject: [strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

I am encountering a problem attempting to access a VPN using strongswan
from my linux laptop.  I have it working from an android phone and
tablet as well as a windows laptop, so I know the server is configured
properly.

The connection appears to start normally and then fails at the EAP
stage.  Log on the linux laptop shows:

> Jun 27 17:05:15 Z560 charon-nm: 06[IKE] authentication of
> 'durgeeenterprises.publicvm.com' with RSA_EMSA_PKCS1_SHA2_384 successful
> Jun 27 17:05:15 Z560 charon-nm: 06[IKE] server requested EAP_IDENTITY
> (id 0x00), sending 'dhdurgee'
> Jun 27 17:05:15 Z560 charon-nm: 06[IKE] EAP_IDENTITY not supported,
> sending EAP_NAK
> Jun 27 17:05:15 Z560 charon-nm: 06[ENC] generating IKE_AUTH request 2
> [ EAP/RES/NAK ]
> Jun 27 17:05:15 Z560 charon-nm: 06[NET] sending packet: from
> 192.168.1.114[60298] to 108.31.28.59[4500] (76 bytes)
> Jun 27 17:05:15 Z560 charon-nm: 09[NET] received packet: from
> 108.31.28.59[4500] to 192.168.1.114[60298] (76 bytes)
> Jun 27 17:05:15 Z560 charon-nm: 09[ENC] parsed IKE_AUTH response 2 [
> EAP/FAIL ]
> Jun 27 17:05:15 Z560 charon-nm: 09[IKE] received EAP_FAILURE, EAP
> authentication failed
> Jun 27 17:05:15 Z560 charon-nm: 09[ENC] generating INFORMATIONAL
> request 3 [ N(AUTH_FAILED) ]
> Jun 27 17:05:15 Z560 charon-nm: 09[NET] sending packet: from
> 192.168.1.114[60298] to 108.31.28.59[4500] (76 bytes)

While on the server end I see:

> Jun 27 17:05:15 DG41TY charon: 06[CFG] looking for peer configs
> matching 192.168.80.11[%any]...172.58.187.218[dhdurgee]
> Jun 27 17:05:15 DG41TY charon: 06[CFG] selected peer config 'ikev2-vpn'
> Jun 27 17:05:15 DG41TY charon: 06[IKE] initiating EAP_IDENTITY method
> (id 0x00)
> Jun 27 17:05:15 DG41TY charon: 06[IKE] peer supports MOBIKE
> Jun 27 17:05:15 DG41TY charon: 06[IKE] authentication of
> 'durgeeenterprises.publicvm.com' (myself) with RSA_EMSA_PKCS1_SHA384
> successful
> Jun 27 17:05:15 DG41TY charon: 06[IKE] sending end entity cert "C=US,
> O=Durgee Enterprises LLC, CN=durgeeenterprises.publicvm.com"
> Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> [ IDr CERT AUTH EAP/REQ/ID ]
> Jun 27 17:05:15 DG41TY charon: 06[ENC] splitting IKE message with
> length of 2092 bytes into 5 fragments
> Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> [ EF(1/5) ]
> Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> [ EF(2/5) ]
> Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> [ EF(3/5) ]
> Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> [ EF(4/5) ]
> Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1
> [ EF(5/5) ]
> Jun 27 17:05:15 DG41TY charon: 06[NET] sending packet: from
> 192.168.80.11[4500] to 172.58.187.218[54591] (544 bytes)
> Jun 27 17:05:15 DG41TY charon: message repeated 3 times: [ 06[NET]
> sending packet: from 192.168.80.11[4500] to 172.58.187.218[54591] (544
> bytes)]
> Jun 27 17:05:15 DG41TY charon: 06[NET] sending packet: from
> 192.168.80.11[4500] to 172.58.187.218[54591] (176 bytes)
> Jun 27 17:05:15 DG41TY charon: 05[NET] received packet: from
> 172.58.187.218[54591] to 192.168.80.11[4500] (76 bytes)
> Jun 27 17:05:15 DG41TY charon: 05[ENC] parsed IKE_AUTH request 2 [
> EAP/RES/NAK ]
> Jun 27 17:05:15 DG41TY charon: 05[IKE] received EAP_NAK, sending
> EAP_FAILURE
> Jun 27 17:05:15 DG41TY charon: 05[ENC] generating IKE_AUTH response 2
> [ EAP/FAIL ]
> Jun 27 17:05:15 DG41TY charon: 05[NET] sending packet: from
> 192.168.80.11[4500] to 172.58.187.218[54591] (76 bytes)

What am I doing wrong here?  I assume I have an error in the linux
client configuration, since android and windows clients work with the
server.  What did I miss?

Dave

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210628/4cee2a32/attachment-0001.html>


More information about the Users mailing list