[strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

David H Durgee dhdurgee at verizon.net
Mon Jun 28 21:43:57 CEST 2021


Checking the "Request an inner IP address" box did get me further:

> Jun 28 14:50:07 Z560 charon-nm: 15[IKE] installing new virtual IP 
> 10.10.10.2
> Jun 28 14:50:07 Z560 charon-nm: 15[CFG] selected proposal: 
> ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
> Jun 28 14:50:07 Z560 charon-nm: 15[IKE] CHILD_SA Durgee Enterprises, 
> LLC{2} established with SPIs c52f6709_i ce1425eb_o and TS 
> 10.10.10.2/32 === 0.0.0.0/0
> Jun 28 14:50:07 Z560 charon-nm: 15[IKE] peer supports MOBIKE
> Jun 28 14:53:34 Z560 charon-nm: 01[IKE] deleting IKE_SA Durgee 
> Enterprises, LLC[2] between 
> 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
> Jun 28 14:53:34 Z560 charon-nm: 01[IKE] sending DELETE for IKE_SA 
> Durgee Enterprises, LLC[2]
> Jun 28 14:53:34 Z560 charon-nm: 01[ENC] generating INFORMATIONAL 
> request 6 [ D ]
> Jun 28 14:53:34 Z560 charon-nm: 01[NET] sending packet: from 
> 192.168.1.114[47031] to 108.31.28.59[4500] (76 bytes)
> Jun 28 14:53:34 Z560 charon-nm: 13[NET] received packet: from 
> 108.31.28.59[4500] to 192.168.1.114[47031] (76 bytes)
> Jun 28 14:53:34 Z560 charon-nm: 13[ENC] parsed INFORMATIONAL response 
> 6 [ ]
> Jun 28 14:53:34 Z560 charon-nm: 13[IKE] IKE_SA deleted

This however appears to be only part of the solution.  I see no tun 
interface created and routing continued to be via the WiFi connection.  
I have attached my current configuration file for the connection from 
/etc/NetworkManager/system-connections as generated via the GUI.  
Hopefully someone can tell me what else I need to change via the GUI.

Thanks in advance.

Dave

> Noel Kuntze wrote:  Set "Request an inner IP address".
>
> Am 28.06.21 um 15:55 schrieb David H Durgee:
>> Michael Schwartzkopff wrote:
>>> On 28.06.21 15:34, David H Durgee wrote:
>>>> Michael Schwartzkopff wrote:
>>>>> On 28.06.21 13:44, David H Durgee wrote:
>>>>>> I added that package and got further this time:
>>>>>>
>>>>>>> (...)
>>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 
>>>>>>> 5 [
>>>>>>> AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
>>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] authentication of
>>>>>>> 'durgeeenterprises.publicvm.com' with EAP successful
>>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] IKE_SA Durgee Enterprises,
>>>>>>> LLC[1] established between
>>>>>>> 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com] 
>>>>>>>
>>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] scheduling rekeying in 
>>>>>>> 35606s
>>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] maximum IKE_SA lifetime 
>>>>>>> 36206s
>>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED
>>>>>>> notify, no CHILD_SA built
>>>>>>> Jun 28 07:33:58 Z560 charon-nm: 06[IKE] failed to establish 
>>>>>>> CHILD_SA,
>>>>>>> keeping IKE_SA
>>>>> hi,
>>>>>
>>>>>
>>>>> Your responder (Server) seems to have some kind of configured policy
>>>>> where the server waits for a configuration request from the 
>>>>> client. But
>>>>> the client does not ask for the config and the server terminates the
>>>>> connection.
>>>>>
>>>>> Please see the logs of you server, what exactly is missing. 
>>>>> Perhaps the
>>>>> server wants to hand out an IP address to the client or something 
>>>>> else.
>>>>>
>>>>>
>>>>> Kind regards,
>>>>>
>>>> Looking at the log on the server I see:
>>>>
>>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of 'dhdurgee'
>>>>> with EAP successful
>>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of
>>>>> 'durgeeenterprises.publicvm.com' (myself) with EAP
>>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
>>>>> established between
>>>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 
>>>>>
>>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
>>>>> established between
>>>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 
>>>>>
>>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] expected a virtual IP request,
>>>>> sending FAILED_CP_REQUIRED
>>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] traffic selectors 0.0.0.0/0
>>>>> ::/0 === 192.168.1.114/32 inacceptable
>>>>> Jun 28 07:33:58 DG41TY charon: 10[IKE] failed to establish CHILD_SA,
>>>>> keeping IKE_SA
>>>>> Jun 28 07:33:58 DG41TY charon: 10[ENC] generating IKE_AUTH response 5
>>>>> [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
>>>>> Jun 28 07:33:58 DG41TY charon: 10[NET] sending packet: from
>>>>> 192.168.80.11[4500] to 172.58.190.234[59726] (124 bytes)
>>>>> Jun 28 07:33:58 DG41TY charon: 14[NET] received packet: from
>>>>> 172.58.190.234[59726] to 192.168.80.11[4500] (76 bytes)
>>>>> Jun 28 07:33:58 DG41TY charon: 14[ENC] parsed INFORMATIONAL request 6
>>>>> [ D ]
>>>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] received DELETE for IKE_SA
>>>>> ikev2-vpn[61]
>>>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
>>>>> between
>>>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 
>>>>>
>>>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
>>>>> between
>>>>> 192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 
>>>>>
>>>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
>>>>> Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
>>>>> Jun 28 07:33:58 DG41TY charon: 14[ENC] generating INFORMATIONAL
>>>>> response 6 [ ]
>>>>> Jun 28 07:33:58 DG41TY charon: 14[NET] sending packet: from
>>>>> 192.168.80.11[4500] to 172.58.190.234[59726] (76 bytes)
>>>> Looking at my settings for the network connection shows IPv4 enabled
>>>> expecting an address to be assigned automatically via DHCP with DNS
>>>> and Routes set as automatic.  The checkbox for "use this connection
>>>> only for resources on its network" is NOT checked.  The page for IPv6
>>>> is also set as automatic with the checkbox NOT checked.
>>>>
>>>> On the identity page none of the options are checked. Options are:
>>>>
>>>> "Request an inner IP address"
>>>> "Enforce UDP encapsulation"
>>>> "Use IP compression"
>>>>
>>>> All this should be defaults, as I only filled in the name, gateway,
>>>> certificate, authentication(EAP), username and password fields.
>>>>
>>>> Dave
>>>>
>>> I don't know about the manufacturer of your server side, but did you 
>>> try
>>> to add leftsourceip=%config to your client (initiator) config? Also
>>> %config6 for IPv6 exists. See
>>> https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
>>>
>>>
>>>
>>>
>>> Kind regards,
>>>
>>
>> I am configuring this client using the strongswan plugin for network 
>> manager as noted in the subject line.  I have attached the created 
>> network connection to this post for your inspection.  I guess 
>> additional lines could be edited in manually if necessary, but now I 
>> am wondering if I am posting in the proper place.  Is it possible 
>> this is a network-manager problem as opposed to strongswan?
>>
>> Dave
>

-------------- next part --------------
[connection]
id=Durgee Enterprises, LLC
uuid=72e4370d-ecfb-4e33-8572-5cf04431abb9
type=vpn
autoconnect=false
permissions=user:dhdurgee:;

[vpn]
address=durgeeenterprises.publicvm.com
certificate=/home/dhdurgee/Downloads/vpn_root_certificate.pem
encap=no
ipcomp=no
method=eap
password-flags=1
proposal=no
user=dhdurgee
virtual=yes
service-type=org.freedesktop.NetworkManager.strongswan

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

[proxy]
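As an added example (not from the thread and not strongSwan's own tooling), a small Python triage of the charon log lines quoted above: it flags the FAILED_CP_REQUIRED notify that corresponds to the unchecked "Request an inner IP address" option (virtual=yes in the keyfile), and once a CHILD_SA with TS 0.0.0.0/0 is up it points at the kernel XFRM policies and routes, since strongSwan protects traffic with kernel IPsec policies rather than a tun device. The samples are the thread's own log lines re-joined onto single lines; the diagnosis strings are my own wording.

```python
import re
# Constructed samples: charon log lines quoted in the thread, re-joined onto single lines.
CLIENT_BEFORE = """\
Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] IKE_SA Durgee Enterprises, LLC[1] established between 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED notify, no CHILD_SA built
"""
CLIENT_AFTER = """\
Jun 28 14:50:07 Z560 charon-nm: 15[IKE] installing new virtual IP 10.10.10.2
Jun 28 14:50:07 Z560 charon-nm: 15[IKE] CHILD_SA Durgee Enterprises, LLC{2} established with SPIs c52f6709_i ce1425eb_o and TS 10.10.10.2/32 === 0.0.0.0/0
"""
SERVER_BEFORE = """\
Jun 28 07:33:58 DG41TY charon: 10[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
"""

# One regex per negotiation event; wording covers both charon-nm (client) and charon (server).
PATTERNS = {
    "ike_sa": re.compile(r"\[IKE\] IKE_SA .+ established between"),
    "child_sa": re.compile(r"\[IKE\] CHILD_SA .+ established with SPIs \S+ \S+ and TS (\S+) === (\S+)"),
    "virtual_ip": re.compile(r"\[IKE\] installing new virtual IP (\S+)"),
    "cp_required": re.compile(r"FAILED_CP_REQUIRED|N\(FAIL_CP_REQ\)"),
}

def triage(log):
    """Scan charon/charon-nm lines and record how far the IKEv2 negotiation got."""
    r = {"ike_sa": False, "child_sa": False, "virtual_ip": None, "ts": None, "cp_required": False}
    for line in log.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if key == "child_sa":
                r["ts"] = (m.group(1), m.group(2))  # local === remote traffic selectors
            if key == "virtual_ip":
                r[key] = m.group(1)
            else:
                r[key] = True
    return r

def diagnose(r):
    """Map the triage result to the next thing to check on the configuration."""
    if not (r["ike_sa"] or r["child_sa"]):  # a CHILD_SA implies the IKE_SA came up earlier
        return "IKE_SA not established: check certificate, identity and EAP credentials"
    if r["cp_required"]:
        return "responder expects a virtual IP request: enable 'Request an inner IP address' (virtual=yes)"
    if not r["child_sa"]:
        return "CHILD_SA missing: compare ESP proposals and traffic selectors on both sides"
    if r["ts"][1] in ("0.0.0.0/0", "::/0"):
        return "tunnel up with full-tunnel TS: verify kernel XFRM policies and routes, not a tun device"
    return "tunnel up with split traffic selectors"
```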