Re: [strongSwan] revisiting problem with linux to VPN using network-manager-strongswan 1.4.5-2.1

2021-07-28 Thread David H Durgee
I did a bit more checking and found references to "ip xfrm policy list" 
and "ip xfrm state list" as possible sources of the confirmation of 
operation I am seeking.  I ran these commands with the VPN up and have 
attached the output of these commands.


I am not trained in reading these reports, but what I see does appear to 
indicate that the VPN is indeed functioning and handling the traffic as 
requested.  If someone who is trained could confirm this for me I would 
appreciate it.


Dave


Noel Kuntze wrote:  Hello David,

strongSwan by default builds policy based tunnels, not route based 
tunnels.

Thus no interface is needed or created.
Read up on how IPsec works on the wiki to get an understanding for it.

GUI indicators are not inherently related to if any tunnel exists, or 
works.


Kind regards
Noel

On 01.07.21 at 20:31, David H Durgee wrote:
I thought it might make sense to revisit this after the progress that 
has been made. It now appears that the connection is being established:


Jun 29 11:21:34 Z560 charon-nm: 11[IKE] authentication of 
'durgeeenterprises.publicvm.com' with EAP successful
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] IKE_SA Durgee Enterprises, 
LLC[7] established between 
192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]

Jun 29 11:21:34 Z560 charon-nm: 11[IKE] scheduling rekeying in 35705s
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] maximum IKE_SA lifetime 36305s
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] installing new virtual IP 
10.10.10.1
Jun 29 11:21:34 Z560 avahi-daemon[750]: Registering new address 
record for 10.10.10.1 on wlp5s0.IPv4.
Jun 29 11:21:34 Z560 charon-nm: 11[CFG] selected proposal: 
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] CHILD_SA Durgee Enterprises, 
LLC{4} established with SPIs c8cad4e5_i c3f2eec4_o and TS 
10.10.10.1/32 === 0.0.0.0/0

Jun 29 11:21:34 Z560 charon-nm: 11[IKE] peer supports MOBIKE
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.6991] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: VPN connection: (IP Config Get) reply received.
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.6997] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: VPN plugin: state changed: started (4)
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.6997] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: VPN connection: (IP4 Config Get) reply received
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7003] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data: VPN Gateway: 108.31.28.59
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7003] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data: Tunnel Device: (null)
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7003] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data: IPv4 configuration:
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7003] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   Internal Address: 10.10.10.1
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   Internal Prefix: 32
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   Internal Point-to-Point Address: 
10.10.10.1
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   Internal DNS: 8.8.8.8
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   Internal DNS: 8.8.4.4
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   DNS Domain: '(none)'
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data: No IPv6 configuration
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7013] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: VPN connection: (IP Config Get) complete


Unfortunately I am not seeing a tunnel interface being created and 
routing added:



enp6s0: flags=4163  mtu 1500
    ether b8:70:f4:2c:6b:9f  txqueuelen 1000  
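The cross-check Dave is after, as an added example that is not from the thread, strongSwan or NetworkManager: a script that parses `ip xfrm state` and `ip xfrm policy` output and confirms that the SPIs and traffic selectors charon-nm logged in the CHILD_SA line are what the kernel is actually enforcing. The two `ip xfrm` samples are constructed in iproute2's layout; the endpoints, SPIs and selectors in them are the ones from the thread.

```python
"""Cross-check kernel XFRM state and policy against what charon-nm logged.
Added example for this thread, not strongSwan or NetworkManager code; the
sample `ip xfrm` outputs below are constructed to follow iproute2's layout."""
import re

# Endpoints and the CHILD_SA line exactly as charon-nm logged them in the thread.
LOCAL, GATEWAY = "192.168.1.114", "108.31.28.59"
CHILD_SA_LINE = ("charon-nm: 11[IKE] CHILD_SA Durgee Enterprises, LLC{4} established "
                 "with SPIs c8cad4e5_i c3f2eec4_o and TS 10.10.10.1/32 === 0.0.0.0/0")

# Constructed `ip xfrm state` output: one ESP SA per direction (keys redacted).
SAMPLE_STATE = """\
src 192.168.1.114 dst 108.31.28.59
\tproto esp spi 0xc3f2eec4 reqid 1 mode tunnel
\tauth-trunc hmac(sha1) 0xREDACTED 96
\tenc cbc(aes) 0xREDACTED
src 108.31.28.59 dst 192.168.1.114
\tproto esp spi 0xc8cad4e5 reqid 1 mode tunnel
\tauth-trunc hmac(sha1) 0xREDACTED 96
\tenc cbc(aes) 0xREDACTED
"""

# Constructed `ip xfrm policy` output: the out/in policies for the logged TS
# 10.10.10.1/32 === 0.0.0.0/0, each template pointing at the SA pair above.
SAMPLE_POLICY = """\
src 10.10.10.1/32 dst 0.0.0.0/0
\tdir out priority 383615 ptype main
\ttmpl src 192.168.1.114 dst 108.31.28.59
\t\tproto esp spi 0xc3f2eec4 reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.10.10.1/32
\tdir in priority 383615 ptype main
\ttmpl src 108.31.28.59 dst 192.168.1.114
\t\tproto esp reqid 1 mode tunnel
"""

def parse_child_sa(line):
    """Pull the inbound (_i) / outbound (_o) SPIs and traffic selectors from the log line."""
    m = re.search(r"SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (\S+) === (\S+)", line)
    if not m:
        raise ValueError("not a CHILD_SA established line")
    return {"spi_in": m.group(1), "spi_out": m.group(2),
            "ts_local": m.group(3), "ts_remote": m.group(4)}

def _records(text):
    """Split iproute2 output into records; each starts at an unindented 'src' line."""
    recs = []
    for ln in text.splitlines():
        if ln.startswith("src "):
            recs.append([])
        if recs:
            recs[-1].append(ln.strip())
    return [" ".join(r) for r in recs]

def parse_xfrm_state(text):
    """One dict per SA: endpoints, protocol, SPI (hex without 0x) and mode."""
    sas = []
    for body in _records(text):
        ep = re.match(r"src (\S+) dst (\S+)", body)
        sa = re.search(r"proto (\w+) spi 0x([0-9a-f]+) .*?mode (\w+)", body)
        sas.append({"src": ep.group(1), "dst": ep.group(2), "proto": sa.group(1),
                    "spi": sa.group(2), "mode": sa.group(3)})
    return sas

def parse_xfrm_policy(text):
    """One dict per policy: selector, direction and template (outer) endpoints."""
    pols = []
    for body in _records(text):
        sel = re.match(r"src (\S+) dst (\S+) .*?dir (\w+)", body)
        tmpl = re.search(r"tmpl src (\S+) dst (\S+)", body)
        pols.append({"src": sel.group(1), "dst": sel.group(2), "dir": sel.group(3),
                     "tmpl_src": tmpl.group(1) if tmpl else None,
                     "tmpl_dst": tmpl.group(2) if tmpl else None})
    return pols

def verify_tunnel(local, gateway, child_line, state_text, policy_text):
    """One boolean per check; all True means the kernel enforces what charon logged."""
    info = parse_child_sa(child_line)
    sas, pols = parse_xfrm_state(state_text), parse_xfrm_policy(policy_text)

    def has_sa(src, dst, spi):
        return any((s["src"], s["dst"], s["spi"], s["proto"], s["mode"])
                   == (src, dst, spi, "esp", "tunnel") for s in sas)

    def has_policy(src, dst, direction, tsrc, tdst):
        return any((p["src"], p["dst"], p["dir"], p["tmpl_src"], p["tmpl_dst"])
                   == (src, dst, direction, tsrc, tdst) for p in pols)

    return {
        # The outbound SA runs local -> gateway under the _o SPI; inbound is the reverse.
        "sa_out": has_sa(local, gateway, info["spi_out"]),
        "sa_in": has_sa(gateway, local, info["spi_in"]),
        # SAs alone protect nothing: without the 'out' policy for 10.10.10.1/32 -> 0.0.0.0/0
        # no packet is steered into ESP and traffic leaves the WiFi in the clear.
        "policy_out": has_policy(info["ts_local"], info["ts_remote"], "out", local, gateway),
        "policy_in": has_policy(info["ts_remote"], info["ts_local"], "in", gateway, local),
    }

if __name__ == "__main__":  # swap the samples for live `ip xfrm state` / `ip xfrm policy` output
    print(verify_tunnel(LOCAL, GATEWAY, CHILD_SA_LINE, SAMPLE_STATE, SAMPLE_POLICY))
```

With the VPN up, feed the script the real output of the two `ip xfrm` commands on the laptop; `policy_out` being True is the answer no interface listing can give for a policy-based tunnel, because it shows the kernel steering 10.10.10.1 to 0.0.0.0/0 traffic into ESP rather than out over the WiFi unprotected.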

Re: [strongSwan] revisiting problem with linux to VPN using network-manager-strongswan 1.4.5-2.1

2021-07-12 Thread David H Durgee
I have done a little more looking around and would like to know if what 
I am seeing from nmcli confirms proper operation of my strongswan VPN.  
Here is what I see with wifi up but not the VPN:



wlp5s0: connected to Auto Free WiFi by Karma
    "Broadcom and subsidiaries BCM4313"
    wifi (wl), AC:81:12:A4:5E:43, hw, mtu 1500
    ip4 default
    inet4 192.168.1.114/24
    route4 0.0.0.0/0
    route4 192.168.1.0/24
    route4 169.254.0.0/16
    route4 192.168.1.0/24
    inet6 fe80::562f:7604:6d84:57ca/64
    route6 fe80::/64

enp6s0: disconnected
    "Realtek RTL810xE"
    1 connection available
    ethernet (r8169), B8:70:F4:2C:6B:9F, autoconnect, hw, mtu 1500

lo: unmanaged
    "lo"
    loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536

DNS configuration:
    servers: 192.168.1.1
    interface: wlp5s0


When I enable the VPN this changes to show:


Durgee Enterprises, LLC VPN connection
    master wlp5s0, VPN
    inet4 10.10.10.1/32

wlp5s0: connected to Auto Free WiFi by Karma
    "Broadcom and subsidiaries BCM4313"
    wifi (wl), AC:81:12:A4:5E:43, hw, mtu 1500
    ip4 default
    inet4 192.168.1.114/24
    inet4 10.10.10.1/32
    route4 0.0.0.0/0
    route4 192.168.1.0/24
    route4 169.254.0.0/16
    route4 192.168.1.0/24
    route4 0.0.0.0/0
    inet6 fe80::562f:7604:6d84:57ca/64
    route6 fe80::/64

enp6s0: disconnected
    "Realtek RTL810xE"
    1 connection available
    ethernet (r8169), B8:70:F4:2C:6B:9F, autoconnect, hw, mtu 1500

lo: unmanaged
    "lo"
    loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536

DNS configuration:
    servers: 8.8.8.8 8.8.4.4
    interface: wlp5s0
    type: vpn

    servers: 192.168.1.1
    interface: wlp5s0


Does this confirm proper operation of the VPN?  If not, what other 
command will confirm it for me?


Assuming this does indeed indicate proper operation of the VPN I will 
contact support for the applet that fails to indicate the VPN in proper 
operation for them to correct their display.


Dave



Re: [strongSwan] revisiting problem with linux to VPN using network-manager-strongswan 1.4.5-2.1

2021-07-06 Thread David H Durgee
I am replying to my own post as I just noticed in the extract from 
syslog that the VPN does NOT appear to be working properly, as I just 
noticed that the VPN is being deactivated a few seconds after being 
established for some unknown reason.


Is this extract sufficient for someone to tell me how to fix this?  If 
not, what additional information do you need, either from the laptop or 
the server?  I believe I have posted configuration files from both sides 
in this thread, but let me know if you need more information.


Dave

David H Durgee wrote:  I brought up the VPN over a WiFi connection 
this morning for a few minutes in hopes of confirming it is operating 
correctly and securing the internet traffic.  Here are results in the 
terminal window:



dhdurgee@z560:~/Downloads$ ip rule
0:    from all lookup local
220:    from all lookup 220
32766:    from all lookup main
32767:    from all lookup default
dhdurgee@z560:~/Downloads$ ip route
default via 192.168.1.1 dev wlp5s0 proto dhcp metric 600
169.254.0.0/16 dev wlp5s0 scope link metric 1000
192.168.1.0/24 dev wlp5s0 proto kernel scope link src 192.168.1.114 metric 600

dhdurgee@z560:~/Downloads$ ifconfig
enp6s0: flags=4163  mtu 1500
    ether b8:70:f4:2c:6b:9f  txqueuelen 1000  (Ethernet)
    RX packets 6620471  bytes 6659611738 (6.6 GB)
    RX errors 0  dropped 113  overruns 0  frame 0
    TX packets 5400612  bytes 627288507 (627.2 MB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
    inet 127.0.0.1  netmask 255.0.0.0
    inet6 ::1  prefixlen 128  scopeid 0x10
    loop  txqueuelen 1000  (Local Loopback)
    RX packets 607593  bytes 59022846 (59.0 MB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 607593  bytes 59022846 (59.0 MB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp5s0: flags=4163  mtu 1500
    inet 192.168.1.114  netmask 255.255.255.0  broadcast 192.168.1.255
    inet6 fe80::562f:7604:6d84:57ca  prefixlen 64  scopeid 0x20
    ether ac:81:12:a4:5e:43  txqueuelen 1000  (Ethernet)
    RX packets 6987  bytes 5181997 (5.1 MB)
    RX errors 0  dropped 0  overruns 0  frame 77207
    TX packets 7967  bytes 1225749 (1.2 MB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    device interrupt 17

dhdurgee@z560:~/Downloads$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    600    0        0 wlp5s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp5s0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp5s0

dhdurgee@z560:~/Downloads$


Here is an extract from my syslog:

Jul  6 11:50:46 Z560 NetworkManager[758]:   [1625586646.5967] 
manager: rfkill: Wi-Fi hardware radio set enabled
Jul  6 11:50:46 Z560 NetworkManager[758]:  [1625586646.5985] 
audit: op="radio-control" arg="wireless-enabled" pid=83 uid=1000 
result="success"

Jul  6 11:50:46 Z560 charon-nm: 11[KNL] interface wlp5s0 activated
Jul  6 11:50:46 Z560 systemd[1]: Starting Load/Save RF Kill Switch 
Status...
Jul  6 11:50:46 Z560 systemd[1]: Started Load/Save RF Kill Switch 
Status.
Jul  6 11:50:46 Z560 wpa_supplicant[818]: dbus: 
fill_dict_with_properties 
dbus_interface=fi.w1.wpa_supplicant1.Interface.P2PDevice 
dbus_property=P2PDeviceConfig getter failed
Jul  6 11:50:46 Z560 NetworkManager[758]:  [1625586646.6794] 
sup-iface[0x562fdb83d4e0,wlp5s0]: supports 1 scan SSIDs
Jul  6 11:50:46 Z560 NetworkManager[758]:  [1625586646.6808] 
device (wlp5s0): supplicant interface state: starting -> ready
Jul  6 11:50:46 Z560 NetworkManager[758]:  [1625586646.6813] 
device (wlp5s0): state change: unavailable -> disconnected (reason 
'supplicant-available', sys-iface-state: 'managed')
Jul  6 11:50:46 Z560 wpa_supplicant[818]: wlp5s0: 
CTRL-EVENT-SCAN-FAILED ret=-22

Jul  6 11:50:46 Z560 kernel: [706888.708759] ERROR @wl_cfg80211_scan :
Jul  6 11:50:46 Z560 kernel: [706888.708762] WLC_SCAN error (-22)
Jul  6 11:50:48 Z560 NetworkManager[758]:  [1625586648.4559] 
manager: rfkill: Wi-Fi now enabled by radio killswitch
Jul  6 11:50:49 Z560 systemd[1]: NetworkManager-dispatcher.service: 
Succeeded.
Jul  6 11:50:50 Z560 NetworkManager[758]:  [1625586650.2774] 
policy: auto-activating connection 'Auto Free WiFi by Karma' 
(3ccc719b-3616-44f7-a914-8c7d0344c87a)
Jul  6 11:50:50 Z560 NetworkManager[758]:  [1625586650.2819] 
device (wlp5s0): Activation: starting connection 'Auto Free WiFi by 
Karma' (3ccc719b-3616-44f7-a914-8c7d0344c87a)
Jul  6 11:50:50 Z560 NetworkManager[758]:  [1625586650.2834] 
device (wlp5s0): state change: disconnected -> prepare (reason 
'none', sys-iface-state: 'managed')
Jul  6 11:50:50 Z560 NetworkManager[758]:  [1625586650.2891] 
manager: NetworkManager state is now CONNECTING
Jul  6 11:50:50 Z560 NetworkManager[7

Re: [strongSwan] revisiting problem with linux to VPN using network-manager-strongswan 1.4.5-2.1

2021-07-06 Thread David H Durgee
such file or 
directory
Jul  6 11:52:34 Z560 NetworkManager[758]:  [1625586754.7953] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: VPN plugin: state changed: stopping (5)
Jul  6 11:52:34 Z560 NetworkManager[758]:  [1625586754.7954] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: VPN plugin: state changed: stopped (6)
Jul  6 11:52:34 Z560 charon-nm: 12[NET] received packet: from 
108.31.28.59[4500] to 192.168.1.114[47031] (76 bytes)
Jul  6 11:52:34 Z560 charon-nm: 12[ENC] parsed INFORMATIONAL response 
6 [ ]

Jul  6 11:52:34 Z560 charon-nm: 12[IKE] IKE_SA deleted
Jul  6 11:52:41 Z560 charon-nm: 15[KNL] interface wlp5s0 deactivated
Jul  6 11:52:41 Z560 wpa_supplicant[818]: wlp5s0: 
CTRL-EVENT-DISCONNECTED bssid=be:0f:2b:95:dd:58 reason=3 
locally_generated=1
Jul  6 11:52:41 Z560 avahi-daemon[750]: Interface wlp5s0.IPv6 no 
longer relevant for mDNS.
Jul  6 11:52:41 Z560 avahi-daemon[750]: Leaving mDNS multicast group 
on interface wlp5s0.IPv6 with address fe80::562f:7604:6d84:57ca.
Jul  6 11:52:41 Z560 systemd[1]: Starting Load/Save RF Kill Switch 
Status...
Jul  6 11:52:41 Z560 charon-nm: 10[KNL] fe80::562f:7604:6d84:57ca 
disappeared from wlp5s0
Jul  6 11:52:41 Z560 avahi-daemon[750]: Interface wlp5s0.IPv4 no 
longer relevant for mDNS.
Jul  6 11:52:41 Z560 avahi-daemon[750]: Leaving mDNS multicast group 
on interface wlp5s0.IPv4 with address 192.168.1.114.
Jul  6 11:52:41 Z560 avahi-daemon[750]: Withdrawing address record for 
fe80::562f:7604:6d84:57ca on wlp5s0.
Jul  6 11:52:41 Z560 avahi-daemon[750]: Withdrawing address record for 
192.168.1.114 on wlp5s0.

Jul  6 11:52:41 Z560 wpa_supplicant[818]: rfkill: WLAN soft blocked
Jul  6 11:52:41 Z560 systemd[1]: Started Load/Save RF Kill Switch Status.
Jul  6 11:52:41 Z560 NetworkManager[758]:  [1625586761.1466] 
manager: rfkill: Wi-Fi hardware radio set disabled
Jul  6 11:52:41 Z560 NetworkManager[758]:  [1625586761.1469] 
device (wlp5s0): state change: activated -> unavailable (reason 
'none', sys-iface-state: 'managed')
Jul  6 11:52:41 Z560 NetworkManager[758]:  [1625586761.1750] 
dhcp4 (wlp5s0): canceled DHCP transaction
Jul  6 11:52:41 Z560 NetworkManager[758]:  [1625586761.1750] 
dhcp4 (wlp5s0): state changed bound -> done
Jul  6 11:52:41 Z560 charon-nm: 06[KNL] 192.168.1.114 disappeared from 
wlp5s0
Jul  6 11:52:41 Z560 NetworkManager[758]:  [1625586761.1823] 
manager: NetworkManager state is now DISCONNECTED
Jul  6 11:52:41 Z560 NetworkManager[758]:  [1625586761.1920] 
audit: op="radio-control" arg="wireless-enabled" pid=83 uid=1000 
result="success"
Jul  6 11:52:41 Z560 NetworkManager[758]:  [1625586761.1931] 
manager: rfkill: Wi-Fi now disabled by radio killswitch
Jul  6 11:52:41 Z560 nm-dispatcher[914110]: run-parts: failed to stat 
component /etc/network/if-post-down.d/avahi-daemon: No such file or 
directory
Jul  6 11:52:41 Z560 charon-nm: 11[IKE] uninstalling bypass policy for 
192.168.1.0/24
Jul  6 11:52:41 Z560 charon-nm: 11[KNL] error uninstalling route 
installed with policy 192.168.1.0/24 === 192.168.1.0/24 out
Jul  6 11:52:41 Z560 charon-nm: 11[IKE] uninstalling bypass policy for 
169.254.0.0/16
Jul  6 11:52:41 Z560 charon-nm: 11[IKE] uninstalling bypass policy for 
fe80::/64
Jul  6 11:52:41 Z560 wpa_supplicant[818]: nl80211: deinit 
ifname=wlp5s0 disabled_11b_rates=0

Jul  6 11:52:46 Z560 systemd[1]: systemd-rfkill.service: Succeeded.
I am not sure that I have used the proper commands from the terminal 
window to confirm that internet traffic is indeed being encrypted and 
sent via the VPN as opposed to simply being carried via the WiFi 
connection without encryption.


Could someone please let me know what terminal commands I should be 
using to confirm proper operation of the VPN connection, assuming of 
course that it is indeed operating correctly?


Dave



Re: [strongSwan] revisiting problem with linux to VPN using network-manager-strongswan 1.4.5-2.1

2021-07-02 Thread David H Durgee
So strongSwan works differently than the vpn I was using previously.  
Fine.  I see log messages that appear to indicate that the tunnel 
was successfully established.  How can I confirm that the configuration 
is working to secure all internet traffic via the WiFi connection?


I assume that there are some commands that I could issue in a linux 
terminal window whose output would assure me of this.  In the case of 
the previous vpn it created a tun interface and routed traffic to that 
interface, which could be confirmed with the ifconfig and route commands.


What commands would show me confirmation that my internet traffic is 
being properly encrypted?


I do not at present have the full strongSwan package installed on the 
laptop, only the packages that work with NetworkManager.  I can install 
additional packages if necessary, but would need to be sure that doing 
so would not undo work already done to reach the current point of 
successful connection.


Dave



[strongSwan] revisiting problem with linux to VPN using network-manager-strongswan 1.4.5-2.1

2021-07-01 Thread David H Durgee
I thought it might make sense to revisit this after the progress that 
has been made. It now appears that the connection is being established:


Jun 29 11:21:34 Z560 charon-nm: 11[IKE] authentication of 
'durgeeenterprises.publicvm.com' with EAP successful
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] IKE_SA Durgee Enterprises, 
LLC[7] established between 
192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]

Jun 29 11:21:34 Z560 charon-nm: 11[IKE] scheduling rekeying in 35705s
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] maximum IKE_SA lifetime 36305s
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] installing new virtual IP 
10.10.10.1
Jun 29 11:21:34 Z560 avahi-daemon[750]: Registering new address record 
for 10.10.10.1 on wlp5s0.IPv4.
Jun 29 11:21:34 Z560 charon-nm: 11[CFG] selected proposal: 
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 29 11:21:34 Z560 charon-nm: 11[IKE] CHILD_SA Durgee Enterprises, 
LLC{4} established with SPIs c8cad4e5_i c3f2eec4_o and TS 
10.10.10.1/32 === 0.0.0.0/0

Jun 29 11:21:34 Z560 charon-nm: 11[IKE] peer supports MOBIKE
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.6991] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: VPN connection: (IP Config Get) reply received.
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.6997] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: VPN plugin: state changed: started (4)
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.6997] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: VPN connection: (IP4 Config Get) reply received
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7003] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data: VPN Gateway: 108.31.28.59
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7003] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data: Tunnel Device: (null)
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7003] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data: IPv4 configuration:
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7003] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   Internal Address: 10.10.10.1
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   Internal Prefix: 32
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   Internal Point-to-Point Address: 10.10.10.1
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   Internal DNS: 8.8.8.8
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   Internal DNS: 8.8.4.4
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data:   DNS Domain: '(none)'
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7004] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: Data: No IPv6 configuration
Jun 29 11:21:34 Z560 NetworkManager[758]:  [1624980094.7013] 
vpn-connection[0x562fdb93c2f0,72e4370d-ecfb-4e33-8572-5cf04431abb9,"Durgee 
Enterprises, LLC",0]: VPN connection: (IP Config Get) complete


Unfortunately I am not seeing a tunnel interface being created and 
routing added:



enp6s0: flags=4163  mtu 1500
    ether b8:70:f4:2c:6b:9f  txqueuelen 1000  (Ethernet)
    RX packets 1143393  bytes 1164336056 (1.1 GB)
    RX errors 0  dropped 20  overruns 0  frame 0
    TX packets 912738  bytes 112966285 (112.9 MB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73  mtu 65536
    inet 127.0.0.1  netmask 255.0.0.0
    inet6 ::1  prefixlen 128  scopeid 0x10
    loop  txqueuelen 1000  (Local Loopback)
    RX packets 95404  bytes 9207887 (9.2 MB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 95404  bytes 9207887 (9.2 MB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp5s0: flags=4163  mtu 1500
    inet 192.168.1.114  netmask 255.255.255.0  broadcast 192.168.1.255
    inet6 fe80::562f:7604:6d84:57ca  prefixlen 64  scopeid 0x20
    ether ac:81:12:a4:5e:43  txqueuelen 1000  (Ethernet)
    RX packets 5644  bytes 4264877 (4.2 MB)
    RX errors 0  dropped 0  overruns 0  frame 62520
    TX packets 6377  bytes 1007195 (1.0 MB)
    TX errors 0  

Re: [strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

2021-06-28 Thread David H Durgee

Checking the "Request an inner IP address" box did get me further:

Jun 28 14:50:07 Z560 charon-nm: 15[IKE] installing new virtual IP 
10.10.10.2
Jun 28 14:50:07 Z560 charon-nm: 15[CFG] selected proposal: 
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Jun 28 14:50:07 Z560 charon-nm: 15[IKE] CHILD_SA Durgee Enterprises, 
LLC{2} established with SPIs c52f6709_i ce1425eb_o and TS 
10.10.10.2/32 === 0.0.0.0/0

Jun 28 14:50:07 Z560 charon-nm: 15[IKE] peer supports MOBIKE
Jun 28 14:53:34 Z560 charon-nm: 01[IKE] deleting IKE_SA Durgee 
Enterprises, LLC[2] between 
192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
Jun 28 14:53:34 Z560 charon-nm: 01[IKE] sending DELETE for IKE_SA 
Durgee Enterprises, LLC[2]
Jun 28 14:53:34 Z560 charon-nm: 01[ENC] generating INFORMATIONAL 
request 6 [ D ]
Jun 28 14:53:34 Z560 charon-nm: 01[NET] sending packet: from 
192.168.1.114[47031] to 108.31.28.59[4500] (76 bytes)
Jun 28 14:53:34 Z560 charon-nm: 13[NET] received packet: from 
108.31.28.59[4500] to 192.168.1.114[47031] (76 bytes)
Jun 28 14:53:34 Z560 charon-nm: 13[ENC] parsed INFORMATIONAL response 
6 [ ]

Jun 28 14:53:34 Z560 charon-nm: 13[IKE] IKE_SA deleted


This however appears to be only part of the solution.  I see no tun 
interface created and routing continued to be via the WiFi connection.  
I have attached my current configuration file for the connection from 
/etc/NetworkManager/system-connections as generated via the GUI.  
Hopefully someone can tell me what else I need to change via the GUI.


Thanks in advance.

Dave


Noel Kuntze wrote:  Set "Request an inner IP address".

On 28.06.21 at 15:55, David H Durgee wrote:

Michael Schwartzkopff wrote:

On 28.06.21 15:34, David H Durgee wrote:

Michael Schwartzkopff wrote:

On 28.06.21 13:44, David H Durgee wrote:

I added that package and got further this time:


(...)
Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] authentication of 'durgeeenterprises.publicvm.com' with EAP successful
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] IKE_SA Durgee Enterprises, LLC[1] established between 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] scheduling rekeying in 35606s
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] maximum IKE_SA lifetime 36206s
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED notify, no CHILD_SA built
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA

hi,


Your responder (Server) seems to have some kind of configured policy
where the server waits for a configuration request from the client. But
the client does not ask for the config and the server terminates the
connection.

Please see the logs of your server, what exactly is missing. Perhaps the
server wants to hand out an IP address to the client or something else.



Kind regards,


Looking at the log on the server I see:


Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of 'dhdurgee'
with EAP successful
Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of
'durgeeenterprises.publicvm.com' (myself) with EAP
Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
established between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 


Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
established between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 


Jun 28 07:33:58 DG41TY charon: 10[IKE] expected a virtual IP request,
sending FAILED_CP_REQUIRED
Jun 28 07:33:58 DG41TY charon: 10[IKE] traffic selectors 0.0.0.0/0
::/0 === 192.168.1.114/32 inacceptable
Jun 28 07:33:58 DG41TY charon: 10[IKE] failed to establish CHILD_SA,
keeping IKE_SA
Jun 28 07:33:58 DG41TY charon: 10[ENC] generating IKE_AUTH response 5
[ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jun 28 07:33:58 DG41TY charon: 10[NET] sending packet: from
192.168.80.11[4500] to 172.58.190.234[59726] (124 bytes)
Jun 28 07:33:58 DG41TY charon: 14[NET] received packet: from
172.58.190.234[59726] to 192.168.80.11[4500] (76 bytes)
Jun 28 07:33:58 DG41TY charon: 14[ENC] parsed INFORMATIONAL request 6
[ D ]
Jun 28 07:33:58 DG41TY charon: 14[IKE] received DELETE for IKE_SA
ikev2-vpn[61]
Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 


Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 


Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
Jun 28 07:33:58 DG41TY charon: 14[ENC] generating INFORMATIONAL
response 6 [ ]
Jun 28 07:33:58 DG41TY charon: 14[NET] sending packet: from
192.168.80.11[4500] to 172.58.190.234[59726] (76 b

Re: [strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

2021-06-28 Thread David H Durgee

Michael Schwartzkopff wrote:

On 28.06.21 15:34, David H Durgee wrote:

Michael Schwartzkopff wrote:

On 28.06.21 13:44, David H Durgee wrote:

I added that package and got further this time:


(...)
Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [
AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] authentication of
'durgeeenterprises.publicvm.com' with EAP successful
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] IKE_SA Durgee Enterprises,
LLC[1] established between
192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] scheduling rekeying in 35606s
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] maximum IKE_SA lifetime 36206s
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED
notify, no CHILD_SA built
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] failed to establish CHILD_SA,
keeping IKE_SA

hi,


Your responder (Server) seems to have some kind of configured policy
where the server waits for a configuration request from the client. But
the client does not ask for the config and the server terminates the
connection.

Please see the logs of your server, what exactly is missing. Perhaps the
server wants to hand out an IP address to the client or something else.


Kind regards,


Looking at the log on the server I see:


Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of 'dhdurgee'
with EAP successful
Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of
'durgeeenterprises.publicvm.com' (myself) with EAP
Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
established between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
established between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
Jun 28 07:33:58 DG41TY charon: 10[IKE] expected a virtual IP request,
sending FAILED_CP_REQUIRED
Jun 28 07:33:58 DG41TY charon: 10[IKE] traffic selectors 0.0.0.0/0
::/0 === 192.168.1.114/32 inacceptable
Jun 28 07:33:58 DG41TY charon: 10[IKE] failed to establish CHILD_SA,
keeping IKE_SA
Jun 28 07:33:58 DG41TY charon: 10[ENC] generating IKE_AUTH response 5
[ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jun 28 07:33:58 DG41TY charon: 10[NET] sending packet: from
192.168.80.11[4500] to 172.58.190.234[59726] (124 bytes)
Jun 28 07:33:58 DG41TY charon: 14[NET] received packet: from
172.58.190.234[59726] to 192.168.80.11[4500] (76 bytes)
Jun 28 07:33:58 DG41TY charon: 14[ENC] parsed INFORMATIONAL request 6
[ D ]
Jun 28 07:33:58 DG41TY charon: 14[IKE] received DELETE for IKE_SA
ikev2-vpn[61]
Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee]
Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
Jun 28 07:33:58 DG41TY charon: 14[ENC] generating INFORMATIONAL
response 6 [ ]
Jun 28 07:33:58 DG41TY charon: 14[NET] sending packet: from
192.168.80.11[4500] to 172.58.190.234[59726] (76 bytes)

Looking at my settings for the network connection shows IPv4 enabled
expecting an address to be assigned automatically via DHCP with DNS
and Routes set as automatic.  The checkbox for "use this connection
only for resources on its network" is NOT checked.  The page for IPv6
is also set as automatic with the checkbox NOT checked.

On the identity page none of the options are checked.  Options are:

"Request an inner IP address"
"Enforce UDP encapsulation"
"Use IP compression"

All this should be defaults, as I only filled in the name, gateway,
certificate, authentication(EAP), username and password fields.

Dave


I don't know about the manufacturer of your server side, but did you try
to add leftsourceip=%config to your client (initiator) config? Also
%config6 for IPv6 exists. See
https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp




Kind regards,



I am configuring this client using the strongswan plugin for network 
manager as noted in the subject line.  I have attached the created 
network connection to this post for your inspection.  I guess additional 
lines could be edited in manually if necessary, but now I am wondering 
if I am posting in the proper place.  Is it possible this is a 
network-manager problem as opposed to strongswan?


Dave
[connection]
id=Durgee Enterprises, LLC
uuid=79c86094-b6e0-4819-afee-e6e427cdf4c8
type=vpn
autoconnect=false
permissions=user:dhdurgee:;

[vpn]
address=durgeeenterprises.publicvm.com
certificate=/home/dhdurgee/Downloads/vpn_root_certificate.pem
encap=no
ipcomp=no
method=eap
password-flags=1
proposal=no
user=dhdurgee
virtual=no
service-type=org.freedesktop.Netw

Re: [strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

2021-06-28 Thread David H Durgee

I added that package and got further this time:

Jun 28 07:33:57 Z560 charon-nm: 13[IKE] server requested EAP_IDENTITY 
(id 0x00), sending 'dhdurgee'
Jun 28 07:33:57 Z560 charon-nm: 13[ENC] generating IKE_AUTH request 2 
[ EAP/RES/ID ]
Jun 28 07:33:57 Z560 charon-nm: 13[NET] sending packet: from 
192.168.1.114[47031] to 108.31.28.59[4500] (92 bytes)
Jun 28 07:33:58 Z560 charon-nm: 15[NET] received packet: from 
108.31.28.59[4500] to 192.168.1.114[47031] (108 bytes)
Jun 28 07:33:58 Z560 charon-nm: 15[ENC] parsed IKE_AUTH response 2 [ 
EAP/REQ/MSCHAPV2 ]
Jun 28 07:33:58 Z560 charon-nm: 15[IKE] server requested EAP_MSCHAPV2 
authentication (id 0xB0)
Jun 28 07:33:58 Z560 charon-nm: 15[ENC] generating IKE_AUTH request 3 
[ EAP/RES/MSCHAPV2 ]
Jun 28 07:33:58 Z560 charon-nm: 15[NET] sending packet: from 
192.168.1.114[47031] to 108.31.28.59[4500] (140 bytes)
Jun 28 07:33:58 Z560 charon-nm: 01[NET] received packet: from 
108.31.28.59[4500] to 192.168.1.114[47031] (140 bytes)
Jun 28 07:33:58 Z560 charon-nm: 01[ENC] parsed IKE_AUTH response 3 [ 
EAP/REQ/MSCHAPV2 ]
Jun 28 07:33:58 Z560 charon-nm: 01[IKE] EAP-MS-CHAPv2 succeeded: 
'Welcome2strongSwan'
Jun 28 07:33:58 Z560 charon-nm: 01[ENC] generating IKE_AUTH request 4 
[ EAP/RES/MSCHAPV2 ]
Jun 28 07:33:58 Z560 charon-nm: 01[NET] sending packet: from 
192.168.1.114[47031] to 108.31.28.59[4500] (76 bytes)
Jun 28 07:33:58 Z560 charon-nm: 07[NET] received packet: from 
108.31.28.59[4500] to 192.168.1.114[47031] (76 bytes)
Jun 28 07:33:58 Z560 charon-nm: 07[ENC] parsed IKE_AUTH response 4 [ 
EAP/SUCC ]
Jun 28 07:33:58 Z560 charon-nm: 07[IKE] EAP method EAP_MSCHAPV2 
succeeded, MSK established
Jun 28 07:33:58 Z560 charon-nm: 07[IKE] authentication of 'dhdurgee' 
(myself) with EAP
Jun 28 07:33:58 Z560 charon-nm: 07[ENC] generating IKE_AUTH request 5 
[ AUTH ]
Jun 28 07:33:58 Z560 charon-nm: 07[NET] sending packet: from 
192.168.1.114[47031] to 108.31.28.59[4500] (92 bytes)
Jun 28 07:33:58 Z560 charon-nm: 06[NET] received packet: from 
108.31.28.59[4500] to 192.168.1.114[47031] (124 bytes)
Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [ 
AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] authentication of 
'durgeeenterprises.publicvm.com' with EAP successful
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] IKE_SA Durgee Enterprises, 
LLC[1] established between 
192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]

Jun 28 07:33:58 Z560 charon-nm: 06[IKE] scheduling rekeying in 35606s
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] maximum IKE_SA lifetime 36206s
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED 
notify, no CHILD_SA built
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] failed to establish CHILD_SA, 
keeping IKE_SA

Jun 28 07:33:58 Z560 charon-nm: 06[IKE] peer supports MOBIKE
Jun 28 07:33:58 Z560 charon-nm: 08[IKE] deleting IKE_SA Durgee 
Enterprises, LLC[1] between 
192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com]
Jun 28 07:33:58 Z560 charon-nm: 08[IKE] sending DELETE for IKE_SA 
Durgee Enterprises, LLC[1]
Jun 28 07:33:58 Z560 charon-nm: 08[ENC] generating INFORMATIONAL 
request 6 [ D ]
Jun 28 07:33:58 Z560 charon-nm: 08[NET] sending packet: from 
192.168.1.114[47031] to 108.31.28.59[4500] (76 bytes)
Jun 28 07:33:58 Z560 charon-nm: 09[NET] received packet: from 
108.31.28.59[4500] to 192.168.1.114[47031] (76 bytes)
Jun 28 07:33:58 Z560 charon-nm: 09[ENC] parsed INFORMATIONAL response 
6 [ ]

Jun 28 07:33:58 Z560 charon-nm: 09[IKE] IKE_SA deleted


Obviously I am still missing something or have a setting wrong. Any 
suggestions?


Dave


Charles Fadipe wrote:  Hi David,


Please confirm you have StrongSwan's eap-mschapv2 plugin installed.

If not, try installing libcharon-extra-plugins on your client.


Kind Regards

Charles Fadipe

Junior Penetration and Security Tester
University Information Services

University of Cambridge



*From:* Users  on behalf of David 
H Durgee 

*Sent:* Sunday, June 27, 2021 10:42 pm
*To:* users@lists.strongswan.org
*Subject:* [strongSwan] problem connecting linux laptop to VPN using 
network-manager-strongswan 1.4.5-2.1

I am encountering a problem attempting to access a VPN using strongswan
from my linux laptop.  I have it working from an android phone and
tablet as well as a windows laptop, so I know the server is configured
properly.

The connection appears to start normally and then fails at the EAP
stage.  Log on the linux laptop shows:

> Jun 27 17:05:15 Z560 charon-nm: 06[IKE] authentication of
> 'durgeeenterprises.publicvm.com' with RSA_EMSA_PKCS1_SHA2_384 successful
> Jun 27 17:05:15 Z560 charon-nm: 06[IKE] server requested EAP_IDENTITY
> (id 0x00), sending 'dhdurgee'
> Jun 27 17:05:15 Z560 charon-nm: 06[IKE] EAP_IDENTITY not supported,
> sending EAP_NAK
> Jun 27 17:05:15 Z560 charon-nm: 06[ENC] generating IKE_A

[strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

2021-06-27 Thread David H Durgee
I am encountering a problem attempting to access a VPN using strongswan 
from my linux laptop.  I have it working from an android phone and 
tablet as well as a windows laptop, so I know the server is configured 
properly.


The connection appears to start normally and then fails at the EAP 
stage.  Log on the linux laptop shows:


Jun 27 17:05:15 Z560 charon-nm: 06[IKE] authentication of 
'durgeeenterprises.publicvm.com' with RSA_EMSA_PKCS1_SHA2_384 successful
Jun 27 17:05:15 Z560 charon-nm: 06[IKE] server requested EAP_IDENTITY 
(id 0x00), sending 'dhdurgee'
Jun 27 17:05:15 Z560 charon-nm: 06[IKE] EAP_IDENTITY not supported, 
sending EAP_NAK
Jun 27 17:05:15 Z560 charon-nm: 06[ENC] generating IKE_AUTH request 2 
[ EAP/RES/NAK ]
Jun 27 17:05:15 Z560 charon-nm: 06[NET] sending packet: from 
192.168.1.114[60298] to 108.31.28.59[4500] (76 bytes)
Jun 27 17:05:15 Z560 charon-nm: 09[NET] received packet: from 
108.31.28.59[4500] to 192.168.1.114[60298] (76 bytes)
Jun 27 17:05:15 Z560 charon-nm: 09[ENC] parsed IKE_AUTH response 2 [ 
EAP/FAIL ]
Jun 27 17:05:15 Z560 charon-nm: 09[IKE] received EAP_FAILURE, EAP 
authentication failed
Jun 27 17:05:15 Z560 charon-nm: 09[ENC] generating INFORMATIONAL 
request 3 [ N(AUTH_FAILED) ]
Jun 27 17:05:15 Z560 charon-nm: 09[NET] sending packet: from 
192.168.1.114[60298] to 108.31.28.59[4500] (76 bytes)


While on the server end I see:

Jun 27 17:05:15 DG41TY charon: 06[CFG] looking for peer configs 
matching 192.168.80.11[%any]...172.58.187.218[dhdurgee]

Jun 27 17:05:15 DG41TY charon: 06[CFG] selected peer config 'ikev2-vpn'
Jun 27 17:05:15 DG41TY charon: 06[IKE] initiating EAP_IDENTITY method 
(id 0x00)

Jun 27 17:05:15 DG41TY charon: 06[IKE] peer supports MOBIKE
Jun 27 17:05:15 DG41TY charon: 06[IKE] authentication of 
'durgeeenterprises.publicvm.com' (myself) with RSA_EMSA_PKCS1_SHA384 
successful
Jun 27 17:05:15 DG41TY charon: 06[IKE] sending end entity cert "C=US, 
O=Durgee Enterprises LLC, CN=durgeeenterprises.publicvm.com"
Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1 
[ IDr CERT AUTH EAP/REQ/ID ]
Jun 27 17:05:15 DG41TY charon: 06[ENC] splitting IKE message with 
length of 2092 bytes into 5 fragments
Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1 
[ EF(1/5) ]
Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1 
[ EF(2/5) ]
Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1 
[ EF(3/5) ]
Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1 
[ EF(4/5) ]
Jun 27 17:05:15 DG41TY charon: 06[ENC] generating IKE_AUTH response 1 
[ EF(5/5) ]
Jun 27 17:05:15 DG41TY charon: 06[NET] sending packet: from 
192.168.80.11[4500] to 172.58.187.218[54591] (544 bytes)
Jun 27 17:05:15 DG41TY charon: message repeated 3 times: [ 06[NET] 
sending packet: from 192.168.80.11[4500] to 172.58.187.218[54591] (544 
bytes)]
Jun 27 17:05:15 DG41TY charon: 06[NET] sending packet: from 
192.168.80.11[4500] to 172.58.187.218[54591] (176 bytes)
Jun 27 17:05:15 DG41TY charon: 05[NET] received packet: from 
172.58.187.218[54591] to 192.168.80.11[4500] (76 bytes)
Jun 27 17:05:15 DG41TY charon: 05[ENC] parsed IKE_AUTH request 2 [ 
EAP/RES/NAK ]
Jun 27 17:05:15 DG41TY charon: 05[IKE] received EAP_NAK, sending 
EAP_FAILURE
Jun 27 17:05:15 DG41TY charon: 05[ENC] generating IKE_AUTH response 2 
[ EAP/FAIL ]
Jun 27 17:05:15 DG41TY charon: 05[NET] sending packet: from 
192.168.80.11[4500] to 172.58.187.218[54591] (76 bytes)


What am I doing wrong here?  I assume I have an error in the linux 
client configuration, since android and windows clients work with the 
server.  What did I miss?


Dave
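The two failure signatures in this thread (the EAP_NAK from the missing EAP plugins in the Jun 27 log above, and the FAILED_CP_REQUIRED / TS_UNACCEPT notifies in the Jun 28 log once the plugins were installed) can be picked out of a charon log mechanically. The following is an added example, not strongSwan code or any poster's own; the sample lines are copied from the thread and re-joined onto single lines, and the "virtual=yes" keyfile value in the hint is assumed to be the counterpart of the "virtual=no" shown in the posted connection file.

```python
"""Triage charon / charon-nm syslog lines for the IKEv2 failure signatures seen
in this thread.  Added example, not part of strongSwan; the sample log lines
below are copied from the thread and re-joined onto single lines."""
import re
from dataclasses import dataclass

# syslog prefix written by charon / charon-nm: "<ts> <host> <daemon>: NN[GROUP] msg"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>charon(?:-nm)?): (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")

# (pattern on the message part, finding id, fix or next step discussed in the thread)
RULES = [
    (re.compile(r"EAP_IDENTITY not supported, sending EAP_NAK"),
     "eap-plugin-missing",
     "client lacks the EAP plugins; install them (libcharon-extra-plugins on Debian/Ubuntu)"),
    (re.compile(r"received EAP_NAK, sending EAP_FAILURE"),
     "eap-plugin-missing",
     "peer answered the EAP identity request with a NAK: its EAP plugins are missing"),
    (re.compile(r"received EAP_FAILURE, EAP authentication failed"),
     "eap-failed",
     "EAP rejected by the server; the cause is in the lines before this one"),
    (re.compile(r"N\(TS_UNACCEPT\)"),
     "traffic-selectors-rejected",
     "server refused the proposed traffic selectors, so no CHILD_SA was built"),
    (re.compile(r"FAILED_CP_REQUIRED"),
     "virtual-ip-not-requested",
     "server expects a virtual IP request: tick 'Request an inner IP address' "
     "(assumed virtual=yes in the NetworkManager keyfile) or set leftsourceip=%config"),
    (re.compile(r"received proposals inacceptable"),
     "ike-proposal-mismatch",
     "no common IKE proposal; compare 'received proposals' with 'configured proposals'"),
]


@dataclass(frozen=True)
class Finding:
    signature: str
    side: str        # "client" for charon-nm, "server" for plain charon
    timestamp: str
    host: str
    hint: str


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not a charon line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return one Finding per matching rule per line, in log order."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue     # "message repeated N times" and non-charon lines are skipped
        side = "client" if fields["daemon"] == "charon-nm" else "server"
        for pattern, signature, hint in RULES:
            if pattern.search(fields["msg"]):
                findings.append(Finding(signature, side, fields["ts"], fields["host"], hint))
    return findings


# Sample input constructed from the Jun 27 client log in this thread (EAP_NAK) ...
CLIENT_JUN27 = """\
Jun 27 17:05:15 Z560 charon-nm: 06[IKE] authentication of 'durgeeenterprises.publicvm.com' with RSA_EMSA_PKCS1_SHA2_384 successful
Jun 27 17:05:15 Z560 charon-nm: 06[IKE] server requested EAP_IDENTITY (id 0x00), sending 'dhdurgee'
Jun 27 17:05:15 Z560 charon-nm: 06[IKE] EAP_IDENTITY not supported, sending EAP_NAK
Jun 27 17:05:15 Z560 charon-nm: 09[ENC] parsed IKE_AUTH response 2 [ EAP/FAIL ]
Jun 27 17:05:15 Z560 charon-nm: 09[IKE] received EAP_FAILURE, EAP authentication failed
""".splitlines()

# ... and from the Jun 28 client log after the plugins were installed (FAILED_CP_REQUIRED)
CLIENT_JUN28 = """\
Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] authentication of 'durgeeenterprises.publicvm.com' with EAP successful
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED notify, no CHILD_SA built
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
""".splitlines()

if __name__ == "__main__":
    for f in triage(CLIENT_JUN27) + triage(CLIENT_JUN28):
        print(f"{f.timestamp} {f.host} [{f.side}] {f.signature}: {f.hint}")
```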





Re: [strongSwan] automating Strongswan for Android with Tasker

2020-02-14 Thread David H. Durgee
Your eyes for this are better than mine, as I missed that difference as
well.  Correcting that to match the working task now has both of them
working.  I next created two state profiles, one when connected to my
home WiFi network which exits the VPN and one when connected to any
other WiFi network which enters the VPN.  This should allow the android
tablet to safely use WiFi at all times.

Thank you again for your assistance.

Dave


> Tobias Brunner wrote:  Hi David,
>
>> Changing the target to Activity now has the Exit_VPN task working as
>> expected.
> Great!
>
>> Unfortunately the Enter_VPN task still does nothing.  Is it
>> possible that the Action should be something other than "START_PROFILE"
>> or that I need to issue another intent to connect it?
> Nope.  The only difference between the two (if you changed the target
> for both) is "Cat:Browsable" (Enter_VPN) vs. "Cat:None" (Exit_VPN).  No
> idea what it means or what the impact is, though.
>
> Regards,
> Tobias
>
>






Re: [strongSwan] automating Strongswan for Android with Tasker

2020-02-13 Thread David H. Durgee
Changing the target to Activity now has the Exit_VPN task working as
expected.  Unfortunately the Enter_VPN task still does nothing.  Is it
possible that the Action should be something other than "START_PROFILE"
or that I need to issue another intent to connect it?

Dave
> Tobias Brunner wrote:  Hi David,
>
>>                                 Target:Broadcast Receiver
> That doesn't sound right.  The receiver will be an activity.
>
> Regards,
> Tobias




Re: [strongSwan] automating Strongswan for Android with Tasker

2020-02-07 Thread David H. Durgee
Tobias Brunner wrote:
> Hi David,
>
>> Neither of the above does anything when I run them.  If you see an error
>> in the above please let me know.
> arg0 and arg4 seem to be OK, but not sure about arg7.  Maybe the package
> name should actually be in arg6.  But it's difficult to say because I've
> not found any documentation of that format.
>
> Regards,
> Tobias
>
I looked a bit further and found another way to export the tasks:

    Enter_VPN (2)
        A1: Send Intent [
Action:org.strongswan.android.action.START_PROFILE Cat:Browsable Mime
Type: Data: Extra:org.strongswan.android.VPN_PROFILE_ID :
8d582063-fb0d-4234-aa1b-23d961583dd8 Extra: Extra:
Package:org.strongswan.android Class: Target:Broadcast Receiver ]

I think that can be reformatted a bit as:

Enter_VPN (2)
    A1: Send Intent [
        Action:org.strongswan.android.action.START_PROFILE
        Cat:Browsable
        Mime Type:
        Data:
        Extra:org.strongswan.android.VPN_PROFILE_ID : 8d582063-fb0d-4234-aa1b-23d961583dd8
        Extra:
        Extra:
        Package:org.strongswan.android
        Class:
        Target:Broadcast Receiver
    ]

Exit_VPN (3)
        A1: Send Intent [
Action:org.strongswan.android.action.DISCONNECT Cat:None Mime Type:
Data: Extra:org.strongswan.android.VPN_PROFILE_ID :
8d582063-fb0d-4234-aa1b-23d961583dd8 Extra: Extra:
Package:org.strongswan.android Class: Target:Broadcast Receiver ]

Once again reformatting as:

Exit_VPN (3)
    A1: Send Intent [
        Action:org.strongswan.android.action.DISCONNECT
        Cat:None
        Mime Type:
        Data:
        Extra:org.strongswan.android.VPN_PROFILE_ID : 8d582063-fb0d-4234-aa1b-23d961583dd8
        Extra:
        Extra:
        Package:org.strongswan.android
        Class:
        Target:Broadcast Receiver
    ]

If I understand this correctly this appears to match the directions in
the Wiki, so I am puzzled why these don't work.

If nobody here sees why this isn't working I guess I will have to try
contacting tasker support.

Dave




Re: [strongSwan] automating Strongswan for Android with Tasker

2020-02-05 Thread David H. Durgee
Tobias Brunner wrote:
> Hi David,
>
>> I am populating the Action, Extra and Package in the Tasker "Send
>> Intent" definition as per the wiki.  When I run the task nothing happens.
> Typo perhaps?
>
>> Is the wiki out of date?  Did I miss something required for this to
>> work?  Is anyone using this successfully?
> I never tried it with Tasker, only with Llama (not available anymore in
> the Play store).  But I now tried it with the Automate app, works fine
> as described on the wiki.  And I know there have been users who used
> Tasker for this.
>
> Regards,
> Tobias
>
Just had a chance to get back to this.  If there is a typo I don't see
it.  I exported the two tasks I created in XML for your inspection:


    
        1580920935423
        1580921818574
        2
        Enter_VPN
        100
        
            877
            org.strongswan.android.action.START_PROFILE
            
            
            
            org.strongswan.android.VPN_PROFILE_ID
: 8d582063-fb0d-4234-aa1b-23d961583dd8
            
            
            org.strongswan.android
            
            
        
    


 
    
        1580921356532
        1580921888200
        3
        Exit_VPN
        100
        
            877
            org.strongswan.android.action.DISCONNECT
            
            
            
            org.strongswan.android.VPN_PROFILE_ID
: 8d582063-fb0d-4234-aa1b-23d961583dd8
            
            
            org.strongswan.android
            
            
        
    


Neither of the above does anything when I run them.  If you see an error
in the above please let me know.

Dave




[strongSwan] automating Strongswan for Android with Tasker

2020-01-29 Thread David H. Durgee
I have installed the Strongswan for Android app on a Marshmallow tablet
and have created a profile to allow a VPN to be opened to my home
network.  Looking at the wiki I see directions on how to connect and
disconnect the VPN using intents.  I have installed Tasker on the tablet
and believe I have defined intents to accomplish this following the
wiki, but they do not work.

I am populating the Action, Extra and Package in the Tasker "Send
Intent" definition as per the wiki.  When I run the task nothing happens.

Is the wiki out of date?  Did I miss something required for this to
work?  Is anyone using this successfully?

Dave





Re: [strongSwan] configuring android StrongSwan VPN Client 2.2.1

2020-01-07 Thread David H. Durgee
Ok, if I understand you correctly I would need to take two actions:

1) create the Windows registry entry you linked to with a value of 1 or
2 to enable or require modp2048 on Windows.

2) modify my ipsec.conf on the linux server replacing all "modp1024"
with "modp2048" as the recipe is out of date.

This should allow the Windows clients to connect securely and allow my
android phone client to connect as well.

I would need to have the Windows client fix installed first, as once I
change the ipsec.conf script any of them without the fix would be unable
to connect.  Until the ipsec.conf is modified any Windows client
connections are not secured properly.

Do I have this correct?

Dave

> Andreas Steffen wrote:  Hi Dave,
>
> the Diffie-Hellman group modp1024 is totally weak and is therefore
> deprecated by NIST. Please add modp2048 to your server's configuration.
> Actually Windows clients can be made secure by enabling modp2048 via the
> Windows registry:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/WindowsClients#AES-256-CBC-and-MODP2048
>
> Best regards
>
> Andreas
>
> On 07.01.20 17:31, David H. Durgee wrote:
>> I followed this recipe to install StrongSwan on my linux server:
>>
>> How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 16.04
>> <https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04>
>>
>> This is working fine with a Windows client, so I know it is configured
>> properly.
>>
>> After this success I attempted to install the above client on my android
>> Nougat phone.  Unfortunately this is not working with the default
>> options on the client.  Here are the log entries from the linux server
>> attempting to open the VPN connection:
>>
>> Dec 26 18:07:11 DG41TY charon: 09[NET] received packet: from
>> 108.31.28.59[1024] to 192.168.80.11[500] (716 bytes)
>> Dec 26 18:07:11 DG41TY charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA
>> KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> Dec 26 18:07:11 DG41TY charon: 09[CFG] looking for an ike config for
>> 192.168.80.11...108.31.28.59
>> Dec 26 18:07:11 DG41TY charon: 09[CFG]   candidate: %any...%any, prio 28
>> Dec 26 18:07:11 DG41TY charon: 09[CFG] found matching ike config:
>> %any...%any with prio 28
>> Dec 26 18:07:11 DG41TY charon: 09[IKE] 108.31.28.59 is initiating an IKE_SA
>> Dec 26 18:07:11 DG41TY charon: 09[IKE] IKE_SA (unnamed)[15] state
>> change: CREATED => CONNECTING
>> Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
>> Dec 26 18:07:11 DG41TY charon: 09[CFG]   no acceptable
>> DIFFIE_HELLMAN_GROUP found
>> Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
>> Dec 26 18:07:11 DG41TY charon: 09[CFG]   no acceptable
>> ENCRYPTION_ALGORITHM found
>> Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
>> Dec 26 18:07:11 DG41TY charon: 09[CFG]   no acceptable
>> DIFFIE_HELLMAN_GROUP found
>> Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
>> Dec 26 18:07:11 DG41TY charon: 09[CFG]   no acceptable
>> ENCRYPTION_ALGORITHM found
>> Dec 26 18:07:11 DG41TY charon: 09[CFG] received proposals:
>> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
>> IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
>> Dec 26 18:07:11 DG41TY charon: 09[CFG] configured proposals:
>> IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
>> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> Dec 26 18:07:11 DG41TY charon: 09[IKE] local host is behind NAT, sending
>> keep alives
>> Dec 26 18:07:11 DG41TY charon: 09[IKE] remote host is behind NAT
>> Dec 26 18:07:11 DG41TY charon: 09[IKE] received proposals inacceptable
>> Dec 26 18:07:11 DG41TY charon: 09[ENC] generating IKE_SA_INIT response 0
>> [ N(NO_PROP) ]
>> Dec 26 18:07:11 DG41TY charon: 09[NET] sending packet: from
>> 192.168.80.11[500] to 108.31.28.59[1024] (36 bytes)
>> Dec 26 18:07:11 DG41TY charon: 09[IKE] IKE_SA (unnamed)[15] state
>> change: CONNECTING => DESTROYING
>>
>> What do I need to change in the android client configuration?  I would
>> prefer not to touch the linux server as it is working with windows
>> clients, but will do so if absolutely necessary.  Thank you for your
>> assistance in this matter.
>>
>> Dave






[strongSwan] configuring android StrongSwan VPN Client 2.2.1

2020-01-07 Thread David H. Durgee
I followed this recipe to install StrongSwan on my linux server:

How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 16.04
<https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04>

This is working fine with a Windows client, so I know it is configured
properly.

After this success I attempted to install the above client on my android
Nougat phone.  Unfortunately this is not working with the default
options on the client.  Here are the log entries from the linux server
attempting to open the VPN connection:

Dec 26 18:07:11 DG41TY charon: 09[NET] received packet: from
108.31.28.59[1024] to 192.168.80.11[500] (716 bytes)
Dec 26 18:07:11 DG41TY charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 26 18:07:11 DG41TY charon: 09[CFG] looking for an ike config for
192.168.80.11...108.31.28.59
Dec 26 18:07:11 DG41TY charon: 09[CFG]   candidate: %any...%any, prio 28
Dec 26 18:07:11 DG41TY charon: 09[CFG] found matching ike config:
%any...%any with prio 28
Dec 26 18:07:11 DG41TY charon: 09[IKE] 108.31.28.59 is initiating an IKE_SA
Dec 26 18:07:11 DG41TY charon: 09[IKE] IKE_SA (unnamed)[15] state
change: CREATED => CONNECTING
Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
Dec 26 18:07:11 DG41TY charon: 09[CFG]   no acceptable
DIFFIE_HELLMAN_GROUP found
Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
Dec 26 18:07:11 DG41TY charon: 09[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
Dec 26 18:07:11 DG41TY charon: 09[CFG]   no acceptable
DIFFIE_HELLMAN_GROUP found
Dec 26 18:07:11 DG41TY charon: 09[CFG] selecting proposal:
Dec 26 18:07:11 DG41TY charon: 09[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Dec 26 18:07:11 DG41TY charon: 09[CFG] received proposals:
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 26 18:07:11 DG41TY charon: 09[CFG] configured proposals:
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 26 18:07:11 DG41TY charon: 09[IKE] local host is behind NAT, sending
keep alives
Dec 26 18:07:11 DG41TY charon: 09[IKE] remote host is behind NAT
Dec 26 18:07:11 DG41TY charon: 09[IKE] received proposals inacceptable
Dec 26 18:07:11 DG41TY charon: 09[ENC] generating IKE_SA_INIT response 0
[ N(NO_PROP) ]
Dec 26 18:07:11 DG41TY charon: 09[NET] sending packet: from
192.168.80.11[500] to 108.31.28.59[1024] (36 bytes)
Dec 26 18:07:11 DG41TY charon: 09[IKE] IKE_SA (unnamed)[15] state
change: CONNECTING => DESTROYING

What do I need to change in the android client configuration?  I would
prefer not to touch the linux server as it is working with windows
clients, but will do so if absolutely necessary.  Thank you for your
assistance in this matter.

Dave
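Why the IKE_SA_INIT above ends in N(NO_PROP), and what replacing modp1024 with modp2048 changes, can be reproduced from the "received proposals" and "configured proposals" lines in the log. This is an added example, not strongSwan's code: it models charon's proposal selection in a simplified form, with the proposal strings copied from the log above and a second configured set in which MODP_2048 is substituted as Andreas suggests in his reply.

```python
"""Model charon's IKE proposal selection on the 'received proposals' and
'configured proposals' lines from this thread.  Added example, not strongSwan
code: a simplified version of charon's proposal_select() that reports the
first transform type without a common algorithm, the way the log does."""
import re

# transform types in the order charon checks and reports them
TYPES = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
         "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP")

# MODP groups below 2048 bits, deprecated as Andreas notes in the thread
WEAK_DH = {"MODP_768", "MODP_1024", "MODP_1536"}


def classify(alg):
    """Map one algorithm token from the log to its IKE transform type."""
    if alg.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if alg.startswith(("MODP_", "ECP_", "CURVE_")) or re.fullmatch(r"\(\d+\)", alg):
        return "DIFFIE_HELLMAN_GROUP"   # "(31)" is a DH group id this old server cannot name
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    return "ENCRYPTION_ALGORITHM"      # AES_CBC_*, AES_GCM_*, 3DES_CBC, CHACHA20_POLY1305


def parse_proposals(text):
    """'IKE:A/B/C, IKE:D/E/F' -> list of {transform type: [algorithms]} in log order."""
    proposals = []
    for item in text.split(","):
        proto, _, algs = item.strip().partition(":")
        if proto != "IKE":
            raise ValueError(f"unexpected protocol {proto!r}")
        prop = {t: [] for t in TYPES}
        for alg in algs.split("/"):
            prop[classify(alg)].append(alg)
        proposals.append(prop)
    return proposals


def select(configured, received):
    """Try every configured x received pair in log order.  Returns (chosen, attempts):
    chosen is the first full match as {type: algorithm} (None if there is none);
    attempts holds, per pair tried, the type that failed or None on success."""
    attempts = []
    for conf in configured:
        for recv in received:
            chosen, failed = {}, None
            for t in TYPES:
                if not conf[t] and not recv[t]:
                    continue             # AEAD proposals carry no integrity algorithm
                common = [a for a in conf[t] if a in recv[t]]   # configured order wins
                if not common:
                    failed = t
                    break
                chosen[t] = common[0]
            attempts.append(failed)
            if failed is None:
                return chosen, attempts
    return None, attempts


def weak_dh_groups(configured):
    """DH groups in the configured proposals that should be replaced."""
    return {g for prop in configured for g in prop["DIFFIE_HELLMAN_GROUP"] if g in WEAK_DH}


# Proposal strings copied from the Dec 26 server log in this thread
RECEIVED = (
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/"
    "HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/"
    "PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/"
    "ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, "
    "IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/"
    "AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/"
    "PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/"
    "ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/"
    "MODP_6144/MODP_8192/MODP_2048")
CONFIGURED_MODP1024 = ("IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, "
                       "IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024")
# the same two proposals after the modp1024 -> modp2048 edit to ipsec.conf
CONFIGURED_MODP2048 = CONFIGURED_MODP1024.replace("MODP_1024", "MODP_2048")

if __name__ == "__main__":
    recv = parse_proposals(RECEIVED)
    for label, text in (("modp1024", CONFIGURED_MODP1024), ("modp2048", CONFIGURED_MODP2048)):
        conf = parse_proposals(text)
        chosen, attempts = select(conf, recv)
        print(label, "weak DH groups:", sorted(weak_dh_groups(conf)))
        for failed in attempts:
            print("  selecting proposal:", f"no acceptable {failed} found" if failed else "ok")
        print("  selected:", "/".join(chosen.values()) if chosen else "N(NO_PROP)")
```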

