Re: [strongSwan] problem connecting linux laptop to VPN using network-manager-strongswan 1.4.5-2.1

Mon, 28 Jun 2021 12:44:15 -0700 

Checking the "Request an inner IP address" box did get me further:
Jun 28 14:50:07 Z560 charon-nm: 15[IKE] installing new virtual IP 10.10.10.2 Jun 28 14:50:07 Z560 charon-nm: 15[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ Jun 28 14:50:07 Z560 charon-nm: 15[IKE] CHILD_SA Durgee Enterprises, LLC{2} established with SPIs c52f6709_i ce1425eb_o and TS 10.10.10.2/32 === 0.0.0.0/0 
Jun 28 14:50:07 Z560 charon-nm: 15[IKE] peer supports MOBIKE
Jun 28 14:53:34 Z560 charon-nm: 01[IKE] deleting IKE_SA Durgee Enterprises, LLC[2] between 192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com] Jun 28 14:53:34 Z560 charon-nm: 01[IKE] sending DELETE for IKE_SA Durgee Enterprises, LLC[2] Jun 28 14:53:34 Z560 charon-nm: 01[ENC] generating INFORMATIONAL request 6 [ D ] Jun 28 14:53:34 Z560 charon-nm: 01[NET] sending packet: from 192.168.1.114[47031] to 108.31.28.59[4500] (76 bytes) Jun 28 14:53:34 Z560 charon-nm: 13[NET] received packet: from 108.31.28.59[4500] to 192.168.1.114[47031] (76 bytes) Jun 28 14:53:34 Z560 charon-nm: 13[ENC] parsed INFORMATIONAL response 6 [ ] 
Jun 28 14:53:34 Z560 charon-nm: 13[IKE] IKE_SA deleted
This however appears to be only part of the solution.  I see no tun interface created and routing continued to be via the WiFi connection.  I have attached my current configuration file for the connection from /etc/NetworkManager/system-connections as generated via the GUI.  Hopefully someone can tell me what else I need to change via the GUI. 

Thanks in advance.

Dave


Noel Kuntze wrote:  Set "Request an inner IP address".

Am 28.06.21 um 15:55 schrieb David H Durgee:

Michael Schwartzkopff wrote:

On 28.06.21 15:34, David H Durgee wrote:

Michael Schwartzkopff wrote:

On 28.06.21 13:44, David H Durgee wrote:

I added that package and got further this time:


(...)
Jun 28 07:33:58 Z560 charon-nm: 06[ENC] parsed IKE_AUTH response 5 [ 
AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] authentication of
'durgeeenterprises.publicvm.com' with EAP successful
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] IKE_SA Durgee Enterprises,
LLC[1] established between
192.168.1.114[dhdurgee]...108.31.28.59[durgeeenterprises.publicvm.com] Jun 28 07:33:58 Z560 charon-nm: 06[IKE] scheduling rekeying in 35606s Jun 28 07:33:58 Z560 charon-nm: 06[IKE] maximum IKE_SA lifetime 36206s 
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] received FAILED_CP_REQUIRED
notify, no CHILD_SA built
Jun 28 07:33:58 Z560 charon-nm: 06[IKE] failed to establish CHILD_SA, 
keeping IKE_SA

hi,


Your responder (Server) seems to have some kind of configured poliy
where the server waits for a configuration request from the client. But 
the clients does not ask for the config and the server terminates the
connection.
Please see the logs of you server, what exactly is missing. Perhaps the server wants to hand out an IP address to the client or something else. 


Mit freundlichen Grüßen,


Looking at the log on the server I see:


Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of 'dhdurgee'
with EAP successful
Jun 28 07:33:58 DG41TY charon: 10[IKE] authentication of
'durgeeenterprises.publicvm.com' (myself) with EAP
Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
established between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 
Jun 28 07:33:58 DG41TY charon: 10[IKE] IKE_SA ikev2-vpn[61]
established between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 
Jun 28 07:33:58 DG41TY charon: 10[IKE] expected a virtual IP request,
sending FAILED_CP_REQUIRED
Jun 28 07:33:58 DG41TY charon: 10[IKE] traffic selectors 0.0.0.0/0
::/0 === 192.168.1.114/32 inacceptable
Jun 28 07:33:58 DG41TY charon: 10[IKE] failed to establish CHILD_SA,
keeping IKE_SA
Jun 28 07:33:58 DG41TY charon: 10[ENC] generating IKE_AUTH response 5
[ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Jun 28 07:33:58 DG41TY charon: 10[NET] sending packet: from
192.168.80.11[4500] to 172.58.190.234[59726] (124 bytes)
Jun 28 07:33:58 DG41TY charon: 14[NET] received packet: from
172.58.190.234[59726] to 192.168.80.11[4500] (76 bytes)
Jun 28 07:33:58 DG41TY charon: 14[ENC] parsed INFORMATIONAL request 6
[ D ]
Jun 28 07:33:58 DG41TY charon: 14[IKE] received DELETE for IKE_SA
ikev2-vpn[61]
Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 
Jun 28 07:33:58 DG41TY charon: 14[IKE] deleting IKE_SA ikev2-vpn[61]
between
192.168.80.11[durgeeenterprises.publicvm.com]...172.58.190.234[dhdurgee] 
Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
Jun 28 07:33:58 DG41TY charon: 14[IKE] IKE_SA deleted
Jun 28 07:33:58 DG41TY charon: 14[ENC] generating INFORMATIONAL
response 6 [ ]
Jun 28 07:33:58 DG41TY charon: 14[NET] sending packet: from
192.168.80.11[4500] to 172.58.190.234[59726] (76 bytes)

Looking at my settings for the network connection shows IPv4 enabled
expecting an address to be assigned automatically via DHCP with DNS
and Routes set as automatic.  The checkbox for "use this connection
only for resources on its network" is NOT checked.  The page for IPv6
is also set as automatic with the checkbox NOT checked.

On the identity page none of the options are checked. Options are:

"Request an inner IP address"
"Enforce UDP encapsulation"
"Use IP compression"

All this should be defaults, as I only filled in the name, gateway,
certificate, authentication(EAP), username and password fields.

Dave
I don't know about the manufacturer of your server side. but did you try 
to add leftsourceip=%config to your client (initiator) config? Also
%config6 for IPv6 exists. See
https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp




Mit freundlichen Grüßen,
I am configuring this client using the strongswan plugin for network manager as noted in the subject line.  I have attached the created network connection to this post for your inspection.  I guess additional lines could be edited in manually if necessary, but now I am wondering if I am posting in the proper place.  Is it possible this is a network-manager problem as opposed to strongswan? 

Dave





[connection]
id=Durgee Enterprises, LLC
uuid=72e4370d-ecfb-4e33-8572-5cf04431abb9
type=vpn
autoconnect=false
permissions=user:dhdurgee:;

[vpn]
address=durgeeenterprises.publicvm.com
certificate=/home/dhdurgee/Downloads/vpn_root_certificate.pem
encap=no
ipcomp=no
method=eap
password-flags=1
proposal=no
user=dhdurgee
virtual=yes
service-type=org.freedesktop.NetworkManager.strongswan

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

[proxy]

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to