Question

Have errors between ubuntu18/strongswan server and ubuntu18/strongswan client

Posted September 4, 2021 50 views
Security, VPN, Ubuntu 18.04

First of all, thank you for the very well-organized documentation/tutorial.
I have just followed it and could not make it work.

I set up a strongswan server using ubuntu 18 as explained in this tutorial.
And I used strongswan/ubuntu18 as a client.

And I got this log from the server side.
# systemctl status strongswan

  • strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
     Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-09-04 13:54:50 EDT; 1h 26min ago
   Main PID: 10829 (starter)
      Tasks: 18 (limit: 4630)
     CGroup: /system.slice/strongswan.service
             tq10829 /usr/lib/ipsec/starter --daemon charon --nofork
             mq10843 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0

Sep 04 15:21:06 u18 charon[10843]: 07[NET] sending packet: from 192.168.1.124[500] to 192.168.1.123[500] (270 bytes)
Sep 04 15:21:06 u18 charon[10843]: 08[NET] received packet: from 192.168.1.123[4500] to 192.168.1.124[4500] (336 bytes)
Sep 04 15:21:06 u18 charon[10843]: 08[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(
Sep 04 15:21:06 u18 charon[10843]: 08[IKE] received cert request for "CN=VPN root CA"
Sep 04 15:21:06 u18 charon[10843]: 08[IKE] EAP-Identity request configured, but not supported
Sep 04 15:21:06 u18 charon[10843]: 08[IKE] initiating EAP_MSCHAPV2 method (id 0xAE)
Sep 04 15:21:06 u18 charon[10843]: 08[IKE] peer supports MOBIKE
Sep 04 15:21:06 u18 charon[10843]: 08[IKE] no private key found for '192.168.1.124'
Sep 04 15:21:06 u18 charon[10843]: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 04 15:21:06 u18 charon[10843]: 08[NET] sending packet: from 192.168.1.124[4500] to 192.168.1.123[4500] (80 bytes)

And I also got this log from the client side.
# systemctl status strongswan

  • strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
     Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-09-04 15:21:06 EDT; 20s ago
   Main PID: 9801 (starter)
      Tasks: 18 (limit: 4630)
     CGroup: /system.slice/strongswan.service
             tq9801 /usr/lib/ipsec/starter --daemon charon --nofork
             mq9815 /usr/lib/ipsec/charon

Sep 04 15:21:06 u18 charon[9815]: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 04 15:21:06 u18 charon[9815]: 09[IKE] remote host is behind NAT
Sep 04 15:21:06 u18 charon[9815]: 09[IKE] sending cert request for "CN=VPN root CA"
Sep 04 15:21:06 u18 charon[9815]: 09[IKE] establishing CHILD_SA ikev2-rw{1}
Sep 04 15:21:06 u18 charon[9815]: 09[IKE] establishing CHILD_SA ikev2-rw{1}
Sep 04 15:21:06 u18 charon[9815]: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
Sep 04 15:21:06 u18 charon[9815]: 09[NET] sending packet: from 192.168.1.123[4500] to 192.168.1.124[4500] (336 bytes)
Sep 04 15:21:06 u18 charon[9815]: 10[NET] received packet: from 192.168.1.124[4500] to 192.168.1.123[4500] (80 bytes)
Sep 04 15:21:06 u18 charon[9815]: 10[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 04 15:21:06 u18 charon[9815]: 10[IKE] received AUTHENTICATION_FAILED notify error

If someone catches what I did wrong, please give me some ideas.

1 answer

Actually, this problem happened because of a configuration mistake.
After reading the following tutorial,
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2, I found a couple of mistakes.
After fixing those mistakes, this problem has disappeared.