I am new to both Ubuntu and Strongswan. I have worked through this tutorial three times with the same result, unable to connect from Windows 10 or iOS.

Below are the log entries when attempting to connect (x.x.x.x is the server IP, y.y.y.y is the client IP). Is there another troubleshooting tool I can use to figure out why the connection is not being established?

Aug 21 14:59:21 KorberVPN charon: 11[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (1104 bytes)
Aug 21 14:59:21 KorberVPN charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Aug 21 14:59:21 KorberVPN charon: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Aug 21 14:59:21 KorberVPN charon: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
Aug 21 14:59:21 KorberVPN charon: 11[IKE] received Vid-Initial-Contact vendor ID
Aug 21 14:59:21 KorberVPN charon: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Aug 21 14:59:21 KorberVPN charon: 11[IKE] y.y.y.y is initiating an IKE_SA
Aug 21 14:59:21 KorberVPN charon: 11[IKE] remote host is behind NAT
Aug 21 14:59:21 KorberVPN charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Aug 21 14:59:21 KorberVPN charon: 11[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (328 bytes)
Aug 21 14:59:26 KorberVPN charon: 12[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (408 bytes)
Aug 21 14:59:26 KorberVPN charon: 12[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Aug 21 14:59:26 KorberVPN charon: 12[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Aug 21 14:59:26 KorberVPN charon: 12[ENC] generating INFORMATIONAL_V1 request 3369216153 [ N(NO_PROP) ]
Aug 21 14:59:26 KorberVPN charon: 12[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Aug 21 14:59:27 KorberVPN charon: 13[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (408 bytes)
Aug 21 14:59:27 KorberVPN charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Aug 21 14:59:27 KorberVPN charon: 13[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Aug 21 14:59:27 KorberVPN charon: 13[ENC] generating INFORMATIONAL_V1 request 727456103 [ N(NO_PROP) ]
Aug 21 14:59:27 KorberVPN charon: 13[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Aug 21 14:59:28 KorberVPN charon: 14[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (408 bytes)
Aug 21 14:59:28 KorberVPN charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Aug 21 14:59:28 KorberVPN charon: 14[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Aug 21 14:59:28 KorberVPN charon: 14[ENC] generating INFORMATIONAL_V1 request 589088403 [ N(NO_PROP) ]
Aug 21 14:59:28 KorberVPN charon: 14[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Aug 21 14:59:31 KorberVPN charon: 15[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (408 bytes)
Aug 21 14:59:31 KorberVPN charon: 15[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Aug 21 14:59:31 KorberVPN charon: 15[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Aug 21 14:59:31 KorberVPN charon: 15[ENC] generating INFORMATIONAL_V1 request 1818908561 [ N(NO_PROP) ]
Aug 21 14:59:31 KorberVPN charon: 15[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Aug 21 14:59:51 KorberVPN charon: 16[JOB] deleting half open IKE_SA with y.y.y.y after timeout

8 comments
  • These log lines are interesting:

    Aug 21 14:59:26 KorberVPN charon: 12[IKE] no IKE config found for x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
    

    They’re saying that the client and server cannot agree on a set of ciphers in common.

    For the Windows 10 client, are you using the GUI to configure the VPN or the PowerShell commands? I’d opt for the latter if you can, since the ciphers that are included there are more modern.

    Also just confirming that you are using an Ubuntu 20.04 server and not 18.04?

  • Yes, I am using Ubuntu 20.04. Is 18.04 a better version to use for this?

    The VPN was initially configured using the GUI. I re-created it using PowerShell and am receiving the Windows connection error ‘The parameter is incorrect’ with the following log entries on the server:

    Aug 24 18:09:17 KorberVPN charon: 11[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (376 bytes)
    Aug 24 18:09:17 KorberVPN charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Aug 24 18:09:17 KorberVPN charon: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Aug 24 18:09:17 KorberVPN charon: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
    Aug 24 18:09:17 KorberVPN charon: 11[IKE] received Vid-Initial-Contact vendor ID
    Aug 24 18:09:17 KorberVPN charon: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Aug 24 18:09:17 KorberVPN charon: 11[IKE] y.y.y.y is initiating an IKE_SA
    Aug 24 18:09:17 KorberVPN charon: 11[IKE] remote host is behind NAT
    Aug 24 18:09:17 KorberVPN charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
    Aug 24 18:09:17 KorberVPN charon: 11[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (288 bytes)
    Aug 24 18:09:47 KorberVPN charon: 12[JOB] deleting half open IKE_SA with y.y.y.y after timeout

  • After clearing the Windows cache for the network adapters I’m now getting ‘IKE authentication credentials are unacceptable’. Is there some disconnect with the certificate being used by Strongswan?

  • Hmm, that sounds a little bit more promising. One thing that I ran into on my first few attempts with this was a missing package.

    Are both libcharon-extra-plugins and libcharon-extauth-plugins installed on the server? Without the latter, there will be authentication errors on the server side, since the extauth package is what includes support for EAP-MSCHAPv2.

    Also is there anything in the server logs that shows the failing authentication attempts?

  • Thank you for your assistance.

    When installing the packages the server said both were already installed. Here are the entries from /var/log/syslog. Please let me know if there is a better log I should be looking at. Again, this is my first experience with Ubuntu and Strongswan.

    Aug 24 19:28:58 KorberVPN charon: 12[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (376 bytes)
    Aug 24 19:28:58 KorberVPN charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
    Aug 24 19:28:58 KorberVPN charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
    Aug 24 19:28:58 KorberVPN charon: 12[IKE] received MS-Negotiation Discovery Capable vendor ID
    Aug 24 19:28:58 KorberVPN charon: 12[IKE] received Vid-Initial-Contact vendor ID
    Aug 24 19:28:58 KorberVPN charon: 12[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
    Aug 24 19:28:58 KorberVPN charon: 12[IKE] y.y.y.y is initiating an IKE_SA
    Aug 24 19:28:58 KorberVPN charon: 12[IKE] remote host is behind NAT
    Aug 24 19:28:58 KorberVPN charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
    Aug 24 19:28:58 KorberVPN charon: 12[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (288 bytes)
    Aug 24 19:28:58 KorberVPN charon: 13[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (572 bytes)
    Aug 24 19:28:58 KorberVPN charon: 13[ENC] parsed IKE_AUTH request 1 [ EF(1/4) ]
    Aug 24 19:28:58 KorberVPN charon: 13[ENC] received fragment #1 of 4, waiting for complete IKE message
    Aug 24 19:28:58 KorberVPN charon: 15[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (572 bytes)
    Aug 24 19:28:58 KorberVPN charon: 15[ENC] parsed IKE_AUTH request 1 [ EF(2/4) ]
    Aug 24 19:28:58 KorberVPN charon: 15[ENC] received fragment #2 of 4, waiting for complete IKE message
    Aug 24 19:28:58 KorberVPN charon: 16[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (572 bytes)
    Aug 24 19:28:58 KorberVPN charon: 16[ENC] parsed IKE_AUTH request 1 [ EF(3/4) ]
    Aug 24 19:28:58 KorberVPN charon: 16[ENC] received fragment #3 of 4, waiting for complete IKE message
    Aug 24 19:28:58 KorberVPN charon: 14[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (172 bytes)
    Aug 24 19:28:58 KorberVPN charon: 14[ENC] parsed IKE_AUTH request 1 [ EF(4/4) ]
    Aug 24 19:28:58 KorberVPN charon: 14[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1642 bytes)
    Aug 24 19:28:58 KorberVPN charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
    Aug 24 19:28:58 KorberVPN charon: 14[IKE] received cert request for "CN=VisionVPN"
    Aug 24 19:28:58 KorberVPN charon: 14[IKE] received 67 cert requests for an unknown ca
    Aug 24 19:28:58 KorberVPN charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
    Aug 24 19:28:58 KorberVPN charon: 14[IKE] peer supports MOBIKE
    Aug 24 19:28:58 KorberVPN charon: 14[IKE] no private key found for 'x.x.x.x'
    Aug 24 19:28:58 KorberVPN charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Aug 24 19:28:58 KorberVPN charon: 14[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (65 bytes)

1 answer

This question was answered by @erikschindeldecker:

That was it - I was missing the : and space before RSA in the ipsec.secrets - thought it was representing the line prompt. Thank you again for your patience and assistance.

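The mistake in the answer above (the missing `: ` before `RSA` in ipsec.secrets) can be caught before charon logs "no private key found". The linter below is an added example, not part of the original thread or of strongSwan; the file name `server-key.pem` and the sample entries are constructed, and the separator rule assumes the ipsec.secrets(5) description of a colon surrounded by whitespace.

```python
import re

# Secret types documented for strongSwan's ipsec.secrets.
SECRET_TYPES = {"RSA", "ECDSA", "BLISS", "P12", "PSK", "EAP", "NTLM", "XAUTH", "PIN"}

# [selectors] : TYPE secret   (selectors are optional; the colon needs whitespace around it)
ENTRY = re.compile(r"^(?P<sel>(?:\S+\s+)*?):\s+(?P<type>\S+)\s*(?P<secret>.*)$")

def lint_secrets(text):
    """Return (line_number, message) tuples for malformed ipsec.secrets entries."""
    problems = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Only full-line comments are skipped, so '#' inside a quoted secret is left alone.
        if not line or line.startswith("#") or line.startswith("include "):
            continue
        match = ENTRY.match(line)
        if match is None:
            first = line.split()[0]
            if first.upper() in SECRET_TYPES:
                # The case from this thread: the type keyword starts the line.
                problems.append((num, "missing ': ' before %s" % first))
            else:
                problems.append((num, "no ' : ' separator between selectors and secret"))
        elif match.group("type").upper() not in SECRET_TYPES:
            problems.append((num, "unknown secret type %r" % match.group("type")))
        elif not match.group("secret"):
            problems.append((num, "no secret after %s" % match.group("type")))
    return problems

# Constructed samples: the broken form described in the answer, and the corrected form.
SAMPLE_BROKEN = "\n".join([
    "# constructed sample, not the poster's file",
    'RSA "server-key.pem"',
    'your_username : EAP "your_password"',
])
SAMPLE_FIXED = "\n".join([
    "# constructed sample, not the poster's file",
    ': RSA "server-key.pem"',
    'your_username : EAP "your_password"',
])

if __name__ == "__main__":
    for label, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, lint_secrets(sample))
```

Run it against the contents of /etc/ipsec.secrets on the server before restarting strongSwan; an empty list means every entry has the separator and a recognised type.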