Related
1-Click Deploy: OpenVPN Access Server
Marketplace
Question
Question
Question
New to Ubuntu and Strongswan - VPN assistance
I am new to both Ubuntu and Strongswan. I have worked through this tutorial three times with the same result, unable to connect from Windows 10 or iOS.
Below are the log entries when attempting to connect (x.x.x.x is the server IP, y.y.y.y is the client IP). Is there another troubleshooting tool I can use to figure out why the connection is not being established?
Aug 21 14:59:21 KorberVPN charon: 11[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (1104 bytes)
Aug 21 14:59:21 KorberVPN charon: 11[ENC] parsed IKESAINIT request 0 [ SA KE No N(FRAGSUP) N(NATDSIP) N(NATDDIP) V V V V ]
Aug 21 14:59:21 KorberVPN charon: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Aug 21 14:59:21 KorberVPN charon: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
Aug 21 14:59:21 KorberVPN charon: 11[IKE] received Vid-Initial-Contact vendor ID
Aug 21 14:59:21 KorberVPN charon: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Aug 21 14:59:21 KorberVPN charon: 11[IKE] y.y.y.y is initiating an IKESA
Aug 21 14:59:21 KorberVPN charon: 11[IKE] remote host is behind NAT
Aug 21 14:59:21 KorberVPN charon: 11[ENC] generating IKESAINIT response 0 [ SA KE No N(NATDSIP) N(NATDDIP) N(FRAGSUP) N(CHDLESSSUP) N(MULTAUTH) ]
Aug 21 14:59:21 KorberVPN charon: 11[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (328 bytes)
Aug 21 14:59:26 KorberVPN charon: 12[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (408 bytes)
Aug 21 14:59:26 KorberVPN charon: 12[ENC] parsed IDPROT request 0 [ SA V V V V V V V V ]
Aug 21 14:59:26 KorberVPN charon: 12[IKE] no IKE config found for x.x.x.x…y.y.y.y, sending NOPROPOSALCHOSEN
Aug 21 14:59:26 KorberVPN charon: 12[ENC] generating INFORMATIONALV1 request 3369216153 [ N(NOPROP) ]
Aug 21 14:59:26 KorberVPN charon: 12[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Aug 21 14:59:27 KorberVPN charon: 13[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (408 bytes)
Aug 21 14:59:27 KorberVPN charon: 13[ENC] parsed IDPROT request 0 [ SA V V V V V V V V ]
Aug 21 14:59:27 KorberVPN charon: 13[IKE] no IKE config found for x.x.x.x…y.y.y.y, sending NOPROPOSALCHOSEN
Aug 21 14:59:27 KorberVPN charon: 13[ENC] generating INFORMATIONALV1 request 727456103 [ N(NOPROP) ]
Aug 21 14:59:27 KorberVPN charon: 13[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Aug 21 14:59:28 KorberVPN charon: 14[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (408 bytes)
Aug 21 14:59:28 KorberVPN charon: 14[ENC] parsed IDPROT request 0 [ SA V V V V V V V V ]
Aug 21 14:59:28 KorberVPN charon: 14[IKE] no IKE config found for x.x.x.x…y.y.y.y, sending NOPROPOSALCHOSEN
Aug 21 14:59:28 KorberVPN charon: 14[ENC] generating INFORMATIONALV1 request 589088403 [ N(NOPROP) ]
Aug 21 14:59:28 KorberVPN charon: 14[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Aug 21 14:59:31 KorberVPN charon: 15[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (408 bytes)
Aug 21 14:59:31 KorberVPN charon: 15[ENC] parsed IDPROT request 0 [ SA V V V V V V V V ]
Aug 21 14:59:31 KorberVPN charon: 15[IKE] no IKE config found for x.x.x.x…y.y.y.y, sending NOPROPOSALCHOSEN
Aug 21 14:59:31 KorberVPN charon: 15[ENC] generating INFORMATIONALV1 request 1818908561 [ N(NOPROP) ]
Aug 21 14:59:31 KorberVPN charon: 15[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (40 bytes)
Aug 21 14:59:51 KorberVPN charon: 16[JOB] deleting half open IKESA with y.y.y.y after timeout
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
×
These log lines are interesting:
They’re saying that the client and server cannot agree on a set of ciphers in common.
For the Windows 10 client, are you using the GUI to configure the VPN or the PowerShell commands? I’d opt for the latter if you can, since the ciphers that are included there are more modern.
Also just confirming that you are using an Ubuntu 20.04 server and not 18.04?
Yes, I am using Ubuntu 20.04. Is 18.04 a better version to use for this?
The VPN was initially configured using the GUI. I re-created it using PowerShell and am receiving the Windows connection error ‘The parameter is incorrect’ with the following log entries on the server:
Aug 24 18:09:17 KorberVPN charon: 11[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (376 bytes)
Aug 24 18:09:17 KorberVPN charon: 11[ENC] parsed IKESAINIT request 0 [ SA KE No N(FRAGSUP) N(NATDSIP) N(NATDDIP) V V V V ]
Aug 24 18:09:17 KorberVPN charon: 11[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Aug 24 18:09:17 KorberVPN charon: 11[IKE] received MS-Negotiation Discovery Capable vendor ID
Aug 24 18:09:17 KorberVPN charon: 11[IKE] received Vid-Initial-Contact vendor ID
Aug 24 18:09:17 KorberVPN charon: 11[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Aug 24 18:09:17 KorberVPN charon: 11[IKE] y.y.y.y is initiating an IKESA
Aug 24 18:09:17 KorberVPN charon: 11[IKE] remote host is behind NAT
Aug 24 18:09:17 KorberVPN charon: 11[ENC] generating IKESAINIT response 0 [ SA KE No N(NATDSIP) N(NATDDIP) N(FRAGSUP) N(CHDLESSSUP) N(MULTAUTH) ]
Aug 24 18:09:17 KorberVPN charon: 11[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (288 bytes)
Aug 24 18:09:47 KorberVPN charon: 12[JOB] deleting half open IKESA with y.y.y.y after timeout
After clearing the Windows cache for the network adapters I’m now getting ‘IKE authentication credentials are unacceptable’. Is there some disconnect with the certificate being used by Strongswan?
Hmm, that sounds a little bit more promising. One thing that I ran into on my first few attempts with this was a missing package.
Are both
libcharon-extra-pluginsandlibcharon-extauth-pluginsinstalled on the server? Without the latter, there will be authentication errors on the server side, since theextauthpackage is what includes support for EAP-MSCHAPv2.Also is there anything in the server logs that shows the failing authentication attempts?
Thank you for your assistance.
When installing the packages the server said both were already installed. Here are the entries from /var/log/syslog. Please let me know if there is a better log I should be looking at. Again, this is my first experience with Ubuntu and Strongswam.
Aug 24 19:28:58 KorberVPN charon: 12[NET] received packet: from y.y.y.y[500] to x.x.x.x[500] (376 bytes)
Aug 24 19:28:58 KorberVPN charon: 12[ENC] parsed IKESAINIT request 0 [ SA KE No N(FRAGSUP) N(NATDSIP) N(NATDDIP) V V V V ]
Aug 24 19:28:58 KorberVPN charon: 12[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Aug 24 19:28:58 KorberVPN charon: 12[IKE] received MS-Negotiation Discovery Capable vendor ID
Aug 24 19:28:58 KorberVPN charon: 12[IKE] received Vid-Initial-Contact vendor ID
Aug 24 19:28:58 KorberVPN charon: 12[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Aug 24 19:28:58 KorberVPN charon: 12[IKE] y.y.y.y is initiating an IKESA
Aug 24 19:28:58 KorberVPN charon: 12[IKE] remote host is behind NAT
Aug 24 19:28:58 KorberVPN charon: 12[ENC] generating IKESAINIT response 0 [ SA KE No N(NATDSIP) N(NATDDIP) N(FRAGSUP) N(CHDLESSSUP) N(MULTAUTH) ]
Aug 24 19:28:58 KorberVPN charon: 12[NET] sending packet: from x.x.x.x[500] to y.y.y.y[500] (288 bytes)
Aug 24 19:28:58 KorberVPN charon: 13[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (572 bytes)
Aug 24 19:28:58 KorberVPN charon: 13[ENC] parsed IKEAUTH request 1 [ EF(¼) ]
Aug 24 19:28:58 KorberVPN charon: 13[ENC] received fragment #1 of 4, waiting for complete IKE message
Aug 24 19:28:58 KorberVPN charon: 15[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (572 bytes)
Aug 24 19:28:58 KorberVPN charon: 15[ENC] parsed IKEAUTH request 1 [ EF(2/4) ]
Aug 24 19:28:58 KorberVPN charon: 15[ENC] received fragment #2 of 4, waiting for complete IKE message
Aug 24 19:28:58 KorberVPN charon: 16[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (572 bytes)
Aug 24 19:28:58 KorberVPN charon: 16[ENC] parsed IKEAUTH request 1 [ EF(¾) ]
Aug 24 19:28:58 KorberVPN charon: 16[ENC] received fragment #3 of 4, waiting for complete IKE message
Aug 24 19:28:58 KorberVPN charon: 14[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (172 bytes)
Aug 24 19:28:58 KorberVPN charon: 14[ENC] parsed IKEAUTH request 1 [ EF(4/4) ]
Aug 24 19:28:58 KorberVPN charon: 14[ENC] received fragment #4 of 4, reassembled fragmented IKE message (1642 bytes)
Aug 24 19:28:58 KorberVPN charon: 14[ENC] parsed IKEAUTH request 1 [ IDi CERTREQ N(MOBIKESUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Aug 24 19:28:58 KorberVPN charon: 14[IKE] received cert request for “CN=VisionVPN”
Aug 24 19:28:58 KorberVPN charon: 14[IKE] received 67 cert requests for an unknown ca
Aug 24 19:28:58 KorberVPN charon: 14[IKE] initiating EAPIDENTITY method (id 0x00)
Aug 24 19:28:58 KorberVPN charon: 14[IKE] peer supports MOBIKE
Aug 24 19:28:58 KorberVPN charon: 14[IKE] no private key found for ‘x.x.x.x’
Aug 24 19:28:58 KorberVPN charon: 14[ENC] generating IKEAUTH response 1 [ N(AUTHFAILED) ]
Aug 24 19:28:58 KorberVPN charon: 14[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (65 bytes)
I think we’re getting closer! This line makes me think the issue might be with
/etc/ipsec.secrets:That message is from StrongSwan trying to find a private key that it can use for the control channel’s TLS key exchange.
Can you confirm that
/etc/ipsec.secretscontains this line? Note the spaces are important, and the first character should be the::Once you confirm that, what does
lsshow for theserver-key.pemfile itself?There should be output that is similar to this (really all you’re looking for is that the file exists and is around 1-2kb in size):
That was it - I was missing the : and space before RSA in the ipsec.secrets - thought it was representing the line prompt. Thank you again for your patience and assistance.
Terrific! Thanks for checking and I’m glad that you got it sorted out. I updated the tutorial to clarify adding the private key to
ipsec.secrets. Hopefully no one else will run into the issue now.