
List:       strongswan-users
Subject:    Re: [strongSwan] help setting up basic VPN on ubuntu
From:       Imran Akbar <skunkwerk () gmail ! com>
Date:       2014-11-30 22:43:42
Message-ID: CABoH17c=U9OeY2_a=-jNpi2gOH-Sa3k5QEWkaif2nRK_Rzfaww () mail ! gmail ! com



Sure Noel,

Here's the complete server log from startup up to and including the
authentication request: http://pastebin.com/X8a0xunC
And this is a screenshot <https://s3.amazonaws.com/pushbullet-uploads/ujBvnCpT4IC-kZXEDbaZszgiNSnbFKRLvu9QxRtio85p/Screenshot_2014-11-30-14-35-29.png> of how I'm connecting via the StrongSwan Android app

yours,
imran

On Sun, Nov 30, 2014 at 1:23 PM, Noel Kuntze <noel@familie-kuntze.de> wrote:

> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Hello Imran,
> 
> Do you mind posting the complete log from daemon start to the error?
> 
> And yes, PSK is the easiest way, but if you are experienced with
> certificates, you can also take that approach.
> 
> 
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> Am 30.11.2014 um 20:34 schrieb Imran Akbar:
> > Hey Noel,
> > I feel like it's close to working, but still getting the same
> message after making that change and restarting.  Do you think it's the
> "config inacceptable" error that's causing authentication to fail, or is it
> something in my secrets file?
> > 
> > ipsec.conf now looks like: http://pastebin.com/tUN6jmaS
> > 
> > the server log says:
> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] looking for peer configs matching 172.31.25.2[%any]...76.126.165.62[app]
> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] selected peer config 'vpn'
> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] peer requested EAP, config inacceptable
> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[CFG] no alternative config found
> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[IKE] peer supports MOBIKE
> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > Nov 30 19:16:02 ip-172-31-25-2 charon: 14[NET] sending packet: from 172.31.25.2[4500] to 76.126.165.62[37721] (76 bytes)
> > 
> > and the client log says "parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]"
> > 
> > Is using a PSK the easiest way to setup StrongSwan?  I assumed that was
> the case, but I tried using certificates as well by following this example (
> http://kleinerman.org/ipsec-with-strongswan/) but I get stuck at the last
> step, as the Android app wants a client certificate as well, which I
> haven't generated.
> > 
> > thanks again,
> > imran
> > 
> > 
> > 
> > On Sun, Nov 30, 2014 at 2:39 AM, Noel Kuntze <noel@familie-kuntze.de> wrote:
> > 
> > 
> > Hello Imran,
> > 
> > I gave you wrong information in my last email. I'm sorry.
> > 
> > The correct setting is "eap-mschapv2", not "eap-mschap".
> > 
> > 
> > Mit freundlichen Grüßen/Regards,
> > Noel Kuntze
> > 
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > 
> > Am 30.11.2014 um 05:09 schrieb Imran Akbar:
> > > thanks Noel,
> > 
> > > I've made those changes and restarted ipsec, but I'm still getting the
> same error in my server log:
> > 
> > > "peer requested EAP, config inacceptable"
> > > "no alternative config found"
> > 
> > > This is my updated ipsec: http://pastebin.com/TnZaiZX8
> > 
> > > Does that look correct?
> > 
> > > appreciate the help,
> > > imran
> > 
> > > On Sat, Nov 29, 2014 at 5:47 PM, Noel Kuntze <noel@familie-kuntze.de> wrote:
> > 
> > 
> > > Hello Imran,
> > 
> > > If you want to use psk-mschapv2, you need to specify
> > > leftauth=psk
> > > rightauth=psk
> > > rightauth2=eap-mschap
> > 
> > > Please make sure this is in your configuration.
> > 
> > > Mit freundlichen Grüßen/Regards,
> > > Noel Kuntze
> > 
> > > GPG Key ID: 0x63EC6658
> > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > 
> > > Am 30.11.2014 um 02:09 schrieb Imran Akbar:
> > > > thanks for pointing me in the right direction Noel.
> > 
> > > > I've installed strongswan-plugin-eap-mschapv2, added
> rightauth=eap-mschapv2 to my ipsec.conf file, and restarted ipsec.
> > > > I now see the following when I try to connect:
> > 
> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] looking for peer configs matching 172.31.25.2[%any]...76.126.165.62[app]
> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] selected peer config 'vpn'
> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] using configured EAP-Identity app
> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] initiating EAP_MSCHAPV2 method (id 0xBE)
> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] peer supports MOBIKE
> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[CFG] no IDr configured, fall back on IP address
> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[IKE] no private key found for '172.31.25.2'
> > > > Nov 30 00:29:27 ip-172-31-25-2 charon: 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > 
> > > > It seems like I need to tell it to use the username/password,
> instead of looking for a key... or is a certificate mandatory for all EAP
> configurations, even using a username/password?
> > 
> > > > regards,
> > > > imran
> > 
> > > > On Sat, Nov 29, 2014 at 4:03 PM, Noel Kuntze <noel@familie-kuntze.de> wrote:
> > 
> > 
> > > > Hello Imran,
> > 
> > > > You need to specify rightauth2=eap-mschapv2, so strongSwan is
> configured correctly to accept
> > > > eap authentication using mschapv2 in round 2.
> > 
> > > > You also lack the eap-mschapv2 modules, that you need for
> eap-mschapv2.
> > > > Install it via your package manager or, if you built strongSwan
> yourself, configure the strongSwan sources with --enable-eap-mschapv2,
> > > > "make uninstall" "make clean" "make" and "make install".
> > 
> > > > Also, please make sure you send your answer to all parties involved,
> not just me.
> > 
> > > > Mit freundlichen Grüßen/Regards,
> > > > Noel Kuntze
> > 
> > > > GPG Key ID: 0x63EC6658
> > > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > 
> > > > Am 30.11.2014 um 00:54 schrieb Imran Akbar:
> > > > > Hey Noel and Thomas,
> > 
> > > > > thanks for your help.
> > > > > I've made some progress - I'm now getting an "AUTH FAILED" error
> from my client.
> > > > > I'm trying to connect via the StrongSwan client on Android using
> IKEv2 EAP (username/password).
> > 
> > > > > Here is my ipsec.conf: http://pastebin.com/Ap5gUX0f
> > 
> > > > > Here is my secrets.conf: http://pastebin.com/hhX9micY
> > 
> > > > > Here is my server log: http://pastebin.com/W99PPKt3 (looks like
> the key issue is "peer requested EAP, config inacceptable")
> > 
> > > > > Here is my client log: http://pastebin.com/2w9NS1Zs
> > 
> > > > > I'm going to keep tweaking the authentication configs to see if I
> can make it work.
> > 
> > > > > yours,
> > > > > imran
> > 
> > 
> > > > > On Sat, Nov 29, 2014 at 9:04 AM, Noel Kuntze <noel@familie-kuntze.de> wrote:
> > 
> > 
> > > > > Hello Imran,
> > 
> > > > > IPsec/L2TP is mostly used with IKEv1, not IKEv2. Please tell us
> what clients you're trying to use,
> > > > > to make sure they try to use IKEv2, too.
> > 
> > > > > L2TP is not handled by strongSwan. You need to use xl2tp for that.
> Most clients try to use transport mode
> > > > > for the IPsec connection. Make sure your peer configuration has
> that specified. Also, please make strongSwan
> > > > > write a log [1] with the settings shown in [2], show us the log
> that was created and show us your ipsec.conf.
> > 
> > > > > [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
> > 
> > > > > [2]
> > > > > default = 3
> > > > > mgr = 1
> > > > > ike = 1
> > > > > net = 1
> > > > > enc = 0
> > > > > cfg = 2
> > > > > asn = 1
> > > > > job = 1
> > > > > knl = 1
> > > > > append=no
> > > > > ike_name=no
> > > > > flush_line=yes
> > 
> > 
> > > > > Mit freundlichen Grüßen/Regards,
> > > > > Noel Kuntze
> > 
> > > > > GPG Key ID: 0x63EC6658
> > > > > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> > 
> > > > > Am 29.11.2014 um 17:53 schrieb Imran Akbar:
> > > > > > Hi everyone,
> > > > > > thanks for such a well-developed and maintained library.
> > 
> > > > > > I'm trying to set up IPsec/L2TP on my Ubuntu 14 server with IKEv2
> and a PSK.
> > 
> > > > > > I've read through a bunch of tutorials online:
> > > > > > 
> http://trick77.com/2014/05/04/strongswan-5-vpn-ubuntu-14-04-lts-psk-xauth/
> > > > > > http://www.foteviken.de/?p=2175
> > > > > > 
> http://endlessroad1991.blogspot.com/2014/04/setup-ipsec-vpn-on-ec2.html
> > 
> > > > > > and I've opened up UDP ports 500 & 4500, but I still have
> clients complaining about gateway timeouts and not being able to connect to
> the VPN.
> > 
> > > > > > Is there some sort of a configuration script that can walk you
> through all the necessary steps to get this working, or a gist that someone
> could share of their config?
> > > > > > I don't see anything in my /var/log/auth.conf that's indicative
> of VPN traffic.
> > 
> > > > > > yours,
> > > > > > imran
> > 
> > 
> > > > > > _______________________________________________
> > > > > > Users mailing list
> > > > > > Users@lists.strongswan.org
> > > > > > https://lists.strongswan.org/mailman/listinfo/users
> > 
> > 
> > 
> > > > > _______________________________________________
> > > > > Users mailing list
> > > > > Users@lists.strongswan.org
> > > > > https://lists.strongswan.org/mailman/listinfo/users
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> 
> iQIcBAEBCAAGBQJUe4q3AAoJEDg5KY9j7GZYLegP/iLQwOkSohCgavmb86tucBe0
> dznDUF9RAlfnnwQSjxaYLEMYOHpDKjzpQcXbvvPydmCF6UsY30w4k271ZrfyE8e0
> H3Xp4r6aXJ+WZLzQXqxsjznp/rBzDyApZ9IR1kIKssqsA2cA0Um+C8CAE+VGxIwv
> k39SBDlbv7QTv9B8Ak2+42zmgMdAPyxWiBe1qvULenYtA0NVutPqcK3o8j1pyWA+
> 8MXQlGqFIDwflCoAR5hs0XMegHT86ALXPL70bLDu5PaT211esHGCB6BGUGnp2lWS
> 7wCMnoD170/J+xSU/fi5xpRhbsy7acT5DwLWQrwo9p+NXWvCBEjvsjHRpXR/EYdu
> 5PkXyjUJAiG0alrCW2ppZCD6l/TCjwusq9qvLrhA4uDbdYifYO+ZUMOtl62F5K7U
> 9xn+3UfsnrohFaVDey+dOd49yusnhjQL6AL1UsoUHQQP0diFnCA9D4nVIbE0aGYx
> uJW+j/yqDvYBPi0hF1N0W+V+o08vM/3Cymz6Rx4rWCQ6RJ/6uo7mD6rn1/YCWbXW
> VyWl9cM2ckWgraETwy2VXj6fWWVNEevLI0WLLiOW9HboiZbYfTSUkYweBIfYJ/2R
> C0fZS02dn1sdBm5BLd1TIwik8X4wCmq7yFW//w7Sb+gyBoRAaiUkyYAB6Ej63pHR
> 1sdzXK6XJTFf9auBROqu
> =BmbJ
> -----END PGP SIGNATURE-----
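
Added example, not from any message in this thread and not the strongSwan project's own documentation: the three files that a working IKEv2 + EAP-MSCHAPv2 responder for the strongSwan Android client needs. It reflects what the two charon errors in the thread mean in strongSwan 5.x. "peer requested EAP, config inacceptable" is logged when the client sends an IKE_AUTH without an AUTH payload (it wants EAP) but the selected conn does not allow EAP for the remote side in that round, which is what a PSK-only rightauth gives you. "no private key found for '172.31.25.2'" is logged once rightauth=eap-mschapv2 is set but the server has no certificate and private key to authenticate itself with: in IKEv2 the responder authenticates with a certificate while the client runs EAP, and the Android client verifies that certificate against a CA it has imported; it does not need a client certificate. The hostname vpn.example.com, the file names caKey.pem, caCert.pem, serverKey.pem, serverCert.pem, the conn name android-eap, the virtual IP pool 10.10.10.0/24, the user "app" (taken from the thread's log) and the placeholder password are all assumptions.

```conf
# /etc/ipsec.conf  (strongSwan 5.x, ipsec.conf syntax; example, not the project's own file)
config setup
    # a phone that roams reconnects often; do not tear down the old IKE_SA on a new one
    uniqueids=never

conn android-eap
    keyexchange=ikev2
    # responder side: authenticate with the server certificate (file in /etc/ipsec.d/certs/)
    left=%any
    leftid=vpn.example.com          # assumption: must equal a SAN in serverCert.pem
    leftcert=serverCert.pem
    leftsendcert=always
    leftauth=pubkey
    leftsubnet=0.0.0.0/0            # full tunnel; narrow to a LAN prefix if that is all you need
    # client side: EAP-MSCHAPv2 in the first (and only) authentication round
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity          # look up the EAP secret by the EAP identity, not the IKE ID
    rightsourceip=10.10.10.0/24     # assumption: virtual IP pool handed to clients
    auto=add

# /etc/ipsec.secrets
# Private key that matches leftcert (file in /etc/ipsec.d/private/).
: RSA serverKey.pem
# One EAP line per user. Assumed user "app"; replace the placeholder with a long random password,
# MSCHAPv2 only protects it as well as the NT hash does once the tunnel is broken.
app : EAP "change-me"

# /etc/strongswan.conf  (merge into the existing charon { } section; the path-as-key filelog
# syntax below is the one used by strongSwan 5.0 through 5.6; the levels are the ones Noel asked for)
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            default = 3
            mgr = 1
            ike = 1
            net = 1
            enc = 0
            cfg = 2
            asn = 1
            job = 1
            knl = 1
            append = no
            ike_name = no
            flush_line = yes
        }
    }
}

# Certificates, generated once with strongSwan's own pki tool (paths and DNs are assumptions):
#   ipsec pki --gen --type rsa --size 4096 --outform pem > /etc/ipsec.d/private/caKey.pem
#   ipsec pki --self --ca --lifetime 3650 --in /etc/ipsec.d/private/caKey.pem --type rsa \
#       --dn "C=US, O=Example, CN=Example VPN CA" --outform pem > /etc/ipsec.d/cacerts/caCert.pem
#   ipsec pki --gen --type rsa --size 2048 --outform pem > /etc/ipsec.d/private/serverKey.pem
#   ipsec pki --pub --in /etc/ipsec.d/private/serverKey.pem --type rsa | \
#       ipsec pki --issue --lifetime 730 --cacert /etc/ipsec.d/cacerts/caCert.pem \
#       --cakey /etc/ipsec.d/private/caKey.pem --dn "C=US, O=Example, CN=vpn.example.com" \
#       --san vpn.example.com --flag serverAuth --flag ikeIntermediate --outform pem \
#       > /etc/ipsec.d/certs/serverCert.pem
# Copy caCert.pem to the phone and import it; in the Android client pick "IKEv2 EAP (Username/Password)",
# enter vpn.example.com as the server, and select that CA. No client certificate is involved.
```

After `ipsec restart`, `ipsec statusall` should list android-eap, and a successful login shows up in /var/log/charon.log as "using configured EAP-Identity app" followed by "EAP method EAP_MSCHAPV2 succeeded, MSK established" instead of the AUTH_FAILED notify seen in the thread. Keep enc at 0 and ike at 1 as above when you post logs: higher ike levels print key material. The Android client will refuse the connection if the name it was given does not match a SAN in the server certificate, so leftid, --san and the server name typed on the phone must agree.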





_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
