Ich habe versucht, mithilfe des Strongswan-Netzwerkmanagers eine Verbindung zum VPN meiner Firma herzustellen. Ich habe keine Ahnung, was schief läuft. Für mich sieht es so aus, als ob nach der Authentifizierung einfach keine Verbindung hergestellt werden kann.
Ich verwende Ubuntu 22.04.1
Aug 19 10:24:05 bumpusbox NetworkManager[711]: <info> [1660929845.1405] audit: op="connection-activate" uuid="16404d0f-b19b-4af9-9e44-7a596c8d3892" name="jimsFishyBusiness vpn" pid=2006 uid=1000 result="success"
Aug 19 10:24:05 bumpusbox charon-nm: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.9.5)
Aug 19 10:24:05 bumpusbox charon-nm: 00[LIB] providers loaded by OpenSSL: legacy default
Aug 19 10:24:05 bumpusbox charon-nm: 00[LIB] created TUN device: tun0
Aug 19 10:24:05 bumpusbox NetworkManager[711]: <info> [1660929845.1503] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/10)
Aug 19 10:24:05 bumpusbox systemd-udevd[67536]: Using default interface naming scheme 'v249'.
Aug 19 10:24:05 bumpusbox charon-nm: 00[LIB] loaded plugins: nm-backend charon-nm aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg kernel-netlink socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Aug 19 10:24:05 bumpusbox charon-nm: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug 19 10:24:05 bumpusbox charon-nm: 00[JOB] spawning 16 worker threads
Aug 19 10:24:05 bumpusbox charon-nm: 07[IKE] installed bypass policy for 169.254.0.0/16
Aug 19 10:24:05 bumpusbox charon-nm: 07[IKE] installed bypass policy for 172.17.0.0/16
Aug 19 10:24:05 bumpusbox charon-nm: 07[IKE] installed bypass policy for 192.168.0.0/24
Aug 19 10:24:05 bumpusbox charon-nm: 07[IKE] installed bypass policy for ::1/128
Aug 19 10:24:05 bumpusbox charon-nm: 07[IKE] installed bypass policy for fe80::/64
Aug 19 10:24:05 bumpusbox charon-nm: 06[CFG] received initiate for NetworkManager connection jimsFishyBusiness vpn
Aug 19 10:24:05 bumpusbox charon-nm: 06[CFG] using gateway identity '9.999.999.999'
Aug 19 10:24:05 bumpusbox charon-nm: 06[IKE] initiating IKE_SA jimsFishyBusiness vpn[1] to 9.999.999.999
Aug 19 10:24:05 bumpusbox charon-nm: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 19 10:24:05 bumpusbox charon-nm: 06[NET] sending packet: from 192.168.0.223[36581] to 9.999.999.999[500] (904 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 13[NET] received packet: from 9.999.999.999[500] to 192.168.0.223[36581] (38 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 13[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Aug 19 10:24:05 bumpusbox charon-nm: 13[IKE] peer didn't accept DH group CURVE_25519, it requested ECP_256
Aug 19 10:24:05 bumpusbox charon-nm: 13[IKE] initiating IKE_SA jimsFishyBusiness vpn[1] to 9.999.999.999
Aug 19 10:24:05 bumpusbox charon-nm: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 19 10:24:05 bumpusbox charon-nm: 13[NET] sending packet: from 192.168.0.223[36581] to 9.999.999.999[500] (936 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 14[NET] received packet: from 9.999.999.999[500] to 192.168.0.223[36581] (270 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 19 10:24:05 bumpusbox charon-nm: 14[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Aug 19 10:24:05 bumpusbox charon-nm: 14[IKE] local host is behind NAT, sending keep alives
Aug 19 10:24:05 bumpusbox charon-nm: 14[IKE] remote host is behind NAT
Aug 19 10:24:05 bumpusbox charon-nm: 14[IKE] sending cert request for "CN=VPN root CA"
Aug 19 10:24:05 bumpusbox charon-nm: 14[IKE] establishing CHILD_SA jimsFishyBusiness vpn{1}
Aug 19 10:24:05 bumpusbox charon-nm: 14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 19 10:24:05 bumpusbox charon-nm: 14[NET] sending packet: from 192.168.0.223[44877] to 9.999.999.999[4500] (416 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 15[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (1236 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 15[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Aug 19 10:24:05 bumpusbox charon-nm: 15[ENC] received fragment #1 of 2, waiting for complete IKE message
Aug 19 10:24:05 bumpusbox charon-nm: 01[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (788 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 01[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Aug 19 10:24:05 bumpusbox charon-nm: 01[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1952 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Aug 19 10:24:05 bumpusbox charon-nm: 01[IKE] received end entity cert "CN=9.999.999.999"
Aug 19 10:24:05 bumpusbox charon-nm: 01[CFG] using certificate "CN=9.999.999.999"
Aug 19 10:24:05 bumpusbox charon-nm: 01[CFG] using trusted ca certificate "CN=VPN root CA"
Aug 19 10:24:05 bumpusbox charon-nm: 01[CFG] checking certificate status of "CN=9.999.999.999"
Aug 19 10:24:05 bumpusbox charon-nm: 01[CFG] certificate status is not available
Aug 19 10:24:05 bumpusbox charon-nm: 01[CFG] reached self-signed root ca with a path length of 0
Aug 19 10:24:05 bumpusbox charon-nm: 01[IKE] authentication of '9.999.999.999' with RSA_EMSA_PKCS1_SHA2_384 successful
Aug 19 10:24:05 bumpusbox charon-nm: 01[IKE] server requested EAP_MSCHAPV2 authentication (id 0xD1)
Aug 19 10:24:05 bumpusbox charon-nm: 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Aug 19 10:24:05 bumpusbox charon-nm: 01[NET] sending packet: from 192.168.0.223[44877] to 9.999.999.999[4500] (144 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 04[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (144 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 04[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Aug 19 10:24:05 bumpusbox charon-nm: 04[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Aug 19 10:24:05 bumpusbox charon-nm: 04[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Aug 19 10:24:05 bumpusbox charon-nm: 04[NET] sending packet: from 192.168.0.223[44877] to 9.999.999.999[4500] (80 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 08[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (80 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 08[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Aug 19 10:24:05 bumpusbox charon-nm: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Aug 19 10:24:05 bumpusbox charon-nm: 08[IKE] authentication of 'myuser' (myself) with EAP
Aug 19 10:24:05 bumpusbox charon-nm: 08[ENC] generating IKE_AUTH request 4 [ AUTH ]
Aug 19 10:24:05 bumpusbox charon-nm: 08[NET] sending packet: from 192.168.0.223[44877] to 9.999.999.999[4500] (96 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 09[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (128 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 09[ENC] parsed IKE_AUTH response 4 [ AUTH N(MOBIKE_SUP) N(NO_ADD_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] authentication of '9.999.999.999' with EAP successful
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] IKE_SA jimsFishyBusiness vpn[1] established between 192.168.0.223[myuser]...9.999.999.999[9.999.999.999]
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] scheduling rekeying in 35530s
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] maximum IKE_SA lifetime 36130s
Aug 19 10:24:05 bumpusbox NetworkManager[711]: <warn> [1660929845.8775] vpn[0x55b4cab76220,16404d0f-b19b-4af9-9e44-7a596c8d3892,"jimsFishyBusiness vpn"]: dbus: failure: connect-failed (1)
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] received FAILED_CP_REQUIRED notify, no CHILD_SA built
Aug 19 10:24:05 bumpusbox NetworkManager[711]: <warn> [1660929845.8776] vpn[0x55b4cab76220,16404d0f-b19b-4af9-9e44-7a596c8d3892,"jimsFishyBusiness vpn"]: dbus: failure: connect-failed (1)
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 19 10:24:05 bumpusbox charon-nm: 09[IKE] peer supports MOBIKE
Aug 19 10:24:05 bumpusbox charon-nm: 10[IKE] deleting IKE_SA jimsFishyBusiness vpn[1] between 192.168.0.223[myuser]...9.999.999.999[9.999.999.999]
Aug 19 10:24:05 bumpusbox charon-nm: 10[IKE] sending DELETE for IKE_SA jimsFishyBusiness vpn[1]
Aug 19 10:24:05 bumpusbox charon-nm: 10[ENC] generating INFORMATIONAL request 5 [ D ]
Aug 19 10:24:05 bumpusbox charon-nm: 10[NET] sending packet: from 192.168.0.223[44877] to 9.999.999.999[4500] (80 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 11[NET] received packet: from 9.999.999.999[4500] to 192.168.0.223[44877] (80 bytes)
Aug 19 10:24:05 bumpusbox charon-nm: 11[ENC] parsed INFORMATIONAL response 5 [ ]
Aug 19 10:24:05 bumpusbox charon-nm: 11[IKE] IKE_SA deleted```
Antwort1
Falls Sie noch keine Lösung gefunden haben, ich hatte gerade ein ähnliches Problem und habe es geschafft, mein Gehäuse zum Laufen zu bringen. Meine Lösung war letztendlich das, was im Update-Abschnitt von beschrieben wurdediese Frage.
Konkret hatte ich eine funktionierende Strongswan-VPN-Verbindung, aber nach dem Update auf Ubuntu 22.04 LTS funktionierte die Verbindung nicht mehr. Die Lösung war:
- Offen
/etc/NetworkManager/system-connections/<VPN_Name> - Suchen Sie im Abschnitt [vpn] nach der Zeile mit dem Namen
proposal=no. Ändern Sie diese inyes - Fügen Sie darunter eine Zeile hinzu für
esp=aes256-sha256-ecp384
Diese spezielle Lösung schien für den Verfasser der verlinkten Frage nicht zu funktionieren, aber für mich hat sie funktioniert und meine Situation war Ihrer ähnlicher. Hoffe, das hilft jemandem!
Antwort2
Ich hatte nicht die richtigen Einstellungen. Ich musste die Option „Eine interne IP-Adresse anfordern“ aktivieren.