Closed thepra closed 5 years ago
@thepra Hello! The strongSwan Android client only supports IKEv2. See [1] for how to set up IKEv2.
You may also use the native Android VPN client (in Settings, network, VPN) to connect using IPsec/L2TP or IPsec/XAuth mode.
[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md
Is there a way to accomplish the connection without going through the certificate generation?
@thepra For IKEv2, the certificate generation steps are required because Libreswan does not yet support EAP in IKEv2.
However you may use the native Android client as mentioned above. See [1] [2].
[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md
[2] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth.md
Tried with the native client without success. I also checked the output of ipsec verify, and there's:
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
May this be the cause?
@thepra Try these troubleshooting steps [1], restart the services and check server logs for errors [2].
[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-6-and-above
[2] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#additional-steps
Nov 2 15:45:45 raspberrypi pluto[1812]: Initializing NSS
Nov 2 15:45:45 raspberrypi pluto[1812]: Opening NSS database "sql:/etc/ipsec.d" read-only
Nov 2 15:45:46 raspberrypi pluto[1812]: NSS initialized
Nov 2 15:45:46 raspberrypi pluto[1812]: NSS crypto library initialized
Nov 2 15:45:46 raspberrypi pluto[1812]: FIPS HMAC integrity support [disabled]
Nov 2 15:45:46 raspberrypi pluto[1812]: libcap-ng support [enabled]
Nov 2 15:45:46 raspberrypi pluto[1812]: Linux audit support [disabled]
Nov 2 15:45:46 raspberrypi pluto[1812]: Starting Pluto (Libreswan Version 3.27 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS SYSTEMD_WATCHDOG LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:1812
Nov 2 15:45:46 raspberrypi pluto[1812]: core dump dir: /run/pluto
Nov 2 15:45:46 raspberrypi pluto[1812]: secrets file: /etc/ipsec.secrets
Nov 2 15:45:46 raspberrypi pluto[1812]: leak-detective enabled
Nov 2 15:45:46 raspberrypi pluto[1812]: NSS crypto [enabled]
Nov 2 15:45:46 raspberrypi pluto[1812]: XAUTH PAM support [enabled]
Nov 2 15:45:46 raspberrypi pluto[1812]: NAT-Traversal support [enabled]
Nov 2 15:45:46 raspberrypi pluto[1812]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Nov 2 15:45:46 raspberrypi pluto[1812]: Encryption algorithms:
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a
Nov 2 15:45:46 raspberrypi pluto[1812]: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des
Nov 2 15:45:46 raspberrypi pluto[1812]: CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128}
Nov 2 15:45:46 raspberrypi pluto[1812]: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes
Nov 2 15:45:46 raspberrypi pluto[1812]: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent
Nov 2 15:45:46 raspberrypi pluto[1812]: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish
Nov 2 15:45:46 raspberrypi pluto[1812]: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh
Nov 2 15:45:46 raspberrypi pluto[1812]: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP {256,192,*128} aes_gmac
Nov 2 15:45:46 raspberrypi pluto[1812]: NULL IKEv1: ESP IKEv2: ESP []
Nov 2 15:45:46 raspberrypi pluto[1812]: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305
Nov 2 15:45:46 raspberrypi pluto[1812]: Hash algorithms:
Nov 2 15:45:46 raspberrypi pluto[1812]: MD5 IKEv1: IKE IKEv2:
Nov 2 15:45:46 raspberrypi pluto[1812]: SHA1 IKEv1: IKE IKEv2: FIPS sha
Nov 2 15:45:46 raspberrypi pluto[1812]: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256
Nov 2 15:45:46 raspberrypi pluto[1812]: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384
Nov 2 15:45:46 raspberrypi pluto[1812]: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512
Nov 2 15:45:46 raspberrypi pluto[1812]: PRF algorithms:
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_XCBC IKEv1: IKEv2: IKE FIPS aes128_xcbc
Nov 2 15:45:46 raspberrypi pluto[1812]: Integrity algorithms:
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, hmac_sha2_512
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, hmac_sha2_384
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, hmac_sha2_256
Nov 2 15:45:46 raspberrypi pluto[1812]: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH FIPS aes_xcbc, aes128_xcbc, aes128_xcbc_96
Nov 2 15:45:46 raspberrypi pluto[1812]: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Nov 2 15:45:46 raspberrypi pluto[1812]: NONE IKEv1: ESP IKEv2: ESP FIPS null
Nov 2 15:45:46 raspberrypi pluto[1812]: DH algorithms:
Nov 2 15:45:46 raspberrypi pluto[1812]: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Nov 2 15:45:46 raspberrypi pluto[1812]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh2
Nov 2 15:45:46 raspberrypi pluto[1812]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Nov 2 15:45:46 raspberrypi pluto[1812]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Nov 2 15:45:46 raspberrypi pluto[1812]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Nov 2 15:45:46 raspberrypi pluto[1812]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Nov 2 15:45:46 raspberrypi pluto[1812]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Nov 2 15:45:46 raspberrypi pluto[1812]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Nov 2 15:45:46 raspberrypi pluto[1812]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256
Nov 2 15:45:46 raspberrypi pluto[1812]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384
Nov 2 15:45:46 raspberrypi pluto[1812]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521
Nov 2 15:45:46 raspberrypi pluto[1812]: starting up 3 crypto helpers
Nov 2 15:45:46 raspberrypi pluto[1812]: started thread for crypto helper 0
Nov 2 15:45:46 raspberrypi pluto[1812]: seccomp security for crypto helper not supported
Nov 2 15:45:46 raspberrypi pluto[1812]: started thread for crypto helper 1
Nov 2 15:45:46 raspberrypi pluto[1812]: started thread for crypto helper 2
Nov 2 15:45:46 raspberrypi pluto[1812]: seccomp security for crypto helper not supported
Nov 2 15:45:46 raspberrypi pluto[1812]: seccomp security for crypto helper not supported
Nov 2 15:45:46 raspberrypi pluto[1812]: Using Linux XFRM/NETKEY IPsec interface code on 4.14.71-v7+
Nov 2 15:45:46 raspberrypi pluto[1812]: | selinux support is NOT enabled.
Nov 2 15:45:46 raspberrypi pluto[1812]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Nov 2 15:45:46 raspberrypi pluto[1812]: watchdog: sending probes every 100 secs
Nov 2 15:45:46 raspberrypi pluto[1812]: seccomp security not supported
Nov 2 15:45:46 raspberrypi pluto[1812]: added connection description "l2tp-psk"
Nov 2 15:45:46 raspberrypi pluto[1812]: added connection description "xauth-psk"
Nov 2 15:45:46 raspberrypi pluto[1812]: listening for IKE messages
Nov 2 15:45:46 raspberrypi pluto[1812]: adding interface eth0/eth0 192.168.1.226:500
Nov 2 15:45:46 raspberrypi pluto[1812]: adding interface eth0/eth0 192.168.1.226:4500
Nov 2 15:45:46 raspberrypi pluto[1812]: adding interface lo/lo 127.0.0.1:500
Nov 2 15:45:46 raspberrypi pluto[1812]: adding interface lo/lo 127.0.0.1:4500
Nov 2 15:45:46 raspberrypi pluto[1812]: adding interface eth0/eth0 2001:b07:644c:4284:6fe5:aea3:a905:47d0:500
Nov 2 15:45:46 raspberrypi pluto[1812]: adding interface lo/lo ::1:500
Nov 2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface lo:500 fd 20
Nov 2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface eth0:500 fd 19
Nov 2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface lo:4500 fd 18
Nov 2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface lo:500 fd 17
Nov 2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface eth0:4500 fd 16
Nov 2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface eth0:500 fd 15
Nov 2 15:45:46 raspberrypi pluto[1812]: loading secrets from "/etc/ipsec.secrets"
Nothing unusual seems to show up in the logs.
@thepra Your logs do not show connection attempts, which means they did not reach your server. For a Raspberry Pi, you must set up port forwarding on your home router for both UDP ports 500 and 4500 to your Raspberry Pi’s local IP (192.168.1.226). It is also recommended to reserve a static DHCP IP on your home router for the RPi, so that it does not change. See example at: https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/
Port forwarding done on 192.168.1.226 for the UDP range 500 - 4500, outer and inner. Restarted the Raspberry too. But nothing seems to work on the smartphone (Android 8.1, which doesn't have the "Backward compatible mode") with the native VPN set up as L2TP/IPSec PSK. And in ipsec verify those last messages remain the same:
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
@thepra Only UDP ports 500 and 4500 (two ports) need to be forwarded. The “ipsec verify” result in Raspberry Pi is inaccurate, please ignore that output. Connect the VPN again and then check the IPsec logs again, if you see your latest connection attempt, that means the connection attempt did reach your server. If so, edit /etc/ipsec.conf and replace sha2-truncbug=yes with sha2-truncbug=no, then run “service ipsec restart”. Then try reconnecting.
If still not working, please post your latest logs with your IP redacted.
@hwdsl2 Ok, deleted that range and put in place only those 2 UDP ports. Restarted the Pi. Tried to connect, checked the log, nothing new. This issue is so weird ._.
@thepra Check that your Raspberry Pi’s local IP still matches what you put in for port forwarding (192.168.1.226) after reboot. If not, port forward the correct IP. Also, use the correct public IP (of your home router) in your VPN clients.
You’ll need to troubleshoot this further yourself until you can see the connection attempts in the logs.
@hwdsl2 It still matches the public IP. Here's the output of ifconfig on the local Raspberry Pi:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.226 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 2001:b07:644c:4284:6fe5:aea3:a905:47d0 prefixlen 64 scopeid 0x0<global>
inet6 fe80::61d:9e8b:31ac:cdc9 prefixlen 64 scopeid 0x20<link>
ether b8:27:eb:8f:20:c5 txqueuelen 1000 (Ethernet)
RX packets 9498 bytes 7441747 (7.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6447 bytes 537904 (525.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
On the router web configuration:
My public IP was automatically given at the end of the script run, which is still the same.
Can you help me troubleshoot? I'll give you whatever information is necessary.
@thepra Unfortunately I don’t see any issue in your configuration above. Check your home router’s status page to see what public IP is displayed there. If it does not match the public IP shown at the end of the script run (or from https://ipv4.icanhazip.com), then your ISP may be using carrier-grade NAT which blocks connections from the Internet to your home router.
You may verify that the VPN server is running properly by connecting from another device on your home network, for example, the Android 8.1 device you mentioned earlier, and just put 192.168.1.226 as the server IP. This is for testing purpose only.
Other than those above, unfortunately I am not sure and you’ll need to troubleshoot further yourself.
@hwdsl2 93.40.185.177 is my public IP, and it's still the same. I've tried to change the connection on my Android (with home wifi connected) to 192.168.1.226. Still no logs of an attempt. But in the logs I found this:
Nov 3 04:34:29 raspberrypi pluto[1315]: watchdog: sending probes every 100 secs
Nov 3 04:34:29 raspberrypi pluto[1315]: seccomp security not supported
Nov 3 04:34:29 raspberrypi pluto[1315]: seccomp security for crypto helper not supported
Nov 3 04:34:29 raspberrypi pluto[1315]: connection l2tp-psk must specify host IP address for our side
Nov 3 04:34:29 raspberrypi pluto[1315]: Failed to load connection "l2tp-psk": attempt to load incomplete connection
Nov 3 04:34:29 raspberrypi pluto[1315]: connection xauth-psk must specify host IP address for our side
Nov 3 04:34:29 raspberrypi pluto[1315]: Failed to load connection "xauth-psk": attempt to load incomplete connection
Which is an indication of something not working properly on the raspberry pi side. Right?
@thepra Edit /etc/ipsec.conf and replace “left=%defaultroute” with “left=192.168.1.226”, save the file and run “service ipsec restart”. Note that all lines below a conn section must be indented by two spaces. That should fix the issue.
What I don’t understand is that in the previous log you posted, the connections loaded just fine, but not in the log you posted just now. Did you change any configuration on the server?
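As an added example (not the project's own script), here is a small helper that applies the two edits suggested in this thread, left=%defaultroute to an explicit address and sha2-truncbug=yes to no, to a Libreswan ipsec.conf while keeping the two-space indentation of conn sections, plus a check that reports settings under a conn that lost their indentation. The config fragment is constructed; the `conn shared` / `also=` layout, the key names chosen and the 203.0.113.10 address are assumptions, not the contents of the project's file.

```python
"""Set a key in selected conn sections of a Libreswan ipsec.conf.

Added example, not code from hwdsl2/setup-ipsec-vpn. The SAMPLE config below
is a constructed fragment in the layout the thread describes: section headers
at column 0, settings under a conn indented by two spaces.
"""
import re

_SECTION = re.compile(r"^(config setup|conn\s+\S+)\s*$")
_KV = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Za-z0-9_-]+)\s*=\s*(?P<value>.*?)\s*$")


def set_conn_key(text, key, value, conns=None):
    """Return text with key=value applied in the chosen conn sections.

    conns=None means every conn section ('config setup' is never touched).
    An existing key is rewritten in place, keeping its indentation; a missing
    key is appended right after the section's last setting line. Comments,
    blank lines and other settings are left exactly as they are.
    """
    out = []
    section = None      # name of the conn we are inside, or None
    seen = False        # key already handled in this section
    last_setting = -1   # index in `out` of the section's last setting line

    def close_section():
        # Append the key if the section was selected but never had it.
        if section is not None and (conns is None or section in conns) and not seen:
            out.insert(last_setting + 1, f"  {key}={value}")

    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            close_section()
            header = m.group(1)
            section = header.split(None, 1)[1] if header.startswith("conn") else None
            seen = False
            out.append(line)
            last_setting = len(out) - 1
            continue
        kv = _KV.match(line)
        if kv and section is not None and (conns is None or section in conns):
            if kv["key"] == key:
                line = f"{kv['indent'] or '  '}{key}={value}"  # keep two-space indent
                seen = True
        out.append(line)
        if kv:
            last_setting = len(out) - 1
    close_section()
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def check_conn_indent(text):
    """Return 1-based line numbers of settings under a conn that are not indented."""
    bad, in_conn = [], False
    for n, line in enumerate(text.splitlines(), 1):
        if _SECTION.match(line):
            in_conn = line.startswith("conn")
        elif in_conn and _KV.match(line) and not line.startswith((" ", "\t")):
            bad.append(n)
    return bad


# Constructed sample; 203.0.113.10 is a documentation address, not a real host.
SAMPLE = """\
config setup
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=203.0.113.10
  right=%any
  # sha2-truncbug=yes works around older clients; turn it off for newer ones
  sha2-truncbug=yes

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  also=shared
"""


def apply_thread_fixes(text, local_ip):
    """The two edits from this thread: explicit left= and sha2-truncbug=no."""
    text = set_conn_key(text, "left", local_ip, conns={"shared"})
    return set_conn_key(text, "sha2-truncbug", "no", conns={"shared"})


if __name__ == "__main__":
    fixed = apply_thread_fixes(SAMPLE, "192.168.1.226")
    print(fixed)
    print("unindented conn settings:", check_conn_indent(fixed))
```

Run it on a copy of /etc/ipsec.conf rather than in place, diff the result, and only then restart with `service ipsec restart` as the thread suggests; the indentation check is there because pluto reads an unindented line as the end of the section.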
@hwdsl2 Ok, right now the connection worked on the local wifi, the logs show it, and it's shown as established and functioning on the smartphone, but after that, switching to the public IP on Android seems to fail the connection again (both on wifi and carrier LTE).
Nope, I'm following the actions along with you, so I didn't touch any settings that you didn't say to.
Here's the log after the connection establishes:
Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: responding to Main Mode from unknown peer 192.168.1.96 on port 500
Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: WARNING: connection l2tp-psk PSK length of 20 bytes is too short for sha2_384 PRF in FIPS mode (24 bytes required)
Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: Oakley Transform [AES_CBC (256), HMAC_SHA2_384, MODP1024] refused
Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: Peer ID is ID_IPV4_ADDR: '192.168.1.96'
Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Nov 3 08:43:59 raspberrypi pluto[3885]: | ISAKMP Notification Payload
Nov 3 08:43:59 raspberrypi pluto[3885]: | 00 00 00 1c 00 00 00 01 01 10 60 02
Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: received and ignored notification payload: IPSEC_INITIAL_CONTACT
Nov 3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: the peer proposed: 192.168.1.226/32:17/1701 -> 192.168.1.96/32:17/0
Nov 3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4: responding to Quick Mode proposal {msgid:94c7a2e5}
Nov 3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4: us: 192.168.1.226<192.168.1.226>[93.40.185.177]:17/1701
Nov 3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4: them: 192.168.1.96:17/0
Nov 3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x07531e12 <0x9d40ccdd xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=192.168.1.96:4500 DPD=active}
Nov 3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x07531e12 <0x9d40ccdd xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=192.168.1.96:4500 DPD=active}
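The thread's diagnosis follows one order every time: did the connections load, is pluto listening, did any peer reach the server, and did the negotiation finish. The following triage script, an added example that is not code from the hwdsl2/setup-ipsec-vpn project, applies that order to raw pluto syslog lines. The sample lines are constructed to match the format of the logs posted above (the failed startup, a clean startup, and the successful Main Mode / Quick Mode exchange); the verdict labels are my own.

```python
"""Triage Libreswan (pluto) log lines for the failure modes seen in this thread.

Added example, not part of the hwdsl2/setup-ipsec-vpn project. The sample log
lines are constructed to match the format of the logs posted above.
"""
import re
from dataclasses import dataclass, field

# Everything after "pluto[pid]: " is the message; timestamp, host and pid vary.
_MSG = re.compile(r"pluto\[\d+\]:\s*(?P<msg>.*)$")
_LOADED = re.compile(r'added connection description "(?P<conn>[^"]+)"')
_INCOMPLETE = re.compile(r"connection (?P<conn>\S+) must specify host IP address for our side")
_FAILED = re.compile(r'Failed to load connection "(?P<conn>[^"]+)"')
_LISTEN = re.compile(r"adding interface \S+ (?P<addr>\S+):(?P<port>\d+)$")
_PEER = r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: '
_ATTEMPT = re.compile(_PEER + r"responding to Main Mode from unknown peer")
_ISAKMP = re.compile(_PEER + r".*ISAKMP SA established")
_IPSEC = re.compile(_PEER + r".*IPsec SA established")
_WARN = re.compile(r"WARNING: (?P<text>.*)$")


@dataclass
class Triage:
    loaded: set = field(default_factory=set)         # conn names pluto accepted
    failed: dict = field(default_factory=dict)       # conn name -> reason
    listening: set = field(default_factory=set)      # (address, port) pairs
    attempts: list = field(default_factory=list)     # (conn, peer) Main Mode starts
    established: list = field(default_factory=list)  # (conn, peer, "ISAKMP"|"IPsec")
    warnings: list = field(default_factory=list)


def triage(lines):
    """Extract the events that matter from raw pluto syslog lines."""
    t = Triage()
    for line in lines:
        m = _MSG.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (x := _LOADED.search(msg)):
            t.loaded.add(x["conn"])
        elif (x := _INCOMPLETE.search(msg)):
            # left=%defaultroute could not be resolved to an address at load time
            t.failed[x["conn"]] = "no host IP for our side; set left= explicitly"
        elif (x := _FAILED.search(msg)):
            t.failed.setdefault(x["conn"], "incomplete connection")
        elif (x := _LISTEN.search(msg)):
            t.listening.add((x["addr"], int(x["port"])))
        elif (x := _ATTEMPT.search(msg)):
            t.attempts.append((x["conn"], x["peer"]))
        elif (x := _ISAKMP.search(msg)):
            t.established.append((x["conn"], x["peer"], "ISAKMP"))
        elif (x := _IPSEC.search(msg)):
            t.established.append((x["conn"], x["peer"], "IPsec"))
        elif (x := _WARN.search(msg)):
            t.warnings.append(x["text"])
    return t


def verdict(t):
    """Turn the triage into the next troubleshooting step, in the order the thread used."""
    if t.failed:
        return "fix-config: " + "; ".join(f"{c}: {r}" for c, r in sorted(t.failed.items()))
    if not t.listening:
        return "not-listening: pluto added no interfaces; check the ipsec service"
    if not t.attempts:
        return "no-attempts: nothing reached the server; check port forwarding, local IP, CGNAT"
    if not any(phase == "IPsec" for _, _, phase in t.established):
        return "attempt-without-sa: a peer reached the server but negotiation did not finish"
    return "ok: IPsec SA established"


# Constructed samples, modelled on the log lines quoted in this thread.
STARTUP_BAD = [
    "Nov 3 04:34:29 raspberrypi pluto[1315]: connection l2tp-psk must specify host IP address for our side",
    'Nov 3 04:34:29 raspberrypi pluto[1315]: Failed to load connection "l2tp-psk": attempt to load incomplete connection',
]
STARTUP_OK = [
    'Nov 2 15:45:46 raspberrypi pluto[1812]: added connection description "l2tp-psk"',
    'Nov 2 15:45:46 raspberrypi pluto[1812]: added connection description "xauth-psk"',
    "Nov 2 15:45:46 raspberrypi pluto[1812]: adding interface eth0/eth0 192.168.1.226:500",
    "Nov 2 15:45:46 raspberrypi pluto[1812]: adding interface eth0/eth0 192.168.1.226:4500",
]
SESSION_OK = STARTUP_OK + [
    'Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: responding to Main Mode from unknown peer 192.168.1.96 on port 500',
    'Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: WARNING: connection l2tp-psk PSK length of 20 bytes is too short for sha2_384 PRF in FIPS mode (24 bytes required)',
    'Nov 3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}',
    'Nov 3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x07531e12 <0x9d40ccdd}',
]

if __name__ == "__main__":
    for name, sample in (("startup-bad", STARTUP_BAD), ("startup-ok", STARTUP_OK), ("session-ok", SESSION_OK)):
        print(f"{name}: {verdict(triage(sample))}")
```

Feed it `journalctl -u ipsec` or the pluto lines from syslog; the "no-attempts" verdict is the state this thread sat in for most of its length, and it is the one that points away from the server and towards the router or ISP.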
@thepra It is good that the connection now works locally. That means your VPN server is running fine.
For external connections using your public IP, unfortunately I can’t help because I am not familiar with your ISP or home router configuration. You’ll need to troubleshoot further yourself.
If I was behind a carrier NAT, is there any chance to make it work?
@thepra No I don’t think so. Typically, ISPs with carrier-grade NAT let many users share the same public IP, therefore they cannot forward external connections to that public IP to a particular user.
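The two checks suggested earlier in this thread (compare the router's WAN address with the address seen from outside, and forward exactly UDP 500 and 4500 to the server's LAN IP) can be written down as a short reachability pre-check. This is an added example, not code from the project; the WAN addresses, the external address and the forwarding rules are constructed inputs, and the four verdict labels are my own.

```python
"""Pre-check for inbound IKE reachability of a VPN server behind a home router.

Added example, not part of hwdsl2/setup-ipsec-vpn. Inputs are the router's WAN
address (from its status page) and the address seen from the Internet (the one
the setup script printed, or https://ipv4.icanhazip.com); sample values below
are constructed.
"""
import ipaddress

# RFC 6598 shared address space, the usual sign of carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: a WAN address here means another NAT box sits in front.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The only ports an IPsec/L2TP or IPsec/XAuth server needs from outside.
REQUIRED = {("udp", 500), ("udp", 4500)}


def classify_wan(router_wan_ip, external_ip):
    """Return (label, explanation) for the router's position on the Internet."""
    wan = ipaddress.ip_address(router_wan_ip)
    ext = ipaddress.ip_address(external_ip)
    if wan in CGNAT:
        return ("cgnat", "router WAN address is in 100.64.0.0/10: ISP carrier-grade NAT; "
                         "port forwarding on the home router cannot let external clients in")
    if any(wan in n for n in RFC1918):
        return ("double-nat", "router WAN address is private: another NAT device is in front; "
                              "forward UDP 500/4500 on that device as well")
    if wan != ext:
        return ("mismatch", "router WAN address differs from the address seen from outside; "
                            "the ISP is translating again, most likely carrier-grade NAT")
    return ("direct", "router holds the public address; forward UDP 500 and 4500 to the server")


def check_forwarding(rules, server_ip):
    """Check router forwarding rules against the two required ports.

    rules: iterable of (proto, first_port, last_port, dest_ip) as a router UI
    would list them. Returns (missing, broad): the required (proto, port) pairs
    not forwarded to server_ip, and rules that open more than a single port.
    """
    missing = set(REQUIRED)
    broad = []
    for proto, first, last, dest in rules:
        if dest != server_ip:
            continue
        for p, port in REQUIRED:
            if proto.lower() == p and first <= port <= last:
                missing.discard((p, port))
        if last > first:  # a range such as 500-4500 exposes 4001 ports for no benefit
            broad.append((proto, first, last))
    return missing, broad


if __name__ == "__main__":
    # Constructed values: a CGNAT-style WAN address and the thread's LAN address.
    print(classify_wan("100.70.1.2", "203.0.113.5"))
    print(check_forwarding([("UDP", 500, 4500, "192.168.1.226")], "192.168.1.226"))
```

A "cgnat" or "mismatch" result is the case hwdsl2 describes above: no forwarding rule on the home router can change it, and the fix is at the ISP (a real public address) or a server hosted elsewhere.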
I did run the scripts but still I'm not able to use the VPN. How do I configure the IPsec PSK on strongSwan? I didn't find where to put that code.