jawj / IKEv2-setup

Set up Ubuntu Server 20.04 (or 18.04) as an IKEv2 VPN server

generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ] #140

Closed meteoguzhan closed 2 years ago

meteoguzhan commented 2 years ago

Hello everyone, I get an error when I try to connect. Can you help me? I can't connect on versions below Android 8.

/etc/ipsec.conf

config setup
  strictcrlpolicy=yes
  uniqueids=never

conn roadwarrior
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes

  # CNSA/RFC 6379 Suite B (https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites)
  ike=aes256gcm16-prfsha384-ecp384!
  esp=aes256gcm16-ecp384!

  dpdaction=clear
  dpddelay=900s
  rekey=no
  left=%any
  leftid=@vpn.vpn.vpn
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  eap_identity=%any
  rightdns=1.1.1.1,1.0.0.1
  rightsourceip=10.101.0.0/16
  rightsendcert=never

/etc/strongswan.conf

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

/etc/ipsec.secrets

vpn.vpn.vpn : RSA "privkey.pem"
LiONDEfTYpeDg : EAP "oarbAstIcENSFoEINghbaNdE"

log

I/charon  ( 3593): 13[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
I/charon  ( 3593): 13[ENC] received fragment #1 of 3, waiting for complete IKE message
I/charon  ( 3593): 13[NET] received packet: from 155.138.143.119[4500] to 10.0.2.15[47181] (1166 bytes)
I/charon  ( 3593): 13[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
I/charon  ( 3593): 13[ENC] received fragment #3 of 3, waiting for complete IKE message
I/charon  ( 3593): 15[NET] received packet: from 155.138.143.119[4500] to 10.0.2.15[47181] (1248 bytes)
I/charon  ( 3593): 15[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
I/charon  ( 3593): 15[ENC] received fragment #2 of 3, reassembled fragmented IKE message (3536 bytes)
I/charon  ( 3593): 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
I/charon  ( 3593): 15[IKE] received end entity cert "CN=vpn.vpn.vpn"
I/charon  ( 3593): 15[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=R3"
I/charon  ( 3593): 15[CFG]   using certificate "CN=vpn.vpn.vpn"
I/charon  ( 3593): 15[CFG]   using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=R3"
I/charon  ( 3593): 15[CFG] checking certificate status of "CN=vpn.vpn.vpn"
I/charon  ( 3593): 15[CFG]   requesting ocsp status from 'http://r3.o.lencr.org' ...
I/charon  ( 3593): 15[LIB] failed to fetch from 'http://r3.o.lencr.org'
I/charon  ( 3593): 15[CFG] ocsp request to http://r3.o.lencr.org failed
I/charon  ( 3593): 15[CFG] ocsp check failed, fallback to crl
I/charon  ( 3593): 15[CFG] certificate status is not available
I/charon  ( 3593): 15[CFG] no issuer certificate found for "C=US, O=Let's Encrypt, CN=R3"
I/charon  ( 3593): 15[CFG]   issuer is "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
I/charon  ( 3593): 15[IKE] no trusted RSA public key found for 'vpn.vpn.vpn'
I/charon  ( 3593): 15[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
I/charon  ( 3593): 15[NET] sending packet: from 10.0.2.15[47181] to 155.138.143.119[4500] (65 bytes)

jawj commented 2 years ago

It sounds like this is a strongSwan question more than a question about this script, so I suggest you ask over there.

meteoguzhan commented 2 years ago

> It sounds like this is a strongSwan question more than a question about this script, so I suggest you ask over there.

https://letsencrypt.org/2020/12/21/extending-android-compatibility.html I think it's because of Let's Encrypt, because I can't connect at all on Android 7.1.1 and below.
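
Added example (not part of the thread or of the IKEv2-setup project): a small Python parser that pulls the certificate-chain evidence out of the charon client log posted above and names the issuer the device could not find, separately from the non-fatal OCSP failure. The function name `diagnose`, the pattern names and the verdict strings are assumptions made for illustration.

```python
import re

# Log excerpt copied from the issue above (client-side charon on Android).
SAMPLE_LOG = '''\
I/charon  ( 3593): 15[IKE] received end entity cert "CN=vpn.vpn.vpn"
I/charon  ( 3593): 15[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=R3"
I/charon  ( 3593): 15[CFG]   using certificate "CN=vpn.vpn.vpn"
I/charon  ( 3593): 15[CFG]   using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=R3"
I/charon  ( 3593): 15[CFG] ocsp request to http://r3.o.lencr.org failed
I/charon  ( 3593): 15[CFG] certificate status is not available
I/charon  ( 3593): 15[CFG] no issuer certificate found for "C=US, O=Let's Encrypt, CN=R3"
I/charon  ( 3593): 15[CFG]   issuer is "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
I/charon  ( 3593): 15[IKE] no trusted RSA public key found for 'vpn.vpn.vpn'
I/charon  ( 3593): 15[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
'''

PATTERNS = {
    "received": re.compile(r'received (?:end entity|issuer) cert "([^"]+)"'),
    "orphan": re.compile(r'no issuer certificate found for "([^"]+)"'),
    "missing_issuer": re.compile(r'issuer is "([^"]+)"'),
    "untrusted_id": re.compile(r"no trusted \w+ public key found for '([^']+)'"),
    "ocsp_failed": re.compile(r"ocsp request to (\S+) failed"),
}

def diagnose(log_text):
    """Collect chain-building evidence from charon log lines (hypothetical helper)."""
    found = {name: [] for name in PATTERNS}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                found[name].append(m.group(1))
    found["auth_failed"] = "N(AUTH_FAILED)" in log_text
    # A certificate whose issuer was neither sent by the peer nor found in the
    # local trust store leaves the chain ending at an untrusted certificate.
    if found["orphan"] and found["missing_issuer"]:
        found["verdict"] = "trust anchor missing on this device: " + found["missing_issuer"][-1]
    elif found["ocsp_failed"]:
        found["verdict"] = "revocation status unavailable; no missing issuer logged"
    else:
        found["verdict"] = "no chain-building error found"
    return found

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the log from this issue the verdict names ISRG Root X1, the root the client could not find after receiving the R3 intermediate from the server.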