morpheusthewhite / nordpy

A gui application to connect automatically to the recommended NordVPN server
GNU General Public License v3.0

NordVPN CA Certs not getting imported in Raspberry Pi #31

Closed tifoji closed 4 years ago

tifoji commented 4 years ago

Here is the excerpt after running ./install.sh

Setting up openvpn (2.4.7-1) ...
[ ok ] Restarting virtual private network daemon.:.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.
Setting up opensc (0.19.0-1) ...
Processing triggers for systemd (241-7~deb10u2+rpi1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for desktop-file-utils (0.23-4) ...
Processing triggers for mime-support (3.62) ...
Processing triggers for gnome-menus (3.31.4-3) ...
Processing triggers for libc-bin (2.28-10+rpi1) ...
**E: Unable to locate package strongswan-ikev2**
Required packages installed
installing certificates (needed by ipsec)
downloading and extracting conf files from NordVPN

Rest of the installation was successful but when trying to connect, I saw the following in /var/log/syslog

Feb 16 16:05:32 raspberrypi charon: 16[IKE] received end entity cert "CN=us3628.nordvpn.com"
Feb 16 16:05:32 raspberrypi charon: 16[IKE] received issuer cert "C=PA, O=NordVPN, CN=NordVPN CA4"
Feb 16 16:05:32 raspberrypi charon: 16[CFG]   using certificate "CN=us3628.nordvpn.com"
Feb 16 16:05:32 raspberrypi charon: 16[CFG]   using untrusted intermediate certificate "C=PA, O=NordVPN, CN=NordVPN CA4"
Feb 16 16:05:32 raspberrypi charon: 16[CFG] checking certificate status of "CN=us3628.nordvpn.com"
Feb 16 16:05:32 raspberrypi charon: 16[CFG] certificate status is not available
Feb 16 16:05:32 raspberrypi charon: 16[CFG] no issuer certificate found for "C=PA, O=NordVPN, CN=NordVPN CA4"
Feb 16 16:05:32 raspberrypi charon: 16[CFG]   issuer is "C=PA, O=NordVPN, CN=NordVPN Root CA"
Feb 16 16:05:32 raspberrypi charon: 16[IKE] no trusted RSA public key found for 'us3628.nordvpn.com'

I followed Step #2 and Step #9 from https://nordvpn.com/tutorials/linux/ikev2ipsec/ manually and the error in /var/log/syslog gets resolved, but I cannot authenticate successfully and get "Wrong Credentials" every time.

Feb 16 16:26:51 raspberrypi charon: 01[CFG]   reached self-signed root ca with a path length of 1
Feb 16 16:26:51 raspberrypi charon: 01[IKE] authentication of 'us3030.nordvpn.com' with RSA_EMSA_PKCS1_SHA2_256 successful
Feb 16 16:26:51 raspberrypi charon: 01[IKE] server requested EAP_IDENTITY (id 0x00), sending 'myNordVpnCredentials@foo.net'
Feb 16 16:26:51 raspberrypi charon: 01[IKE] EAP_IDENTITY not supported, sending EAP_NAK
Feb 16 16:26:51 raspberrypi charon: 01[ENC] generating IKE_AUTH request 2 [ EAP/RES/NAK ]
Feb 16 16:26:51 raspberrypi charon: 01[NET] sending packet: from 192.168.86.22[4500] to 208.84.155.239[4500] (80 bytes)
Feb 16 16:26:51 raspberrypi charon: 06[NET] received packet: from 208.84.155.239[4500] to 192.168.86.22[4500] (80 bytes)
Feb 16 16:26:51 raspberrypi charon: 06[ENC] parsed IKE_AUTH response 2 [ EAP/FAIL ]
Feb 16 16:26:51 raspberrypi charon: 06[IKE] received EAP_FAILURE, EAP authentication failed
Feb 16 16:26:51 raspberrypi charon: 06[ENC] generating INFORMATIONAL request 3 [ N(AUTH_FAILED) ]
Feb 16 16:26:51 raspberrypi charon: 06[NET] sending packet: from 192.168.86.22[4500] to 208.84.155.239[4500] (80 bytes)

Thanks for this tool. I hope you can add NordLynx support as well.

morpheusthewhite commented 4 years ago

Try to test your credentials with openvpn just to make sure that they're correct.

tifoji commented 4 years ago

Yes, the credentials are correct. I wonder if anyone on RPi 4 and Buster has a similar error. I can see that some guides mention an RSA key also being present in the /etc/ipsec.secrets file, but I don't have one. I also opened UDP ports 500 and 4500 to see if it makes any difference. During the install it failed on the strongswan-ikev2 package. Will that have an impact on all this? On my Raspberry Pi 4 I have the following:

pi@raspberrypi:~ $ apt list | grep -i strongswan

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libstrongswan-extra-plugins/stable 5.7.2-1 armhf
libstrongswan-standard-plugins/stable,now 5.7.2-1 armhf [installed,automatic]
libstrongswan/stable,now 5.7.2-1 armhf [installed,automatic]
network-manager-strongswan/stable 1.4.4-2 armhf
strongswan-charon/stable,now 5.7.2-1 armhf [installed,automatic]
strongswan-libcharon/stable,now 5.7.2-1 armhf [installed,automatic]
strongswan-nm/stable 5.7.2-1 armhf
strongswan-pki/stable 5.7.2-1 armhf
strongswan-scepclient/stable 5.7.2-1 armhf
strongswan-starter/stable,now 5.7.2-1 armhf [installed,automatic]
strongswan-swanctl/stable 5.7.2-1 armhf
strongswan/stable,now 5.7.2-1 all [installed]
pi@raspberrypi:~ $

morpheusthewhite commented 4 years ago

Exactly, I was also thinking about that; I tested the script on Debian but unfortunately I could not do the same on the raspberry

morpheusthewhite commented 4 years ago

If you can, please do these tests:

Source: https://support.nordvpn.com/Connectivity/Linux/1151861242/How-to-connect-to-NordVPN-with-IKEv2-IPSec-on-Linux.htm

tifoji commented 4 years ago

libcharon-standard-plugins is no longer available. I just issued $ sudo apt-get install strongswan libcharon-extra-plugins and it installed successfully. I had already followed the rest of the guide as indicated in one of the earlier messages. But it was interesting to see this error while trying to restart ipsec

Feb 17 12:35:34 raspberrypi charon: 00[CFG]   loaded EAP secret for myNordVpnCredentials@foo.net
Feb 17 12:35:34 raspberrypi charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 17 12:35:34 raspberrypi charon: 00[CFG] HA config misses local/remote address
Feb 17 12:35:34 raspberrypi charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Feb 17 12:35:34 raspberrypi charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 17 12:35:34 raspberrypi charon: 00[JOB] spawning 16 worker threads
Feb 17 12:35:34 raspberrypi charon: 05[CFG] received stroke: add connection 'NordVPN'
**Feb 17 12:35:34 raspberrypi charon: 05[CFG] CA certificate "/etc/ipsec.d/cacerts/NordVPN.pem" not found, discarding CA constraint**
Feb 17 12:35:34 raspberrypi charon: 05[CFG] added configuration 'NordVPN'
Feb 17 12:36:11 raspberrypi systemd[1]: Started Session c5 of user pi.

The file most definitely exists

pi@raspberrypi:/etc $ sudo openssl x509 -inform der -in /etc/ipsec.d/cacerts/NordVPN.der -out /etc/ipsec.d/cacerts/NordVPN.pem
pi@raspberrypi:/etc $ cat /etc/ipsec.d/cacerts/NordVPN.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
pi@raspberrypi:/etc $ 

So yes it is still failing but I am not sure what is going on.

morpheusthewhite commented 4 years ago

On Ubuntu I am not able to replicate this error.

morpheusthewhite commented 4 years ago

I am not able to reproduce this even on a Raspbian VM

morpheusthewhite commented 4 years ago

Since this error depends most likely on NordVPN and ipsec, I cannot help you.

You'll probably find someone else with the same problem, like this one
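
Added example, not part of the thread or of nordpy: a small Python triage script that maps the charon messages quoted in this issue to what they mean for certificate trust and EAP authentication. The `triage` function, the rule names and the sample log are constructed here; the sample lines are modelled on the ones posted above, with a shortened plugin list.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the thread.
SAMPLE = """\
Feb 16 16:05:32 raspberrypi charon: 16[CFG] no issuer certificate found for "C=PA, O=NordVPN, CN=NordVPN CA4"
Feb 16 16:05:32 raspberrypi charon: 16[IKE] no trusted RSA public key found for 'us3628.nordvpn.com'
Feb 16 16:26:51 raspberrypi charon: 01[IKE] EAP_IDENTITY not supported, sending EAP_NAK
Feb 16 16:26:51 raspberrypi charon: 06[IKE] received EAP_FAILURE, EAP authentication failed
Feb 17 12:35:34 raspberrypi charon: 00[LIB] loaded plugins: charon aes x509 pem openssl stroke eap-identity eap-mschapv2
Feb 17 12:35:34 raspberrypi charon: 05[CFG] CA certificate "/etc/ipsec.d/cacerts/NordVPN.pem" not found, discarding CA constraint
"""

LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ charon: \d+\[(\w+)\]\s+(.*)$')
RULES = [  # (hypothetical rule name, pattern, meaning)
    ("untrusted_chain", re.compile(r'no issuer certificate found for "(.+)"'),
     "chain stops at a CA that is not in the local trust store"),
    ("no_trusted_key", re.compile(r"no trusted \w+ public key found for '(.+)'"),
     "peer certificate could not be validated against a trusted CA"),
    ("eap_identity_missing", re.compile(r'(EAP_IDENTITY) not supported, sending EAP_NAK'),
     "no EAP-Identity method loaded; the EAP exchange ends before password auth"),
    ("ca_constraint_dropped", re.compile(r'CA certificate "(.+)" not found, discarding CA constraint'),
     "connection is added without pinning the peer to the configured CA"),
]

def triage(log_text):
    """Return one finding per matching charon line, in log order."""
    findings, plugins = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("loaded plugins:"):
            plugins = set(msg.split(":", 1)[1].split())  # remember the latest plugin list
            continue
        for name, pattern, meaning in RULES:
            hit = pattern.search(msg)
            if not hit:
                continue
            finding = {"time": m.group(1), "rule": name, "subject": hit.group(1), "meaning": meaning}
            if name == "eap_identity_missing":
                # None means no "loaded plugins:" line was seen before this message
                finding["plugin_loaded"] = None if plugins is None else "eap-identity" in plugins
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["time"], f["rule"], f["subject"], "->", f["meaning"])
```

The `ca_constraint_dropped` finding is the one to watch from a trust standpoint: charon still adds the connection, but without the CA restriction the configuration asked for.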