
#1 2019-01-29 19:31:23

MrcJkb
Member
Registered: 2017-10-12
Posts: 23

[Solved] networkmanager-strongswan VPN connection to IKEv2-IPSec

Hi,

I've been attempting to create a client connection to a Zyxel USG60 router via VPN using IKEv2 and EAP/TLS and networkmanager-strongswan (an activation of the connection via a GUI is a criterion, since I will be setting the connection up for other devices if I am successful on my device).
Zyxel has tutorials on how to generate two CA certificates (one for Windows and one for MacOS). Their customer support told me they have no experience with any Linux distributions, but I should probably use the Mac certificate, since it is compatible with Strongswan on MacOS.

I have copied the certificate to /usr/share/ca-certificates/ and to /etc/ipsec.d/cacerts. Additionally, I have tried storing it as a trust anchor.

From the log (see below), it appears that it first attempts to use a trusted certificate whose signature does not match and then attempts to use the correct certificate, which is untrusted. I'm not sure I fully understand what is going on from the logs, though.

If someone has a better idea than me, I would be very grateful to hear from you!
P.S. I have replaced potentially sensitive info from the log with placeholders.

-- Logs begin at Mon 2019-01-28 20:24:45 CET, end at Tue 2019-01-29 20:12:47 CET. --
Jan 29 20:12:16 p40yoga NetworkManager[588]: <info>  [1548789136.9189] settings-connection[0x562a61e94aa0,588c5ab4-5525-4aff-866f-dd11a426ef02]: write: successfully commited (keyfile: update /etc/NetworkManager/system-connections/VS (588c5ab4-5525-4aff-866f-dd11a426ef02,"VS"))
Jan 29 20:12:37 p40yoga NetworkManager[588]: <info>  [1548789157.0683] settings-connection[0x562a61e94aa0,588c5ab4-5525-4aff-866f-dd11a426ef02]: write: successfully updated (keyfile: update /etc/NetworkManager/system-connections/VS (588c5ab4-5525-4aff-866f-dd11a426ef02,"VS"))
Jan 29 20:12:37 p40yoga audit[588]: USYS_CONFIG pid=588 uid=0 auid=4294967295 ses=4294967295 msg='op=connection-update uuid=588c5ab4-5525-4aff-866f-dd11a426ef02 name="VS" args=vpn.data pid=3509 uid=1000 result=success exe="/usr/bin/NetworkManager" hostname=? addr=? terminal=? res=success'
Jan 29 20:12:37 p40yoga NetworkManager[588]: <info>  [1548789157.0708] audit: op="connection-update" uuid="588c5ab4-5525-4aff-866f-dd11a426ef02" name="VS" args="vpn.data" pid=3509 uid=1000 result="success"
Jan 29 20:12:37 p40yoga kernel: audit: type=1111 audit(1548789157.067:167): pid=588 uid=0 auid=4294967295 ses=4294967295 msg='op=connection-update uuid=588c5ab4-5525-4aff-866f-dd11a426ef02 name="VS" args=vpn.data pid=3509 uid=1000 result=success exe="/usr/bin/NetworkManager" hostname=? addr=? terminal=? res=success'
Jan 29 20:12:42 p40yoga audit[588]: USYS_CONFIG pid=588 uid=0 auid=4294967295 ses=4294967295 msg='op=connection-activate uuid=588c5ab4-5525-4aff-866f-dd11a426ef02 name="VS" pid=3509 uid=1000 result=success exe="/usr/bin/NetworkManager" hostname=? addr=? terminal=? res=success'
Jan 29 20:12:42 p40yoga NetworkManager[588]: <info>  [1548789162.2409] audit: op="connection-activate" uuid="588c5ab4-5525-4aff-866f-dd11a426ef02" name="VS" pid=3509 uid=1000 result="success"
Jan 29 20:12:42 p40yoga kernel: audit: type=1111 audit(1548789162.237:168): pid=588 uid=0 auid=4294967295 ses=4294967295 msg='op=connection-activate uuid=588c5ab4-5525-4aff-866f-dd11a426ef02 name="VS" pid=3509 uid=1000 result=success exe="/usr/bin/NetworkManager" hostname=? addr=? terminal=? res=success'
Jan 29 20:12:42 p40yoga NetworkManager[588]: <info>  [1548789162.2490] vpn-connection[0x562a61ffc530,588c5ab4-5525-4aff-866f-dd11a426ef02,"VS",0]: Saw the service appear; activating connection
Jan 29 20:12:42 p40yoga NetworkManager[588]: <info>  [1548789162.2563] vpn-connection[0x562a61ffc530,588c5ab4-5525-4aff-866f-dd11a426ef02,"VS",0]: VPN connection: (ConnectInteractive) reply received
Jan 29 20:12:42 p40yoga charon-nm[3517]: 05[CFG] received initiate for NetworkManager connection VS
Jan 29 20:12:42 p40yoga charon-nm[3517]: 05[CFG] using CA certificate, gateway identity 'xxx.xxx.xxx.xxx'
Jan 29 20:12:42 p40yoga charon-nm[3517]: 05[IKE] initiating IKE_SA VS[12] to xxx.xxx.xxx.xxx
Jan 29 20:12:42 p40yoga charon-nm[3517]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 29 20:12:42 p40yoga charon-nm[3517]: 05[NET] sending packet: from 192.168.0.143[38166] to xxx.xxx.xxx.xxx[500] (1000 bytes)
Jan 29 20:12:42 p40yoga NetworkManager[588]: <info>  [1548789162.2592] vpn-connection[0x562a61ffc530,588c5ab4-5525-4aff-866f-dd11a426ef02,"VS",0]: VPN plugin: state changed: starting (3)
Jan 29 20:12:42 p40yoga charon-nm[3517]: 13[NET] received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.143[38166] (38 bytes)
Jan 29 20:12:42 p40yoga charon-nm[3517]: 13[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 29 20:12:42 p40yoga charon-nm[3517]: 13[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Jan 29 20:12:42 p40yoga charon-nm[3517]: 13[IKE] initiating IKE_SA VS[12] to xxx.xxx.xxx.xxx
Jan 29 20:12:42 p40yoga charon-nm[3517]: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 29 20:12:42 p40yoga charon-nm[3517]: 13[NET] sending packet: from 192.168.0.143[38166] to xxx.xxx.xxx.xxx[500] (1192 bytes)
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[NET] received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.143[38166] (669 bytes)
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HTTP_CERT_LOOK) CERTREQ V V V ]
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[ENC] received unknown vendor ID: c4:4f:ed:c7:49:f9:e6:ae:5b:04:ec:96:9c:b2:5d:69
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[ENC] received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:20:00
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[IKE] local host is behind NAT, sending keep alives
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[IKE] received cert request for "CN=xxx.xxx.xxx.xxx"
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[IKE] received 7 cert requests for an unknown ca
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[IKE] sending cert request for "CN=xxx.xxx.xxx.xxx"
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[IKE] establishing CHILD_SA VS{12}
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[NET] sending packet: from 192.168.0.143[57248] to xxx.xxx.xxx.xxx[4500] (320 bytes)
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.143[57248] (1376 bytes)
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[IKE] received end entity cert "CN=xxx.xxx.xxx.xxx, C=CH, L=X, O=Vs, OU=IT"
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[CFG]   using trusted certificate "CN=xxx.xxx.xxx.xxx"
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[IKE] signature validation failed, looking for another key
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[CFG]   using certificate "CN=xxx.xxx.xxx.xxx, C=CH, L=X, O=Vs, OU=IT"
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[CFG]   self-signed certificate "CN=xxx.xxx.xxx.xxx, C=CH, L=X, O=Vs, OU=IT" is not trusted
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[NET] sending packet: from 192.168.0.143[57248] to xxx.xxx.xxx.xxx[4500] (80 bytes)
Jan 29 20:12:45 p40yoga audit: MAC_IPSEC_EVENT op=SAD-delete auid=4294967295 ses=4294967295 src=xxx.xxx.xxx.xxx dst=192.168.0.143 spi=3381167428(0xc9888544) res=1
Jan 29 20:12:45 p40yoga audit[3517]: SYSCALL arch=c000003e syscall=44 success=yes exit=40 a0=8 a1=7f9c07ffe650 a2=28 a3=0 items=0 ppid=1 pid=3517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="charon-nm" exe="/usr/lib/strongswan/charon-nm" key=(null)
Jan 29 20:12:45 p40yoga audit: PROCTITLE proctitle="/usr/lib/strongswan/charon-nm"
Jan 29 20:12:45 p40yoga NetworkManager[588]: <warn>  [1548789165.5125] vpn-connection[0x562a61ffc530,588c5ab4-5525-4aff-866f-dd11a426ef02,"VS",0]: VPN plugin: failed: connect-failed (1)
Jan 29 20:12:45 p40yoga kernel: audit: type=1415 audit(1548789165.507:169): op=SAD-delete auid=4294967295 ses=4294967295 src=xxx.xxx.xxx.xxx dst=192.168.0.143 spi=3381167428(0xc9888544) res=1
Jan 29 20:12:45 p40yoga kernel: audit: type=1300 audit(1548789165.507:169): arch=c000003e syscall=44 success=yes exit=40 a0=8 a1=7f9c07ffe650 a2=28 a3=0 items=0 ppid=1 pid=3517 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="charon-nm" exe="/usr/lib/strongswan/charon-nm" key=(null)
Jan 29 20:12:45 p40yoga kernel: audit: type=1327 audit(1548789165.507:169): proctitle="/usr/lib/strongswan/charon-nm"
Jan 29 20:12:45 p40yoga NetworkManager[588]: <warn>  [1548789165.5136] vpn-connection[0x562a61ffc530,588c5ab4-5525-4aff-866f-dd11a426ef02,"VS",0]: VPN plugin: failed: connect-failed (1)
Jan 29 20:12:45 p40yoga NetworkManager[588]: <info>  [1548789165.5138] vpn-connection[0x562a61ffc530,588c5ab4-5525-4aff-866f-dd11a426ef02,"VS",0]: VPN plugin: state changed: stopping (5)
Jan 29 20:12:45 p40yoga NetworkManager[588]: <info>  [1548789165.5139] vpn-connection[0x562a61ffc530,588c5ab4-5525-4aff-866f-dd11a426ef02,"VS",0]: VPN plugin: state changed: stopped (6)

Last edited by MrcJkb (2019-01-30 08:52:46)

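The charon-nm lines above contain the whole failure chain: a harmless DH-group renegotiation (INVAL_KE), then an IKE_AUTH in which the configured trust anchor does not verify the gateway's signature and the gateway's own certificate turns out to be self-signed and untrusted, ending in AUTH_FAILED. The script below is an added example (not code from the thread or from strongSwan) that parses such journal lines and reduces them to a short diagnosis, so the pattern can be spotted without reading every line. The sample log is constructed from the post's own lines, with the poster's placeholders left in place.

```python
"""Triage charon-nm (strongSwan) journal lines for an IKEv2 client that fails
to authenticate the gateway. Added example, not from the original thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the decisive charon-nm lines from the post above,
# with the gateway address and DNs already replaced by the poster's placeholders.
SAMPLE_LOG = """\
Jan 29 20:12:42 p40yoga charon-nm[3517]: 13[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 29 20:12:42 p40yoga charon-nm[3517]: 13[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jan 29 20:12:43 p40yoga charon-nm[3517]: 06[IKE] received 7 cert requests for an unknown ca
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[IKE] received end entity cert "CN=xxx.xxx.xxx.xxx, C=CH, L=X, O=Vs, OU=IT"
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[CFG]   using trusted certificate "CN=xxx.xxx.xxx.xxx"
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[IKE] signature validation failed, looking for another key
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[CFG]   using certificate "CN=xxx.xxx.xxx.xxx, C=CH, L=X, O=Vs, OU=IT"
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[CFG]   self-signed certificate "CN=xxx.xxx.xxx.xxx, C=CH, L=X, O=Vs, OU=IT" is not trusted
Jan 29 20:12:45 p40yoga charon-nm[3517]: 07[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# charon-nm payload looks like "<thread>[<subsystem>] <message>"; other daemons are skipped.
CHARON_LINE = re.compile(r"charon-nm\[\d+\]: (\d+)\[(\w+)\]\s+(.*)$")
DH_RETRY = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
PROPOSAL = re.compile(r"selected proposal: (\S+)")
END_ENTITY = re.compile(r'received end entity cert "([^"]+)"')
TRUSTED = re.compile(r'using trusted certificate "([^"]+)"')
SELF_SIGNED = re.compile(r'self-signed certificate "([^"]+)" is not trusted')


@dataclass
class Diagnosis:
    dh_retry: Optional[Tuple[str, str]] = None      # (group offered, group requested by peer)
    proposal: Optional[str] = None                  # IKE proposal finally agreed
    end_entity_cert: Optional[str] = None           # DN the gateway presented
    tried_trusted: List[str] = field(default_factory=list)  # trust anchors charon tried
    signature_mismatch: bool = False                # an anchor did not sign the gateway cert
    untrusted_self_signed: Optional[str] = None     # gateway cert is self-signed and not configured
    auth_failed: bool = False                       # client sent N(AUTH_FAILED)


def charon_messages(text: str) -> List[Tuple[str, str]]:
    """Return (subsystem, message) for every charon-nm line in the journal text."""
    out = []
    for line in text.splitlines():
        m = CHARON_LINE.search(line)
        if m:
            out.append((m.group(2), m.group(3).strip()))
    return out


def diagnose(text: str) -> Diagnosis:
    """Walk the charon-nm messages and collect the facts relevant to gateway authentication."""
    d = Diagnosis()
    for _subsystem, msg in charon_messages(text):
        m = DH_RETRY.search(msg)
        if m:
            d.dh_retry = (m.group(1), m.group(2))
            continue
        m = PROPOSAL.search(msg)
        if m:
            d.proposal = m.group(1)
            continue
        m = END_ENTITY.search(msg)
        if m:
            d.end_entity_cert = m.group(1)
            continue
        m = TRUSTED.search(msg)
        if m:
            d.tried_trusted.append(m.group(1))
            continue
        if "signature validation failed" in msg:
            d.signature_mismatch = True
            continue
        m = SELF_SIGNED.search(msg)
        if m:
            d.untrusted_self_signed = m.group(1)
            continue
        if "N(AUTH_FAILED)" in msg:
            d.auth_failed = True
    return d


def classify(d: Diagnosis) -> str:
    """Map the collected facts to one short verdict string."""
    if not d.auth_failed:
        # A DH retry is benign only if the agreed proposal ends in the requested group.
        if d.dh_retry and not (d.proposal and d.proposal.endswith("/" + d.dh_retry[1])):
            return "dh_group_mismatch"
        return "no_auth_failure_seen"
    if d.untrusted_self_signed:
        return "gateway_cert_self_signed_and_untrusted"
    if d.signature_mismatch:
        return "trust_anchor_did_not_sign_gateway_cert"
    return "auth_failed_other"


def findings(d: Diagnosis) -> List[str]:
    """Human-readable explanation of the verdict."""
    out = []
    if d.dh_retry:
        out.append("DH group %s rejected by peer, renegotiated to %s (benign retry)" % d.dh_retry)
    if d.signature_mismatch and d.tried_trusted:
        out.append("trust anchor(s) %s did not sign the gateway certificate" % ", ".join(d.tried_trusted))
    if d.untrusted_self_signed:
        out.append("gateway presented self-signed certificate %r which is not configured as its "
                   "certificate; configure that exact certificate as the gateway certificate or "
                   "a CA that really issued it" % d.untrusted_self_signed)
    if d.auth_failed and not out:
        out.append("authentication failed for a reason not recognised by this triage")
    return out


if __name__ == "__main__":
    diag = diagnose(SAMPLE_LOG)
    print(classify(diag))
    for line in findings(diag):
        print(" -", line)
```

Running it on the sample yields the verdict `gateway_cert_self_signed_and_untrusted`, which is exactly the situation the poster describes: the anchor in cacerts does not match the gateway's signature, and the gateway's own certificate is self-signed and not configured where charon looks for it.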

#2 2019-01-30 08:52:06

MrcJkb
Member
Registered: 2017-10-12
Posts: 23

Re: [Solved] networkmanager-strongswan VPN connection to IKEv2-IPSec

Never mind. networkmanager-strongswan was still pointing to the local copy of the certificate, not the imported one. I solved the issue by selecting the imported certificate in /etc/ipsec.d/cacerts/Cert_for_Mac.crt in the networkmanager-strongswan UI.


#3 2019-01-31 13:53:20

MrcJkb
Member
Registered: 2017-10-12
Posts: 23

Re: [Solved] networkmanager-strongswan VPN connection to IKEv2-IPSec

Update: It stopped working again with the same log message. Maybe I was still connected to the company network and not my testing hotspot, so it only seemed like my solution worked.

I finally got it to work by moving the self-signed certificate to /etc/ipsec.d/certs (instead of cacerts).

Last edited by MrcJkb (2019-01-31 13:53:32)
