
#1 2020-04-10 02:35:42

bbus
Member
Registered: 2019-03-14
Posts: 49

[SOLVED] strongswan swanctl as vpn client, wrong external public ip

Having trouble getting my vpn connection to give me a public ip address associated with the VPN gateway using netctl and swanctl.
Everything works fine if I use NetworkManager and its networkmanager-strongswan component.

I can successfully connect to the VPN using swanctl, while using netctl for my local wifi connection, but ipleak.org shows my ISP, not my university's address.

VPN gateway is at my university, the instructions they have provided are for networkmanager on ubuntu, which I replicated in Arch, and it all works, as I said:

Install the following dependencies:
- network-manager-strongswan
- libstrongswan-extra-plugins
- libcharon-extra-plugins

Configuration on Debian-based distributions
1. Open your desktop's Network Manager application and edit its connections.
2. Add a new VPN connection using IPsec-based VPN (strongswan)
    a. Set the Connection Name to schoolvpn
    b. Set Gateway: to vpn.myuniversity.edu
    c. Set Authentication to EAP
    d. Enter your Username
    e. Enter your Password (or leave blank to be prompted when you connect)
    f. Under Options select only Request an inner IP address and Enforce UDP encapsulation
3. Click OK

I (presumably) only needed networkmanager and networkmanager-strongswan on Arch.
The VPN worked with those two packages.

$ uname -a
Linux nemesis 5.6.3-arch1-1 #1 SMP PREEMPT Wed, 08 Apr 2020 07:47:16 +0000 x86_64 GNU/Linux

$ sudo swanctl --version
plugin 'mysql' failed to load: libmariadb.so.3: cannot open shared object file: No such file or directory
strongSwan swanctl 5.8.2

$ NetworkManager --version
1.22.10-1

When I use NetworkManager, together with networkmanager-strongswan, I get the following ip addresses and tables:

fresh boot

# connected via network manager, pre vpn

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
    altname wlp3s0
    inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
       valid_lft 86372sec preferred_lft 86372sec
    inet6 fe80::3dd6:f5f8:2922:156d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
----------------------------------------------------------------------------------------------
$ sudo ip route list table 220
Error: ipv4: FIB table does not exist.
Dump terminated
----------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
----------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600


# ==========
# connected via network manager and vpn via nm-strongswan

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
    altname wlp3s0
    inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
       valid_lft 86246sec preferred_lft 86246sec
    inet 10.9.143.79/32 scope global wls3
       valid_lft forever preferred_lft forever
    inet6 fe80::3dd6:f5f8:2922:156d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
----------------------------------------------------------------------------------------------
$ sudo ip route list table 220
default via 192.168.1.1 dev wls3 proto static src 10.9.143.79
192.168.1.0/24 dev wls3 proto static src 192.168.1.5
----------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
----------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600

When I use netctl and swanctl, I get the following ip addresses and tables:

fresh boot

# ==========
# pre vpn up


$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
    altname wlp3s0
    inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
       valid_lft 86357sec preferred_lft 75557sec
    inet6 fe80::21f:3bff:fe7c:b403/64 scope link
       valid_lft forever preferred_lft forever
-------------------------------------------------------------------------------------------
$ sudo ip route list table 220
Error: ipv4: FIB table does not exist.
Dump terminated
-------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
-------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
-------------------------------------------------------------------------------------------

# =======================
# post vpn up with swanctl


$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
    altname wlp3s0
    inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
       valid_lft 86295sec preferred_lft 75495sec
    inet 10.9.143.15/32 scope global wls3
       valid_lft forever preferred_lft forever
    inet6 fe80::21f:3bff:fe7c:b403/64 scope link
       valid_lft forever preferred_lft forever
-------------------------------------------------------------------------------------------
$ sudo ip route list table 220
192.168.1.0/24 dev wls3 proto static src 192.168.1.5
124.213.93.73 via 192.168.1.1 dev wls3 proto static src 10.9.143.15
-------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
-------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303

I understand that netctl probably isn't part of any component that is breaking. I just want to be clear that I switched network tools as well.
Actually, now that I say that, I will test NetworkManager for my wifi connection, and swanctl for my vpn.

Here are results:

fresh boot

# connected via network manager, pre vpn

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
    altname wlp3s0
    inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
       valid_lft 86376sec preferred_lft 86376sec
    inet6 fe80::3dd6:f5f8:2922:156d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
-------------------------------------------------------------------------------------------
$ sudo ip route list table 220
192.168.1.0/24 dev wls3 proto static src 192.168.1.5
-------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
-------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600


# ============
# enabled swanctl connection profile

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 00:e1:5e:0f:a8:5f brd ff:ff:ff:ff:ff:ff
3: wls3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:94:a6:a7:d0:f5 brd ff:ff:ff:ff:ff:ff
    altname wlp3s0
    inet 192.168.1.5/24 brd 192.168.1.255 scope global dynamic noprefixroute wls3
       valid_lft 86263sec preferred_lft 86263sec
    inet 10.5.126.28/32 scope global wls3
       valid_lft forever preferred_lft forever
    inet6 fe80::3dd6:f5f8:2922:156d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
-------------------------------------------------------------------------------------------
$ sudo ip route list table 220
192.168.1.0/24 dev wls3 proto static src 192.168.1.5
124.213.93.73 via 192.168.1.1 dev wls3 proto static src 10.5.126.28
-------------------------------------------------------------------------------------------
$ sudo ip route list
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600
-------------------------------------------------------------------------------------------
$ sudo ip route show
default via 192.168.1.1 dev wls3 proto dhcp metric 600
192.168.1.0/24 dev wls3 proto dhcp scope link src 192.168.1.5 metric 303
192.168.1.0/24 dev wls3 proto kernel scope link src 192.168.1.5 metric 600

Just noticed that ip route list table 220 only gets populated once I run systemctl start strongswan.service.
That is the difference between the two different "pre" sections of netctl with swanctl and NetworkManager with swanctl.

Here is my swanctl.conf.
I retrieved the server certificate by navigating to the address in the browser, then "inspecting" the security, and downloading it.
A friend of mine taught me that trick. He is on openSUSE, and copied it into the ipsec.d/cacerts directory, so I figured it's as good as any.
Though, I think strongswan defaults to using /etc/strongswan/x509 or something?

# Section defining IKE connection configurations.
connections {

    # Section for an IKE connection named <conn>.
    # <conn> {
    ikev2profile {

        # IKE major version to use for connection.
        # version = 0
        version = 2

        # Remote address(es) to use for IKE communication, comma separated.
        # remote_addrs = %any
        remote_addrs = vpn.myuniversity.edu

        # Virtual IPs to request in configuration payload / Mode Config.
        # vips =
        vips = 0.0.0.0

        # Enforce UDP encapsulation by faking NAT-D payloads.
        # encap = no
        encap = yes

        # Section for a local authentication round.
        # local<suffix> {
        local {

            # Authentication to perform locally (pubkey, psk, xauth[-backend] or
            # eap[-method]).
            # auth = pubkey
            auth = eap-mschapv2

            # Client EAP-Identity to use in EAP-Identity exchange and the EAP
            # method.
            # eap_id = id
            eap_id = my_username
        }

        # Section for a remote authentication round.
        # remote<suffix> {
        remote {

            # cert<suffix> {
            cert {

                # Absolute path to the certificate to load.
                # file =
                file = /etc/ipsec.d/cacerts/university_vpn_cert.crt
            }
        }

        # children {
        children {

            # CHILD_SA configuration sub-section.
            # <child> {
            ikev2profile {

                # Whether to install outbound FWD IPsec policies or not.
                # policies_fwd_out = no
                policies_fwd_out = yes
            }
        }
    }
}

# Section defining secrets for IKE/EAP/XAuth authentication and private key
# decryption.
# secrets {
secrets {

    # EAP secret section for a specific secret.
    # eap<suffix> {
    eap {
        # Value of the EAP/XAuth secret.
        # secret =
        secret = my_password

        # Identity the EAP/XAuth secret belongs to.
        # id<suffix> =
        id = my_username
    }
}

# Include config snippets
include conf.d/*.conf

I've tried policies_fwd_out equal to "yes" and "no" but it doesn't seem to make any difference.

Here is the output of running sudo swanctl -i -c ikev2profile:
$ sudo swanctl -i -c ikev2profile
plugin 'mysql' failed to load: libmariadb.so.3: cannot open shared object file: No such file or directory
[IKE] initiating IKE_SA ikev2profile[1] to 124.213.93.73
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.1.5[500] to 124.213.93.73[500] (856 bytes)
[NET] received packet: from 124.213.93.73[500] to 192.168.1.5[500] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
[IKE] initiating IKE_SA ikev2profile[1] to 124.213.93.73
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.1.5[500] to 124.213.93.73[500] (1048 bytes)
[NET] received packet: from 124.213.93.73[500] to 192.168.1.5[500] (424 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[CFG] no IDi configured, fall back on IP address
[IKE] establishing CHILD_SA ikev2profile{1}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.1.5[4500] to 124.213.93.73[4500] (400 bytes)
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (1124 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(1/5) ]
[ENC] received fragment #1 of 5, waiting for complete IKE message
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (1124 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(2/5) ]
[ENC] received fragment #2 of 5, waiting for complete IKE message
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (1124 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(3/5) ]
[ENC] received fragment #3 of 5, waiting for complete IKE message
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (1124 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(4/5) ]
[ENC] received fragment #4 of 5, waiting for complete IKE message
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (196 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(5/5) ]
[ENC] received fragment #5 of 5, reassembled fragmented IKE message (4416 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT CERT AUTH EAP/REQ/ID ]
[IKE] received end entity cert "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"
[IKE] received issuer cert "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"
[IKE] received issuer cert "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
[CFG]   using untrusted intermediate certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"
[CFG] checking certificate status of "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"
[CFG]   requesting ocsp status from 'http://ocsp.digicert.com' ...
[CFG] nonce in ocsp response doesn't match
[CFG] ocsp check failed, fallback to crl
[CFG]   fetching crl from 'http://crl3.digicert.com/sha2-ha-server-g6.crl' ...
[CFG]   using certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"
[CFG]   using untrusted intermediate certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
[CFG]   self-signed certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA" is not trusted
[CFG] crl response verification failed
[CFG]   fetching crl from 'http://crl4.digicert.com/sha2-ha-server-g6.crl' ...
[CFG]   using certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"
[CFG]   using untrusted intermediate certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
[CFG]   self-signed certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA" is not trusted
[CFG] crl response verification failed
[CFG] certificate status is not available
[CFG]   reached self-signed root ca with a path length of 0
[CFG]   using trusted certificate "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"
[IKE] authentication of 'C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu' with RSA signature successful
[IKE] server requested EAP_IDENTITY (id 0x2E), sending 'my_username'
[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
[NET] sending packet: from 192.168.1.5[4500] to 124.213.93.73[4500] (96 bytes)
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (112 bytes)
[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
[IKE] server requested EAP_MSCHAPV2 authentication (id 0x2F)
[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from 192.168.1.5[4500] to 124.213.93.73[4500] (144 bytes)
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (128 bytes)
[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
[IKE] EAP-MS-CHAPv2 succeeded: '(null)'
[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from 192.168.1.5[4500] to 124.213.93.73[4500] (80 bytes)
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[IKE] authentication of '192.168.1.5' (myself) with EAP
[ENC] generating IKE_AUTH request 5 [ AUTH ]
[NET] sending packet: from 192.168.1.5[4500] to 124.213.93.73[4500] (112 bytes)
[NET] received packet: from 124.213.93.73[4500] to 192.168.1.5[4500] (352 bytes)
[ENC] parsed IKE_AUTH response 5 [ IDr AUTH CPRP(ADDR DNS DNS) N(MSG_ID_SYN_SUP) SA TSi TSr ]
[IKE] authentication of 'C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu' with EAP successful
[IKE] IKE_SA ikev2profile[1] established between 192.168.1.5[192.168.1.5]...124.213.93.73[C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu]
[IKE] scheduling rekeying in 14035s
[IKE] maximum IKE_SA lifetime 15475s
[IKE] installing DNS server 124.213.93.2 via resolvconf
[IKE] installing DNS server 124.213.78.2 via resolvconf
[IKE] installing new virtual IP 10.9.143.15
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
[IKE] CHILD_SA ikev2profile{1} established with SPIs cefefe38_i fbf5179d_o and TS 10.9.143.15/32 === 124.213.93.73/32
initiate completed successfully

My thought is that my ip tables just aren't configured correctly. On the strongswan site, I read somewhere that strongswan automatically sends/sets (?) the tables. I was looking at some of their example swanctl.conf files, and found an example that had:

updown = /usr/local/libexec/ipsec/_updown iptables

in the "children.connection" section. I wonder if I missed something somewhere on that I need a script to set my tables for the behavior I want. I'm not sure.

The output also says it installs DNS servers, so maybe the problem is there, but I'm inclined to think it is in the tables since NM and swanctl produce different tables.

Any ideas or suggestions on changes to make it so ipleak.org correctly only sees my university's public IP?
As stated, the behavior is correct with NetworkManager and NM-strongswan. But I prefer to use netctl, and would like to learn swanctl more.

Reason this is important is academic journal websites aren't letting me read papers if they don't see my university's ip address. As it stands, if I use my swanctl profile, they see my home public address, not that I'm vpn'ed into my school.

Thanks in advance

Note: I changed, methodically, the ip and mac addresses in the logs. Not sure if this is necessary, but I made sure to do it carefully, preserving the look of similar subnets, etc.
124.213.93.73 is analogous to my university's public ip
10.9.143.15 ~ the ip address assigned to my computer when I'm physically on campus, and also the virtual ip assigned via VPN
192.168.1.5 ~ my computer's ip on my home wifi network (I've set it static at the router)

Last edited by bbus (2020-04-10 08:51:23)
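What the route table and the CHILD_SA line in the post above actually say, as an added example (the script is not from the post, from Arch, or from strongSwan): strongSwan only tunnels traffic that matches a CHILD_SA's traffic selectors. "TS 10.9.143.15/32 === 124.213.93.73/32" means the only remote selector is the gateway itself, which is why table 220 holds a host route to 124.213.93.73 and no default route, and why every other packet leaves through the main table's default route and shows the ISP address. The script parses those two outputs and reports whether the tunnel is full or gateway-only. The first sample input is the post's own lines; the second is a constructed pair showing what a 0.0.0.0/0 remote selector yields, with table 220 lines modelled on the NetworkManager/strongSwan output in the same post.

```python
"""Added example (not from the forum post): decide whether a strongSwan
client tunnel is "full" or "gateway-only" from two outputs the post shows:
the CHILD_SA line printed by `swanctl -i` and `ip route list table 220`.
Only the remote traffic selectors (TSr) are consulted, because they are the
IPsec policy; any destination outside them is routed by the main table."""
import ipaddress
import re

# "[IKE] CHILD_SA name{1} established with SPIs x_i y_o and TS <local> === <remote>"
TS_RE = re.compile(r"CHILD_SA \S+ established with SPIs .* and TS (.+?) === (.+)$")


def parse_remote_ts(log_text):
    """Return the remote traffic selectors of the first established CHILD_SA."""
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if m:
            # strongSwan prints several selectors separated by whitespace
            return [ipaddress.ip_network(s) for s in re.split(r"[\s,]+", m.group(2).strip())]
    raise ValueError("no 'CHILD_SA ... established' line in log")


def covers_everything(selectors, version=4):
    """True if some selector of that IP version is 0.0.0.0/0 (or ::/0)."""
    return any(n.version == version and n.prefixlen == 0 for n in selectors)


def table220_has_default(route_text):
    """True if strongSwan's routing table (220) carries a default route."""
    return any(line.split()[:1] == ["default"]
               for line in route_text.splitlines() if line.strip())


def diagnose(log_text, route_text):
    """Combine the policy view (TSr) with the routing view (table 220)."""
    selectors = parse_remote_ts(log_text)
    full = covers_everything(selectors, 4)
    has_default = table220_has_default(route_text)
    if full and has_default:
        verdict = "full tunnel: all IPv4 traffic is sent to the gateway"
    elif not full:
        verdict = ("gateway-only: only traffic to %s is tunnelled; everything else "
                   "leaves via the main table's default route (ISP address)"
                   % ", ".join(str(n) for n in selectors))
    else:
        verdict = "inconsistent: remote_ts covers 0.0.0.0/0 but table 220 has no default route"
    return {"remote_ts": [str(n) for n in selectors],
            "full_tunnel_v4": full, "table220_default": has_default,
            "verdict": verdict}


# Sample 1: lines copied from the post (original swanctl.conf, no remote_ts).
POST_LOG = (
    "[IKE] installing new virtual IP 10.9.143.15\n"
    "[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ\n"
    "[IKE] CHILD_SA ikev2profile{1} established with SPIs cefefe38_i fbf5179d_o "
    "and TS 10.9.143.15/32 === 124.213.93.73/32\n"
)
POST_TABLE220 = (
    "192.168.1.0/24 dev wls3 proto static src 192.168.1.5\n"
    "124.213.93.73 via 192.168.1.1 dev wls3 proto static src 10.9.143.15\n"
)

# Sample 2 (constructed): what remote_ts = 0.0.0.0/0 yields; the table 220
# lines mirror the NetworkManager/strongSwan output shown in the same post.
FIXED_LOG = (
    "[IKE] CHILD_SA ikev2profile{1} established with SPIs 0a0b0c0d_i 01020304_o "
    "and TS 10.9.143.15/32 === 0.0.0.0/0\n"
)
FIXED_TABLE220 = (
    "default via 192.168.1.1 dev wls3 proto static src 10.9.143.15\n"
    "192.168.1.0/24 dev wls3 proto static src 192.168.1.5\n"
)

if __name__ == "__main__":
    for name, log, table in (("original", POST_LOG, POST_TABLE220),
                             ("fixed", FIXED_LOG, FIXED_TABLE220)):
        print(name + ":", diagnose(log, table)["verdict"])
```

The point of checking both views is that a default route in table 220 without a matching 0.0.0.0/0 selector (or the reverse) means the tunnel is not doing what the config suggests; a public-IP check site only tells you the symptom.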


#2 2020-04-10 08:43:30

bbus
Member
Registered: 2019-03-14
Posts: 49

Re: [SOLVED] strongswan swanctl as vpn client, wrong external public ip

I found the examples at https://wiki.strongswan.org/projects/st … leExamples, and comparing mine to the one they have for eap-mschapv2, I was missing remote_ts = 0.0.0.0/0.
I had understood from the documentation that it was optional, that is, I thought the default value of dynamic would give the correct behavior.
The example had it set to zeros, so I gave it a shot, and voila. It worked. ipleak.org and ipleak.net both report my university's ip and I can access academic journals. Here is my new

swanctl.conf:

connections {
    ikev2profile {
        # IKE major version to use for connection.
        version = 2

        remote_addrs = vpn.myuniversity.edu
        vips = 0.0.0.0, ::
        encap = yes

        local {
            auth = eap-mschapv2
            eap_id = my_username
        }

        remote {
            certs = /etc/swanctl.d/certs/university_vpn_cert.crt
        }

        children {
            ikev2profile {
                remote_ts = 0.0.0.0/0,::/0

                # Updown script to invoke on CHILD_SA up and down events.
                #updown = /usr/lib/strongswan/_updown iptables
            }
        }
    }
}

secrets {
    eap {
        secret = my_password
        id = my_username
    }
}

# Include config snippets
include conf.d/*.conf

Note:
For others who may be confused -- Many of the examples, and questions from others on different distros often reference an updown script at:

/usr/local/libexec/ipsec/_updown

Arch does not have a libexec directory, at least not when you've only installed strongswan on your machine. I'm not sure if it is a legacy location. Strongswan moved from ipsec.conf to swanctl.conf recently-ish, and maybe it was that way, back in the day. I don't know.
Either way, you can now find it at:

/usr/lib/strongswan/_updown

One other modification I made: it seems upstream prefers /etc/swanctl.d/ for "imported" certs if you will. At least one spot on the strongswan site said a ca cert for the gateway should go in /etc/swanctl.d/cacerts/, so I extrapolated that and put the gateway cert in /etc/swanctl.d/certs/. Seemed reasonable. If someone comes across this and finds/knows better, please update. Thanks!

One day I may get around to editing the strongswan wiki page. It lacks info on the client side. Yes, there is info at strongswan.org, but it is dense. imho

Last edited by bbus (2020-04-10 08:45:51)
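One thing the working config above still carries over from the first post, noted here as an added example (the script is mine, not from the post or from strongSwan): the gateway was authenticated because the downloaded end-entity certificate itself was the trust anchor ("using trusted certificate ... CN=vpn.myuniversity.edu", "reached self-signed root ca with a path length of 0"), not because the chain reached a trusted CA (the DigiCert root is logged as "not trusted"), and both the OCSP and CRL lookups failed, so the handshake continued with "certificate status is not available". Pinning the leaf works until the gateway renews its certificate. The durable setup is to install the issuing CA certificate named in the log as a CA certificate (swanctl's documented default directory is /etc/swanctl, with CA certificates under x509ca; that Arch follows this layout is an assumption) and to set remote.id = vpn.myuniversity.edu so the gateway identity is checked against that chain. The script extracts these facts from the log text; the first sample is an excerpt of the first post's log, the second is a constructed log of a CA-anchored handshake.

```python
"""Added example (not from the forum post): audit the certificate-validation
lines strongSwan prints during IKE_AUTH to see what the client actually
trusted. Input is the [IKE]/[CFG] log text from `swanctl -i`."""
import re

END_ENTITY = re.compile(r'received end entity cert "([^"]+)"')
# "using trusted certificate" (a pinned end-entity cert) or
# "using trusted ca certificate" (a CA from the x509ca store)
TRUSTED = re.compile(r'using trusted (?:ca )?certificate "([^"]+)"')
UNTRUSTED_ROOT = re.compile(r'self-signed certificate "([^"]+)" is not trusted')
PATH_LEN = re.compile(r'reached self-signed root ca with a path length of (\d+)')
STATUS_UNAVAILABLE = "certificate status is not available"


def first(pattern, text):
    m = pattern.search(text)
    return m.group(1) if m else None


def audit_chain(log_text):
    """Report trust anchor, chain validation and revocation outcome."""
    end_entity = first(END_ENTITY, log_text)
    trusted = first(TRUSTED, log_text)
    untrusted_root = first(UNTRUSTED_ROOT, log_text)
    path_len = first(PATH_LEN, log_text)
    # Trust anchor equal to the peer's own certificate: the leaf is pinned.
    leaf_pinned = trusted is not None and trusted == end_entity
    # A chain of length > 0 with no "not trusted" root means a CA anchored it.
    root_trusted = untrusted_root is None and path_len is not None and int(path_len) > 0
    revocation_checked = STATUS_UNAVAILABLE not in log_text
    findings = []
    if leaf_pinned:
        findings.append("trust anchor is the gateway's own end-entity certificate (%s); "
                        "this stops working when the gateway renews it" % end_entity)
    if untrusted_root is not None:
        findings.append("chain not validated to a trusted root: %s is not in the CA store"
                        % untrusted_root)
    if not revocation_checked:
        findings.append("OCSP/CRL status unavailable; the handshake continued "
                        "without a revocation check")
    return {"end_entity": end_entity, "trust_anchor": trusted,
            "leaf_pinned": leaf_pinned, "root_trusted": root_trusted,
            "revocation_checked": revocation_checked, "findings": findings}


# Sample 1: excerpt of the log in the first post.
POST_LOG_EXCERPT = "\n".join([
    '[IKE] received end entity cert "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"',
    '[IKE] received issuer cert "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"',
    '[IKE] received issuer cert "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"',
    '[CFG]   using untrusted intermediate certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"',
    '[CFG] checking certificate status of "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"',
    "[CFG] nonce in ocsp response doesn't match",
    '[CFG] ocsp check failed, fallback to crl',
    '[CFG]   self-signed certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA" is not trusted',
    '[CFG] crl response verification failed',
    '[CFG] certificate status is not available',
    '[CFG]   reached self-signed root ca with a path length of 0',
    '[CFG]   using trusted certificate "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"',
    "[IKE] authentication of 'C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu' with RSA signature successful",
])

# Sample 2 (constructed): the same gateway validated against an installed CA.
CA_ANCHORED_LOG = "\n".join([
    '[IKE] received end entity cert "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"',
    '[IKE] received issuer cert "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"',
    '[CFG]   using certificate "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"',
    '[CFG]   using untrusted intermediate certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA"',
    '[CFG] checking certificate status of "C=US, ST=State, L=City, O=My University, CN=vpn.myuniversity.edu"',
    '[CFG] certificate status is good',
    '[CFG]   using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"',
    '[CFG]   reached self-signed root ca with a path length of 1',
])

if __name__ == "__main__":
    for name, log in (("post", POST_LOG_EXCERPT), ("ca-anchored", CA_ANCHORED_LOG)):
        print(name + ":", audit_chain(log)["findings"] or ["no findings"])
```

Run it against the full output of swanctl -i after changing the certificate setup; an empty findings list with root_trusted set is what a CA-anchored, revocation-checked connection looks like.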

