Issue #3345
NetworkManager-strongswan failed to detect EAP-GTC method
Description
Hi,
I tried NetworkManager-strongswan recently to connect to a IKEv2 VPN, it works well when I use the config file and commands to manually connect, but failed when I tried NetworkManager GUI.
- manjaro KDE
- strongswan 5.8.2
- NetworkManager-strongswan 1.4.5
The VPN use EAP-GTC
method to connect and I can connect without any problem in Windows and MacOS
journalctl -u NetworkManager |tail -n 1000 > log.txt 00[DMN] Starting charon NetworkManager backend (strongSwan 5.8.2) <info> [1582228337.3121] vpn-connection[0x560404b34150,b9c45984-eaab-4af5-82ef-bc15b752d72e,"New vpn connection",0]: Saw the service appear; activating connection 00[LIB] loaded plugins: nm-backend charon-nm ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl kernel-netlink socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap 00[LIB] dropped capabilities, running as uid 0, gid 0 00[JOB] spawning 16 worker threads 06[IKE] installed bypass policy for 172.17.0.0/16 06[IKE] installed bypass policy for 192.168.1.0/24 06[IKE] installed bypass policy for 192.168.56.0/24 06[KNL] received netlink error: Invalid argument (22) 06[KNL] unable to install source route for %any6 06[IKE] installed bypass policy for ::1/128 06[IKE] installed bypass policy for fe80::/64 06[IKE] interface change for bypass policy for fe80::/64 (from vboxnet0 to wlp58s0) <info> [1582228337.6028] audit: op="statistics" arg="refresh-rate-ms" pid=1361 uid=1000 result="success" 05[CFG] received initiate for NetworkManager connection New vpn connection 05[LIB] file coded in unknown format, discarded 05[LIB] building CRED_CERTIFICATE - X509 failed, tried 5 builders 05[CFG] loading CA certificate '/etc/ssl/certs/java/cacerts' failed 05[CFG] using CA certificate, gateway identity '<DELETED>' 05[IKE] initiating IKE_SA New vpn connection[1] to <DELETED> 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] 05[NET] sending packet: from 192.168.1.100[56354] to <DELETED>[500] (1000 bytes) <info> [1582228341.6634] vpn-connection[0x560404b34150,b9c45984-eaab-4af5-82ef-bc15b752d72e,"New vpn connection",0]: VPN plugin: state changed: starting (3) 10[NET] received packet: from <DELETED>[500] to 192.168.1.100[56354] (280 bytes) 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ] 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256 10[IKE] local host is behind NAT, sending keep alives 10[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3" ... 10[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2" 10[IKE] establishing CHILD_SA New vpn connection{1} 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS NBNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] 10[ENC] splitting IKE message (8688 bytes) into 8 fragments 10[ENC] generating IKE_AUTH request 1 [ EF(1/8) ] 10[ENC] generating IKE_AUTH request 1 [ EF(2/8) ] 10[ENC] generating IKE_AUTH request 1 [ EF(3/8) ] 10[ENC] generating IKE_AUTH request 1 [ EF(4/8) ] 10[ENC] generating IKE_AUTH request 1 [ EF(5/8) ] 10[ENC] generating IKE_AUTH request 1 [ EF(6/8) ] 10[ENC] generating IKE_AUTH request 1 [ EF(7/8) ] 10[ENC] generating IKE_AUTH request 1 [ EF(8/8) ] 10[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (1236 bytes) 10[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (1236 bytes) 10[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (1236 bytes) 10[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (1236 bytes) 10[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (1236 bytes) 10[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (1236 bytes) 10[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (1236 bytes) 10[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (532 bytes) 11[NET] received packet: from <DELETED>[4500] to 192.168.1.100[50376] (1236 bytes) 11[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ] 11[ENC] received fragment #1 of 3, waiting for complete IKE message 12[NET] received packet: from <DELETED>[4500] to 192.168.1.100[50376] (1236 bytes) 12[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ] 12[ENC] received fragment #2 of 3, waiting for complete IKE message 13[NET] received packet: from <DELETED>[4500] to 192.168.1.100[50376] (628 bytes) 13[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ] 13[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2960 bytes) 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ] 13[IKE] received end entity cert "CN=<DELETED>" 13[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" 13[CFG] using certificate "CN=<DELETED>" 13[CFG] using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" 13[CFG] checking certificate status of "CN=<DELETED>" 13[CFG] requesting ocsp status from 'http://ocsp.int-x3.letsencrypt.org' ... 13[LIB] libcurl request failed [28]: Connection timed out after 10000 milliseconds 13[CFG] ocsp request to http://ocsp.int-x3.letsencrypt.org failed 13[CFG] ocsp check failed, fallback to crl 13[CFG] certificate status is not available 13[CFG] using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3" 13[CFG] checking certificate status of "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" 13[CFG] requesting ocsp status from 'http://isrg.trustid.ocsp.identrust.com' ... 13[LIB] libcurl request failed [28]: Connection timed out after 10000 milliseconds 13[CFG] ocsp request to http://isrg.trustid.ocsp.identrust.com failed 13[CFG] ocsp check failed, fallback to crl 13[CFG] fetching crl from 'http://crl.identrust.com/DSTROOTCAX3CRL.crl' ... 13[CFG] using trusted certificate "O=Digital Signature Trust Co., CN=DST Root CA X3" 13[CFG] crl correctly signed by "O=Digital Signature Trust Co., CN=DST Root CA X3" 13[CFG] crl is valid: until Mar 07 01:46:18 2020 13[CFG] certificate status is good 13[CFG] certificate policy 2.23.140.1.2.1 for 'CN=<DELETED>' not allowed by trustchain, ignored 13[CFG] certificate policy 1.3.6.1.4.1.44947.1.1.1 for 'CN=<DELETED>' not allowed by trustchain, ignored 13[CFG] reached self-signed root ca with a path length of 1 13[IKE] authentication of 'CN=<DELETED>' with RSA_EMSA_PKCS1_SHA2_256 successful 13[IKE] server requested EAP_IDENTITY (id 0x00), sending '<DELETED>' 13[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ] 13[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (96 bytes) 16[NET] received packet: from <DELETED>[4500] to 192.168.1.100[50376] (80 bytes) 16[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ] 16[IKE] server requested EAP_PEAP authentication (id 0x01) 16[TLS] EAP_PEAP version is v0 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/PEAP ] 16[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (256 bytes) 08[NET] received packet: from <DELETED>[4500] to 192.168.1.100[50376] (1104 bytes) 08[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/PEAP ] 08[TLS] negotiated TLS 1.2 using suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 08[ENC] generating IKE_AUTH request 4 [ EAP/RES/PEAP ] 08[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (80 bytes) 07[NET] received packet: from <DELETED>[4500] to 192.168.1.100[50376] (1104 bytes) 07[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/PEAP ] 07[ENC] generating IKE_AUTH request 5 [ EAP/RES/PEAP ] 07[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (80 bytes) 10[NET] received packet: from <DELETED>[4500] to 192.168.1.100[50376] (1072 bytes) 10[ENC] parsed IKE_AUTH response 5 [ EAP/REQ/PEAP ] 10[TLS] server certificate does not match to 'CN=<DELETED>' 10[TLS] sending fatal TLS alert 'access denied' 10[ENC] generating IKE_AUTH request 6 [ EAP/RES/PEAP ] 10[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (96 bytes) 12[NET] received packet: from <DELETED>[4500] to 192.168.1.100[50376] (80 bytes) 12[ENC] parsed IKE_AUTH response 6 [ EAP/FAIL ] 12[IKE] received EAP_FAILURE, EAP authentication failed 12[ENC] generating INFORMATIONAL request 7 [ N(AUTH_FAILED) ] 12[NET] sending packet: from 192.168.1.100[50376] to <DELETED>[4500] (80 bytes) <warn> [1582228364.8063] vpn-connection[0x560404b34150,b9c45984-eaab-4af5-82ef-bc15b752d72e,"New vpn connection",0]: VPN plugin: failed: connect-failed (1) <warn> [1582228364.8065] vpn-connection[0x560404b34150,b9c45984-eaab-4af5-82ef-bc15b752d72e,"New vpn connection",0]: VPN plugin: failed: connect-failed (1) <info> [1582228364.8068] vpn-connection[0x560404b34150,b9c45984-eaab-4af5-82ef-bc15b752d72e,"New vpn connection",0]: VPN plugin: state changed: stopping (5) <info> [1582228364.8073] vpn-connection[0x560404b34150,b9c45984-eaab-4af5-82ef-bc15b752d72e,"New vpn connection",0]: VPN plugin: state changed: stopped (6)
I deleted a lot of the certificate try(I think it wont help a lot) in the middle and replace the IP and username with <DELETED>
I can make sure the password is correct, I can connect by console with it. It seems that the plugin use the wrong method to authenticate, when I use the config file and console I can see
server requested EAP_IDENTITY (id 0x00), sending '<DELETED>' generating IKE_AUTH request 2 [ EAP/RES/ID ] sending packet: from 192.168.1.100[4500] to <DELETED>[4500] (96 bytes) received packet: from <DELETED>[4500] to 192.168.1.100[4500] (80 bytes) parsed IKE_AUTH response 2 [ EAP/REQ/PEAP ] server requested EAP_PEAP authentication (id 0x01) requesting EAP_GTC authentication, sending EAP_NAK generating IKE_AUTH request 3 [ EAP/RES/NAK ] sending packet: from 192.168.1.100[4500] to <DELETED>[4500] (80 bytes) received packet: from <DELETED>[4500] to 192.168.1.100[4500] (96 bytes) parsed IKE_AUTH response 3 [ EAP/REQ/GTC ] server requested EAP_GTC authentication (id 0x02) generating IKE_AUTH request 4 [ EAP/RES/GTC ] sending packet: from 192.168.1.100[4500] to <DELETED>[4500] (96 bytes) received packet: from <DELETED>[4500] to 192.168.1.100[4500] (80 bytes) parsed IKE_AUTH response 4 [ EAP/SUCC ] EAP method EAP_GTC succeeded, no MSK established authentication of 'config' (myself) with EAP generating IKE_AUTH request 5 [ AUTH ] sending packet: from 192.168.1.100[4500] to <DELETED>[4500] (96 bytes) received packet: from <DELETED>[4500] to 192.168.1.100[4500] (256 bytes) parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ] authentication of '<DELETED>' with EAP successful@
in the end.
I find that the plugin claims to support EAP-GTC(https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager).
So is it a bug in the plugin(I cant find the settings in NetworkManager to manually change the method to EAP-GTC, only the EAP, perhaps it is auto-detected?) or there is something wrong in the server settings(But Windows and MacOS can connect automatically).
Any suggestions?
History
#1 Updated by Tobias Brunner over 2 years ago
- Description updated (diff)
- Status changed from New to Feedback
The VPN use EAP-GTC method to connect and I can connect without any problem in Windows and MacOS
These two things can't be related, because neither of the latter platforms actually supports EAP-GTC.
As you can see in the log, the problem is that the server requests EAP-PEAP and that the AAA server certificate validation fails:
16[IKE] server requested EAP_PEAP authentication (id 0x01) ... 10[TLS] server certificate does not match to 'CN=<DELETED>' 10[TLS] sending fatal TLS alert 'access denied'
If you don't want to use EAP-PEAP, but EAP-GTC, don't load the eap-peap plugin in charon-nm (see PluginLoad). Or configure the server to not request EAP-PEAP first.
#2 Updated by Xinzhe Wang over 2 years ago
Thanks for reply.
I think this is the problem but I have no access to server.
So I tried to disable the plugin with load_modular, make load=no in /etc/strongswan.d/charon/eap-peap.conf and load_modular = yes in /etc/strongswan.d/charon.conf
From swanctl --stats
or ipsec statusall
I can see the eap-peap is not loaded. But the log file in NetworkManager shows that charon-nm still load eap-peap plugin.
What else shall I configure or the only way is to recompile the strongswan.
#3 Updated by Tobias Brunner over 2 years ago
So I tried to disable the plugin with load_modular, make load=no in /etc/strongswan.d/charon/eap-peap.conf and load_modular = yes in /etc/strongswan.d/charon.conf
You need to change this for charon-nm (the NM backend) not charon (the regular IKE daemon). So you can't use the snippets in /etc/strongswan.d
.
But you also don't need to use modular plugin loading to disable a specific plugin. Just add the following to strongswan.conf:
charon-nm { plugins { eap-peap { load = no } } }
From
swanctl --stats
oripsec statusall
Both of these tools have no relation to charon-nm, which is configured by the NM plugin.
#4 Updated by Xinzhe Wang over 2 years ago
OK, I see.
Thanks a lot, after making eap-peap and eap-md5 disabled, I can connect successfully. Cheers!
#5 Updated by Tobias Brunner over 2 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required