I'm trying to connect to my Strongswan VPN server, compiled from 5.9.14.
I have it up on the server, and the client tries to connect, but the server never answers the call. I've checked the firewall and it is set to allow ports 500 and 4500. I've also tried to get it to log in higher detail, but it doesn't do that, or no entries are made in the system journal.
Generally, I'm at a loss and would appreciate any assistance. I've tried it with UFW up and down - no change.
The server is an Ubuntu 24.04.01 LTS.
Compile command:
./configure --prefix=/usr --sysconfdir=/etc --disable-defaults --enable-silent-rules --enable-charon --enable-systemd --enable-ikev2 --enable-vici --enable-swanctl --enable-nonce --enable-random --enable-drbg --enable-openssl --enable-curl --enable-pem --enable-x509 --enable-constraints --enable-revocation --enable-pki --enable-pubkey --enable-socket-default --enable-kernel-netlink --enable-resolve --enable-eap-identity --enable-eap-md5 --enable-eap-dynamic --enable-eap-tls --enable-updown --enable-tss-tss2 --enable-tpm
root@huginn:~/strongswan-5.9.14# service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-09-02 21:06:16 EDT; 10min ago
Process: 220846 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
Main PID: 220827 (charon-systemd)
Status: "charon-systemd running, strongSwan 5.9.14, Linux 6.8.0-41-generic, x86_64"
Tasks: 17 (limit: 9445)
Memory: 3.5M (peak: 6.1M)
CPU: 44ms
CGroup: /system.slice/strongswan.service
└─220827 /usr/sbin/charon-systemd
Sep 02 21:06:16 huginn swanctl[220846]: loaded certificate from '/etc/swanctl/x509ca/ca-chain.cert.pem'
Sep 02 21:06:16 huginn swanctl[220846]: loaded private key from '/etc/swanctl/private/vpn.server.org.key.pem'
Sep 02 21:06:16 huginn swanctl[220846]: loaded eap secret 'eap-user'
Sep 02 21:06:16 huginn swanctl[220846]: loaded authority 'Strongswan'
Sep 02 21:06:16 huginn swanctl[220846]: successfully loaded 1 authorities, 0 unloaded
Sep 02 21:06:16 huginn swanctl[220846]: loaded pool 'remote_pool'
Sep 02 21:06:16 huginn swanctl[220846]: successfully loaded 1 pools, 0 unloaded
Sep 02 21:06:16 huginn swanctl[220846]: loaded connection 'roadwarrior'
Sep 02 21:06:16 huginn swanctl[220846]: successfully loaded 1 connections, 0 unloaded
Sep 02 21:06:16 huginn systemd[1]: Started strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
logging.conf
charon-systemd {
journal {
default = 4
ike = 4
knl = 4
# ...
}
}
charon {
# two defined file loggers
filelog {
charon {
# path to the log file, specify this as section name in versions prior to 5.7.0
path = /var/log/charon.log
# add a timestamp prefix
time_format = %b %e %T
# prepend connection name, simplifies grepping
ike_name = yes
# overwrite existing files
append = yes
# increase default loglevel for all daemon subsystems
default = 2
# flush each line to disk
flush_line = yes
}
stderr {
# more detailed loglevel for a specific subsystem, overriding the
# default loglevel.
ike = 2
knl = 3
}
}
# and two loggers using syslog
syslog {
# prefix for each log message
identifier = charon-custom
# use default settings to log to the LOG_DAEMON facility
daemon {
}
# very minimalistic IKE auditing logs to LOG_AUTHPRIV
auth {
default = -1
ike = 0
}
}
# ...
}
connection.conf
#roadwarrior configuration
authorities {
Strongswan {
cacert = ca-chain.cert.pem
}
}
journal {
default = 4
ike = 4
knl = 4
# ...
}
connections {
roadwarrior {
pools = rw_pool
local {
auth = pubkey
certs = vpn.server.org.cert.pem
id = vpn.server.org
}
remote {
auth = pubkey
}
children {
roadwarrior {
# local_ts = 10.1.0.0/16
# local_ts = 0.0.0.0/0
local_ts = 0.0.0.0/0, ::/0
rekey_time = 0
}
}
}
}
}
client log (ubuntu desktop 24.04)
2024-09-02T19:32:04.323589-06:00 fafnir charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-09-02T19:32:04.323634-06:00 fafnir charon-nm: 05[NET] sending packet: from 192.168.30.50[46858] to 167.71.166.210[500] (972 bytes)
2024-09-02T19:32:08.324281-06:00 fafnir charon-nm: 12[IKE] retransmit 1 of request with message ID 0
2024-09-02T19:32:08.324342-06:00 fafnir charon-nm: 12[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:32:15.524583-06:00 fafnir charon-nm: 14[IKE] retransmit 2 of request with message ID 0
2024-09-02T19:32:15.524692-06:00 fafnir charon-nm: 14[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:32:28.485020-06:00 fafnir charon-nm: 09[IKE] retransmit 3 of request with message ID 0
2024-09-02T19:32:28.485079-06:00 fafnir charon-nm: 09[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:32:51.813298-06:00 fafnir charon-nm: 15[IKE] retransmit 4 of request with message ID 0
2024-09-02T19:32:51.813448-06:00 fafnir charon-nm: 15[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:33:04.247159-06:00 fafnir charon-nm[70214]: Connect timer expired, disconnecting.
2024-09-02T19:33:04.247220-06:00 fafnir charon-nm: 08[IKE] destroying IKE_SA in state CONNECTING without notification
2024-09-02T19:33:04.247899-06:00 fafnir charon-nm: 07[KNL] interface nm-xfrm-2751540 deactivated
2024-09-02T19:33:04.248785-06:00 fafnir charon-nm: 13[KNL] fe80::bddd:f33c:78f:5cd9 disappeared from nm-xfrm-2751540
4 Sep update.
My client is connecting via Starlink, which I understand has had issues with IPv4, so I reconfigured it for IPv6 based on the strongSwan test lab configuration for an IPv6 roadwarrior. I then ran tcpdump on the server while attempting to connect, which resulted in this:
02:42:11.805109 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:15.803606 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:23.008293 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:35.966303 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:59.299393 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431
I get nothing in the syslog for the client IP or for IKEV2 connections.
4 Sep update - ps -ef output
UID PID PPID C STIME TTY TIME CMD
root 1020 1 0 03:03 ? 00:00:00 /usr/sbin/charon-systemd
So the issue is/was that Ubuntu 24.04 was using the netfilter / nft firewall. A separate inet table had been created, which applies to both IPv4 and IPv6, but it was not modified by UFW or iptables commands.
This will list the rules with a position number.
Apply the rules below at a position at least above the last (drop) rule.
Adding the above rules above the last drop rule fixed the issue of the packets being dropped, regardless of the UFW and iptables rules accepting port 500.
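Added example, not part of the original post and not strongSwan's or Ubuntu's own tooling: a small POSIX shell check for the rule-ordering problem described above. It reads the text output of `nft -a list ruleset`, finds every chain in an `inet` table that is hooked on `input`, and reports the handle of that chain's last `drop` rule together with whether an `accept` for both UDP 500 and UDP 4500 appears before it. The two rulesets embedded below are constructed samples (table name `filter`, handle numbers) and are not the poster's actual firewall.

```shell
#!/bin/sh
# Added example: detect an nftables "inet" input chain that drops IKE traffic
# (UDP 500 / 4500) before any accept rule for it. Input format is the text
# output of `nft -a list ruleset`. The rulesets below are constructed samples.

# Constructed sample: no IKE accept rule at all before the final drop.
SAMPLE_BROKEN='table inet filter { # handle 1
	chain input { # handle 2
		type filter hook input priority filter; policy accept;
		ct state established,related accept # handle 3
		iif "lo" accept # handle 4
		tcp dport 22 accept # handle 5
		drop # handle 6
	}
}'

# Constructed sample: the same chain after inserting the IKE accept above the drop.
SAMPLE_FIXED='table inet filter { # handle 1
	chain input { # handle 2
		type filter hook input priority filter; policy accept;
		ct state established,related accept # handle 3
		iif "lo" accept # handle 4
		tcp dport 22 accept # handle 5
		udp dport { 500, 4500 } accept # handle 7
		drop # handle 6
	}
}'

# ike_rule_check RULESET_TEXT
# For each inet chain hooked on input, prints the handle of its last drop rule
# and whether an accept for both UDP 500 and UDP 4500 precedes that drop.
# Returns 0 when every such chain accepts IKE before dropping (or when there is
# no inet input chain at all), 1 otherwise.
ike_rule_check() {
    printf '%s\n' "$1" | awk '
    BEGIN { ok = 1 }
    /^table inet /  { inet = 1; table = $3; next }
    /^table /       { inet = 0; next }
    inet && /^[[:space:]]*chain [^[:space:]]+ [{]/ {
        chain = $2; hook = 0; ok500 = 0; ok4500 = 0; drophandle = ""; next
    }
    inet && /hook input/ { hook = 1; next }
    inet && hook && /# handle [0-9]+/ {
        h = $0; sub(/.*# handle /, "", h)
        # an accept only helps if no drop rule has been seen yet in this chain
        if ($0 ~ /udp dport/ && $0 ~ /accept/ && drophandle == "") {
            if ($0 ~ /(^|[^0-9])500([^0-9]|$)/)  ok500 = 1
            if ($0 ~ /(^|[^0-9])4500([^0-9]|$)/) ok4500 = 1
        }
        # a bare "drop" verdict (possibly with a match in front) ends the chain
        if ($0 ~ /(^|[[:space:]])drop[[:space:]]*#/) drophandle = h
        next
    }
    inet && hook && /^[[:space:]]*}/ {
        status = (ok500 && ok4500) ? "OK" : "MISSING"
        printf "%s/%s: last drop handle=%s, IKE accept before drop: %s\n", table, chain, (drophandle == "" ? "none" : drophandle), status
        if (status == "MISSING") ok = 0
        hook = 0
    }
    END { exit ok ? 0 : 1 }'
}

# Stand-alone demo: the broken sample fails the check, the fixed one passes.
for rs in "$SAMPLE_BROKEN" "$SAMPLE_FIXED"; do
    if ike_rule_check "$rs"; then echo "  -> IKE reachable"; else echo "  -> IKE blocked"; fi
done
```

On the server itself, run it against the live ruleset as root with `ike_rule_check "$(nft -a list ruleset)"`. The handle it prints is the one to use with `nft insert rule inet <table> input position <handle> udp dport { 500, 4500 } accept`, which places the accept before the rule with that handle; `<table>` is whatever name your ruleset shows (the sample above assumes `filter`). Because the check only looks at `inet` tables, it deliberately ignores the `ip`/`ip6` tables that UFW and iptables manage, which is exactly the gap the post describes.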