/qubes-issues

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IKEv2 VPN does not change to remote IP address on fedora based VMs #3568

Open
Polygonbugs opened this Issue Feb 11, 2018 · 2 comments

Comments

Assignees
No one assigned
Labels
Projects
None yet
Milestone
  Release 3.2 updates
2 participants
@Polygonbugs @andrewdavidwong
@Polygonbugs

Polygonbugs commented Feb 11, 2018
edited
Edited 3 times
  • @Polygonbugs Polygonbugs edited Feb 11, 2018 (most recent)
  • @Polygonbugs Polygonbugs edited Feb 11, 2018
  • @Polygonbugs Polygonbugs edited Feb 11, 2018

Qubes OS version:

R3.2

Affected TemplateVMs:

fedora-26, fedora-26-minimal (PV domains)

Steps to reproduce the behavior:

Fedora VPN setup

  1. sudo dnf install -y strongswan

  2. cd /etc/strongswan

  3. sudo gedit ipsec.conf
    -add config for VPN server

  4. sudo gedit ipsec.secrets
    -add credential

  5. sudo rm -rf ./ipsec.d/cacerts

  6. sudo wget https://www.digicert.com/CACerts/DigiCertECCSecureServerCA.crt -O /etc/ssl/certs/DigiCertECCSecureServerCA.crt

  7. sudo wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt -O /etc/ssl/certs/DigiCertHighAssuranceEVRootCA.crt

  8. sudo wget https://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt -O /etc/ssl/certs/DigiCertGlobalRootCA.crt

  9. sudo cp /etc/ssl/certs/* ./ipsec.d/cacerts

  10. sudo strongswan restart

  11. sudo strongswan up vpn

Expected behavior:

VPN is established successfully and Public IP is changed to remote server.

Actual behavior:

VPN is established successfully but Public IP is not changed.

General notes:

Same VPN server is established succesfully and get server IP on HVM linux such as Linux Mint. Does Qubes need additional IP routing to change? I use default route settings of strongswan.conf. Or additional package needed?

@Polygonbugs Polygonbugs changed the title from IKEv2 VPN does not change remote IP address on fedora based VMs to IKEv2 VPN does not change to remote IP address on fedora based VMs Feb 11, 2018

@Polygonbugs

This comment has been minimized.

Show comment
Hide comment
@Polygonbugs

Polygonbugs Feb 11, 2018

Checked that debian-9 template is also not working properly liked as mentioned above.

Polygonbugs commented Feb 11, 2018
edited
Edited 1 time
  • @Polygonbugs Polygonbugs edited Feb 11, 2018 (most recent)

Checked that debian-9 template is also not working properly liked as mentioned above.

@andrewdavidwong andrewdavidwong added bug C: Fedora labels Feb 11, 2018

@andrewdavidwong andrewdavidwong added this to the Release 3.2 updates milestone Feb 11, 2018

@Polygonbugs

This comment has been minimized.

Show comment
Hide comment
@Polygonbugs

Polygonbugs Mar 9, 2018

Same server OpenVPN works in PV mode machine. Could anybody test IKEv2 protocol on 4.0-rc5 which run PVH mode by default? I know that OpenVPN doesn't need kernel for this but IKEv2 dependent on it. See "https://openvpn.net/index.php/open-source/339-why-ssl-vpn.html"

Polygonbugs commented Mar 9, 2018

Same server OpenVPN works in PV mode machine. Could anybody test IKEv2 protocol on 4.0-rc5 which run PVH mode by default? I know that OpenVPN doesn't need kernel for this but IKEv2 dependent on it. See "https://openvpn.net/index.php/open-source/339-why-ssl-vpn.html"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment