Unable to connect from macOS Sierra behind NAT #12

Closed
pirate opened this Issue May 13, 2017 · 14 comments

pirate (Contributor) commented May 13, 2017

I ran the setup script on a brand new 17.04 box, and I'm having trouble connecting from my home network (router is provided by Verizon FiOS, but I doubt that matters, it's a standard NAT setup).

Logs on the server:

May 13 07:21:05 charon[17287]: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 13 07:21:05 charon[17287]: 09[NET] sending packet: from SER.VER.IP[500] to CLI.ENT.IP[500] (38 bytes)
May 13 07:21:05 charon[17287]: 10[NET] received packet: from CLI.ENT.IP[500] to SER.VER.IP[500] (300 bytes)
May 13 07:21:05 charon[17287]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 13 07:21:05 charon[17287]: 10[IKE] CLI.ENT.IP is initiating an IKE_SA
May 13 07:21:05 charon[17287]: 10[IKE] CLI.ENT.IP is initiating an IKE_SA
May 13 07:21:05 charon[17287]: 10[IKE] remote host is behind NAT
May 13 07:21:05 charon[17287]: 10[IKE] DH group ECP_521 inacceptable, requesting ECP_521
May 13 07:21:05 charon[17287]: 10[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 13 07:21:05 charon[17287]: 10[NET] sending packet: from SER.VER.IP[500] to CLI.ENT.IP[500] (38 bytes)

Logs on the client:

default	07:44:03.910071 -0400	neagent	0x7fdcb2315e00 opened /Users/user/Library/Keychains/login.keychain-db: 1779840 bytes
default	07:44:03.914720 -0400	neagent	getting current attributes...
default	07:44:03.914757 -0400	neagent	filling 16 attributes for type 2147483648
default	07:44:03.915368 -0400	neagent	looking at 16 attributes
default	07:44:03.915460 -0400	neagent	finished: 50ba5828bedc6a69250709880de01ce5e05e52b0c0b8e5c73acef30ecbb93cab
error	07:44:03.964986 -0400	neagent	Failed to process IKE SA Init packet

In particular, this line is baffling me: DH group ECP_521 inacceptable, requesting ECP_521.

@pirate pirate changed the title from Unable to connect from macOS Sierra to Unable to connect from macOS Sierra behind NAT May 13, 2017

pirate (Contributor) commented May 13, 2017

I've changed the accepted cypher list to be more permissive, and it seems to have fixed the ECP_521 problem. (I also removed the VPN profile and added the IKEv2 connection manually via System Preferences)

ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256gcm16-sha256-ecp256!
esp=aes256gcm16-sha256,aes256-sha256!

Now I'm getting a different error on the clients though:

error   08:21:48.451705 -0400   neagent Failed to receive isakmp packet: Connection refused
error   08:21:51.451646 -0400   neagent Failed to receive isakmp packet: Connection refused
error   08:21:54.453335 -0400   neagent Failed to receive isakmp packet: Connection refused
error   08:21:57.451772 -0400   neagent Failed to receive isakmp packet: Connection refused
error   08:22:00.454139 -0400   neagent Failed to receive IKE SA Init packet

jawj (Owner) commented May 18, 2017

What are you seeing in the logs on the server (with sudo tail -f /var/log/syslog, started before you try to connect)?


jawj (Owner) commented May 18, 2017

BTW, if you add the connection manually via System Preferences rather than via the .mobileconfig profile then it will only support weak/essentially broken ciphers, so that's not recommended.

pirate (Contributor) commented May 18, 2017

Thanks for helping debug this! Here's the syslog output from the server:

---
17:10:22 charon: 11[NET] received packet: from <CLIENT.IP>[500] to <SERVER.IP>[500] (604 bytes)
17:10:22 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
17:10:22 charon: 11[IKE] <CLIENT.IP> is initiating an IKE_SA
17:10:22 charon: 11[IKE] remote host is behind NAT
17:10:22 charon: 11[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
17:10:22 charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
17:10:22 charon: 11[NET] sending packet: from <SERVER.IP>[500] to <CLIENT.IP>[500] (38 bytes)
17:10:22 charon: 12[NET] received packet: from <CLIENT.IP>[500] to <SERVER.IP>[500] (476 bytes)
17:10:22 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
17:10:22 charon: 12[IKE] <CLIENT.IP> is initiating an IKE_SA
17:10:22 charon: 12[IKE] remote host is behind NAT
17:10:22 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
17:10:22 charon: 12[NET] sending packet: from <SERVER.IP>[500] to <CLIENT.IP>[500] (320 bytes)
17:10:22 charon: 13[NET] received packet: from <CLIENT.IP>[4500] to <SERVER.IP>[4500] (524 bytes)
17:10:22 charon: 13[ENC] unknown attribute type (25)
17:10:22 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
17:10:22 charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
17:10:22 charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
17:10:22 charon: 13[IKE] peer supports MOBIKE
17:10:22 charon: 13[IKE] authentication of 'vpn.mydomain.com' (myself) with RSA signature successful
17:10:22 charon: 13[IKE] sending end entity cert "CN=vpn.mydomain.com"
17:10:22 charon: 13[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
17:10:22 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
17:10:22 charon: 13[ENC] splitting IKE message with length of 3356 bytes into 3 fragments
17:10:23 charon: 13[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
17:10:23 charon: 13[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
17:10:23 charon: 13[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
17:10:23 charon: 13[NET] sending packet: from <SERVER.IP>[4500] to <CLIENT.IP>[4500] (1248 bytes)
17:10:23 charon: 13[NET] sending packet: from <SERVER.IP>[4500] to <CLIENT.IP>[4500] (1248 bytes)
17:10:23 charon: 13[NET] sending packet: from <SERVER.IP>[4500] to <CLIENT.IP>[4500] (992 bytes)
17:10:23 charon: 15[NET] received packet: from <CLIENT.IP>[4500] to <SERVER.IP>[4500] (92 bytes)
17:10:23 charon: 15[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
17:10:23 charon: 15[IKE] received EAP identity 'hostname'
17:10:23 charon: 15[IKE] loading EAP_MSCHAPV2 method failed
17:10:23 charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/FAIL ]
17:10:23 charon: 15[NET] sending packet: from <SERVER.IP>[4500] to <CLIENT.IP>[4500] (76 bytes)

pirate (Contributor) commented May 18, 2017

Looks like a possible missing build flag or dependency for MSCHAPV2 support? https://wiki.strongswan.org/issues/952


jawj (Owner) commented May 18, 2017

Yes, that’s exactly where I’d got to! Which seems a bit odd, assuming you started with a fresh install of Ubuntu and just ran the script. Have you followed some of the advice in that strongSwan issue about checking up on OpenSSL?

jawj (Owner) commented May 18, 2017

Another thing to check would be any related log messages at strongSwan startup. For that, open two separate SSH connections.

  • In the first, run sudo tail -f /var/log/syslog.
  • Then, in the second, run sudo ipsec restart.
  • Now switch back to the first and examine the logs.

pirate (Contributor) commented May 18, 2017

Looks like mschap isn't something in the list of loaded plugins, but other than that, no errors on ipsec startup.

May 18 17:26:30 charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp chapoly xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity

pirate (Contributor) commented May 18, 2017

I'm back to using the vpn.mobileconfig now, which produces the same error as before, even after a clean install and re-run of the setup script:

17:28:19 charon: 07[NET] received packet: from CLIENT[500] to SERVER[500] (300 bytes)
17:28:19 charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
17:28:19 charon: 07[IKE] CLIENT is initiating an IKE_SA
17:28:19 charon: 07[IKE] remote host is behind NAT
17:28:19 charon: 07[IKE] DH group ECP_521 inacceptable, requesting ECP_521
17:28:19 charon: 07[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
17:28:19 charon: 07[NET] sending packet: from SERVER[500] to CLIENT[500] (38 bytes)
17:28:19 charon: 08[NET] received packet: from CLIENT[500] to SERVER[500] (300 bytes)
17:28:19 charon: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
17:28:19 charon: 08[IKE] CLIENT is initiating an IKE_SA
17:28:19 charon: 08[IKE] remote host is behind NAT
17:28:19 charon: 08[IKE] DH group ECP_521 inacceptable, requesting ECP_521
17:28:19 charon: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
17:28:19 charon: 08[NET] sending packet: from SERVER[500] to CLIENT[500] (38 bytes)

I'm guessing it has to be something to do with this: DH group ECP_521 inacceptable, requesting ECP_521. I have no results for googling that either...


pirate (Contributor) commented May 18, 2017

Aha, ipsec statusall | grep openssl yields nothing, looks like I'll have to rebuild strongswan with openssl enabled manually.


jawj (Owner) commented May 18, 2017

(I'm hoping the typo in that command (opnessl) wasn't present when you ran it?)

Sounds like the right idea, but I wonder why it's necessary. What kind of Ubuntu setup is this? A dedicated box, a VPS, ... ? I would have thought that the strongSwan config as installed via apt-get couldn't possibly differ from normal.

pirate (Contributor) commented May 18, 2017

Typo was not present, I just edited my comment to fix it. It's a vultr.com $2.50/month box, with what seems like standard ubuntu 17.04.

root@mozart ~/IKEv2-setup# screenfetch
                          ./+o+-       root@mozart
                  yyyyy- -yyyyyy+      OS: Ubuntu 17.04 zesty
               ://+//////-yyyyyyo      Kernel: x86_64 Linux 4.10.0-21-generic
           .++ .:/++++++/-.+sss/`      Uptime: 1d 14h 44m
         .:++o:  /++++++++/:--:/-      Packages: 567
        o:+o+:++.`..```.-/oo+++++/     Shell: fish
       .:+o:+o/.          `+sssoo+/    CPU: Virtual CPU a7769a6388d5 @ 2.4GHz
  .++/+:+oo+o:`             /sssooo.   RAM: 124MiB / 485MiB
 /+++//+:`oo+o               /::--:.
 \+/+o+++`o++o               ++////.
  .++.o+++oo+:`             /dddhhh.
       .+.o+oo:.          `oddhhhh+
        \+.++o+o``-````.:ohdhhhhh+
         `:o+++ `ohhhhhhhhyo++os:
           .o:`.syhhhhhhh/.oo++o`
               /osyyyyyyo++ooo+++/
                   ````` +oo+++o\:
                          `oo++.

pirate (Contributor) commented May 18, 2017

strongswan-standard-plugins includes openssl, but it wasn't installed by default.
apt install libstrongswan-standard-plugins && ipsec restart fixed the DH group ECP_521 inacceptable, requesting ECP_521 issue, now it's back to loading EAP_MSCHAPV2 method failed.

pirate (Contributor) commented May 18, 2017

Bingo, got it working! PR coming shortly. It was missing the standard plugin set libs for both libstrongswan and libcharon.
Solution:

apt install strongswan-ikev2 strongswan-libcharon libcharon-extra-plugins libcharon-standard-plugins libstrongswan-standard-plugins
ipsec restart
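
The thread resolved two distinct failures that both came down to charon plugins that were never loaded: the IKE_SA_INIT rejections logged as "DH group ECP_521 inacceptable, requesting ECP_521" stopped once the openssl plugin came in with libstrongswan-standard-plugins, and "loading EAP_MSCHAPV2 method failed" stopped once the libcharon plugin packages were installed. The script below is an added example for this page, not code from the IKEv2-setup project or from either participant. It compares an ipsec.conf ike= proposal and the configured EAP method against the "loaded plugins:" line charon writes to syslog at startup (the line surfaced by the two-SSH-session procedure above), so a missing plugin is caught before any client connects. The mapping from DH group family to the plugins that can provide it is an assumption drawn from the strongSwan plugin set; BEFORE_FIX is the plugin list pirate posted, and AFTER_FIX is constructed by appending the two plugins the fix brought in. It also flags the weak group the manually configured macOS client negotiated toward in the thread (MODP_1024) and weak integrity algorithms, which goes slightly beyond the thread's own symptoms.

```python
"""Check an ipsec.conf ike= proposal and EAP method against the plugins
charon actually loaded, before a client ever connects.

Added example for this issue thread; not code from the IKEv2-setup
project or from either participant.
"""
import re

# Which plugins implement each DH group family. This mapping is an
# assumption taken from the strongSwan plugin set: gmp (and gcrypt) only
# implement MODP groups, so ECP groups need a crypto-library plugin such
# as openssl, which is what the thread ended up installing.
DH_PROVIDERS = {
    "modp": ("gmp", "gcrypt", "openssl", "botan", "wolfssl"),
    "ecp": ("openssl", "botan", "wolfssl"),
    "curve": ("curve25519", "openssl", "botan", "wolfssl"),
}

# Groups and integrity algorithms a VPN server should not offer at all;
# modp1024 is the group the System Preferences client fell back to in
# the thread ("requesting MODP_1024").
WEAK_DH = {"modp768", "modp1024", "modp1536"}
WEAK_INTEG = {"md5", "sha1"}

DH_RE = re.compile(r"^(modp|ecp|curve)\d+")


def parse_loaded_plugins(syslog_line):
    """Return the set of plugin names from a charon 'loaded plugins:' line."""
    m = re.search(r"loaded plugins:\s*(.+)$", syslog_line)
    if not m:
        raise ValueError("not a charon 'loaded plugins' line")
    return set(m.group(1).split())


def parse_ike_proposals(ike_value):
    """Split an ipsec.conf ike= value into (algorithms, dh_group) pairs.

    'aes256gcm16-sha256-ecp521,aes256-sha256-modp2048!' ->
    [(['aes256gcm16', 'sha256'], 'ecp521'), (['aes256', 'sha256'], 'modp2048')]
    The trailing '!' (strict proposal) is stripped; a proposal with no DH
    group gets dh_group=None.
    """
    proposals = []
    for prop in ike_value.rstrip("!").split(","):
        tokens = [t for t in prop.strip().split("-") if t]
        dh = tokens.pop() if tokens and DH_RE.match(tokens[-1]) else None
        proposals.append((tokens, dh))
    return proposals


def check_config(syslog_line, ike_value, eap_method=None):
    """Compare what the config asks for with what charon loaded.

    Returns {"missing": {...}, "weak": [...]} where 'missing' maps each
    unsatisfied requirement to the plugins that could satisfy it and
    'weak' lists algorithms that should be removed from the proposal.
    """
    loaded = parse_loaded_plugins(syslog_line)
    missing = {}
    weak = []
    for algs, dh in parse_ike_proposals(ike_value):
        if dh is not None:
            family = DH_RE.match(dh).group(1)
            providers = DH_PROVIDERS[family]
            if not any(p in loaded for p in providers):
                missing[dh] = providers
            if dh in WEAK_DH:
                weak.append(dh)
        weak.extend(a for a in algs if a in WEAK_INTEG)
    # EAP methods map 1:1 to a charon plugin named after them.
    if eap_method and eap_method not in loaded:
        missing[eap_method] = (eap_method,)
    return {"missing": missing, "weak": weak}


# Constructed inputs taken from the thread: the plugin list pirate posted
# (no openssl, no eap-mschapv2) and the relaxed ike= proposal he tried.
BEFORE_FIX = (
    "May 18 17:26:30 charon: 00[LIB] loaded plugins: charon test-vectors "
    "unbound ldap pkcs11 aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce "
    "x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp "
    "dnskey sshkey dnscert ipseckey pem gcrypt af-alg fips-prf gmp chapoly "
    "xcbc cmac hmac ctr ccm ntru bliss curl soup mysql sqlite attr "
    "kernel-netlink resolve socket-default farp stroke updown eap-identity "
    "eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym "
    "eap-simaka-reauth eap-md5 eap-gtc eap-dynamic eap-radius eap-tls "
    "eap-ttls eap-peap eap-tnc xauth-eap xauth-pam xauth-noauth tnc-tnccs "
    "tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify "
    "certexpire led radattr addrblock unity"
)
# Same line with the two plugins the thread's fix brought in (constructed).
AFTER_FIX = BEFORE_FIX + " openssl eap-mschapv2"

IKE_PROPOSAL = "aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256gcm16-sha256-ecp256!"

if __name__ == "__main__":
    for label, line in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, check_config(line, IKE_PROPOSAL, "eap-mschapv2"))
    # A proposal that still admits the group the macOS client fell back to.
    print("legacy", check_config(AFTER_FIX, "aes256-sha1-modp1024"))
```

On a live server, feed check_config the line returned by sudo grep 'loaded plugins' /var/log/syslog and the ike= line from /etc/ipsec.conf; an empty "missing" dict means every group in the proposal and the EAP method have a loaded provider, which is the condition the thread's final apt install established.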