Netgate Discussion Forum
    IPSEC VPN Linux Mint 19 does not work

      mmangiante

      Hello,

      I'm trying to configure an IKEv2 IPsec VPN with Linux Mint 19 as the client; I resolved my previous issues with Mint 18 by loading some packages, and then I tried to do the same on version 19, but the connection is not working.
      On the pfSense side I have this log:

      Sep 20 17:37:56 charon 07[MGR] created IKE_SA (unnamed)[5]
      Sep 20 17:37:56 charon 07[NET] <5> received packet: from 5.92.76.66[51539] to 93.145.101.114[500] (1116 bytes)
      Sep 20 17:37:56 charon 07[ENC] <5> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Sep 20 17:37:56 charon 07[CFG] <5> looking for an ike config for 93.145.101.114...5.92.76.66
      Sep 20 17:37:56 charon 07[CFG] <5> candidate: %any...%any, prio 24
      Sep 20 17:37:56 charon 07[CFG] <5> candidate: 93.145.101.114...%any, prio 1052
      Sep 20 17:37:56 charon 07[CFG] <5> found matching ike config: 93.145.101.114...%any with prio 1052
      Sep 20 17:37:56 charon 07[IKE] <5> 5.92.76.66 is initiating an IKE_SA
      Sep 20 17:37:56 charon 07[IKE] <5> IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
      Sep 20 17:37:56 charon 07[CFG] <5> selecting proposal:
      Sep 20 17:37:56 charon 07[CFG] <5> no acceptable DIFFIE_HELLMAN_GROUP found
      Sep 20 17:37:56 charon 07[CFG] <5> selecting proposal:
      Sep 20 17:37:56 charon 07[CFG] <5> no acceptable ENCRYPTION_ALGORITHM found
      Sep 20 17:37:56 charon 07[CFG] <5> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192
      Sep 20 17:37:56 charon 07[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      Sep 20 17:37:56 charon 07[IKE] <5> remote host is behind NAT
      Sep 20 17:37:56 charon 07[IKE] <5> received proposals inacceptable
      Sep 20 17:37:56 charon 07[ENC] <5> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Sep 20 17:37:56 charon 07[NET] <5> sending packet: from 93.145.101.114[500] to 5.92.76.66[51539] (36 bytes)
      Sep 20 17:37:56 charon 07[MGR] <5> checkin and destroy IKE_SA (unnamed)[5]
      Sep 20 17:37:56 charon 07[IKE] <5> IKE_SA (unnamed)[5] state change: CONNECTING => DESTROYING
      Sep 20 17:37:56 charon 07[MGR] checkin and destroy of IKE_SA successful

      while on the client side I have:

      Sep 20 17:37:55 nb-mint NetworkManager[784]: <info> [1537457875.8590] audit: op="connection-activate" uuid="ffe4776f-dc03-4d23-9980-f405f3e9bd7e" name="IM_IPSEC" pid=1561 uid=1000 result="success"
      Sep 20 17:37:55 nb-mint NetworkManager[784]: <info> [1537457875.8654] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: Saw the service appear; activating connection
      Sep 20 17:37:56 nb-mint NetworkManager[784]: <info> [1537457876.3543] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN connection: (ConnectInteractive) reply received
      Sep 20 17:37:56 nb-mint charon-nm: 05[CFG] received initiate for NetworkManager connection IM_IPSEC
      Sep 20 17:37:56 nb-mint charon-nm: 05[CFG] using gateway certificate, identity 'C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114'
      Sep 20 17:37:56 nb-mint charon-nm: 05[IKE] initiating IKE_SA IM_IPSEC[3] to 93.145.101.114
      Sep 20 17:37:56 nb-mint charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Sep 20 17:37:56 nb-mint charon-nm: 05[NET] sending packet: from 192.168.43.166[51539] to 93.145.101.114[500] (1116 bytes)
      Sep 20 17:37:56 nb-mint NetworkManager[784]: <info> [1537457876.3625] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN plugin: state changed: starting (3)
      Sep 20 17:37:56 nb-mint charon-nm: 07[NET] received packet: from 93.145.101.114[500] to 192.168.43.166[51539] (36 bytes)
      Sep 20 17:37:56 nb-mint charon-nm: 07[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
      Sep 20 17:37:56 nb-mint charon-nm: 07[IKE] received NO_PROPOSAL_CHOSEN notify error
      Sep 20 17:37:56 nb-mint NetworkManager[784]: <warn> [1537457876.4285] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN plugin: failed: login-failed (0)
      Sep 20 17:37:56 nb-mint NetworkManager[784]: <warn> [1537457876.4292] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN plugin: failed: connect-failed (1)
      Sep 20 17:37:56 nb-mint NetworkManager[784]: <info> [1537457876.4293] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN plugin: state changed: stopping (5)
      Sep 20 17:37:56 nb-mint NetworkManager[784]: <info> [1537457876.4295] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN plugin: state changed: stopped (6)

      I've seen the explanations of these errors on the IPsec Troubleshooting page, but I don't know how to resolve them.

      --
      Regards,

      Marco

        mmangiante @mmangiante
        last edited by mmangiante

        I suppose I have resolved it: on Linux Mint 19 I have the GUI installed, so when I try to connect with NetworkManager there is a new section in the dialog where you can enable a custom proposal. I checked it and entered the right proposal in the ike field, which in my case is the "configured proposals" line shown in the log.

        To understand how to "convert" IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 into a "usable" ike value for the dialog, I used the IKEv2 Cipher Suites page and, to understand how to build the proposal, the ipsec man page, where I found this in the ike reference:

        The notation is encryption-integrity[-prf]-dhgroup.

        So, in my case, I filled the ike field with:

        aes256-sha2_256-prfsha256-modp1024

        However, at this point I don't know why Mint 19 doesn't pass the DH group in the proposal, nor why there is this change from Mint 18, where I had no such issue with the encryption configuration.

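The proposal mismatch in the two logs above can be checked mechanically. The script below is an added example (not code from this thread, from strongSwan or from pfSense): it parses charon's "received proposals" and "configured proposals" lines, reports for each offered proposal the first transform type with no overlap (DH group for the first, encryption for the second, exactly as charon logs it), and rewrites the configured proposal into the encryption-integrity-prf-dhgroup keyword form that the NetworkManager ike field expects. The sample lines are constructed, trimmed copies of the log above, and the name mapping covers only the AES-CBC, HMAC-SHA2, MODP and ECP families that appear in this thread.

```python
import re
# Constructed sample input: the two charon lines from the thread, trimmed to a few transforms.
RECEIVED = ("received proposals: IKE:AES_CBC_128/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/"
            "PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/(31)/MODP_3072/MODP_2048, "
            "IKE:AES_GCM_16_128/AES_GCM_16_256/PRF_HMAC_SHA2_256/ECP_256/MODP_2048")
CONFIGURED = "configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024"
TYPES = ("enc", "integ", "prf", "dh")  # order in which charon reports the first failing type

def classify(name):
    """Map a strongSwan transform name to its IKEv2 transform type."""
    if name.startswith(("MODP_", "ECP_", "CURVE", "NTRU")): return "dh"
    if name.startswith("PRF_"): return "prf"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")): return "integ"
    return "enc"  # AES_CBC_*, AES_GCM_*, CAMELLIA_*, 3DES_CBC, CHACHA20_POLY1305_256

def parse_proposals(line):
    """Return one {type: set(transforms)} dict per 'IKE:' proposal found in a charon log line."""
    out = []
    for prop in re.findall(r"IKE:([A-Z0-9_/()]+)", line.split("proposals:", 1)[1]):
        d = {t: set() for t in TYPES}
        for name in prop.split("/"):
            if name and not name.startswith("("):  # "(31)" is an unknown transform id; skip it
                d[classify(name)].add(name)
        out.append(d)
    return out

def failing_types(received_line, configured_line):
    """Per received proposal, the first transform type with no overlap with the configured one;
    None if some received proposal matches fully (charon would then select it)."""
    cfg = parse_proposals(configured_line)[0]
    failures = []
    for prop in parse_proposals(received_line):
        failed = next((t for t in TYPES if not (prop[t] & cfg[t])), None)
        if failed is None:
            return None
        failures.append(failed)
    return failures

def to_ike_keyword(configured_line):
    """Rewrite a single charon proposal into strongSwan's encryption-integrity-prf-dhgroup keyword
    form, which is what the NetworkManager 'ike' field (and ipsec.conf) expect."""
    p = parse_proposals(configured_line)[0]
    enc, integ, prf, dh = (next(iter(p[t])) for t in TYPES)  # one transform per type assumed
    parts = (re.sub(r"^AES_CBC_(\d+)$", r"aes\1", enc),
             re.sub(r"^HMAC_SHA2_(\d+)_\d+$", r"sha2_\1", integ),
             re.sub(r"^PRF_HMAC_SHA2_(\d+)$", r"prfsha\1", prf),
             dh.lower().replace("_", "") if dh.startswith(("MODP_", "ECP_")) else dh)
    if any(part != part.lower() for part in parts):  # only the families seen in this thread are mapped
        raise ValueError(f"unmapped transform in {parts}")
    return "-".join(parts)
```

Note that the client's offer includes MODP_2048, MODP_3072 and the ECP groups but not MODP_1024, so the mismatch is on the pfSense side: raising the phase 1 DH group to 2048 bits or higher (the conversion then yields aes256-sha2_256-prfsha256-modp2048) keeps the client's default proposal intact instead of forcing it down to a 1024-bit group.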
          KOM

          Just curious, but is there any reason you're not going with OpenVPN? I'm also a Linux Mint user at home, and I use OpenVPN to connect to pfSense at the office. It was simple to get it working. I've always found IPSec to be more troublesome.

            mmangiante @KOM

            Hello @kom

            No particular reason: we have few Linux users in our company, so I started from Windows, trying to replicate the VPN we are using with our old SnapGear firewall with RADIUS authentication; because the documentation I followed,
            Configuring an IPsec Remote Access Mobile VPN using IKEv2 with EAP-MSCHAPv2,
            also has the steps for Linux, I tried to configure the Mint 18 and 19 installs that our colleagues have on their notebooks.
            I think that because I saw it was not so simple, I accepted it as a challenge and continued until I had a working configuration; it turned out to be a great learning experience and now I have some more knowledge of IPsec and VPNs.
            Now I think that another step is to go with OpenVPN.

            --
            Regards,

            Marco

              KOM

              Makes sense.

              And thanks for posting your solution. Many people end up fixing their problems and don't come back to update their post to help other people in the future.
