IPSEC VPN Linux Mint 19 does not work



  • Hello,

    I'm trying to configure an IKEv2 IPsec VPN with Linux Mint 19 as client; I resolved my previous issues with Mint 18 by loading some packages, and then I tried to do the same on the 19 version, but the connection is not working.
    On the pfSense side I have this log:

    Sep 20 17:37:56 charon 07[MGR] created IKE_SA (unnamed)[5]
    Sep 20 17:37:56 charon 07[NET] <5> received packet: from 5.92.76.66[51539] to 93.145.101.114[500] (1116 bytes)
    Sep 20 17:37:56 charon 07[ENC] <5> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 20 17:37:56 charon 07[CFG] <5> looking for an ike config for 93.145.101.114...5.92.76.66
    Sep 20 17:37:56 charon 07[CFG] <5> candidate: %any...%any, prio 24
    Sep 20 17:37:56 charon 07[CFG] <5> candidate: 93.145.101.114...%any, prio 1052
    Sep 20 17:37:56 charon 07[CFG] <5> found matching ike config: 93.145.101.114...%any with prio 1052
    Sep 20 17:37:56 charon 07[IKE] <5> 5.92.76.66 is initiating an IKE_SA
    Sep 20 17:37:56 charon 07[IKE] <5> IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
    Sep 20 17:37:56 charon 07[CFG] <5> selecting proposal:
    Sep 20 17:37:56 charon 07[CFG] <5> no acceptable DIFFIE_HELLMAN_GROUP found
    Sep 20 17:37:56 charon 07[CFG] <5> selecting proposal:
    Sep 20 17:37:56 charon 07[CFG] <5> no acceptable ENCRYPTION_ALGORITHM found
    Sep 20 17:37:56 charon 07[CFG] <5> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/NTRU_128/NTRU_192/NTRU_256/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192
    Sep 20 17:37:56 charon 07[CFG] <5> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Sep 20 17:37:56 charon 07[IKE] <5> remote host is behind NAT
    Sep 20 17:37:56 charon 07[IKE] <5> received proposals inacceptable
    Sep 20 17:37:56 charon 07[ENC] <5> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Sep 20 17:37:56 charon 07[NET] <5> sending packet: from 93.145.101.114[500] to 5.92.76.66[51539] (36 bytes)
    Sep 20 17:37:56 charon 07[MGR] <5> checkin and destroy IKE_SA (unnamed)[5]
    Sep 20 17:37:56 charon 07[IKE] <5> IKE_SA (unnamed)[5] state change: CONNECTING => DESTROYING
    Sep 20 17:37:56 charon 07[MGR] checkin and destroy of IKE_SA successful

    while on the client side I have:

    Sep 20 17:37:55 nb-mint NetworkManager[784]: <info> [1537457875.8590] audit: op="connection-activate" uuid="ffe4776f-dc03-4d23-9980-f405f3e9bd7e" name="IM_IPSEC" pid=1561 uid=1000 result="success"
    Sep 20 17:37:55 nb-mint NetworkManager[784]: <info> [1537457875.8654] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: Saw the service appear; activating connection
    Sep 20 17:37:56 nb-mint NetworkManager[784]: <info> [1537457876.3543] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN connection: (ConnectInteractive) reply received
    Sep 20 17:37:56 nb-mint charon-nm: 05[CFG] received initiate for NetworkManager connection IM_IPSEC
    Sep 20 17:37:56 nb-mint charon-nm: 05[CFG] using gateway certificate, identity 'C=IT, ST=Lazio, L=Roma, O=Interactive Media SpA, E=mmangiante@imnet.com, CN=93.145.101.114'
    Sep 20 17:37:56 nb-mint charon-nm: 05[IKE] initiating IKE_SA IM_IPSEC[3] to 93.145.101.114
    Sep 20 17:37:56 nb-mint charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 20 17:37:56 nb-mint charon-nm: 05[NET] sending packet: from 192.168.43.166[51539] to 93.145.101.114[500] (1116 bytes)
    Sep 20 17:37:56 nb-mint NetworkManager[784]: <info> [1537457876.3625] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN plugin: state changed: starting (3)
    Sep 20 17:37:56 nb-mint charon-nm: 07[NET] received packet: from 93.145.101.114[500] to 192.168.43.166[51539] (36 bytes)
    Sep 20 17:37:56 nb-mint charon-nm: 07[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
    Sep 20 17:37:56 nb-mint charon-nm: 07[IKE] received NO_PROPOSAL_CHOSEN notify error
    Sep 20 17:37:56 nb-mint NetworkManager[784]: <warn> [1537457876.4285] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN plugin: failed: login-failed (0)
    Sep 20 17:37:56 nb-mint NetworkManager[784]: <warn> [1537457876.4292] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN plugin: failed: connect-failed (1)
    Sep 20 17:37:56 nb-mint NetworkManager[784]: <info> [1537457876.4293] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN plugin: state changed: stopping (5)
    Sep 20 17:37:56 nb-mint NetworkManager[784]: <info> [1537457876.4295] vpn-connection[0x55817f1e4530,ffe4776f-dc03-4d23-9980-f405f3e9bd7e,"IM_IPSEC",0]: VPN plugin: state changed: stopped (6)

    I've seen on this page IPsec Troubleshooting the explanations about the errors, but I don't know how to resolve them.

    --
    Regards,

    Marco



  • I suppose I have resolved it: on Linux Mint 19 I have the GUI installed, so when I try to connect with Network Manager there is a new part in the dialog where you can enable a custom proposal; I checked it and inserted in the ike field the right proposal, which in my case is the "configured proposals" shown in the log.

    To understand how to "convert" IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 into a "usable" ike value for the dialog, I used this page IKEv2 Cipher Suites and also, to understand how to build the proposal, this man page ipsec, where I found that

    The notation is encryption-integrity[-prf]-dhgroup.
    

    in the ike reference.

    So, in my case, I filled the ike field with:

    aes256-sha2_256-prfsha256-modp1024

    However, at this time I don't know why Mint 19 doesn't pass DH in the proposal, and why there is this change from Mint 18, where I had no issue with an encryption configuration like this.
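The two charon lines above already contain the whole diagnosis: the client's default proposal lists MODP_2048 and larger groups plus the ECP curves, while pfSense is configured only with MODP_1024, so the DH transform type has no overlap and the responder answers N(NO_PROP). The following Python, added here as an example and not taken from the thread, pfSense or strongSwan, parses such "received/configured proposals" lines, reports the transform type with no common algorithm, and renders the configured proposal in the encryption-integrity[-prf]-dhgroup keyword notation used in the dialog; the log lines are an abridged copy of the ones in this thread, and the name table is an assumption covering only the algorithms that appear there.

```python
# Constructed sample input: the "configured proposals" line from the pfSense
# log above, plus an abridged copy of the "received proposals" line (same
# transform types, fewer algorithms).
RECEIVED = ("Sep 20 17:37:56 charon 07[CFG] <5> received proposals: "
            "IKE:AES_CBC_128/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA1_96/"
            "PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/ECP_256/MODP_3072/MODP_2048, "
            "IKE:AES_GCM_16_128/AES_GCM_16_256/CHACHA20_POLY1305_256/"
            "PRF_HMAC_SHA2_256/ECP_256/MODP_2048")
CONFIGURED = ("Sep 20 17:37:56 charon 07[CFG] <5> configured proposals: "
              "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024")

# charon log names -> strongSwan ike= keywords (assumed table, covers only the
# algorithms seen in this thread; extend as needed).
KEYWORD = {
    "AES_CBC_128": "aes128", "AES_CBC_256": "aes256",
    "HMAC_SHA2_256_128": "sha2_256", "HMAC_SHA1_96": "sha1",
    "PRF_HMAC_SHA2_256": "prfsha256", "PRF_HMAC_SHA1": "prfsha1",
    "MODP_1024": "modp1024", "MODP_2048": "modp2048", "ECP_256": "ecp256",
}
TYPES = ("encryption", "integrity", "prf", "dh")

def transform_type(name):
    """Map a charon transform name to its IKEv2 transform type."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("MODP_", "ECP_", "NTRU_", "CURVE_", "(")):
        return "dh"  # "(31)" is how charon prints a group it cannot name
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integrity"
    return "encryption"  # CBC/CTR ciphers and AEADs (GCM/CCM/ChaCha20)

def parse_proposals(line):
    """Split a 'received/configured proposals:' line into one set of
    transform names per IKE:... proposal."""
    rest = line.partition("proposals: ")[2]
    return [set(p.split(":", 1)[-1].split("/")) for p in rest.split(", ")]

def missing_types(received_line, configured_line):
    """Per client proposal, the transform types sharing nothing with the
    responder config; charon logs the first one as 'no acceptable ... found'
    and any non-empty list means the proposal is rejected."""
    configured = set().union(*parse_proposals(configured_line))
    return [[t for t in TYPES
             if not {x for x in prop if transform_type(x) == t} & configured]
            for prop in parse_proposals(received_line)]

def to_ike_keywords(configured_line):
    """Render a configured proposal as encryption-integrity[-prf]-dhgroup."""
    out = []
    for prop in parse_proposals(configured_line):
        by_type = {t: sorted(KEYWORD.get(x, x.lower()) for x in prop
                             if transform_type(x) == t) for t in TYPES}
        out.append("-".join(kw for t in TYPES for kw in by_type[t]))
    return ",".join(out)
```

Running `missing_types(RECEIVED, CONFIGURED)` gives `['dh']` for the first client proposal, matching the "no acceptable DIFFIE_HELLMAN_GROUP found" line, and `to_ike_keywords(CONFIGURED)` yields the string used in the post. Since MODP_2048 is already in the client's default list, changing the DH group on the pfSense phase 1 to 2048 or higher would make the negotiation succeed without a custom client proposal and without keeping a 1024-bit group in service.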



  • Just curious, but is there any reason you're not going with OpenVPN? I'm also a Linux Mint user at home, and I use OpenVPN to connect to pfSense at the office. It was simple to get it working. I've always found IPSec to be more troublesome.



  • Hello @kom

    No reason in particular: we have a few users with Linux in our company, so I started from Windows, trying to resemble the VPN that we are using with our old SnapGear firewall with RADIUS authentication; because the documentation I followed,
    Configuring an IPsec Remote Access Mobile VPN using IKEv2 with EAP-MSCHAPv2,
    also has the steps for Linux, I tried to configure the Mint 18 and 19 that our colleagues have on their notebooks.
    I think that because I saw it was not so simple, I accepted it as a challenge and so continued until I had a working configuration; it turned out to be a great learning process, and now I have some more knowledge of IPsec and VPNs.
    Now I think that another step is to go with OpenVPN.

    --
    Regards,

    Marco



  • Makes sense.

    And thanks for posting your solution. Many people end up fixing their problems and don't come back to update their post to help other people in the future.

