IPsec IKEv2 (K)ubuntu 18.04 client (strongswan with Network Manager)

  • Hi,
    so I have been using pfSense on a server for years now and I am quite happy, but since my Windows 10 laptop kind of died I changed to Kubuntu 18.04 (KDE, due to HiDPI support), and now I would like to connect to my pfSense via IPsec IKEv2 EAP-MSCHAPv2, which worked fine for the mentioned Windows 10 client.

    But apparently it does not work; it throws me some errors which imply that Phase 1 works out and Phase 2 kind of, until the authentication?

    charon-nm[3373]: 08[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    charon-nm[3373]: 08[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
    charon-nm[3373]: 08[IKE] EAP_MSCHAPV2 method failed
    charon-nm[3373]: 08[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]

    I tried figuring it out but without any luck. ☹

    Your documentation at https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html#ubuntu-based-client-setup states that one should install the package "strongswan-plugin-eap-mschapv2", which actually does not exist in 18.04 and apparently hasn't since 17.10 (https://askubuntu.com/questions/1029907/trouble-setting-up-ikev2-ipsec-on-18-04-unable-to-locate-package-strongswan-ik/1030024), so the needed packages for this auth method I think are "libcharon-extra-plugins" and "libstrongswan-extra-plugins"; depending on the network manager used one might possibly need "network-manager-strongswan" or "charon-systemd", although I don't think that this is my issue.

    Anyhow, I also tried recreating a server certificate as stated on that page, needed due to a missing "Extended Key Usage" flag, but this also did not help.

    Server side I see similar messages:

    07[NET] <con-mobile|1262> sending packet: from <serverip>[4500] to <clientip>[58318] (80 bytes)
    07[ENC] <con-mobile|1262> generating INFORMATIONAL response 4 [ N(AUTH_FAILED) ]
    07[ENC] <con-mobile|1262> parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
    07[NET] <con-mobile|1262> received packet: from <clientip>[58318] to <serverip>[4500] (80 bytes)
    07[NET] <con-mobile|1262> sending packet: from <serverip>[4500] to <clientip>[58318] (128 bytes)
    07[ENC] <con-mobile|1262> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
    07[IKE] <con-mobile|1262> EAP-MS-CHAPv2 verification failed, retry (1)
    07[ENC] <con-mobile|1262> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
    07[NET] <con-mobile|1262> received packet: from <clientip>[58318] to <serverip>[4500] (160 bytes)
    07[NET] <con-mobile|1262> sending packet: from <serverip>[4500] to <clientip>[58318] (112 bytes)
    07[ENC] <con-mobile|1262> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
    07[IKE] <con-mobile|1262> initiating EAP_MSCHAPV2 method (id 0x30)
    07[IKE] <con-mobile|1262> received EAP identity '<ID>' 

    Maybe someone has had similar issues or an idea how to debug it a bit better; also on the server I see that Phase 1 is connecting and Phase 2 is negotiating under the Status -> IPsec page.

    I also had the idea that the "@" in the ID might be an issue, so I tried a string-only ID and password, which didn't help either.

    Some side information:

    user@lenovo:~# sudo NetworkManager --version
    user@lenovo:~# sudo ipsec --version
    Linux strongSwan U5.6.2/K5.0.0-32-generic
    user@lenovo:~# sudo cat /etc/os-release 
    VERSION="18.04.3 LTS (Bionic Beaver)"
    PRETTY_NAME="Ubuntu 18.04.3 LTS"
    user@lenovo:~# sudo ipsec statusall 
    Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-32-generic, x86_64):
      uptime: 43 minutes, since Nov 06 16:22:06 2019
      malloc: sbrk 3411968, mmap 532480, used 1249056, free 2162912
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
      loaded plugins: charon-systemd charon-systemd test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
    pfsense Version:
    2.4.4-RELEASE-p3 (amd64) 

    I would be happy to get some info on this, or if someone could try an IPsec IKEv2 setup on another 18.04 client.

  • So I found my issue.
    Apparently "Network Manager" did not save the password properly, or something happened there.

    So usually, on the command line, the PSK/EAP secret of the client is stored in /etc/ipsec.secrets, where my password was correct, but Network Manager also stores it in its own location under /etc/NetworkManager/system-connections/<CONNECTION_NAME>, and in the second file a wrong password was given under the [vpn-secrets] section as password=<PSK>.

    I don't know why and how, because I definitely did change it and gave the correct password, but that's how it is.

    So, user error. -> Check your configs 🤦
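The check the second post arrives at, written out as a small script. This is an added example and not code from the thread or from strongSwan/NetworkManager: it pulls the password out of the [vpn-secrets] section of a NetworkManager keyfile, pulls the EAP secret for the same identity out of ipsec.secrets, and reports whether they agree. The connection name (pfsense-ikev2), identity (vpnuser), passwords and the file contents below are constructed for the demonstration; the [vpn] keys shown are illustrative and not taken from the original post.

```shell
#!/bin/sh
# Added example (not from the original post): compare the EAP password that
# NetworkManager stored for a strongSwan VPN connection with the one in
# /etc/ipsec.secrets, i.e. the mismatch described in the thread.
# Connection name, identity, passwords and file contents are constructed.

# Print the value of password= from the [vpn-secrets] section of a
# NetworkManager keyfile; prints nothing if the section or key is absent.
nm_vpn_password() {
    awk '
        /^\[/                  { in_sec = ($0 == "[vpn-secrets]"); next }
        in_sec && /^password=/ { sub(/^password=/, ""); print; exit }
    ' "$1"
}

# Print the EAP secret for one identity from an ipsec.secrets file.
# Expected line format:   <identity> : EAP "<password>"
# (secrets containing whitespace are out of scope for this simple parser).
ipsec_eap_secret() {
    awk -v id="$1" '
        $1 == id && $2 == ":" && $3 == "EAP" {
            s = $4; gsub(/"/, "", s); print s; exit
        }
    ' "$2"
}

# Return 0 when both files hold the same secret for the identity,
# 1 when they differ or when either file has no usable entry.
check_secrets_match() {
    identity=$1; keyfile=$2; secrets=$3
    nm_pw=$(nm_vpn_password "$keyfile")
    ipsec_pw=$(ipsec_eap_secret "$identity" "$secrets")
    if [ -z "$nm_pw" ] || [ -z "$ipsec_pw" ]; then
        echo "no secret found for '$identity' in one of the files" >&2
        return 1
    fi
    if [ "$nm_pw" = "$ipsec_pw" ]; then
        echo "secrets agree"
    else
        echo "MISMATCH: NetworkManager keyfile differs from ipsec.secrets" >&2
        return 1
    fi
}

# Constructed sample files reproducing the situation in the thread: the
# keyfile holds a stale password while ipsec.secrets holds the right one.
# Prints the directory they were written to.
make_demo_files() {
    dir=$(mktemp -d)
    cat > "$dir/pfsense-ikev2" <<'EOF'
[connection]
id=pfsense-ikev2
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.strongswan
user=vpnuser
method=eap

[vpn-secrets]
password=stale-password

[ipv4]
method=auto
EOF
    cat > "$dir/ipsec.secrets" <<'EOF'
# constructed sample ipsec.secrets
vpnuser : EAP "correct-password"
EOF
    echo "$dir"
}

# Demo run against the constructed files; on a real box point
# check_secrets_match at the live paths instead (see usage note).
demo() {
    d=$(make_demo_files)
    check_secrets_match vpnuser "$d/pfsense-ikev2" "$d/ipsec.secrets" || true
    rm -rf "$d"
}

demo
```

On a real client run it as root, since the keyfile under /etc/NetworkManager/system-connections/ is mode 0600: `check_secrets_match user@example.org /etc/NetworkManager/system-connections/<CONNECTION_NAME> /etc/ipsec.secrets`. The same value can be read without opening the file with `sudo nmcli --show-secrets connection show <CONNECTION_NAME>` (look at vpn.secrets), and after editing the keyfile by hand NetworkManager needs `sudo nmcli connection reload` before the change is used.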

