Connect to IKEv2/IPSEC MSCHAPv2 Windows Server?
by DiBosco from LinuxQuestions.org on (#6M669)
I'm trying to connect to a Windows server that uses IKEv2/IPSEC MSCHAPv2 with no certificate. It's simply username and password. From Windows client this works fine, but I'd really like to be able to get on via Linux.
I've found lots of articles saying use strongSwan, so I've set it up using Network Manager in KDE and it's just not having it.
I get this from journalctl:
Apr 11 20:29:07 localhost.localdomain NetworkManager[1377]: <info> [1712863747.2734] agent-manager: agent[fb5d5065f4827f4c,:1.124/nmcli-connect/1000]: agent registered
Apr 11 20:29:07 localhost.localdomain NetworkManager[1377]: <info> [1712863747.2763] vpn[0x264b5a0,19768401-370f-461d-9175-338cbbdba5e1,"DestinationVPN"]: starting strongswan
Apr 11 20:29:07 localhost.localdomain NetworkManager[1377]: <info> [1712863747.2767] audit: op="connection-activate" uuid="19768401-370f-461d-9175-338cbbdba5e1" name="DestinationVPN" pid=3615 uid=1000 result="success"
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.9.10)
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] unable to load OpenSSL FIPS provider
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] plugin 'openssl': failed to load - openssl_plugin_create returned NULL
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] received netlink error: Unknown device type (95)
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] failed to create XFRM interface 'xfrmi-test-1645'
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[NET] could not open socket: Address family not supported by protocol
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[NET] could not open IPv6 socket, IPv6 disabled
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] received netlink error: Rule family not supported (97)
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] unable to create IPv6 routing table rule
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] loaded plugins: nm-backend charon-nm ldap pkcs11 tpm aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 sshkey pem pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf gcm drbg curl soup kernel-netlink socket-default eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 11 20:29:07 localhost.localdomain kded5[2282]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: NetworkManager::VpnConnection::NeedAuth
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[JOB] spawning 16 worker threads
Apr 11 20:29:07 localhost.localdomain kded5[2282]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: NetworkManager::VpnConnection::Connecting
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[CFG] received initiate for NetworkManager connection DestinationVPN
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[CFG] using gateway identity 'aname.bname.co.uk'
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[IKE] initiating IKE_SA DestinationVPN[1] to xxx.xxx.xxx.xxx
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[500] (336 bytes)
Apr 11 20:29:11 localhost.localdomain charon-nm[3621]: 06[IKE] retransmit 1 of request with message ID 0
Apr 11 20:29:11 localhost.localdomain charon-nm[3621]: 06[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[[500] (336 bytes)
Apr 11 20:29:18 localhost.localdomain charon-nm[3621]: 07[IKE] retransmit 2 of request with message ID 0
Apr 11 20:29:18 localhost.localdomain charon-nm[3621]: 07[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[[500] (336 bytes)
Apr 11 20:29:31 localhost.localdomain charon-nm[3621]: 08[IKE] retransmit 3 of request with message ID 0
Apr 11 20:29:31 localhost.localdomain charon-nm[3621]: 08[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[[500] (336 bytes)
Apr 11 20:29:54 localhost.localdomain charon-nm[3621]: 09[IKE] retransmit 4 of request with message ID 0
Apr 11 20:29:54 localhost.localdomain charon-nm[3621]: 09[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[[500] (336 bytes)
Apr 11 20:30:07 localhost.localdomain NetworkManager[1377]: <warn> [1712863807.9933] vpn[0x264b5a0,19768401-370f-461d-9175-338cbbdba5e1,"DestinationVPN"]: connect timeout exceeded
Apr 11 20:30:07 localhost.localdomain charon-nm[3621]: Connect timer expired, disconnecting.
Apr 11 20:30:07 localhost.localdomain charon-nm[3621]: 10[IKE] destroying IKE_SA in state CONNECTING without notification
I can't connect via Android either. Is there simply an issue that this is never going to work from a non-Windows client, or could I be doing something wrong?
In Network Manager I set up a VPN connection using Strongswan with EAP as the Authentication and request inner IP address selected. All else is default.
If there's any information I can supply which would help please ask.
Many thanks.
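As an added example (not from the original post, and not strongSwan's own tooling), a small Python script that classifies a charon journal excerpt like the one above: it counts retransmits of the IKE_SA_INIT request (message ID 0) and checks whether any packet was ever received or any response parsed, which separates a gateway that never answers on UDP/500 from a failure later in the EAP/MSCHAPv2 exchange. The sample log is constructed, with 203.0.113.10 standing in for the real gateway address.

```python
import re
from collections import Counter

# Constructed sample modelled on the charon-nm journal output in the post;
# 203.0.113.10 is a documentation placeholder, not a real gateway.
SAMPLE_LOG = """\
Apr 11 20:29:07 host charon-nm[3621]: 05[IKE] initiating IKE_SA DestinationVPN[1] to 203.0.113.10
Apr 11 20:29:07 host charon-nm[3621]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 11 20:29:07 host charon-nm[3621]: 05[NET] sending packet: from 192.168.0.108[44444] to 203.0.113.10[500] (336 bytes)
Apr 11 20:29:11 host charon-nm[3621]: 06[IKE] retransmit 1 of request with message ID 0
Apr 11 20:29:11 host charon-nm[3621]: 06[NET] sending packet: from 192.168.0.108[44444] to 203.0.113.10[500] (336 bytes)
Apr 11 20:29:18 host charon-nm[3621]: 07[IKE] retransmit 2 of request with message ID 0
Apr 11 20:30:07 host charon-nm[3621]: 10[IKE] destroying IKE_SA in state CONNECTING without notification
"""

RETRANSMIT = re.compile(r"\[IKE\] retransmit \d+ of request with message ID (\d+)")
SENT = re.compile(r"\[NET\] sending packet: from \S+ to (\S+)\[(\d+)\]")
RECEIVED = re.compile(r"\[NET\] received packet: from ")
PARSED = re.compile(r"\[ENC\] parsed (\w+) response \d+")
DESTROYED = re.compile(r"destroying IKE_SA in state (\w+)")

def analyse_ike_log(text):
    """Summarise one strongSwan (charon) connection attempt from journal lines."""
    retransmits = Counter()   # message ID -> number of retransmits
    answered = []             # exchanges for which a response was parsed
    ports = set()             # UDP ports we sent to (500, and 4500 once NAT-T kicks in)
    peer, state, received = None, None, 0
    for line in text.splitlines():
        if m := RETRANSMIT.search(line):
            retransmits[int(m.group(1))] += 1
        if m := SENT.search(line):
            peer, port = m.group(1), int(m.group(2))
            ports.add(port)
        if RECEIVED.search(line):
            received += 1
        if m := PARSED.search(line):
            answered.append(m.group(1))
        if m := DESTROYED.search(line):
            state = m.group(1)
    if received == 0 and not answered and retransmits[0] > 0:
        # IKE_SA_INIT was retransmitted and nothing ever came back: the attempt died
        # before IKE_AUTH, so the EAP/MSCHAPv2 settings were never even used. Check
        # reachability of UDP/500 (and UDP/4500), the gateway address, and that the
        # Windows server is listening, before touching authentication options.
        verdict = "no_ike_sa_init_reply"
    elif "IKE_AUTH" in answered:
        verdict = "ike_auth_answered"
    else:
        verdict = "init_answered_auth_incomplete"
    return {"peer": peer, "ports": ports, "retransmits": dict(retransmits),
            "answered": answered, "state": state, "verdict": verdict}
```

Feed it `journalctl -u NetworkManager -b` output (or the pasted excerpt) and the verdict tells you whether the problem is reachability or authentication.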