I set up a VPN connection to my office's network using StrongSwan. This is on Ubuntu 20.04, running on WSL2 with Windows 10 host.
The Steps
The following are the complete steps that I did.
- Install:
sudo apt install strongswan libstrongswan-extra-plugins libcharon-extra-plugins
- /etc/ipsec.conf:
conn office
keyexchange=ikev2
type=tunnel
#ike=aes256-sha1-modp1024,3des-sha1-modp1024!
#esp=aes256-sha1,3des-sha1!
forceencaps=yes
lifetime=1800
rightsendcert=always
rightsubnet=0.0.0.0/0
#rightsubnet=%dynamic
#rightsourceip=%config4
#rightfirewall=yes
rightauth=pubkey
left=%defaultroute
#leftsubnet=%dynamic
leftsourceip=%config4
leftid=any
leftauth=eap-mschapv2
eap_identity=user.name
auto=add
include /etc/ipsec.conf.office
- /etc/ipsec.conf.office:
conn office-staging
also=office
right=office-staging.office.fqdn.here
rightid=office-staging.office.fqdn.here
- /etc/ipsec.secrets:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
include /var/lib/strongswan/ipsec.secrets.inc
- /var/lib/strongswan/ipsec.secrets.inc:
user.name: EAP password
The Error
When I run sudo ipsec start, it does not work. The following is the log when I give the --nofork argument:
Starting strongSwan 5.6.2 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-19041-Microsoft, x86_64)
00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] disabling load-tester plugin, not configured
00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
00[NET] opening ARP packet socket failed: Address family not supported by protocol
00[LIB] plugin 'farp': failed to load - farp_plugin_create returned NULL
00[KNL] unable to create netlink socket: Protocol not supported (93)
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
00[CFG] dnscert plugin is disabled
00[CFG] ipseckey plugin is disabled
00[CFG] attr-sql plugin: database URI not set
00[KNL] netlink write error: Operation not supported
00[KNL] unable to create IPv4 routing table rule
00[KNL] netlink write error: Operation not supported
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=US, O=Internet Security Research Group, CN=ISRG Root X1" from '/etc/ipsec.d/cacerts/isrgrootx1.pem'
00[CFG] loaded ca certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" from '/etc/ipsec.d/cacerts/letsencryptauthorityx3.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
00[CFG] loaded EAP secret for user.name
00[CFG] sql plugin: database URI not set
00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
00[CFG] eap-simaka-sql database URI missing
00[CFG] loaded 0 RADIUS server configurations
00[NET] opening DHCP receive socket failed: Address family not supported by protocol
00[CFG] HA config misses local/remote address
00[CFG] no threshold configured for systime-fix, disabled
00[CFG] coupling file path unspecified
00[LIB] failed to load 1 critical plugin feature
00[DMN] initialization failed - aborting charon
00[KNL] netlink write error: Operation not supported
00[KNL] netlink write error: Operation not supported
charon has quit: initialization failed
charon refused to be started
ipsec starter stopped
Any idea what I might have missed? Thanks in advance.
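The failure chain in the log above runs from the [KNL] netlink socket error through the unmet CUSTOM:kernel-ipsec dependency to the charon abort. Below is an added diagnostic helper (not part of the post or of strongSwan) that parses that chain out of a charon startup log and, on a Linux host, tries to open the same NETLINK_XFRM socket that charon's kernel-netlink plugin needs; the sample log lines are copied from the post, and the constant 93 is Linux's EPROTONOSUPPORT.

```python
import errno
import re
import socket

# Constructed from the strongSwan startup log quoted in the post.
SAMPLE_LOG = """\
00[KNL] unable to create netlink socket: Protocol not supported (93)
00[NET] installing IKE bypass policy failed
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
00[LIB] failed to load 1 critical plugin feature
00[DMN] initialization failed - aborting charon
"""

LINUX_EPROTONOSUPPORT = 93  # the "(93)" in the post's log, Linux errno value
NETLINK_RE = re.compile(r"unable to create netlink socket: .*\((\d+)\)")
UNMET_RE = re.compile(r"critical plugin '(\w+)' has unmet dependency: (\S+)")


def diagnose_charon_log(log: str) -> dict:
    """Extract the netlink errno, unmet critical features and fatal flag from a charon log."""
    result = {"netlink_errno": None, "unmet": [], "fatal": False}
    for line in log.splitlines():
        m = NETLINK_RE.search(line)
        if m:
            result["netlink_errno"] = int(m.group(1))
        m = UNMET_RE.search(line)
        if m:
            result["unmet"].append((m.group(1), m.group(2)))
        if "initialization failed" in line:
            result["fatal"] = True
    # kernel-ipsec is provided by the kernel-netlink plugin over a NETLINK_XFRM
    # socket, so "Protocol not supported" on that socket explains the unmet dependency.
    result["kernel_ipsec_missing"] = (
        result["netlink_errno"] == LINUX_EPROTONOSUPPORT
        and any(dep == "CUSTOM:kernel-ipsec" for _, dep in result["unmet"])
    )
    return result


def probe_netlink_xfrm() -> str:
    """Open a NETLINK_XFRM socket the way charon does and report the kernel's answer."""
    if not hasattr(socket, "AF_NETLINK"):
        return "not-linux"
    proto = getattr(socket, "NETLINK_XFRM", 6)  # NETLINK_XFRM == 6 in linux/netlink.h
    try:
        s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, proto)
    except OSError as e:
        if e.errno == errno.EPROTONOSUPPORT:
            return "xfrm-unsupported"  # same condition the post's log reports
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    s.close()
    return "xfrm-available"


if __name__ == "__main__":
    print(diagnose_charon_log(SAMPLE_LOG))
    print(probe_netlink_xfrm())
```

Run it on the host where charon fails: "xfrm-unsupported" from the probe together with kernel_ipsec_missing being True confirms the kernel, not the ipsec.conf, is what stops the daemon.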