
Cannot connect macOS to strongSwan VPN server installed on Ubuntu


I have an issue connecting to an IKEv2 VPN running on an Ubuntu VM on GCP. I am trying to connect with macOS and Windows. I followed this tutorial to install the VPN on an Ubuntu VM. I need a VPN so that I can have a static IP for multiple people and connect to apps running on GCP that are not public. I read that a client/server VPN is the solution I need, which is why I tried this tutorial. Could the issue be that the configuration only allows an Ubuntu OS to connect to the VPN?

The only difference from the tutorial is that I changed the domain names in the tutorial to the IP address of the GCP VM. The error message on macOS is "User Authentication failed", and I have loaded the ca.cert.pem from the VPN server into Keychain Access on my Mac. Connecting from Windows 10 is a similar problem: I put the pem file in the Trusted Root Certification Authorities but couldn't connect using username and password.

Found the following logs in the Ubuntu server's /var/log/syslog when trying to connect with the macOS built-in IKEv2 client:

Jun 13 12:54:14 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.152.0.2[500]
Jun 13 12:54:14 vpn-instance charon: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance charon: 09[MGR] checkout IKEv2 SA by message with SPIs e2706de3b7c70401_i 0000000000000000_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500] (740 bytes)
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 10[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.152.0.2[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] checkout IKEv2 SA by message with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.152.0.2[4500] (80 bytes)
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[IKE] initiating EAP_MSCHAPV2 method (id 0x9C)
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500] (112 bytes)
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] checkout IKEv2 SA with SPIs 05c7426145bd1401_i 0b4b7fc130e9023e_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] checkout IKEv2 SA with SPIs 05c7426145bd1401_i 0b4b7fc130e9023e_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jun 13 12:54:14 vpn-instance charon: 09[MGR] created IKE_SA (unnamed)[7]
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[5]
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[IKE] IKE_SA ipsec-ikev2-vpn[5] state change: CONNECTING => DESTROYING
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[IKE] IKE_SA ipsec-ikev2-vpn[6] state change: CONNECTING => DESTROYING
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 06[MGR] checkout IKEv2 SA with SPIs 05c7426145bd1401_i 0b4b7fc130e9023e_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 06[MGR] IKE_SA checkout not successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 05[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 05[MGR] IKE_SA checkout not successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.152.0.2[500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance ipsec[540]: 09[MGR] checkout IKEv2 SA by message with SPIs e2706de3b7c70401_i 0000000000000000_r
Jun 13 12:54:14 vpn-instance charon: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkout IKEv2 SA by message with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:14 vpn-instance charon: 14[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:14 vpn-instance charon: 14[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.152.0.2[4500] (80 bytes)
Jun 13 12:54:14 vpn-instance charon: 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 13 12:54:14 vpn-instance charon: 14[IKE] initiating EAP_MSCHAPV2 method (id 0x4A)
Jun 13 12:54:14 vpn-instance charon: 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 12:54:14 vpn-instance charon: 14[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500] (112 bytes)
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkin IKE_SA ipsec-ikev2-vpn[8]
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 16[MGR] checkout IKEv2 SA with SPIs e2706de3b7c70401_i 3ff8ef2239e91120_r
Jun 13 12:54:34 vpn-instance charon: 16[MGR] IKE_SA ipsec-ikev2-vpn[7] successfully checked out
Jun 13 12:54:34 vpn-instance charon: 16[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 16[MGR] checkin IKE_SA ipsec-ikev2-vpn[7]
Jun 13 12:54:34 vpn-instance charon: 16[MGR] checkin of IKE_SA successful
Jun 13 12:54:34 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 06[MGR] checkout IKEv2 SA with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:34 vpn-instance charon: 06[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:34 vpn-instance charon: 06[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 06[MGR] checkin IKE_SA ipsec-ikev2-vpn[8]
Jun 13 12:54:34 vpn-instance charon: 06[MGR] checkin of IKE_SA successful
Jun 13 12:54:34 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:44 vpn-instance charon: 05[MGR] checkout IKEv2 SA with SPIs e2706de3b7c70401_i 3ff8ef2239e91120_r
Jun 13 12:54:44 vpn-instance charon: 05[MGR] IKE_SA ipsec-ikev2-vpn[7] successfully checked out
Jun 13 12:54:44 vpn-instance charon: 05[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:44 vpn-instance charon: 05[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[7]
Jun 13 12:54:44 vpn-instance charon: 05[IKE] IKE_SA ipsec-ikev2-vpn[7] state change: CONNECTING => DESTROYING
Jun 13 12:54:44 vpn-instance charon: 05[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkout IKEv2 SA with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:44 vpn-instance charon: 07[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:44 vpn-instance charon: 07[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[8]
Jun 13 12:54:44 vpn-instance charon: 07[IKE] IKE_SA ipsec-ikev2-vpn[8] state change: CONNECTING => DESTROYING
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:54 vpn-instance charon: 08[MGR] checkout IKEv2 SA with SPIs e2706de3b7c70401_i 3ff8ef2239e91120_r
Jun 13 12:54:54 vpn-instance charon: 08[MGR] IKE_SA checkout not successful
Jun 13 12:54:54 vpn-instance charon: 09[MGR] checkout IKEv2 SA with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:54 vpn-instance charon: 09[MGR] IKE_SA checkout not successful

Please let me know what could be wrong?

Edit: I added more syslog output above, from my log when I try to connect.

Here is the /etc/ipsec.conf configuration:

config setup
  charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
  strictcrlpolicy=no
  uniqueids=yes
  cachecrls=no

conn ipsec-ikev2-vpn
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  dpdaction=clear
  dpddelay=300s
  rekey=no
  left=%any
  leftid=xx.xxx.xxx.219
  leftcert=server.cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  rightsourceip=192.168.0.0/24
  rightdns=8.8.8.8 # DNS to be assigned to clients
  rightsendcert=never
  eap_identity=%identity

The macOS VPN configuration is just Server Address and Remote ID (both the IP address of the Ubuntu server) and the related Authentication Settings, which are the username and password I set in /etc/ipsec.secrets.

I could not see any VPN related events in logs on the MacBook such as racoon.log or ppp.log. It is hard to find info about macOS VPN logs on the net as well, which is why figuring out this issue has been tricky. Anywhere else the IKEv2 VPN logs could be in Big Sur?

Solved: Had to make sure the username and password are applied properly in the Mac IKEv2 Authentication Settings.
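To read a charon log like the one above more systematically, here is an added Python example (not from the question, the tutorial or the strongSwan project): it attributes each line to the IKE_SA held by the worker thread that logged it, using charon's own checkout/checkin lines, and then reports per SA whether the server sent an EAP-MSCHAPv2 challenge, whether the client ever answered it, and how the SA ended. Applied to the log in the question, this isolates the pattern that matches the accepted fix: the server generates `EAP/REQ/MSCHAPV2`, no `EAP/RES/MSCHAPV2` ever arrives, and the half-open SA is deleted after the timeout, meaning the client never submitted credentials. The sample lines are constructed for this example; the SA numbers, the peer addresses and the `succeeded` / `verification failed` message wordings are assumptions, not copied from the page.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the question's charon lines (hypothetical SA numbers,
# peers from documentation address ranges). SA [8] gets an EAP-MSCHAPv2 challenge and is
# torn down half-open 30 s later without answering; SA [9] authenticates; SA [10] answers
# with rejected credentials. "succeeded"/"verification failed" wordings are assumed.
SAMPLE_SYSLOG = """\
Jun 13 12:54:14 vpn-instance charon: 14[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:14 vpn-instance charon: 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 13 12:54:14 vpn-instance charon: 14[IKE] initiating EAP_MSCHAPV2 method (id 0x4A)
Jun 13 12:54:14 vpn-instance charon: 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkin IKE_SA ipsec-ikev2-vpn[8]
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkin of IKE_SA successful
Jun 13 12:54:44 vpn-instance charon: 07[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:44 vpn-instance charon: 07[JOB] deleting half open IKE_SA with 203.0.113.10 after timeout
Jun 13 12:54:44 vpn-instance charon: 07[IKE] IKE_SA ipsec-ikev2-vpn[8] state change: CONNECTING => DESTROYING
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[8]
Jun 13 13:01:02 vpn-instance charon: 15[MGR] IKE_SA ipsec-ikev2-vpn[9] successfully checked out
Jun 13 13:01:02 vpn-instance charon: 15[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 13:01:02 vpn-instance charon: 15[MGR] checkin IKE_SA ipsec-ikev2-vpn[9]
Jun 13 13:01:03 vpn-instance charon: 16[MGR] IKE_SA ipsec-ikev2-vpn[9] successfully checked out
Jun 13 13:01:03 vpn-instance charon: 16[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 13 13:01:03 vpn-instance charon: 16[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jun 13 13:01:03 vpn-instance charon: 16[IKE] IKE_SA ipsec-ikev2-vpn[9] established between 10.152.0.2[10.152.0.2]...198.51.100.7[alice]
Jun 13 13:01:03 vpn-instance charon: 16[MGR] checkin IKE_SA ipsec-ikev2-vpn[9]
Jun 13 13:05:40 vpn-instance charon: 17[MGR] IKE_SA ipsec-ikev2-vpn[10] successfully checked out
Jun 13 13:05:40 vpn-instance charon: 17[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 13:05:40 vpn-instance charon: 17[MGR] checkin IKE_SA ipsec-ikev2-vpn[10]
Jun 13 13:05:41 vpn-instance charon: 18[MGR] IKE_SA ipsec-ikev2-vpn[10] successfully checked out
Jun 13 13:05:41 vpn-instance charon: 18[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jun 13 13:05:41 vpn-instance charon: 18[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
Jun 13 13:05:41 vpn-instance charon: 18[MGR] checkin IKE_SA ipsec-ikev2-vpn[10]
"""

# syslog prefix, charon (or "ipsec[pid]") tag, worker thread id, log group, message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?:charon|ipsec\[\d+\]): "
                     r"(?P<thread>\d+)\[[A-Z]+\] (?P<msg>.*)$")
# lines after which the logging thread holds the named IKE_SA (created / checked out)
HOLD_RE = re.compile(r"(?:created IKE_SA|IKE_SA) (?P<name>[^\s\[]+)\[(?P<num>\d+)\]"
                     r"(?: successfully checked out|$)")
CHECKIN_RE = re.compile(r"^checkin(?: and destroy)? IKE_SA ")
MILESTONES = [
    ("eap_requested", re.compile(r"generating IKE_AUTH response \d+ \[ EAP/REQ/")),
    ("eap_response",  re.compile(r"parsed IKE_AUTH request \d+ \[ EAP/RES/MSCHAPV2")),
    ("established",   re.compile(r"EAP method \S+ succeeded|IKE_SA \S+ established between")),
    ("auth_failed",   re.compile(r"verification failed")),       # assumed plugin wording
    ("timed_out",     re.compile(r"deleting half open IKE_SA")),
]
PEER_RE = re.compile(r"half open IKE_SA with (?P<p>\S+) after|established between \S+\.\.\.(?P<q>[^\[]+)\[")


def new_sa():
    return {"name": None, "peer": None, "first": None, "last": None, "eap_requested": False,
            "eap_response": False, "established": False, "auth_failed": False, "timed_out": False}


def analyze(syslog_text):
    """Attribute each charon line to the IKE_SA its worker thread holds; collect milestones per SA number."""
    holding = {}                          # thread id -> IKE_SA number currently checked out by it
    sas = defaultdict(new_sa)
    for raw in syslog_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a charon line (or a syslog-wrapped fragment)
        ts, thread, msg = m["ts"], m["thread"], m["msg"]
        h = HOLD_RE.search(msg)
        if h:
            holding[thread] = int(h["num"])
            sas[holding[thread]]["name"] = h["name"]
        if thread not in holding:
            continue                      # e.g. NET/keep-alive lines from a thread holding no SA
        sa = sas[holding[thread]]
        sa["first"] = sa["first"] or ts
        sa["last"] = ts
        for key, rx in MILESTONES:
            if rx.search(msg):
                sa[key] = True
        p = PEER_RE.search(msg)
        if p:
            sa["peer"] = p["p"] or p["q"]
        if CHECKIN_RE.match(msg):
            holding.pop(thread)           # the thread releases the SA after this line
    return dict(sas)


def classify(sa):
    """One-line verdict: did authentication complete, fail, or never get a client answer?"""
    if sa["established"]:
        return "established"
    if sa["auth_failed"]:
        return "EAP-MSCHAPv2 verification failed (credentials rejected)"
    if sa["eap_requested"] and not sa["eap_response"]:
        return "no EAP-MSCHAPv2 response from client" + (" (half-open SA timed out)" if sa["timed_out"] else "")
    if sa["timed_out"]:
        return "timed out before EAP started"
    return "incomplete"


def summarize(syslog_text):
    return {num: classify(sa) for num, sa in analyze(syslog_text).items()}


if __name__ == "__main__":
    for num, sa in sorted(analyze(SAMPLE_SYSLOG).items()):
        print(f"{sa['name']}[{num}] peer={sa['peer']} {sa['first']} .. {sa['last']}: {classify(sa)}")
```

Feed it `journalctl -u strongswan` or `/var/log/syslog` output instead of the constructed sample; the only requirement is that the `charondebug` level in `ipsec.conf` includes `mgr 2` (as the question's config does), because the `checkout` / `checkin` lines are what lets a per-thread log be turned back into a per-SA timeline.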

Ginnungagap:
You have no logs of the racoon daemon on the macOS side to understand what fails, your strongSwan logs are sparse and you're attempting to debug, and you haven't shown your strongSwan configuration nor your VPN setup on the macOS side. I have macOS clients connect to strongSwan servers in production with no issue, so I'm sure that it's not about having an Ubuntu client. Please post complete and relevant information and enable verbose strongSwan logs to trace actual behavior. My best guess as-is relates to not having the CA in the System Keychain or not using EAP-TLS.
@Ginnungagap I have updated the question according to your comments. It started working after I re-added the Authentication. It kept disappearing.

