Install and Configure StrongSwan Client on Ubuntu

networking vpn ipsec client

I am having trouble trying to setup StrongSwan Client on Ubuntu.

Here are the steps I follow:

Export user's certificate:

openssl pkcs12 -in [email protected] -out username-cert.pem -clcerts -nokeys

Export user's private key:

openssl pkcs12 -in [email protected] -out username-key.pem -nocerts -nodes

Rename CA certificate:

mv cert_export_CA.crt cacert.pem

Copy certificates & key files to the appropriate directories:

cp username-cert.pem /etc/ipsec.d/certs
cp username-key.pem /etc/ipsec.d/private
cp cacert.pem /etc/ipsec.d/cacerts

Edit /etc/ipsec.conf file:

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
conn "DOMAIN"
    leftsourceip=%config
    leftcert=username-cert.pem
    [email protected]
    leftfirewall=yes
    right=vpn.domain.com
    rightid=cvpn.domain.com
    rightsubnet=0.0.0.0/0
    auto=start

Edit /etc/ipsec.secrets:

: RSA username-key.pem "passphrase"

Restart the ipsec daemon:

sudo ipsec restart

Check if connection established:

sudo ipsec status

returns: Security Associations (0 up, 0 connecting): none

ip a

returns:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000   
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    
    inet 127.0.0.1/8 scope host lo   
       valid_lft forever preferred_lft forever    
    inet6 ::1/128 scope host     
       valid_lft forever preferred_lft forever    
2: enp2s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000    
    link/ether 8c:8c:aa:49:56:b0 brd ff:ff:ff:ff:ff:ff    
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000   
    link/ether b0:a4:60:d9:2c:a4 brd ff:ff:ff:ff:ff:ff  
    inet <ip>/24 brd <ip> scope global dynamic noprefixroute wlp3s0 
       valid_lft 168sec preferred_lft 168sec    
    inet6 <ip>/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Which means I am not able to connect.

When i run ipsec up DOMAIN i get this output:

initiating IKE_SA DOMAIN[2] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (936 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
initiating IKE_SA DOMAIN[2] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (1128 bytes)
received packet: from 1xxx.xxx.xxx.xxx[500] to xxx.xxx.xxx.xxx[500] (437 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) CERTREQ ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
sending cert request for "O=domain.com, CN=vpn.domain.com"
authentication of '[email protected]' (myself) with RSA signature successful
sending end entity cert "O=domain.com, CN=Template-User"
establishing CHILD_SA DOMAIN{2}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
splitting IKE message (1536 bytes) into 2 fragments
generating IKE_AUTH request 1 [ EF(1/2) ]
generating IKE_AUTH request 1 [ EF(2/2) ]
sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (1236 bytes)
sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (372 bytes)
received packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (1204 bytes)
parsed IKE_AUTH response 1 [ EF(1/2) ]
received fragment #1 of 2, waiting for complete IKE message
received packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (564 bytes)
parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembled fragmented IKE message (1408 bytes)
parsed IKE_AUTH response 1 [ CERT IDr AUTH CPRP(ADDR MASK SUBNET) TSi TSr SA ]
received end entity cert "O=domain.com, CN=vpn.domain.com"
  using trusted certificate "O=domain.com, CN=vpn.domain.com"
signature validation failed, looking for another key
  using certificate "O=domain.com, CN=vpn.domain.com"
  using trusted ca certificate "O=domain.com, CN=vpn.domain.com"
checking certificate status of "O=domain.com, CN=vpn.domain.com"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'vpn.domain.com' with RSA signature successful
constraint check failed: identity 'cvpn.domain.com' required 
selected peer config 'DOMAIN' unacceptable: constraint checking failed
no alternative config found
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
sending packet: from xxx.xxx.xxx.xxx[4500] to xxx.xxx.xxx.xxx[4500] (80 bytes)
establishing connection 'DOMAIN' failed


rightid=cvpn.domain.com

should probably be

rightid=vpn.domain.com

Related

How to harden security on services in ubuntu? [duplicate]
After installing Ubuntu 20.04 the wifi card Ralink RT3090 does not see any wifi networks
Delete Krunner history
How to fix error: Failed to load module "canberra-gtk-module"
Wake laptop when lid is opened?
How can I set up multiseat with only one physical graphics card?
Certain websites not displaying correctly in chromium (ERR_INSECURE_RESPONSE for all images and css)
Laptop CPU+GPU overheating after update to 18.04 LTS
Why does my resolv.conf file get regenerated every time?
What's the name of PPA? (for ppa-purge)
How to use Unity's global menu in GNOME Shell, if possible?
How to prevent so many instances of apt-check running?