Public bug reported:

$ lsb_release -rd
Description:    Ubuntu 18.04.3 LTS
Release:        18.04

For some reason, I downloaded several Ubuntu source deb packages (for
the very latest build of "focal"?), re-debuilt them and forcefully
installed:

network-manager-strongswan_1.4.4-2_amd64
charon-cmd_5.8.1-1ubuntu1_amd64
charon-systemd_5.8.1-1ubuntu1_amd64
libcharon-extauth-plugins_5.8.1-1ubuntu1_amd64
libcharon-extra-plugins_5.8.1-1ubuntu1_amd64
libcharon-standard-plugins_5.8.1-1ubuntu1_all
libstrongswan_5.8.1-1ubuntu1_amd64
libstrongswan-extra-plugins_5.8.1-1ubuntu1_amd64
libstrongswan-standard-plugins_5.8.1-1ubuntu1_amd64
strongswan_5.8.1-1ubuntu1_all
strongswan-charon_5.8.1-1ubuntu1_amd64
strongswan-libcharon_5.8.1-1ubuntu1_amd64
strongswan-nm_5.8.1-1ubuntu1_amd64
strongswan-pki_5.8.1-1ubuntu1_amd64
strongswan-scepclient_5.8.1-1ubuntu1_amd64
strongswan-starter_5.8.1-1ubuntu1_amd64
strongswan-swanctl_5.8.1-1ubuntu1_amd64
strongswan-tnc-base_5.8.1-1ubuntu1_all
strongswan-tnc-client_5.8.1-1ubuntu1_all
strongswan-tnc-ifmap_5.8.1-1ubuntu1_all
strongswan-tnc-pdp_5.8.1-1ubuntu1_all
strongswan-tnc-server_5.8.1-1ubuntu1_all

I set up a remote VPN server on AWS EC2, which has an Elastic IP exposed.
The VPN can be connected to correctly from iOS (4G/LTE mobile, or WiFi
behind NAT) and macOS (via WiFi behind NAT) devices.

When trying to connect from Ubuntu 18.04, which has NetworkManager
installed with the strongSwan plug-in, it never succeeds when the mobile
WWAN is connected; it only works when it has wired Ethernet or WiFi
connected behind a NAT.

Here is the nmcli connection:
$ nmcli c
NAME   UUID                                  TYPE      DEVICE 
eth0   97ab1a44-d6a6-39b1-abad-9ba56fbca8d2  ethernet  eth0   
mobil  9dd38b76-68d8-42cd-aec6-acef5a993088  gsm       --     
myvpn  035be8b0-c4b0-41c4-b64f-bf7378ec0823  vpn       --     

$ nmcli c sho myvpn | grep vpn
connection.type:                        vpn
vpn.service-type:                       org.freedesktop.NetworkManager.strongswan
vpn.user-name:                          --
vpn.data:                               ipcomp = no, esp = aes256gcm16-ecp521, proposal = yes, method = eap, virtual = yes, address = XXX, encap = yes, user = UUU, ike = aes256gcm16-prfsha384-ecp521, password-flags = 0
vpn.secrets:                            <hidden>
vpn.persistent:                         no
vpn.timeout:                            0

$ nmcli c up myvpn
NAME   UUID                                  TYPE      DEVICE   
mobil  9dd38b76-68d8-42cd-aec6-acef5a993088  gsm       cdc-wdm1 
eth0   97ab1a44-d6a6-39b1-abad-9ba56fbca8d2  ethernet  eth0     
myvpn  035be8b0-c4b0-41c4-b64f-bf7378ec0823  vpn       --       

$ nmcli c up myvpn
Error: Connection activation failed: Unknown reason

I checked /var/log/syslog, and found the critical issue is caused by:

Dec 27 17:52:30 chevalier charon-nm: 08[IKE] authentication of 'XXX' with EAP successful
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] IKE_SA darth[6] established between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] scheduling rekeying in 35503s
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] maximum IKE_SA lifetime 36103s
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] installing new virtual IP xxx.xxx.xxx.xxx
Dec 27 17:52:30 chevalier charon: 10[KNL] xxx.xxx.xxx.xxx appeared on wwan0
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] peer supports MOBIKE
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] deleting IKE_SA darth[6] between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] sending DELETE for IKE_SA darth[6]
Dec 27 17:52:30 chevalier charon-nm: 07[ENC] generating INFORMATIONAL request 6 [ D ]
Dec 27 17:52:30 chevalier charon-nm: 07[NET] sending packet: from [snipped] (65 bytes)
Dec 27 17:52:30 chevalier charon-nm: 11[NET] received packet: from [snipped] (57 bytes)
Dec 27 17:52:30 chevalier charon-nm: 11[ENC] parsed INFORMATIONAL response 6 [ ]
Dec 27 17:52:30 chevalier charon-nm: 11[IKE] IKE_SA deleted
Dec 27 17:52:30 chevalier charon-systemd[1191]: xxx.xxx.xxx.xxx disappeared from wwan0
Dec 27 17:52:30 chevalier charon: 08[KNL] xxx.xxx.xxx.xxx disappeared from wwan0

As you can see, the IKE encryption algorithm proposal cannot be chosen
between the VPN server and the Ubuntu client. There may be some blocking
in between. However, I suppose this should not be an issue caused by the
mobile ISP because my iOS device uses the same mobile ISP and has no issue.

There is no firewall (ufw or iptables) set up.

This does not happen in the case of WiFi or Ethernet only, behind a NAT
on another mobile ISP.

Any possible reason? Which underlying component should I upgrade as well,
specifically for Ubuntu 18.04?

Thanks for listening.

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: network-manager-strongswan networkmanager strongswan

** Tags added: strongswan

** Tags added: network-manager-strongswan networkmanager

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to network-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1857689

Title:
  bionic 18.04 network-manager-strongswan cannot connect behind a mobile
  wwan connection
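
A small triage script for reports like this one, added here as an example
and not part of the original bug report or of strongSwan/NetworkManager. It
parses the `vpn.data` string printed by `nmcli c show`, splits the `ike` and
`esp` proposals into their algorithm tokens using strongSwan's naming
convention, and walks the charon-nm syslog lines in order to record which
IKEv2 milestone was reached before NO_PROPOSAL_CHOSEN arrived. It reports
where the exchange failed (IKE_SA negotiation versus CHILD_SA negotiation),
not why the peer rejected the proposal. The sample `vpn.data` and log lines
are constructed from the ones quoted in the report; `verdict()` and the
other function names are this example's own.

```python
"""
Triage a strongSwan (charon-nm) IKEv2 connection attempt from nmcli output
and syslog lines. Added example, not code from the bug report or from
strongSwan/NetworkManager.
"""
import re

# Constructed from the `nmcli c show myvpn` output quoted in the report.
SAMPLE_VPN_DATA = (
    "ipcomp = no, esp = aes256gcm16-ecp521, proposal = yes, method = eap, "
    "virtual = yes, address = XXX, encap = yes, user = UUU, "
    "ike = aes256gcm16-prfsha384-ecp521, password-flags = 0"
)

# Constructed from the /var/log/syslog excerpt in the report (subset).
SAMPLE_SYSLOG = """\
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] authentication of 'XXX' with EAP successful
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] IKE_SA darth[6] established between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] installing new virtual IP xxx.xxx.xxx.xxx
Dec 27 17:52:30 chevalier charon: 10[KNL] xxx.xxx.xxx.xxx appeared on wwan0
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] deleting IKE_SA darth[6] between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 11[IKE] IKE_SA deleted
"""

# "charon-nm: 08[IKE] message" or "charon: 10[KNL] message"
LOG_RE = re.compile(r"charon(?:-nm)?: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")


def parse_vpn_data(data: str) -> dict:
    """Turn the 'key = value, key = value' string from nmcli into a dict."""
    out = {}
    for item in data.split(","):
        if "=" not in item:
            continue
        key, _, value = item.partition("=")
        out[key.strip()] = value.strip()
    return out


def parse_proposal(proposal: str) -> dict:
    """Split a strongSwan proposal such as 'aes256gcm16-prfsha384-ecp521'.

    Token naming follows strongSwan's convention: ecp*/modp*/curve*/x25519/x448
    are DH groups, prf* are pseudo-random functions, sha*/md5/aesxcbc/aescmac
    are integrity algorithms, and everything else is an encryption (or AEAD)
    algorithm. A DH group inside an ESP proposal means PFS is requested for
    the CHILD_SA.
    """
    out = {"encryption": [], "integrity": [], "prf": [], "dh": []}
    for token in filter(None, proposal.split("-")):
        if token.startswith(("ecp", "modp", "curve", "x25519", "x448")):
            out["dh"].append(token)
        elif token.startswith("prf"):
            out["prf"].append(token)
        elif token.startswith(("sha", "md5", "aesxcbc", "aescmac")):
            out["integrity"].append(token)
        else:
            out["encryption"].append(token)
    return out


def triage(syslog: str) -> dict:
    """Walk charon log lines in order and record which milestones were hit."""
    state = {"eap_ok": False, "ike_sa_established": False,
             "child_sa_established": False, "no_proposal_chosen_phase": None,
             "ike_sa_deleted": False}
    for line in syslog.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "with EAP successful" in msg:
            state["eap_ok"] = True
        if msg.startswith("IKE_SA") and "established" in msg:
            state["ike_sa_established"] = True
        if msg.startswith("CHILD_SA") and "established" in msg:
            state["child_sa_established"] = True
        if "NO_PROPOSAL_CHOSEN" in msg:
            # A rejection after the IKE_SA exists can only concern the CHILD_SA.
            state["no_proposal_chosen_phase"] = (
                "CHILD_SA" if state["ike_sa_established"] else "IKE_SA")
        if msg.startswith("IKE_SA deleted"):
            state["ike_sa_deleted"] = True
    return state


def verdict(state: dict, vpn_data: dict) -> str:
    """Say which proposal the peer rejected, based on the phase recorded."""
    if state["child_sa_established"]:
        return "tunnel up: IKE_SA and CHILD_SA both established"
    if state["no_proposal_chosen_phase"] == "IKE_SA":
        return "peer rejected IKE proposal %s" % vpn_data.get("ike")
    if state["no_proposal_chosen_phase"] == "CHILD_SA":
        esp = parse_proposal(vpn_data.get("esp", ""))
        note = "ESP proposal %s rejected after IKE_SA was established" % vpn_data.get("esp")
        if esp["dh"]:
            note += "; it includes DH group %s, i.e. PFS for the CHILD_SA" % ",".join(esp["dh"])
        return note
    return "no NO_PROPOSAL_CHOSEN seen; the failure is somewhere else"


if __name__ == "__main__":
    cfg = parse_vpn_data(SAMPLE_VPN_DATA)
    print(verdict(triage(SAMPLE_SYSLOG), cfg))
```

Run it against a real `nmcli c show` line and a `journalctl -u NetworkManager`
or /var/log/syslog excerpt to see, before touching any package, whether the
peer refused the IKE proposal or only the ESP proposal.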

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp