Public bug reported:

$ lsb_release -rd
Description:    Ubuntu 18.04.3 LTS
Release:        18.04

For some reason, I downloaded several Ubuntu source deb packages (for the very latest build of "focal"?), re-debuild them and forcefully installed:

network-manager-strongswan_1.4.4-2_amd64
charon-cmd_5.8.1-1ubuntu1_amd64
charon-systemd_5.8.1-1ubuntu1_amd64
libcharon-extauth-plugins_5.8.1-1ubuntu1_amd64
libcharon-extra-plugins_5.8.1-1ubuntu1_amd64
libcharon-standard-plugins_5.8.1-1ubuntu1_all
libstrongswan_5.8.1-1ubuntu1_amd64
libstrongswan-extra-plugins_5.8.1-1ubuntu1_amd64
libstrongswan-standard-plugins_5.8.1-1ubuntu1_amd64
strongswan_5.8.1-1ubuntu1_all
strongswan-charon_5.8.1-1ubuntu1_amd64
strongswan-libcharon_5.8.1-1ubuntu1_amd64
strongswan-nm_5.8.1-1ubuntu1_amd64
strongswan-pki_5.8.1-1ubuntu1_amd64
strongswan-scepclient_5.8.1-1ubuntu1_amd64
strongswan-starter_5.8.1-1ubuntu1_amd64
strongswan-swanctl_5.8.1-1ubuntu1_amd64
strongswan-tnc-base_5.8.1-1ubuntu1_all
strongswan-tnc-client_5.8.1-1ubuntu1_all
strongswan-tnc-ifmap_5.8.1-1ubuntu1_all
strongswan-tnc-pdp_5.8.1-1ubuntu1_all
strongswan-tnc-server_5.8.1-1ubuntu1_all

I set up a remote VPN server at AWS EC2, which has an Elastic IP exposed. The VPN can be connected correctly via iOS (4G/LTE mobile, or WiFi behind NAT) and MacOS (via WiFi behind NAT) devices. When trying to connect from Ubuntu 18.04, which has NetworkManager installed with the strongswan plug-in, it never succeeded when the mobile wwan is connected, but it works only when it has wired ethernet or WiFi connected behind a NAT.

Here is the nmcli connection:

$ nmcli c
NAME   UUID                                  TYPE      DEVICE
eth0   97ab1a44-d6a6-39b1-abad-9ba56fbca8d2  ethernet  eth0
mobil  9dd38b76-68d8-42cd-aec6-acef5a993088  gsm       --
myvpn  035be8b0-c4b0-41c4-b64f-bf7378ec0823  vpn       --

$ nmcli c sho myvpn | grep vpn
connection.type:                        vpn
vpn.service-type:                       org.freedesktop.NetworkManager.strongswan
vpn.user-name:                          --
vpn.data:                               ipcomp = no, esp = aes256gcm16-ecp521, proposal = yes, method = eap, virtual = yes, address = XXX, encap = yes, user = UUU, ike = aes256gcm16-prfsha384-ecp521, password-flags = 0
vpn.secrets:                            <hidden>
vpn.persistent:                         no
vpn.timeout:                            0

$ nmcli c up myvpn
NAME   UUID                                  TYPE      DEVICE
mobil  9dd38b76-68d8-42cd-aec6-acef5a993088  gsm       cdc-wdm1
eth0   97ab1a44-d6a6-39b1-abad-9ba56fbca8d2  ethernet  eth0
myvpn  035be8b0-c4b0-41c4-b64f-bf7378ec0823  vpn       --

$ nmcli c up myvpn
Error: Connection activation failed: Unknown reason

I checked /var/log/syslog, and found the critical issue is caused by:

Dec 27 17:52:30 chevalier charon-nm: 08[IKE] authentication of 'XXX' with EAP successful
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] IKE_SA darth[6] established between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] scheduling rekeying in 35503s
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] maximum IKE_SA lifetime 36103s
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] installing new virtual IP xxx.xxx.xxx.xxx
Dec 27 17:52:30 chevalier charon: 10[KNL] xxx.xxx.xxx.xxx appeared on wwan0
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] peer supports MOBIKE
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] deleting IKE_SA darth[6] between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] sending DELETE for IKE_SA darth[6]
Dec 27 17:52:30 chevalier charon-nm: 07[ENC] generating INFORMATIONAL request 6 [ D ]
Dec 27 17:52:30 chevalier charon-nm: 07[NET] sending packet: from [snipped] (65 bytes)
Dec 27 17:52:30 chevalier charon-nm: 11[NET] received packet: from [snipped] (57 bytes)
Dec 27 17:52:30 chevalier charon-nm: 11[ENC] parsed INFORMATIONAL response 6 [ ]
Dec 27 17:52:30 chevalier charon-nm: 11[IKE] IKE_SA deleted
Dec 27 17:52:30 chevalier charon-systemd[1191]: xxx.xxx.xxx.xxx disappeared from wwan0
Dec 27 17:52:30 chevalier charon: 08[KNL] xxx.xxx.xxx.xxx disappeared from wwan0

As you can see, the IKE encryption algorithm proposal cannot be chosen between the VPN server and the Ubuntu client. There may be some blocking between them. However, I suppose this should not be an issue caused by the mobile ISP, because my iOS device uses the same mobile ISP and has no issue. There is no firewall (ufw or iptables) set up. This does not happen in the case of WiFi or ethernet behind a NAT on another mobile ISP.

Any possible reason? Which underlying component shall I also upgrade, specifically for Ubuntu 18.04?

Thanks for listening.

** Affects: network-manager (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: network-manager-strongswan networkmanager strongswan

** Tags added: strongswan

** Tags added: network-manager-strongswan networkmanager

https://bugs.launchpad.net/bugs/1857689

Title:
  bionic 18.04 network-manager-strongswan cannot connect behind a mobile wwan connection

Status in network-manager package in Ubuntu:
  New
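An added example, not part of the bug report or of strongSwan: a small Python reader for charon's syslog lines that reports whether a negotiation stopped before the IKE_SA existed or after it, and which vpn.data key (ike = or esp =) governs the proposal that was rejected. The failing lines are copied from the report above (addresses already redacted there); the success line is constructed for contrast.

```python
import re

# Failing exchange copied from the bug report's syslog excerpt.
SAMPLE_FAIL = """\
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] authentication of 'XXX' with EAP successful
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] IKE_SA darth[6] established between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] installing new virtual IP xxx.xxx.xxx.xxx
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] deleting IKE_SA darth[6] between [snipped]
Dec 27 17:52:30 chevalier charon-systemd[1191]: xxx.xxx.xxx.xxx disappeared from wwan0
"""
# Constructed success case: same start, then a CHILD_SA comes up.
SAMPLE_OK = "\n".join(SAMPLE_FAIL.splitlines()[:3] + [
    "Dec 27 17:52:31 chevalier charon-nm: 08[IKE] CHILD_SA myvpn{1} established with SPIs [snipped]"])

# syslog prefix, charon process (charon, charon-nm, charon-systemd[pid]),
# optional "NN[GROUP]" thread/log-group tag, then the message.
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<proc>charon[\w-]*)(?:\[\d+\])?: "
    r"(?:(?P<thread>\d+)\[(?P<group>\w+)\] )?(?P<msg>.*)$")

# Which vpn.data key of the NetworkManager-strongswan connection carries the
# proposal that is negotiated at each stage.
STAGE_TO_KEY = {"ike": "ike", "child": "esp"}

def parse(log):
    """Yield (process, log group, message) for each charon syslog line; skip others."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("proc"), m.group("group"), m.group("msg")

def diagnose(log):
    """Return (stage, vpn.data key to check, evidence line).
    stage: 'ike' (IKE_SA never established), 'child' (IKE_SA up but the
    CHILD_SA/ESP proposal was rejected), 'ok' (CHILD_SA established), 'unknown'."""
    ike_up = False
    for _proc, group, msg in parse(log):
        if group != "IKE":
            continue
        if "IKE_SA" in msg and "established between" in msg:
            ike_up = True
        elif "NO_PROPOSAL_CHOSEN" in msg:
            stage = "child" if ike_up else "ike"
            return stage, STAGE_TO_KEY[stage], msg
        elif msg.startswith("CHILD_SA") and "established" in msg:
            return "ok", None, msg
    return "unknown", None, ""

if __name__ == "__main__":
    print(diagnose(SAMPLE_FAIL))
    print(diagnose(SAMPLE_OK))
```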