IPSec PSK roadwarrior from Linux Network Manager fails to connect

I am trying to set up an IPSec roadwarrior connection between an IPFire system and a Linux laptop using Network Manager with the strongSwan plugin.

I am trying to use the PSK to start with and, after getting that working, move on to certificate setup, but I am having problems with the PSK connection.

I have been testing this with CU190 Testing but I got the same results when I also tested it out with CU189.

The Network Manager logs indicate that a proposal for the selected ciphers was accepted. In the setup of the IPFire IPSec roadwarrior I just used the default settings. Didn't change anything.
The log message was:

Dec 02 16:15:34 tethys charon-nm[3769]: 05[IKE] initiating IKE_SA tethys ipsec to skrymir[1] to 192.168.26.200
Dec 02 16:15:34 tethys charon-nm[3769]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 05[NET] sending packet: from 192.168.26.37[51471] to 192.168.26.200[500] (1036 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 08[NET] received packet: from 192.168.26.200[500] to 192.168.26.37[51471] (38 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 08[IKE] peer didn't accept DH group ECP_256, it requested CURVE_448
Dec 02 16:15:34 tethys charon-nm[3769]: 08[IKE] initiating IKE_SA tethys ipsec to skrymir[1] to 192.168.26.200
Dec 02 16:15:34 tethys charon-nm[3769]: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 08[NET] sending packet: from 192.168.26.37[51471] to 192.168.26.200[500] (1028 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 09[NET] received packet: from 192.168.26.200[500] to 192.168.26.37[51471] (285 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 09[CFG] selected proposal: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_448

Then the PSK authentication was carried out and that was successful.

Dec 02 16:15:34 tethys charon-nm[3769]: 09[IKE] authentication of 'tethys' (myself) with pre-shared key
Dec 02 16:15:34 tethys charon-nm[3769]: 09[IKE] establishing CHILD_SA tethys ipsec to skrymir{1}
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] splitting IKE message (9435 bytes) into 8 fragments
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] generating IKE_AUTH request 1 [ EF(1/8) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] generating IKE_AUTH request 1 [ EF(2/8) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] generating IKE_AUTH request 1 [ EF(3/8) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] generating IKE_AUTH request 1 [ EF(4/8) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] generating IKE_AUTH request 1 [ EF(5/8) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] generating IKE_AUTH request 1 [ EF(6/8) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] generating IKE_AUTH request 1 [ EF(7/8) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] generating IKE_AUTH request 1 [ EF(8/8) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 09[NET] sending packet: from 192.168.26.37[52545] to 192.168.26.200[4500] (1248 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 09[NET] sending packet: from 192.168.26.37[52545] to 192.168.26.200[4500] (1248 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 09[NET] sending packet: from 192.168.26.37[52545] to 192.168.26.200[4500] (1248 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 09[NET] sending packet: from 192.168.26.37[52545] to 192.168.26.200[4500] (1248 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 09[NET] sending packet: from 192.168.26.37[52545] to 192.168.26.200[4500] (1248 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 09[NET] sending packet: from 192.168.26.37[52545] to 192.168.26.200[4500] (1248 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 09[NET] sending packet: from 192.168.26.37[52545] to 192.168.26.200[4500] (1248 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 09[NET] sending packet: from 192.168.26.37[52545] to 192.168.26.200[4500] (1130 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 10[NET] received packet: from 192.168.26.200[4500] to 192.168.26.37[52545] (228 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 10[IKE] authentication of 'skrymir' with pre-shared key successful

but then in the next section is where it is failing and I have been unable to find out how to fix this.

Dec 02 16:15:34 tethys charon-nm[3769]: 10[IKE] peer supports MOBIKE
Dec 02 16:15:34 tethys charon-nm[3769]: 10[IKE] IKE_SA tethys ipsec to skrymir[1] established between 192.168.26.37[tethys]...192.168.26.200[skrymir]
Dec 02 16:15:34 tethys charon-nm[3769]: 10[IKE] scheduling rekeying in 35877s
Dec 02 16:15:34 tethys charon-nm[3769]: 10[IKE] maximum IKE_SA lifetime 36477s
Dec 02 16:15:34 tethys charon-nm[3769]: 10[IKE] received FAILED_CP_REQUIRED notify, no CHILD_SA built
Dec 02 16:15:34 tethys charon-nm[3769]: 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 02 16:15:34 tethys charon-nm[3769]: 13[IKE] deleting IKE_SA tethys ipsec to skrymir[1] between 192.168.26.37[tethys]...192.168.26.200[skrymir]
Dec 02 16:15:34 tethys charon-nm[3769]: 13[IKE] sending DELETE for IKE_SA tethys ipsec to skrymir[1]
Dec 02 16:15:34 tethys charon-nm[3769]: 13[ENC] generating INFORMATIONAL request 2 [ D ]
Dec 02 16:15:34 tethys charon-nm[3769]: 13[NET] sending packet: from 192.168.26.37[52545] to 192.168.26.200[4500] (65 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 11[NET] received packet: from 192.168.26.200[4500] to 192.168.26.37[52545] (57 bytes)
Dec 02 16:15:34 tethys charon-nm[3769]: 11[ENC] parsed INFORMATIONAL response 2 [ ]
Dec 02 16:15:34 tethys charon-nm[3769]: 11[IKE] IKE_SA deleted
Dec 02 16:15:34 tethys charon-nm[3769]: 01[KNL] interface tun0 deleted

Anyone got any ideas what the message
[IKE] received FAILED_CP_REQUIRED notify, no CHILD_SA built
means and what needs to be modified and where?

Having posted my issue, the third search item afterwards had a comment that the message is because I had not selected the "Request an inner IP address" checkbox in the Network Manager screen.

I selected that checkbox and the PSK roadwarrior connection was successfully made.

I will add some stuff about Linux connection with Network Manager into the wiki.

2 Likes
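Added example, not part of the original post: a small log check that ties the `N(FAIL_CP_REQ)` notify in the IKE_AUTH response to the absence of a configuration payload request in the client's IKE_AUTH request. The function names are hypothetical. It assumes charon prints a configuration payload request as `CPRQ(...)` and the reply as `CPRP(...)`. The first sample is copied from the log above; the second is constructed to show what a request with an inner IP address looks like.

```python
import re

# charon [ENC] line: "generating|parsed <exchange> request|response <id> [ payloads ]"
ENC_RE = re.compile(
    r"\[ENC\] (?:generating|parsed) (\S+) (request|response) \d+ \[ (.*?) ?\]$")

def payloads(log_text):
    """Map (exchange, direction) -> set of payload names seen in [ENC] lines."""
    seen = {}
    for line in log_text.splitlines():
        m = ENC_RE.search(line.strip())
        if not m:
            continue
        exchange, direction, body = m.groups()
        # Keep parenthesised arguments attached, e.g. "CPRQ(ADDR DNS)".
        names = re.findall(r"[^\s()]+(?:\([^)]*\))?", body)
        seen.setdefault((exchange, direction), set()).update(names)
    return seen

def diagnose(log_text):
    """Classify the virtual-IP (configuration payload) part of IKE_AUTH."""
    p = payloads(log_text)
    req = p.get(("IKE_AUTH", "request"), set())
    resp = p.get(("IKE_AUTH", "response"), set())
    asked = any(n.startswith("CPRQ") for n in req)
    if "N(FAIL_CP_REQ)" in resp:
        # Responder requires a configuration payload for this connection.
        return "cp-failure-other" if asked else "no-virtual-ip-requested"
    if any(n.startswith("CPRP") for n in resp):
        return "virtual-ip-assigned"
    return "no-cp-exchange"

# Lines copied from the post's log (failing attempt).
FAILED_LOG = """
Dec 02 16:15:34 tethys charon-nm[3769]: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Dec 02 16:15:34 tethys charon-nm[3769]: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
"""

# Constructed sample (not from the post): the same exchange with a CPRQ sent.
FIXED_LOG = """
charon-nm: 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) ]
charon-nm: 10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) ]
"""

if __name__ == "__main__":
    print(diagnose(FAILED_LOG))  # no-virtual-ip-requested
    print(diagnose(FIXED_LOG))   # virtual-ip-assigned
```
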