After upgrade to fedora 32 strongswan vpn issue


Hi all,

I recently upgraded from fedora 31 to 32 and everything is fine so far except one issue regarding a vpn connection based on strongswan.
The vpn was initially setup with the NetworkManager-strongswan-gnome plugin and it worked fine.
The connection is authenticated with a client certificate and I am connecting to an azure gateway (point to site configuration).

With fedora 31 the vpn dialed successfully with version

Linux strongSwan U5.8.2/K5.8.18-100.fc31.x86_64

With fedora 32 I am currently running version

Linux strongSwan U5.9.0/K5.9.8-100.fc32.x86_64

When running debug mode of NetworkManager and inspecting logs the issue seems to be related to not matching proposals.

received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ

configured proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ

no acceptable proposal found

finally the log states this warning:

VPN plugin: failed: connect-failed (1)

I still have another system running fedora 31 and I double-checked that the vpn is still able to connect successfully on this machine. I already spent a lot of time investigating this issue but unfortunately I was not able to fix it yet :(.
Results of my research so far pointed out some deprecated crypto-policies (but it seems this was introduced with fedora 33?) and I ran update-crypto-policies --set LEGACY without success.
I am also a bit confused with strongswan on fedora, does the gnome plugin for strongswan/ipsec use libreswan under the hood? I run strongswan on another Ubuntu 18 machine and all ipsec commands seem to be replaced with “strongswan” on fedora.

Find below the packages currently installed on fedora 32:

rpm -qa | grep swan
strongswan-5.9.0-1.fc32.x86_64
NetworkManager-strongswan-gnome-1.4.5-2.fc32.x86_64
NetworkManager-strongswan-1.4.5-2.fc32.x86_64
strongswan-charon-nm-5.9.0-1.fc32.x86_64

Unfortunately I do not currently have access to my fedora 31 machine and therefore cannot provide these exact versions, but I can hand them in later.

Thanks in advance guys!
Regards, NS


I somehow was finally able to resolve this.
My solution was to enable and add a custom proposal in the gnome NetworkManager vpn config.


I dumped my network traffic with wireshark before and was able to retrieve some more information on the proposals offered by the vpn server.
No clue what changed and why fedora 32 requires this fix. I am also confused by the strongswan log output, which offered me a proposal like

received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ

which is indeed listed in my “configured proposals”:

configured proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ

One last challenge I faced was that even after the vpn dialed successfully my local routes to the target network were not properly added; I somehow realized that the strongswan system unit was not enabled and running.
After enabling / starting the strongswan daemon my routes were properly added.

If someone can shed some light on this issue I am happy to receive any more detailed feedback.
Maybe this solution is helpful for someone.

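The checker below is an added example, not code from this thread or from strongSwan: it models IKEv2 proposal selection at the level of the algorithm names charon prints (both sides must carry the same transform types and share one algorithm per type) and runs it over the two log lines quoted above. On those lines it reports that the AES_CBC proposal has no encryption algorithm in common with the peer, and that the AES_GCM proposal as printed lacks the NO_EXT_SEQ transform the peer sent; whether that printed line reflects what charon actually offered is not something the thread settles. The classification of transform names by type is an assumption of this example.

```python
import re

# Added example, not from the thread: checks the proposal lines charon logs right
# before "no acceptable proposal found". Name classification is an assumption.
def transform_type(name):
    """Map a logged transform name to its IKEv2 transform type."""
    if name in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    return "encr"  # AES_CBC_*, AES_GCM_*, CHACHA20_POLY1305, ...

def parse_proposals(field):
    """'ESP:A/B, ESP:C/D' -> [(proto, {type: {names}}), ...]"""
    result = []
    for prop in field.split(","):
        proto, _, transforms = prop.strip().partition(":")
        by_type = {}
        for name in transforms.split("/"):
            by_type.setdefault(transform_type(name), set()).add(name)
        result.append((proto, by_type))
    return result

def compare(configured, received):
    """Simplified IKEv2 selection: both sides must carry the same transform types and
    share one algorithm per type. Returns {type: reason}; empty means compatible."""
    (cproto, ctypes), (rproto, rtypes) = configured, received
    if cproto != rproto:
        return {"proto": f"{cproto} != {rproto}"}
    problems = {}
    for ttype in sorted(set(ctypes) | set(rtypes)):
        if ttype not in ctypes or ttype not in rtypes:
            side = "received" if ttype in ctypes else "configured"
            problems[ttype] = f"absent from {side} proposal"
        elif not ctypes[ttype] & rtypes[ttype]:
            problems[ttype] = f"no common algorithm, peer sent {sorted(rtypes[ttype])}"
    return problems

def diagnose(log_text):
    """Problems of each configured proposal against each received proposal."""
    recv = re.search(r"received proposals: (.+)", log_text).group(1)
    conf = re.search(r"configured proposals: (.+)", log_text).group(1)
    return [[compare(cp, rp) for rp in parse_proposals(recv)] for cp in parse_proposals(conf)]

SAMPLE_LOG = (  # constructed sample: the two proposal lines quoted in the thread
    "received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ\n"
    "configured proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ\n"
)
```

Calling `diagnose(SAMPLE_LOG)` returns one list per configured proposal, each holding the blocking reasons against every received proposal; an empty dict means that pair would have been accepted.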

I don’t use strongswan but from what you posted about the strongswan daemon it could be that you need to enable it so it always runs when you boot.
I just installed everything related to strongswan and the man page for it gave me the ipsec info. This is what it says about starting.

   CONTROL COMMANDS
       start [starter options]
              calls starter which in turn parses ipsec.conf and starts the IKE daemon charon.

To me it appears that strongswan is a wrapper around ipsec and you need to set up ipsec.conf properly.
My currently installed package list is

# rpm -qa | grep swan
NetworkManager-strongswan-1.4.5-2.fc32.x86_64
plasma-nm-strongswan-5.18.5-1.fc32.x86_64
strongswan-5.9.0-1.fc32.x86_64
NetworkManager-strongswan-gnome-1.4.5-2.fc32.x86_64
strongswan-charon-nm-5.9.0-1.fc32.x86_64
strongswan-sqlite-5.9.0-1.fc32.x86_64
strongswan-libipsec-5.9.0-1.fc32.x86_64
strongswan-tnc-imcvs-5.9.0-1.fc32.x86_64

Comparing that to your list, I suspect the missing strongswan-libipsec could relate, but I have no clue if the other 3 are required for you. Since I only have one PC in operation I cannot set up a tunnel and test anything with it.

Thanks for your reply.
In case the VPN is configured in the gnome gui based on the strongswan-gnome plugin, it is not required to set up ipsec.conf / ipsec.secrets etc. because the vpn config lives in NetworkManager.
Still it is a bit strange that I can dial my VPN with NetworkManager / nmcli although the strongswan daemon is not even started.

It does seem strange, but did you not say you got that fixed with the change in the NM screen?
Is the strongswan daemon even needed with an outgoing connection?

Exactly, starting the strongswan daemon seemed to be required to add my local routes to the destination network. Otherwise the vpn dialed successfully but local routes were missing and I could not reach the target network. I am not sure which components are required if one only wants to set up a “client vpn”.
The fix in the NM screen solved the issue of not being able to dial the vpn connection.