Hi all,
I recently upgraded from fedora 31 to 32 and everything is fine so far except one issue regarding a vpn connection based on strongswan.
The vpn was initially setup with the NetworkManager-strongswan-gnome plugin and it worked fine.
The connection is authenticated with a client certificate and I am connecting to an azure gateway (point to site configuration).
With fedora 31 the vpn dialed successfully with version
Linux strongSwan U5.8.2/K5.8.18-100.fc31.x86_64
With fedora 32 I am currently running version
Linux strongSwan U5.9.0/K5.9.8-100.fc32.x86_64
When running debug mode of NetworkManager and inspecting logs the issue seems to be related to not matching proposals.
received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
configured proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
no acceptable proposal found
finally the log states this warning:
VPN plugin: failed: connect-failed (1)
I still have another system running fedora 31 and I doublechecked that the vpn is still able to connect succesfully on this machine. I already spent a lot of time investigating this issue but unfortunately I was not able to fix it yet .
Results of my research so far pointed out some deprecated crypt-policies (but it seems this was introduced with fedora 33?) and I ran update-crypto-policies --set LEGACY without success.
I am also a bit confused with strongswan on fedora, does the gnome-plugin for strongswan/ipsec use libreswan under hood? I run strongswan on another Ubuntu 18 machine and all ipsec commands seem to be replaced with “strongswan” on fedora.
Find my detailed packages currently installed on fedora 32
rpm -qa | grep swan
strongswan-5.9.0-1.fc32.x86_64
NetworkManager-strongswan-gnome-1.4.5-2.fc32.x86_64
NetworkManager-strongswan-1.4.5-2.fc32.x86_64
strongswan-charon-nm-5.9.0-1.fc32.x86_64
Unfortunately I do currently not have access to my fedora 31 machine and therefore can not provide these exact versions, but I can hand in later.
Thanks in advance guys!
Regards NS