bionic 18.04 network-manager-strongswan cannot connect behind a mobile wwan connection

Bug #1857689 reported by Cyanryaku
Affects: network-manager (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

$ lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04

For some reason, I downloaded several Ubuntu source deb packages (for the very latest build of "focal"?), rebuilt them with debuild and forcefully installed them:

network-manager-strongswan_1.4.4-2_amd64
charon-cmd_5.8.1-1ubuntu1_amd64
charon-systemd_5.8.1-1ubuntu1_amd64
libcharon-extauth-plugins_5.8.1-1ubuntu1_amd64
libcharon-extra-plugins_5.8.1-1ubuntu1_amd64
libcharon-standard-plugins_5.8.1-1ubuntu1_all
libstrongswan_5.8.1-1ubuntu1_amd64
libstrongswan-extra-plugins_5.8.1-1ubuntu1_amd64
libstrongswan-standard-plugins_5.8.1-1ubuntu1_amd64
strongswan_5.8.1-1ubuntu1_all
strongswan-charon_5.8.1-1ubuntu1_amd64
strongswan-libcharon_5.8.1-1ubuntu1_amd64
strongswan-nm_5.8.1-1ubuntu1_amd64
strongswan-pki_5.8.1-1ubuntu1_amd64
strongswan-scepclient_5.8.1-1ubuntu1_amd64
strongswan-starter_5.8.1-1ubuntu1_amd64
strongswan-swanctl_5.8.1-1ubuntu1_amd64
strongswan-tnc-base_5.8.1-1ubuntu1_all
strongswan-tnc-client_5.8.1-1ubuntu1_all
strongswan-tnc-ifmap_5.8.1-1ubuntu1_all
strongswan-tnc-pdp_5.8.1-1ubuntu1_all
strongswan-tnc-server_5.8.1-1ubuntu1_all

I set up a remote VPN server at AWS EC2, which has an Elastic IP exposed. The VPN can be connected to correctly from iOS (4G/LTE mobile, or WiFi behind NAT) and MacOS (via WiFi behind NAT) devices.

When trying to connect from Ubuntu 18.04, which has NetworkManager installed with the strongswan plug-in, it never succeeds while the mobile WWAN is connected; it works only when it has wired Ethernet or WiFi connected behind a NAT.

Here is the nmcli connection:

$ nmcli c
NAME UUID TYPE DEVICE
eth0 97ab1a44-d6a6-39b1-abad-9ba56fbca8d2 ethernet eth0
mobil 9dd38b76-68d8-42cd-aec6-acef5a993088 gsm --
myvpn 035be8b0-c4b0-41c4-b64f-bf7378ec0823 vpn --

$ nmcli c sho myvpn | grep vpn
connection.type: vpn
vpn.service-type: org.freedesktop.NetworkManager.strongswan
vpn.user-name: --
vpn.data: ipcomp = no, esp = aes256gcm16-ecp521, proposal = yes, method = eap, virtual = yes, address = XXX, encap = yes, user = UUU, ike = aes256gcm16-prfsha384-ecp521, password-flags = 0
vpn.secrets: <hidden>
vpn.persistent: no
vpn.timeout: 0

$ nmcli c up myvpn
NAME UUID TYPE DEVICE
mobil 9dd38b76-68d8-42cd-aec6-acef5a993088 gsm cdc-wdm1
eth0 97ab1a44-d6a6-39b1-abad-9ba56fbca8d2 ethernet eth0
myvpn 035be8b0-c4b0-41c4-b64f-bf7378ec0823 vpn --

$ nmcli c up myvpn
Error: Connection activation failed: Unknown reason

I checked /var/log/syslog, and found the critical issue is caused by:

Dec 27 17:52:30 chevalier charon-nm: 08[IKE] authentication of 'XXX' with EAP successful
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] IKE_SA darth[6] established between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] scheduling rekeying in 35503s
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] maximum IKE_SA lifetime 36103s
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] installing new virtual IP xxx.xxx.xxx.xxx
Dec 27 17:52:30 chevalier charon: 10[KNL] xxx.xxx.xxx.xxx appeared on wwan0
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] peer supports MOBIKE
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] deleting IKE_SA darth[6] between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] sending DELETE for IKE_SA darth[6]
Dec 27 17:52:30 chevalier charon-nm: 07[ENC] generating INFORMATIONAL request 6 [ D ]
Dec 27 17:52:30 chevalier charon-nm: 07[NET] sending packet: from [snipped] (65 bytes)
Dec 27 17:52:30 chevalier charon-nm: 11[NET] received packet: from [snipped] (57 bytes)
Dec 27 17:52:30 chevalier charon-nm: 11[ENC] parsed INFORMATIONAL response 6 [ ]
Dec 27 17:52:30 chevalier charon-nm: 11[IKE] IKE_SA deleted
Dec 27 17:52:30 chevalier charon-systemd[1191]: xxx.xxx.xxx.xxx disappeared from wwan0
Dec 27 17:52:30 chevalier charon: 08[KNL] xxx.xxx.xxx.xxx disappeared from wwan0

As you can see, the IKE encryption algorithm proposal cannot be chosen between the VPN server and the Ubuntu client. There may be some blocking between them. However, I suppose this should not be an issue caused by the mobile ISP, because my iOS device uses the same mobile ISP and it has no issue.
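Reading the excerpt in order: EAP authentication succeeds and the IKE_SA is established, and only then does the peer answer with NO_PROPOSAL_CHOSEN and "no CHILD_SA built". So the rejected proposal is the CHILD_SA (ESP) one, which in the nmcli output above is "esp = aes256gcm16-ecp521", not the IKE proposal. The following script is an added example, not part of the bug report or of strongSwan; it parses charon syslog lines (the sample below is copied from the report) and the nmcli vpn.data line, and reports at which stage the negotiation stopped. The line format regex, the stage names and the Outcome fields are this example's own assumptions.

```python
"""Classify where a strongSwan (charon) IKEv2 negotiation failed, from syslog lines.

Added example for the bug report above; not strongSwan or NetworkManager code.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Sample input: the syslog excerpt from the report (addresses already redacted there).
SAMPLE_LOG = """\
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] authentication of 'XXX' with EAP successful
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] IKE_SA darth[6] established between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] installing new virtual IP xxx.xxx.xxx.xxx
Dec 27 17:52:30 chevalier charon: 10[KNL] xxx.xxx.xxx.xxx appeared on wwan0
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] peer supports MOBIKE
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] deleting IKE_SA darth[6] between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 11[IKE] IKE_SA deleted
Dec 27 17:52:30 chevalier charon-systemd[1191]: xxx.xxx.xxx.xxx disappeared from wwan0
"""

# Sample input: the nmcli 'vpn.data' value from the report.
VPN_DATA = ("ipcomp = no, esp = aes256gcm16-ecp521, proposal = yes, method = eap, "
            "virtual = yes, address = XXX, encap = yes, user = UUU, "
            "ike = aes256gcm16-prfsha384-ecp521, password-flags = 0")

# Assumed syslog layout: "<ts> <host> <proc>[pid]: <thread>[<SUBSYS>] <msg>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>charon(?:-\w+)?)(?:\[\d+\])?: "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$"
)


def parse_vpn_data(data: str) -> Dict[str, str]:
    """Split nmcli's comma-separated 'key = value' vpn.data line into a dict."""
    out: Dict[str, str] = {}
    for item in data.split(","):
        key, _, value = item.partition("=")
        if key.strip():
            out[key.strip()] = value.strip()
    return out


@dataclass
class Outcome:
    eap_ok: bool = False
    ike_sa_established: bool = False
    child_sa_failed: bool = False
    notify: Optional[str] = None          # last notify payload received, e.g. NO_PROPOSAL_CHOSEN
    ike_sa_deleted: bool = False
    virtual_ip_iface: Optional[str] = None

    @property
    def stage(self) -> str:
        """Stage at which the negotiation stopped (names are this example's own)."""
        if not self.ike_sa_established:
            return "IKE_SA"       # never got past IKE_SA_INIT / IKE_AUTH
        if self.child_sa_failed:
            return "CHILD_SA"     # IKE_SA was fine; the ESP (CHILD_SA) proposal was rejected
        return "ESTABLISHED"


def classify_log(text: str) -> Outcome:
    """Walk charon log lines and record which negotiation milestones were reached."""
    o = Outcome()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. charon-systemd address notices carry no thread/subsystem tag
        msg = m["msg"]
        if "with EAP successful" in msg:
            o.eap_ok = True
        if re.search(r"IKE_SA \S+ established", msg):
            o.ike_sa_established = True
        n = re.search(r"received (\w+) notify", msg)
        if n:
            o.notify = n.group(1)
        if "no CHILD_SA built" in msg or "failed to establish CHILD_SA" in msg:
            o.child_sa_failed = True
        if msg.strip() == "IKE_SA deleted":
            o.ike_sa_deleted = True
        k = re.search(r"appeared on (\S+)", msg)
        if k and m["subsys"] == "KNL":
            o.virtual_ip_iface = k.group(1)
    return o


def summarize(log_text: str, vpn_data: str) -> str:
    """One-line diagnosis naming the proposal that belongs to the failed stage."""
    o = classify_log(log_text)
    cfg = parse_vpn_data(vpn_data)
    proposal_key = "ike" if o.stage == "IKE_SA" else "esp"
    return (f"stage={o.stage} notify={o.notify} eap_ok={o.eap_ok} "
            f"iface={o.virtual_ip_iface} {proposal_key}={cfg.get(proposal_key)}")


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, VPN_DATA))
```

Run as-is it prints the stage, the notify type, the interface the virtual IP landed on (wwan0 here) and the proposal string that belongs to the failed stage, which is the pair of values to compare against the server's accepted ESP proposals when triaging a NO_PROPOSAL_CHOSEN. Lines the regex does not recognise are skipped rather than raising, so the script can be pointed at a larger syslog slice.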

There is no firewall (ufw or iptables) set up.

This does not happen in the case with WiFi or Ethernet only, behind the NAT of another mobile ISP.

Any possible reason? Which underlying packages should I upgrade as well, specifically for Ubuntu 18.04?

Thanks for listening.

Cyanryaku (cyanryaku)
tags: added: strongswan
tags: added: network-manager-strongswan networkmanager