bionic 18.04 network-manager-strongswan cannot connect behind a mobile wwan connection
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| network-manager (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
$ lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04
For some reason, I downloaded several ubuntu source deb packages (for very latest build of "focal"?) and re-debuild them and forcefully installed:
network-
charon-
charon-
libcharon-
libcharon-
libcharon-
libstrongswan_
libstrongswan-
libstrongswan-
strongswan_
strongswan-
strongswan-
strongswan-
strongswan-
strongswan-
strongswan-
strongswan-
strongswan-
strongswan-
strongswan-
strongswan-
strongswan-
I setup a remote VPN server at AWS EC2, which has an Elastic IP exposed. The VPN can be connected correctly via iOS (4G/LTE mobile, or WiFi behind NAT) and MacOS (via WiFi behind NAT) devices.
When trying to connect from Ubuntu 18.04 which has networkmanager installed with strongswan plug-in, it never succeeded when the mobile wwan is connected, but it works only it has wired ethernet or wifi connected behind a NAT.
Here is the nmcli coneection:
nmcli c
NAME UUID TYPE DEVICE
eth0 97ab1a44-
mobil 9dd38b76-
myvpn 035be8b0-
$ nmcli c sho myvpn | grep vpn
connection.type: vpn
vpn.service-type: org.freedesktop
vpn.user-name: --
vpn.data: ipcomp = no, esp = aes256gcm16-ecp521, proposal = yes, method = eap, virtual = yes, address = XXX, encap = yes, user = UUU, ike = aes256gcm16-
vpn.secrets: <hidden>
vpn.persistent: no
vpn.timeout: 0
$ nmcli c up myvpn
NAME UUID TYPE DEVICE
mobil 9dd38b76-
eth0 97ab1a44-
myvpn 035be8b0-
$ nmcli c up myvpn
Error: Connection activation failed: Unknown reason
I checked /var/log/syslog, and found the critical issue is caused by:Dec 27 17:52:30 chevalier charon-nm: 08[IKE] authentication of 'XXX' with EAP successful
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] IKE_SA darth[6] established between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] scheduling rekeying in 35503s
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] maximum IKE_SA lifetime 36103s
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] installing new virtual IP xxx.xxx.xxx.xxx
Dec 27 17:52:30 chevalier charon: 10[KNL] xxx.xxx.xxx.xxx appeared on wwan0
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] failed to establish CHILD_SA, keeping IKE_SA
Dec 27 17:52:30 chevalier charon-nm: 08[IKE] peer supports MOBIKE
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] deleting IKE_SA darth[6] between [snipped]
Dec 27 17:52:30 chevalier charon-nm: 07[IKE] sending DELETE for IKE_SA darth[6]
Dec 27 17:52:30 chevalier charon-nm: 07[ENC] generating INFORMATIONAL request 6 [ D ]
Dec 27 17:52:30 chevalier charon-nm: 07[NET] sending packet: from [snipped] (65 bytes)
Dec 27 17:52:30 chevalier charon-nm: 11[NET] received packet: from [snipped] (57 bytes)
Dec 27 17:52:30 chevalier charon-nm: 11[ENC] parsed INFORMATIONAL response 6 [ ]
Dec 27 17:52:30 chevalier charon-nm: 11[IKE] IKE_SA deleted
Dec 27 17:52:30 chevalier charon-
Dec 27 17:52:30 chevalier charon: 08[KNL] xxx.xxx.xxx.xxx disappeared from wwan0
As you can see, the IKE encryption algorithm proposal cannot be chosen between VPN server and Ubuntu client. There may be some blocking between this. However, I suppose this should not be an issue casued by mobile ISP because my iOS device used the same mobile ISP and it has no issue.
There is no firewall (ufw or iptables) setup
This will not happen to the case with wifi or ethernet only NAT behind another mobile ISP.
Any possible reason? which underlying I shall upgrade as well for specific Ubuntu 18.04?
Thanks for listening.
| tags: | added: strongswan |
| tags: | added: network-manager-strongswan networkmanager |
