Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'm trying to connect to a Windows server that uses IKEv2/IPsec MSCHAPv2 with no certificate. It's simply username and password. From a Windows client this works fine, but I'd really like to be able to get on via Linux.
I've found lots of articles saying use strongSwan, so I've set it up using NetworkManager in KDE and it's just not having it.
I get this from journalctl:
Code:
Apr 11 20:29:07 localhost.localdomain NetworkManager[1377]: <info> [1712863747.2734] agent-manager: agent[fb5d5065f4827f4c,:1.124/nmcli-connect/1000]: agent registered
Apr 11 20:29:07 localhost.localdomain NetworkManager[1377]: <info> [1712863747.2763] vpn[0x264b5a0,19768401-370f-461d-9175-338cbbdba5e1,"DestinationVPN"]: starting strongswan
Apr 11 20:29:07 localhost.localdomain NetworkManager[1377]: <info> [1712863747.2767] audit: op="connection-activate" uuid="19768401-370f-461d-9175-338cbbdba5e1" name="DestinationVPN" pid=3615 uid=1000 result="success"
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.9.10)
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] unable to load OpenSSL FIPS provider
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] plugin 'openssl': failed to load - openssl_plugin_create returned NULL
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] received netlink error: Unknown device type (95)
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] failed to create XFRM interface 'xfrmi-test-1645'
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[NET] could not open socket: Address family not supported by protocol
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[NET] could not open IPv6 socket, IPv6 disabled
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] received netlink error: Rule family not supported (97)
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] unable to create IPv6 routing table rule
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] loaded plugins: nm-backend charon-nm ldap pkcs11 tpm aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 sshkey pem pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf gcm drbg curl soup kernel-netlink socket-default eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 11 20:29:07 localhost.localdomain kded5[2282]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: NetworkManager::VpnConnection::NeedAuth
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[JOB] spawning 16 worker threads
Apr 11 20:29:07 localhost.localdomain kded5[2282]: org.kde.plasma.nm.kded: Unhandled VPN connection state change: NetworkManager::VpnConnection::Connecting
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[CFG] received initiate for NetworkManager connection DestinationVPN
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[CFG] using gateway identity 'aname.bname.co.uk'
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[IKE] initiating IKE_SA DestinationVPN[1] to xxx.xxx.xxx.xxx
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[500] (336 bytes)
Apr 11 20:29:11 localhost.localdomain charon-nm[3621]: 06[IKE] retransmit 1 of request with message ID 0
Apr 11 20:29:11 localhost.localdomain charon-nm[3621]: 06[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[500] (336 bytes)
Apr 11 20:29:18 localhost.localdomain charon-nm[3621]: 07[IKE] retransmit 2 of request with message ID 0
Apr 11 20:29:18 localhost.localdomain charon-nm[3621]: 07[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[500] (336 bytes)
Apr 11 20:29:31 localhost.localdomain charon-nm[3621]: 08[IKE] retransmit 3 of request with message ID 0
Apr 11 20:29:31 localhost.localdomain charon-nm[3621]: 08[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[500] (336 bytes)
Apr 11 20:29:54 localhost.localdomain charon-nm[3621]: 09[IKE] retransmit 4 of request with message ID 0
Apr 11 20:29:54 localhost.localdomain charon-nm[3621]: 09[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[500] (336 bytes)
Apr 11 20:30:07 localhost.localdomain NetworkManager[1377]: <warn> [1712863807.9933] vpn[0x264b5a0,19768401-370f-461d-9175-338cbbdba5e1,"DestinationVPN"]: connect timeout exceeded
Apr 11 20:30:07 localhost.localdomain charon-nm[3621]: Connect timer expired, disconnecting.
Apr 11 20:30:07 localhost.localdomain charon-nm[3621]: 10[IKE] destroying IKE_SA in state CONNECTING without notification
I can't connect via Android either. Is there simply an issue that this is never going to work from a non-Windows client, or could I be doing something wrong?
In Network Manager I set up a VPN connection using Strongswan with EAP as the Authentication and request inner IP address selected. All else is default.
If there's any information I can supply which would help please ask.
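Added example for this thread (not code from the original post or from the strongSwan project): a small triage script that reads charon log lines in the format shown above and reports which IKEv2 exchange the client got stuck in. The point it demonstrates is that "retransmit N of request with message ID 0" means the IKE_SA_INIT request was never answered, so the peer (or something in between) is not replying on UDP/500 and the EAP-MSCHAPv2 authentication never even began; a plugin-load failure such as the openssl one is reported separately so it is not mistaken for the cause. The verdict wording, the 203.0.113.10 peer and the second sample log are constructed here for illustration; the first sample is abridged from the log in the post.

```python
"""Stage-of-failure triage for a strongSwan (charon) IKEv2 client log.

Added example, not from the original post or the strongSwan project.
Line patterns follow charon's log output as it appears above; the sample
logs are either abridged from the thread or constructed for illustration.
"""
import re
from dataclasses import dataclass, field

RE_SEND = re.compile(r"\[NET\] sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
RE_GEN = re.compile(r"\[ENC\] generating (\S+) request (\d+)")
RE_PARSED = re.compile(r"\[ENC\] parsed (\S+) response (\d+) \[(.*)\]")
RE_RETRANSMIT = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")
RE_PLUGIN_FAIL = re.compile(r"\[LIB\] plugin '([^']+)': failed to load")
RE_DESTROY = re.compile(r"\[IKE\] destroying IKE_SA in state (\S+)")


@dataclass
class Diagnosis:
    peer: str = ""                                   # last address:port we sent to
    requests: list = field(default_factory=list)     # exchange types we sent
    responses: dict = field(default_factory=dict)    # exchange type -> notify names seen
    retransmits: int = 0                             # highest retransmit counter seen
    failed_plugins: list = field(default_factory=list)
    final_state: str = ""                            # IKE_SA state at teardown
    verdict: str = ""


def diagnose(lines):
    """Walk the log once and decide where the handshake stalled."""
    d = Diagnosis()
    for line in lines:
        if m := RE_PLUGIN_FAIL.search(line):
            d.failed_plugins.append(m.group(1))
        elif m := RE_SEND.search(line):
            d.peer = f"{m.group(3)}:{m.group(4)}"
        elif m := RE_GEN.search(line):
            if m.group(1) not in d.requests:
                d.requests.append(m.group(1))
        elif m := RE_PARSED.search(line):
            # Collect N(...) notify payload names from the parsed response.
            d.responses[m.group(1)] = re.findall(r"N\((\w+)\)", m.group(3))
        elif m := RE_RETRANSMIT.search(line):
            d.retransmits = max(d.retransmits, int(m.group(1)))
        elif m := RE_DESTROY.search(line):
            d.final_state = m.group(1)

    if not d.requests:
        d.verdict = "never sent IKE_SA_INIT: local configuration or plugin problem"
    elif "IKE_SA_INIT" not in d.responses:
        d.verdict = (f"no reply from {d.peer} after {d.retransmits} retransmits: "
                     "reachability problem (UDP 500/4500, firewall, NAT); "
                     "authentication never started")
    elif "AUTH_FAILED" in d.responses.get("IKE_AUTH", []):
        d.verdict = "peer rejected IKE_AUTH (AUTH_FAILED): credentials, EAP method or identity"
    elif "IKE_AUTH" not in d.responses:
        d.verdict = "IKE_SA_INIT answered but no IKE_AUTH reply: check fragmentation/UDP 4500"
    else:
        d.verdict = "IKE_AUTH completed"
    return d


# Abridged from the journalctl output in the post (thread prefixes kept).
POSTED_LOG = """\
charon-nm[3621]: 00[LIB] plugin 'openssl': failed to load - openssl_plugin_create returned NULL
charon-nm[3621]: 05[IKE] initiating IKE_SA DestinationVPN[1] to xxx.xxx.xxx.xxx
charon-nm[3621]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
charon-nm[3621]: 05[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[500] (336 bytes)
charon-nm[3621]: 06[IKE] retransmit 1 of request with message ID 0
charon-nm[3621]: 09[IKE] retransmit 4 of request with message ID 0
charon-nm[3621]: 10[IKE] destroying IKE_SA in state CONNECTING without notification
""".splitlines()

# Constructed: a peer that answers IKE_SA_INIT but rejects the EAP authentication.
CONSTRUCTED_AUTH_FAIL_LOG = """\
charon-nm[9999]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
charon-nm[9999]: 05[NET] sending packet: from 192.168.0.108[44444] to 203.0.113.10[500] (336 bytes)
charon-nm[9999]: 06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
charon-nm[9999]: 06[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) ]
charon-nm[9999]: 06[NET] sending packet: from 192.168.0.108[44444] to 203.0.113.10[4500] (400 bytes)
charon-nm[9999]: 07[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon-nm[9999]: 07[IKE] destroying IKE_SA in state CONNECTING without notification
""".splitlines()

if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("constructed", CONSTRUCTED_AUTH_FAIL_LOG)):
        r = diagnose(log)
        print(f"{name}: plugins failed={r.failed_plugins} final={r.final_state}")
        print(f"  {r.verdict}")
```

Run against the posted log it reports the openssl plugin failure as a side issue and the stall as "no reply after 4 retransmits": the loaded-plugins line in the log still lists aes, sha2, gmp, curve25519 and eap-mschapv2, so charon was able to build and send an IKE_SA_INIT proposal; what never happened is a response from the gateway on UDP/500. That puts the first thing to check on reachability of the gateway (and UDP/4500 for NAT traversal), before anything about EAP or certificates.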
I got connected using wpa_supplicant on a university website, but it's beyond the "we're smart, so we'll figure it out for you" approach of NM. You have to authenticate yourself, which grades your access. Others get higher/lower levels of access.
Do a targeted search for connecting using that protocol & NetworkManager, or read 'man wpa_supplicant.conf' to see how I did it, because it was 10 years ago, and I saw it as just another obstacle to my (late) higher education, and got a severe dose of "Knowledge Bulimia" after. [Knowledge Bulimia = learn it for the test/purpose, & forget it after .]
EDIT: From your output, it looks like you mightn't have the openssl requirements (whatever they are), and it never really tries. It's not going to send your user & pass unencrypted, is it?
Hmmm, I think it does. It's a very basic connection and there's no certificate when connecting on Winders.
Isn't wpa_supplicant for connecting to wifi? I have no issue with that part of it.
Well, mine was a wifi connection. But if it's wired, you still need to authenticate your user & password as part of your connection. That decides your access level, iirc. It may be your (or NM's) dhcp config. Sending that over wired is less of an issue.
Yes, the username and password is the only thing that's entered when I connect using Windows as the client and therefore the only thing I [can] try with Linux. There is no certificate, it's all very iffy, but that's their call.
Check whether there is a program, script or Python module. NM must have crossed this bridge before. I'd be swallowing hard and using NetworkManager, except my VPN NM driver needs systemd.
EDIT: I did a basic, basic before-you-bother-anybody type search and found scores of similar posts, many with [SOLVED] in the title. Post the one(s) that solve it for you.
Quote:
Originally Posted by business_kid
Check whether there is a program, script or Python module.
For what, sorry? To use where?
Quote:
Originally Posted by business_kid
EDIT: I did a basic, basic before-you-bother-anybody type search and found scores of similar posts, many with [SOLVED] in the title. Post the one(s) that solve it for you.
I spent three or four evenings a month back looking for a solution. Plenty of people with certificates, but nothing whatsoever for use without certs (other than someone who rebuilt strongSwan libs from scratch, which I'm not doing). Would be most grateful if you can point me in the direction of one you've found :-)