VPN to a IKEv2/IPSEC MSCHAPv2 Windows Server

Postby DiBosco » Apr 11th, '24, 10:22

Folks,

Am trying to connect up to an IKEv2/IPSEC MSCHAPv2 VPN running on an aged Windows server from Mageia.

Looked at lots of tutorials, seems you need to install strongswan (which I did).

It's a password-only set-up, so no certificates. On a Windows machine, to log in you have nothing but the server name along the lines of:

aname.bname.co.uk

Then my username and password and you're in.

Doing it on Mageia I can only get a timeout error:

Code:
Error: Connection activation failed: The VPN service did not start in time
Hint: use 'journalctl -xe NM_CONNECTION=19768401-370f-461d-9175-338cbbdba5e1 + NM_DEVICE=wlp0s20f3' to get more details.


Using journalctl I see this:

Code:
Apr 11 08:39:55 localhost.localdomain NetworkManager[1103]: <info>  [1712821195.4053] vpn[0x230db80,19768401-370f-461d-9175-338cbbdba5e1,"VPNName"]: starting strongswan
Apr 11 08:40:00 localhost.localdomain NetworkManager[1103]: <warn>  [1712821200.2075] vpn[0x230db80,19768401-370f-461d-9175-338cbbdba5e1,"VPNName"]: starting: timed out waiting for the VPN to activate


I can see nothing there to even vaguely help.

Would be grateful for any help on how to track this down and/or what I am likely to be doing wrong. More than happy to provide any debug information if I know what is needed. Thanks!

Edit:

The /etc/strongswan/ipsec.conf file is completely unaltered by me setting up the profile in network mangler, is there a bug here?!
Last edited by isadora on Apr 11th, '24, 18:47, edited 1 time in total.
Reason: Topic moved to appropriate sub-forum
DiBosco
 
Posts: 331
Joined: Aug 31st, '11, 10:22

Re: VPN to a IKEv2/IPSEC MSCHAPv2 Windows Server

Postby doktor5000 » Apr 11th, '24, 20:53

Please show the output as root of
Code:
journalctl -ab | grep -iE "NetworkManager|charon|strongswan"

after activating the connection and waiting for it to fail to connect.
Please remove the information for IP addresses of your VPN and interfaces if you don't want to share that.

Also some more information what you configured in the VPN profile in networkmanager would be helpful.
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18067
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: VPN to a IKEv2/IPSEC MSCHAPv2 Windows Server

Postby DiBosco » Apr 11th, '24, 21:39

This is what I get; I've chopped out everything before I did the request to join the VPN and obfuscated anything necessary.

Code:
Apr 11 20:29:07 localhost.localdomain NetworkManager[1377]: <info>  [1712863747.2734] agent-manager: agent[fb5d5065f4827f4c,:1.124/nmcli-connect/1000]: agent registered
Apr 11 20:29:07 localhost.localdomain NetworkManager[1377]: <info>  [1712863747.2763] vpn[0x264b5a0,19768401-370f-461d-9175-338cbbdba5e1,"DestinationVPN"]: starting strongswan
Apr 11 20:29:07 localhost.localdomain NetworkManager[1377]: <info>  [1712863747.2767] audit: op="connection-activate" uuid="19768401-370f-461d-9175-338cbbdba5e1" name="DestinationVPN" pid=3615 uid=1000 result="success"
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.9.10)
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] unable to load OpenSSL FIPS provider
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] plugin 'openssl': failed to load - openssl_plugin_create returned NULL
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] received netlink error: Unknown device type (95)
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] failed to create XFRM interface 'xfrmi-test-1645'
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[NET] could not open socket: Address family not supported by protocol
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[NET] could not open IPv6 socket, IPv6 disabled
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] received netlink error: Rule family not supported (97)
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[KNL] unable to create IPv6 routing table rule
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] loaded plugins: nm-backend charon-nm ldap pkcs11 tpm aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 sshkey pem pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf gcm drbg curl soup kernel-netlink socket-default eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 11 20:29:07 localhost.localdomain kded5[2282]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::NeedAuth
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 00[JOB] spawning 16 worker threads
Apr 11 20:29:07 localhost.localdomain kded5[2282]: org.kde.plasma.nm.kded: Unhandled VPN connection state change:  NetworkManager::VpnConnection::Connecting
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[CFG] received initiate for NetworkManager connection DestinationVPN
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[CFG] using gateway identity 'aname.bname.co.uk'
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[IKE] initiating IKE_SA DestinationVPN[1] to xxx.xxx.xxx.xxx
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 11 20:29:07 localhost.localdomain charon-nm[3621]: 05[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[500] (336 bytes)
Apr 11 20:29:11 localhost.localdomain charon-nm[3621]: 06[IKE] retransmit 1 of request with message ID 0
Apr 11 20:29:11 localhost.localdomain charon-nm[3621]: 06[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[[500] (336 bytes)
Apr 11 20:29:18 localhost.localdomain charon-nm[3621]: 07[IKE] retransmit 2 of request with message ID 0
Apr 11 20:29:18 localhost.localdomain charon-nm[3621]: 07[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[[500] (336 bytes)
Apr 11 20:29:31 localhost.localdomain charon-nm[3621]: 08[IKE] retransmit 3 of request with message ID 0
Apr 11 20:29:31 localhost.localdomain charon-nm[3621]: 08[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[[500] (336 bytes)
Apr 11 20:29:54 localhost.localdomain charon-nm[3621]: 09[IKE] retransmit 4 of request with message ID 0
Apr 11 20:29:54 localhost.localdomain charon-nm[3621]: 09[NET] sending packet: from 192.168.0.108[44444] to xxx.xxx.xxx.xxx[[500] (336 bytes)
Apr 11 20:30:07 localhost.localdomain NetworkManager[1377]: <warn>  [1712863807.9933] vpn[0x264b5a0,19768401-370f-461d-9175-338cbbdba5e1,"DestinationVPN"]: connect timeout exceeded
Apr 11 20:30:07 localhost.localdomain charon-nm[3621]: Connect timer expired, disconnecting.
Apr 11 20:30:07 localhost.localdomain charon-nm[3621]: 10[IKE] destroying IKE_SA in state CONNECTING without notification


Settings-wise I've tried all sorts:

Request an inner IP on and off. With it on it times out almost immediately. With it off it takes a while to time out.
Enforce UDP and Use IP compression I've tried on and off
Authentication type is EAP.
IKE = aes256-sha256-modp1024
ESP is blank.
Certificate is blank.
URL of VPN server is in Gateway and the DNS clearly converts that to the correct IP address

In the IP4 tab, Method is automatic and all else is blank. I haven't touched advanced or routes.
Last edited by isadora on Apr 12th, '24, 07:31, edited 1 time in total.
Reason: Please place command output between [CODE]-tags, for improving readability
DiBosco
 
Posts: 331
Joined: Aug 31st, '11, 10:22
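The charon-nm excerpt above shows the one pattern that matters for triage: IKE_SA_INIT goes out to UDP/500, is retransmitted four times, and nothing ever comes back, so the attempt dies in state CONNECTING before any EAP/MSCHAPv2 exchange could even start. The helper below is an added example, not code from the thread or from strongSwan; it reads charon-nm lines of this shape and reports which stage the attempt stalled at, and it also generalises to the two later failure modes (proposal rejected, EAP authentication rejected). The sample lines and the 203.0.113.10 address are constructed.

```python
import re

# Constructed sample modelled on the posted journal: IKE_SA_INIT sent,
# retransmitted four times, never answered (the "no reply on UDP/500" case).
NO_REPLY_LOG = """\
05[IKE] initiating IKE_SA DestinationVPN[1] to 203.0.113.10
05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
05[NET] sending packet: from 192.168.0.108[44444] to 203.0.113.10[500] (336 bytes)
06[IKE] retransmit 1 of request with message ID 0
07[IKE] retransmit 2 of request with message ID 0
08[IKE] retransmit 3 of request with message ID 0
09[IKE] retransmit 4 of request with message ID 0
10[IKE] destroying IKE_SA in state CONNECTING without notification
"""

# Constructed contrast case: the gateway answers but rejects the IKE proposal,
# which is what a mismatched "IKE = aes256-sha256-modp1024" line would look like.
PROPOSAL_LOG = """\
05[IKE] initiating IKE_SA DestinationVPN[1] to 203.0.113.10
05[NET] sending packet: from 192.168.0.108[44444] to 203.0.113.10[500] (336 bytes)
06[NET] received packet: from 203.0.113.10[500] to 192.168.0.108[44444] (36 bytes)
06[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
06[IKE] received NO_PROPOSAL_CHOSEN notify error
"""


def triage(log_text):
    """Return (stage, retransmit_count, advice) for a charon-nm log excerpt."""
    lines = log_text.splitlines()
    sent = any("IKE_SA_INIT request" in ln or "sending packet" in ln for ln in lines)
    received = any("received packet: from" in ln for ln in lines)
    retransmits = len(re.findall(r"retransmit (\d+) of request", log_text))
    if not sent:
        return ("not-started", retransmits,
                "no IKE_SA_INIT was sent; check the NetworkManager/strongSwan plugin setup")
    if not received:
        # Every packet went out and none came back: reachability, not credentials.
        return ("no-reply", retransmits,
                "gateway never answered UDP/500 after %d retransmits; look at firewall, "
                "NAT, hostname/IP and whether the service listens, not at EAP" % retransmits)
    if "NO_PROPOSAL_CHOSEN" in log_text:
        return ("proposal-mismatch", retransmits,
                "gateway answered but rejected the IKE proposal; align IKE algorithms with the server")
    if re.search(r"EAP_FAILURE|authentication of .* failed", log_text):
        return ("auth-failed", retransmits,
                "gateway reachable and proposal accepted; EAP/MSCHAPv2 identity or password rejected")
    return ("other", retransmits, "gateway answered; inspect the later IKE_AUTH lines")
```

Run against the first sample it returns the "no-reply" stage with four retransmits, which is exactly the situation in the posted log.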

