P2N VPN connection issues with Linux/Strongswan

Levente Török 1 Reputation point
2021-12-16T13:01:09.237+00:00

Hi,
I have the very same problem.

I use Ubuntu 21.04 with strongswan 5.9.1-1ubuntu1.2 from ubuntu package and I have no firewall set up.

I have /etc/ipsec.conf as:

config setup

conn azure
      ike=aes128-sha1-modp1024
      keyexchange=ikev2
      type=tunnel
      leftfirewall=yes
      left=%any
      leftauth=eap-tls
      leftid=%client # client # use the DNS alternative name prefixed with the %
      right=azuregateway-xxxxxx.vpn.azure.com # Enter the VPN Server value here # Azure VPN gateway address
      rightid=%azuregateway-xxxxxx.vpn.azure.com # Enter the VPN Server value here # Azure VPN gateway FQDN with %
      rightsubnet=11.0.0.0/24
      leftsourceip=%config
      auto=add

This is what I got:

[13:54:02 lev@mate: ~  ] sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
[13:54:07 lev@mate: ~  ] sudo ipsec up azure
initiating IKE_SA azure[1] to 104.xx.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.0.38[500] to 104.xxx.xxx.88[500] (1236 bytes)
retransmit 1 of request with message ID 0
sending packet: from 192.168.0.38[500] to 104.xxx.xxx.88[500] (1236 bytes)

I have copied the
And in /etc/strongswan.d/charon/kernel-netlink.conf I uncommented the lines:

# MSS to set on installed routes, 0 to disable.
mss = 1350

# MTU to set on installed routes, 0 to disable.
mtu = 1350
When I try to connect, I get this:

[13:54:07 lev@MaTe : ~ ] sudo ipsec up azure
initiating IKE_SA azure[1] to 104.xxx.xxx.88
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.0.38[500] to 104.xxx.xxx.88[500] (1236 bytes)
retransmit 1 of request with message ID 0
sending packet: from 192.168.0.38[500] to 104.xxx.xxx.88[500] (1236 bytes)
retransmit 2 of request with message ID 0
...

The /var/log/syslog contains the same.
Does anybody have an idea how to debug it any further?
I have very similar problems with the GUI as well.
Can anybody help me out?

Many thanks,

Levente

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

1 answer

    GitaraniSharma-MSFT 48,511 Reputation points Microsoft Employee
    2021-12-21T09:33:15.863+00:00

    Hello @Levente Török ,

    Apologies for the delay in response.

    Below are some steps that can be taken to troubleshoot a point-to-site VPN connection on Linux/ StrongSwan, if the VPN connection is not connecting:

    1) Ping the gateway name from the client to ensure that it has Internet connectivity and that the gateway name is not mistyped.

    2) Run "tail -f /var/log/syslog | grep "charon-nm"" on the Ubuntu client to see the related log. After running this command you should try to connect the VPN and the related logs will be displayed in the terminal window in real-time. You can also add "| tee log.txt" to send the output to a log.txt file, if needed. The log would give you an indication as to what is wrong.
    For example:

    • "building CRED_PRIVATE_KEY - RSA failed" message indicates that the private key is not correct.
    • "no trusted RSA public key found for 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=<gatewayID>'" indicates that the Gateway certificate is not correct.

    Other things to check in the GUI:

    1) "Request an inner IP address" is checked under the options section.
    2) DNS and Routes are set to "Automatic" under IPv4 tab.
    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert#install

    If the above checks out and the problem is still not resolved, a deeper investigation would be needed. Hence, if you have a support plan, I request that you file a support ticket; otherwise please let us know and we will try to help you get one-time free technical support.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

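An added triage helper for the two passages above: the question's `ipsec up azure` output (IKE_SA_INIT retransmitted with no reply) and the answer's step 2 (capture the charon log and look for the quoted error strings). This is example code written for this page, not from the thread, strongSwan or Azure. It assumes a log excerpt captured as the answer describes (either the `charon` tag used by `ipsec up` or the `charon-nm` tag used by the NetworkManager plugin); the verdict tokens, the advice text and the sample excerpt are mine, and the only strings it matches are the messages quoted in the thread plus "established with SPIs", which charon logs once the CHILD_SA is installed.

```shell
#!/bin/sh
# Added example (not from the thread, strongSwan or Azure): classify a
# charon / charon-nm log excerpt and say which check to run next.
# Capture the excerpt as the answer suggests, e.g.
#   grep charon /var/log/syslog | classify_charon_log
# Verdict tokens and advice text are this example's own conventions.

# classify_charon_log: read a log excerpt on stdin, print one verdict token.
classify_charon_log() {
    local log
    log=$(cat)
    case "$log" in
        # Success first: a connection may retransmit a few times and still come up.
        *" established with SPIs "*)
            echo "established" ;;
        # The two credential errors listed in the answer.
        *"building CRED_PRIVATE_KEY - RSA failed"*)
            echo "bad-private-key" ;;
        *"no trusted RSA public key found"*)
            echo "untrusted-gateway-cert" ;;
        # The symptom in the question: IKE_SA_INIT (message ID 0) is retransmitted.
        *"of request with message ID 0"*)
            case "$log" in
                *"received packet"*) echo "unknown" ;;          # gateway did answer; failure is later
                *)                   echo "no-ike-response" ;;  # nothing ever came back
            esac ;;
        *)
            echo "unknown" ;;
    esac
}

# peer_from_log: pull the gateway address charon is initiating to (stdin),
# so a packet capture can be filtered on it.
peer_from_log() {
    sed -n 's/.*initiating IKE_SA [^ ]* to \([^ ]*\).*/\1/p' | head -n 1
}

# explain_verdict: map a verdict token to the next thing to check.
explain_verdict() {
    case "$1" in
        no-ike-response)
            echo "No reply to IKE_SA_INIT: the gateway never saw the packet or its answer was dropped."
            echo "  - confirm the FQDN resolves:   getent hosts <gateway FQDN>"
            echo "  - watch the IKE ports:         sudo tcpdump -ni any udp port 500 or udp port 4500"
            echo "  - outbound UDP/500 and UDP/4500 must not be filtered locally or upstream" ;;
        bad-private-key)
            echo "The client private key is not correct (answer, step 2)." ;;
        untrusted-gateway-cert)
            echo "The gateway certificate is not trusted by the client (answer, step 2)." ;;
        established)
            echo "Tunnel is up; if traffic still fails, look at routes and the MSS/MTU settings." ;;
        *)
            echo "No known pattern; read the full charon log around the failure." ;;
    esac
}

# Constructed sample, modelled on the question's output with a TEST-NET address
# (203.0.113.88) in place of the masked gateway IP.
SAMPLE_NO_RESPONSE='initiating IKE_SA azure[1] to 203.0.113.88
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.0.38[500] to 203.0.113.88[500] (1236 bytes)
retransmit 1 of request with message ID 0
sending packet: from 192.168.0.38[500] to 203.0.113.88[500] (1236 bytes)
retransmit 2 of request with message ID 0'

verdict=$(printf '%s\n' "$SAMPLE_NO_RESPONSE" | classify_charon_log)
peer=$(printf '%s\n' "$SAMPLE_NO_RESPONSE" | peer_from_log)
echo "verdict: $verdict (peer $peer)"
explain_verdict "$verdict"
```

For the log in the question the helper returns `no-ike-response`: every line is a send or a retransmit of message ID 0 and nothing is ever received, which points at the path to the gateway (DNS, UDP/500 and UDP/4500) rather than at certificates. The MSS/MTU values in kernel-netlink.conf only apply to routes installed after the tunnel is up, so they do not change what happens at IKE_SA_INIT. The certificate verdicts fire on the exact strings the answer quotes, so the same excerpt can be reused once the gateway starts answering.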