This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sören
Employee
Employee
‎2023-05-29 02:26 PM

strongSwan - GUI - Network Manager - Username / Password

Instead of using strongSwan Command Line Interface (CLI), you can also use the Network-Manager-strongSwan Plugin to create a VPN Remote Connection to a Check Point Firewall. 

This is not an official guide. This is just a tutorial from my lab.

How to configure strongSwan, please see:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/T...

 

Environment:

 

Username / Password Authentication

Gateway:
- R81.20 JF 10

Linux Client:
- Ubuntu 22.04
- strongSwan 5.9.5
- Network-Manager-StrongSwan 1.5.2

 

Ubuntu:

1) Install Network Manager strongSwan Plugin

 

$ sudo apt install network-manager-strongswan

 

These packages are also needed to connect successfully

 

$ sudo apt-get install libstrongswan-extra-plugins
$ sudo apt-get install libcharon-extra-plugins
$ sudo apt-get install strongswan

 

2) add the following to /etc/strongswan.conf

 

charon-nm {
        load_modular = yes
        send_vendor_id = yes
        plugins {
                include strongswan.d/charon/*.conf
                attr {
                    dns = 1.1.1.1, 9.9.9.9
                }
        }

}

 

* charon-nm is used by the Network Manager only. Without the option "send_vendor_id=yes", the VPN won't come up. See also under Troubleshooting an example of the strongswan.conf file I use in my lab. 

3) Restart ipsec service

 

$ systemctl restart ipsec

 

4) create IPSec Profile in Network Manager

Select: IPSec/IKEv2 (strongSwan)

Bildschirmfoto 2023-05-29 um 23.11.13.png

5) Configure Firewall IP Address etc. This is only an example of my Lab.

Bildschirmfoto 2023-05-29 um 23.18.10.png

Bildschirmfoto 2023-06-28 um 18.10.08.png

6) Connect to Gateway

Enter User Password and the Remote Access VPN should work.

Bildschirmfoto 2023-05-29 um 23.20.36.png

7) Connected

Bildschirmfoto 2023-05-29 um 23.48.37.png

Log Output - /var/log/syslog

 

May 29 23:20:21 strongswan charon-nm: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.9.5)
May 29 23:20:21 strongswan charon-nm: 00[CFG] PKCS11 module '<name>' lacks library path
May 29 23:20:21 strongswan charon-nm: 00[PTS] TPM 2.0 - could not load "libtss2-tcti-tabrmd.so.0"
May 29 23:20:21 strongswan charon-nm: 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL
May 29 23:20:21 strongswan charon-nm: 00[LIB] providers loaded by OpenSSL: legacy default
May 29 23:20:21 strongswan NetworkManager[811]: <info>  [1685395221.6499] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/4)
May 29 23:20:21 strongswan charon-nm: 00[LIB] created TUN device: tun0
May 29 23:20:21 strongswan systemd-udevd[4704]: Using default interface naming scheme 'v249'.
May 29 23:20:21 strongswan charon-nm: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:20:21 strongswan charon-nm: 00[NET] using forecast interface ens160
May 29 23:20:21 strongswan charon-nm: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
May 29 23:20:21 strongswan charon-nm: 00[CFG] HA config misses local/remote address
May 29 23:20:21 strongswan charon-nm: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:20:21 strongswan charon-nm: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:20:21 strongswan charon-nm: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:20:21 strongswan charon-nm: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:20:21 strongswan charon-nm: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:20:21 strongswan charon-nm: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:20:21 strongswan charon-nm: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:20:21 strongswan charon-nm: 00[JOB] spawning 16 worker threads
May 29 23:21:53 strongswan charon-nm: 05[CFG] received initiate for NetworkManager connection Home - IPSec
May 29 23:21:53 strongswan charon-nm: 05[CFG] using gateway identity '192.168.0.1'
May 29 23:21:53 strongswan charon-nm: 05[IKE] initiating IKE_SA Home - IPSec[1] to 10.34.103.98
May 29 23:21:53 strongswan charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]
May 29 23:21:53 strongswan charon-nm: 05[NET] sending packet: from 10.34.103.200[55399] to 10.34.103.98[500] (484 bytes)
May 29 23:21:53 strongswan charon-nm: 13[NET] received packet: from 10.34.103.98[500] to 10.34.103.200[55399] (633 bytes)
May 29 23:21:53 strongswan charon-nm: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
May 29 23:21:53 strongswan charon-nm: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
May 29 23:21:53 strongswan charon-nm: 13[IKE] local host is behind NAT, sending keep alives
May 29 23:21:53 strongswan charon-nm: 13[IKE] received cert request for "O=home-fw..22erwk"
May 29 23:21:53 strongswan charon-nm: 13[IKE] received 1 cert requests for an unknown ca
May 29 23:21:53 strongswan charon-nm: 13[IKE] sending cert request for "O=home-fw..22erwk"
May 29 23:21:53 strongswan charon-nm: 13[IKE] establishing CHILD_SA Home - IPSec{1}
May 29 23:21:53 strongswan charon-nm: 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS NBNS DNS6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
May 29 23:21:53 strongswan charon-nm: 13[NET] sending packet: from 10.34.103.200[58460] to 10.34.103.98[4500] (368 bytes)
May 29 23:21:53 strongswan charon-nm: 16[NET] received packet: from 10.34.103.98[4500] to 10.34.103.200[58460] (1008 bytes)
May 29 23:21:53 strongswan charon-nm: 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 29 23:21:53 strongswan charon-nm: 16[IKE] received end entity cert "O=home-fw..22erwk, CN=home-fw VPN Certificate"
May 29 23:21:53 strongswan charon-nm: 16[CFG]   using certificate "O=home-fw..22erwk, CN=home-fw VPN Certificate"
May 29 23:21:53 strongswan charon-nm: 16[CFG]   using trusted ca certificate "O=home-fw..22erwk"
May 29 23:21:53 strongswan charon-nm: 16[CFG]   reached self-signed root ca with a path length of 0
May 29 23:21:53 strongswan charon-nm: 16[CFG] checking certificate status of "O=home-fw..22erwk, CN=home-fw VPN Certificate"
May 29 23:21:53 strongswan charon-nm: 16[CFG]   fetching crl from 'O=home-fw..22erwk, CN=ICA_CRL11' ...
May 29 23:21:53 strongswan charon-nm: 16[LIB] unable to fetch from O=home-fw..22erwk, CN=ICA_CRL11, no capable fetcher found
May 29 23:21:53 strongswan charon-nm: 16[CFG] crl fetching failed
May 29 23:21:53 strongswan charon-nm: 16[CFG]   fetching crl from 'http://home-fw.example.de:18264/ICA_CRL11.crl' ...
May 29 23:21:53 strongswan charon-nm: 16[LIB] libcurl request failed [6]: Could not resolve host: home-fw.example.de
May 29 23:21:53 strongswan charon-nm: 16[CFG] crl fetching failed
May 29 23:21:53 strongswan charon-nm: 16[CFG] certificate status is not available
May 29 23:21:53 strongswan charon-nm: 16[IKE] authentication of '192.168.0.1' with RSA signature successful
May 29 23:21:53 strongswan charon-nm: 16[IKE] server requested EAP_IDENTITY (id 0xD4), sending 'vpn_soeren'
May 29 23:21:53 strongswan charon-nm: 16[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
May 29 23:21:53 strongswan charon-nm: 16[NET] sending packet: from 10.34.103.200[58460] to 10.34.103.98[4500] (96 bytes)
May 29 23:21:53 strongswan charon-nm: 07[NET] received packet: from 10.34.103.98[4500] to 10.34.103.200[58460] (80 bytes)
May 29 23:21:53 strongswan charon-nm: 07[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/GTC ]
May 29 23:21:53 strongswan charon-nm: 07[IKE] server requested EAP_GTC authentication (id 0xD5)
May 29 23:21:53 strongswan charon-nm: 07[ENC] generating IKE_AUTH request 3 [ EAP/RES/GTC ]
May 29 23:21:53 strongswan charon-nm: 07[NET] sending packet: from 10.34.103.200[58460] to 10.34.103.98[4500] (96 bytes)
May 29 23:21:53 strongswan charon-nm: 08[NET] received packet: from 10.34.103.98[4500] to 10.34.103.200[58460] (80 bytes)
May 29 23:21:53 strongswan charon-nm: 08[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
May 29 23:21:53 strongswan charon-nm: 08[IKE] EAP method EAP_GTC succeeded, no MSK established
May 29 23:21:53 strongswan charon-nm: 08[IKE] authentication of 'vpn_soeren' (myself) with EAP
May 29 23:21:53 strongswan charon-nm: 08[ENC] generating IKE_AUTH request 4 [ AUTH ]
May 29 23:21:53 strongswan charon-nm: 08[NET] sending packet: from 10.34.103.200[58460] to 10.34.103.98[4500] (112 bytes)
May 29 23:21:54 strongswan charon-nm: 09[NET] received packet: from 10.34.103.98[4500] to 10.34.103.200[58460] (400 bytes)
May 29 23:21:54 strongswan charon-nm: 09[ENC] parsed IKE_AUTH response 4 [ AUTH N(CRASH_DET) CPRP(ADDR DNS DNS) SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
May 29 23:21:54 strongswan charon-nm: 09[IKE] authentication of '192.168.0.1' with EAP successful
May 29 23:21:54 strongswan charon-nm: 09[IKE] IKE_SA Home - IPSec[1] established between 10.34.103.200[vpn_soeren]...10.34.103.98[192.168.0.1]
May 29 23:21:54 strongswan charon-nm: 09[IKE] scheduling rekeying in 35812s
May 29 23:21:54 strongswan charon-nm: 09[IKE] maximum IKE_SA lifetime 36412s
May 29 23:21:54 strongswan charon-nm: 09[IKE] installing DNS server 192.168.0.31 via resolvconf
May 29 23:21:54 strongswan charon-nm: 09[IKE] installing new virtual IP 192.168.1.168
May 29 23:21:54 strongswan avahi-daemon[808]: Registering new address record for 192.168.1.168 on ens160.IPv4.
May 29 23:21:54 strongswan charon: 10[KNL] 192.168.1.168 appeared on ens160
May 29 23:21:54 strongswan charon-nm: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 29 23:21:54 strongswan charon-nm: 09[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
May 29 23:21:54 strongswan charon-nm: 09[IKE] CHILD_SA Home - IPSec{1} established with SPIs c0040ebd_i c0417c77_o and TS 192.168.1.168/32 === 10.34.103.1/32 10.34.103.98/32 172.18.0.1/32 192.168.0.0/24 192.168.2.0/24 192.168.4.1/32 192.168.207.0/24 192.168.222.1/32
May 29 23:21:54 strongswan charon: 15[KNL] interface tun0 activated
May 29 23:21:54 strongswan NetworkManager[811]: <info>  [1685395314.8189] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
May 29 23:21:54 strongswan NetworkManager[811]: <info>  [1685395314.8199] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
May 29 23:21:54 strongswan NetworkManager[811]: <info>  [1685395314.8204] device (tun0): Activation: starting connection 'tun0' (7e91075e-00b4-41ab-aea7-512e0a3ffc19)
May 29 23:21:54 strongswan NetworkManager[811]: <info>  [1685395314.8207] device (tun0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
May 29 23:21:54 strongswan charon: 12[KNL] fe80::5047:48eb:aeb1:877e appeared on tun0
May 29 23:21:54 strongswan charon: 08[KNL] 192.168.1.168 appeared on tun0
May 29 23:21:54 strongswan NetworkManager[811]: <info>  [1685395314.8212] device (tun0): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
May 29 23:21:54 strongswan dbus-daemon[809]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.3' (uid=0 pid=811 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
May 29 23:21:54 strongswan systemd[1]: Starting Network Manager Script Dispatcher Service...
May 29 23:21:54 strongswan NetworkManager[811]: <info>  [1685395314.8259] device (tun0): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
May 29 23:21:54 strongswan NetworkManager[811]: <info>  [1685395314.8264] device (tun0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
May 29 23:21:54 strongswan charon-nm: 10[KNL] interface tun0 activated
May 29 23:21:54 strongswan dbus-daemon[809]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 29 23:21:54 strongswan systemd[1]: Started Network Manager Script Dispatcher Service.
May 29 23:21:54 strongswan charon-nm: 14[KNL] fe80::5047:48eb:aeb1:877e appeared on tun0
May 29 23:21:54 strongswan charon-nm: 06[KNL] 192.168.1.168 appeared on tun0
May 29 23:21:54 strongswan systemd-resolved[629]: ens160: Bus client set default route setting: no
May 29 23:21:54 strongswan systemd-resolved[629]: ens160: Bus client reset DNS server list.
May 29 23:21:54 strongswan systemd-resolved[629]: tun0: Bus client set default route setting: yes
May 29 23:21:54 strongswan systemd-resolved[629]: tun0: Bus client set DNS server list to: 192.168.0.21
May 29 23:21:54 strongswan NetworkManager[811]: <info>  [1685395314.8421] device (tun0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
May 29 23:21:54 strongswan NetworkManager[811]: <info>  [1685395314.8430] device (tun0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
May 29 23:21:54 strongswan NetworkManager[811]: <info>  [1685395314.8446] device (tun0): Activation: successful, device activated.
May 29 23:21:54 strongswan charon: 13[NET] using forecast interface ens160
May 29 23:21:54 strongswan charon: 13[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
May 29 23:21:54 strongswan charon-nm: 16[NET] using forecast interface ens160
May 29 23:21:54 strongswan charon-nm: 16[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
May 29 23:22:04 strongswan systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
May 29 23:22:29 strongswan charon-nm: 16[IKE] sending keep alive to 10.34.103.98[4500]

 

Troubleshooting:

 

Linux Client:

Check /var/log/syslog for any issues.

 


Example:

This is my ipsec.conf and strongswan.conf.

/etc/ipsec.conf

You don't need this file for the Network Manager to work. This is only an example for the CLI connect and for comparison with the values I entered into the Network Manager GUI above.

 

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

# Add connections here.
conn home
	auto=add
	type=tunnel
	leftfirewall=yes
	rightauth=pubkey
	leftauth=eap-gtc
	keyexchange=ikev2
	eap_identity=install
	left=%any
	leftsourceip=%config
	right=10.34.103.98
	rightid=192.168.0.1
	rightsubnet=0.0.0.0/0
	ike=aes256-sha256-modp2048
	esp=aes128-sha256
	ikelifetime=8h
	lifetime=1h
	reauth=yes
	rekey=yes
	margintime=1m
	rekeyfuzz=50%
	dpdaction=restart
	dpddelay=30s
	dpdtimeout=60s

 

/etc/strongswan.conf 

There are two sections, charon-nm is used by the Network Manager und charon is used for the CLI. For Network Manager to work, you only need charon-nm section. 

 

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files


charon-nm {
        load_modular = yes
        send_vendor_id = yes
        plugins {
                include strongswan.d/charon/*.conf
                attr {
                    dns = 192.168.0.21, 192.168.0.31
                }
        }

}

charon {
  	load_modular = yes
  	send_vendor_id = yes
  	plugins {
    		include strongswan.d/charon/*.conf
		attr {
	            dns = 192.168.0.21, 192.168.0.31
        	}
  	}

}
include strongswan.d/*.conf

 

 

(3)
Who rated this post