
I've followed this tutorial to set up a StrongSwan VPN server, with the exceptions that I was using Debian 9, and that I used certs I already had from Let's Encrypt instead of standing up a CA. However, I still cannot connect to the VPN server. When I try to use the built-in Windows 10 VPN client, it gives an error that

The network connection between your computer could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which devices may be causing the problem.

I tried connecting my computer directly to the server without any intervening device, and could successfully ping it but still could not connect to the VPN. Furthermore, ufw is set to allow the required ports, 500 and 4500, and nmap -sU -p 500 [VPN server IP] confirmed that the ports were open to UDP packets.

Setting the logging level to maximum, I didn't recognize any errors or warnings except a couple of lines that said

Aug 13 17:28:16 vpn ipsec[2733]: 14[IKE] EAP-Identity request configured, but not supported
Aug 13 17:28:16 vpn ipsec[2733]: 14[IKE] loading EAP_MSCHAPV2 method failed

I can't figure out what else might be the problem, so I guess that it has to be related to those lines. What can I do to fix that?

3 Answers


EAP-Identity support is provided by the eap-identity plugin; for EAP-MSCHAPv2 you need the eap-mschapv2 plugin.

On Debian they are both provided by the libcharon-extra-plugins package.

$ apt-file search eap-identity
libcharon-extra-plugins: /usr/lib/ipsec/plugins/libstrongswan-eap-identity.so
grawity

Apparently the Debian package doesn't include the required plugins for the Windows 10 client. I had to uninstall the package, then download and compile StrongSwan myself. Uninstalling the package left some files behind. I had to remove /usr/lib/ipsec/ and recompile because the new install was segfaulting while accessing files from the old install that were located there. However, the other files that were left behind (particularly in /etc) seem to work, or at least not cause any problems.

When compiling StrongSwan, I used the command ./configure --prefix=/usr --sysconfdir=/etc --enable-eap-identity --enable-eap-mschapv2 --enable-md4

In addition, according to this, Windows tries to use the 1024-bit Diffie-Hellman group by default, and you can either get StrongSwan to offer the 1024-bit DH group, or you can set a registry key on Windows to make it accept the 2048-bit DH group. I couldn't find documentation for the former, so I went with the latter instead.

Finally, the Let's Encrypt certificate did work. To use it, place your active cert.pem in /etc/ipsec.d/certs/ and your active chain.pem in /etc/ipsec.d/cacerts/.


Aug 13 17:28:16 vpn ipsec[2733]: 14[IKE] EAP-Identity request configured, but not supported
Aug 13 17:28:16 vpn ipsec[2733]: 14[IKE] loading EAP_MSCHAPV2 method failed

The first line is due to the missing eap-identity plugin, as answered by grawity. The second line is due to the missing eap-mschapv2 plugin. This plugin requires the gcrypt plugin to work. The latter can be found in libstrongswan-extra-plugins.

So you need to:

apt install libcharon-extra-plugins libstrongswan-extra-plugins
Davor Josipovic
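A way to verify the fix from the three answers above before retrying the Windows client, as an added example that is not part of this thread: it reads the "loaded plugins:" line of `ipsec statusall` and reports which of the plugins the EAP-MSCHAPv2 setup needs are missing, naming the Debian packages the answers give. The sample status text is constructed; the thread names md4 and gcrypt as MD4 providers, and treating the openssl plugin as a third one is my assumption.

```shell
#!/bin/sh
# Added example (not from the thread): check charon's loaded plugins against
# what the Windows 10 IKEv2 / EAP-MSCHAPv2 setup needs.

# Constructed sample of `ipsec statusall` output; only the "loaded plugins:"
# line matters to the functions below.
SAMPLE_STATUS='Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0):
  uptime: 2 minutes, since Aug 13 17:26:10 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0
  loaded plugins: charon aes des sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pem gmp hmac kernel-netlink socket-default stroke updown
Listening IP addresses:
  192.0.2.10
Connections:'

# loaded_plugins STATUS_TEXT -> plugin names from the "loaded plugins:" line, one per line
loaded_plugins() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*loaded plugins:[[:space:]]*//p' | tr ' ' '\n'
}

# has_plugin STATUS_TEXT NAME -> exit status 0 if charon loaded NAME
has_plugin() {
    loaded_plugins "$1" | grep -qx "$2"
}

# missing_for_windows STATUS_TEXT -> one "plugin (package)" line per missing item
missing_for_windows() {
    status="$1"
    # "EAP-Identity request configured, but not supported" -> eap-identity
    has_plugin "$status" eap-identity || echo "eap-identity (libcharon-extra-plugins)"
    # "loading EAP_MSCHAPV2 method failed" -> eap-mschapv2
    has_plugin "$status" eap-mschapv2 || echo "eap-mschapv2 (libcharon-extra-plugins)"
    # EAP-MSCHAPv2 also needs an MD4 hasher: the md4 plugin (--enable-md4) or gcrypt
    # per the answers; counting openssl as a provider is an assumption of this example.
    if ! has_plugin "$status" md4 && ! has_plugin "$status" gcrypt && ! has_plugin "$status" openssl; then
        echo "MD4 provider (md4, gcrypt from libstrongswan-extra-plugins, or openssl)"
    fi
}

# Run against the constructed sample; on a real host pipe `ipsec statusall` in instead.
missing_for_windows "$SAMPLE_STATUS"
```

On a live server replace SAMPLE_STATUS with `missing_for_windows "$(ipsec statusall)"`; an empty result means all three requirements are loaded and the remaining suspects are the DH group and certificate placement discussed above.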