On my Ubuntu 24.04.2 system, I am trying to bring up an IPsec VPN tunnel network interface via the GDM network settings GUI.
The settings GUI is provided by the strongSwan plugin.
I have tried many different combinations of the client settings but all of them fail to activate.
There seem to be a number of problems.
1. 24.04 uses Netplan to store the configuration data (YAML). This is rendered into a runtime configuration for NetworkManager. This configuration is not saved over NetworkManager restarts, so any changes via nmcli are lost.
2. The strongSwan plugin provides a very limited GUI.
I can successfully connect to the VPN server from a strongSwan Android client.
Here is a diff between a bad IKE_SA_INIT (<) and a good one (>).
1,4c1,4
< Frame 1: 1014 bytes on wire (8112 bits), 1014 bytes captured (8112 bits)
< Ethernet II, Src: MicroStarINT_91:5e:c5 (d8:bb:c1:91:5e:c5), Dst: FireBrick_69:b0:09 (00:03:97:69:b0:09)
< Internet Protocol Version 4, Src: 10.151.0.2, Dst: 217.169.13.4
< User Datagram Protocol, Src Port: 56549, Dst Port: 500
---
> Frame 1: 990 bytes on wire (7920 bits), 990 bytes captured (7920 bits)
> Ethernet II, Src: 22:51:39:1e:38:31 (22:51:39:1e:38:31), Dst: FireBrick_69:b0:09 (00:03:97:69:b0:09)
> Internet Protocol Version 4, Src: 10.151.0.120, Dst: 217.169.13.4
> User Datagram Protocol, Src Port: 39718, Dst Port: 500
6c6
< Initiator SPI: df1e1434313247d5
---
> Initiator SPI: 155a46f2ec3c2ff5
18c18
< Length: 972
---
> Length: 948
23c23
< Payload length: 748
---
> Payload length: 724
27c27
< Payload length: 360
---
> Payload length: 344
31c31
< Proposal transforms: 38
---
> Proposal transforms: 36
210,217c210
< Transform ID (INTEG): AUTH_AES_XCBC_96 (5)
< Payload: Transform (3)
< Next payload: Transform (3)
< Reserved: 00
< Payload length: 8
< Transform Type: Integrity Algorithm (INTEG) (3)
< Reserved: 00
< Transform ID (INTEG): AUTH_AES_CMAC_96 (8)
---
> Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
224c217
< Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
---
> Transform ID (INTEG): AUTH_AES_XCBC_96 (5)
259,265d251
< Transform ID (PRF): PRF_AES128_CMAC6 (8)
< Payload: Transform (3)
< Next payload: Transform (3)
< Reserved: 00
< Payload length: 8
< Transform Type: Pseudo-random Function (PRF) (2)
< Reserved: 00
361c347
< Payload length: 384
---
> Payload length: 376
365c351
< Proposal transforms: 38
---
> Proposal transforms: 37
372c358
< Transform ID (ENCR): ENCR-AES-CCM_16 (16)
---
> Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
384c370
< Transform ID (ENCR): ENCR-AES-CCM_16 (16)
---
> Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
396c382
< Transform ID (ENCR): ENCR-AES-CCM_16 (16)
---
> Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
408c394
< Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
---
> Transform ID (ENCR): ENCR-AES-CCM_16 (16)
420c406
< Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
---
> Transform ID (ENCR): ENCR-AES-CCM_16 (16)
432c418
< Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
---
> Transform ID (ENCR): ENCR-AES-CCM_16 (16)
451c437
< Transform ID (ENCR): ENCR_AES-CCM_8 (14)
---
> Transform ID (ENCR): AES-GCM with a 12 octet ICV (19)
463c449
< Transform ID (ENCR): ENCR_AES-CCM_8 (14)
---
> Transform ID (ENCR): AES-GCM with a 12 octet ICV (19)
475c461
< Transform ID (ENCR): ENCR_AES-CCM_8 (14)
---
> Transform ID (ENCR): AES-GCM with a 12 octet ICV (19)
487c473
< Transform ID (ENCR): ENCR-AES-CCM_12 (15)
---
> Transform ID (ENCR): AES-GCM with a 8 octet ICV (18)
499c485
< Transform ID (ENCR): ENCR-AES-CCM_12 (15)
---
> Transform ID (ENCR): AES-GCM with a 8 octet ICV (18)
511c497
< Transform ID (ENCR): ENCR-AES-CCM_12 (15)
---
> Transform ID (ENCR): AES-GCM with a 8 octet ICV (18)
523c509
< Transform ID (ENCR): AES-GCM with a 8 octet ICV (18)
---
> Transform ID (ENCR): ENCR-AES-CCM_12 (15)
535c521
< Transform ID (ENCR): AES-GCM with a 8 octet ICV (18)
---
> Transform ID (ENCR): ENCR-AES-CCM_12 (15)
547c533
< Transform ID (ENCR): AES-GCM with a 8 octet ICV (18)
---
> Transform ID (ENCR): ENCR-AES-CCM_12 (15)
559c545
< Transform ID (ENCR): AES-GCM with a 12 octet ICV (19)
---
> Transform ID (ENCR): ENCR_AES-CCM_8 (14)
571c557
< Transform ID (ENCR): AES-GCM with a 12 octet ICV (19)
---
> Transform ID (ENCR): ENCR_AES-CCM_8 (14)
583c569
< Transform ID (ENCR): AES-GCM with a 12 octet ICV (19)
---
> Transform ID (ENCR): ENCR_AES-CCM_8 (14)
623,629d608
< Transform ID (PRF): PRF_AES128_CMAC6 (8)
< Payload: Transform (3)
< Next payload: Transform (3)
< Reserved: 00
< Payload length: 8
< Transform Type: Pseudo-random Function (PRF) (2)
< Reserved: 00
729c708
< Key Exchange Data: 6db5ec080d10a3184b99fc262a19937ad9056d7c090684f5fbfcad2fa63fdf3cd7ac50697e7aa05720c76fc26662072430b6b36cce6f5da0f3980f39da3b1c04
---
> Key Exchange Data: 3b4797884a33603e7575696e64e9496936248251bc246f867cebba4609d515141fa1d5e6586a883da566d21b362830555a7dff171aa281ba8cd6c362f1007dd4
735c714
< Nonce DATA: 43d49be886379b7079aa532510d56a77438b0356a827d754c8e543491d462f90
---
> Nonce DATA: 3024f15895503ff9fa5db63b0f79fa44fde2d44311bc6c3f390948e13143c93d
744c723
< Notification DATA: 8ef81364d2f5f38ea040667ebc1414ef89067921
---
> Notification DATA: cfe73331e37a96d2d98d230240f51bb0b18caab5
753c732
< Notification DATA: adeb04af7662e90de5d010e963ad1956f7be76f3
---
> Notification DATA: dd3ea1d31c6ca083445d707198ddeeb3e4ee1ab4
Does anyone have any ideas on how I can fix this?
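
Added example (not part of the original post): most hunks in the line-by-line diff above come from the same transforms appearing in a different order, so this sketch compares the two dissections as sets per proposal and transform type, leaving only the transforms that one side offers and the other does not. The sample text is constructed from transform names in the diff, and the "Proposal number: N" header line is an assumption about the dissector output.

```python
import re
from collections import defaultdict

# Dissector lines look like "Transform ID (INTEG): AUTH_AES_XCBC_96 (5)".
TRANSFORM_RE = re.compile(r"Transform ID \((\w+)\): (.+?) \((\d+)\)\s*$")
# Assumption: each proposal starts with a "Proposal number: N" line.
PROPOSAL_RE = re.compile(r"Proposal number: (\d+)")

# Constructed, shortened samples; transform names are taken from the diff above.
BAD = """Proposal number: 1
Transform ID (INTEG): AUTH_AES_XCBC_96 (5)
Transform ID (INTEG): AUTH_AES_CMAC_96 (8)
Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
Transform ID (PRF): PRF_AES128_CMAC6 (8)
Proposal number: 2
Transform ID (ENCR): ENCR-AES-CCM_16 (16)
Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
Transform ID (PRF): PRF_AES128_CMAC6 (8)
"""
GOOD = """Proposal number: 1
Transform ID (INTEG): AUTH_HMAC_SHA1_96 (2)
Transform ID (INTEG): AUTH_AES_XCBC_96 (5)
Proposal number: 2
Transform ID (ENCR): AES-GCM with a 16 octet ICV (20)
Transform ID (ENCR): ENCR-AES-CCM_16 (16)
"""

def parse_proposals(dissection):
    """Return {proposal: {transform_type: {(id, name), ...}}}."""
    proposals = defaultdict(lambda: defaultdict(set))
    current = 0  # transforms seen before any proposal header land under 0
    for line in dissection.splitlines():
        if m := PROPOSAL_RE.search(line):
            current = int(m.group(1))
        elif m := TRANSFORM_RE.search(line):
            proposals[current][m.group(1)].add((int(m.group(3)), m.group(2)))
    return proposals

def compare(bad, good):
    """Per (proposal, type): transforms only in bad, only in good; order ignored."""
    a, b = parse_proposals(bad), parse_proposals(good)
    report = {}
    for prop in sorted(set(a) | set(b)):
        for ttype in sorted(set(a[prop]) | set(b[prop])):
            only_bad = sorted(a[prop][ttype] - b[prop][ttype])
            only_good = sorted(b[prop][ttype] - a[prop][ttype])
            if only_bad or only_good:
                report[(prop, ttype)] = (only_bad, only_good)
    return report

if __name__ == "__main__":
    for key, (only_bad, only_good) in compare(BAD, GOOD).items():
        print(key, "only in bad:", only_bad, "only in good:", only_good)
```

The regular expressions use `search`, so lines that still carry the `<` or `>` markers from diff output parse the same way as a plain text export of each packet.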