Can't connect to Azure Point-to-Site with certificate authentication using Strongswan.

Hi!

For work I’m trying to connect to Azure Point-to-Site with certificate authentication using Strongswan, but my connection always times out.
To create the connection I followed the official Microsoft guide for Ubuntu, which I already tried on an Ubuntu 18.04 VM in VirtualBox, and there the connection works flawlessly (it’s the only way I can work for now…).

In Tumbleweed the packages are not the same, but I have installed:

strongswan - 5.6.0
strongswan-ipsec - 5.6.0
strongswan-libs0 - 5.6.0
strongswan-nm - 5.6.0
NetworkManager-strongswan - 1.4.3
plasma-nm5-strongswan - 5.12

When I try to connect it says connecting and after a while disconnects. In NetworkManager I get the following output (sorry about the hidden gateway, IP and user/domain, but that is required by work):

mai 25 16:59:26 user.localhost NetworkManager[1487]: <info>  [1527263966.4961] audit: op="connection-activate" uuid="6e873f71-e4b1-4e03-8bce-bdffccf82c33" name="bostonP2S" pid=29981 uid=1000 result="success"
mai 25 16:59:26 user.localhost NetworkManager[1487]: <info>  [1527263966.5014] vpn-connection[0x564adf7e05b0,6e873f71-e4b1-4e03-8bce-bdffccf82c33,"bostonP2S",0]: Saw the service appear; activating connection
mai 25 16:59:26 user.localhost charon-nm[30496]: 05[CFG] received initiate for NetworkManager connection bostonP2S
mai 25 16:59:26 user.localhost charon-nm[30496]: 05[CFG] using CA certificate, gateway identity 'azuregateway-zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz-zzzzzzzzzzzz.cloudapp.net'
mai 25 16:59:26 user.localhost charon-nm[30496]: 05[IKE] initiating IKE_SA bostonP2S[6] to xx.xx.xx.xxx
mai 25 16:59:26 user.localhost charon-nm[30496]: 05[ENC] generating IKE_SA_INIT request 0  SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
mai 25 16:59:26 user.localhost charon-nm[30496]: 05[NET] sending packet: from 192.168.1.96[50659] to xx.xx.xx.xxx[500] (1082 bytes)
mai 25 16:59:26 user.localhost NetworkManager[1487]: <info>  [1527263966.5289] vpn-connection[0x564adf7e05b0,6e873f71-e4b1-4e03-8bce-bdffccf82c33,"bostonP2S",0]: VPN plugin: state changed: starting (3)
mai 25 16:59:26 user.localhost charon-nm[30496]: 14[NET] received packet: from xx.xx.xx.xxx[500] to 192.168.1.96[50659] (38 bytes)
mai 25 16:59:26 user.localhost charon-nm[30496]: 14[ENC] parsed IKE_SA_INIT response 0  N(INVAL_KE) ]
mai 25 16:59:26 user.localhost charon-nm[30496]: 14[IKE] peer didn't accept DH group ECP_256, it requested ECP_384
mai 25 16:59:26 user.localhost charon-nm[30496]: 14[IKE] initiating IKE_SA bostonP2S[6] to xx.xx.xx.xxx
mai 25 16:59:26 user.localhost charon-nm[30496]: 14[ENC] generating IKE_SA_INIT request 0  SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
mai 25 16:59:26 user.localhost charon-nm[30496]: 14[NET] sending packet: from 192.168.1.96[50659] to xx.xx.xx.xxx[500] (1114 bytes)
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[NET] received packet: from xx.xx.xx.xxx[500] to 192.168.1.96[50659] (357 bytes)
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[ENC] parsed IKE_SA_INIT response 0  SA KE No N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[IKE] received MS-Negotiation Discovery Capable vendor ID
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[IKE] local host is behind NAT, sending keep alives
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[IKE] received 1 cert requests for an unknown ca
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[IKE] authentication of 'CN=AIAzureP2SChildCert' (myself) with RSA signature successful
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[IKE] sending end entity cert "CN=AIAzureP2SChildCert"
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[IKE] establishing CHILD_SA bostonP2S{6}
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[ENC] generating IKE_AUTH request 1  IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[NET] sending packet: from 192.168.1.96[48536] to xx.xx.xx.xxx[4500] (1496 bytes)
mai 25 16:59:30 user.localhost charon-nm[30496]: 08[IKE] retransmit 1 of request with message ID 1
mai 25 16:59:30 user.localhost charon-nm[30496]: 08[NET] sending packet: from 192.168.1.96[48536] to xx.xx.xx.xxx[4500] (1496 bytes)
mai 25 16:59:32 user.localhost charon-nm[30496]: 09[NET] received unencrypted informational: from xx.xx.xx.xxx[500] to 192.168.1.96[50659]
mai 25 16:59:32 user.localhost charon-nm[30496]: 09[ENC] payload type NOTIFY was not encrypted
mai 25 16:59:32 user.localhost charon-nm[30496]: 09[ENC] could not decrypt payloads
mai 25 16:59:32 user.localhost charon-nm[30496]: 09[IKE] INFORMATIONAL request with message ID 0 processing failed
mai 25 16:59:38 user.localhost charon-nm[30496]: 10[IKE] retransmit 2 of request with message ID 1
mai 25 16:59:38 user.localhost charon-nm[30496]: 10[NET] sending packet: from 192.168.1.96[48536] to xx.xx.xx.xxx[4500] (1496 bytes)
mai 25 16:59:50 user.localhost charon-nm[30496]: 12[IKE] retransmit 3 of request with message ID 1
mai 25 16:59:50 user.localhost charon-nm[30496]: 12[NET] sending packet: from 192.168.1.96[48536] to xx.xx.xx.xxx[4500] (1496 bytes)
mai 25 17:00:10 user.localhost charon-nm[30496]: 14[IKE] sending keep alive to xx.xx.xx.xxx[4500]
mai 25 17:00:14 user.localhost charon-nm[30496]: 15[IKE] retransmit 4 of request with message ID 1
mai 25 17:00:14 user.localhost charon-nm[30496]: 15[NET] sending packet: from 192.168.1.96[48536] to xx.xx.xx.xxx[4500] (1496 bytes)
mai 25 17:00:26 user.localhost NetworkManager[1487]: <warn>  [1527264026.6327] vpn-connection[0x564adf7e05b0,6e873f71-e4b1-4e03-8bce-bdffccf82c33,"bostonP2S",0]: VPN connection: connect timeout exceeded.
mai 25 17:00:26 user.localhost charon-nm[30496]: Connect timer expired, disconnecting.
mai 25 17:00:26 user.localhost charon-nm[30496]: 01[IKE] destroying IKE_SA in state CONNECTING without notification
mai 25 17:00:26 user.localhost NetworkManager[1487]: <info>  [1527264026.6366] vpn-connection[0x564adf7e05b0,6e873f71-e4b1-4e03-8bce-bdffccf82c33,"bostonP2S",0]: VPN plugin: state changed: stopping (5)
mai 25 17:00:26 user.localhost NetworkManager[1487]: <warn>  [1527264026.6367] vpn-connection[0x564adf7e05b0,6e873f71-e4b1-4e03-8bce-bdffccf82c33,"bostonP2S",0]: VPN plugin: failed: login-failed (0)
mai 25 17:00:26 user.localhost NetworkManager[1487]: <info>  [1527264026.6369] vpn-connection[0x564adf7e05b0,6e873f71-e4b1-4e03-8bce-bdffccf82c33,"bostonP2S",0]: VPN plugin: state changed: stopped (6)

I appreciate any help!

Best regards,
André Pereira

My take on your posted output…
Your connection proceeds quite a while before it fails; the critical point is somewhere around

payload type NOTIFY was not encrypted

A search based on the above and “strongswan” suggests that maybe your IKE versions on server and client are mismatched. I suspect that the errors about being “not encrypted” may actually not be accurate; it may actually mean “not decryptable.” If you did a packet capture you could verify or refute my suspicion.

Maybe a long read through the many Internet search results will turn up more possible causes…

Good Luck,
TSU

Hi again!

After reading your response I did the packet capture, but my analysis skills are not the best, so before digging a lot into the capture I removed all strongSwan packages from my system, grabbed the latest strongSwan and NetworkManager strongSwan plugin, compiled and installed both, installed nm-applet because the NetworkManager strongSwan plugin compiles with GTK, and after a reboot just fired up nm-applet, tried to connect to the VPN, and it worked flawlessly.

For the sake of curiosity I will later try to figure out why I can’t connect with the official packages, but this thread is solved! lol!

Thank you so much for the help!

Glad to hear you got yourself working.

FYI -
My SOP for initial analysis (besides a quick skim of Wireshark)

Is to export the relevant log snippet (unless necessary, try to limit the amount of log data analyzed) to a spreadsheet,
Then you can sort the columns by simply clicking on the column headers.
This is useful for locating instances and long running patterns.

If I want to inspect whether something is encrypted or not,
Then in Wireshark simply locate the payload and click on it.
The pane to the right will display the contents of whatever you selected, if it’s easily read then it’s unencrypted. If it’s random characters, it’s encrypted.

Beyond that,
Deeper analysis depends on expertise.

HTH,
TSU
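As an added example (not code from the thread, nor from strongSwan or NetworkManager), here is a small Python script that does the first step of the SOP above on the charon-nm output from the original post: it parses each syslog line into columns (timestamp, host, process, charon thread and subsystem, message), exports them in CSV form for a spreadsheet, and then reconstructs the IKEv2 exchange to point at the symptom visible in the log. The sample input is a subset of the lines quoted in the first post, with the addresses masked exactly as they were there; the finding texts and field names are this example's own choices, not strongSwan terminology.

```python
"""Parse charon-nm / NetworkManager syslog lines and summarise the IKEv2 exchange."""
import csv
import io
import re
from collections import defaultdict

# Sample input: lines quoted from the thread above (addresses masked as in the post).
SAMPLE_LOG = """\
mai 25 16:59:26 user.localhost charon-nm[30496]: 05[IKE] initiating IKE_SA bostonP2S[6] to xx.xx.xx.xxx
mai 25 16:59:26 user.localhost charon-nm[30496]: 14[ENC] parsed IKE_SA_INIT response 0  N(INVAL_KE) ]
mai 25 16:59:26 user.localhost charon-nm[30496]: 14[IKE] peer didn't accept DH group ECP_256, it requested ECP_384
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[ENC] parsed IKE_SA_INIT response 0  SA KE No N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[IKE] local host is behind NAT, sending keep alives
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[IKE] authentication of 'CN=AIAzureP2SChildCert' (myself) with RSA signature successful
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[ENC] generating IKE_AUTH request 1  IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
mai 25 16:59:26 user.localhost charon-nm[30496]: 15[NET] sending packet: from 192.168.1.96[48536] to xx.xx.xx.xxx[4500] (1496 bytes)
mai 25 16:59:30 user.localhost charon-nm[30496]: 08[IKE] retransmit 1 of request with message ID 1
mai 25 16:59:32 user.localhost charon-nm[30496]: 09[NET] received unencrypted informational: from xx.xx.xx.xxx[500] to 192.168.1.96[50659]
mai 25 16:59:32 user.localhost charon-nm[30496]: 09[ENC] payload type NOTIFY was not encrypted
mai 25 16:59:32 user.localhost charon-nm[30496]: 09[ENC] could not decrypt payloads
mai 25 16:59:38 user.localhost charon-nm[30496]: 10[IKE] retransmit 2 of request with message ID 1
mai 25 16:59:50 user.localhost charon-nm[30496]: 12[IKE] retransmit 3 of request with message ID 1
mai 25 17:00:14 user.localhost charon-nm[30496]: 15[IKE] retransmit 4 of request with message ID 1
mai 25 17:00:26 user.localhost NetworkManager[1487]: <warn>  [1527264026.6327] vpn-connection[0x564adf7e05b0,6e873f71-e4b1-4e03-8bce-bdffccf82c33,"bostonP2S",0]: VPN connection: connect timeout exceeded.
mai 25 17:00:26 user.localhost charon-nm[30496]: 01[IKE] destroying IKE_SA in state CONNECTING without notification
"""

# Generic syslog shape: "<mon> <day> <time> <host> <process>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Za-z]+ +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# charon prefixes its own messages with "<thread>[<subsystem>] "
CHARON_RE = re.compile(r"^(?P<thread>\d\d)\[(?P<group>[A-Z]+)\] (?P<text>.*)$")
RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
RESPONSE_RE = re.compile(r"parsed (\w+) response (\d+)")
DH_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")


def parse_line(line):
    """Split one syslog line into columns; returns None for lines of another shape."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["thread"] = rec["group"] = None   # NetworkManager lines have no charon prefix
    rec["text"] = rec["msg"]
    c = CHARON_RE.match(rec["msg"])
    if c:
        rec.update(c.groupdict())
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def to_csv(records):
    """Spreadsheet-ready export of the parsed records, one column per field."""
    fields = ["ts", "host", "proc", "pid", "thread", "group", "text"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    w.writeheader()
    w.writerows(records)
    return buf.getvalue()


def summarize(records):
    """Track which IKE requests were answered and which were only retransmitted."""
    retransmits = defaultdict(int)   # message ID -> highest retransmit number seen
    answered = set()                 # message IDs for which a response was parsed
    summary = {"dh_requested": None, "unencrypted_informational": False,
               "local_auth_ok": False, "timed_out": False}
    for r in records:
        text = r["text"]
        if (m := RETRANSMIT_RE.search(text)):
            n, mid = int(m.group(1)), int(m.group(2))
            retransmits[mid] = max(retransmits[mid], n)
        elif (m := RESPONSE_RE.search(text)):
            answered.add(int(m.group(2)))
        elif (m := DH_RE.search(text)):
            summary["dh_requested"] = m.group(2)
        elif "unencrypted informational" in text:
            summary["unencrypted_informational"] = True
        elif "(myself)" in text and "successful" in text:
            summary["local_auth_ok"] = True
        elif "connect timeout exceeded" in text or "destroying IKE_SA in state CONNECTING" in text:
            summary["timed_out"] = True
    summary["retransmits"] = dict(retransmits)
    summary["unanswered_requests"] = sorted(mid for mid in retransmits if mid not in answered)
    return summary


def findings(summary):
    """Human-readable reading of the summary, in exchange order."""
    out = []
    if summary["dh_requested"]:
        out.append(f"IKE_SA_INIT was renegotiated: peer requested DH group "
                   f"{summary['dh_requested']} (INVAL_KE); this is normal, not the failure")
    if summary["local_auth_ok"]:
        out.append("local certificate authentication succeeded and the IKE_AUTH request was sent")
    for mid in summary["unanswered_requests"]:
        out.append(f"request with message ID {mid} was retransmitted "
                   f"{summary['retransmits'][mid]} times and never answered")
    if summary["unencrypted_informational"]:
        out.append("peer sent an unencrypted INFORMATIONAL notify on port 500 that charon could not decrypt")
    if summary["timed_out"]:
        out.append("connection timed out while still in state CONNECTING")
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in findings(summarize(recs)):
        print("-", f)
```

Run as-is it prints five findings for the quoted log: the INVAL_KE renegotiation is a normal part of IKE_SA_INIT, the local side authenticated and sent IKE_AUTH (message ID 1), but that request was retransmitted four times without a parsed response, while the gateway only sent back an INFORMATIONAL on UDP/500 that charon could not decrypt, and the connection then timed out in CONNECTING. That narrows the problem to the IKE_AUTH round trip (the UDP/4500 path after NAT detection and the peer's handling of the client's AUTH), which is where a packet capture is worth reading first; to use the script on your own journal output, feed the relevant `journalctl` snippet into parse_log instead of SAMPLE_LOG.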

Care to try building the package using this version? Briefly looking at the strongSwan package, it contains only two patches, so with great probability it will build OK. Then you could simply submit a request to pull it.