
Debian 9, Xfce, Network Manager, strongSwan and UniFi VPN



debian-user:

I have an AT&T residential gateway that provides the DMZ 192.168.1.0/24. The gateway has DMZ address 192.168.1.254.


I have a Ubiquiti Networks UniFi Security Gateway (USG) whose upstream port is connected to the DMZ and has address 192.168.1.133. The USG provides the LAN 192.168.5.0/24 and has address 192.158.5.1.


I have created a RADIUS account 'dpchrist' in the UniFi Controller.


I have configured a VPN network in the UniFi Controller:

    Name		remote-access
    VPN Type		L2TP Server
    Pre-Shared Key	********************
    Gateway/Subnet	172.16.5.1/29
    Name Server		Auto
    WINS Server		unchecked
    Site-to-Site VPN	unchecked

    RADIUS Profile	Default
    MS-CHAP v2		Require MS-CHAP v2


I have a Debian 9 laptop with Xfce. I have attached the laptop to the DMZ at address 192.168.1.144. The laptop can ping the AT&T gateway, can ping the USG, and can connect to the Internet via the AT&T gateway.


I would like to connect the laptop on the DMZ to the LAN using Network Manager and strongSwan VPN.


STFW I found:


https://www.bestvpnz.com/tutorials/how-to-set-up-l2tp-ipsec-vpn-on-linux-networkmanager-strongswan/


I have installed the following packages on the laptop:

    openvpn
    network-manager-openvpn-gnome
    network-manager-strongswan
    xl2tpd
    strongswan


I have put the pre-shared key into a file in my home directory in the laptop:

    l2tp-key


I have created a VPN connection in the laptop:

    Xfce Applications Menu -> Settings -> Network Connections -> Add:

      Choose a Connection Type          IPsec/IKEv2 (strongswan)
      Create...

        Connection Name                 192.168.1.133

        VPN
          Gateway
            Address                     192.168.1.133
            Certificate                 l2tp-key
          Client
            Authentication              Pre-shared key
            Username                    dpchrist
            Password
              -> Store the password only for this user
                                        ********************

          Options
            Request an inner IP address checked
            Enforce UDP encapsulation   checked
            Use IP compression          checked


When I select Xfce Panel -> Notification Area -> NetworkManager Applet -> VPN Connections -> 192.168.1.133, I get a pop-up that says:

        VPN Connection Failed

        The VPN connection "192.168.1.133" failed because the VPN
        service failed to start.


There are clues in the messages log:

        2020-02-04 20:44:30 root@tinkywinky ~
        # tail -n 4 /var/log/messages
        Feb 4 20:43:42 tinkywinky NetworkManager[537]: <info> [1580877822.3516] audit: op="connection-activate" uuid="4f2c0009-5392-4001-a090-adb11d5977a8" name="192.168.1.133" pid=1210 uid=13250 result="success"
        Feb 4 20:43:42 tinkywinky NetworkManager[537]: <info> [1580877822.3549] vpn-connection[0x563d18544800,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]: Saw the service appear; activating connection
        Feb 4 20:43:42 tinkywinky NetworkManager[537]: <info> [1580877822.4545] vpn-connection[0x563d18544800,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]: VPN connection: (ConnectInteractive) reply received
        Feb 4 20:43:42 tinkywinky NetworkManager[537]: <warn> [1580877822.4593] vpn-connection[0x563d18544800,4f2c0009-5392-4001-a090-adb11d5977a8,"192.168.1.133",0]: VPN connection: failed to connect: 'Loading gateway certificate failed.'


STFW I found my own posts from ~6 months ago with these same issues. I fumbled around and eventually got it working, but have no recollection or understanding of how or why. I have not touched the UniFi settings since then. The laptop has a fresh install of Debian 9.


Suggestions?


David

