Algo: Issue Connecting with Xubuntu 17.10 Desktop

Created on 17 Feb 2018 · 5 Comments · Source: trailofbits/algo

OS / Environment

Ubuntu 17.10 XFCE Edition (Xubuntu)

Ansible version

2.4.2.0

Version of components from requirements.txt

msrestazure
setuptools>=11.3
ansible>=2.1,<2.2.1
dopy==0.3.5
boto>=2.5
boto3
azure=2.0.0r5
msrest=0.4.1
apache-libcloud
six
openssl
jinja==2.

Summary of the problem

When trying to perform sudo ipsec up conn-ikev2, it connects but DNS resolution appears not to be working.

Log output:

parsed IKE_AUTH response 1 [ EF(2/2) ]
received fragment #2 of 2, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
received end entity cert "CN=IP"
using certificate "CN=IP"
using trusted ca certificate "CN=IP"
checking certificate status of "CN=IP"
certificate status is not available
reached self-signed root ca with a path length of 0
authentication of 'IP' with ECDSA_WITH_SHA256_DER successful
IKE_SA ikev2-IP[3] established between 192.168.2.58[CN=user]...IP[IP]
adding DNS server failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
installing new virtual IP 10.19.48.16
CHILD_SA ikev2-IP{3} established with SPIs cf0ae3a8_i c791476c_o and TS 10.19.48.16/32 === 0.0.0.0/0
connection 'ikev2-IP' established successfully

Wondering if the INTERNAL_IP4_DNS and/or adding DNS server failure is the problem.
Tried installing resolvconf and other plugins in the desktop but nothing seemed to work.

Output of /etc/resolv.conf

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.
nameserver 127.0.0.53

Steps to reproduce the behavior

Install Xubuntu 17.10

The way of deployment (cloud or local)

Cloud

All 5 comments

I'm having the exact same issue (getting adding DNS server failed and handling INTERNAL_IP4_DNS attribute failed). And, of course, I cannot resolve any name.

My strongswan client is running on Kubuntu 18.04. This is the log I get when I run sudo ipsec up ikev2-xxx.xxx.xxx.xxx (I'll be using xxx.xxx.xxx.xxx as a placeholder for my IP address):

initiating IKE_SA ikev2-xxx.xxx.xxx.xxx[3] to xxx.xxx.xxx.xxx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.0.25[500] to xxx.xxx.xxx.xxx[500] (382 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.25[500] (319 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "CN=xxx.xxx.xxx.xxx"
sending cert request for "CN=xxx.xxx.xxx.xxx"
authentication of 'CN=username' (myself) with ECDSA_WITH_SHA384_DER successful
sending end entity cert "CN=username"
establishing CHILD_SA ikev2-xxx.xxx.xxx.xxx{3}
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.168.0.25[4500] to xxx.xxx.xxx.xxx[4500] (1022 bytes)
received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.25[4500] (935 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "CN=xxx.xxx.xxx.xxx"
  using certificate "CN=xxx.xxx.xxx.xxx"
  using trusted ca certificate "CN=xxx.xxx.xxx.xxx"
checking certificate status of "CN=xxx.xxx.xxx.xxx"
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'xxx.xxx.xxx.xxx' with ECDSA_WITH_SHA384_DER successful
IKE_SA ikev2-xxx.xxx.xxx.xxx[3] established between 192.168.0.25[CN=rodrigo.serrano]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
adding DNS server failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
installing new virtual IP 10.19.48.1
CHILD_SA ikev2-xxx.xxx.xxx.xxx{3} established with SPIs c55d24e2_i ce63e6ea_o and TS 10.19.48.1/32 === 0.0.0.0/0
connection 'ikev2-xxx.xxx.xxx.xxx' established successfully

This is the info regarding my Algo instance:

Algo running on: Ubuntu 18.04.2 LTS
ZIP file created: 2019-02-08 13:34:01.000000000 +0100
Python 2.7.15rc1
Runtime variables:
    algo_provider "ec2"
    algo_ondemand_cellular "False"
    algo_ondemand_wifi "False"
    algo_ondemand_wifi_exclude "X251bGw="
    algo_local_dns "True"
    algo_ssh_tunneling "True"
    algo_windows "True"
    wireguard_enabled "True"
    dns_encryption "True"

Could you, please, try to install resolvconf and see what happens then?

sudo apt install resolvconf

and also check if the resolve plugin is loaded here /etc/strongswan.d/charon/resolve.conf

It worked for me, everything working now (the log now says installing DNS server 172.16.0.1 via resolvconf instead of the previous errors).

May I suggest adding resolvconf to the documentation in the Ubuntu Server 18.04 example?

@jrodrigosm Was the resolve plugin enabled in /etc/strongswan.d/charon/resolve.conf? I'm curious because StrongSwan should actually use this plugin if resolvconf is missing in the system.
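
The checks suggested in the comments above (is resolvconf installed, is the resolve plugin loaded, what does the ipsec up output say about the pushed DNS servers), gathered into one read-only script. This is an added example, not part of the original thread or of Algo or strongSwan; the function names and sample log are constructed for illustration, and the "load = yes" test assumes the usual strongswan.d plugin snippet layout.

```shell
#!/bin/sh
# Added example: triage of the "adding DNS server failed" symptom from this thread.
# Function names are hypothetical; the sample log is constructed from lines quoted above.

# Classify `ipsec up` output on stdin: did charon install the pushed DNS servers?
dns_install_status() {
    awk '
        /adding DNS server failed|handling INTERNAL_IP4_DNS attribute failed/ { failed = 1 }
        /installing DNS server .* via resolvconf/ { ok = 1 }
        END {
            if (failed)  print "failed"
            else if (ok) print "installed"
            else         print "no-dns-attribute"
        }'
}

# Succeed if the plugin snippet at $1 has an uncommented "load = yes" (assumed layout).
resolve_plugin_loaded() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*load[[:space:]]*=[[:space:]]*yes' "$1"
}

# Succeed if the resolv.conf at $1 points at the systemd-resolved stub resolver.
uses_resolved_stub() {
    [ -r "$1" ] && grep -Eq '^nameserver[[:space:]]+127\.0\.0\.53' "$1"
}

# Constructed sample mirroring the failing log in the report.
sample_failed_log() {
    cat <<'EOF'
IKE_SA ikev2-IP[3] established between 192.168.2.58[CN=user]...IP[IP]
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
installing new virtual IP 10.19.48.16
EOF
}

# Live, read-only report for the client this runs on (paths as named in the thread).
report() {
    command -v resolvconf >/dev/null 2>&1 && echo "resolvconf: present" || echo "resolvconf: missing"
    resolve_plugin_loaded /etc/strongswan.d/charon/resolve.conf \
        && echo "resolve plugin: load = yes" || echo "resolve plugin: not enabled or file absent"
    uses_resolved_stub /etc/resolv.conf \
        && echo "resolv.conf: systemd-resolved stub" || echo "resolv.conf: not the stub"
    echo "sample log verdict: $(sample_failed_log | dns_install_status)"
}
report
```

To classify a real session instead of the sample, pipe the output of sudo ipsec up for the connection into dns_install_status.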
