Azure-docs: Ubuntu 18.04 VPN Connection fails

To try and rule out anything odd I've recreated a new set of certs following this process and retried but still no joy.

@lawrencegripper , The error description for 13806 is "ERROR_IPSEC_IKE_NO_CERT | IKE failed to find valid machine certificate. Contact your Network Security Administrator about installing a valid certificate in the appropriate Certificate Store."

• Select tunnel type as SSTP in the P2S settings
• Reinstalled the VPN client

Let me know if this works for you

This is running on a Ubuntu 18.04 install, should I re-install the strongswan packages? I don't believe Ubuntu has support for SSTP in the main set of repositories, I am attempting to connect with IKE2.

My /etc/ipsec.conf file is as follows, certs are placed in the right location (I hope checked this a fair few times but still might have an issue here).

conn azure
  keyexchange=ikev2
  type=tunnel
  leftfirewall=yes
  left=%any
  leftid=%client
  leftauth=eap-tls
  right=azuregateway-GUIDREMOVED.vpn.azure.com # Azure VPN gateway address
  rightid=%azuregateway-GUIDREMOVED.vpn.azure.com
  rightsubnet=0.0.0.0/0
  leftsourceip=%config
  auto=add

Is that error returned by the server as the certificate presented isn't valid?

After re-checking certs I do see the two certificates (CA for the VPN server and client certificate) mentioned in the logs.

17:41 $ sudo ipsec up azure
initiating IKE_SA azure[20] to 51.145.00.000
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.0.1.185[500] to 51.145.00.000[500] (656 bytes)
received packet: from 51.145.00.000[500] to 10.0.1.185[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group CURVE_25519, it requested MODP_2048
initiating IKE_SA azure[20] to 51.145.00.000
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.0.1.185[500] to 51.145.00.000[500] (880 bytes)
received packet: from 51.145.00.000[500] to 10.0.1.185[500] (545 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
received MS NT5 ISAKMPOAKLEY v9 vendor ID
received MS-Negotiation Discovery Capable vendor ID
local host is behind NAT, sending keep alives
received cert request for "CN=VPN CA"
received 1 cert requests for an unknown ca
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
sending cert request for "CN=VPN CA"
sending cert request for "CN=VPN CA"
establishing CHILD_SA azure{10}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.0.1.185[4500] to 51.145.00.000[4500] (360 bytes)
received packet: from 51.145.00.000[4500] to 10.0.1.185[4500] (88 bytes)
parsed IKE_AUTH response 1 [ N(MS_STATUS(13806)) ]
received MS_NOTIFY_STATUS notify error
establishing connection 'azure' failed

@lawrencegripper , Can you post your issue in MSDN or StackOverflow ?

This forum is used to enhance the documentation and your query seems to be more specific to your environment.

It's an interesting line to draw.

At what point is this an problem an issue with the docs? Currently it looks like the setup guide gives incorrect certificate configuration instructions or a least a bit muddled and that's why I see the issue but I'm not able to 100% validate. If I can reproduce this with a brand new Ubuntu 18.04 machine does this then become a docs issue?

Specifically regarding the docs it's not clear how the following relates to the setup.

https://github.com/MicrosoftDocs/azure-docs/blame/master/articles/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert.md#L182

This looks like it requires the certificates to have been created following this guide: https://github.com/MicrosoftDocs/azure-docs/blame/ba035bfe9fab85dd1e6134a98af1ad7cf6891033/includes/vpn-gateway-strongswan-certificates-include.md#L55

If the certs have been generated using one of the other guides then it looks like these will always fail as the CommonName is set as follows New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert. I think this would mean these certs would never work as the %client line in the linux setup looks like it has to match the CommonName set on the self signed certificate. Can the author of the LinuxCLI guide confirm this?

This flow is fairly common as a Windows based Admin might setup a VPN then issue certificates to a Linux user to connect.

@msrini-MSFT

@cherylmc, can you add your comment here?

Sure - which article could use a note saying that if you are installing on a Linux client, you must create the certificate using the Linux steps? (Just making sure I understand what is being asked)

Hi- can you confirm that certificates for Linux clients must be generated using a Linux computer? If so, I will update the documentation to reflect that. @msrini-MSFT

Nope I don't think that certs need to be generated with a Linux computer but I do think the CommonName used when generating has to be updated on the %client line of the config when using the CLI path to match the CommonName of the certificate.

I haven't been able to test this further as I went back to using the GUI based setup and managed to get this working.

Were you able to set it up? @cherylmc @lawrencegripper @msrini-MSFT

I seem to have the same issue:

$ sudo ipsec up azure
initiating IKE_SA azure[1] to X.X.X.X
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.100.102.4[500] to X.X.X.X[500] (726 bytes)
received packet: from X.X.X.X[500] to 10.100.102.4[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group ECP_256, it requested MODP_2048
initiating IKE_SA azure[1] to X.X.X.X
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.100.102.4[500] to X.X.X.X[500] (918 bytes)
received packet: from X.X.X.X[500] to 10.100.102.4[500] (517 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
received MS NT5 ISAKMPOAKLEY v9 vendor ID
received MS-Negotiation Discovery Capable vendor ID
local host is behind NAT, sending keep alives
received cert request for "CN=VPN CA"
sending cert request for "CN=VPN CA"
sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
establishing CHILD_SA azure{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.100.102.4[4500] to X.X.X.X[4500] (339 bytes)
received packet: from X.X.X.X[4500] to 10.100.102.4[4500] (1276 bytes)
parsed IKE_AUTH response 1 [ EF(1/3) ]
received fragment #1 of 3, waiting for complete IKE message
received packet: from X.X.X.X[4500] to 10.100.102.4[4500] (1276 bytes)
parsed IKE_AUTH response 1 [ EF(2/3) ]
received fragment #2 of 3, waiting for complete IKE message
received packet: from X.X.X.X[4500] to 10.100.102.4[4500] (1132 bytes)
parsed IKE_AUTH response 1 [ EF(3/3) ]
received fragment #3 of 3, reassembling fragmented IKE message
parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
received end entity cert "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=EDITED.vpn.azure.com"
received issuer cert "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  using certificate "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=EDITED.vpn.azure.com"
  using untrusted intermediate certificate "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
checking certificate status of "C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=EDITED.vpn.azure.com"
  requesting ocsp status from 'http://ocsp.digicert.com' ...
unable to fetch from http://ocsp.digicert.com, no capable fetcher found
ocsp request to http://ocsp.digicert.com failed
ocsp check failed, fallback to crl
  fetching crl from 'http://crl3.digicert.com/ssca-sha2-g6.crl' ...
unable to fetch from http://crl3.digicert.com/ssca-sha2-g6.crl, no capable fetcher found
crl fetching failed
  fetching crl from 'http://crl4.digicert.com/ssca-sha2-g6.crl' ...
unable to fetch from http://crl4.digicert.com/ssca-sha2-g6.crl, no capable fetcher found
crl fetching failed
certificate status is not available
  using trusted ca certificate "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
checking certificate status of "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
  requesting ocsp status from 'http://ocsp.digicert.com' ...
unable to fetch from http://ocsp.digicert.com, no capable fetcher found
ocsp request to http://ocsp.digicert.com failed
ocsp check failed, fallback to crl
  fetching crl from 'http://crl3.digicert.com/DigiCertGlobalRootCA.crl' ...
unable to fetch from http://crl3.digicert.com/DigiCertGlobalRootCA.crl, no capable fetcher found
crl fetching failed
  fetching crl from 'http://crl4.digicert.com/DigiCertGlobalRootCA.crl' ...
unable to fetch from http://crl4.digicert.com/DigiCertGlobalRootCA.crl, no capable fetcher found
crl fetching failed
certificate status is not available
certificate policy 2.16.840.1.114412.1.1 for 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=EDITED.vpn.azure.com' not allowed by trustchain, ignored
certificate policy 2.23.140.1.2.2 for 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=EDITED.vpn.azure.com' not allowed by trustchain, ignored
  reached self-signed root ca with a path length of 1
authentication of 'C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=EDITED.vpn.azure.com' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'xavier001'
EAP_IDENTITY not supported, sending EAP_NAK
generating IKE_AUTH request 2 [ EAP/RES/NAK ]
sending packet: from 10.100.102.4[4500] to X.X.X.X[4500] (67 bytes)
received packet: from X.X.X.X[4500] to 10.100.102.4[4500] (72 bytes)
parsed IKE_AUTH response 2 [ N(MS_STATUS(1244)) ]
received MS_NOTIFY_STATUS notify error
establishing connection 'azure' failed

$ cat /etc/ipsec.conf

conn azure
    keyexchange=ikev2
    type=tunnel
    leftfirewall=yes
    left=%any
    leftauth=eap-tls
    leftid=%xavier001 # use the DNS alternative name prefixed with the %
    right=azuregateway-EDITED.vpn.azure.com
    rightid=%azuregateway-EDITED.vpn.azure.com
    rightsubnet=0.0.0.0/0
    leftsourceip=%config
    auto=add

$ sudo cat /etc/ipsec.secrets
: P12 xavier001.p12 'pass' # key filename inside /etc/ipsec.d/private directory

$ ls -la /etc/ipsec.d/private/
-rw-------  1 root   root   3157 Jul 26 03:11 xavier001.p12

$ ls -la /etc/ipsec.d/cacerts/
-rw-rw-r--  1 root root  947 Jul 26 02:51 VpnServerRoot.cer

$ sudo apt list --installed | grep strongswan

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libstrongswan/bionic-updates,now 5.6.2-1ubuntu2.4 arm64 [installed,automatic]
libstrongswan-standard-plugins/bionic-updates,now 5.6.2-1ubuntu2.4 arm64 [installed]
strongswan/bionic-updates,now 5.6.2-1ubuntu2.4 all [installed,automatic]
strongswan-charon/bionic-updates,now 5.6.2-1ubuntu2.4 arm64 [installed,automatic]
strongswan-libcharon/bionic-updates,now 5.6.2-1ubuntu2.4 arm64 [installed,automatic]
strongswan-pki/bionic-updates,now 5.6.2-1ubuntu2.4 arm64 [installed]
strongswan-starter/bionic-updates,now 5.6.2-1ubuntu2.4 arm64 [installed,automatic]
strongswan-swanctl/bionic-updates,now 5.6.2-1ubuntu2.4 arm64 [installed]

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.2 LTS
Release:    18.04
Codename:   bionic

$ uname -a
Linux nvidia-desktop 4.9.140-tegra #1 SMP PREEMPT Tue Jul 16 17:09:53 PDT 2019 aarch64 aarch64 aarch64 GNU/Linux

Any idea?

Nope I didn't have any luck getting the non-gui instructions working, sorry :(

@anzaman , Can you take a look at this issue?

@cherylmc @lawrencegripper @msrini-MSFT @anzaman

I have found the problem. I noticed the following error:

EAP_IDENTITY not supported, sending EAP_NAK

This happened because I was missing a package. I figured it out after checking this post. In order to have EAP_IDENTITY support, I had to run

sudo apt install -y libcharon-extra-plugins

After that, everything worked.

Thank you

Finally I did it, thanks @lawrencegripper without this comment:
"Nope I don't think that certs need to be generated with a Linux computer but I do think the CommonName used when generating has to be updated on the %client line of the config when using the CLI path to match the CommonName of the certificate. I haven't been able to test this further as I went back to using the GUI based setup and managed to get this working."
I'll explain what I did:
1- I had this problem:
no TLS peer certificate found for 'client', skipping client authentication
2- After reinstall, build strongswan always I had the same error.
3- I noticed that the value of leftid=%client is the value of the CN of P12 certificate to check this I need to
openssl pkcs12 -in MY_PERSONAL_P12.p12 -nodes -passin pass:"SOME_DARK_PASSWORD" | openssl x509 -noout -subject
with that value I changed %cliente to %MY_DARK_CN
it's important this P12 is the same certificate that i configured in ipsec.secrets
: P12 MY_PERSONAL_P12.p12 'SOME_DARK_PASSWORD'
and azure console Point-to-site configuration in your Virtual network gateway
4- after this I restarted the service "ipsec restart" and tried to connect "ipsec up azure" and all fine

@cherylmc @lawrencegripper @msrini-MSFT @anzaman

I have found the problem. I noticed the following error:

EAP_IDENTITY not supported, sending EAP_NAK

This happened because I was missing a package. I figured it out after checking this post. In order to have EAP_IDENTITY support, I had to run

sudo apt install -y libcharon-extra-plugins

After that, everything worked.

Thank you

I was need to install some other libs. My final list is:

apt-get install -y strongswan libcharon-extra-plugins libcharon-standard-plugins libstrongswan-standard-plugins libstrongswan-extra-plugins