IPSec: strongswan, charon, resolvconf - DNS Server cannot be registered

I recently switched from some Debian-based distro to Fedora. After copying my strongSwan config files and fixing some new SELinux issues, I still cannot connect to my company’s VPN (IKEv2 with PSK).

The issue I am facing is this line:
resolvconf: Failed to set DNS configuration: Could not activate remote peer.

Complete log:

charon-systemd[2145]: initiating IKE_SA IKEv2PSK[1] to 81.81.81.81
charon-systemd[2145]: generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
charon-systemd[2145]: sending packet: from 192.168.86.154[500] to 81.81.81.81[500] (464 bytes)
charon-systemd[2145]: received packet: from 81.81.81.81[500] to 192.168.86.154[500] (503 bytes)
charon-systemd[2145]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(FRAG_SUP) CERTREQ V ]
charon-systemd[2145]: received unknown vendor ID: 81:75:2e:b5:91:4d:73:5c:df:cd:c8:58:c3:a8:ed:7c:1c:66:d1:42
charon-systemd[2145]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
charon-systemd[2145]: local host is behind NAT, sending keep alives
charon-systemd[2145]: received 1 cert requests for an unknown ca
charon-systemd[2145]: authentication of 'marcwittke@my.comp.any' (myself) with pre-shared key
charon-systemd[2145]: establishing CHILD_SA work{1}
charon-systemd[2145]: generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
charon-systemd[2145]: sending packet: from 192.168.86.154[4500] to 81.81.81.81[4500] (336 bytes)
charon-systemd[2145]: received packet: from 81.81.81.81[4500] to 192.168.86.154[4500] (272 bytes)
charon-systemd[2145]: parsed IKE_AUTH response 1 [ IDr AUTH CPRP(DNS DNS ADDR) TSi TSr N(INIT_CONTACT) SA ]
charon-systemd[2145]: authentication of 'marcwittke@my.comp.any' with pre-shared key successful
charon-systemd[2145]: IKE_SA IKEv2PSK[1] established between 192.168.86.154[marcwittke@my.comp.any]...81.81.81.81[marcwittke@my.comp.any]
charon-systemd[2145]: scheduling rekeying in 13590s
charon-systemd[2145]: maximum IKE_SA lifetime 15030s
charon-systemd[2145]: installing DNS server 192.168.0.132 via resolvconf
charon-systemd[2145]: resolvconf: Failed to set DNS configuration: Could not activate remote peer.
charon-systemd[2145]: removing DNS server 192.168.0.132 via resolvconf
charon-systemd[2145]: resolvconf: Failed to revert interface configuration: Could not activate remote peer.
charon-systemd[2145]: adding DNS server failed
charon-systemd[2145]: installing DNS server 192.168.0.132 via resolvconf
charon-systemd[2145]: resolvconf: Failed to set DNS configuration: Could not activate remote peer.

Any hint where to dig further? systemd-resolved is running. No SELinux policy issues are popping up any more.

1 Like
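As an added example (not code from the post or from strongSwan), a small Python checker that walks charon log lines like the ones above and flags the outcome that matters from a security standpoint: the tunnel came up but none of the pushed DNS servers was installed, so lookups for the remote domain keep going to the local resolver. The sample lines are condensed from the post; the verdict labels and function names are my own constructions.

```python
import re

# Constructed sample, condensed from the charon-systemd lines quoted in the post.
SAMPLE_LOG = """\
charon-systemd[2145]: IKE_SA IKEv2PSK[1] established between 192.168.86.154[marcwittke@my.comp.any]...81.81.81.81[marcwittke@my.comp.any]
charon-systemd[2145]: installing DNS server 192.168.0.132 via resolvconf
charon-systemd[2145]: resolvconf: Failed to set DNS configuration: Could not activate remote peer.
charon-systemd[2145]: adding DNS server failed
charon-systemd[2145]: installing DNS server 192.168.0.133 via resolvconf
charon-systemd[2145]: resolvconf: Failed to set DNS configuration: Could not activate remote peer.
charon-systemd[2145]: adding DNS server failed
charon-systemd[2145]: CHILD_SA companyvpn{2} established with SPIs c8e1e976_i 50a2c8ef_o and TS 192.168.0.209/32 === 192.168.0.0/24
"""

INSTALL_RE = re.compile(r"installing DNS server (\S+) via resolvconf")
RESOLVCONF_ERR_RE = re.compile(r"resolvconf: (.+)$")
CHILD_RE = re.compile(r"CHILD_SA (\S+)\{\d+\} established")
FAILED = "adding DNS server failed"

def analyse(log: str) -> dict:
    """Walk the log in order, pairing each 'installing DNS server' attempt with
    its outcome, and note whether a CHILD_SA (the actual tunnel) came up."""
    state = {"installed": [], "failed": [], "errors": [], "child_sa": None}
    pending = None
    for line in log.splitlines():
        if m := INSTALL_RE.search(line):
            if pending:                      # previous attempt never reported failed
                state["installed"].append(pending)
            pending = m.group(1)
        elif m := RESOLVCONF_ERR_RE.search(line):
            state["errors"].append(m.group(1))   # the resolvconf error text itself
        elif FAILED in line and pending:
            state["failed"].append(pending)
            pending = None
        elif m := CHILD_RE.search(line):
            state["child_sa"] = m.group(1)
    if pending:
        state["installed"].append(pending)
    return state

def verdict(state: dict) -> str:
    """Tunnel up but no pushed resolver installed is the case to alert on:
    lookups for the remote domain silently go to the local resolver instead."""
    if not state["child_sa"]:
        return "no-tunnel"
    if state["failed"] and not state["installed"]:
        return "dns-not-installed"
    return "dns-partial" if state["failed"] else "ok"
```

Feed it `journalctl -u strongswan -o cat` output (or the swanctl output further down the thread, which carries the same messages with a `[IKE]` prefix) and alert on anything other than `ok`.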

Re-enable and restart the resolver and temporarily disable SELinux:

sudo systemctl --now enable systemd-resolved.service
sudo systemctl restart systemd-resolved.service
sudo setenforce 0

Then check the output:

systemctl --no-pager status systemd-resolved.service
ls -l /etc/resolv.conf
grep -v -e ^# -e ^$ /etc/resolv.conf
resolvectl --no-pager status
getenforce

Re-establish the connection and check if the issue persists.

Also, which method are you using to set up the connection?

1 Like

Thanks for replying. Here are the command outputs:

$ systemctl --no-pager status systemd-resolved.service

● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: disabled)
     Active: active (running) since Fri 2020-09-11 20:05:32 -03; 46s ago
       Docs: man:systemd-resolved.service(8)
             https://www.freedesktop.org/wiki/Software/systemd/resolved
             https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
             https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
   Main PID: 7849 (systemd-resolve)
     Status: "Processing requests..."
      Tasks: 1 (limit: 38227)
     Memory: 8.7M
     CGroup: /system.slice/systemd-resolved.service
             └─7849 /usr/lib/systemd/systemd-resolved

Sep 11 20:05:32 mw-lat5591.fritz.box systemd[1]: Starting Network Name Resolution...
Sep 11 20:05:32 mw-lat5591.fritz.box systemd-resolved[7849]: Positive Trust Anchors:
Sep 11 20:05:32 mw-lat5591.fritz.box systemd-resolved[7849]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
Sep 11 20:05:32 mw-lat5591.fritz.box systemd-resolved[7849]: Negative trust anchors: 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arpa 21.172.in-addr.arpa 22.172.in-addr.a…
Sep 11 20:05:32 mw-lat5591.fritz.box systemd-resolved[7849]: Using system hostname 'mw-lat5591.fritz.box'.
Sep 11 20:05:32 mw-lat5591.fritz.box systemd[1]: Started Network Name Resolution.
Hint: Some lines were ellipsized, use -l to show in full.

$ ls -l /etc/resolv.conf

-rw-r--r--. 1 root root 38 Sep 11 09:07 /etc/resolv.conf

$ grep -v -e ^# -e ^$ /etc/resolv.conf

search fritz.box
nameserver 127.0.0.1

$ resolvectl --no-pager status

Global
       LLMNR setting: yes                 
MulticastDNS setting: yes                 
  DNSOverTLS setting: no                  
      DNSSEC setting: allow-downgrade     
    DNSSEC supported: yes                 
  Current DNS Server: 127.0.0.1           
         DNS Servers: 127.0.0.1           
Fallback DNS Servers: 1.1.1.1             
                      8.8.8.8             
                      1.0.0.1             
                      8.8.4.4             
                      2606:4700:4700::1111
                      2001:4860:4860::8888
                      2606:4700:4700::1001
                      2001:4860:4860::8844
          DNS Domain: fritz.box           
          DNSSEC NTA: 10.in-addr.arpa     
                      16.172.in-addr.arpa 
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa 
                      18.172.in-addr.arpa 
                      19.172.in-addr.arpa 
                      20.172.in-addr.arpa 
                      21.172.in-addr.arpa 
                      22.172.in-addr.arpa 
                      23.172.in-addr.arpa 
                      24.172.in-addr.arpa 
                      25.172.in-addr.arpa 
                      26.172.in-addr.arpa 
                      27.172.in-addr.arpa 
                      28.172.in-addr.arpa 
                      29.172.in-addr.arpa 
                      30.172.in-addr.arpa 
                      31.172.in-addr.arpa 
                      corp                
                      d.f.ip6.arpa        
                      home                
                      internal            
                      intranet            
                      lan                 
                      local               
                      private             
                      test                

Link 8 (br-cd1156217be9)
      Current Scopes: none           
DefaultRoute setting: no             
       LLMNR setting: yes            
MulticastDNS setting: no             
  DNSOverTLS setting: no             
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes            

Link 7 (docker0)
      Current Scopes: none           
DefaultRoute setting: no             
       LLMNR setting: yes            
MulticastDNS setting: no             
  DNSOverTLS setting: no             
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes            

Link 6 (virbr0-nic)
      Current Scopes: none           
DefaultRoute setting: no             
       LLMNR setting: yes            
MulticastDNS setting: no             
  DNSOverTLS setting: no             
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes            

Link 5 (virbr0)
      Current Scopes: none           
DefaultRoute setting: no             
       LLMNR setting: yes            
MulticastDNS setting: no             
  DNSOverTLS setting: no             
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes            

Link 4 (wlo1)
      Current Scopes: none           
DefaultRoute setting: no             
       LLMNR setting: yes            
MulticastDNS setting: no             
  DNSOverTLS setting: no             
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes            

Link 3 (eno2)
      Current Scopes: none           
DefaultRoute setting: no             
       LLMNR setting: yes            
MulticastDNS setting: no             
  DNSOverTLS setting: no             
      DNSSEC setting: allow-downgrade
    DNSSEC supported: yes            

Link 2 (enp0s20f0u5u2)
      Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
DefaultRoute setting: yes                      
       LLMNR setting: yes                      
MulticastDNS setting: no                       
  DNSOverTLS setting: no                       
      DNSSEC setting: allow-downgrade          
    DNSSEC supported: yes                      
  Current DNS Server: 192.168.86.254           
         DNS Servers: 192.168.86.254           
                      127.0.0.1                
          DNS Domain: ~.                       
                      fritz.box  

$ getenforce

permissive

Some more details about the environment: 192.168.86.254 is my (Wi-Fi) router. I’m connected through the USB-C dock’s Ethernet adapter enp0s20f0u5u2; neither wlo1 nor eno2 (the onboard Ethernet adapter) is connected. Docker is running, hence docker0, and KVM as well, which also provides some logical Ethernet devices.

However, in the meantime I was able to connect. I enabled dnsmasq on 127.0.0.1:53 with a static entry that forces resolution of my.comp.any via 192.168.0.132 (our DNS server at work). I configured strongSwan to establish the tunnel on demand, as described here.

The value trap installs a trap policy, which triggers the tunnel as soon as matching traffic has been detected.

However, sometimes (especially after undocking and switching to Wi-Fi) I have to restart the strongSwan service and initiate the connection manually like this:

$ swanctl --initiate --child companyvpn

initiating IKE_SA IKEv2PSK[1] to 81.81.81.81
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.86.154[500] to 81.81.81.81[500] (464 bytes)
[NET] received packet: from 81.81.81.81[500] to 192.168.86.154[500] (503 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(FRAG_SUP) CERTREQ V ]
[ENC] received unknown vendor ID: 81:75:2e:b5:91:4d:73:5c:df:cd:c8:58:c3:a8:ed:7c:1c:66:d1:42
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[IKE] received 1 cert requests for an unknown ca
[IKE] authentication of 'marcwittke@my.comp.any' (myself) with pre-shared key
[IKE] establishing CHILD_SA companyvpn{2}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.86.154[4500] to 81.81.81.81[4500] (352 bytes)
[NET] received packet: from 81.81.81.81[4500] to 192.168.86.154[4500] (272 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH CPRP(DNS DNS ADDR) TSi TSr N(INIT_CONTACT) SA ]
[IKE] authentication of 'marcwittke@my.comp.any' with pre-shared key successful
[IKE] IKE_SA IKEv2PSK[1] established between 192.168.86.154[marcwittke@my.comp.any]...81.81.81.81[marcwittke@my.comp.any]
[IKE] scheduling rekeying in 13756s
[IKE] maximum IKE_SA lifetime 15196s
[IKE] installing DNS server 192.168.0.132 via resolvconf
[IKE] 
[IKE] removing DNS server 192.168.0.132 via resolvconf
[IKE] 
[IKE] adding DNS server failed
[IKE] installing DNS server 192.168.0.132 via resolvconf
[IKE] 
[IKE] removing DNS server 192.168.0.132 via resolvconf
[IKE] 
[IKE] adding DNS server failed
[CFG] handling INTERNAL_IP4_DNS attribute failed
[IKE] installing DNS server 192.168.0.133 via resolvconf
[IKE] 
[IKE] removing DNS server 192.168.0.133 via resolvconf
[IKE] 
[IKE] adding DNS server failed
[CFG] handling INTERNAL_IP4_DNS attribute failed
[IKE] installing new virtual IP 192.168.0.209
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA companyvpn{2} established with SPIs c8e1e976_i 50a2c8ef_o and TS 192.168.0.209/32 === 192.168.0.0/24
initiate completed successfully

The DNS error is still present, but it is mitigated by my dnsmasq configuration. BUT: after a reboot I was unable to establish the tunnel. It complained about some kernel-module-related stuff:

[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[KNL] received netlink error: Protocol not supported (93)
[KNL] unable to add SAD entry with SPI c3ced924 (FAILED)
[KNL] received netlink error: Protocol not supported (93)
[KNL] unable to add SAD entry with SPI bd0ca47e (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
[IKE] failed to establish CHILD_SA, keeping IKE_SA

According to the strongSwan wiki this is caused by missing kernel modules. I am very unsure about this, because when I ran the shell commands you requested (including switching to permissive mode) it suddenly worked! And it still works after re-enabling enforcing mode. What is going on here?

1 Like

This looks like some kind of race condition.
You can try to modify the persistent configuration to localize the issue:

sudo sed -i -e "/^SELINUX=/s/enforcing/permissive/" /etc/selinux/config
sudo systemctl reboot

Unfortunately, I don’t have enough experience with strongSwan/IPsec.
Did you consider using WireGuard or OpenVPN?

1 Like

I was happy to have mastered IKEv2 to the degree of being able to connect. And I have limited influence on the company’s endpoint, which is a quite veteran Lancom router. So I guess I’m stuck with IPsec.

1 Like

Since Fedora comes with libreswan as a first-class citizen, I decided to give it a try. It worked out of the box with this config:

conn work
    ikev2=insist

    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftid=marcwittke@my.comp.any
    leftmodecfgclient=yes

    right=81.81.81.81
    rightid=marcwittke@my.comp.any
    rightsubnet=192.168.0.0/24

    auto=add
    authby=secret
    mobike=yes
    narrowing=yes
    dpddelay=30
    dpdtimeout=90
    dpdaction=restart

However, the config auto=ondemand does not work because of an arbitrary error. I’ll provide more details tomorrow.

2 Likes

Follow-up: Bringing up libreswan ipsec tunnel ondemand fails