Hi everyone.

Today's post is about how to solve common StrongSwan IPSec VPN problems. If you are a Linux user, you may have noticed that after installing StrongSwan from APT or building it from source, the VPN does not work correctly: the network is unreachable or the traffic is not being encapsulated. This is a common problem in the latest Debian-based distributions, and in other ones that use systemd-resolved as the resolver.

Well, the solution is actually pretty simple. Follow along to learn how to solve it.

The first step is installing the StrongSwan client with all required dependencies. You can do it via APT:

```bash
sudo apt update
sudo apt install strongswan strongswan-libcharon strongswan-starter strongswan-nm strongswan-charon strongswan-swanctl strongswan-pki libcharon-standard-plugins libcharon-extra-plugins --install-recommends
```

Then, we must check the NetworkManager settings:

```bash
sudo NetworkManager --print-config
```

```ini
# NetworkManager configuration: /etc/NetworkManager/NetworkManager.conf

[main]
# rc-manager=symlink
# auth-polkit=true
# dhcp=dhclient
dns=default
plugins=ifupdown,keyfile

[connectivity]
uri=http://connectivity-check.ubuntu.com/

# it is important that this value is "false"
[ifupdown]
managed=false

[logging]
# backend=journal
# audit=true

[device]
wifi.scan-rand-mac-address=no

[device-mac-addr-change-wifi]
match-device=driver:rtl8723bs,driver:rtl8189es,driver:r8188eu,driver:8188eu,driver:eagle_sdio,driver:wl
wifi.scan-rand-mac-address=no
wifi.cloned-mac-address=preserve
ethernet.cloned-mac-address=preserve

[connection]
wifi.powersave=3
```

As we can see in the output above, it is important that `managed` in the `[ifupdown]` section is set to `false` (it may also work with it set to `true`).

In addition, check that you have the line `dns=default`. If it is missing, you must add it, otherwise you will not have an Internet connection later. To do so, edit the NetworkManager.conf file and add `dns=default` to the `[main]` section:

```bash
sudo nano /etc/NetworkManager/NetworkManager.conf
```

Now, we are going to disable systemd-resolved so that NetworkManager completely manages the network connections. This is useful on the client side only; on servers, NetworkManager is much less common than systemd-resolved or other utilities.

```bash
echo "Stopping systemd-resolved service"
sudo systemctl stop systemd-resolved

echo "Disabling systemd-resolved - now NetworkManager manages the connections"
sudo systemctl disable systemd-resolved

# /etc/resolv.conf is usually a symlink to the systemd-resolved stub; remove it
echo "Removing old resolv.conf"
sudo rm -f /etc/resolv.conf

# with dns=default, NetworkManager writes a fresh /etc/resolv.conf on restart
echo "Updating resolv.conf with latest changes"
sudo systemctl restart NetworkManager
```

And that is it! NetworkManager now handles all connections, and our VPN client should work correctly. If you have any issues, please feel free to comment below or ask in a Telegram group.
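As an added example that is not part of the original post, here is a small POSIX shell check for the two NetworkManager.conf settings discussed above (`dns=default` in `[main]` and `managed=false` in `[ifupdown]`); `nm_conf_get` and `check_nm_conf` are names chosen for this example, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check a NetworkManager.conf for
# main.dns=default and ifupdown.managed=false. Config text is read from stdin
# so the checks can run against constructed samples, not only the live file.

# Print the value of KEY inside [SECTION]; prints nothing when the key is
# absent, lives in another section, or is commented out.
nm_conf_get() {
  awk -v sect="[$1]" -v key="$2" '
    /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sect = (s == sect); next }
    in_sect && $0 !~ /^[ \t]*#/ {
      split($0, kv, "=")
      gsub(/[ \t]/, "", kv[1])
      if (kv[1] == key) { v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v); print v; exit }
    }'
}

# Return 0 when the config on stdin satisfies both requirements, 1 otherwise,
# naming each failed check.
check_nm_conf() {
  conf=$(cat)
  rc=0
  [ "$(printf '%s\n' "$conf" | nm_conf_get main dns)" = "default" ] \
    || { echo "[main] dns is not 'default'"; rc=1; }
  [ "$(printf '%s\n' "$conf" | nm_conf_get ifupdown managed)" = "false" ] \
    || { echo "[ifupdown] managed is not 'false'"; rc=1; }
  return $rc
}

# Constructed samples: the shape of the post's working config, and a config
# where systemd-resolved still owns DNS and ifupdown still manages interfaces.
GOOD_CONF='[main]
dns=default
plugins=ifupdown,keyfile

[ifupdown]
managed=false'

BAD_CONF='[main]
# dns=default
dns=systemd-resolved
plugins=ifupdown,keyfile

[ifupdown]
managed=true'

# On a real host, run it against the live file:
#   check_nm_conf < /etc/NetworkManager/NetworkManager.conf
printf '%s\n' "$BAD_CONF" | check_nm_conf || echo "BAD_CONF fails the checks, as expected"
```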

Please, consider sharing this article if you found it useful 😄


Reference: https://s.javinator9889.com/Q4k3Jl