
I cannot get strongSwan and networkmanager-strongswan (client) to work on my Arch-PC. My vpn-strongswan server (hereinafter deb (server)) has been configured for a long time, and any devices (such as Android, Windows), except for my Arch Linux (hereinafter arch (client)), connect to it successfully.

When I try to connect to my vpn deb (server), I get an error that the user data is invalid. I am using the same certificate for the connection as on other devices. I've tried different unique users, but I always get a message with incorrect user information. What am I doing wrong?

I have installed strongSwan and networkmanager-strongswan on my arch (client):

sudo pacman -S networkmanager-strongswan strongswan

My other device can connect to the server from the same network as my arch (client), so the error about NAT has nothing to do with it.

The ipsec.secrets file on my deb (server) is in the correct format:

: RSA "server-key.pem"
test : EAP "password"

On deb (server), the time is different from the arch (client) time (on Android and Windows the time is the same as on arch (client)); this is because deb (server) is in a different time zone. But this does not prevent other devices from connecting to it without problems.

Log on arch (client):

-- Journal begins at Tue 2021-10-05 23:12:10 MSK, ends at Wed 2021-10-06 21:10:15 MSK. --
Oct 06 21:10:13 Arch-PC charon-nm[16823]: 01[IKE] server requested EAP_MSCHAPV2 authentication (id 0x8B)
Oct 06 21:10:13 Arch-PC charon-nm[16823]: 01[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Oct 06 21:10:13 Arch-PC charon-nm[16823]: 01[NET] sending packet: from 172.16.1.20[53461] to my_white_ip_vpn[4500] (140 bytes)
Oct 06 21:10:15 Arch-PC charon-nm[16823]: 07[NET] received packet: from my_white_ip_vpn[4500] to 172.16.1.20[53461] (124 bytes)
Oct 06 21:10:15 Arch-PC charon-nm[16823]: 07[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Oct 06 21:10:15 Arch-PC audit[16823]: SYSCALL arch=c000003e syscall=44 success=yes exit=40 a0=8 a1=7f69867fb5a0 a2=28 a3=0 items=0 ppid=1 pid=16823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="charon-nm" exe="/usr/lib/strongswan/charon-nm" key=(null)
Oct 06 21:10:15 Arch-PC charon-nm[16823]: 07[IKE] EAP-MS-CHAPv2 failed with error ERROR_AUTHENTICATION_FAILURE: '(null)'
Oct 06 21:10:15 Arch-PC charon-nm[16823]: 07[IKE] EAP_MSCHAPV2 method failed
Oct 06 21:10:15 Arch-PC charon-nm[16823]: 07[ENC] generating INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Oct 06 21:10:15 Arch-PC charon-nm[16823]: 07[NET] sending packet: from 172.16.1.20[53461] to my_white_ip_vpn[4500] (76 bytes)

Log on deb (server):

Oct 06 18:10:14 vpn-srv charon[1611]: 16[NET] received packet: from my_white_ip_home[34671] to 172.26.6.255[500] (464 bytes)
Oct 06 18:10:14 vpn-srv charon[1611]: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 06 18:10:14 vpn-srv charon[1611]: 16[IKE] my_white_ip_home is initiating an IKE_SA
Oct 06 18:10:14 vpn-srv charon[1611]: 16[IKE] my_white_ip_home is initiating an IKE_SA
Oct 06 18:10:14 vpn-srv charon[1611]: 16[IKE] local host is behind NAT, sending keep alives
Oct 06 18:10:14 vpn-srv charon[1611]: 16[IKE] remote host is behind NAT
Oct 06 18:10:14 vpn-srv charon[1611]: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Oct 06 18:10:14 vpn-srv charon[1611]: 16[NET] sending packet: from 172.26.6.255[500] to my_white_ip_home[34671] (472 bytes)
Oct 06 18:10:14 vpn-srv charon[1611]: 05[NET] received packet: from my_white_ip_home[53461] to 172.26.6.255[4500] (348 bytes)
Oct 06 18:10:14 vpn-srv charon[1611]: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS NBNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 06 18:10:14 vpn-srv charon[1611]: 05[IKE] received cert request for "CN=VPN Root CA"
Oct 06 18:10:14 vpn-srv charon[1611]: 05[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 06 18:10:14 vpn-srv charon[1611]: 05[IKE] peer supports MOBIKE
Oct 06 18:10:14 vpn-srv charon[1611]: 05[IKE] authentication of 'my_deb_vpn_server_domain' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Oct 06 18:10:14 vpn-srv charon[1611]: 05[IKE] sending end entity cert "CN=my_deb_vpn_server_domain"
Oct 06 18:10:14 vpn-srv charon[1611]: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 06 18:10:14 vpn-srv charon[1611]: 05[ENC] splitting IKE message (1980 bytes) into 2 fragments
Oct 06 18:10:14 vpn-srv charon[1611]: 05[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 06 18:10:14 vpn-srv charon[1611]: 05[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 06 18:10:14 vpn-srv charon[1611]: 05[NET] sending packet: from 172.26.6.255[4500] to my_white_ip_home[53461] (1248 bytes)
Oct 06 18:10:14 vpn-srv charon[1611]: 05[NET] sending packet: from 172.26.6.255[4500] to my_white_ip_home[53461] (800 bytes)
Oct 06 18:10:14 vpn-srv charon[1611]: 06[NET] received packet: from my_white_ip_home[53461] to 172.26.6.255[4500] (76 bytes)
Oct 06 18:10:14 vpn-srv charon[1611]: 06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Oct 06 18:10:14 vpn-srv charon[1611]: 06[IKE] received EAP identity 'test'
Oct 06 18:10:14 vpn-srv charon[1611]: 06[IKE] initiating EAP_MSCHAPV2 method (id 0x8B)
Oct 06 18:10:14 vpn-srv charon[1611]: 06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Oct 06 18:10:14 vpn-srv charon[1611]: 06[NET] sending packet: from 172.26.6.255[4500] to my_white_ip_home[53461] (108 bytes)
Oct 06 18:10:14 vpn-srv charon[1611]: 07[NET] received packet: from my_white_ip_home[53461] to 172.26.6.255[4500] (140 bytes)
Oct 06 18:10:14 vpn-srv charon[1611]: 07[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Oct 06 18:10:14 vpn-srv charon[1611]: 07[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
Oct 06 18:10:16 vpn-srv charon[1611]: 07[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Oct 06 18:10:16 vpn-srv charon[1611]: 07[NET] sending packet: from 172.26.6.255[4500] to my_white_ip_home[53461] (124 bytes)
Oct 06 18:10:16 vpn-srv charon[1611]: 08[NET] received packet: from my_white_ip_home[53461] to 172.26.6.255[4500] (76 bytes)
Oct 06 18:10:16 vpn-srv charon[1611]: 08[ENC] parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
Oct 06 18:10:16 vpn-srv charon[1611]: 08[ENC] generating INFORMATIONAL response 4 [ N(AUTH_FAILED) ]
Oct 06 18:10:16 vpn-srv charon[1611]: 08[NET] sending packet: from 172.26.6.255[4500] to my_white_ip_home[53461] (76 bytes)

What should I do so that I can connect to my VPN? Please help me.

  • What strongSwan versions are you using on client/server? Do the passwords contain any non-ASCII characters? – ecdsa Oct 07 '21 at 07:25

1 Answer

To connect from the console, this guide on configuring the strongSwan client helped me: https://protonvpn.com/support/linux-ikev2-protonvpn/

In the IDE, when you first connect your new VPN connection, the NetworkManager-Strongswan asks for a password from the VPN, not from the Sudo. Because of this, when connecting from the IDE, an authorization error occurred.

  • What does "the NetworkManager-Strongswan asks for a password from the VPN, not from the Sudo" mean exactly? And why is it a problem? Did you try storing the password in the connection editor? – ecdsa Oct 08 '21 at 07:52
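
Added example (not part of the original question, answer or comments): a small Python triage that reads charon lines like those in the server log above and reports how far the login got before it failed. The `triage` function, the milestone names and the verdict strings are assumptions made for this illustration, and the sample lines are constructed from the log in the question.

```python
import re

# Constructed sample, modelled on the server-side charon lines in the question.
SAMPLE = """\
Oct 06 18:10:14 vpn-srv charon[1611]: 16[IKE] remote host is behind NAT
Oct 06 18:10:14 vpn-srv charon[1611]: 05[IKE] authentication of 'my_deb_vpn_server_domain' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Oct 06 18:10:14 vpn-srv charon[1611]: 06[IKE] received EAP identity 'test'
Oct 06 18:10:14 vpn-srv charon[1611]: 06[IKE] initiating EAP_MSCHAPV2 method (id 0x8B)
Oct 06 18:10:14 vpn-srv charon[1611]: 07[IKE] EAP-MS-CHAPv2 verification failed, retry (1)
Oct 06 18:10:16 vpn-srv charon[1611]: 08[ENC] parsed INFORMATIONAL request 4 [ N(AUTH_FAILED) ]
"""

MSG = re.compile(r"charon(?:-nm)?\[\d+\]: \d+\[[A-Z]+\] (.*)$")
# Milestones in the order a certificate + EAP-MSCHAPv2 IKEv2 login passes them.
MILESTONES = [
    ("nat_detected", r"is behind NAT"),
    ("server_auth_ok", r"authentication of '.*' \(myself\) with \S+ successful"),
    ("eap_identity", r"received EAP identity '([^']*)'"),
    ("eap_method", r"initiating (EAP_\w+) method"),
    ("eap_rejected", r"EAP-MS-CHAPv2 (?:verification failed|failed with error)"),
    ("auth_failed", r"N\(AUTH_FAILED\)"),
]

def triage(log_text):
    """Return the milestones reached and a heuristic verdict on where login broke."""
    seen = {}
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue  # skip audit records and lines from other daemons
        for name, pattern in MILESTONES:
            hit = re.search(pattern, m.group(1))
            if hit and name not in seen:
                seen[name] = hit.group(1) if hit.groups() else True
    if "eap_rejected" in seen and "eap_identity" in seen:
        verdict = "password or secret mismatch for EAP identity %r" % seen["eap_identity"]
    elif "auth_failed" in seen and "eap_identity" not in seen:
        verdict = "failed before EAP: check certificate and identity settings"
    elif "auth_failed" in seen:
        verdict = "EAP started but did not complete: check EAP method support"
    else:
        verdict = "no authentication failure recorded"
    return seen, verdict

if __name__ == "__main__":
    reached, verdict = triage(SAMPLE)
    print(sorted(reached), "->", verdict)
```

On the sample, NAT detection and the server's certificate authentication both appear before the EAP-MSCHAPv2 rejection, which points at the credentials entered on the client rather than at NAT or the certificate.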