Conceal

[deleted unhelpful comment]

.

@jkr If you have references you’d care to share in IM I’d appreciate it. Otherwise I’m skipping it because I’m not getting anything out of it at this point.

Edit: thanks for the IM! I still don’t know what I’m doing but I’m back to a learning-per-hour rate > 0. Edit 2: and making progress. Still no user but I’ve learned some stuff and am confident I’ll get it eventually.

@n00kie said:

@Warlord711 said:
What client do you guys use to connect? I tried vpnc but it seems not to connect at all.

charon-cmd

Don’t think it’s possible using only charon-cmd. I think we need strongSwan installed and configured properly. charon-cmd only has predefined profiles and none of them matches here.

For me, it is very interesting to learn about the Linux clients. I am trying to translate what worked on Windows to Linux and vice versa.

@Warlord711 Thanks for the confirmation! I looked into this client and did not find the options to exactly replicate what already worked on Windows - but I was not sure if you can use some or all of the options of the ‘strong bird client’ also in charon.

@Warlord711 that’s a helpful bit of direction, thanks from all of us

I’ll stop here for now until I find some time to invest hours into configuring another PITA piece of software like a VPN client under Linux - why keep things simple if you can overcomplicate everything with hundreds of config files and a pretty useless wiki/documentation.

The strong service has numerous configuration scenarios in its manpage. I am confident that one of them is the right one. :anguished:

Giving it a try…

@ferreirasc said:
The strong service has numerous configuration scenarios in its manpage. I am confident that one of them is the right one. :anguished:

Giving it a try…

Yeah, that’s what I did for hours: rebuilding the scenarios, editing the .conf files, adding/changing settings, but I always ran into NO PROPOSAL CHOSEN even with the correct proposals set in the conn.

Anyone trying with libreswan?

I wrote a couple of scripts to try different command configurations “even though I know what should be the correct one”, and I tried various configurations of the IP***.conf file… I tried and installed various plugins to swan, and even tried multiple configurations on a Windows VM… and kept getting the same policy error.

This is where I can confidently say: “this is a stupid machine… goodbye”

@Warlord711 said:

@n00kie said:

@Warlord711 said:
What client do you guys use to connect? I tried vpnc but it seems not to connect at all.

charon-cmd

Don’t think it’s possible using only charon-cmd. I think we need strongSwan installed and configured properly. charon-cmd only has predefined profiles and none of them matches here.

That’s true, I just wanted to lead the way to strongSwan and thought I’d throw that in as a hint.

By any chance have you used or found anything better than charon-cmd? The debugging on it is a story 20 chapters long.

@n00kie said:

@Warlord711 said:

@n00kie said:

@Warlord711 said:
What client do you guys use to connect? I tried vpnc but it seems not to connect at all.

charon-cmd

Don’t think it’s possible using only charon-cmd. I think we need strongSwan installed and configured properly. charon-cmd only has predefined profiles and none of them matches here.

That’s true, I just wanted to lead the way to strongSwan and thought I’d throw that in as a hint.

By any chance have you used or found anything better than charon-cmd? The debugging on it is a story 20 chapters long.

"charondebug =

How much charon debugging output should be logged. A comma-separated list containing
type/level pairs may be specified, e.g: dmn 3, ike 1, net -1.

Acceptable values for types are dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts and the level is one of [-1, 0, 1, 2, 3, 4] (for silent, audit, control, controlmore, raw, private). By default, the level is set to 1 for all types."

The logging is very customisable, and you may or may not find it helpful.
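Added example (not code from this thread or from the strongSwan project): a small validator that applies the charondebug rules quoted from the man page above, so a debug string can be checked for typos and the effective per-subsystem levels read back before it goes into ipsec.conf.

```python
from typing import Dict

# Subsystem types accepted by charondebug, as listed in the man page excerpt.
CHARON_TYPES = (
    "dmn", "mgr", "ike", "chd", "job", "cfg", "knl", "net", "asn",
    "enc", "lib", "esp", "tls", "tnc", "imc", "imv", "pts",
)

# Level numbers and the names the man page gives them.
LEVEL_NAMES = {-1: "silent", 0: "audit", 1: "control",
               2: "controlmore", 3: "raw", 4: "private"}

DEFAULT_LEVEL = 1  # per the man page, every type defaults to level 1 (control)


def parse_charondebug(value: str) -> Dict[str, int]:
    """Return the effective level of every type after applying ``value``.

    ``value`` is the comma-separated "type level" list from ipsec.conf,
    e.g. "dmn 3, ike 1, net -1". Types not mentioned keep DEFAULT_LEVEL.
    Raises ValueError on an unknown type, a malformed pair or a level
    outside -1..4, so a typo is caught before charon silently ignores it.
    """
    levels = {t: DEFAULT_LEVEL for t in CHARON_TYPES}
    if not value.strip():
        return levels
    for item in value.split(","):
        parts = item.split()
        if len(parts) != 2:
            raise ValueError(f"malformed type/level pair: {item!r}")
        typ, lvl_str = parts
        if typ not in levels:
            raise ValueError(f"unknown debug type: {typ!r}")
        try:
            lvl = int(lvl_str)
        except ValueError:
            raise ValueError(f"level is not an integer: {lvl_str!r}") from None
        if lvl not in LEVEL_NAMES:
            raise ValueError(f"level {lvl} out of range -1..4 for {typ!r}")
        levels[typ] = lvl
    return levels


def describe(levels: Dict[str, int]) -> Dict[str, str]:
    """Map each type to the man page's name for its level, e.g. 'raw'."""
    return {t: LEVEL_NAMES[lvl] for t, lvl in levels.items()}
```

For proposal mismatches like the NO PROPOSAL CHOSEN reported in this thread, raising `ike` and `cfg` to level 2 is the usual combination, since the cfg subsystem is where charon logs the proposals it configured against the ones it received.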

@23Y4D said:
I wrote a couple of scripts to try different command configurations “even though I know what should be the correct one”, and I tried various configurations of the IP***.conf file… I tried and installed various plugins to swan, and even tried multiple configurations on a Windows VM… and kept getting the same policy error.

This is where I can confidently say: “this is a stupid machine… goodbye”

This!
Don’t get it: ‘the’ scan tools only give a valid response using a specific set of proposals, but using these proposals, configured in ipsec.conf or using charon, always results in a NO PROPOSAL CHOSEN error. Searching for the error only returns basic stuff like “install plugins” etc. but does not solve the situation here.

Plugins are installed and available, not sure why it always fails.

RFC 2409 - The Internet Key Exchange (IKE) may be helpful.

I am in the middle of privesc right now but if I have time, I can help those who are stuck using a certain strong application. It can be a pain in the ■■■■!

Edit - I will not hand you answers if you haven’t done anything to research it :slight_smile:

@rewks said:

@n00kie said:

@Warlord711 said:

@n00kie said:

@Warlord711 said:
What client do you guys use to connect? I tried vpnc but it seems not to connect at all.

charon-cmd

Don’t think it’s possible using only charon-cmd. I think we need strongSwan installed and configured properly. charon-cmd only has predefined profiles and none of them matches here.

That’s true, I just wanted to lead the way to strongSwan and thought I’d throw that in as a hint.

By any chance have you used or found anything better than charon-cmd? The debugging on it is a story 20 chapters long.

"charondebug =

How much charon debugging output should be logged. A comma-separated list containing
type/level pairs may be specified, e.g: dmn 3, ike 1, net -1.

Acceptable values for types are dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts and the level is one of [-1, 0, 1, 2, 3, 4] (for silent, audit, control, controlmore, raw, private). By default, the level is set to 1 for all types."

The logging is very customisable, and you may or may not find it helpful.

Thank you!

The debug logs were useless for me :stuck_out_tongue: unfortunately this one is a guessing game.

Can someone PM me to discuss privesc?

Edit: NVM found it.

To save a lot of time, try to enable logging and for every change check the log to understand what went wrong. Make sure you read the wiki page for the most important proto/port part. https://wiki.strongswan.org/projects/strongswan/wiki/connsection

The moment you work with someone to solve the connection problem on the machine and he manages to connect but after all doesn’t give you a hint.

Rooted. Thank god root wasn’t as much of a PITA as user.

For the folks working on user - this link helped me troubleshoot. https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-troubleshooting.html

So knowing your error and what it might mean, read through the config man page relevant section AND TRY EVERYTHING YOU SEE. It’s a bit of a PITA as you’re just guessing but there isn’t much to try.