VPN config works locally on bitrise CLI but fails on bitrise.io

#1

Hello,

I am attempting to configure a VPN for a bitrise Mac build following this guide:
devcenter.bitrise.io/tutorials/vpn-configuration/
I basically use this guide although I am using XAuth instead of certificate auth. I am able to get this config working with the bitrise CLI using my Macbook and a test bitrise.yml file. However, when I add the step to bitrise.io as a Script step in my workflow, the VPN connection consistently fails with the same error.

Snip from the logs:

XAuth authentication of 'bitrise' (myself) successful
IKE_SA VPN[1] established between 10.100.2.73[vpn-group]...XXX.XXX.XX.XXX[XXX.XXX.XX.XX]
scheduling reauthentication in 86220s
maximum IKE_SA lifetime 86400s
generating TRANSACTION response 1877530591 [ HASH CPA(X_STATUS) ]
sending packet: from 10.100.2.73[4500] to XXX.XXX.XX.XXX[4500] (76 bytes)
generating TRANSACTION request 682091945 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 10.100.2.73[4500] to XXX.XXX.XX.XXX[4500] (76 bytes)
received packet: from XXX.XXX.XX.XXX[4500] to 10.100.2.73[4500] (92 bytes)
parsed TRANSACTION response 682091945 [ HASH CPRP(ADDR DNS DNS) ]
installing 192.168.21.1 as DNS server
installing 192.168.21.2 as DNS server
installing new virtual IP 192.168.9.175
created TUN device: utun1
virtual IP 192.168.9.175 did not appear on utun1
installing virtual IP 192.168.9.175 failed
generating QUICK_MODE request 1350114181 [ HASH SA No ID ID ]
sending packet: from 10.100.2.73[4500] to XXX.XXX.XX.XXX[4500] (204 bytes)
sending retransmit 1 of request message ID 1350114181, seq 4
sending packet: from 10.100.2.73[4500] to XXX.XXX.XX.XXX[4500] (204 bytes)
sending retransmit 2 of request message ID 1350114181, seq 4
sending packet: from 10.100.2.73[4500] to XXX.XXX.XX.XXX[4500] (204 bytes)
sending retransmit 3 of request message ID 1350114181, seq 4
sending packet: from 10.100.2.73[4500] to XXX.XXX.XX.XXX[4500] (204 bytes)
sending keep alive to XXX.XXX.XX.XXX[4500]
sending retransmit 4 of request message ID 1350114181, seq 4
sending packet: from 10.100.2.73[4500] to XXX.XXX.XX.XXX[4500] (204 bytes)
sending keep alive to XXX.XXX.XX.XXX[4500]
sending keep alive to XXX.XXX.XX.XXX[4500]
sending retransmit 5 of request message ID 1350114181, seq 4
sending packet: from 10.100.2.73[4500] to XXX.XXX.XX.XXX[4500] (204 bytes)
sending keep alive to XXX.XXX.XX.XXX[4500]
sending keep alive to XXX.XXX.XX.XXX[4500]
sending keep alive to XXX.XXX.XX.XXX[4500]
giving up after 5 retransmits
establishing connection 'VPN' failed

I don’t think that this is related to the stronswan config, because as I mentioned, I’ve gotten it to work locally through Bitrise (and also tested the config successfully on multiple other clients [centos/ubuntu/mac] with strongswan/ipsec directly) and this is getting a bit maddening.

Does anyone have any ideas or places I might want to consider looking?

Thanks

0 Likes

#2

Hi @jtcastillo,

Did you check your server’s logs?

0 Likes

#3

Hi Viktor, thanks for your response.

The VPN is attempting to connect the mac VM and our firewall/gateway, and when I check the firewall logs, I’m seeing is this:

IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 0.0.0.0/0 type IPv4_subnet protocol 0 port 0, received remote id: 10.100.6.236/32 type IPv4_address protocol 0 port 0.’

This means it could be my config, but its a little confusing as I hadn’t had this problem locally on OS X or testing from AWS machines in Linux. I’ve done a bit more testing to see if I can change the expected Proxy ID through our firewall locally, or through the strongswan configuration, but it hasnt been very fruitful.

Based on my understanding of this error, it seems like the bitrise mac vm, unlike my testing machines, is trying to use policy-based VPN instead of route-based VPN. I am not completely sure why this would be, because at the client level, the strongswan config is exactly the same. I suspect this is something I will need to sort out myself, but any insights or ideas would be greatly appreciated.

0 Likes

#4

Indeed this is most likely related to your setup in some way. One thing which worth to check in pretty much every case like this is to compare the tool versions, in this case the strongswan version on your Mac vs the one on Bitrise.io. Newer versions of the tool (in general) might change default configurations or configuration options overall.

0 Likes

#5

I just wanted to follow up and say that although I was never able to get my strongswan config working, I was able to get this up and running using the brew package ‘macosvpn’, which allows you to configure VPN connections with the native Mac VPN client through the CLI, and the OSX command scutil. So that might be worth a shot for anyone who finds this and is also struggling with Mac VPN issues.

The set-up was easy for me, this is basically the whole script for Mac:

brew install macosvpn
sudo macosvpn create --cisco [vpn config]
scutil --nc start [vpn name]
1 Like

How to configure bitrise to access an internally hosted git repository
How to register a GitHub Enterprise repository
#6

Thanks for sharing the infos & script @jtcastillo! :wink:

0 Likes

#7

Hello guys, I am trying to use macosvpn, it creates well the VPN but it is not active after running scutil.

see my below logs…

  • sudo macosvpn create --l2tp Dvpn --endpoint [REDACTED] --username [REDACTED] --password [REDACTED] --sharedsecret [REDACTED]
    Successfully created L2TP over IPSec VPN Dvpn with ID 12346
    Finished without errors.

  • sudo networksetup -setdnsservers Dvpn 8.8.8.8

  • scutil --nc start Dvpn --secret [REDACTED]

  • scutil --nc status Dvpn
    Disconnected
    Extended Status {
    PPP : {
    DeviceLastCause : 0
    LastCause : 25
    Status : 0
    }
    Status : 0
    }

@jtcastillo any tip?

0 Likes

#8

I mange to make it work by adding a new step where I start the vpn plus some sleeping time. New step shall show something like.

sleep 5s
scutil --nc start Dvpn --secret [REDACTED]

0 Likes