
strongSwan VPN on Linux

The GlobalProtect VPN has been decommissioned by DDaT. Unfortunately, this was the only easily working VPN on Linux. The new strongSwan VPN should just work on popular distros like Mint with the instructions given at https://connect.bath.ac.uk/. Unfortunately, for the rest of us, it often does not “just work”.

This page contains troubleshooting steps for if a basic connection doesn’t work.

Connect instructions

This section covers the basic connection instructions from https://connect.bath.ac.uk and what to expect for a successful connection. This might help your troubleshooting. If it doesn’t, giving DDaT information about what happens here might be useful.

  1. Install the correct packages. The name of these packages differs from distro to distro, so you might have to do some searching. These packages (in the Ubuntu apt repositories) are libcharon-extra-plugins, network-manager-strongswan, and possibly network-manager-strongswan-gnome (if you’re using the Gnome desktop environment).
  2. Using the NetworkManager GUI (might just be called network settings or similar), add a VPN connection with the following:
    • Connection Name: University of Bath VPN
    • Server Name: vpn.bath.ac.uk
    • VPN Type: IKEv2
    • Type of sign-in: Username and Password/EAP-MSCHAPv2 or simply “EAP”
    • Other Options: Request an inner IP address, Enforce UDP encapsulation
  3. You may need to use the university’s DNS servers (138.38.1.1 and 138.38.1.2) or a public DNS server like Cloudflare’s 1.1.1.1.

The instructions also give the following troubleshooting advice:

You may also need to run the command below if you find DNS lookups fail for some university resources:

Terminal window
sudo ln -sfv /run/systemd/resolve/resolv.conf /etc/resolv.conf

Though, we’re not sure this is a great idea, nor are we sure this will work on any distro.

What to expect

Now that you’ve followed the university’s instructions, you should be able to connect using the NetworkManager GUI. It should ask you for a username and password (if you haven’t already supplied the username in the configuration); enter your university credentials (the username without the @bath.ac.uk), and you should get a Microsoft authenticator request via the app.

To confirm you are connected to the university VPN correctly, check you can visit any internal site. For example, go to https://2024-25.moodle-archive.bath.ac.uk/. If the page loads, you’re connected! If not, you’ll need to do some troubleshooting.

Troubleshooting

First, wipe the slate clean (delete the connection), update your system, and reboot. Once you’ve done that, try again. This should narrow the chances of your system being in some weird state. If it works, great! If not, it’s time to get troubleshooting.

Some of the following sections will require the use of the command line. If you’re unfamiliar, there are plenty of good guides out there and unfortunately teaching the command line is out of scope for this document. We assume basic command line competence from here on out.

I can’t add the connection whatsoever

First of all, check whether NetworkManager has the connection saved; you can list connections with:

Terminal window
nmcli connection

Or, nmcli has short-hand commands:

Terminal window
nmcli c

This should list all your connections; look for one with the name you gave it (which would be University of Bath VPN if you followed the instructions in the first section). If it does exist, try connecting with:

Terminal window
nmcli c up "University of Bath VPN" --ask

You’ll be asked for your password and you should get a Microsoft authenticator request. If you get a successful connection as per this section, great! If not and you didn’t get a Microsoft authenticator request, carry on reading this section. If you didn’t get a successful connection but did get a Microsoft authenticator request, check the next section.

First, let’s clean the slate. Check your connections with:

Terminal window
nmcli c

Then delete the VPN connections by their UUID (UUIDs look something like 7abdc95a-4b2a-42bb-9a4a-38104d288737, yours will be different):

Terminal window
nmcli c delete <uuid of the VPN connection>

Now, we’d suggest adding the connection via nmcli, the command line for NetworkManager. To do this, you can use the following command. Note that you’ll have to replace the placeholder text with your Bath username:

Terminal window
nmcli connection add \
  con-name "University of Bath VPN" \
  type vpn \
  vpn-type org.freedesktop.NetworkManager.strongswan \
  ifname "*" \
  ipv4.dns "138.38.1.1,138.38.1.2" \
  ipv4.ignore-auto-dns yes \
  vpn.data "address=vpn.bath.ac.uk, method=eap, user=<your bath username without the @bath.ac.uk>, encap=yes, virtual=yes"

This sets up a strongSwan VPN connection using the university’s DNS servers and the vpn.bath.ac.uk VPN server. It should also use your username, set UDP encapsulation enforcement, and should request an inner IP.

You can now attempt to connect again, following the same steps as before. If you get a connection, great! If not, look for the section that best describes your issue.

I’m not getting a Microsoft authenticator request

Before you start this section, make sure to follow the instructions in the previous subsection so you’re in a known state.

When you connect with nmcli c up "University of Bath VPN" --ask, if you get an error such as:

Error: Connection activation failed: No valid secrets

You might need a certificate, or you may have entered your password incorrectly. To check the latter, delete the VPN connection and try again.

If you’re still not getting a Microsoft authenticator request, you might need a certificate. The university uses Sectigo certificates for the strongSwan VPN. These should be bundled in your distro’s trust store, but either charon-nm or NetworkManager might not be checking for them properly, and so your connection might be failing. Unfortunately, there is no easy way with a VPN connection to get around this.

The following instructions are a bit messy, but are mostly distro-agnostic and should resolve the issue if it is a certificate problem.

There are some extra steps you can do first to confirm it is a certificate issue, though different distros package software differently and so this isn’t guaranteed to give results:

Terminal window
# look for anything that suggests a certificate is missing or untrusted
journalctl -u NetworkManager | grep charon
# if the above doesn't show anything, try just looking through NetworkManager's logs
journalctl -u NetworkManager
# if that doesn't immediately show anything, you can try the following
journalctl | grep Sectigo

Anything that does come up may be useful to DDaT for troubleshooting if our troubleshooting steps don’t resolve the issue.
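As an added example (not part of the university’s instructions), the small script below wraps the journalctl searches above into two filters: one that keeps every certificate-related line, and one that keeps only lines indicating a trust failure. The keyword lists are an assumption based on common charon wording, and the sample log lines are constructed for illustration, not captured from a real machine.

```shell
#!/bin/sh
# Added example: triage NetworkManager/charon logs for certificate trust problems.
# Keyword lists are an assumption; extend them if your distro's charon wording differs.

# Anything that mentions certificates, trust or Sectigo at all (useful context for a ticket)
CERT_ANY='cert|trust|sectigo'
# Lines that indicate the server certificate chain could not be validated
CERT_FAIL='no issuer certificate|no trusted|untrusted|validation failed|constraint check failed'

# Filter stdin to certificate-related lines
cert_lines() {
  grep -Ei "$CERT_ANY"
}

# Filter stdin to lines that look like an actual trust failure
cert_failures() {
  grep -Ei "$CERT_FAIL"
}

# Count trust-failure lines on stdin (prints 0 rather than failing when none match)
count_cert_failures() {
  grep -Eic "$CERT_FAIL" || true
}

# Constructed sample log (not real output); shows a chain that fails to validate
sample_log() {
cat <<'EOF'
Jan 01 12:00:00 laptop NetworkManager[1234]: <info>  [1700000000.1000] vpn[0x55d0c1a2b3c4,"University of Bath VPN"]: starting strongswan
Jan 01 12:00:01 laptop charon-nm[2345]: 06[IKE] received cert request for "C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root R46"
Jan 01 12:00:01 laptop charon-nm[2345]: 06[CFG] using trusted ca certificate "C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication Root R46"
Jan 01 12:00:01 laptop charon-nm[2345]: 06[CFG] no issuer certificate found for "CN=vpn.bath.ac.uk"
Jan 01 12:00:01 laptop charon-nm[2345]: 06[IKE] no trusted RSA public key found for 'vpn.bath.ac.uk'
Jan 01 12:00:02 laptop NetworkManager[1234]: <warn>  [1700000002.2000] vpn[0x55d0c1a2b3c4,"University of Bath VPN"]: failed to connect: 'Certificate validation failed'
EOF
}

# Run against the real journal for the current boot (not invoked here):
#   triage_journal
triage_journal() {
  echo "== certificate-related lines =="
  journalctl -u NetworkManager -b | cert_lines
  echo "== likely trust failures =="
  journalctl -u NetworkManager -b | cert_failures
}
```

On the constructed sample, cert_lines keeps five lines (the two Sectigo lines are benign context) while cert_failures keeps the three that explain why the handshake was rejected; those three are the lines worth quoting in a ticket.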

Firstly, you’ll have to download the Sectigo Public Server Authentication Root R46 certificate. This can be found here: https://crt.sh/?d=4256644734. If you don’t trust us or the certificate has changed, find the correct certificate on this page: https://www.sectigo.com/knowledge-base/detail/Sectigo-Public-Intermediates-and-Roots.

Once you’ve got the certificate, move it somewhere you won’t accidentally delete it. We recommend something like ~/.uni-vpn/sectigo-root.crt.

Now, delete your VPN connection (again, just to make sure you’re in a known state) and add the following connection. You will need to replace your username AND the path to the Sectigo root certificate:

Terminal window
nmcli connection add \
  con-name "University of Bath VPN" \
  type vpn \
  vpn-type org.freedesktop.NetworkManager.strongswan \
  ifname "*" \
  ipv4.dns "138.38.1.1,138.38.1.2" \
  ipv4.ignore-auto-dns yes \
  vpn.data "address=vpn.bath.ac.uk, method=eap, user=<your bath username without the @bath.ac.uk>, encap=yes, virtual=yes, certificate=/full/path/to/sectigo-root.crt"

If you used our suggested location, you can replace the certificate path with $HOME/.uni-vpn/sectigo-root.crt.
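The delete-then-add sequence from the previous section and this one, as an added example script (not the university’s own tooling). It strips a stray @bath.ac.uk from the username, builds the same vpn.data string as the nmcli commands above (with certificate= only when a path is given), checks that a downloaded certificate is actually a self-signed root before trusting it, and deletes any existing connection of the same name by UUID before re-adding it. The function names and the ~/.uni-vpn location are this script’s assumptions; nmcli -g and openssl x509 are standard options of those tools.

```shell
#!/bin/sh
# Added example: rebuild the strongSwan connection from a known state.
# Function names and paths are this script's assumptions, not from the page.

CON_NAME="University of Bath VPN"
VPN_SERVER="vpn.bath.ac.uk"
UNI_DNS="138.38.1.1,138.38.1.2"

# The EAP identity must be the bare username: drop a trailing @bath.ac.uk if present
strip_bath_domain() {
  printf '%s\n' "${1%@bath.ac.uk}"
}

# Build the vpn.data value; an optional second argument appends certificate=<path>
vpn_data() {
  user=$(strip_bath_domain "$1")
  data="address=$VPN_SERVER, method=eap, user=$user, encap=yes, virtual=yes"
  if [ -n "${2:-}" ]; then
    data="$data, certificate=$2"
  fi
  printf '%s\n' "$data"
}

# Sanity-check a downloaded root certificate: it must parse as X.509 and be
# self-signed (subject equals issuer), which is what a root CA looks like.
check_root_cert() {
  cert="$1"
  [ -r "$cert" ] || { echo "certificate $cert is not readable" >&2; return 1; }
  subj=$(openssl x509 -in "$cert" -noout -subject) || return 1
  iss=$(openssl x509 -in "$cert" -noout -issuer) || return 1
  if [ "${subj#subject=}" != "${iss#issuer=}" ]; then
    echo "$cert is not self-signed; is it really the root certificate?" >&2
    return 1
  fi
  echo "root certificate: ${subj#subject=}"
}

# Delete every saved connection with our name, by UUID (names are not unique)
delete_existing() {
  nmcli -g NAME,UUID connection show | while IFS=: read -r name uuid; do
    [ "$name" = "$CON_NAME" ] && nmcli connection delete "$uuid"
  done
}

# Usage (not run here): reset_uni_vpn <username> [path/to/sectigo-root.crt]
reset_uni_vpn() {
  user="$1"
  cert="${2:-}"
  if [ -n "$cert" ]; then
    cert=$(readlink -f "$cert")        # nmcli needs the full path
    check_root_cert "$cert" || return 1
  fi
  delete_existing
  nmcli connection add \
    con-name "$CON_NAME" \
    type vpn \
    vpn-type org.freedesktop.NetworkManager.strongswan \
    ifname "*" \
    ipv4.dns "$UNI_DNS" \
    ipv4.ignore-auto-dns yes \
    vpn.data "$(vpn_data "$user" "$cert")"
}
```

Running reset_uni_vpn abc123 ~/.uni-vpn/sectigo-root.crt produces exactly the second nmcli command above with the placeholders filled in; leaving the certificate argument off produces the first. The check_root_cert step is there because the page asks you to fetch the root from a third-party site: a certificate that is not self-signed is an intermediate or a leaf, not the root you were told to install.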

Attempt to connect as before. If you get a Microsoft authenticator request but don’t get a connection afterwards, go to the next section. If you don’t get a Microsoft authenticator request, file a ticket.

I get a Microsoft authenticator request, but no connection

Firstly, try to connect again, accept the Microsoft authenticator request, and then wait ~40-50 seconds without retrying. If you get a secondary Microsoft authenticator request, this may be due to a routing misconfiguration.

First, check for a rule numbered 210 or 220 with the following command:

Terminal window
ip rule

If you don’t see a line similar to:

210: not from all fwmark 0xd2 lookup 210

You may have a configuration or routing issue. Double check you’ve installed all the correct packages for your distro.

To test if routing is your issue, you can add the following route:

Terminal window
ip route add 138.38.3.176/28 via <default gateway> table 210

Replace <default gateway> with the IP shown after “default via” when you run ip r. Then, try connecting again. If that doesn’t work, file a ticket. If that works, disconnect and delete the route by replacing add with del in the above command. You can configure NetworkManager to create the route for you when you connect to the VPN; this way it won’t be forever lingering on your system.
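The routing check above, as an added example (not from the page): one function looks for the 210/220 policy-routing rule in ip rule output, another pulls the gateway out of ip route output, and a third assembles the page’s test-route command for that gateway without running it. The sample ip rule and ip route outputs are constructed (192.0.2.0/24 is a documentation range), so the parsing can be exercised without a live VPN.

```shell
#!/bin/sh
# Added example: parse `ip rule` / `ip route` output for the strongSwan routing checks.
# Function names are this script's assumptions.

# True if the rule listing on stdin contains a rule numbered 210 or 220 that
# looks up table 210 or 220 (the charon-nm / strongSwan policy-routing rule)
has_vpn_rule() {
  grep -Eq '^(210|220):.*lookup (210|220)'
}

# Print the gateway address from `ip route` output on stdin (the "default via X" line)
default_gateway() {
  awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Build the page's test-route command for a given action (add or del) and gateway
vpn_route_cmd() {
  printf 'ip route %s 138.38.3.176/28 via %s table 210\n' "$1" "$2"
}

# Constructed sample of `ip rule` on a machine where the strongSwan rule is present
sample_ip_rule() {
cat <<'EOF'
0: from all lookup local
210: not from all fwmark 0xd2 lookup 210
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
EOF
}

# Constructed sample of `ip route` (documentation addresses, not a real network)
sample_ip_route() {
cat <<'EOF'
default via 192.0.2.1 dev wlan0 proto dhcp metric 600
192.0.2.0/24 dev wlan0 proto kernel scope link src 192.0.2.42 metric 600
EOF
}

# Check the live system and print the command to try next (not invoked here)
live_check() {
  if ip rule | has_vpn_rule; then
    echo "strongSwan routing rule (210/220) is present"
  else
    echo "no 210/220 rule: double-check the strongSwan packages for your distro"
  fi
  gw=$(ip route | default_gateway)
  echo "to test routing, run as root: $(vpn_route_cmd add "$gw")"
  echo "afterwards remove it with:    $(vpn_route_cmd del "$gw")"
}
```

On the constructed samples, has_vpn_rule succeeds and default_gateway returns 192.0.2.1, so live_check would print ip route add 138.38.3.176/28 via 192.0.2.1 table 210; on a listing without the 210/220 rule it reports the missing rule instead of suggesting the route.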

To do so, you can run the following:

Terminal window
nmcli c modify "University of Bath VPN" ipv4.route-table 210

You may need to restart the NetworkManager daemon; this will temporarily disconnect you. On a systemd based system, this can be done with:

Terminal window
systemctl restart NetworkManager.service

Now, you should be able to connect to the VPN without issues. If not, file a ticket.

File a ticket

If the troubleshooting steps given here don’t work, you should file a ticket with DDaT at: https://topdesk.bath.ac.uk/ (DDaT Support: IT & Audio Visual > Report an Issue > Report a Network Issue).