IKEv2 VPN Server connects but no internet
I want to setup a VPS Server on my VPS.
I followed the following guide:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
Every thing seems to work, i test it on my Android Phone and i can connect to the server using StrongSwan, all is green.
But when i try to access the internet i have no connection.
My config file:
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@vps-8536.rickschmitz.network
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity
The error log does not seem to give any error's: (or maybe i just cant read it :P)
Mar 16 00:05:49 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+
Mar 16 00:05:49 00[DMN] Starting IKE service (strongSwan 5.7.2, Android 9 - PPR1.180610.011.G955FXXU4DSBA/2019-02-01, SM-G955F - samsung/dream2ltexx/samsung, Linux 4.4.111-15411975, aarch64)
Mar 16 00:05:49 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Mar 16 00:05:49 00[JOB] spawning 16 worker threads
Mar 16 00:05:49 07[IKE] initiating IKE_SA android[3] to 5.157.82.219
Mar 16 00:05:49 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 16 00:05:49 07[NET] sending packet: from 192.168.1.141[37041] to 5.157.82.219[500] (716 bytes)
Mar 16 00:05:49 09[NET] received packet: from 5.157.82.219[500] to 192.168.1.141[37041] (270 bytes)
Mar 16 00:05:49 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 16 00:05:49 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Mar 16 00:05:49 09[IKE] local host is behind NAT, sending keep alives
Mar 16 00:05:49 09[IKE] remote host is behind NAT
Mar 16 00:05:49 09[IKE] sending cert request for "CN=VPN root CA"
Mar 16 00:05:49 09[IKE] establishing CHILD_SA android{3}
Mar 16 00:05:49 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 16 00:05:49 09[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (464 bytes)
Mar 16 00:05:49 08[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (1236 bytes)
Mar 16 00:05:49 08[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Mar 16 00:05:49 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Mar 16 00:05:49 06[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (852 bytes)
Mar 16 00:05:49 06[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Mar 16 00:05:49 06[ENC] received fragment #2 of 2, reassembled fragmented IKE message (2016 bytes)
Mar 16 00:05:49 06[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Mar 16 00:05:49 06[IKE] received end entity cert "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] using certificate "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] using trusted ca certificate "CN=VPN root CA"
Mar 16 00:05:49 06[CFG] checking certificate status of "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] certificate status is not available
Mar 16 00:05:49 06[CFG] reached self-signed root ca with a path length of 0
Mar 16 00:05:49 06[IKE] authentication of 'vps-8536.rickschmitz.network' with RSA_EMSA_PKCS1_SHA2_384 successful
Mar 16 00:05:49 06[IKE] server requested EAP_MSCHAPV2 authentication (id 0xF3)
Mar 16 00:05:49 06[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Mar 16 00:05:49 06[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (144 bytes)
Mar 16 00:05:49 13[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (144 bytes)
Mar 16 00:05:49 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 16 00:05:49 13[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Mar 16 00:05:49 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 16 00:05:49 13[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (80 bytes)
Mar 16 00:05:49 12[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (80 bytes)
Mar 16 00:05:49 12[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Mar 16 00:05:49 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 16 00:05:49 12[IKE] authentication of 'rick' (myself) with EAP
Mar 16 00:05:49 12[ENC] generating IKE_AUTH request 4 [ AUTH ]
Mar 16 00:05:49 12[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (96 bytes)
Mar 16 00:05:49 15[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (240 bytes)
Mar 16 00:05:49 15[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Mar 16 00:05:49 15[IKE] authentication of 'vps-8536.rickschmitz.network' with EAP successful
Mar 16 00:05:49 15[IKE] IKE_SA android[3] established between 192.168.1.141[rick]...5.157.82.219[vps-8536.rickschmitz.network]
Mar 16 00:05:49 15[IKE] scheduling rekeying in 35858s
Mar 16 00:05:49 15[IKE] maximum IKE_SA lifetime 36458s
Mar 16 00:05:49 15[IKE] installing DNS server 8.8.8.8
Mar 16 00:05:49 15[IKE] installing new virtual IP 10.10.10.1
Mar 16 00:05:49 15[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 16 00:05:49 15[IKE] CHILD_SA android{3} established with SPIs cc78ba06_i cf3b09e4_o and TS 10.10.10.1/32 === 0.0.0.0/0
Mar 16 00:05:49 15[DMN] setting up TUN device for CHILD_SA android{3}
Mar 16 00:05:50 15[DMN] successfully created TUN device
Mar 16 00:05:50 15[IKE] peer supports MOBIKE
Can anyone see whats wrong?
EDIT: a prevouse time i got one error message after the last line:
peer supports MOBIKE
[NET] error writing to socket: Network is unreachable
''
But thats gone now..
server 18.04 vpn
add a comment |
I want to setup a VPS Server on my VPS.
I followed the following guide:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
Every thing seems to work, i test it on my Android Phone and i can connect to the server using StrongSwan, all is green.
But when i try to access the internet i have no connection.
My config file:
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@vps-8536.rickschmitz.network
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity
The error log does not seem to give any error's: (or maybe i just cant read it :P)
Mar 16 00:05:49 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+
Mar 16 00:05:49 00[DMN] Starting IKE service (strongSwan 5.7.2, Android 9 - PPR1.180610.011.G955FXXU4DSBA/2019-02-01, SM-G955F - samsung/dream2ltexx/samsung, Linux 4.4.111-15411975, aarch64)
Mar 16 00:05:49 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Mar 16 00:05:49 00[JOB] spawning 16 worker threads
Mar 16 00:05:49 07[IKE] initiating IKE_SA android[3] to 5.157.82.219
Mar 16 00:05:49 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 16 00:05:49 07[NET] sending packet: from 192.168.1.141[37041] to 5.157.82.219[500] (716 bytes)
Mar 16 00:05:49 09[NET] received packet: from 5.157.82.219[500] to 192.168.1.141[37041] (270 bytes)
Mar 16 00:05:49 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 16 00:05:49 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Mar 16 00:05:49 09[IKE] local host is behind NAT, sending keep alives
Mar 16 00:05:49 09[IKE] remote host is behind NAT
Mar 16 00:05:49 09[IKE] sending cert request for "CN=VPN root CA"
Mar 16 00:05:49 09[IKE] establishing CHILD_SA android{3}
Mar 16 00:05:49 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 16 00:05:49 09[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (464 bytes)
Mar 16 00:05:49 08[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (1236 bytes)
Mar 16 00:05:49 08[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Mar 16 00:05:49 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Mar 16 00:05:49 06[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (852 bytes)
Mar 16 00:05:49 06[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Mar 16 00:05:49 06[ENC] received fragment #2 of 2, reassembled fragmented IKE message (2016 bytes)
Mar 16 00:05:49 06[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Mar 16 00:05:49 06[IKE] received end entity cert "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] using certificate "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] using trusted ca certificate "CN=VPN root CA"
Mar 16 00:05:49 06[CFG] checking certificate status of "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] certificate status is not available
Mar 16 00:05:49 06[CFG] reached self-signed root ca with a path length of 0
Mar 16 00:05:49 06[IKE] authentication of 'vps-8536.rickschmitz.network' with RSA_EMSA_PKCS1_SHA2_384 successful
Mar 16 00:05:49 06[IKE] server requested EAP_MSCHAPV2 authentication (id 0xF3)
Mar 16 00:05:49 06[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Mar 16 00:05:49 06[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (144 bytes)
Mar 16 00:05:49 13[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (144 bytes)
Mar 16 00:05:49 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 16 00:05:49 13[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Mar 16 00:05:49 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 16 00:05:49 13[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (80 bytes)
Mar 16 00:05:49 12[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (80 bytes)
Mar 16 00:05:49 12[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Mar 16 00:05:49 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 16 00:05:49 12[IKE] authentication of 'rick' (myself) with EAP
Mar 16 00:05:49 12[ENC] generating IKE_AUTH request 4 [ AUTH ]
Mar 16 00:05:49 12[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (96 bytes)
Mar 16 00:05:49 15[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (240 bytes)
Mar 16 00:05:49 15[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Mar 16 00:05:49 15[IKE] authentication of 'vps-8536.rickschmitz.network' with EAP successful
Mar 16 00:05:49 15[IKE] IKE_SA android[3] established between 192.168.1.141[rick]...5.157.82.219[vps-8536.rickschmitz.network]
Mar 16 00:05:49 15[IKE] scheduling rekeying in 35858s
Mar 16 00:05:49 15[IKE] maximum IKE_SA lifetime 36458s
Mar 16 00:05:49 15[IKE] installing DNS server 8.8.8.8
Mar 16 00:05:49 15[IKE] installing new virtual IP 10.10.10.1
Mar 16 00:05:49 15[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 16 00:05:49 15[IKE] CHILD_SA android{3} established with SPIs cc78ba06_i cf3b09e4_o and TS 10.10.10.1/32 === 0.0.0.0/0
Mar 16 00:05:49 15[DMN] setting up TUN device for CHILD_SA android{3}
Mar 16 00:05:50 15[DMN] successfully created TUN device
Mar 16 00:05:50 15[IKE] peer supports MOBIKE
Can anyone see whats wrong?
EDIT: a prevouse time i got one error message after the last line:
peer supports MOBIKE
[NET] error writing to socket: Network is unreachable
''
But thats gone now..
server 18.04 vpn
It's probably a problem with forwarding the traffic on the server. See this page on the strongSwan wiki.
– ecdsa
Mar 17 at 19:31
add a comment |
I want to setup a VPS Server on my VPS.
I followed the following guide:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
Every thing seems to work, i test it on my Android Phone and i can connect to the server using StrongSwan, all is green.
But when i try to access the internet i have no connection.
My config file:
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@vps-8536.rickschmitz.network
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity
The error log does not seem to give any error's: (or maybe i just cant read it :P)
Mar 16 00:05:49 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+
Mar 16 00:05:49 00[DMN] Starting IKE service (strongSwan 5.7.2, Android 9 - PPR1.180610.011.G955FXXU4DSBA/2019-02-01, SM-G955F - samsung/dream2ltexx/samsung, Linux 4.4.111-15411975, aarch64)
Mar 16 00:05:49 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Mar 16 00:05:49 00[JOB] spawning 16 worker threads
Mar 16 00:05:49 07[IKE] initiating IKE_SA android[3] to 5.157.82.219
Mar 16 00:05:49 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 16 00:05:49 07[NET] sending packet: from 192.168.1.141[37041] to 5.157.82.219[500] (716 bytes)
Mar 16 00:05:49 09[NET] received packet: from 5.157.82.219[500] to 192.168.1.141[37041] (270 bytes)
Mar 16 00:05:49 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 16 00:05:49 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Mar 16 00:05:49 09[IKE] local host is behind NAT, sending keep alives
Mar 16 00:05:49 09[IKE] remote host is behind NAT
Mar 16 00:05:49 09[IKE] sending cert request for "CN=VPN root CA"
Mar 16 00:05:49 09[IKE] establishing CHILD_SA android{3}
Mar 16 00:05:49 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 16 00:05:49 09[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (464 bytes)
Mar 16 00:05:49 08[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (1236 bytes)
Mar 16 00:05:49 08[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Mar 16 00:05:49 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Mar 16 00:05:49 06[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (852 bytes)
Mar 16 00:05:49 06[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Mar 16 00:05:49 06[ENC] received fragment #2 of 2, reassembled fragmented IKE message (2016 bytes)
Mar 16 00:05:49 06[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Mar 16 00:05:49 06[IKE] received end entity cert "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] using certificate "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] using trusted ca certificate "CN=VPN root CA"
Mar 16 00:05:49 06[CFG] checking certificate status of "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] certificate status is not available
Mar 16 00:05:49 06[CFG] reached self-signed root ca with a path length of 0
Mar 16 00:05:49 06[IKE] authentication of 'vps-8536.rickschmitz.network' with RSA_EMSA_PKCS1_SHA2_384 successful
Mar 16 00:05:49 06[IKE] server requested EAP_MSCHAPV2 authentication (id 0xF3)
Mar 16 00:05:49 06[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Mar 16 00:05:49 06[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (144 bytes)
Mar 16 00:05:49 13[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (144 bytes)
Mar 16 00:05:49 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 16 00:05:49 13[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Mar 16 00:05:49 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 16 00:05:49 13[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (80 bytes)
Mar 16 00:05:49 12[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (80 bytes)
Mar 16 00:05:49 12[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Mar 16 00:05:49 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 16 00:05:49 12[IKE] authentication of 'rick' (myself) with EAP
Mar 16 00:05:49 12[ENC] generating IKE_AUTH request 4 [ AUTH ]
Mar 16 00:05:49 12[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (96 bytes)
Mar 16 00:05:49 15[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (240 bytes)
Mar 16 00:05:49 15[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Mar 16 00:05:49 15[IKE] authentication of 'vps-8536.rickschmitz.network' with EAP successful
Mar 16 00:05:49 15[IKE] IKE_SA android[3] established between 192.168.1.141[rick]...5.157.82.219[vps-8536.rickschmitz.network]
Mar 16 00:05:49 15[IKE] scheduling rekeying in 35858s
Mar 16 00:05:49 15[IKE] maximum IKE_SA lifetime 36458s
Mar 16 00:05:49 15[IKE] installing DNS server 8.8.8.8
Mar 16 00:05:49 15[IKE] installing new virtual IP 10.10.10.1
Mar 16 00:05:49 15[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 16 00:05:49 15[IKE] CHILD_SA android{3} established with SPIs cc78ba06_i cf3b09e4_o and TS 10.10.10.1/32 === 0.0.0.0/0
Mar 16 00:05:49 15[DMN] setting up TUN device for CHILD_SA android{3}
Mar 16 00:05:50 15[DMN] successfully created TUN device
Mar 16 00:05:50 15[IKE] peer supports MOBIKE
Can anyone see whats wrong?
EDIT: a prevouse time i got one error message after the last line:
peer supports MOBIKE
[NET] error writing to socket: Network is unreachable
''
But thats gone now..
server 18.04 vpn
I want to setup a VPS Server on my VPS.
I followed the following guide:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-16-04
Every thing seems to work, i test it on my Android Phone and i can connect to the server using StrongSwan, all is green.
But when i try to access the internet i have no connection.
My config file:
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@vps-8536.rickschmitz.network
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never
eap_identity=%identity
The error log does not seem to give any error's: (or maybe i just cant read it :P)
Mar 16 00:05:49 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+
Mar 16 00:05:49 00[DMN] Starting IKE service (strongSwan 5.7.2, Android 9 - PPR1.180610.011.G955FXXU4DSBA/2019-02-01, SM-G955F - samsung/dream2ltexx/samsung, Linux 4.4.111-15411975, aarch64)
Mar 16 00:05:49 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Mar 16 00:05:49 00[JOB] spawning 16 worker threads
Mar 16 00:05:49 07[IKE] initiating IKE_SA android[3] to 5.157.82.219
Mar 16 00:05:49 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 16 00:05:49 07[NET] sending packet: from 192.168.1.141[37041] to 5.157.82.219[500] (716 bytes)
Mar 16 00:05:49 09[NET] received packet: from 5.157.82.219[500] to 192.168.1.141[37041] (270 bytes)
Mar 16 00:05:49 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 16 00:05:49 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Mar 16 00:05:49 09[IKE] local host is behind NAT, sending keep alives
Mar 16 00:05:49 09[IKE] remote host is behind NAT
Mar 16 00:05:49 09[IKE] sending cert request for "CN=VPN root CA"
Mar 16 00:05:49 09[IKE] establishing CHILD_SA android{3}
Mar 16 00:05:49 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 16 00:05:49 09[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (464 bytes)
Mar 16 00:05:49 08[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (1236 bytes)
Mar 16 00:05:49 08[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Mar 16 00:05:49 08[ENC] received fragment #1 of 2, waiting for complete IKE message
Mar 16 00:05:49 06[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (852 bytes)
Mar 16 00:05:49 06[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Mar 16 00:05:49 06[ENC] received fragment #2 of 2, reassembled fragmented IKE message (2016 bytes)
Mar 16 00:05:49 06[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Mar 16 00:05:49 06[IKE] received end entity cert "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] using certificate "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] using trusted ca certificate "CN=VPN root CA"
Mar 16 00:05:49 06[CFG] checking certificate status of "CN=vps-8536.rickschmitz.network"
Mar 16 00:05:49 06[CFG] certificate status is not available
Mar 16 00:05:49 06[CFG] reached self-signed root ca with a path length of 0
Mar 16 00:05:49 06[IKE] authentication of 'vps-8536.rickschmitz.network' with RSA_EMSA_PKCS1_SHA2_384 successful
Mar 16 00:05:49 06[IKE] server requested EAP_MSCHAPV2 authentication (id 0xF3)
Mar 16 00:05:49 06[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Mar 16 00:05:49 06[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (144 bytes)
Mar 16 00:05:49 13[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (144 bytes)
Mar 16 00:05:49 13[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 16 00:05:49 13[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Mar 16 00:05:49 13[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 16 00:05:49 13[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (80 bytes)
Mar 16 00:05:49 12[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (80 bytes)
Mar 16 00:05:49 12[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Mar 16 00:05:49 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 16 00:05:49 12[IKE] authentication of 'rick' (myself) with EAP
Mar 16 00:05:49 12[ENC] generating IKE_AUTH request 4 [ AUTH ]
Mar 16 00:05:49 12[NET] sending packet: from 192.168.1.141[32818] to 5.157.82.219[4500] (96 bytes)
Mar 16 00:05:49 15[NET] received packet: from 5.157.82.219[4500] to 192.168.1.141[32818] (240 bytes)
Mar 16 00:05:49 15[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Mar 16 00:05:49 15[IKE] authentication of 'vps-8536.rickschmitz.network' with EAP successful
Mar 16 00:05:49 15[IKE] IKE_SA android[3] established between 192.168.1.141[rick]...5.157.82.219[vps-8536.rickschmitz.network]
Mar 16 00:05:49 15[IKE] scheduling rekeying in 35858s
Mar 16 00:05:49 15[IKE] maximum IKE_SA lifetime 36458s
Mar 16 00:05:49 15[IKE] installing DNS server 8.8.8.8
Mar 16 00:05:49 15[IKE] installing new virtual IP 10.10.10.1
Mar 16 00:05:49 15[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Mar 16 00:05:49 15[IKE] CHILD_SA android{3} established with SPIs cc78ba06_i cf3b09e4_o and TS 10.10.10.1/32 === 0.0.0.0/0
Mar 16 00:05:49 15[DMN] setting up TUN device for CHILD_SA android{3}
Mar 16 00:05:50 15[DMN] successfully created TUN device
Mar 16 00:05:50 15[IKE] peer supports MOBIKE
Can anyone see whats wrong?
EDIT: a prevouse time i got one error message after the last line:
peer supports MOBIKE
[NET] error writing to socket: Network is unreachable
''
But thats gone now..
server 18.04 vpn
server 18.04 vpn
edited Mar 16 at 12:01
Rick
asked Mar 16 at 11:42
RickRick
53
53
It's probably a problem with forwarding the traffic on the server. See this page on the strongSwan wiki.
– ecdsa
Mar 17 at 19:31
add a comment |
It's probably a problem with forwarding the traffic on the server. See this page on the strongSwan wiki.
– ecdsa
Mar 17 at 19:31
It's probably a problem with forwarding the traffic on the server. See this page on the strongSwan wiki.
– ecdsa
Mar 17 at 19:31
It's probably a problem with forwarding the traffic on the server. See this page on the strongSwan wiki.
– ecdsa
Mar 17 at 19:31
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1126144%2fikev2-vpn-server-connects-but-no-internet%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1126144%2fikev2-vpn-server-connects-but-no-internet%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
It's probably a problem with forwarding the traffic on the server. See this page on the strongSwan wiki.
– ecdsa
Mar 17 at 19:31