<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_quote"><div dir="ltr"><div dir="ltr"><div style="font-family:tahoma,sans-serif">Dear <span class="gmail_default" style="font-family:tahoma,sans-serif">Users</span>,</div><div style="font-family:tahoma,sans-serif"><br><a href="https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2" target="_blank">https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2</a><br></div><div style="font-family:tahoma,sans-serif"><span class="gmail_default" style="font-family:tahoma,sans-serif">I am trying to set up a VPN server on an Ubuntu 18.04 Cloud VPS. </span>Above is the tutorial I was following. All goes well and I can see the VPN server up and running. The problem comes in when I try to connect from a Windows machine. And below is the error log. </div><div style="font-family:tahoma,sans-serif">The IP 102.1*9.2*9.** is the Ubuntu VPN server. 
The 154.153.1*4.*** is the Windows client trying to access.</div><div style="font-family:tahoma,sans-serif"><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif">This is my config setting:</div><div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div><div class="gmail_default"><font face="tahoma, sans-serif">config setup</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> charondebug="ike 1, knl 1, cfg 0"</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> uniqueids=no</font></div><div class="gmail_default"><font face="tahoma, sans-serif"><br></font></div><div class="gmail_default"><font face="tahoma, sans-serif">conn ikev2-vpn</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> auto=add</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> compress=no</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> type=tunnel</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> keyexchange=ikev2</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> fragmentation=yes</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> forceencaps=yes</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> dpdaction=clear</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> dpddelay=300s</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rekey=no</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> left=%any</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> leftid=102.1*9.2*9.**</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> leftcert=server-cert.pem</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> leftsendcert=always</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></font></div><div 
class="gmail_default"><font face="tahoma, sans-serif"> right=%any</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rightid=%any</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rightauth=eap-mschapv2</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rightsourceip=<a href="http://10.10.10.0/24">10.10.10.0/24</a></font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rightdns=8.8.8.8,8.8.4.4</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> rightsendcert=never</font></div><div class="gmail_default"><font face="tahoma, sans-serif"> eap_identity=%identity</font><span style="font-family:tahoma,sans-serif"></span></div><br></div><div><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif">Error log: </div></div><div style="font-family:tahoma,sans-serif"><br></div><div style="font-family:tahoma,sans-serif"><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 ipsec[877]: Starting strongSwan 5.6.2 IPsec [starter]...</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 polkitd[938]: started daemon version 0.105 using authority implementation `local' version `0.105'</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 dbus-daemon[841]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started Authorization Manager.</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 kernel: [ 16.055775] NET: Registered protocol family 15</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 accounts-daemon[866]: started daemon version 0.6.45</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started Accounts Service.</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started OpenBSD Secure Shell server.</div><div>Feb 12 23:27:01 
VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 snapd[886]: daemon.go:379: started snapd/<a href="http://2.37.1.1" target="_blank">2.37.1.1</a>+18.04 (series 16; classic) ubuntu/18.04 (amd64) linux/4.15.0-39-generic.</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Got response from server at 102.1*9.2*9.**</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started LXD - container startup/shutdown.</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Timezone UTC already set</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud-set-all[867]: status</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud-set-all[867]: Executing password change</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 kernel: [ 16.119591] Initializing XFRM netlink socket</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-39-generic, x86_64)</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started Snappy daemon.</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Starting Wait until snapd is fully seeded...</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 00[JOB] spawning 16 worker threads</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 networkd-dispatcher[862]: No valid path found for 
iwconfig</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 networkd-dispatcher[862]: No valid path found for iw</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 ipsec[877]: charon (967) started after 100 ms</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started Wait until snapd is fully seeded.</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Starting Apply the settings specified in cloud-config...</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started Dispatcher daemon for systemd-networkd.</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Reached target Multi-User System.</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Reached target Graphical Interface.</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Starting Update UTMP about System Runlevel Changes...</div><div>Feb 12 23:27:01 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started Update UTMP about System Runlevel Changes.</div><div>Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud-init[997]: Cloud-init v. 18.4-0ubuntu1~18.04.1 running 'modules:config' at Tue, 12 Feb 2019 23:27:02 +0000. Up 16.66 seconds.</div><div>Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started Apply the settings specified in cloud-config.</div><div>Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Starting Execute cloud user/final scripts...</div><div>Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud-init[1024]: Cloud-init v. 18.4-0ubuntu1~18.04.1 running 'modules:final' at Tue, 12 Feb 2019 23:27:02 +0000. Up 17.18 seconds.</div><div>Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud-init[1024]: Cloud-init v. 18.4-0ubuntu1~18.04.1 finished at Tue, 12 Feb 2019 23:27:02 +0000. Datasource DataSourceCloudStack. 
Up 17.27 seconds</div><div>Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started Execute cloud user/final scripts.</div><div>Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Reached target Cloud-init target.</div><div>Feb 12 23:27:02 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Startup finished in 11.745s (kernel) + 5.584s (userspace) = 17.329s.</div><div>Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Found password server IP 102.1*9.2*9.** in /run/systemd/netif/leases/2</div><div>Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Sending request to password server at 102.1*9.2*9.**</div><div>Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Got response from server at 102.1*9.2*9.**</div><div>Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: VM has already saved a password from the password server at 102.1*9.2*9.**</div><div>Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Did not need to change password.</div><div>Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Sending request to ssh key server at 102.1*9.2*9.**</div><div>Feb 12 23:27:03 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 cloud: Got response from server at 102.1*9.2*9.**</div><div>Feb 12 23:27:06 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 snapd[886]: daemon.go:611: gracefully waiting for running hooks</div><div>Feb 12 23:27:06 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 snapd[886]: daemon.go:613: done waiting for running hooks</div><div>Feb 12 23:27:06 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 snapd[886]: daemon stop requested to wait for socket activation</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Created slice User Slice of root.</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Starting User Manager for UID 0...</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started Session 1 of user 
root.</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Listening on GnuPG cryptographic agent (ssh-agent emulation).</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Listening on GnuPG network certificate management daemon.</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Listening on GnuPG cryptographic agent and passphrase cache.</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Reached target Timers.</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Reached target Paths.</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Listening on GnuPG cryptographic agent and passphrase cache (access for web browsers).</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Reached target Sockets.</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Reached target Basic System.</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1]: Started User Manager for UID 0.</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Reached target Default.</div><div>Feb 12 23:29:39 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 systemd[1145]: Startup finished in 51ms.</div><div>Feb 12 23:29:53 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 kernel: [ 188.126423] [UFW BLOCK] IN=ens3 OUT= MAC=06:65:26:00:00:ac:00:1d:b5:c0:a7:c0:08:00 SRC=185.176.27.74 DST=102.129.249.173 LEN=40 TOS=0x08 PREC=0x20 TTL=237 ID=40752 PROTO=TCP SPT=42090 DPT=41605 WINDOW=1024 RES=0x00 SYN URGP=0</div><div>Feb 12 23:30:36 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 kernel: [ 231.244647] [UFW BLOCK] IN=ens3 OUT= MAC=06:65:26:00:00:ac:00:1d:b5:c0:a7:c0:08:00 SRC=60.15.34.250 DST=102.129.249.173 
LEN=40 TOS=0x08 PREC=0x20 TTL=243 ID=45268 PROTO=TCP SPT=17626 DPT=9901 WINDOW=1024 RES=0x00 SYN URGP=0</div><div>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[NET] received packet: from 154.153.1*4.***[500] to 102.129.249.173[500] (632 bytes)</div><div>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]</div><div>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID</div><div>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] received MS-Negotiation Discovery Capable vendor ID</div><div>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] received Vid-Initial-Contact vendor ID</div><div>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02</div><div>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] 154.153.1*4.*** is initiating an IKE_SA</div><div><b><span class="gmail_default" style="font-family:tahoma,sans-serif"><i></i></span><i>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] remote host is behind NAT</i></b></div><div><b><i>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[IKE] received proposals inacceptable</i></b></div><div><b><i>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]</i></b></div><div>Feb 12 23:30:43 VM-e9f8789c-0edf-48a5-9317-59e88b6c4d84 charon: 06[NET] sending packet: from 102.129.249.173[500] to 154.153.1*4.***[500] (36 bytes)</div><div><br></div><div><br></div><div><div class="gmail_default" style="font-family:tahoma,sans-serif">Please assist.. 
</div><div class="gmail_default" style="font-family:tahoma,sans-serif"><br></div><div class="gmail_default" style="font-family:tahoma,sans-serif">Thanks,</div><div class="gmail_default" style="font-family:tahoma,sans-serif">Moses Kariuki</div><br></div><div><br></div></div></div></div>
</div></div></div>
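A triage helper for the log above, added here as an example (it is not part of the original message or of strongSwan): it separates the charon lines from the surrounding syslog output and reports each IKE_SA_INIT request that was answered with N(NO_PROP). The sample lines are constructed with placeholder addresses; correlating lines by charon's worker-thread prefix (`06`) and expecting proposal lists under a `[CFG]` tag are assumptions.

```python
import re

# Constructed sample modelled on the charon lines in the message above;
# host name and addresses are placeholders, not values from the page.
SAMPLE_LOG = """\
Feb 12 23:30:36 vpn kernel: [231.2] [UFW BLOCK] IN=ens3 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP DPT=9901
Feb 12 23:30:43 vpn charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Feb 12 23:30:43 vpn charon: 06[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Feb 12 23:30:43 vpn charon: 06[IKE] 198.51.100.7 is initiating an IKE_SA
Feb 12 23:30:43 vpn charon: 06[IKE] remote host is behind NAT
Feb 12 23:30:43 vpn charon: 06[IKE] received proposals inacceptable
Feb 12 23:30:43 vpn charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
"""

CHARON = re.compile(r"charon: (\d+)\[([A-Z]+)\] (.*)$")
VENDOR = re.compile(r"^received (.+) vendor ID$")
PEER = re.compile(r"^(\S+) is initiating an IKE_SA$")

def rejected_ike_init(log_text):
    """Return one record per IKE_SA_INIT request answered with N(NO_PROP)."""
    pending = {}  # worker thread id -> request currently being processed
    rejected = []
    for line in log_text.splitlines():
        m = CHARON.search(line)
        if not m:
            continue  # boot, UFW and other non-charon syslog lines
        thread, group, msg = m.groups()
        if group == "ENC" and msg.startswith("parsed IKE_SA_INIT request"):
            pending[thread] = {"peer": None, "nat": False,
                               "vendor_ids": [], "proposal_lines": []}
            continue
        req = pending.get(thread)
        if req is None:
            continue
        if group == "IKE" and VENDOR.match(msg):
            req["vendor_ids"].append(VENDOR.match(msg).group(1))
        elif group == "IKE" and PEER.match(msg):
            req["peer"] = PEER.match(msg).group(1)
        elif msg == "remote host is behind NAT":
            req["nat"] = True
        elif group == "CFG" and "proposals:" in msg:
            # Assumption: proposal lists, when logged, carry the [CFG] tag.
            req["proposal_lines"].append(msg)
        elif group == "ENC" and msg.startswith("generating IKE_SA_INIT response"):
            del pending[thread]
            if "N(NO_PROP)" in msg:
                rejected.append(req)
    return rejected
```

An empty `proposal_lines` list means the log carries no record of which proposals were compared, so the rejection cannot be diagnosed from the log alone.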