Followed this tutorial: Create an IKEv2 server

Ref documentation for that tutorial: Guide: How to Set Up and Use IKEv2 VPN
On Win 10, from powershell (Admin), I ran:

certutil -f -importpfx "C:\Users\Adrian\Downloads\vpnclient.p12" NoExport
powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'My IKEv2 VPN' -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"

Got this on Win10 using the built-in VPN connection:

The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which devices may be causing the problem.

I ran tail -f /var/log/auth.log and then attempted to connect. Nothing was written to the log. Maybe nothing gets written to the auth.log? Should I check another log?

cat /etc/ipsec.conf

version 2.0

config setup
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
  uniqueids=no

conn shared
  left=%defaultroute
  leftid=34.138.177.212
  right=%any
  encapsulation=yes
  authby=secret
  pfs=no
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  ikev2=never
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
  ikelifetime=24h
  salifetime=24h
  sha2-truncbug=no

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  rightprotoport=17/%any
  type=transport
  also=shared

conn xauth-psk
  auto=add
  leftsubnet=0.0.0.0/0
  rightaddresspool=192.168.43.10-192.168.43.250
  modecfgdns="8.8.8.8 8.8.4.4"
  leftxauthserver=yes
  rightxauthclient=yes
  leftmodecfgserver=yes
  rightmodecfgclient=yes
  modecfgpull=yes
  cisco-unity=yes
  also=shared

include /etc/ipsec.d/*.conf

Already reviewed:
How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 20.04 <-- very helpful
ikev2 vpn cant connect to own server via vpn connection win10
VPN IKev2 Connection
Windows client cannot connect to StrongSwan: "EAP-Identity request configured, but not supported"

Update 1:
I think it has something to do with IP addresses.

root@ikev2vpn:~# service ipsec status
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
     Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-04-23 16:01:48 UTC; 3h 17min ago
       Docs: man:ipsec(8)
             man:pluto(8)
             man:ipsec.conf(5)
    Process: 1244 ExecStartPre=/usr/local/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exit
    Process: 1245 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
    Process: 1490 ExecStartPre=/usr/local/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
    Process: 1491 ExecStartPre=/usr/local/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
   Main PID: 1502 (pluto)
     Status: "Startup completed."
      Tasks: 2 (limit: 666)
     Memory: 4.5M
        CPU: 359ms
     CGroup: /system.slice/ipsec.service
             └─1502 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Apr 23 16:01:48 ikev2vpn pluto[1502]: "ikev2-cp": added IKEv2 connection
Apr 23 16:01:48 ikev2vpn pluto[1502]: listening for IKE messages
Apr 23 16:01:48 ikev2vpn pluto[1502]: Kernel supports NIC esp-hw-offload
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface ens4 10.142.0.3:500
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface ens4 10.142.0.3:4500
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface lo 127.0.0.1:500
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface lo 127.0.0.1:4500

I don't know where those interface addresses are coming from. I would have expected the server's public address:500 or :4500 (so 34.138.177.212:500 or 34.138.177.212:4500).

Update 2: I created a new server to try from scratch with DigitalOcean's guide. It still failed to connect. I am now quite sure it has to do with this:

vusr@vpn2:~$ ip route show default
default via 10.142.0.1 dev ens4 proto dhcp src 10.142.0.4 metric 100

According to the documentation 10.142.0.1 is my server IP, which of course is not correct. 34.139.167.68 is the external IP of the new server. I used the external IP as leftid=34.139.167.68 and when building the VPN on Win10:

Add-VpnConnection -Name "VPN2" -ServerAddress "34.139.167.68" -TunnelType "IKEv2" -AuthenticationMethod "EAP" -EncryptionLevel "Maximum" -RememberCredential

Is that incorrect?

Update 3:

I am now testing to find out which IP I should use as different tutorials say different things.

aw@ipsec-ikev2:~$ ip route show default
default via 138.197.160.1 dev eth0 proto static
aw@ipsec-ikev2:~$ dig @resolver1.opendns.com -t A -4 myip.opendns.com +short
138.197.172.52

I need to use 138.197.172.52 as the server name/ip when adding a VPN connection to Win10. But what is my leftid and CN (for cert)? Testing now.

    Not sure if you are aware of this, but you are not using strongSwan. The service there is provided by libreswan (and the config is specific to that too). Make sure you don't have multiple IKE daemons running. And regarding the IPs, there could be some NAT involved, so port forwarding might be required.
    – ecdsa
    Commented Apr 25, 2022 at 7:15

1 Answer

I needed to use leftid=138.197.172.52 where 138.197.172.52 is my public IP found near my instance name in GCP or DigitalOcean, but also retrievable by ~$ dig @resolver1.opendns.com -t A -4 myip.opendns.com +short

pki --pub --in ~/pki/private/server-key.pem --type rsa \
    | pki --issue --lifetime 1825 \
        --cacert ~/pki/cacerts/ca-cert.pem \
        --cakey ~/pki/private/ca-key.pem \
        --dn "CN=138.197.172.52" --san 138.197.172.52 --san 138.197.172.52 \
        --flag serverAuth --flag ikeIntermediate --outform pem \
    >  ~/pki/certs/server-cert.pem

It's connected and working!!
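The thread's two findings (ecdsa's note that a cloud VM may sit behind 1:1 NAT, and the answer's point that leftid and the certificate CN/SAN must be the public address the Windows client dials) can be checked before touching the config. The script below is an added example, not code from the question or answer; the route lines and addresses it feeds in are constructed from the question, and on a real host you would substitute the output of ip route show default and the dig lookup.

```shell
#!/bin/sh
# Added example: sanity-check the IKEv2 server identity against the host's
# routing and the address the client will use. Inputs are constructed here.

# Pull the "src" address out of an `ip route show default` line, if present.
route_src_ip() {
    printf '%s\n' "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# Print "<leftid> nat|direct": leftid (and the cert CN/SAN) must be the public
# IP the client dials; "nat" means the interface holds a private address, so
# UDP 500 and 4500 must be forwarded to the VM by the cloud/NAT layer.
ikev2_identity() {
    route_line=$1
    public_ip=$2
    src_ip=$(route_src_ip "$route_line")
    if [ -z "$src_ip" ] || [ "$src_ip" = "$public_ip" ]; then
        printf '%s direct\n' "$public_ip"
    else
        printf '%s nat\n' "$public_ip"
    fi
}

# The Windows Add-VpnConnection -ServerAddress must equal the cert SAN/CN,
# otherwise IKEv2 server authentication fails on the client side.
san_matches_server() {
    [ "$1" = "$2" ]
}

# Given a space-separated list of open "proto/port" entries, print the IKE
# ports that are still missing (UDP 500 for IKE, UDP 4500 for NAT-T/ESP-in-UDP).
missing_ike_ports() {
    for need in udp/500 udp/4500; do
        case " $1 " in
            *" $need "*) ;;
            *) printf '%s\n' "$need" ;;
        esac
    done
}

# Constructed samples mirroring the two servers in the question.
ikev2_identity "default via 10.142.0.1 dev ens4 proto dhcp src 10.142.0.4 metric 100" "34.139.167.68"
ikev2_identity "default via 138.197.160.1 dev eth0 proto static" "138.197.172.52"
missing_ike_ports "tcp/22 udp/500"
```

On the GCP-style host the first line reports nat, meaning the private interface address (10.142.0.x) is expected and the firewall/forwarding rules, not leftid, are what still need attention.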
