Followed this tutorial: Create an IKEv2 server
Ref documentation for that tutorial: Guide: How to Set Up and Use IKEv2 VPN
On Win 10, from PowerShell (Admin), I ran:
certutil -f -importpfx "C:\Users\Adrian\Downloads\vpnclient.p12" NoExport
powershell -command "Set-VpnConnectionIPsecConfiguration -ConnectionName 'My IKEv2 VPN' -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup Group14 -PassThru -Force"
Got this on Win10 using the built-in VPN connection:
The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which devices may be causing the problem.
I ran tail -f /var/log/auth.log and then attempted to connect. Nothing was written to the log. Maybe nothing gets written to the auth.log? Should I check another log?
cat /etc/ipsec.conf

version 2.0

config setup
    virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24,%v4:!192.168.43.0/24
    uniqueids=no

conn shared
    left=%defaultroute
    leftid=34.138.177.212
    right=%any
    encapsulation=yes
    authby=secret
    pfs=no
    rekey=no
    keyingtries=5
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    ikev2=never
    ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1,aes256-sha2;modp1024,aes128-sha1;modp1024
    phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes256-sha2_512,aes128-sha2,aes256-sha2
    ikelifetime=24h
    salifetime=24h
    sha2-truncbug=no

conn l2tp-psk
    auto=add
    leftprotoport=17/1701
    rightprotoport=17/%any
    type=transport
    also=shared

conn xauth-psk
    auto=add
    leftsubnet=0.0.0.0/0
    rightaddresspool=192.168.43.10-192.168.43.250
    modecfgdns="8.8.8.8 8.8.4.4"
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    cisco-unity=yes
    also=shared

include /etc/ipsec.d/*.conf
Already reviewed:
How to Set Up an IKEv2 VPN Server with StrongSwan on Ubuntu 20.04 <-- very helpful
ikev2 vpn cant connect to own server via vpn connection win10
VPN IKev2 Connection
Windows client cannot connect to StrongSwan: "EAP-Identity request configured, but not supported"
Update 1:
I think it has something to do with IP addresses.
root@ikev2vpn:~# service ipsec status
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-04-23 16:01:48 UTC; 3h 17min ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 1244 ExecStartPre=/usr/local/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exit
Process: 1245 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 1490 ExecStartPre=/usr/local/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 1491 ExecStartPre=/usr/local/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Main PID: 1502 (pluto)
Status: "Startup completed."
Tasks: 2 (limit: 666)
Memory: 4.5M
CPU: 359ms
CGroup: /system.slice/ipsec.service
└─1502 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Apr 23 16:01:48 ikev2vpn pluto[1502]: "ikev2-cp": added IKEv2 connection
Apr 23 16:01:48 ikev2vpn pluto[1502]: listening for IKE messages
Apr 23 16:01:48 ikev2vpn pluto[1502]: Kernel supports NIC esp-hw-offload
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface ens4 10.142.0.3:500
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface ens4 10.142.0.3:4500
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface lo 127.0.0.1:500
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface lo 127.0.0.1:4500
I don't know where those interface addresses are coming from. I would have expected the server's public address:500 or :4500 (so 34.138.177.212:500 or 34.138.177.212:4500).
Update 2: I created a new server to try from scratch with DigitalOcean's guide. It still failed to connect. I am now quite sure it has to do with this:
vusr@vpn2:~$ ip route show default
default via 10.142.0.1 dev ens4 proto dhcp src 10.142.0.4 metric 100
According to the documentation 10.142.0.1 is my server IP, which of course is not correct. 34.139.167.68 is the external IP of the new server. I used the external IP as leftid=34.139.167.68 and when building the VPN on Win10:
Add-VpnConnection -Name "VPN2" -ServerAddress "34.139.167.68" -TunnelType "IKEv2" -AuthenticationMethod "EAP" -EncryptionLevel "Maximum" -RememberCredential
Is that incorrect?
Update 3:
I am now testing to find out which IP I should use, as different tutorials say different things.
aw@ipsec-ikev2:~$ ip route show default
default via 138.197.160.1 dev eth0 proto static
aw@ipsec-ikev2:~$ dig @resolver1.opendns.com -t A -4 myip.opendns.com +short
138.197.172.52
I need to use 138.197.172.52 as the server name/IP when adding a VPN connection to Win10. But what is my leftid and CN (for cert)? Testing now.
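Added example, not part of the question above or of any answer to it: a small offline checker for the "which address do I use?" problem the updates circle around. It parses the "adding UDP interface" lines that pluto logs at startup (the same lines shown in the service status output), classifies each listening address as loopback, private (RFC 1918) or public with Python's ipaddress module, and compares them with the address the outside world sees (the dig myip.opendns.com result). Pluto binds the addresses actually configured on the interfaces, so on a cloud VM whose public address is mapped by the provider's 1:1 NAT (GCE instances work this way; the external IP never appears on the NIC) the log will show only private addresses, which is expected rather than a misconfiguration: IKEv2 detects the NAT and moves to UDP 4500. The public address is the one the client must be told (-ServerAddress) and the one the server identity and certificate need to name. The sample log, route line and external IP are constructed here from the values quoted in the question; the function names are this example's own.

```python
"""Offline diagnosis of IKE listening addresses vs. the externally visible address.

Added example (not from the original post). Sample inputs are constructed from
the values quoted in the question; function names are this example's own.
"""
import ipaddress
import json
import re

# Constructed sample: pluto startup lines as printed by `service ipsec status`.
PLUTO_LOG = """\
Apr 23 16:01:48 ikev2vpn pluto[1502]: "ikev2-cp": added IKEv2 connection
Apr 23 16:01:48 ikev2vpn pluto[1502]: listening for IKE messages
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface ens4 10.142.0.3:500
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface ens4 10.142.0.3:4500
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface lo 127.0.0.1:500
Apr 23 16:01:48 ikev2vpn pluto[1502]: adding UDP interface lo 127.0.0.1:4500
"""

# Constructed sample: `ip route show default` on the same host, and the address
# returned by `dig @resolver1.opendns.com -t A -4 myip.opendns.com +short`.
DEFAULT_ROUTE = "default via 10.142.0.1 dev ens4 proto dhcp src 10.142.0.3 metric 100"
EXTERNAL_IP = "34.138.177.212"

IFACE_RE = re.compile(r"adding UDP interface (\S+) (\S+):(\d+)$")
SRC_RE = re.compile(r"\bsrc (\S+)")


def listening_sockets(log):
    """Return [(iface, ip, port), ...] for every IKE socket pluto opened."""
    sockets = []
    for line in log.splitlines():
        m = IFACE_RE.search(line)
        if m:
            sockets.append((m.group(1), m.group(2), int(m.group(3))))
    return sockets


def default_route_src(route_line):
    """Source address the kernel picks for the default route (what %defaultroute resolves to)."""
    m = SRC_RE.search(route_line)
    return m.group(1) if m else None


def classify(ip):
    """loopback / private / public / other, per the ipaddress module's definitions."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    if addr.is_global:
        return "public"
    return "other"


def diagnose(log, route_line, external_ip):
    """Summarise where IKE is listening and which address a client should be given."""
    sockets = listening_sockets(log)
    ports = {port for _, _, port in sockets}
    local = sorted({ip for iface, ip, _ in sockets if iface != "lo"})
    # Only private addresses on real interfaces plus a public address seen from
    # outside means the provider is NATing the public address to this host.
    behind_nat = bool(local) and all(classify(ip) == "private" for ip in local) \
        and classify(external_ip) == "public"
    return {
        "ike_ports_ok": {500, 4500} <= ports,       # both IKE and NAT-T sockets open
        "listen_addresses": local,                  # what pluto actually bound
        "route_src": default_route_src(route_line),  # what left=%defaultroute becomes
        "behind_nat": behind_nat,
        # Address for the Windows -ServerAddress, the server's IKE identity and
        # the name the server certificate must carry.
        "server_address": external_ip,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(PLUTO_LOG, DEFAULT_ROUTE, EXTERNAL_IP), indent=2))
```

When behind_nat comes back true, the private addresses in the pluto log are not the problem; the things left to verify are that the provider's firewall (a VPC firewall rule on GCE) admits UDP 500 and 4500 inbound to the instance, and that the address the client was given matches what the server identifies itself as. On a host where the public address sits directly on the interface (the DigitalOcean case in Update 3), listen_addresses will already contain it and behind_nat is false.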