Closed Semsem8519 closed 7 years ago
Is your eeePC definitely connected to the network (e.g. can you curl a webpage from it)? Do you see anything at all in the strongSwan logs (or /var/log/syslog) to indicate a connection being attempted?
This kind of thing can be tricky to diagnose from far away ...
Thanks for your help. Yes, the machine is connected to the LAN and WAN. Also, strongSwan shows it trying to communicate with my external IP (I connected strongSwan using the no-ip address) but no response from my eeePC. While running the script, it asks me to enter a hostname which must resolve to this machine. I entered my no-ip domain address. Is that correct, or does it mean something else? Thank you.
Can you clarify what you mean by a 'no-ip domain address'?
The host needs to be something you can get a public SSL certificate for (e.g. vpn.example.com).
Otherwise you will probably have to manually create a self-signed server certificate, and then distribute your CA cert to all clients.
That’s out of scope for this script, and not something I can guide you through, but I know there are other tutorials out there that cover this.
On 5 Jan 2017, at 16:47, Semsem8519 notifications@github.com wrote:
Thanks for your help. Yes the machine is connected to the LAN and WAN. Also the strongswan shows trying to communicate with my external IP(I connected strongswn using no-ip address). During running the script, it asks me to enter hostanme which must resolve to this machine. I entered my no-ip domain address. Is that correct or it means something else? Thank you.
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/jawj/IKEv2-setup/issues/4#issuecomment-270693403, or mute the thread https://github.com/notifications/unsubscribe-auth/AAIpNKtBCu3o0h57fvLAJ_AGjhGiDfZ9ks5rPR6dgaJpZM4Lb3Wp.
I mean I have a dynamic IP address updater provided by no-ip.com so that my hostname always reflects changes to my IP address provided by my Internet service provider (ISP). I will try and type the hostname as default http://vpn.example.com and report later. Thanks.
OK — a no-ip.com address might work in principle, but Let's Encrypt have a limit on the number of subdomains that can be registered (IIRC it's 20 per week), so it's possible that other people are exhausting that and then you can't get your certificate.
Don't type vpn.example.com as the host — that was only an example!
I still don't know where I can get a hostname from. Can you provide a hint, like a link, please? Thanks.
You would need to register a domain name (with e.g. AWS, GoDaddy, Domain Monster), and probably then set up a CNAME record that aliases your no-ip.com domain name.
Thank you. Is there a command to delete the files previously generated by the script and start from scratch?
No — I always run this on a VPS where it's easy to blow it away and start with a fresh distro install.
If all you need to do is request an alternative certificate then these commands from the middle section should do it (you will need to manually export EMAIL=me@example.com and export VPNHOST=myvpn.example.com first, and start with a sudo su):
certbot certonly --non-interactive --agree-tos --email $EMAIL --standalone -d $VPNHOST
ln -s /etc/letsencrypt/live/$VPNHOST/cert.pem /etc/ipsec.d/certs/cert.pem
ln -s /etc/letsencrypt/live/$VPNHOST/privkey.pem /etc/ipsec.d/private/privkey.pem
ln -s /etc/letsencrypt/live/$VPNHOST/chain.pem /etc/ipsec.d/cacerts/chain.pem
echo "/etc/letsencrypt/archive/${VPNHOST}/* r," >> /etc/apparmor.d/local/usr.lib.ipsec.charon
aa-status --enabled && invoke-rc.d apparmor reload
I can't guarantee that's all you need, though ...
I reinstalled Lubuntu 16.10 32-bit and ran the setup script again. This time I am getting this:
Setting up strongswan (5.3.5-1ubuntu4) ... Setting up mailutils (1:2.99.99-1.1ubuntu3) ... update-alternatives: using /usr/bin/frm.mailutils to provide /usr/bin/frm (frm) in auto mode update-alternatives: using /usr/bin/from.mailutils to provide /usr/bin/from (from) in auto mode update-alternatives: using /usr/bin/messages.mailutils to provide /usr/bin/messages (messages) in auto mode update-alternatives: using /usr/bin/movemail.mailutils to provide /usr/bin/movemail (movemail) in auto mode update-alternatives: using /usr/bin/readmsg.mailutils to provide /usr/bin/readmsg (readmsg) in auto mode update-alternatives: using /usr/bin/dotlock.mailutils to provide /usr/bin/dotlock (dotlock) in auto mode update-alternatives: using /usr/bin/mail.mailutils to provide /usr/bin/mailx (mailx) in auto mode Setting up python-ndg-httpsclient (0.4.2-1) ... Setting up python-acme (0.8.1-1) ... Setting up python-certbot (0.8.1-2) ... Setting up certbot (0.8.1-2) ... Processing triggers for ureadahead (0.100.0-19) ... Processing triggers for libc-bin (2.24-3ubuntu2) ... Processing triggers for systemd (231-9ubuntu2) ... Processing triggers for ufw (0.35-2) ...
Network interface: wlp2s0 External IP: 192.168.1.21
=== Configuring firewall ===
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.10.10.0/24 anywhere policy match dir in pol ipsec proto esp
ACCEPT all -- anywhere 10.10.10.0/24 policy match dir out pol ipsec proto esp
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
=== Configuring RSA certificates ===
You should register before running non-interactively, or provide --agree-tos and --email
I made an account with GoDaddy and made a CNAME record to point to my no-ip.com hostname.
Silly me, I made a typo in the email. Tried it again and got:
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Network interface: wlp2s0 External IP: 192.168.1.21
=== Configuring firewall ===
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.10.10.0/24 anywhere policy match dir in pol ipsec proto esp
ACCEPT all -- anywhere 10.10.10.0/24 policy match dir out pol ipsec proto esp
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
=== Configuring RSA certificates ===
IMPORTANT NOTES:
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
=== Configuring VPN ===
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...
=== User ===
adduser: The user `sami' already exists.
sami@sami-900A:~$
If I use my internal IP address in the hostname field of the strongSwan Android client, I get this error log. Connecting with my external IP fails all the time. Are there other ports to forward besides 22/443?
Jan 6 07:26:54 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.10.73-g4cd47b6, aarch64)
Jan 6 07:26:54 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Jan 6 07:26:54 00[JOB] spawning 16 worker threads
Jan 6 07:26:54 04[IKE] initiating IKE_SA android[13] to 192.168.1.21
Jan 6 07:26:54 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 6 07:26:54 04[NET] sending packet: from 192.168.1.188[41665] to 192.168.1.21[500] (744 bytes)
Jan 6 07:26:54 07[NET] received packet: from 192.168.1.21[500] to 192.168.1.188[41665] (38 bytes)
Jan 6 07:26:54 07[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 6 07:26:54 07[IKE] peer didn't accept DH group ECP_256, it requested ECP_521
Jan 6 07:26:54 07[IKE] initiating IKE_SA android[13] to 192.168.1.21
Jan 6 07:26:54 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 6 07:26:54 07[NET] sending packet: from 192.168.1.188[41665] to 192.168.1.21[500] (812 bytes)
Jan 6 07:26:54 09[NET] received packet: from 192.168.1.21[500] to 192.168.1.188[41665] (340 bytes)
Jan 6 07:26:54 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 6 07:26:54 09[IKE] remote host is behind NAT
Jan 6 07:26:54 09[IKE] sending cert request for "C=CN, O=WoSign CA Limited, CN=CA WoSign ECC Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Networking"
Jan 6 07:26:54 09[IKE] establishing CHILD_SA android
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 6 07:26:54 09[ENC] splitting IKE message with length of 3632 bytes into 3 fragments
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ EF(1/3) ]
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ EF(2/3) ]
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ EF(3/3) ]
Jan 6 07:26:54 09[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (1364 bytes)
Jan 6 07:26:54 09[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (1364 bytes)
Jan 6 07:26:54 09[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (1076 bytes)
Jan 6 07:26:55 11[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 11[ENC] parsed IKE_AUTH response 1 [ EF(1/8) ]
Jan 6 07:26:55 11[ENC] received fragment #1 of 8, waiting for complete IKE message
Jan 6 07:26:55 10[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 10[ENC] parsed IKE_AUTH response 1 [ EF(2/8) ]
Jan 6 07:26:55 10[ENC] received fragment #2 of 8, waiting for complete IKE message
Jan 6 07:26:55 16[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 16[ENC] parsed IKE_AUTH response 1 [ EF(3/8) ]
Jan 6 07:26:55 16[ENC] received fragment #3 of 8, waiting for complete IKE message
Jan 6 07:26:55 12[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 12[ENC] parsed IKE_AUTH response 1 [ EF(4/8) ]
Jan 6 07:26:55 12[ENC] received fragment #4 of 8, waiting for complete IKE message
Jan 6 07:26:55 07[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 07[ENC] parsed IKE_AUTH response 1 [ EF(5/8) ]
Jan 6 07:26:55 07[ENC] received fragment #5 of 8, waiting for complete IKE message
Jan 6 07:26:55 13[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 13[ENC] parsed IKE_AUTH response 1 [ EF(6/8) ]
Jan 6 07:26:55 13[ENC] received fragment #6 of 8, waiting for complete IKE message
Jan 6 07:26:55 04[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (260 bytes)
Jan 6 07:26:55 04[ENC] parsed IKE_AUTH response 1 [ EF(8/8) ]
Jan 6 07:26:55 04[ENC] received fragment #8 of 8, waiting for complete IKE message
Jan 6 07:26:55 08[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 08[ENC] parsed IKE_AUTH response 1 [ EF(7/8) ]
Jan 6 07:26:55 08[ENC] received fragment #7 of 8, reassembling fragmented IKE message
Jan 6 07:26:55 08[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Jan 6 07:26:55 08[IKE] received end entity cert "CN=vpn.semsem8519.com"
Jan 6 07:26:55 08[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jan 6 07:26:55 08[CFG] using certificate "CN=vpn.semsem8519.com"
Jan 6 07:26:55 08[CFG] using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jan 6 07:26:55 08[CFG] using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3"
Jan 6 07:26:55 08[CFG] reached self-signed root ca with a path length of 1
Jan 6 07:26:55 08[IKE] authentication of 'vpn.semsem8519.com' with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 6 07:26:55 08[CFG] constraint check failed: identity '192.168.1.21' required
Jan 6 07:26:55 08[CFG] selected peer config 'android' inacceptable: constraint checking failed
Jan 6 07:26:55 08[CFG] no alternative config found
Jan 6 07:26:55 08[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Jan 6 07:26:55 08[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500]
(96 bytes)
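A small triage helper for strongSwan client logs like the one above, added here as an example and not part of the IKEv2-setup project: it parses the log entries, tracks IKE_AUTH fragment reassembly and the certificate and identity checks, and explains the "constraint check failed" rejection (the server's certificate verified fine, but the client expected the identity it dialled, the LAN IP). The sample lines are a subset of the log above.

```python
import re

# Sample input: a subset of the strongSwan client log lines quoted above (not a new capture).
SAMPLE_LOG = """\
Jan 6 07:26:55 11[ENC] received fragment #1 of 8, waiting for complete IKE message
Jan 6 07:26:55 08[ENC] received fragment #7 of 8, reassembling fragmented IKE message
Jan 6 07:26:55 08[IKE] received end entity cert "CN=vpn.semsem8519.com"
Jan 6 07:26:55 08[IKE] authentication of 'vpn.semsem8519.com' with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 6 07:26:55 08[CFG] constraint check failed: identity '192.168.1.21' required
Jan 6 07:26:55 08[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# One strongSwan entry looks like: "<Mon D HH:MM:SS> <thread>[<SUBSYS>] <message>"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \d+\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
FRAG_RE = re.compile(r"received fragment #(\d+) of (\d+)")
CERT_RE = re.compile(r'received end entity cert "([^"]+)"')
AUTH_OK_RE = re.compile(r"authentication of '([^']+)' with \S+ successful")
CONSTRAINT_RE = re.compile(r"constraint check failed: identity '([^']+)' required")


def triage(log_text):
    # Summarise one IKE_AUTH exchange and say why the client rejected it, if it did.
    info = {"fragments": set(), "fragments_expected": None, "reassembled": False, "server_cert": None,
            "authenticated_as": None, "required_identity": None, "auth_failed_sent": False}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a strongSwan entry (stray text); skip it
        msg = m.group("msg")
        if f := FRAG_RE.search(msg):
            info["fragments"].add(int(f.group(1)))
            info["fragments_expected"] = int(f.group(2))
            info["reassembled"] |= "reassembling" in msg
        elif c := CERT_RE.search(msg):
            info["server_cert"] = c.group(1)
        elif a := AUTH_OK_RE.search(msg):
            info["authenticated_as"] = a.group(1)
        elif r := CONSTRAINT_RE.search(msg):
            info["required_identity"] = r.group(1)
        elif m.group("sub") == "ENC" and "N(AUTH_FAILED)" in msg:
            info["auth_failed_sent"] = True
    got, want = info["authenticated_as"], info["required_identity"]
    if got and want and got != want:
        # Valid certificate, but the client expected the identity it dialled (here a LAN IP).
        info["diagnosis"] = "identity mismatch: server authenticated as '%s' but client requires '%s'; connect using the name in the certificate" % (got, want)
    elif info["fragments_expected"] and not info["reassembled"]:
        info["diagnosis"] = "incomplete IKE_AUTH: %d of %d fragments arrived; check UDP 4500 reachability" % (len(info["fragments"]), info["fragments_expected"])
    elif info["auth_failed_sent"]:
        info["diagnosis"] = "AUTH_FAILED sent for a reason this triage does not recognise"
    else:
        info["diagnosis"] = "no problem detected"
    return info
```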
I opened ports 500 and 4500 UDP and now the strongswan client is connected. Thank you very much for your help. Just one request please. Do you know if I can use the Android native VPN client instead of the strongswan app? The reason I want this is because Android supports always-on VPN connections whereas the strongswan app does not. I need this feature because I want to talk to my family from abroad with whatsapp, as the calling feature is blocked there without VPN, and I need to maintain the VPN connection all the time because they may not know how to connect to it when it disconnects.
Glad you got this working (though a bit confused, because my script already opens 500 and 4500 for UDP).
Afraid the built-in Android VPN client doesn't yet support IKEv2 AFAIK.
Sorry I meant I forwarded those ports in my router to my server machine local ip address.
Oh, great. :)
Sorry I forgot to ask, while running the setup, we are asked to create a login user with a strong password; since a client does not use this info to log in to the server, what use do they serve? Thanks
The user name and password can be used to log in to the server via SSH.
Hi,
I installed this on a nearly fresh install of Lubuntu 16.10 32bit on an ASUS eeepc notebook. The installation was seemingly successful as a congratulations message appeared at the end. However trying to log in with the strongswan client hangs on connecting and then fails with server unreachable. The strongswan log shows that the server is not responding to packets sent from the client. I did not use this machine for anything else like iptables etc. I also opened ports for both 22 and 443 tcp/udp but no change. I feel lost and I appreciate any help to overcome this issue. Thank you so much for the script.
Sami