I'm interested in how to modify this script to allow connection via Windows gui in network manager. For my purposes - easy use for NOT IT people - this would be better. Thanks for your help.

Hi, thanks for the script didnt get ikev2 to working after a few tutorials etc.
But now i get the following error with your script: ERROR: /etc/ipsec.conf: 9: keyword keyexchange, invalid value: ikev2
Is the problem in the current ubuntu package?

Don't have a hostname, would like to use an IP address instead

Hi,

I installed this on a nearly fresh install of Lubuntu 16.10 32bit ASUS eeepc notebook. The installation was seemingly successful as a congratulations massage appeared at the end. However tring to login with stromgswan client hangs on connecting and then fails with server unreachable. The strongswan log shows that the server is not resonding to packets sent from the client. I did not use this machine for anything else like iptables and etc. I also opened ports for both 22,443 tcp/udp but no change. I feel lost and I appreciate any help to overcome this issue. Thank you so much for the script.

Sami

I ran the setup script on a branch new 17.04 box, and I'm having trouble connecting from my home network (router is provided by Verizon FiOS, but I doubt that matters, it's a standard NAT setup).

Logs on the server:

May 13 07:21:05 charon[17287]: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 13 07:21:05 charon[17287]: 09[NET] sending packet: from SER.VER.IP[500] to CLI.ENT.IP[500] (38 bytes)
May 13 07:21:05 charon[17287]: 10[NET] received packet: from CLI.ENT.IP[500] to SER.VER.IP[500] (300 bytes)
May 13 07:21:05 charon[17287]: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 13 07:21:05 charon[17287]: 10[IKE] CLI.ENT.IP is initiating an IKE_SA
May 13 07:21:05 charon[17287]: 10[IKE] CLI.ENT.IP is initiating an IKE_SA
May 13 07:21:05 charon[17287]: 10[IKE] remote host is behind NAT
May 13 07:21:05 charon[17287]: 10[IKE] DH group ECP_521 inacceptable, requesting ECP_521
May 13 07:21:05 charon[17287]: 10[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 13 07:21:05 charon[17287]: 10[NET] sending packet: from SER.VER.IP[500] to CLI.ENT.IP[500] (38 bytes)

Logs on the client:

default	07:44:03.910071 -0400	neagent	0x7fdcb2315e00 opened /Users/user/Library/Keychains/login.keychain-db: 1779840 bytes
default	07:44:03.914720 -0400	neagent	getting current attributes...
default	07:44:03.914757 -0400	neagent	filling 16 attributes for type 2147483648
default	07:44:03.915368 -0400	neagent	looking at 16 attributes
default	07:44:03.915460 -0400	neagent	finished: 50ba5828bedc6a69250709880de01ce5e05e52b0c0b8e5c73acef30ecbb93cab
error	07:44:03.964986 -0400	neagent	Failed to process IKE SA Init packet

In particular, this line is baffling me: DH group ECP_521 inacceptable, requesting ECP_521.

Hello,

Is there a way that I can change the port that it this tries to run on? I would like to run it on port 47804 and when I modified it from port 443 it skips asking for the password for the SSH and user for the VPN. Im not sure exactly what I am doing wrong.

Thank you!

Please consider removing this setting from generated mac/iphone config.

It can be overridden in iOS but not in MacOS (in latter VPN stays lways on as the result).

Hi there :)
I was so exited when I saw your script I tough the idea was excellent.
I tried to install it on ubuntu 17.10 fresh install behind a router configured with ddns (dyn.com dns) and port forward to it (443/80 tcp and 500,1701,4500 udp) but it fails. I tried to find by myself if I could do anything to modify the script but wasn't able to do anything productive... Do you think you could help ? The issue clearly comes from letsencrypt but I dont know what to do / try. my dns resolve correctly to my router ipv4 address..
Any help would be appreciated :)

Here is the result I get from the script and the letsencrypt log. Do you think you could help ?

root@vpnserver:/home/ZZZ/IKEv2-setup# ./setup.sh

=== https://github.com/jawj/IKEv2-setup ===

--- Configuration: VPN settings ---

** Note: hostname must resolve to this machine already, to enable Let's Encrypt certificate setup **
Hostname for VPN (e.g. vpn.example.com): ZZZ.mine.nu
VPN username: XXXXXXXX
VPN password (no quotes, please):
Confirm VPN password:

--- Configuration: general server settings ---

Timezone (default: Europe/London): america/XXXXX
Email address for sysadmin (e.g. [email protected]): [email protected]

SSH log-in port (default: 22):
SSH log-in username: ZZZ
SSH log-in password (must be REALLY STRONG):
Confirm SSH log-in password:

--- Updating and installing software ---

Hit:1 http://security.ubuntu.com/ubuntu artful-security InRelease
Hit:2 http://ca.archive.ubuntu.com/ubuntu artful InRelease
Hit:3 http://ca.archive.ubuntu.com/ubuntu artful-updates InRelease
Hit:4 http://ca.archive.ubuntu.com/ubuntu artful-backports InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
language-pack-en is already the newest version (1:17.10+20171012).
postfix is already the newest version (3.2.3-1).
certbot is already the newest version (0.17.0-2).
iptables-persistent is already the newest version (1.0.4+nmu2).
mailutils is already the newest version (1:3.1.1-1).
moreutils is already the newest version (0.60-1).
libcharon-extra-plugins is already the newest version (5.5.1-4ubuntu2.2).
libcharon-standard-plugins is already the newest version (5.5.1-4ubuntu2.2).
libstrongswan-standard-plugins is already the newest version (5.5.1-4ubuntu2.2).
strongswan is already the newest version (5.5.1-4ubuntu2.2).
strongswan-libcharon is already the newest version (5.5.1-4ubuntu2.2).
unattended-upgrades is already the newest version (0.98ubuntu1.1).
strongswan-ikev2 is already the newest version (5.5.1-4ubuntu2.2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Network interface: ens33
External IP: 123.123.123.12
Warning: ZZZ.mine.nu resolves to XXX.YYY.ZZZ.AAA, not 123.123.123.12
Either you are behind NAT, or something is wrong (e.g. hostname points to wrong IP, CloudFlare proxying shenanigans, ...)
Press [Return] to continue, or Ctrl-C to abort

--- Configuring firewall ---

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.10.10.0/24 anywhere policy match dir in pol ipsec proto esp
ACCEPT all -- anywhere 10.10.10.0/24 policy match dir out pol ipsec proto esp
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

--- Configuring RSA certificates ---

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Running pre-hook command: /sbin/iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ZZZ.mine.nu
Waiting for verification...
Cleaning up challenges
Running post-hook command: /sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
Failed authorization procedure. ZZZ.mine.nu (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ZZZ.mine.nu/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXX: Timeout

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: ZZZ.mine.nu
  Type: connection
  Detail: Fetching
  http://ZZZ.mine.nu/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXX:
  Timeout

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.
  root@vpnserver:/home/ZZZ/IKEv2-setup#

Windows 10, after connecting the server and data traffic only about 220MB, then, VPN is connected but no internet, no data traffic.

VPN must disconnect and connect again manually, and use data traffic about 220MB again...

Reset Windows 10 network is useless.

IOS is all good.

Assuming the client is actually a gateway, with NAT clients behind it, how would one alter the default configuration to allow them access through the tunnel?

Stuck in "connecting"

Would you be willing to make a version that wouldn't require the creation of a physical server account and would for instance make a myUser.p12 So that you don't have to use username/password auth and just use a passcode on that cert.
Thanks!

Thanks for the setup guide! Is there any possible to build a docker image ?

Is there a way to add IPv6 support? I am on U.S. T-Mobile and, even though I can connect to my VPN server, the traffic completely stops after connecting. That seems to be because T-Mobile only supports IPv6.

Hello,

Thanks for your work on this, very useful.

Their is an issue when using this script with a domain which has its DNS hosted at Cloudflare. It is necessary to disable the proxy feature and use DNS only, otherwise certbot fails.

Network interface: eth0
External IP: XXX
Warning: vpn.LLLL.net resolves to 104.28.23.28
104.28.22.28, not XXX
Either you are behind NAT, or something is wrong
Press [Return] to continue, or Ctrl-C to abort

Are you using Cloudflare?

If this was identified at this point as being an issue the option could even be given, so that:

certbot could be set to use the --standalone-supported-challenges http-01 flag

That's only one solution and I appreciate it may not be the best?

Hello!
With this script can i create new user?
Thank you!

when I execute this script with root via ssh,
it still asks me about my ssh port / username / password,
I don't want to create a new user / port ,
please fix this . thanks .

Vultr fresh installation

If I change the pre-qualifier for 17.04 to 16.04, will everything else install fine?

I followed the guide carefully, everything was then working well. I was connected to my VPN (connection established). So I tested browsing on www, it worked great but few minutes after my PC crashes (bluescreen) giving an error and I tried it again and again and everytime few minutes after I start the connection, windows 10 crashes. @jawj

Tested your script and the emailing of the finished config does not work. It uses -A instead of -a when it try to attach the vpn.mobileconfig file.

Hello,

This seems like a wonderful project. I installed it on a Google Compute instance (Ubuntu 17.04).

During the installation, I get the following error:

Processing triggers for ufw (0.35-4) ...

Network interface: ens4
External IP: 10.142.0.2
Warning: vpn.myDomain.com resolves to 104.196.47.118, not 10.142.0.2
Either you are behind NAT, or something is wrong (e.g. hostname points to wrong IP, CloudFlare proxying shenanigans, ...)
Press [Return] to continue, or Ctrl-C to abort

Well, my external IP of the instance is 104.196.47.118 and the internal IP is 10.142.0.2. Why should my domain point to the internal IP address? That makes no sense.

May you please advise on this?

Many Thanks,
Houman

Getting this error on google compute engine. Ubuntu 16.10 image.

iptables v1.6.0: invalid port/service -j' specified Try iptables -h' or 'iptables --help' for more information.

Hey I'm having trouble connecting using this script on the new software. I figured it was something on Apple's end but just wanted to post something on here.

Tried on iOS 11.0.3 and macOS 10.13.0.

Anybody else having the same trouble?

Things I've tried:

1. Rebooting the server
2. Rebooting Phone
3. Fresh install of iOS 11 & High Sierra
4. Reinstalling the mobileconfig profile.
5. Tested and same VPN profile connects on older software (iOS 10 and macOS 10.12.6)

I have another issue, whenever I start torrenting using my VPN, it seems like after few minutes or seconds the vpn dies and I have to manually reconnect to it (I get disconnected automatically). Is this related to performance issues or more like few settings I could change?

I attempted to use your script on a fresh 16.04 installation and i was unable to to complete due to certbot package not being available for ubuntu?

I use setup.sh and its working correctly.I can connect from strongswan android client and for ios ,I install .mobileconfig and it works.
my question is how can I connect programmatically in ios using xcode?
I use multiple samples for IKEv2 connection in ios but not working some of the samples need certificate file for connection(.p12).
how cat I export .p12 certificate?

Hi, i used this script but cannot connect with the following errors. The server is Ubuntu 16.10 behind NAT with UDP 500 & 4500 forwarded. The client is iOS 10 on a public LTE network.

I find it a bit confusing that there are two external ip's mentioned. Is my mobile operator doing something funky?

Mar 15 11:37:00 mainframe charon-custom: 09[NET] received packet: from 94.254.161.xxx[11684] to 10.0.0.2[500] (308 bytes)
Mar 15 11:37:00 mainframe charon-custom: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar 15 11:37:00 mainframe charon-custom: 09[IKE] 94.254.161.xxx is initiating an IKE_SA
Mar 15 11:37:00 mainframe charon-custom: 09[IKE] local host is behind NAT, sending keep alives
Mar 15 11:37:00 mainframe charon-custom: 09[IKE] remote host is behind NAT
Mar 15 11:37:00 mainframe charon-custom: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Mar 15 11:37:00 mainframe charon-custom: 09[NET] sending packet: from 10.0.0.2[500] to 94.254.161.xxx[11684] (316 bytes)
Mar 15 11:37:05 mainframe charon-custom: 11[NET] received packet: from 5.79.68.xxx[48661] to 10.0.0.2[500] (192 bytes)
Mar 15 11:37:05 mainframe charon-custom: 11[ENC] parsed ID_PROT request 0 [ SA ]
Mar 15 11:37:05 mainframe charon-custom: 11[IKE] no IKE config found for 10.0.0.2...5.79.68.xxx, sending NO_PROPOSAL_CHOSEN
Mar 15 11:37:05 mainframe charon-custom: 11[ENC] generating INFORMATIONAL_V1 request 1899030108 [ N(NO_PROP) ]
Mar 15 11:37:05 mainframe charon-custom: 11[NET] sending packet: from 10.0.0.2[500] to 5.79.68.xxx[48661] (40 bytes)
Mar 15 11:37:14 mainframe charon-custom: 15[NET] received packet: from 5.79.68.xxx[48662] to 10.0.0.2[500] (192 bytes)
Mar 15 11:37:14 mainframe charon-custom: 15[ENC] parsed ID_PROT request 0 [ SA ]
Mar 15 11:37:14 mainframe charon-custom: 15[IKE] no IKE config found for 10.0.0.2...5.79.68.xxx, sending NO_PROPOSAL_CHOSEN
Mar 15 11:37:14 mainframe charon-custom: 15[ENC] generating INFORMATIONAL_V1 request 1077021290 [ N(NO_PROP) ]
Mar 15 11:37:14 mainframe charon-custom: 15[NET] sending packet: from 10.0.0.2[500] to 5.79.68.xxx[48662] (40 bytes)

I'm got this running swimmingly on a macOS client. However, which config options do I need to make it work on a linux (OpenWRT) client? I've got so far as adding the following to ipsec.conf:

conn [conn_name]
right=[host]
rightid=%[host]
rightsubnet=0.0.0.0/0
rightauth=pubkey
leftsourceip=%config
leftauth=eap
eap_identity=[username]
auto=add

Ideally I'd have it save the user's password too, instead of asking every time. Apologies - new to Strongswan!

Can you tell me, where the logs are saved? I can`t find any.. I need to find out where the logs are located to check my connection log with a single username

Is it possible connect by IP address through VPN, because when some enviornment blocked the domain of my server

Any chance you could add support for CentOS too please?

I just upgraded my server from Ubuntu 16.04 to 17.04 and installed your script but it showed error as follow:

Setting up libstrongswan-extra-plugins (5.5.1-1ubuntu3.1) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for libc-bin (2.24-9ubuntu2.2) ...
Processing triggers for systemd (232-21ubuntu5) ...
Processing triggers for ufw (0.35-4) ...
Errors were encountered while processing:
postfix
mailutils
E: Sub-process /usr/bin/dpkg returned an error code (1)

How can I solve it? Thank you.

Hi, I just tested your script on Ubuntu Server 17.04 and it work like a charm.

Would it be easy to adapt it to Debian ?

Kind regards

I can connect to a remote machine through RDP. However, when I connect to my VPN server and then try to connect to the remote machine through RDP it does not work. I have tried this scenario through iOS and MacOS without positive results.

Any ideas on why this could be happening?

I am able to use other screen sharing protocols like VNC without issue.

Hello,

I wonder if it may be worth adding in a note about using alternative non logging DNS services, rather than Google's resolvers?

There's a good list available here: https://www.lifewire.com/free-and-public-dns-servers-2626062

For what it's worth I have found DNS.WATCH to be very reliable.

Hello

I have run the setup.sh on two VPS machines using linode and ran into the same issue each time. Everything seems to setup properly, but when it comes to connecting with my first device, nothing seems to work (the first device I try is an iPhone and the VPN status bounces between 'Connected' and 'Not Connected' repeatedly).

From /var/log/syslog (xxx is server and yyy is client):

Dec 17 03:25:09 LNVPN1 charon: 12[NET] sending packet: from xx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[4718] (65 bytes)
Dec 17 03:25:10 LNVPN1 charon: 13[NET] received packet: from yyy.yyy.yyy.yyy[500] to xxx.xxx.xxx.xxx[500] (300 bytes)
Dec 17 03:25:10 LNVPN1 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Dec 17 03:25:10 LNVPN1 charon: 13[IKE] yyy.yyy.yyy.yyy is initiating an IKE_SA
Dec 17 03:25:10 LNVPN1 charon: 13[IKE] remote host is behind NAT
Dec 17 03:25:10 LNVPN1 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Dec 17 03:25:10 LNVPN1 charon: 13[NET] sending packet: from xxx.xxx.xxx.xxx[500] to 173.18.16.137[500] (316 bytes)
Dec 17 03:25:40 LNVPN1 charon: 11[JOB] deleting half open IKE_SA after timeout

When I run ipsec rereadsecrets some part of the issue seems to appear:

Dec 17 03:26:02 LNVPN1 charon: 12[CFG] rereading secrets
Dec 17 03:26:02 LNVPN1 charon: 12[CFG] loading secrets from '/etc/ipsec.secrets'
Dec 17 03:26:02 LNVPN1 charon: 12[LIB] opening '/etc/ipsec.d/private/privkey.pem' failed: No such file or directory
Dec 17 03:26:02 LNVPN1 charon: 12[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 11 builders
Dec 17 03:26:02 LNVPN1 charon: 12[CFG] loading private key from '/etc/ipsec.d/private/privkey.pem' failed
Dec 17 03:26:02 LNVPN1 charon: 12[CFG] loaded EAP secret for vpn-iphone %any

When I look into the etc/ipsec.d/private/ directory, there is a file in there...furthermore there are files in the /etc/letsencrypt/live/(hostname) folders.

Not sure what to try to clear this up.

Ran the setup.sh script on a fresh install of Ubuntu Server 17.04 with no modifications to anything. I'm able to successfully connect to the VPN server but there's no traffic passing through the tunnel.

The VPN server is a virtual machine running on Vmware Workstation Pro 12.5.7. The virtual network adapter is set to bridge mode and it's pulling it's own IP address from the router.

iptables -L output:

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.10.10.0/24 anywhere policy match dir in pol ipsec proto esp
ACCEPT all -- anywhere 10.10.10.0/24 policy match dir out pol ipsec proto esp
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

/etc/ipsec.conf

config setup
strictcrlpolicy=yes
uniqueids=never

conn roadwarrior
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384!
esp=aes256gcm16-sha256!
dpdaction=clear
dpddelay=180s
rekey=no
left=%any
leftid=@[server hostname]
leftcert=cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
eap_identity=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.10.10.0/24
rightsendcert=never

truncated and sanitised /var/log/syslog

Aug 26 04:12:08 VPN charon: 05[NET] received packet: from [client][500] to [server][500] (300 bytes)
Aug 26 04:12:08 VPN charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Aug 26 04:12:08 VPN charon: 05[IKE] [client] is initiating an IKE_SA
Aug 26 04:12:08 VPN charon: 05[IKE] local host is behind NAT, sending keep alives
Aug 26 04:12:08 VPN charon: 05[IKE] remote host is behind NAT
Aug 26 04:12:08 VPN charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Aug 26 04:12:08 VPN charon: 05[NET] sending packet: from [server][500] to [client][500] (316 bytes)
Aug 26 04:12:08 VPN charon: 03[NET] received packet: from [client][4500] to [server][4500] (352 bytes)
Aug 26 04:12:08 VPN charon: 03[ENC] unknown attribute type (25)
Aug 26 04:12:08 VPN charon: 03[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
Aug 26 04:12:08 VPN charon: 03[CFG] looking for peer configs matching [server][server host name]...[client][server hostname]
Aug 26 04:12:08 VPN charon: 03[CFG] selected peer config 'roadwarrior'
Aug 26 04:12:08 VPN charon: 03[IKE] initiating EAP_IDENTITY method (id 0x00)
Aug 26 04:12:08 VPN charon: 03[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Aug 26 04:12:08 VPN charon: 03[IKE] peer supports MOBIKE
Aug 26 04:12:08 VPN charon: 03[IKE] authentication of 'server hostname' (myself) with RSA signature successful
Aug 26 04:12:08 VPN charon: 03[IKE] sending end entity cert "CN=server hostname"
Aug 26 04:12:08 VPN charon: 03[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Aug 26 04:12:08 VPN charon: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Aug 26 04:12:08 VPN charon: 03[ENC] splitting IKE message with length of 3337 bytes into 3 fragments
Aug 26 04:12:08 VPN charon: 03[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
Aug 26 04:12:08 VPN charon: 03[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
Aug 26 04:12:08 VPN charon: 03[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
Aug 26 04:12:08 VPN charon: 03[NET] sending packet: from [server][4500] to [client][4500] (1248 bytes)
Aug 26 04:12:08 VPN charon: 03[NET] sending packet: from [server][4500] to [client][4500] (1248 bytes)
Aug 26 04:12:08 VPN charon: 03[NET] sending packet: from [server][4500] to [client][4500] (967 bytes)
Aug 26 04:12:08 VPN charon: 06[NET] received packet: from [client][4500] to [server][4500] (72 bytes)
Aug 26 04:12:08 VPN charon: 06[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Aug 26 04:12:08 VPN charon: 06[IKE] received EAP identity 'VPNuser'
Aug 26 04:12:08 VPN charon: 06[IKE] initiating EAP_MSCHAPV2 method (id 0x2C)
Aug 26 04:12:08 VPN charon: 06[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Aug 26 04:12:08 VPN charon: 06[NET] sending packet: from [server][4500] to 10[client][4500] (97 bytes)
Aug 26 04:12:08 VPN charon: 04[NET] received packet: from [client][4500] to [server][4500] (128 bytes)
Aug 26 04:12:08 VPN charon: 04[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Aug 26 04:12:08 VPN charon: 04[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Aug 26 04:12:08 VPN charon: 04[NET] sending packet: from [server][4500] to [client][4500] (134 bytes)
Aug 26 04:12:08 VPN charon: 08[NET] received packet: from [client][4500] to [server][4500] (72 bytes)
Aug 26 04:12:08 VPN charon: 08[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Aug 26 04:12:08 VPN charon: 08[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Aug 26 04:12:08 VPN charon: 08[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Aug 26 04:12:08 VPN charon: 08[NET] sending packet: from [server][4500] to [client][4500] (65 bytes)
Aug 26 04:12:08 VPN charon: 09[NET] received packet: from [client][4500] to [server][4500] (104 bytes)
Aug 26 04:12:08 VPN charon: 09[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Aug 26 04:12:08 VPN charon: 09[IKE] authentication of 'server hostname' with EAP successful
Aug 26 04:12:08 VPN charon: 09[IKE] authentication of 'server hostname' (myself) with EAP
Aug 26 04:12:08 VPN charon: 09[IKE] IKE_SA roadwarrior[3] established between [server][server hostname]...[client][server hostname]
Aug 26 04:12:08 VPN charon: 09[IKE] peer requested virtual IP %any
Aug 26 04:12:08 VPN charon: 09[CFG] reassigning offline lease to 'VPNuser'
Aug 26 04:12:08 VPN charon: 09[IKE] assigning virtual IP 10.10.10.1 to peer 'VPNuser'
Aug 26 04:12:08 VPN charon: 09[IKE] peer requested virtual IP %any6
Aug 26 04:12:08 VPN charon: 09[IKE] no virtual IP found for %any6 requested by 'VPNuser'
Aug 26 04:12:08 VPN charon: 09[IKE] CHILD_SA roadwarrior{3} established with SPIs cd9e39cb_i 0652e9db_o and TS 0.0.0.0/0 === 10.10.10.1/32
Aug 26 04:12:08 VPN charon: 09[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Aug 26 04:12:08 VPN charon: 09[NET] sending packet: from [server][4500] to [client][4500] (229 bytes)

Hello. First of all, you have made very nice script. I got scaleway VPS. Lateset ubuntu is 17.04 so i did some changes.

1. allow to start from 17.04 ubuntu
2. add dig command check and install dnsutils if not

On my android device with strongswan app installed everything is ok. But i'm unable to connect to sever from any other device. IOS with script generated config and windows 7/10 with default vpn client.

What should i do to make it work?

Thank you

After install on my Google cloud server, I can't connect to the server at any port, it's not responding.

When trying to install this I get the following:

=== Requesting configuration data ===

Timezone (e.g. Europe/London): Eastern
Email address for sysadmin (e.g. [email protected]): [email protected]
Port for SSH login (e.g. 22): 22

Login username: sparkle
Login password (must be STRONG!):
Confirm login password:

** Hostname for VPN must ALREADY resolve to this machine, to enable Let's Encrypt certificate setup**
Hostname for VPN (e.g. vpn.example.com): ivpn.mysparklepools.com
VPN username: sparkle
VPN password (no quotes, please):
Confirm VPN password:

=== Updating and installing software ===

Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
Hit:2 http://us.archive.ubuntu.com/ubuntu xenial InRelease
Get:3 http://us.archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]
Ign:4 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0 InRelease
Get:5 http://us.archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]
Ign:6 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0 Release
Ign:7 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse i386 Packages
Hit:8 https://deb.nodesource.com/node_5.x xenial InRelease
Ign:9 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse all Packages
Ign:10 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en_US
Get:11 http://us.archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [433 kB]
Ign:12 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en
Ign:7 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse i386 Packages
Get:13 http://us.archive.ubuntu.com/ubuntu xenial-updates/main Translation-en [172 kB]
Get:14 http://us.archive.ubuntu.com/ubuntu xenial-updates/universe i386 Packages [366 kB]
Get:15 http://us.archive.ubuntu.com/ubuntu xenial-updates/universe Translation-en [135 kB]
Get:16 http://us.archive.ubuntu.com/ubuntu xenial-updates/multiverse Translation-en [3,080 B]
Ign:9 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse all Packages
Ign:10 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en_US
Ign:12 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en
Ign:7 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse i386 Packages
Ign:9 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse all Packages
Ign:10 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en_US
Ign:12 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en
Ign:7 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse i386 Packages
Ign:9 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse all Packages
Ign:10 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en_US
Ign:12 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en
Ign:7 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse i386 Packages
Ign:9 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse all Packages
Ign:10 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en_US
Ign:12 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en
Err:7 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse i386 Packages
404 Not Found
Ign:9 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse all Packages
Ign:10 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en_US
Ign:12 http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0/multiverse Translation-en
Fetched 1,416 kB in 3s (385 kB/s)
Reading package lists... Done
W: The repository 'http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.0 Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch http://repo.mongodb.org/apt/ubuntu/dists/xenial/mongodb-org/3.0/multiverse/binary-i386/Packages 404 Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package certbot

Is this set up properly or no? It doesn't seem it haha any ideas what is going on? I ran this as sudo ./setup.sh

Hi. I found a curious problem.
I have clean Ubuntu 17 image on DigitalOcean, where I installed StrongSwan. It works nicely.
I also installed Apache2 and enabled it in the UFW.

Problem is that I can't access it from my browser - not by IP, not by hostname. SSH to machine works, VPN clients connect, but not HTTP. If I wget' my hostname or IP on the local terminal (in SSH), I am able to receive contents of my test index.html, so it is certainly not Apache's problem, but firewall's.

It is certainly an issue with the way the script has configured firewall rules, but I can't figure it out. Please point me in the right direction.

Hi,

Thanks a lot for this great script.
I was wondering, if using a Public CA (Let's Encrypt) for certificates would be wise?
Isn't it better and more secure if we self-signed the certs?
I am not sure if this comment in this -> https://serverfault.com/a/763694 question is technically right or not, but if it is, then a self-signed cert would be a lot better.

Thanks.

I follow tutorial but vpn client did not connect to server
I can ping to my domain address on my own VPS but I can't ping on out side of it.
did you think this is the main problem or some thing other?

Hi,
Everything looks good in my environment. The clients can get an IP address from the DHCP Server and can go to LAN and WAN without any problem, but.....all the clients get the same IP address from the DHCP Server. I have tested with another DHCP Server (1st was a Firewall DHCP and 2nd was a Windows Server DHCP) and it's the same.

My Config files are:
/etc/ipsec.conf

config setup
strictcrlpolicy=no
uniqueids=never
charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn roadwarrior
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384!
esp=aes256gcm16-sha256!
dpdaction=clear
dpddelay=180s
rekey=no

left=%any
[email protected]
leftcert=cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0

right=%any
rightid=%any
rightauth=eap-mschapv2
eap_identity=%any
rightdns=dns1 ip address, dns2 IP address
rightsourceip=%dhcp
rightsendcert=never
/etc/sysctl.d/99-strongswan.conf

net.ipv4.ip_forward=1
/etc/strongswan.d/charon/dhcp.conf

dhcp {
force_server_address = yes
identity_lease = yes
interface = eth0
load = yes
server = 10.10.0.1 #DHCP IP address
}
charon {
load_modular = yes
dns1 = dns 1 ip address
dns2 = dns 2 ip address
plugins {
include strongswan.d/charon/*.conf
attr {
split-include = 10.10.0.0/16 # Send only traffic destined to leftsubnet to the tunnel interface
split-exclude = 0.0.0.0/0 # Mac OS X client responsible for routing all non-tunnel traffic elsewhere
28674 = rva.org
dns = dns 1 ip address, dns 2 ip address
}
}
}

include strongswan.d/*.conf
IPTABLES
#PS: That is not my config, but I tested with that to make sure that there is nothing wrong with it.

#Clean IP Tables

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Questions 1: How to fix that the DHCP gives a different IP address to each VPN Client ?

Like...I made a test using rightsourceip=10.10.1.247/32 and the client works with no problem, but for the firewall, looks like the connection comes from the server. The server have free access to the internet, but the Clients should auth first.

How to change the way that the VPN Client go to the LAN, to because a normal client ?
Or how to fix the DHCP Issue that gives the same IP address to all the VPN Client?

On the regular script, verification will fail with timeout due to IPTables being set to deny all but HTTPS. however, the command used by certbot is HTTP; I had to edit my setup.sh to allow (and then deny) port 80 not 443. This should be added into the script if possible (I'd PR but I don't know if there's a better way)

Hi. I would greatly appreciate if you'd add basic filtering capability to block requests to known ad/analytics osts, such as Google Analytics.