Comments (19)
jawj
commented on May 13, 2024
Is your eeePC definitely connected to the network (e.g. can you curl a webpage from it)? Do you see anything at all in the strongSwan logs (or /var/log/syslog) to indicate a connection being attempted?
This kind of thing can be tricky to diagnose from far away ...
from ikev2-setup.
Semsem8519
commented on May 13, 2024
Thanks for your help. Yes the machine is connected to the LAN and WAN. Also the strongswan shows trying to communicate with my external IP(I connected strongswn using no-ip address) but no response from my eeepc. During running the script, it asks me to enter hostanme which must resolve to this machine. I entered my no-ip domain address. Is that correct or it means something else? Thank you.
from ikev2-setup.
jawj
commented on May 13, 2024
Can you clarify what you mean by a 'no-ip domain address’?
The host needs to be something you can get a public SSL certificate for (e.g. vpn.example.com <http://vpn.example.com/>).
Otherwise you will probably have to manually create a self-signed server certificate, and then distribute your CA cert to all clients.
That’s out of scope for this script, and not something I can guide you through, but I know there are other tutorials out there that cover this.
… On 5 Jan 2017, at 16:47, Semsem8519 ***@***.***> wrote:
Thanks for your help. Yes the machine is connected to the LAN and WAN. Also the strongswan shows trying to communicate with my external IP(I connected strongswn using no-ip address). During running the script, it asks me to enter hostanme which must resolve to this machine. I entered my no-ip domain address. Is that correct or it means something else? Thank you.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#4 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAIpNKtBCu3o0h57fvLAJ_AGjhGiDfZ9ks5rPR6dgaJpZM4Lb3Wp>.
from ikev2-setup.
Semsem8519
commented on May 13, 2024
I mean I have a dynamic ip address updater provided by no-ip.com so that my hostname always reflects changes to my IP address provided by my Internet service provider(ISP). I will try and type the hostname as default http://vpn.examle.com and report later. Thanks.
from ikev2-setup.
jawj
commented on May 13, 2024
OK — a no-ip.com <http://no-ip.com/> address might work in principle, but Let’s Encrypt have a limit on the number of subdomains that can be registered (IIRC it’s 20 per week), so it’s possible that other people are exhausting that and then you can’t get your certificate.
Don’t type vpn.example.com <http://vpn.example.com/> as the host — that was only an example!
… On 5 Jan 2017, at 16:56, Semsem8519 ***@***.***> wrote:
I mean I have a dynamic ip address updater provided by no-ip.com so that my hostname always reflects changes to my IP address provided by my Internet service provider(ISP). I will try and type the hostname as default http://vpn.examle.com <http://vpn.examle.com/> and report later. Thanks.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#4 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAIpNPwyerXKskmPDoO2AVYA9dMpZ3_9ks5rPSDEgaJpZM4Lb3Wp>.
from ikev2-setup.
Semsem8519
commented on May 13, 2024
I still dont know from where I can get a hostname? Can you provide a hint like a link please? Thanks.
from ikev2-setup.
jawj
commented on May 13, 2024
You would need to register a domain name (with e.g. AWS, GoDaddy, Domain Monster), and probably then set up a CNAME record that aliases your no-ip.com <http://no-ip.com/> domain name.
… On 5 Jan 2017, at 17:14, Semsem8519 ***@***.***> wrote:
I still dont know from where I can get a public hostname? Can you provide a hint like a link please? Thanks.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#4 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAIpNAdaEgneGo45UtKh9Z6_SvH98s76ks5rPSTqgaJpZM4Lb3Wp>.
from ikev2-setup.
Semsem8519
commented on May 13, 2024
Thank you. Is there a command to delete the files previously generated by the script and start from scratch?
from ikev2-setup.
jawj
commented on May 13, 2024
No — I always run this on a VPS where it's easy to blow it away and start with a fresh distro install.
If all you need to do is request an alternative certificate then these commands from the middle section should do it (you will need to manually export [email protected] and export VPNHOST=myvpn.example.com first, and start with a sudo su):
certbot certonly --non-interactive --agree-tos --email $EMAIL --standalone -d $VPNHOST
ln -s /etc/letsencrypt/live/$VPNHOST/cert.pem /etc/ipsec.d/certs/cert.pem
ln -s /etc/letsencrypt/live/$VPNHOST/privkey.pem /etc/ipsec.d/private/privkey.pem
ln -s /etc/letsencrypt/live/$VPNHOST/chain.pem /etc/ipsec.d/cacerts/chain.pem
echo "/etc/letsencrypt/archive/${VPNHOST}/* r," >> /etc/apparmor.d/local/usr.lib.ipsec.charon
aa-status --enabled && invoke-rc.d apparmor reload
I can't guarantee that's all you need, though ...
from ikev2-setup.
Semsem8519
commented on May 13, 2024
I reinstalled Lubuntu 16.10 32bit and run setup script again. This time I am getting this
Setting up strongswan (5.3.5-1ubuntu4) ...
Setting up mailutils (1:2.99.99-1.1ubuntu3) ...
update-alternatives: using /usr/bin/frm.mailutils to provide /usr/bin/frm (frm) in auto mode
update-alternatives: using /usr/bin/from.mailutils to provide /usr/bin/from (from) in auto mode
update-alternatives: using /usr/bin/messages.mailutils to provide /usr/bin/messages (messages) in auto mode
update-alternatives: using /usr/bin/movemail.mailutils to provide /usr/bin/movemail (movemail) in auto mode
update-alternatives: using /usr/bin/readmsg.mailutils to provide /usr/bin/readmsg (readmsg) in auto mode
update-alternatives: using /usr/bin/dotlock.mailutils to provide /usr/bin/dotlock (dotlock) in auto mode
update-alternatives: using /usr/bin/mail.mailutils to provide /usr/bin/mailx (mailx) in auto mode
Setting up python-ndg-httpsclient (0.4.2-1) ...
Setting up python-acme (0.8.1-1) ...
Setting up python-certbot (0.8.1-2) ...
Setting up certbot (0.8.1-2) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for libc-bin (2.24-3ubuntu2) ...
Processing triggers for systemd (231-9ubuntu2) ...
Processing triggers for ufw (0.35-2) ...
Network interface: wlp2s0
External IP: 192.168.1.21
=== Configuring firewall ===
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.10.10.0/24 anywhere policy match dir in pol ipsec proto esp
ACCEPT all -- anywhere 10.10.10.0/24 policy match dir out pol ipsec proto esp
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
=== Configuring RSA certificates ===
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags
from ikev2-setup.
Semsem8519
commented on May 13, 2024
I made an account with Godaddy and made a CNAME record to point to my no-ip.com hostname.
from ikev2-setup.
Semsem8519
commented on May 13, 2024
Silly me I made a typo in email. Tried it again and got
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Network interface: wlp2s0
External IP: 192.168.1.21
=== Configuring firewall ===
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.10.10.0/24 anywhere policy match dir in pol ipsec proto esp
ACCEPT all -- anywhere 10.10.10.0/24 policy match dir out pol ipsec proto esp
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
=== Configuring RSA certificates ===
IMPORTANT NOTES:
-
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/vpn.semsem8519.com/fullchain.pem. Your cert
will expire on 2017-04-06. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew all of your certificates, run "certbot
renew" -
If you lose your account credentials, you can recover through
e-mails sent to [email protected]. -
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal. -
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
=== Configuring VPN ===
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...
=== User ===
adduser: The user sami' already exists. sami@sami-900A:~$
from ikev2-setup.
Semsem8519
commented on May 13, 2024
If I use my internal IP address in the hostname field of strongswan android's client, I get this log of error. Connecting with my external IP fails all the time. Are there other ports to forward beside 22/443?
Jan 6 07:26:54 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.10.73-g4cd47b6, aarch64)
Jan 6 07:26:54 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Jan 6 07:26:54 00[JOB] spawning 16 worker threads
Jan 6 07:26:54 04[IKE] initiating IKE_SA android[13] to 192.168.1.21
Jan 6 07:26:54 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 6 07:26:54 04[NET] sending packet: from 192.168.1.188[41665] to 192.168.1.21[500] (744 bytes)
Jan 6 07:26:54 07[NET] received packet: from 192.168.1.21[500] to 192.168.1.188[41665] (38 bytes)
Jan 6 07:26:54 07[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 6 07:26:54 07[IKE] peer didn't accept DH group ECP_256, it requested ECP_521
Jan 6 07:26:54 07[IKE] initiating IKE_SA android[13] to 192.168.1.21
Jan 6 07:26:54 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 6 07:26:54 07[NET] sending packet: from 192.168.1.188[41665] to 192.168.1.21[500] (812 bytes)
Jan 6 07:26:54 09[NET] received packet: from 192.168.1.21[500] to 192.168.1.188[41665] (340 bytes)
Jan 6 07:26:54 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 6 07:26:54 09[IKE] remote host is behind NAT
Jan 6 07:26:54 09[IKE] sending cert request for "C=CN, O=WoSign CA Limited, CN=CA WoSign ECC Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Autorit?? Racine"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=JP, O=Japanese Government, OU=ApplicationCA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=RO, O=certSIGN, OU=certSIGN ROOT CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FR, O=Dhimyotis, CN=Certigna"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign G2"
Jan 6 07:26:54 09[IKE] sending cert request for "O=RSA Security Inc, OU=RSA Security 2048 V3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=TR, L=Ankara, O=E-Tu??ra EBG Bili??im Teknolojileri ve Hizmetleri A.??., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4"
Jan 6 07:26:54 09[IKE] sending cert request for "C=TR, L=Gebze - Kocaeli, O=T??rkiye Bilimsel ve Teknolojik Ara??t??rma Kurumu - T??B??TAK, OU=Ulusal Elektronik ve Kriptoloji Ara??t??rma Enstit??s?? - UEKAE, OU=Kamu Sertifikasyon Merkezi, CN=T??B??TAK UEKAE K??k Sertifika Hizmet Sa??lay??c??s?? - S??r??m 3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI, CN=IGC/A, E=[email protected]"
Jan 6 07:26:54 09[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=SecureTrust CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Trusted Certificate Services"
Jan 6 07:26:54 09[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Qualified CA Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
Jan 6 07:26:54 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
Jan 6 07:26:54 09[IKE] sending cert request for "O=Cybertrust, Inc, CN=Cybertrust Global Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root CA 1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=IL, O=StartCom Ltd., CN=StartCom Certification Authority G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA 2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E=[email protected]"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Commercial"
Jan 6 07:26:54 09[IKE] sending cert request for "C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009"
Jan 6 07:26:54 09[IKE] sending cert request for "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
Jan 6 07:26:54 09[IKE] sending cert request for "E=[email protected], C=EE, O=AS Sertifitseerimiskeskus, CN=Juur-SK"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FR, O=Certplus, CN=Certplus Root CA G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=ch, O=Swisscom, OU=Digital Certificate Services, CN=Swisscom Root EV CA 2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware"
Jan 6 07:26:54 09[IKE] sending cert request for "C=ES, O=Generalitat Valenciana, OU=PKIGVA, CN=Root CA Generalitat Valenciana"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6"
Jan 6 07:26:54 09[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=ES, O=IZENPE S.A., CN=Izenpe.com"
Jan 6 07:26:54 09[IKE] sending cert request for "CN=Atos TrustedRoot 2011, O=Atos, C=DE"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FR, O=Certplus, CN=Certplus Root CA G1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=TR, L=Ankara, O=T??RKTRUST Bilgi ??leti??im ve Bili??im G??venli??i Hizmetleri A.??., CN=T??RKTRUST Elektronik Sertifika Hizmet Sa??lay??c??s?? H6"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FR, O=Certplus, CN=Class 2 Primary CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services"
Jan 6 07:26:54 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=Secure Certificate Services"
Jan 6 07:26:54 09[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication EV RootCA1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=TR, L=Ankara, O=T??RKTRUST Bilgi ??leti??im ve Bili??im G??venli??i Hizmetleri A.??., CN=T??RKTRUST Elektronik Sertifika Hizmet Sa??lay??c??s?? H5"
Jan 6 07:26:54 09[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=VISA, OU=Visa International Service Association, CN=Visa eCommerce Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=HU, L=Budapest, O=NetLock Kft., OU=Tan??s??tv??nykiad??k (Certification Services), CN=NetLock Arany (Class Gold) F??tan??s??tv??ny"
Jan 6 07:26:54 09[IKE] sending cert request for "C=FI, O=Sonera, CN=Sonera Class2 CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4"
Jan 6 07:26:54 09[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign"
Jan 6 07:26:54 09[IKE] sending cert request for "C=GB, O=Trustis Limited, OU=Trustis FPS Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3"
Jan 6 07:26:54 09[IKE] sending cert request for "CN=ACEDICOM Root, OU=PKI, O=EDICOM, C=ES"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=CN, O=WoSign CA Limited, CN=Certification Authority of WoSign"
Jan 6 07:26:54 09[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Public CA Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=Secure Global CA"
Jan 6 07:26:54 09[IKE] sending cert request for "CN=EBG Elektronik Sertifika Hizmet Sa??lay??c??s??, O=EBG Bili??im Teknolojileri ve Hizmetleri A.??., C=TR"
Jan 6 07:26:54 09[IKE] sending cert request for "O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"
Jan 6 07:26:54 09[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3"
Jan 6 07:26:54 09[IKE] sending cert request for "C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=[email protected]"
Jan 6 07:26:54 09[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
Jan 6 07:26:54 09[IKE] sending cert request for "OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign"
Jan 6 07:26:54 09[IKE] sending cert request for "C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC"
Jan 6 07:26:54 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust TTP Network, CN=AddTrust Class 1 CA Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root"
Jan 6 07:26:54 09[IKE] sending cert request for "O=TeliaSonera, CN=TeliaSonera Root CA v1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=Wells Fargo WellsSecure, OU=Wells Fargo Bank NA, CN=WellsSecure Public Root Certificate Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., OU=e-Szigno CA, CN=Microsec e-Szigno Root CA"
Jan 6 07:26:54 09[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign"
Jan 6 07:26:54 09[IKE] sending cert request for "C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Global Chambersign Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA"
Jan 6 07:26:54 09[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009"
Jan 6 07:26:54 09[IKE] sending cert request for "C=TW, O=Government Root Certification Authority"
Jan 6 07:26:54 09[IKE] sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008"
Jan 6 07:26:54 09[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2"
Jan 6 07:26:54 09[IKE] sending cert request for "C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT"
Jan 6 07:26:54 09[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA"
Jan 6 07:26:54 09[IKE] sending cert request for "CN=T??RKTRUST Elektronik Sertifika Hizmet Sa??lay??c??s??, C=TR, L=Ankara, O=T??RKTRUST Bilgi ??leti??im ve Bili??im G??venli??i Hizmetleri A.??. (c) Aral??k 2007"
Jan 6 07:26:54 09[IKE] sending cert request for "C=EU, O=AC Camerfirma SA CIF A82743287, OU=http://www.chambersign.org, CN=Chambers of Commerce Root"
Jan 6 07:26:54 09[IKE] sending cert request for "C=CN, O=WoSign CA Limited, CN=CA ???????????????"
Jan 6 07:26:54 09[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Networking"
Jan 6 07:26:54 09[IKE] establishing CHILD_SA android
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 6 07:26:54 09[ENC] splitting IKE message with length of 3632 bytes into 3 fragments
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ EF(1/3) ]
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ EF(2/3) ]
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ EF(3/3) ]
Jan 6 07:26:54 09[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (1364 bytes)
Jan 6 07:26:54 09[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (1364 bytes)
Jan 6 07:26:54 09[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (1076 bytes)
Jan 6 07:26:55 11[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 11[ENC] parsed IKE_AUTH response 1 [ EF(1/8) ]
Jan 6 07:26:55 11[ENC] received fragment #1 of 8, waiting for complete IKE message
Jan 6 07:26:55 10[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 10[ENC] parsed IKE_AUTH response 1 [ EF(2/8) ]
Jan 6 07:26:55 10[ENC] received fragment #2 of 8, waiting for complete IKE message
Jan 6 07:26:55 16[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 16[ENC] parsed IKE_AUTH response 1 [ EF(3/8) ]
Jan 6 07:26:55 16[ENC] received fragment #3 of 8, waiting for complete IKE message
Jan 6 07:26:55 12[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 12[ENC] parsed IKE_AUTH response 1 [ EF(4/8) ]
Jan 6 07:26:55 12[ENC] received fragment #4 of 8, waiting for complete IKE message
Jan 6 07:26:55 07[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 07[ENC] parsed IKE_AUTH response 1 [ EF(5/8) ]
Jan 6 07:26:55 07[ENC] received fragment #5 of 8, waiting for complete IKE message
Jan 6 07:26:55 13[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 13[ENC] parsed IKE_AUTH response 1 [ EF(6/8) ]
Jan 6 07:26:55 13[ENC] received fragment #6 of 8, waiting for complete IKE message
Jan 6 07:26:55 04[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (260 bytes)
Jan 6 07:26:55 04[ENC] parsed IKE_AUTH response 1 [ EF(8/8) ]
Jan 6 07:26:55 04[ENC] received fragment #8 of 8, waiting for complete IKE message
Jan 6 07:26:55 08[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 08[ENC] parsed IKE_AUTH response 1 [ EF(7/8) ]
Jan 6 07:26:55 08[ENC] received fragment #7 of 8, reassembling fragmented IKE message
Jan 6 07:26:55 08[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Jan 6 07:26:55 08[IKE] received end entity cert "CN=vpn.semsem8519.com"
Jan 6 07:26:55 08[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jan 6 07:26:55 08[CFG] using certificate "CN=vpn.semsem8519.com"
Jan 6 07:26:55 08[CFG] using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jan 6 07:26:55 08[CFG] using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3"
Jan 6 07:26:55 08[CFG] reached self-signed root ca with a path length of 1
Jan 6 07:26:55 08[IKE] authentication of 'vpn.semsem8519.com' with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 6 07:26:55 08[CFG] constraint check failed: identity '192.168.1.21' required
Jan 6 07:26:55 08[CFG] selected peer config 'android' inacceptable: constraint checking failed
Jan 6 07:26:55 08[CFG] no alternative config found
Jan 6 07:26:55 08[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Jan 6 07:26:55 08[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (96 bytes)
from ikev2-setup.
Semsem8519
commented on May 13, 2024
I opened port 500 and 4500 UDP and now the strongswan client is connected. Thank you very much for your help. Just one request please. Do you know if I can use Android native VPN client instead of strongswan app? The reason I want this because Android supports always-on VPN connection whereas strongswan app does not. I need this feature because I want to talk to my family from abroad with whatsapp as the calling feature is blocked there without VPN and I need to maintain VPN connection all the time because they may not know how to connect to it when it disconnects.
from ikev2-setup.
jawj
commented on May 13, 2024
Glad you got this working (though a bit confused, because my script already opens 500 and 4500 for UDP).
Afraid the built-in Android VPN client doesn't yet support IKEv2 AFAIK.
from ikev2-setup.
Semsem8519
commented on May 13, 2024
Sorry I meant I forwarded those ports in my router to my server machine local ip address.
from ikev2-setup.
jawj
commented on May 13, 2024
Oh, great. :)
from ikev2-setup.
Semsem8519
commented on May 13, 2024
Sorry I forgot to ask, while running the setup, we are asked to create a login user with a strong password, since a client is not using these info to login to the server, then what use they serve? Thanks
from ikev2-setup.
jawj
commented on May 13, 2024
The user name and password can be used to log in to the server via SSH.
from ikev2-setup.
Related Issues (20)
- generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ] HOT 2
- Neither new message via email nor new file in home folder HOT 1
- Possible kernel problem in charon? HOT 1
- some problems HOT 1
- Speed limit HOT 1
- entered username and password is correct but 'user authentication failed' error is received HOT 6
- Received disconnect from x.x.x.x port 22:2: Too many authentication failures
- let's encrypt chain HOT 2
- Certificate is Not Signed (iOS) HOT 2
- no session limit for account HOT 1
- Windows 11 - Policy match error HOT 5
- Not connecting on older macOS HOT 1
- apache2 only VPN
- RouterOS as client HOT 1
- Python error when installing HOT 3
- Unable to register an account with ACME server HOT 1
- DNS leak Windows 11 HOT 2
- "The specified port is already open" error? HOT 3
- Strongswan: no private key found. Windows 10: error 13801 HOT 8
- certbot: error: unrecognized arguments: --key-type rsa HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ikev2-setup.