Is your eeePC definitely connected to the network (e.g. can you curl a webpage from it)? Do you see anything at all in the strongSwan logs (or /var/log/syslog) to indicate a connection being attempted?
This kind of thing can be tricky to diagnose from far away ...
from ikev2-setup.
Thanks for your help. Yes, the machine is connected to the LAN and WAN. Also, strongSwan shows it trying to communicate with my external IP (I connected strongSwan using the no-ip address), but there is no response from my eeePC. While running the script, it asks me to enter a hostname which must resolve to this machine. I entered my no-ip domain address. Is that correct, or does it mean something else? Thank you.
from ikev2-setup.
I mean I have a dynamic IP address updater provided by no-ip.com so that my hostname always reflects changes to my IP address provided by my Internet service provider (ISP). I will try and type the hostname as default http://vpn.examle.com and report later. Thanks.
from ikev2-setup.
I still don't know where I can get a hostname. Can you provide a hint, like a link, please? Thanks.
from ikev2-setup.
Thank you. Is there a command to delete the files previously generated by the script and start from scratch?
from ikev2-setup.
No — I always run this on a VPS where it's easy to blow it away and start with a fresh distro install.
If all you need to do is request an alternative certificate then these commands from the middle section should do it (you will need to manually export [email protected] and export VPNHOST=myvpn.example.com first, and start with a sudo su):
certbot certonly --non-interactive --agree-tos --email $EMAIL --standalone -d $VPNHOST
ln -s /etc/letsencrypt/live/$VPNHOST/cert.pem /etc/ipsec.d/certs/cert.pem
ln -s /etc/letsencrypt/live/$VPNHOST/privkey.pem /etc/ipsec.d/private/privkey.pem
ln -s /etc/letsencrypt/live/$VPNHOST/chain.pem /etc/ipsec.d/cacerts/chain.pem
echo "/etc/letsencrypt/archive/${VPNHOST}/* r," >> /etc/apparmor.d/local/usr.lib.ipsec.charon
aa-status --enabled && invoke-rc.d apparmor reload
I can't guarantee that's all you need, though ...
from ikev2-setup.
I reinstalled Lubuntu 16.10 32bit and ran the setup script again. This time I am getting this:
Setting up strongswan (5.3.5-1ubuntu4) ...
Setting up mailutils (1:2.99.99-1.1ubuntu3) ...
update-alternatives: using /usr/bin/frm.mailutils to provide /usr/bin/frm (frm) in auto mode
update-alternatives: using /usr/bin/from.mailutils to provide /usr/bin/from (from) in auto mode
update-alternatives: using /usr/bin/messages.mailutils to provide /usr/bin/messages (messages) in auto mode
update-alternatives: using /usr/bin/movemail.mailutils to provide /usr/bin/movemail (movemail) in auto mode
update-alternatives: using /usr/bin/readmsg.mailutils to provide /usr/bin/readmsg (readmsg) in auto mode
update-alternatives: using /usr/bin/dotlock.mailutils to provide /usr/bin/dotlock (dotlock) in auto mode
update-alternatives: using /usr/bin/mail.mailutils to provide /usr/bin/mailx (mailx) in auto mode
Setting up python-ndg-httpsclient (0.4.2-1) ...
Setting up python-acme (0.8.1-1) ...
Setting up python-certbot (0.8.1-2) ...
Setting up certbot (0.8.1-2) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for libc-bin (2.24-3ubuntu2) ...
Processing triggers for systemd (231-9ubuntu2) ...
Processing triggers for ufw (0.35-2) ...
Network interface: wlp2s0
External IP: 192.168.1.21
=== Configuring firewall ===
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.10.10.0/24 anywhere policy match dir in pol ipsec proto esp
ACCEPT all -- anywhere 10.10.10.0/24 policy match dir out pol ipsec proto esp
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
=== Configuring RSA certificates ===
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags
from ikev2-setup.
I made an account with Godaddy and made a CNAME record to point to my no-ip.com hostname.
from ikev2-setup.
Silly me, I made a typo in the email. Tried it again and got:
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Network interface: wlp2s0
External IP: 192.168.1.21
=== Configuring firewall ===
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere state NEW recent: UPDATE seconds: 60 hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
all -- anywhere anywhere state NEW recent: SET name: DEFAULT side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.10.10.0/24 anywhere policy match dir in pol ipsec proto esp
ACCEPT all -- anywhere 10.10.10.0/24 policy match dir out pol ipsec proto esp
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
=== Configuring RSA certificates ===
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/vpn.semsem8519.com/fullchain.pem. Your cert
   will expire on 2017-04-06. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew all of your certificates, run "certbot
   renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected].
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
=== Configuring VPN ===
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...
=== User ===
adduser: The user `sami' already exists.
sami@sami-900A:~$
from ikev2-setup.
If I use my internal IP address in the hostname field of the strongSwan Android client, I get this error log. Connecting with my external IP fails all the time. Are there other ports to forward besides 22/443?
Jan 6 07:26:54 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.10.73-g4cd47b6, aarch64)
Jan 6 07:26:54 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Jan 6 07:26:54 00[JOB] spawning 16 worker threads
Jan 6 07:26:54 04[IKE] initiating IKE_SA android[13] to 192.168.1.21
Jan 6 07:26:54 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 6 07:26:54 04[NET] sending packet: from 192.168.1.188[41665] to 192.168.1.21[500] (744 bytes)
Jan 6 07:26:54 07[NET] received packet: from 192.168.1.21[500] to 192.168.1.188[41665] (38 bytes)
Jan 6 07:26:54 07[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 6 07:26:54 07[IKE] peer didn't accept DH group ECP_256, it requested ECP_521
Jan 6 07:26:54 07[IKE] initiating IKE_SA android[13] to 192.168.1.21
Jan 6 07:26:54 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 6 07:26:54 07[NET] sending packet: from 192.168.1.188[41665] to 192.168.1.21[500] (812 bytes)
Jan 6 07:26:54 09[NET] received packet: from 192.168.1.21[500] to 192.168.1.188[41665] (340 bytes)
Jan 6 07:26:54 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jan 6 07:26:54 09[IKE] remote host is behind NAT
Jan 6 07:26:54 09[IKE] establishing CHILD_SA android
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 6 07:26:54 09[ENC] splitting IKE message with length of 3632 bytes into 3 fragments
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ EF(1/3) ]
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ EF(2/3) ]
Jan 6 07:26:54 09[ENC] generating IKE_AUTH request 1 [ EF(3/3) ]
Jan 6 07:26:54 09[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (1364 bytes)
Jan 6 07:26:54 09[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (1364 bytes)
Jan 6 07:26:54 09[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (1076 bytes)
Jan 6 07:26:55 11[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 11[ENC] parsed IKE_AUTH response 1 [ EF(1/8) ]
Jan 6 07:26:55 11[ENC] received fragment #1 of 8, waiting for complete IKE message
Jan 6 07:26:55 10[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 10[ENC] parsed IKE_AUTH response 1 [ EF(2/8) ]
Jan 6 07:26:55 10[ENC] received fragment #2 of 8, waiting for complete IKE message
Jan 6 07:26:55 16[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 16[ENC] parsed IKE_AUTH response 1 [ EF(3/8) ]
Jan 6 07:26:55 16[ENC] received fragment #3 of 8, waiting for complete IKE message
Jan 6 07:26:55 12[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 12[ENC] parsed IKE_AUTH response 1 [ EF(4/8) ]
Jan 6 07:26:55 12[ENC] received fragment #4 of 8, waiting for complete IKE message
Jan 6 07:26:55 07[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 07[ENC] parsed IKE_AUTH response 1 [ EF(5/8) ]
Jan 6 07:26:55 07[ENC] received fragment #5 of 8, waiting for complete IKE message
Jan 6 07:26:55 13[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 13[ENC] parsed IKE_AUTH response 1 [ EF(6/8) ]
Jan 6 07:26:55 13[ENC] received fragment #6 of 8, waiting for complete IKE message
Jan 6 07:26:55 04[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (260 bytes)
Jan 6 07:26:55 04[ENC] parsed IKE_AUTH response 1 [ EF(8/8) ]
Jan 6 07:26:55 04[ENC] received fragment #8 of 8, waiting for complete IKE message
Jan 6 07:26:55 08[NET] received packet: from 192.168.1.21[4500] to 192.168.1.188[48020] (532 bytes)
Jan 6 07:26:55 08[ENC] parsed IKE_AUTH response 1 [ EF(7/8) ]
Jan 6 07:26:55 08[ENC] received fragment #7 of 8, reassembling fragmented IKE message
Jan 6 07:26:55 08[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Jan 6 07:26:55 08[IKE] received end entity cert "CN=vpn.semsem8519.com"
Jan 6 07:26:55 08[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jan 6 07:26:55 08[CFG] using certificate "CN=vpn.semsem8519.com"
Jan 6 07:26:55 08[CFG] using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jan 6 07:26:55 08[CFG] using trusted ca certificate "O=Digital Signature Trust Co., CN=DST Root CA X3"
Jan 6 07:26:55 08[CFG] reached self-signed root ca with a path length of 1
Jan 6 07:26:55 08[IKE] authentication of 'vpn.semsem8519.com' with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 6 07:26:55 08[CFG] constraint check failed: identity '192.168.1.21' required
Jan 6 07:26:55 08[CFG] selected peer config 'android' inacceptable: constraint checking failed
Jan 6 07:26:55 08[CFG] no alternative config found
Jan 6 07:26:55 08[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Jan 6 07:26:55 08[NET] sending packet: from 192.168.1.188[48020] to 192.168.1.21[4500] (96 bytes)
from ikev2-setup.
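In the log above the server certificate authenticates as the hostname, but the client then rejects the peer because it required the server's LAN address as its identity. As an added example (not part of the thread or of ikev2-setup), here is a small Python triage for a strongSwan client log of this shape; the sample lines are constructed in the same format with placeholder values, and `diagnose` is a hypothetical helper name.

```python
import re

# Constructed sample in the format of the charon log above (placeholder values).
SAMPLE_LOG = """\
Jan 6 07:26:55 04[ENC] received fragment #2 of 2, waiting for complete IKE message
Jan 6 07:26:55 08[ENC] received fragment #1 of 2, reassembling fragmented IKE message
Jan 6 07:26:55 08[IKE] authentication of 'vpn.example.com' with RSA_EMSA_PKCS1_SHA2_384 successful
Jan 6 07:26:55 08[CFG] constraint check failed: identity '192.0.2.21' required
Jan 6 07:26:55 08[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

LINE = re.compile(r"^\w+\s+\d+\s+[\d:]+\s+\d+\[(?P<sub>[A-Z]+)\]\s+(?P<msg>.*)$")
FRAG = re.compile(r"received fragment #(\d+) of (\d+)")
AUTH_OK = re.compile(r"authentication of '([^']+)' with \S+ successful")
ID_REQ = re.compile(r"constraint check failed: identity '([^']+)' required")


def diagnose(log_text):
    """Return (verdict, details) for one IKE_AUTH exchange in a charon log."""
    seen, total = set(), 0
    authenticated = required = None
    auth_failed = False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a charon line (e.g. a page separator)
        sub, msg = m["sub"], m["msg"]
        if f := FRAG.search(msg):
            seen.add(int(f[1]))  # fragments may arrive out of order
            total = int(f[2])
        elif a := AUTH_OK.search(msg):
            authenticated = a[1]  # identity proven by the certificate
        elif r := ID_REQ.search(msg):
            required = r[1]  # identity the client profile insists on
        elif sub == "ENC" and "N(AUTH_FAILED)" in msg:
            auth_failed = True
    missing = sorted(set(range(1, total + 1)) - seen)
    details = {"authenticated": authenticated, "required": required,
               "missing_fragments": missing}
    if missing:
        return "incomplete-fragments", details
    if required is not None and required != authenticated:
        return "identity-mismatch", details
    if auth_failed:
        return "auth-failed-other", details
    return "ok", details


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A verdict of `identity-mismatch` points at the client profile rather than the certificate chain: connect using the hostname in the certificate, or set the profile's server identity to that hostname.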
I opened ports 500 and 4500 UDP and now the strongSwan client is connected. Thank you very much for your help. Just one request, please. Do you know if I can use the Android native VPN client instead of the strongSwan app? The reason I want this is that Android supports an always-on VPN connection whereas the strongSwan app does not. I need this feature because I want to talk to my family from abroad with WhatsApp, as the calling feature is blocked there without a VPN, and I need to maintain the VPN connection all the time because they may not know how to connect to it when it disconnects.
from ikev2-setup.
Glad you got this working (though a bit confused, because my script already opens 500 and 4500 for UDP).
Afraid the built-in Android VPN client doesn't yet support IKEv2 AFAIK.
from ikev2-setup.
Sorry, I meant I forwarded those ports in my router to my server machine's local IP address.
from ikev2-setup.
Oh, great. :)
from ikev2-setup.
Sorry, I forgot to ask: while running the setup, we are asked to create a login user with a strong password. Since a client is not using this info to log in to the server, what use does it serve? Thanks.
from ikev2-setup.
The user name and password can be used to log in to the server via SSH.
from ikev2-setup.