I’ve set up 2 Strongswan VPNs in Digital Ocean. Both work. 2 of my attempts have failed in GGL cloud. Documenting process here.

Only noticeable difference is eth0 on DO vs. ens4 on GGL. I updated /etc/ufw/before.rules accordingly.
ipsec.conf:

```
conn UserandPass
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=My_server_IP_removed
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/28
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=aes256gcm16-sha384-prfsha512-ecp521
    esp=aes256gcm16-ecp521,aes256-sha256
    ikelifetime=10h
    margintime=20m
```
Win10 client fails with: “The network connection between your computer and the VPN server could not be established because the remote server is not responding”.

Strongswan Android client responds with “establishing IKE_SA failed, peer not responding”.
Rebuilt ufw from scratch to ensure that isn’t the problem:

```
500,4500/udp ALLOW Anywhere
```
Increased log level to 4 at the top of ipsec.conf:

```
config setup
    charondebug="ike 4, knl 4, cfg 4"
```

Ran:

```
sudo ipsec rereadsecrets && sudo service ipsec reload && sudo service ipsec restart
```
WIN10

Upgraded DH group by running:

```
Set-VpnConnectionIPsecConfiguration -Name "nfpvpn" -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 -DHGroup ECP384 -IntegrityCheckMethod SHA384 -PfsGroup ECP384 -EncryptionMethod GCMAES256
```

Rebooted. Still failing.
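As an added example (not from the original post, and not strongSwan's or Windows' own tooling), the following Python check compares the ike= line above with what the Windows client is configured to propose, component by component. The Windows-to-strongSwan name table and the assumption that the client's PRF follows IntegrityCheckMethod are assumptions of the example, as is the strongSwan rule it encodes that integrity tokens double as PRFs only when no explicit prf token is given.

```python
import re

# strongSwan ike= proposal line from the post's ipsec.conf
SERVER_IKE = "aes256gcm16-sha384-prfsha512-ecp521"
# Values from the post's Set-VpnConnectionIPsecConfiguration call
WIN_CLIENT = {"EncryptionMethod": "GCMAES256", "IntegrityCheckMethod": "SHA384",
              "DHGroup": "ECP384"}
# Hypothetical mapping of Windows parameter values to strongSwan tokens (assumption)
WIN_TO_SS = {"GCMAES256": "aes256gcm16", "AES256": "aes256", "SHA384": "sha384",
             "SHA256": "sha256", "ECP384": "ecp384", "ECP256": "ecp256",
             "Group14": "modp2048"}

def parse_ss_proposal(prop):
    """Split one strongSwan proposal (tokens joined by '-') into component sets."""
    encr, integ, prf, dh = set(), set(), set(), set()
    for tok in prop.split("-"):
        if tok.startswith("prf"):
            prf.add(tok)
        elif re.match(r"(ecp|modp|curve|x25519|x448)", tok):
            dh.add(tok)
        elif re.match(r"(aes|3des|chacha|camellia|null)", tok):
            encr.add(tok)
        else:
            integ.add(tok)
    if not prf:  # integrity tokens double as PRFs unless a PRF is given explicitly
        prf = {"prf" + i for i in integ}
    if any("gcm" in e or "ccm" in e or "chacha" in e for e in encr):
        integ = set()  # AEAD ciphers carry no separate integrity algorithm
    return {"encr": encr, "integ": integ, "prf": prf, "dh": dh}

def client_components(win):
    """What the Windows client is assumed to propose, in strongSwan token names."""
    encr = WIN_TO_SS[win["EncryptionMethod"]]
    integ = WIN_TO_SS[win["IntegrityCheckMethod"]]
    aead = "gcm" in encr
    return {"encr": {encr}, "integ": set() if aead else {integ},
            "prf": {"prf" + integ}, "dh": {WIN_TO_SS[win["DHGroup"]]}}

def ike_mismatches(server_line, win):
    """Components with no common value in any server proposal (empty == agreeable)."""
    client = client_components(win)
    bad = []
    for comp in ("encr", "integ", "prf", "dh"):
        agree = any((parse_ss_proposal(p)[comp] & client[comp]) or
                    (not parse_ss_proposal(p)[comp] and not client[comp])
                    for p in server_line.split(","))
        if not agree:
            bad.append(comp)
    return bad

print(ike_mismatches(SERVER_IKE, WIN_CLIENT))  # -> ['prf', 'dh']
```

A proposal mismatch alone would normally make the responder answer with NO_PROPOSAL_CHOSEN rather than stay silent, so a “peer not responding” result is also worth checking against whatever filters UDP 500/4500 in front of the instance (the cloud network's own firewall rules), not only ufw on the host.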