I have an issue connecting to an IKEv2 VPN running on an Ubuntu VM on GCP. I am trying to connect with macOS and Windows. I followed this tutorial to install the VPN on an Ubuntu VM. I need a VPN so that I can have a static IP for multiple people and connect to apps running on GCP that are not public. I read that a client/server VPN is the solution I need, which is why I tried this tutorial. Possibly the issue with the configuration is that only Ubuntu OS will be able to connect to the VPN?
The only difference from the tutorial is that I changed the domain names in the tutorial to the IP address of the GCP VM. The error message on macOS is "User Authentication failed" and I have loaded the ca.cert.pem from the VPN server into Keychain Access on my macOS. Connecting from Windows 10 is a similar problem. I put the pem file in the Trusted Root Certification Authorities but couldn't connect using username and password.
Found the following logs in the Ubuntu server's /var/log/syslog when trying to connect with the macOS built-in IKEv2 client:
Jun 13 12:54:14 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.152.0.2[500]
Jun 13 12:54:14 vpn-instance charon: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance charon: 09[MGR] checkout IKEv2 SA by message with SPIs e2706de3b7c70401_i 0000000000000000_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500] (740 bytes)
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 10[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.152.0.2[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] checkout IKEv2 SA by message with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.152.0.2[4500] (80 bytes)
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[IKE] initiating EAP_MSCHAPV2 method (id 0x9C)
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500] (112 bytes)
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 11[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] checkout IKEv2 SA with SPIs 05c7426145bd1401_i 0b4b7fc130e9023e_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jun 13 12:54:14 vpn-instance ipsec[540]: 12[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 13[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] checkin IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 14[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] checkout IKEv2 SA with SPIs 05c7426145bd1401_i 0b4b7fc130e9023e_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jun 13 12:54:14 vpn-instance charon: 09[MGR] created IKE_SA (unnamed)[7]
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[5]
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[IKE] IKE_SA ipsec-ikev2-vpn[5] state change: CONNECTING => DESTROYING
Jun 13 12:54:14 vpn-instance ipsec[540]: 15[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] IKE_SA ipsec-ikev2-vpn[6] successfully checked out
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[6]
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[IKE] IKE_SA ipsec-ikev2-vpn[6] state change: CONNECTING => DESTROYING
Jun 13 12:54:14 vpn-instance ipsec[540]: 16[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 06[MGR] checkout IKEv2 SA with SPIs 05c7426145bd1401_i 0b4b7fc130e9023e_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 06[MGR] IKE_SA checkout not successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 05[MGR] checkout IKEv2 SA with SPIs 34ad7c643920ad6b_i 4b3661d3bf822b14_r
Jun 13 12:54:14 vpn-instance ipsec[540]: 05[MGR] IKE_SA checkout not successful
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.152.0.2[500]
Jun 13 12:54:14 vpn-instance ipsec[540]: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance ipsec[540]: 09[MGR] checkout IKEv2 SA by message with SPIs e2706de3b7c70401_i 0000000000000000_r
Jun 13 12:54:14 vpn-instance charon: 03[NET] waiting for data on sockets
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkout IKEv2 SA by message with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:14 vpn-instance charon: 14[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:14 vpn-instance charon: 14[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.152.0.2[4500] (80 bytes)
Jun 13 12:54:14 vpn-instance charon: 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 13 12:54:14 vpn-instance charon: 14[IKE] initiating EAP_MSCHAPV2 method (id 0x4A)
Jun 13 12:54:14 vpn-instance charon: 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 12:54:14 vpn-instance charon: 14[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500] (112 bytes)
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkin IKE_SA ipsec-ikev2-vpn[8]
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkin of IKE_SA successful
Jun 13 12:54:14 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 16[MGR] checkout IKEv2 SA with SPIs e2706de3b7c70401_i 3ff8ef2239e91120_r
Jun 13 12:54:34 vpn-instance charon: 16[MGR] IKE_SA ipsec-ikev2-vpn[7] successfully checked out
Jun 13 12:54:34 vpn-instance charon: 16[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 16[MGR] checkin IKE_SA ipsec-ikev2-vpn[7]
Jun 13 12:54:34 vpn-instance charon: 16[MGR] checkin of IKE_SA successful
Jun 13 12:54:34 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 06[MGR] checkout IKEv2 SA with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:34 vpn-instance charon: 06[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:34 vpn-instance charon: 06[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:34 vpn-instance charon: 06[MGR] checkin IKE_SA ipsec-ikev2-vpn[8]
Jun 13 12:54:34 vpn-instance charon: 06[MGR] checkin of IKE_SA successful
Jun 13 12:54:34 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.xxx[4500]
Jun 13 12:54:44 vpn-instance charon: 05[MGR] checkout IKEv2 SA with SPIs e2706de3b7c70401_i 3ff8ef2239e91120_r
Jun 13 12:54:44 vpn-instance charon: 05[MGR] IKE_SA ipsec-ikev2-vpn[7] successfully checked out
Jun 13 12:54:44 vpn-instance charon: 05[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:44 vpn-instance charon: 05[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[7]
Jun 13 12:54:44 vpn-instance charon: 05[IKE] IKE_SA ipsec-ikev2-vpn[7] state change: CONNECTING => DESTROYING
Jun 13 12:54:44 vpn-instance charon: 05[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkout IKEv2 SA with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:44 vpn-instance charon: 07[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:44 vpn-instance charon: 07[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkin and destroy IKE_SA ipsec-ikev2-vpn[8]
Jun 13 12:54:44 vpn-instance charon: 07[IKE] IKE_SA ipsec-ikev2-vpn[8] state change: CONNECTING => DESTROYING
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkin and destroy of IKE_SA successful
Jun 13 12:54:54 vpn-instance charon: 08[MGR] checkout IKEv2 SA with SPIs e2706de3b7c70401_i 3ff8ef2239e91120_r
Jun 13 12:54:54 vpn-instance charon: 08[MGR] IKE_SA checkout not successful
Jun 13 12:54:54 vpn-instance charon: 09[MGR] checkout IKEv2 SA with SPIs 25159daea9f11f1d_i 64799938fac7977c_r
Jun 13 12:54:54 vpn-instance charon: 09[MGR] IKE_SA checkout not successful
Please let me know what could be wrong?
Edit
I added more syslog output above from when I try to connect from my log.
Here is the /etc/ipsec.conf configuration:
config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
    strictcrlpolicy=no
    uniqueids=yes
    cachecrls=no

conn ipsec-ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=xx.xxx.xxx.219
    leftcert=server.cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=192.168.0.0/24
    rightdns=8.8.8.8 # DNS to be assigned to clients
    rightsendcert=never
    eap_identity=%identity
The macOS VPN configuration is just Server Address and Remote ID being the IP address of the Ubuntu server and related Authentication Settings, which is the username and password I set in /etc/ipsec.secrets.
I could not see any VPN-related events in logs on the MacBook such as racoon.log or ppp.log. It is hard to find info about macOS VPN logs on the net as well, which is why figuring out this issue has been tricky. Anywhere else the IKEv2 VPN logs could be in Big Sur?
Solved
Had to make sure the username and password are applied properly in the Mac IKEv2 Authentication Settings.
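
A triage script for charon output like the syslog excerpt above, added here as an example and not part of the original post. It attributes each line to an IKE_SA and reports where the EAP exchange stopped before the half-open timeout. The names `trace_sas` and `diagnose` are hypothetical, and the attribution rule is an assumption stated in the comments.

```python
import re
from collections import defaultdict

# Lines taken from the syslog excerpt in the post (IKE_SA [8], peer address masked).
SAMPLE = """\
Jun 13 12:54:14 vpn-instance charon: 14[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:14 vpn-instance charon: 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jun 13 12:54:14 vpn-instance charon: 14[IKE] initiating EAP_MSCHAPV2 method (id 0x4A)
Jun 13 12:54:14 vpn-instance charon: 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jun 13 12:54:14 vpn-instance charon: 14[MGR] checkin of IKE_SA successful
Jun 13 12:54:44 vpn-instance charon: 07[MGR] IKE_SA ipsec-ikev2-vpn[8] successfully checked out
Jun 13 12:54:44 vpn-instance charon: 07[JOB] deleting half open IKE_SA with xxx.xxx.xxx.xxx after timeout
Jun 13 12:54:44 vpn-instance charon: 07[IKE] IKE_SA ipsec-ikev2-vpn[8] state change: CONNECTING => DESTROYING
Jun 13 12:54:44 vpn-instance charon: 07[MGR] checkin and destroy of IKE_SA successful
"""

# Assumption: the numeric prefix is the charon worker thread; lines a thread logs
# between "successfully checked out" and "checkin ... successful" belong to that SA.
LINE = re.compile(r"(?:charon|ipsec\[\d+\]): (\d+)\[\w+\] (.*)$")
CHECKOUT = re.compile(r"IKE_SA (\S+\[\d+\]) successfully checked out")
CHECKIN = re.compile(r"checkin(?: and destroy)? of IKE_SA successful")
PAYLOAD = re.compile(r"(parsed|generating) IKE_AUTH \w+ \d+ \[ (.*?) \]")

def trace_sas(log_text):
    """Return {sa_name: [event, ...]} in log order, one list per IKE_SA."""
    held = {}                     # worker thread id -> SA it currently holds
    events = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        tid, msg = m.groups()
        if (c := CHECKOUT.search(msg)):
            held[tid] = c.group(1)
        elif CHECKIN.search(msg):
            held.pop(tid, None)
        elif tid in held:
            if (p := PAYLOAD.search(msg)):
                direction = "recv" if p.group(1) == "parsed" else "sent"
                events[held[tid]].append(f"{direction} {p.group(2)}")
            elif "half open IKE_SA" in msg:
                events[held[tid]].append("half-open timeout")
    return dict(events)

def diagnose(events):
    """Flag SAs torn down right after an EAP request the client never answered."""
    return {sa: f"client never answered {ev[-2][5:]}" for sa, ev in events.items()
            if ev[-2:-1] and ev[-1] == "half-open timeout" and ev[-2].startswith("sent EAP/REQ")}
```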