Score:1

Established connection to StrongSwan VPN running on Ubuntu but can't connect to the internet

br flag

I have an issue connecting to the internet even though I have established a connection to an IKEv2 VPN running on an Ubuntu VM on GCP. I have connected to the VPN from my MacBook. I followed this tutorial to install the VPN on an Ubuntu VM. The only difference from the tutorial is that I changed the domain names in the tutorial to an IP address of the GCP VM.

Here is the /etc/ipsec.conf configuration:

config setup
  charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
  strictcrlpolicy=no
  uniqueids=yes
  cachecrls=no

conn ipsec-ikev2-vpn
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  dpdaction=clear
  dpddelay=300s
  rekey=no
  left=%any
  leftid=xx.xxx.xxx.219
  leftcert=server.cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  rightsourceip=192.168.0.0/24
  rightdns=8.8.8.8 # DNS to be assigned to clients
  rightsendcert=never
  eap_identity=%identity

Here is the iptables:

$ iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 751 packets, 119K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain INPUT (policy ACCEPT 7 packets, 3808 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 35 packets, 2840 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 767 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

/etc/sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

If I ssh into the Ubuntu server I can curl any public website. This leads me to believe it's something to do with the StrongSwan configuration. I have some pics of the network configuration on GCP for the VM if needed.


What configuration do I change to access the internet via the IKEv2 VPN?

Edit: Below are some logs from syslog

Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 09[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 000000000000
0000_r
Jul 18 07:09:41 vpn-instance charon: 09[MGR] created IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance charon: 09[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500] (604 byt
es)
Jul 18 07:09:41 vpn-instance charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NA
TD_D_IP) N(FRAG_SUP) ]
Jul 18 07:09:41 vpn-instance charon: 09[CFG] looking for an IKEv2 config for 10.152.0.2...xxx.xxx.xxx.112
Jul 18 07:09:41 vpn-instance charon: 09[CFG]   candidate: %any...%any, prio 28
Jul 18 07:09:41 vpn-instance charon: 09[CFG] found matching ike config: %any...%any with prio 28
Jul 18 07:09:41 vpn-instance charon: 09[IKE] xxx.xxx.xxx.112 is initiating an IKE_SA
Jul 18 07:09:41 vpn-instance charon: 09[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Jul 18 07:09:41 vpn-instance charon: 09[CFG] selecting proposal:
Jul 18 07:09:41 vpn-instance charon: 09[CFG]   proposal matches
Jul 18 07:09:41 vpn-instance charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_25
6/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMA
C_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1
/MODP_1024
Jul 18 07:09:41 vpn-instance charon: 09[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_
128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2
_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/P
RF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_255
19/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AE
S_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_1
28/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12
_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/EC
P_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2
048
Jul 18 07:09:41 vpn-instance charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256
/MODP_2048
Jul 18 07:09:41 vpn-instance charon: 09[IKE] local host is behind NAT, sending keep alives
Jul 18 07:09:41 vpn-instance charon: 09[IKE] remote host is behind NAT
Jul 18 07:09:41 vpn-instance charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
 N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 18 07:09:41 vpn-instance charon: 09[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500] (456 byte
s)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500]
Jul 18 07:09:41 vpn-instance charon: 09[MGR] checkin IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance charon: 09[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 10[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8
858e_r
Jul 18 07:09:41 vpn-instance charon: 10[MGR] IKE_SA (unnamed)[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 0.0.0.0/0 === 192.168.0.1/32 out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] getting iface index for ens4
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 192.168.0.1/32 === 0.0.0.0/0 in
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 192.168.0.1/32 === 0.0.0.0/0 fwd
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting SAD entry with SPI cf6c6551
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleted SAD entry with SPI cf6c6551
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting SAD entry with SPI 08f90a8f
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleted SAD entry with SPI 08f90a8f
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[CFG] lease 192.168.0.1 by 'users-name' went offline
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[MGR] checkin and destroy of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 07[MGR] checkout IKEv2 SA with SPIs 0bb3c1942e27aa5a_i 154ee3eb7c30364c_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 07[MGR] IKE_SA checkout not successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 0000000
000000000_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] created IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500] (60
4 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP)
 N(NATD_D_IP) N(FRAG_SUP) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] looking for an IKEv2 config for 10.152.0.2...xxx.xxx.xxx.112
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG]   candidate: %any...%any, prio 28
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] found matching ike config: %any...%any with prio 28
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] xxx.xxx.xxx.112 is initiating an IKE_SA
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] selecting proposal:
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG]   proposal matches
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SH
A2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PR
F_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC
_SHA1/MODP_1024
Jul 18 07:09:41 vpn-instance charon: 10[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (496 b
ytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES
_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC
_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_
256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURV
E_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_2
56/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM
_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_G
CM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_2
56/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/M
ODP_2048
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA
2_256/MODP_2048
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] local host is behind NAT, sending keep alives
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] remote host is behind NAT
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_
D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500] (456
 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] checkin IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577
350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] IKE_SA (unnamed)[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (
496 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Jul 18 07:09:41 vpn-instance charon: 10[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MAS
K DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[CFG] looking for peer configs matching 10.152.0.2[xxx.xxx.xxx.219]...12
5.168.239.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[CFG]   candidate "ipsec-ikev2-vpn", match: 20/1/28 (me/other/ike)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 18 07:09:41 vpn-instance charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHC
P DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Jul 18 07:09:41 vpn-instance charon: 10[CFG] looking for peer configs matching 10.152.0.2[xxx.xxx.xxx.219]...125.168
.239.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance charon: 10[CFG]   candidate "ipsec-ikev2-vpn", match: 20/1/28 (me/other/ike)
Jul 18 07:09:41 vpn-instance charon: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Jul 18 07:09:41 vpn-instance charon: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_DNS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP6_DNS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_DNS_DOMAIN attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 18 07:09:41 vpn-instance charon: 10[IKE] peer supports MOBIKE
Jul 18 07:09:41 vpn-instance charon: 10[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with RSA signature success
ful
Jul 18 07:09:41 vpn-instance charon: 10[IKE] sending end entity cert "CN=xxx.xxx.xxx.219"
Jul 18 07:09:41 vpn-instance charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 18 07:09:41 vpn-instance charon: 10[ENC] splitting IKE message (1904 bytes) into 2 fragments
Jul 18 07:09:41 vpn-instance charon: 10[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jul 18 07:09:41 vpn-instance charon: 10[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jul 18 07:09:41 vpn-instance charon: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (1236 b
ytes)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (740 by
tes)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 10[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 01[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8
858e_r
Jul 18 07:09:41 vpn-instance charon: 01[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance charon: 01[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (80 by
tes)
Jul 18 07:09:41 vpn-instance charon: 01[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 18 07:09:41 vpn-instance charon: 01[IKE] received EAP identity 'users-name'
Jul 18 07:09:41 vpn-instance charon: 01[IKE] initiating EAP_MSCHAPV2 method (id 0x4D)
Jul 18 07:09:41 vpn-instance charon: 01[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 01[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (112 by
tes)
Jul 18 07:09:41 vpn-instance charon: 01[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 01[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 11[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8
858e_r
Jul 18 07:09:41 vpn-instance charon: 11[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance charon: 11[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (144 b
ytes)
Jul 18 07:09:41 vpn-instance charon: 11[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 11[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 11[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (144 by
tes)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 11[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 11[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 13[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8
858e_r
Jul 18 07:09:41 vpn-instance charon: 13[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance charon: 13[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (80 by
tes)
Jul 18 07:09:41 vpn-instance charon: 13[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 18 07:09:41 vpn-instance charon: 13[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jul 18 07:09:41 vpn-instance charon: 13[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (80 byt
es)
Jul 18 07:09:41 vpn-instance charon: 13[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 13[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 12[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8
858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_DNS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP6_DNS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_DNS_DOMAIN attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC paddi
ng
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] peer supports MOBIKE
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with RSA signature su
ccessful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] sending end entity cert "CN=xxx.xxx.xxx.219"
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] splitting IKE message (1904 bytes) into 2 fragments
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (1
236 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (7
40 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577
350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (
80 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[IKE] received EAP identity 'users-name'
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[IKE] initiating EAP_MSCHAPV2 method (id 0x4D)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (1
12 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 12[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577
350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (
144 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (1
44 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577
350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (
80 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (8
0 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577
350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (
112 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] authentication of '192.168.1.2' with EAP successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with EAP
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] established between 10.152.0.2[35.244.1
21.219]...xxx.xxx.xxx.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance charon: 12[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (112 b
ytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] state change: CONNECTING => ESTABLISHED
Jul 18 07:09:41 vpn-instance charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jul 18 07:09:41 vpn-instance charon: 12[IKE] authentication of '192.168.1.2' with EAP successful
Jul 18 07:09:41 vpn-instance charon: 12[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with EAP
Jul 18 07:09:41 vpn-instance charon: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] established between 10.152.0.2[xx.xxx.xxx.21
9]...xxx.xxx.xxx.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance charon: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] state change: CONNECTING => ESTABLISHED
Jul 18 07:09:41 vpn-instance charon: 12[IKE] peer requested virtual IP %any
Jul 18 07:09:41 vpn-instance charon: 12[CFG] reassigning offline lease to 'users-name'
Jul 18 07:09:41 vpn-instance charon: 12[IKE] assigning virtual IP 192.168.0.1 to peer 'users-name'
Jul 18 07:09:41 vpn-instance charon: 12[IKE] peer requested virtual IP %any6
Jul 18 07:09:41 vpn-instance charon: 12[IKE] no virtual IP found for %any6 requested by 'users-name'
Jul 18 07:09:41 vpn-instance charon: 12[IKE] building INTERNAL_IP4_DNS attribute
Jul 18 07:09:41 vpn-instance charon: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Jul 18 07:09:41 vpn-instance charon: 12[CFG] proposing traffic selectors for us:
Jul 18 07:09:41 vpn-instance charon: 12[CFG]  0.0.0.0/0
Jul 18 07:09:41 vpn-instance charon: 12[CFG] proposing traffic selectors for other:
Jul 18 07:09:41 vpn-instance charon: 12[CFG]  192.168.0.1/32
Jul 18 07:09:41 vpn-instance charon: 12[CFG]   candidate "ipsec-ikev2-vpn" with prio 10+2
Jul 18 07:09:41 vpn-instance charon: 12[CFG] found matching child config "ipsec-ikev2-vpn" with prio 12
Jul 18 07:09:41 vpn-instance charon: 12[CFG] selecting proposal:
Jul 18 07:09:41 vpn-instance charon: 12[CFG]   proposal matches
Jul 18 07:09:41 vpn-instance charon: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:
AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_9
6/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 07:09:41 vpn-instance charon: 12[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA
2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jul 18 07:09:41 vpn-instance charon: 12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 18 07:09:41 vpn-instance charon: 12[KNL] got SPI c37cf9e4
Jul 18 07:10:21 vpn-instance ipsec[8264]: 08[KNL] querying policy 0.0.0.0/0 === 192.168.0.1/32 out
Jul 18 07:10:21 vpn-instance ipsec[8264]: 08[KNL] querying SAD entry with SPI 079bf039
Jul 18 07:10:21 vpn-instance charon: 08[KNL] querying SAD entry with SPI 079bf039
Jul 18 07:10:21 vpn-instance ipsec[8264]: 08[IKE] sending keep alive to xxx.xxx.xxx.112[4500]
Jul 18 07:10:21 vpn-instance charon: 08[IKE] sending keep alive to xxx.xxx.xxx.112[4500]
Jul 18 07:10:21 vpn-instance charon: 08[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:10:21 vpn-instance charon: 08[MGR] checkin of IKE_SA successful
John Hanley avatar
cn flag
You did not enable IP Forwarding when you created the Compute Engine VM instance. https://cloud.google.com/vpc/docs/using-routes#canipforward
br flag
@JohnHanley is it possible to enable after the VM is already created? I couldn't find where it allowed that.
jabbson avatar
sb flag
You can only enable IP forwarding when you create an instance (as per [this doc](https://cloud.google.com/vpc/docs/using-routes#canipforward))
John Hanley avatar
cn flag
Shut down the instance and create an image. Then create a new instance, specifying the correct parameters and that image. Then delete the old VM.
Wojtek_B avatar
jp flag
Were you able to solve your issue with @John's help?
br flag
@JohnHanley I created a new vm with IP forwarding enabled but no luck. Still can't reach the internet.
Score:1
jp flag

From the GCP firewall side your configuration looks OK. However, installing & configuring StrongSwan is not a simple process and there are many steps that determine whether it's successful or not.

You can try to repeat the process on another VM (created one from scratch) and go over the steps again, but...

If you can use other solutions I'd recommend going for a Marketplace one - deploying them is much simpler and you're getting a working solution out of the box - such as OpenVPN. And it's certified to work with GCP.

You can also try SoftEther VPN but there's no ready-to-deploy Marketplace solution for that yet, so it would mean going over the installation as with StrongSwan.

Wytrzymały Wiktor avatar
it flag
Hello @nealous3. Does this [answer your question](https://stackoverflow.com/help/someone-answers)?
br flag
Thanks @Wojtek_B I'll try OpenVPN
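
A check worth running on the VPN server, written as an added example that is not part of the original thread: the question's NAT listing binds MASQUERADE to `eth0` with zero packet counters, while the charon log names the interface `ens4`. The function names are hypothetical, and the route line and the second NAT listing are constructed samples.

```shell
#!/bin/sh
# Added example: verify that a MASQUERADE rule covers the interface that
# carries the default route, so tunnelled client traffic is actually NATed.

# Interface of the default route, parsed from `ip -4 route show default`
# text on stdin.
default_iface() {
  awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Prints "out-interface pkts" for each MASQUERADE rule, parsed from
# `iptables -t nat -L POSTROUTING -n -v` text on stdin.
# Columns: pkts bytes target prot opt in out source destination
masq_rules() {
  awk '$3 == "MASQUERADE" { print $7, $1 }'
}

# check_masquerade ROUTE_TEXT NAT_TEXT
# Prints one finding per rule. Returns 0 when at least one MASQUERADE rule
# covers the egress interface, 1 otherwise.
check_masquerade() {
  egress=$(printf '%s\n' "$1" | default_iface)
  if [ -z "$egress" ]; then
    echo "FAIL no default route found"
    return 1
  fi
  rules=$(printf '%s\n' "$2" | masq_rules)
  if [ -z "$rules" ]; then
    echo "FAIL no MASQUERADE rule in nat/POSTROUTING"
    return 1
  fi
  status=1
  while read -r out pkts; do
    if [ "$out" = "$egress" ] || [ "$out" = "*" ]; then
      status=0
      if [ "$pkts" = "0" ]; then
        echo "WARN rule on $out covers egress $egress but has matched 0 packets"
      else
        echo "OK rule on $out covers egress $egress ($pkts packets)"
      fi
    else
      echo "FAIL rule is bound to $out but the default route leaves via $egress"
    fi
  done <<EOF
$rules
EOF
  return $status
}

# Run the same check against the live system (needs root for iptables) and
# show the running forwarding flag, which can differ from /etc/sysctl.conf.
check_live() {
  check_masquerade "$(ip -4 route show default)" \
                   "$(iptables -t nat -L POSTROUTING -n -v)"
  echo "net.ipv4.ip_forward=$(sysctl -n net.ipv4.ip_forward)"
}

# POSTROUTING chain as posted in the question.
QUESTION_NAT=$(cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 767 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
EOF
)

# Constructed sample: the log names ens4 and 10.152.0.2; the gateway address
# is made up for illustration.
SAMPLE_ROUTE='default via 10.152.0.1 dev ens4 proto dhcp src 10.152.0.2 metric 100'

# Constructed sample: the same rule bound to ens4, with traffic matching it.
FIXED_NAT=$(cat <<'EOF'
Chain POSTROUTING (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
  431 52340 MASQUERADE  all  --  *      ens4    0.0.0.0/0            0.0.0.0/0
EOF
)

check_masquerade "$SAMPLE_ROUTE" "$QUESTION_NAT" || true
```

On the server itself, call `check_live` as root instead of passing the sample text.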