Question

Hello everyone. After doing all the configurations, when I try to establish a VPN connection using this command “sudo charon-cmd --cert ca-cert.pem --host vpn_domain_or_IP --identity your_username”, I'm not able to connect; it shows:

    root@ubuntuN1:~# sudo charon-cmd --cert /etc/ipsec.d/cacerts/ca-cert.pem --host 10.0.2.14 --identity ubuntu
    00[LIB] created TUN device: ipsec0
    00[LIB] dropped capabilities, running as uid 0, gid 0
    00[DMN] Starting charon-cmd IKE client (strongSwan 5.8.2, Linux 5.15.0-79-generic, x86_64)
    00[LIB] loaded plugins: charon-cmd ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl kernel-libipsec kernel-netlink resolve socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap auth-generic
    00[JOB] spawning 16 worker threads
    07[IKE] installed bypass policy for 10.0.2.0/24
    07[KNL] error installing route with policy 169.254.0.0/16 === 169.254.0.0/16 out
    07[IKE] installed bypass policy for 169.254.0.0/16
    07[KNL] error installing route with policy fe80::/64 === fe80::/64 out
    07[IKE] installed bypass policy for fe80::/64
    09[IKE] initiating IKE_SA cmd[1] to 10.0.2.14
    09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    09[NET] sending packet: from 10.0.2.5[58408] to 10.0.2.14[4500] (1128 bytes)
    10[IKE] retransmit 1 of request with message ID 0
    10[NET] sending packet: from 10.0.2.5[58408] to 10.0.2.14[4500] (1128 bytes)
    ^C00[DMN] signal of type SIGINT received. Shutting down
    00[IKE] destroying IKE_SA in state CONNECTING without notification
    00[IKE] uninstalling bypass policy for fe80::/64
    00[IKE] uninstalling bypass policy for 10.0.2.0/24
    00[IKE] uninstalling bypass policy for 169.254.0.0/16
    root@ubuntuN1:~# sudo charon-cmd --cert /etc/ipsec.d/cacerts/ca-cert.pem --host 10.0.2.14 --identity ubuntu
    00[LIB] created TUN device: ipsec0
    00[LIB] dropped capabilities, running as uid 0, gid 0
    00[DMN] Starting charon-cmd IKE client (strongSwan 5.8.2, Linux 5.15.0-79-generic, x86_64)
    00[LIB] loaded plugins: charon-cmd ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl kernel-libipsec kernel-netlink resolve socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap auth-generic
    00[JOB] spawning 16 worker threads
    15[IKE] installed bypass policy for 10.0.2.0/24
    15[KNL] error installing route with policy 169.254.0.0/16 === 169.254.0.0/16 out
    15[IKE] installed bypass policy for 169.254.0.0/16
    15[KNL] error installing route with policy fe80::/64 === fe80::/64 out
    05[IKE] initiating IKE_SA cmd[1] to 10.0.2.14
    15[IKE] installed bypass policy for fe80::/64
    05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    05[NET] sending packet: from 10.0.2.5[40798] to 10.0.2.14[4500] (1128 bytes)
    06[IKE] retransmit 1 of request with message ID 0
    06[NET] sending packet: from 10.0.2.5[40798] to 10.0.2.14[4500] (1128 bytes)
    07[IKE] retransmit 2 of request with message ID 0
    07[NET] sending packet: from 10.0.2.5[40798] to 10.0.2.14[4500] (1128 bytes)
    16[IKE] retransmit 3 of request with message ID 0
    16[NET] sending packet: from 10.0.2.5[40798] to 10.0.2.14[4500] (1128 bytes)

Please help!!!



KFSys
Site Moderator
August 29, 2023

Heya,

The error logs you provided indicate that your client is initiating a connection to the VPN server, but there’s no response from the server, causing the client to retransmit the initial request multiple times.

Here are some potential solutions and checks you can perform:

  1. Firewall Configuration: Ensure there’s no firewall blocking the connection. VPNs, especially IPsec, require specific ports to be open:
    • Ensure that UDP ports 500 and 4500 are open on both the server and the client.
  2. Server Configuration: Make sure the StrongSwan or other VPN software is running and correctly configured on the server:
    • Check its status (e.g., sudo systemctl status strongswan).
    • Ensure the server configuration allows connections from your client IP or network.
  3. Network Configuration:
    • The logs also show errors related to “error installing route with policy.” It might indicate a network configuration issue. Ensure that the IP ranges you’ve configured for the VPN don’t conflict with other network routes on the system.
    • Check if the VPN server IP (10.0.2.14 in your case) is reachable from the client.
  4. Logs on the Server: Checking the logs on the VPN server might provide more information about why it’s not responding. Typically, you’d check /var/log/syslog or /var/log/charon.log on the server to see if there are any incoming requests and errors related to them.
  5. Client Configuration:
    • Ensure that the client’s configuration matches the server’s. Any mismatch in cryptographic settings, for example, can prevent a successful connection.
    • Try connecting without specifying --cert to see if that’s causing an issue. If the server doesn’t require client certificate authentication, this option might be unnecessary.
  6. Time Synchronization: IPsec relies on having synchronized clocks between the client and the server. Ensure both machines have their clocks synchronized using ntpd or chronyd.
  7. Protocol & Encryption Mismatches: Double-check that both your server and client configurations are using the same IKE and IPsec versions (IKEv1 vs. IKEv2) and the same encryption/authentication algorithms.
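As an added example for this thread (not code from the original post and not part of strongSwan), here is a small POSIX shell triage script that turns two of the checks above into something repeatable: it classifies a saved charon-cmd log as "no-response" when IKE_SA_INIT requests were retransmitted without a single parsed response (the pattern in the question's log), and it parses the output of ss -uln on the server to confirm that UDP 500 and 4500 are actually bound. The sample log and socket listing are constructed to mirror the question's output; the function names and the verdict strings (established, auth-failed, no-response, unknown) are my own, not strongSwan terminology.

```shell
#!/bin/sh
# Added example for this thread (not from the original post, not part of
# strongSwan): two small triage helpers for the checks discussed above.
# Function names and the verdict strings are my own choice.

# classify_charon_log: read charon-cmd output on stdin and print one verdict.
#   established  an IKE_SA reached the established state
#   auth-failed  the peer answered but rejected authentication
#   no-response  IKE_SA_INIT was sent and retransmitted, yet no IKE_SA_INIT
#                response was ever parsed (silent peer, filtered UDP 500/4500,
#                or a wrong --host), which is the pattern in the question
#   unknown      none of the above
# awk does the counting in one pass, so the function never depends on the exit
# status of grep -c, which is 1 when the count is 0 and would trip `set -e`.
classify_charon_log() {
    awk '
        /IKE_SA .* established/            { est = 1 }
        /AUTHENTICATION_FAILED/            { auth = 1 }
        /generating IKE_SA_INIT request/   { sent++ }
        /parsed IKE_SA_INIT response/      { got++ }
        /retransmit [0-9]+ of request/     { retx++ }
        END {
            if (est)                       print "established"
            else if (auth)                 print "auth-failed"
            else if (sent && !got && retx) print "no-response"
            else                           print "unknown"
        }'
}

# ike_ports_bound: read `ss -uln` output on stdin (run on the VPN server) and
# report whether UDP 500 and 4500 are bound. Prints "500=yes 4500=no" style
# and exits 0 only when both are bound. The local address is the 4th column
# (State Recv-Q Send-Q Local:Port Peer:Port); the port follows the last ":".
ike_ports_bound() {
    awk '
        { n = split($4, a, ":"); p = a[n]
          if (p == 500)  p500 = 1
          if (p == 4500) p4500 = 1 }
        END {
            printf "500=%s 4500=%s\n", (p500 ? "yes" : "no"), (p4500 ? "yes" : "no")
            if (p500 && p4500) exit 0
            exit 1
        }'
}

# Constructed sample input, modelled on the log in the question (not a
# capture from a real system): request sent, two retransmits, no response.
SAMPLE_LOG='09[IKE] initiating IKE_SA cmd[1] to 10.0.2.14
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
09[NET] sending packet: from 10.0.2.5[58408] to 10.0.2.14[4500] (1128 bytes)
10[IKE] retransmit 1 of request with message ID 0
10[NET] sending packet: from 10.0.2.5[58408] to 10.0.2.14[4500] (1128 bytes)
07[IKE] retransmit 2 of request with message ID 0
00[DMN] signal of type SIGINT received. Shutting down
00[IKE] destroying IKE_SA in state CONNECTING without notification'

# Constructed `ss -ulnH` output for a server where charon has both IKE ports.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:500  0.0.0.0:*
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:*
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

# Real-world usage:
#   client: sudo charon-cmd ... 2>&1 | tee client.log; classify_charon_log < client.log
#   server: ss -ulnH | ike_ports_bound
verdict=$(printf '%s\n' "$SAMPLE_LOG" | classify_charon_log)
echo "client log verdict: $verdict"      # no-response
printf '%s\n' "$SAMPLE_SS" | ike_ports_bound || echo "IKE ports not fully bound on server"
```

The verdict deliberately keys on the absence of a "parsed IKE_SA_INIT response" line rather than on the "error installing route with policy" lines: those appear in both of the question's runs before the first request is even sent, while the missing response is what distinguishes a peer that is silent or filtered (firewall, wrong address, daemon not running) from a peer that answers and then rejects the client (an AUTHENTICATION_FAILED notify, which lands in the auth-failed bucket and points at the certificate, identity or algorithm checks instead).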
