Hello everyone, after all the configuration, when trying to establish a VPN connection using this command “sudo charon-cmd --cert ca-cert.pem --host vpn_domain_or_IP --identity your_username”, I'm not able to connect. It shows:
```
root@ubuntuN1:~# sudo charon-cmd --cert /etc/ipsec.d/cacerts/ca-cert.pem --host 10.0.2.14 --identity ubuntu
00[LIB] created TUN device: ipsec0
00[LIB] dropped capabilities, running as uid 0, gid 0
00[DMN] Starting charon-cmd IKE client (strongSwan 5.8.2, Linux 5.15.0-79-generic, x86_64)
00[LIB] loaded plugins: charon-cmd ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl kernel-libipsec kernel-netlink resolve socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic
00[JOB] spawning 16 worker threads
07[IKE] installed bypass policy for 10.0.2.0/24
07[KNL] error installing route with policy 169.254.0.0/16 === 169.254.0.0/16 out
07[IKE] installed bypass policy for 169.254.0.0/16
07[KNL] error installing route with policy fe80::/64 === fe80::/64 out
07[IKE] installed bypass policy for fe80::/64
09[IKE] initiating IKE_SA cmd[1] to 10.0.2.14
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
09[NET] sending packet: from 10.0.2.5[58408] to 10.0.2.14[4500] (1128 bytes)
10[IKE] retransmit 1 of request with message ID 0
10[NET] sending packet: from 10.0.2.5[58408] to 10.0.2.14[4500] (1128 bytes)
^C00[DMN] signal of type SIGINT received. Shutting down
00[IKE] destroying IKE_SA in state CONNECTING without notification
00[IKE] uninstalling bypass policy for fe80::/64
00[IKE] uninstalling bypass policy for 10.0.2.0/24
00[IKE] uninstalling bypass policy for 169.254.0.0/16
root@UbuntuN1:~# sudo charon-cmd --cert /etc/ipsec.d/cacerts/ca-cert.pem --host 10.0.2.14 --identity ubuntu
00[LIB] created TUN device: ipsec0
00[LIB] dropped capabilities, running as uid 0, gid 0
00[DMN] Starting charon-cmd IKE client (strongSwan 5.8.2, Linux 5.15.0-79-generic, x86_64)
00[LIB] loaded plugins: charon-cmd ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl kernel-libipsec kernel-netlink resolve socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic
00[JOB] spawning 16 worker threads
15[IKE] installed bypass policy for 10.0.2.0/24
15[KNL] error installing route with policy 169.254.0.0/16 === 169.254.0.0/16 out
15[IKE] installed bypass policy for 169.254.0.0/16
15[KNL] error installing route with policy fe80::/64 === fe80::/64 out
05[IKE] initiating IKE_SA cmd[1] to 10.0.2.14
15[IKE] installed bypass policy for fe80::/64
05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
05[NET] sending packet: from 10.0.2.5[40798] to 10.0.2.14[4500] (1128 bytes)
06[IKE] retransmit 1 of request with message ID 0
06[NET] sending packet: from 10.0.2.5[40798] to 10.0.2.14[4500] (1128 bytes)
07[IKE] retransmit 2 of request with message ID 0
07[NET] sending packet: from 10.0.2.5[40798] to 10.0.2.14[4500] (1128 bytes)
16[IKE] retransmit 3 of request with message ID 0
16[NET] sending packet: from 10.0.2.5[40798] to 10.0.2.14[4500] (1128 bytes)
```
Please help!!!
Heya,
The error logs you provided indicate that your client is initiating a connection to the VPN server, but there’s no response from the server, causing the client to retransmit the initial request multiple times.
Here are some potential solutions and checks you can perform:
- Firewall Configuration: Ensure there’s no firewall blocking the connection. VPNs, especially IPsec, require specific ports to be open:
- Server Configuration: Make sure the StrongSwan or other VPN software is running and correctly configured on the server: `sudo systemctl status strongswan`).
- Network Configuration: `10.0.2.14` in your case) is reachable from the client.
- Logs on the Server: Checking the logs on the VPN server might provide more information about why it’s not responding. Typically, you’d check `/var/log/syslog` or `/var/log/charon.log` on the server to see if there are any incoming requests and errors related to them.
- Client Configuration: `--cert` to see if that’s causing an issue. If the server doesn’t require client certificate authentication, this option might be unnecessary.
- Time Synchronization: IPsec relies on having synchronized clocks between the client and the server. Ensure both machines have their clocks synchronized using `ntpd` or `chronyd`.
- Protocol & Encryption Mismatches: Double-check that both your server and client configurations are using the same IKE and IPsec versions (IKEv1 vs. IKEv2) and the same encryption/authentication algorithms.
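As an added example (not part of the answer above and not strongSwan's own code): a small Python triage of initiator output in the format the question shows, which checks whether the peer ever replied and reports the destination UDP port to verify on the server side. The function name `triage`, the verdict labels and the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample in the charon-cmd log format shown in the question.
SAMPLE_LOG = """\
09[IKE] initiating IKE_SA cmd[1] to 10.0.2.14
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
09[NET] sending packet: from 10.0.2.5[58408] to 10.0.2.14[4500] (1128 bytes)
10[IKE] retransmit 1 of request with message ID 0
10[NET] sending packet: from 10.0.2.5[58408] to 10.0.2.14[4500] (1128 bytes)
07[IKE] retransmit 2 of request with message ID 0
07[NET] sending packet: from 10.0.2.5[58408] to 10.0.2.14[4500] (1128 bytes)
"""

SEND = re.compile(r"\[NET\] sending packet: from \S+\[\d+\] to (\S+)\[(\d+)\]")
RECV = re.compile(r"\[NET\] received packet: from ")
RETX = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")
GEN = re.compile(r"\[ENC\] generating (\S+) request (\d+)")


def triage(log_text):
    """Summarise an initiator log: who was contacted, and did anyone answer?"""
    state = {"peer": None, "port": None, "sent": 0, "received": 0,
             "retransmits": 0, "stalled_exchange": None}
    exchanges = {}  # message ID -> exchange name, e.g. 0 -> IKE_SA_INIT
    for line in log_text.splitlines():
        if m := GEN.search(line):
            exchanges[int(m.group(2))] = m.group(1)
        elif m := SEND.search(line):
            state["peer"], state["port"] = m.group(1), int(m.group(2))
            state["sent"] += 1
        elif RECV.search(line):
            state["received"] += 1
        elif m := RETX.search(line):
            state["retransmits"] = max(state["retransmits"], int(m.group(1)))
            state["stalled_exchange"] = exchanges.get(int(m.group(2)), "unknown")
    if state["sent"] and not state["received"]:
        state["verdict"] = "no_reply"          # nothing ever came back
    elif state["retransmits"]:
        state["verdict"] = "reply_then_stall"  # peer answered, later request stalled
    else:
        state["verdict"] = "replies_seen" if state["received"] else "no_traffic"
    return state


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"{r['verdict']}: {r['stalled_exchange']} to {r['peer']} UDP {r['port']}")
```

A `no_reply` verdict on `IKE_SA_INIT` matches the log in the question: every datagram went to UDP 4500 on 10.0.2.14 and none came back, so the firewall, service and reachability checks in the list apply before any authentication or proposal settings.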