Need help with making an IKEv2 VPN server from a Ubuntu VirtualBox

I’ve been trying to make a VPN that uses the IKEv2 protocol using StrongSwan on Ubuntu, following the instructions at this link: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-ikev2-vpn-server-with-strongswan-on-ubuntu-18-04-2

I will try to give as much detail as possible about what I did following the instructions given.

In Step 1 I updated the local package cache as told to do and installed the StrongSwan package.

In Step 2 I ran the command: mkdir -p ~/pki/{cacerts,certs,private}. I was not too sure if I had to type exactly that line, so I did, and I also did all 3 individually: mkdir -p ~/pki/cacerts, ""/certs and ""/private. After that I just copy-pasted the 3 command lines in.

In Step 3 I followed the steps; in the second part, where I had to put a CN and a SAN, I put 192.168.5.220, which is different from the VirtualBox that has the 192.168.5.12 IP. Not sure if I was supposed to put the machine’s IP or if I was supposed to do what I did.

In Step 4, the first part where I had to type in sudo mv /etc/ipsec.conf{,.original}: like the first one, I wasn’t sure if I was supposed to copy-paste the whole thing including "{,.original}", but I did and it seemed to work. I continued to follow the steps; where I had to put in an address next to “leftid:” I put in 192.168.5.220 again.

Step 5: followed the steps and restarted StrongSwan.

Step 6: I added the exceptions to the firewall. In before.rules, instead of 10.10.10.0/24 I put 192.168.5.0/24; not sure either if that was what I was really supposed to do. For the rest I followed the steps and restarted the firewall.

Step 7: I retrieved the certificate and added it to another VirtualBox; could not connect. Tried to add it to the host; did not work. Could not make it work from my phone either. All 3 devices got the unreachable error or Error 809. I could ping the IP 192.168.5.220 from the other VirtualBox (Win7) but got:

Reply from 192.168.5.14 : Destination host unreachable. 0% loss

Sorry for the long text. Not sure if I did everything properly; did I do something wrong?

What network is the 192.168.5.X? Is the VPN subnet the 10.? You’ve got some networking stuff going on, good sir.

Is your firewall not capable of Client VPN management? If not you’d need to have forwarding rules in the Firewall directing inbound traffic to an internal network.

End all be all, your gateway should really be handling your Client VPN. If you REALLY want to run a VPN server you’d need to have it in your DMZ and not inside.

The 192.168.5.X network is the guest WiFi network; I simply told VirtualBox to use the WiFi adapter that’s connected to the guest WiFi network. The 10., I am guessing you’re talking about step six, which was Configuring the Firewall and Kernel IP Forwarding.

In the sixth step I had to configure the firewall for the VPN, and I’m not sure what you mean by whether it’s capable of Client VPN management.

This is all a learning experience for me and a personal project; I’m sorry if there are things that I don’t understand.

I was trying to test it by connecting to the same network that the VPN was running on and trying to use the local IP address to connect to it. So what I get from what you’re telling me (and tell me if I’m wrong) is that to make it work I would need to add it to the DMZ, otherwise I can’t port forward it. Is that right? Please bear with me; I really would like to make this work.

No worries!

So when you have a VPN server it is basically the friend introducing you to the room of people. Your firewall is probably your gateway which is the door to the house. You can’t be introduced if you’re still standing outside.

What you’re encountering is inbound filtering on your firewall preventing external clients from accessing internal resources, which it usually does by default. To use a VPN server you’d need to create a DMZ. Doing so you would create an extranet and an intranet, like game servers or streaming services.

For Firewalls handling VPN, like Cisco Meraki or Sophos, the Firewall is the Gateway and the VPN server. It handles negotiation into the intranet from the internet.

Another thing is that you can’t VPN into the same network that you are on, or any network inside of your gateway. To test you would need to put a laptop on a 4G cell phone hotspot so that you’re entering from the internet; otherwise you’ll hit errors connecting. Think of everything inside your gateway, umbrella’d under the same public IP address, as in the same place according to networking. (You can’t exactly make a tunnel without moving in space, unless we’re going to have some crazy space-time convo.)

Hopefully this clarifies some things, but maybe take a look into network segmentation fundamentals. That’s the zone of study stopping this all from working.

I’ve looked up network segmentation fundamentals, and what I’m getting from that is that it is basically what a firewall does, right?

You said I am encountering inbound filtering on my firewall, so I added an inbound rule to my host firewall to allow inbound connections to the remote IP 192.168.5.12 (the VM hosting the VPN). I also added it to the DMZ, and added it to the advanced one, not sure if it’s necessary; it is described as:

The advanced DMZ feature allows a device to use the modem’s WAN IP address as its own. It also puts the device outside the modem’s firewall. Your modem’s WAN IP is: xxxxxxxxx…

and it still doesn’t work, so I am guessing that I still did something wrong. I would think that it is probably an IP somewhere that I didn’t set up properly.

In step 3 I needed to generate a certificate for the VPN server; one of the lines was:

 --dn "CN=server_domain_or_IP" --san "server_domain_or_IP" \ 

At first I put the local IP of the machine, but right now I have the WAN IP address set for both CN and SAN; was this what I was supposed to do?

Step 4: I had to configure StrongSwan; there was this line:

leftid=@server_domain_or_IP

I’m guessing it should be the same as the DN, so I put in the WAN IP again. I’ve also just noticed this line:

rightsourceip=10.10.10.0/24

I’m guessing that I should change that to 192.168.5.0/24; I’ll change it to that and see if it’ll work afterward.

Step 6, Configuring the Firewall & Kernel IP Forwarding: pretty sure there was no problem with configuring the firewall; I checked the status and it seemed to work. As for the kernel IP forwarding part:

 *nat
 -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
 -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
 COMMIT

 *mangle
 -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
 COMMIT

-A ufw-before-forward --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
-A ufw-before-forward --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT

I replaced every 10.10.10.0/24 with 192.168.5.0/24. Since the rightsourceip was 10.10.10.0/24, that could be why it was not working, because it was not the same as the kernel port forwarding rule.

That should be everything involving IP addresses; I don’t think this can get more detailed than that, haha.
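As an added example (not from this thread, the tutorial, or StrongSwan itself), here is a small Python check that cross-references the three places the setup asks for addresses: the certificate SAN against leftid, and rightsourceip against the NAT subnet in before.rules and the server's own LAN. The config text, the 203.0.113.10 address and the LAN subnet are constructed sample values; the rightsourceip pool is expected to be a dedicated subnet distinct from the LAN, which is the case the sample flags.

```python
import ipaddress
import re

# Constructed sample inputs (illustrative only; 203.0.113.10 is a documentation
# address standing in for the server's public IP, not a value from the thread).
IPSEC_CONF = """\
conn ikev2-vpn
    leftid=@203.0.113.10
    leftcert=server-cert.pem
    rightsourceip=192.168.5.0/24
"""
BEFORE_RULES = """\
*nat
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
"""
CERT_SAN = "203.0.113.10"      # the --san the server certificate was issued for
LAN_SUBNET = "192.168.5.0/24"  # the LAN the VPN host itself sits on


def first(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def check_config(ipsec_conf, before_rules, cert_san, lan_subnet):
    """Cross-check the addresses in ipsec.conf, before.rules and the
    server certificate; returns a list of findings (empty means consistent)."""
    findings = []
    leftid = first(r"^\s*leftid=@?(\S+)", ipsec_conf)
    pool = first(r"^\s*rightsourceip=(\S+)", ipsec_conf)
    nat_subnets = set(re.findall(r"-A POSTROUTING -s (\S+)", before_rules))
    # Clients verify the server identity against the certificate's SAN.
    if leftid != cert_san:
        findings.append(f"leftid {leftid!r} does not match certificate SAN {cert_san!r}")
    if pool is None:
        findings.append("rightsourceip is missing: clients get no virtual IP")
        return findings
    # The virtual-IP pool must be a dedicated subnet, not the LAN the server
    # already lives on, otherwise routing and NAT for the clients is ambiguous.
    if ipaddress.ip_network(pool, strict=False).overlaps(ipaddress.ip_network(lan_subnet)):
        findings.append(f"rightsourceip {pool} overlaps the server LAN {lan_subnet}")
    # The NAT/forward rules in before.rules must name the same pool.
    if pool not in nat_subnets:
        findings.append(f"before.rules NATs {sorted(nat_subnets)} but the pool is {pool}")
    return findings
```

Run it against your real /etc/ipsec.conf and /etc/ufw/before.rules contents in place of the sample strings; an empty result means the pool, NAT rules and identity agree.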

Can you connect to the VPN server? (I assume L2TP/IPsec.) If not, then can you ping the public IP? It is totally possible that if you are using an ISP-provided modem it is declining ICMP requests.

If possible, please list in order all network devices, like so…

Modem > router > switch > server/clients (replace the devices with your own going from public space into private)

Apologies for the late reply; put my firefighter hat on today.

No worries. Unfortunately I still can’t get to my VPN. The protocol is actually IKEv2, and no, I cannot ping the public IP. I’ve also port forwarded both ports 500 and 4500 UDP, and I also added an inbound rule for those ports.

Home Hub 3000 > PC > VirtualBox
But because I set it as bridged and told it to use the WiFi card adapter, it is more like so:
Home Hub 3000 > VirtualBox

I would imagine the VPN handshake is TCP, but hmm. Let me think on this.

Alright, thanks a lot for the help, by the way.

Edit: I think what I’ll do is also try and see if I switch my virtual machine’s network method from bridged to NAT and port forward the host machine instead.

Just in case bridged wouldn’t work. I don’t know why that would be the case, but we’ll see. (Will try this once I get back from school.)

I disabled DMZ on my router; don’t know if that’s a problem. Sorry that I forgot to mention that; when you explained it I didn’t quite understand if it was really necessary. I was testing the VPN from an LTE connection too.

No worries! I love problem solving this stuff.

Does the device running the VM have dual NICs by chance? I think what may need to happen is a dual-NIC setup with a software firewall on the VM. But again, I’ll think on it through the day.

The VM already has a software firewall; I’ll see if using dual NICs fixes it.

Kk, so I grilled some coworkers and this is what we landed on.

The device handling your VPN server also needs to be your network gateway. That would mean having your firewall downstream of it. It is essentially a layer 1 issue of cable flow. If you have dual NICs on the device handling the software firewall and it is also the VPN server, you will need to configure the VPN server to use the firewall as its gateway and use forwarding rules to direct traffic inwards on specific ports (VPN address 222.233.244.254:8001).

Even then it’s shaky, but good luck.