[Rebelllious]

What did you mean by redoing iptables options?
I think, this is the point I am missing at the time. Otherwise, I am ready to provide you with the information necessary to give me little help...

P.S. Thanks to Guyzer for helping with the server. I still don't understand what was wrong with my own setup though.

[Djlatino]

Great guide, might have to go out and buy a small centos vps just for me. I wish you could use StrongSwan on Windows but oh well :/ I guess my 40$ RDP will be tucked away for this, crying.

[Guyzer]

Great guide, might have to go out and buy a small centos vps just for me. I wish you could use StrongSwan on Windows but oh well :/ I guess my 40$ RDP will be tucked away for this, crying.

not sure if it interests you but with amazon aws you get one linux instance and one windows instance free for a year. essentially windows 8 server which you can rdp into anytime you need.

[Djlatino]

not sure if it interests you but with amazon aws you get one linux instance and one windows instance free for a year. essentially windows 8 server which you can rdp into anytime you need.

I'll be sure to check it out!

[Evil Dead]

Plase, help me sombomebody! Never felt myself so stupid
Well, I created Amazon account and made instance and so on
To cut story short, I ended up with that damned PuTTY black screen which ask me login and password. Which ones it wants?

[Guyzer]

Login as root

Posted via CB10

[Evil Dead]

I found problem: for some reason server didn't accept my keypair, that's why it wanted password so I terminated instance and started new one. But headarche didn't stop yet : Permanent timeout that's only one I have. Any suggestions will be very welcomed.
Timeout of VPN link of course

[Guyzer]

I found problem: for some reason server didn't accept my keypair, that's why it wanted password so I terminated instance and started new one. But headarche didn't stop yet : Permanent timeout that's only one I have. Any suggestions will be very welcomed.
Timeout of VPN link of course

putty will time you out after a certain amount of inactivity. this setting can be changed but you shouldnt need to if you just input the commands as directed in forum...

like you said most likely an issue with not reading the instructions correctly. though i dont claim they are perfect and Im willing to help out and explain more clearly. though you need to describe exactly what your problem is. im only guessing what you meant by time out

[Evil Dead]

Well, I inputted exactly how You described, and nothing at all - just timeout instead of working VPN. Then I switched off FW - just timeout instead of working VPN. And "[msm] Connecting" then "Error - Timeout" then "Disconnecting" and finally "Not connected" in VPN log. After this the same funny sequence but with [tiw_sta0]. I really desperated, 'cos it's not just a fun for me: I haven't access to BBW & BBM without this damned VPN

[Guyzer]

Timeout typically means firewall issue. Are you sure you set aws firewall


Posted via CB10

[Evil Dead]

It's switched off now, as I said, thru iptables save then stop and those "bla-bla-bla" system answer I got

[Evil Dead]

If I understand correctly after FW stopped I MUST be linked to server. Internet surfing is another story, and it will be next problem, but connection with server must be established just now, right?

[Guyzer]

No your talking about wrong firewall. There are two. You need to follow instructions in beginning

Posted via CB10

[Evil Dead]

It's absolutely madness!
What I did today:
1.Double checked public server IP - no mistakes;
2.Double checked security group - all 4 inbound ports are in place;
3.Double checked every config file - absolutely identical to those ones in guide
4. inputted ipsec stop;
5. inputted /etc/init.d/iptables save
/etc/init.d/iptables stop
6.inputted iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
7.inputted ipsec start
Still no any progress.
Guyzer, can I send to You my auth data for VPN, maybe You will be luck to login outside my country?

[Guyzer]

pm me the details

[Guyzer]

also heres a test server. if you cant connect to this server your isp is preventing you

Create a new VPN profile using the following connection details:
Profile Name: anything
Server Address: 54.184.95.161
Gateway Type: Generic IKEv2 VPN Server
Authentication Type: EAP-MSCHAPv2
Authentication ID Type: IPv4
MSCHAPv2 EAP Identity: anything, this field does not matter
MSCHAPv2 Username: user1
MSCHAPv2 Password: password2
Gateway Auth Type: PSK
Gateway Auth ID Type: IPv4
Gateway Preshared Key: password1
Perfect Forward Secrecy: not checked
There is no need to change any "Advanced" configurations.

[Evil Dead]

Connection was established
Oh, sorry, forgot to check. I-net surfing O.K.
Not sure: do You received my PM?

[Rebelllious]

Please start your iptables and check its FORWARD section. If it contains any "REJECT" rules before the one you added to forward your packets, remove it by

Code:

iptables -D FORWARD 1

where 1 is the number of the rule with "REJECT".
This seemed to help me in my research (after Guyzer had made a working instance for me).

[Evil Dead]

well, did I right?
/etc/init.d/iptables start
iptables -D FORWARD 1
If it's right, it didn't bring me nothing

I inputted iptables -L -v -n and could see some packets in INPUT chain, some packets in OUTPUT chain and absolutely no packets in FORWARD chain. I tried to connect to VPN, so something must to be here. Maybe as rejected packets, but it should be. Or it's wrong?

[Evil Dead]

O.K. I finally did it! Well, what my little research showed up:
What I found at wiki.strongswan.org about VPN creation on AWS services: Allow any incoming traffic from the pool's subnet into all VPC instances. It means You SHOULD kill any REJECT command in table "filters" -> chain "INPUT" of iptables or You'll can't get any net activity between Blackberry and server. Like me was . Next You SHOULD kill any REJECT command in table "filters" -> chain "FORWARD" of iptables or You'll can't get any internet activity between server and internet.
P.S. My thanks to Guyzer and Rebelllious for their advance in my discoverings
P.P.S. actually You don't need to stop iptables. Just make edit I wrote above, add 2 strings as discribed by OP and VPN will start without problems

[Evil Dead]

Well, I digged a little bit deeper and found port 1701 not needed here: it's for L2TP VPN connection. Our VPN definitely not L2TP, so I deleted this one from security group and everything looks fine: I tried surfing and dowloading both without any problem. So doing it other peeps seems good idea: less open ports, less security issues.

[DinLangkawi]

Will try this out.. thanks

Posted via CB10

[vladlem]

Thanks a lot for this guide. Followed it to set up a VPN server on a CentOS 6.5 (64 bit). Not on Amazon though but on a JiffyBox (German VPS provider).

Since there was no web interface to set up firewall exceptions I had to open the three ports mentioned in the beginning of the guide by editing /etc/sysconfig/iptables.

Code:

nano /etc/sysconfig/iptables

Code:

-A INPUT -m state --state NEW -m udp -p udp --dport 500 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 1701 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 4500 -j ACCEPT

Code:

 iptables-restore < /etc/sysconfig/iptables

I was now able to connect to the VPN but without internet connection. Adding the following line to the %default connection in ipsec.conf was what finally did it for me.

Code:

leftfirewall=yes

Complete ipsec.conf now looks like this:

Code:

config setup
    strictcrlpolicy=no

conn %default
   ikelifetime=24h
   keylife=24h
   keyexchange=ikev2
   dpdaction=clear
   dpdtimeout=3600s
   dpddelay=3600s
   compress=yes
   leftfirewall=yes

conn rem
   rekey=no
   leftsubnet=0.0.0.0/0
   leftauth=psk
   leftid=SERVER_PUBLIC_IP_ADDRESS
   right=%any
   rightsourceip=192.168.2.100/29
   rightauth=eap-mschapv2
   rightsendcert=never
   eap_identity=%any
   auto=add

[Guyzer]

I will try it out and update the howto thanks for your input

Posted via CB10

[Serge Simon]

Hello, i tried to follow this tutorial but I got stuck here:

[root@ip-172-31-40-7 ~]# ipsec start
Starting strongSwan 5.1.1 IPsec [starter]...
/etc/ipsec.conf:1: syntax error, unexpected STRING [Config]
unable to start strongSwan -- fatal errors in config

What should I do next?


In this instance config setup
strictcrlpolicy=no

conn %default
ikelifetime=24h
keylife=24h
keyexchange=ikev2
dpdaction=clear
dpdtimeout=3600s
dpddelay=3600s
compress=yes

conn rem
rekey=no
leftsubnet=0.0.0.0/0
leftauth=psk
leftid=SERVER_PUBLIC_IP_ADDRESS
right=%any
rightsourceip=192.168.2.100/29
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
auto=add

That bold part is to be replaced. only that one without the * at the end of the Ip... I tried this way and it does not work.

or I got another part wrong?