Hello, I can't seem to make a VPN to my home network work anymore, since several updates ago. Everything was working as intended, but for some reason it stopped working at one point; I think it was around the time the update to support WireGuard was rolled out. I tried IPsec with L2TP, IKEv2, and WireGuard.
Nothing seems to work, even though my public IP is pingable, same with my DDNS record.
Did someone run into the same issue?
Have you looked at the Route10 logs at all, or this post? IPsec - Site > Site - #3 by Alta-MikeD
Hello Jeff, yes I already looked; for me, it's for remote access. For the logs, I see some activity when I activate/deactivate the VPN, but no error when I try to connect from outside.
Also, I tried the command from MikeD's response in the other post; here is what I get:
root@JDB-AR1:/etc/swanctl# swanctl --list-sas
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
connecting to 'unix:///var/run/charon.vici' failed: Connection refused
Error: connecting to 'default' URI failed: Connection refused
strongSwan 5.9.14 swanctl
usage:
swanctl --list-sas [--ike |--ike-id ] [--child |--child-id ]
[--raw|--pretty]
--help (-h) show usage information
--ike (-i) filter IKE_SAs by name
--ike-id (-I) filter IKE_SAs by unique identifier
--child (-c) filter CHILD_SAs by name
--child-id (-C) filter CHILD_SAs by unique identifier
--noblock (-n) don't wait for IKE_SAs in use
--raw (-r) dump raw response message
--pretty (-P) dump raw response message in pretty print
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
--uri (-u) service URI to connect to
root@JDB-AR1:/etc/swanctl# swanctl --list-conns
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
connecting to 'unix:///var/run/charon.vici' failed: Connection refused
Error: connecting to 'default' URI failed: Connection refused
strongSwan 5.9.14 swanctl
usage:
swanctl --list-conns [--raw|--pretty]
--help (-h) show usage information
--raw (-r) dump raw response message
--pretty (-P) dump raw response message in pretty print
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
--uri (-u) service URI to connect to
root@JDB-AR1:/etc/swanctl# swanctl --list-certs
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
connecting to 'unix:///var/run/charon.vici' failed: Connection refused
Error: connecting to 'default' URI failed: Connection refused
strongSwan 5.9.14 swanctl
usage:
swanctl --list-certs [--subject <dn/san>] [--pem]
[--type x509|x509_ac|x509_crl|ocsp_response|pubkey]
[--flag none|ca|aa|ocsp|any] [--raw|--pretty|--short|--utc]
--help (-h) show usage information
--subject (-s) filter by certificate subject
--type (-t) filter by certificate type
--flag (-f) filter by X.509 certificate flag
--pem (-p) print PEM encoding of certificate
--raw (-r) dump raw response message
--pretty (-P) dump raw response message in pretty print
--short (-S) omit some certificate details
--utc (-U) use UTC for time fields
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
--uri (-u) service URI to connect to
root@JDB-AR1:/etc/swanctl# swanctl --list-pools
plugin 'kdf': failed to load - kdf_plugin_create not found and no plugin file available
connecting to 'unix:///var/run/charon.vici' failed: Connection refused
Error: connecting to 'default' URI failed: Connection refused
strongSwan 5.9.14 swanctl
usage:
swanctl --list-pools [--leases] [--raw|--pretty]
--help (-h) show usage information
--raw (-r) dump raw response message
--pretty (-P) dump raw response message in pretty print
--leases (-l) list leases of each pool
--name (-n) filter pools by name
--debug (-v) set debug level, default: 1
--options (-+) read command line options from file
--uri (-u) service URI to connect to
root@JDB-AR1:/etc/swanctl# cd
Seems to me there is an error with swanctl, or am I mistaken?
It looks like charon is not running at all, which usually indicates that a VPN server is not configured.
Can you grab the output of "cfg", and send your (redacted) /cfg/config.json file via DM?
I see the problem in your configuration. The port forward you have on port 8000 does not specify a destination, which makes it a wildcard, i.e. it tells it to forward every port coming into WAN to that LAN host on port 8000. Since nothing is listening on UDP 8000 on that host, it's sending an unreachable in response. Port forwards override anything bound locally on the router, by design and by the nature of iptables. So since that port forward was added as it currently stands, nothing would be able to connect to any services bound to Route10's WAN.
You just need to set the destination port as desired. If you use port 8000 from the WAN side too, then make the destination ":8000" so it only catches traffic coming into port 8000. Otherwise replace 8000 with whichever port you use WAN-side. So long as it's not 500 or 4500 (for IPsec types), or 51820 (for WireGuard), it'll be fine.
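The shadowing that MikeD describes can be checked mechanically rather than by reading config.json by eye. The POSIX shell script below is an added example, not Route10 or Alta Labs code: it reads `iptables-save -t nat` output and flags PREROUTING DNAT rules that either carry no `--dport` (a wildcard forward that diverts every port of that protocol, IKE and WireGuard included) or forward UDP 500, 4500 or 51820 away from the router. The interface name `eth0`, the LAN addresses, the assumption that the UI emits one rule per protocol, and the sample rule set are all constructed; the port numbers are the standard IKE, NAT-T and WireGuard ports quoted in the thread.

```shell
#!/bin/sh
# Added example, not Route10/Alta Labs code. Lints `iptables-save -t nat` output for
# port forwards that shadow the router's own VPN listeners: a PREROUTING DNAT rule
# without --dport is a wildcard for its protocol, and DNAT is applied before any
# socket bound on the router gets to see the packet.

# Standard IKE (500), IPsec NAT-T (4500) and WireGuard (51820) UDP ports.
VPN_UDP_PORTS="500 4500 51820"

# opt_value OPT RULE: print the argument following OPT in RULE (e.g. "-p" -> "udp",
# "--dport" -> "8000"); return 1 if OPT is absent from the rule.
opt_value() {
    opt=$1
    shift
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "$opt" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Read iptables-save lines on stdin; print one "<reason>: <rule>" line per risky
# PREROUTING DNAT rule. Returns 1 if anything was flagged, 0 if the table is clean.
check_dnat_rules() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            "-A PREROUTING "*"-j DNAT"*) ;;   # inbound port forwards only
            *) continue ;;
        esac
        proto=$(opt_value -p "$rule" || echo any)
        dport=$(opt_value --dport "$rule" || true)
        if [ -z "$dport" ]; then
            if [ "$proto" = tcp ]; then
                printf 'wildcard tcp forward (no --dport) catches every TCP port: %s\n' "$rule"
            else
                printf 'wildcard %s forward (no --dport) also diverts UDP %s: %s\n' \
                    "$proto" "$VPN_UDP_PORTS" "$rule"
            fi
            bad=1
            continue
        fi
        for p in $VPN_UDP_PORTS; do
            if [ "$dport" = "$p" ] && [ "$proto" != tcp ]; then
                printf "forward of UDP %s shadows the router's own VPN listener: %s\n" \
                    "$p" "$rule"
                bad=1
            fi
        done
    done
    return $bad
}

# Constructed sample mirroring the thread: the first two rules are the wildcard
# forward to the LAN host's port 8000 (assumed here to be emitted once per protocol);
# the last one is a port-specific forward that happens to steal NAT-T from the router.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -j DNAT --to-destination 192.168.1.50:8000
-A PREROUTING -i eth0 -p tcp -j DNAT --to-destination 192.168.1.50:8000
-A PREROUTING -i eth0 -p udp -m udp --dport 8000 -j DNAT --to-destination 192.168.1.50:8000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.20:443
-A PREROUTING -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination 192.168.1.30:4500
COMMIT'

# Lint the constructed sample; on a real box use: iptables-save -t nat | check_dnat_rules
lint_sample() {
    printf '%s\n' "$SAMPLE_NAT" | check_dnat_rules
}

if lint_sample; then
    echo "nat table clean"
else
    echo "fix the forwards above: give each one an explicit destination port other than 500/4500/51820"
fi
```

On the sample, the two wildcard rules and the UDP 4500 forward are reported and the script exits non-zero; the `--dport 8000` and `--dport 8443` forwards pass, which is exactly the corrected ":8000" configuration MikeD recommends.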