linux
Lelouch, 2018-12-29 22:51:47

Why does a VPN configured according to the standard and proven instructions in Yandex.Cloud not work?

Hello.
I needed to set up my own VPN in Russia for a couple of months. Since Yandex is currently giving away two months of access to its cloud, I decided to use it.
I set up StrongSwan on CentOS 7. And it didn't work for me. I'm not strong in administration, so I found the instructions which I had already used to set up a server on DigitalOcean myself. I repeated everything exactly, step by step. But for some reason it didn't work again. The connection is established fine, but no traffic flows: sites do not open, ping and traceroute do not go through. The certificate is from Let's Encrypt.
ipsec.conf

#global configuration IPsec
#chron logger
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

#define new ipsec connection
conn hakase-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@тут_мой_домен
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.15.1.0/24
    rightdns=1.1.1.1,8.8.8.8
    rightsendcert=never
    eap_identity=%identity

ipsec.secrets
: RSA "privkey.pem"
user : EAP "password"

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client http https ipsec
  ports: 500/udp 4500/udp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  rule protocol value="esp" accept
  rule protocol value="ah" accept

# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

I suspect that the problem is in the network settings. Apparently Yandex has something tricky there. After all, the virtual machine there ends up being created inside a virtual network. And I'm a complete zero at networking. I will be grateful for any help.
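As an added example (not code from the original post or from strongSwan), a small audit script that parses the conn block of an ipsec.conf and flags every proposal in the ike= and esp= lists that still contains modp1024, 3DES or SHA-1, all of which the configuration above accepts in bulk. The sample config and the table of components to flag are constructed for this example.

```python
import re

# Components that should not survive in a hardened proposal list.
WEAK = {
    "modp1024": "1024-bit DH group 2 is too small",
    "3des": "3DES is deprecated (64-bit block size)",
    "sha1": "SHA-1 integrity/PRF is deprecated",
}

# Constructed sample: a shortened form of the conn block in the question.
SAMPLE_CONF = """\
config setup
    uniqueids=no

conn hakase-vpn
    keyexchange=ikev2
    ike=aes256gcm16-sha384-ecp384,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256gcm16-ecp384,aes128-sha1,aes256-sha256-modp2048!
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None        # 'config setup' -> None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:      # key=value inside a conn
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def audit_proposals(value):
    """Return [(proposal, [reasons])] for each proposal containing a weak part."""
    findings = []
    for proposal in value.rstrip("!").split(","):      # '!' is the strict flag
        reasons = [WEAK[c] for c in proposal.split("-") if c in WEAK]
        if reasons:
            findings.append((proposal, reasons))
    return findings

def audit_conf(text):
    """Return {conn: {'ike': findings, 'esp': findings}} for the whole file."""
    return {name: {k: audit_proposals(v) for k, v in keys.items() if k in ("ike", "esp")}
            for name, keys in parse_conns(text).items()}
```

Run it over the real /etc/strongswan/ipsec.conf and drop every flagged proposal; modern clients negotiate AES-GCM with ECP or modp2048+ without them.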

3 answers

Lelouch, 2020-02-08

By the way, the problem was eventually resolved through Yandex support. I had ticked the DDoS protection box for nothing (in general, you can tick that box in the end, but they implemented this protection there in some clever way, so that the VPN did not work).

solalex, 2018-12-30

Answer: ask Yandex.Cloud technical support.

CityCat4, 2018-12-30

VPN in Russia

Is this a joke, haha? It is quite possible that port 500 was simply banned for the New Year holidays, just in case, so to speak ...
If you do not understand what you are doing, do not take up certificate authentication. Use PSK. There is a ton of documentation on the StrongSwan site.
