strongswan: 07[IKE] no IKE config found for , sending NO_PROPOSAL_CHOSEN - vpn

I have configured a VPN gateway and a tunnel, but it's not coming up; I am getting the error below.
charon: 13[IKE] no IKE config found for 10.0.1.211...125.17.97.4, sending NO_PROPOSAL_CHOSEN

This indicates that there was no match between the algorithms configured on the pair of VPN gateways.
Please note that in IKEv1 the set of algorithms must be a complete match, while in IKEv2 there must be one common algorithm between the two configurations (see VPN Troubleshooting).
a) You should configure:
keyexchange=ike, for IKEv1 and IKEv2 support, but initiate with IKEv2.
b) Also, change the ikelifetime for IKEv2 to 36000s (10 hrs). You can see all the parameters for VPNs in GCP under Supported IKE ciphers.
c) Also remember, EAP is not supported on Cloud VPN.
d) Finally, a good guide for creating a VPN between GCP and strongSwan: VPN between strongSwan and Cloud VPN.
Good Luck!
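As an added example (my own code, not from the answer above, strongSwan or the GCP documentation), the checker below parses an ipsec.conf and flags the three settings the answer warns about: a keyexchange that excludes IKEv2, an ikelifetime other than 36000s, and any EAP authentication. It also pulls the address pair out of the charon message quoted in the question: charon logs "no IKE config found for A...B" when no conn's left/right (and IKE version) matches the incoming IKE_SA_INIT, so the checker additionally confirms that the conn covers that pair. Both sample configs are constructed; the conn name, the PSK choice and the 8h value in the "before" config are assumptions for illustration.

```python
import re

# Constructed sample configs (not from the original post). The addresses come
# from the log line in the question; the conn name and other values are made up.
IPSEC_CONF_BEFORE = """\
config setup
    charondebug="ike 2, cfg 2"

conn gcp-tunnel
    keyexchange=ikev1        # IKEv1 only: an IKEv2 peer finds no config
    ikelifetime=8h
    leftauth=eap-mschapv2    # EAP is not supported on Cloud VPN
    left=10.0.1.211
    right=125.17.97.4
"""

IPSEC_CONF_AFTER = """\
conn gcp-tunnel
    keyexchange=ike          # accept IKEv1 and IKEv2, initiate with IKEv2
    ikelifetime=36000s       # 10 h, as recommended for IKEv2 on Cloud VPN
    authby=psk
    left=10.0.1.211
    right=125.17.97.4
"""

_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
_NO_CONFIG_RE = re.compile(
    r"no IKE config found for (\S+?)\.\.\.(\S+?), sending NO_PROPOSAL_CHOSEN")


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {"conn NAME": {key: value}, "config setup": {...}}.

    Section headers start in column 0 and their key=value lines are indented;
    comments (# ...) and blank lines are skipped and quotes around values dropped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def lifetime_seconds(value):
    """Convert a strongSwan time value ("36000s", "10h", "600") to seconds."""
    match = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not match:
        raise ValueError(f"unrecognised time value: {value!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def check_conn(conn):
    """Findings for one conn section; an empty list means it follows the advice above."""
    findings = []
    keyexchange = conn.get("keyexchange", "ike")
    if keyexchange not in ("ike", "ikev2"):
        findings.append(f"keyexchange={keyexchange}: use keyexchange=ike so IKEv2 is accepted")
    ikelifetime = conn.get("ikelifetime", "3h")
    if lifetime_seconds(ikelifetime) != 36000:
        findings.append(f"ikelifetime={ikelifetime}: set 36000s (10 h) for IKEv2")
    for key in ("authby", "leftauth", "rightauth"):
        if conn.get(key, "").startswith("eap"):
            findings.append(f"{key}={conn[key]}: EAP is not supported on Cloud VPN")
    return findings


def parse_no_config_line(line):
    """(local, remote) from charon's 'no IKE config found for L...R' message, else None."""
    match = _NO_CONFIG_RE.search(line)
    return (match.group(1), match.group(2)) if match else None


def conn_covers(conn, local, remote):
    """True if the conn's left/right can match the address pair charon reported.

    charon logs that message when no conn matches the local...remote pair (and
    IKE version) of an incoming IKE_SA_INIT, so a conn whose left/right do not
    cover the pair is never selected, whatever algorithms it proposes.
    """
    return (conn.get("left") in (local, "%any", "%defaultroute")
            and conn.get("right") in (remote, "%any"))


if __name__ == "__main__":
    log_line = ("charon: 13[IKE] no IKE config found for 10.0.1.211...125.17.97.4, "
                "sending NO_PROPOSAL_CHOSEN")
    local, remote = parse_no_config_line(log_line)
    for label, text in (("before", IPSEC_CONF_BEFORE), ("after", IPSEC_CONF_AFTER)):
        conn = parse_ipsec_conf(text)["conn gcp-tunnel"]
        print(f"{label}: covers {local}...{remote}: {conn_covers(conn, local, remote)}")
        for finding in check_conn(conn) or ["no findings"]:
            print("   ", finding)
```

Run it against your own ipsec.conf by replacing the sample text with `open("/etc/ipsec.conf").read()`; a conn that passes `check_conn` but fails `conn_covers` for the pair in the log is the case where the algorithms are fine and the problem is that left/right do not name the addresses charon actually saw.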

Related

HTTP or HTTPS on virtual private cloud (VPC)?

Should I use HTTP or HTTPS to communicate between services on my virtual private network (VPC)? What are the risks (if any) of using HTTP in such scenario?
My naive reasoning is that, given the inherent privacy of the network, HTTP should suffice for internal communication between servers inside said network. Am I wrong to make such an assumption?
I've searched through GCloud VPC documentation, yet can't find anything regarding this question. I've also found this article on AWS HTTPS, yet again no indication as to whether one or other should be preferred.
I'd link up more sources, but I cannot find any articles arguing for either.
As per my understanding, a VPC network isolates the traffic and puts some security measures in place that prevent your traffic from being seen from a different VPC. That being said, the security of the resources is a shared responsibility in cloud environments. In case there is a security breach inside GCP that allows someone to gain access to my VPC and sniff the traffic, if I'm using HTTPS, the communication is encrypted and I am adding another layer of security. Therefore, I would always go with the safest option (HTTPS).

Project Zomboid Server Google Compute Engine

I've been trying to set up a server using Google Compute Engine but find myself being stuck.
I've installed everything that needs to be installed and I can start the server, no problem. The only thing is, I'm unable to connect to the server.
I've opened the required ports in a firewall rule (udp:16261; tcp:16262-16270) for all source IPs as normal, but when I try to connect, I get this message on the server's console:
User jet is trying to connect.
Connected new client jet ID # 0 and assigned DL port 16262
testing TCP download port 16262
And it waits and waits, nothing happens. I'm pretty sure it's because no connection has been requested from outside the network on that specific port (16262), so the outgoing traffic can't be sent, but I was wondering if anyone else has tried to make it work.
Thanks for your help, guys!
According to the documentation, in the "Forwarding Required Ports" section:
Project Zomboid dedicated servers require the following open ports to successfully connect to clients:
8766 UDP
16261 UDP
If the client's public IP address is known, you can perform basic troubleshooting within Google Compute Engine using Cloud Logging. A basic query returning all the logs containing that IP address as source or destination would be:
jsonPayload.connection.src_ip="public-ip-address" OR jsonPayload.connection.dest_ip="public-ip-address"
Firewall Rules Logging has to be "on" for every rule involved in the connection. Follow these steps for Enabling firewall rules logging.
For troubleshooting purposes an "allow all" Firewall rule can be created and logging enabled on it, that would allow you to see exactly what ports are involved.
Note: If too much traffic hits the firewall rule(s), it can lead to unanticipated storage costs. Please enable firewall rules logging just for troubleshooting purposes, and don't forget to disable it after you're done.
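As an added example (my own code, not from the answer above or from Google), the script below applies the same src_ip/dest_ip predicate as the Logs Explorer query in the answer to a handful of exported firewall-rule log entries and summarises the destination ports and dispositions seen for one client, which is exactly what you want from a temporary "allow all" rule with logging on. The entries are constructed to follow the jsonPayload shape of VPC firewall rules logs (connection, disposition, rule_details) but all addresses, ports and rule names are made up; the DENIED entry for udp/8766 is there to show the port the question's rule does not open.

```python
from collections import Counter

# Constructed entries in the shape of VPC firewall rules logs, trimmed to the
# jsonPayload fields used here; the addresses, ports and rule names are made up.
# 203.0.113.10 plays the game client, 10.128.0.5 the server's internal address.
SAMPLE_ENTRIES = [
    {"jsonPayload": {"connection": {"src_ip": "203.0.113.10", "src_port": 54021,
                                    "dest_ip": "10.128.0.5", "dest_port": 16261, "protocol": 17},
                     "disposition": "ALLOWED",
                     "rule_details": {"reference": "network:default/firewall:zomboid"}}},
    {"jsonPayload": {"connection": {"src_ip": "203.0.113.10", "src_port": 54022,
                                    "dest_ip": "10.128.0.5", "dest_port": 16262, "protocol": 6},
                     "disposition": "ALLOWED",
                     "rule_details": {"reference": "network:default/firewall:zomboid"}}},
    {"jsonPayload": {"connection": {"src_ip": "203.0.113.10", "src_port": 54023,
                                    "dest_ip": "10.128.0.5", "dest_port": 8766, "protocol": 17},
                     "disposition": "DENIED",
                     "rule_details": {"reference": "network:default/firewall:default-deny-ingress"}}},
    {"jsonPayload": {"connection": {"src_ip": "198.51.100.7", "src_port": 40001,
                                    "dest_ip": "10.128.0.5", "dest_port": 22, "protocol": 6},
                     "disposition": "DENIED",
                     "rule_details": {"reference": "network:default/firewall:default-deny-ingress"}}},
]
PROTOCOL_NAMES = {6: "tcp", 17: "udp"}


def logging_filter(ip):
    """The Logs Explorer query from the answer above, for one address."""
    return (f'jsonPayload.connection.src_ip="{ip}" OR '
            f'jsonPayload.connection.dest_ip="{ip}"')


def matching_entries(entries, ip):
    """The same predicate as logging_filter(), applied locally to exported entries."""
    out = []
    for entry in entries:
        conn = entry.get("jsonPayload", {}).get("connection", {})
        if ip in (conn.get("src_ip"), conn.get("dest_ip")):
            out.append(entry)
    return out


def port_summary(entries, ip):
    """Count (protocol number, dest_port, disposition) over every entry involving ip."""
    counts = Counter()
    for entry in matching_entries(entries, ip):
        payload = entry["jsonPayload"]
        conn = payload["connection"]
        counts[(conn["protocol"], conn["dest_port"], payload["disposition"])] += 1
    return dict(counts)


def denied_ports(entries, ip):
    """Sorted (protocol, dest_port, rule) triples the firewall DENIED for ip.

    These are the ports no allow rule covers; with a temporary "allow all"
    rule in place for troubleshooting this list should come back empty.
    """
    denied = set()
    for entry in matching_entries(entries, ip):
        payload = entry["jsonPayload"]
        if payload["disposition"] == "DENIED":
            conn = payload["connection"]
            proto = PROTOCOL_NAMES.get(conn["protocol"], str(conn["protocol"]))
            denied.add((proto, conn["dest_port"], payload["rule_details"]["reference"]))
    return sorted(denied)


if __name__ == "__main__":
    client = "203.0.113.10"
    print(logging_filter(client))
    for (proto, port, disp), n in sorted(port_summary(SAMPLE_ENTRIES, client).items()):
        print(f"{PROTOCOL_NAMES.get(proto, proto)}/{port}: {disp} x{n}")
    print("denied:", denied_ports(SAMPLE_ENTRIES, client))
```

To use it on real data, export the matching entries from Logs Explorer as JSON (or read them via the Cloud Logging client) and pass the list of entry dicts in place of SAMPLE_ENTRIES.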

How to Enable SOCKS to a SSH supported Server

Case
I own a single VPS hosting account at Hostgator and also a shared hosting account. This question is mostly intended to gain knowledge, so I would much rather have a good explanation than a how-to.
I truly apologise for mentioning their name, but I had to say it so that someone who knows has the required information to help me.
With any type of their accounts an SSH login is provided, but root access to it is only available with VPS hosting.
What I want to do
I want to create a private tunnel to encrypt my browsing data between external servers and my home PC so that my ISP cannot modify or read the data that belong to me.
Question
If I have SSH supported by provider on the server side, does it mean that I have SOCKS5 too?
What else is needed for me to set-up my secure tunnel to find way out using my existing web server account?
If SOCKS5 doesn't come for free with shared hosting servers, or if it's not possible, how can one use SOCKS5 with such servers and establish a secure connection?
SSH supports creating a SOCKS tunnel with the -D option. See http://wiki.vpslink.com/Instant_SOCKS_Proxy_over_SSH for more details on how to use it. But this will only be a SOCKS4, not a SOCKS5 tunnel, which means that DNS lookups will still be done outside the tunnel.
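As an added example (my own code, not from the answer above or from OpenSSH), here is the SOCKS5 CONNECT exchange a client performs against the listener that `ssh -D 1080 -N user@vps` opens on 127.0.0.1:1080. OpenSSH's -D listener implements both SOCKS4 and SOCKS5 (ssh(1) documents both); in the SOCKS5 form the client can hand over the hostname unresolved (address type 3), so the lookup happens on the VPS end, which is the property a browser's "proxy DNS" setting relies on. No root access is needed for -D, only a shell-enabled SSH account on a server whose sshd has not disabled AllowTcpForwarding; whether a given shared-hosting plan permits that is an assumption you have to check with the provider. The FakeProxy class and its canned reply bytes are constructed so the handshake can be exercised offline.

```python
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def build_greeting():
    """Version 5, one method offered: no authentication (what ssh -D accepts)."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect(host, port):
    """CONNECT request. A literal IP is sent as ATYP 1/4; any other host string
    goes as ATYP 3 (domain name), so the ssh server, not the client, resolves it."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            addr = bytes([atyp]) + socket.inet_pton(family, host)
            break
        except OSError:
            continue
    else:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS replies are not newline-delimited."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def read_reply(sock):
    """Read a variable-length reply and return (code, bound_addr, bound_port)."""
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != SOCKS_VERSION:
        raise ValueError(f"unexpected reply version {ver}")
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntop(socket.AF_INET, recv_exact(sock, 4))
    elif atyp == ATYP_IPV6:
        addr = socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    elif atyp == ATYP_DOMAIN:
        addr = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    else:
        raise ValueError(f"unknown address type {atyp}")
    port = struct.unpack("!H", recv_exact(sock, 2))[0]
    return rep, addr, port


def socks5_connect(sock, host, port):
    """Run greeting + CONNECT over an already-connected socket; afterwards the
    same socket carries the TCP stream to host:port through the SSH tunnel."""
    sock.sendall(build_greeting())
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != METHOD_NO_AUTH:
        raise ConnectionError(f"proxy rejected method selection: {ver:#x}/{method:#x}")
    sock.sendall(build_connect(host, port))
    rep, addr, bound_port = read_reply(sock)
    if rep != 0:
        raise ConnectionError(REPLY_TEXT.get(rep, f"reply code {rep}"))
    return addr, bound_port


class FakeProxy:
    """Constructed stand-in for the ssh listener so the handshake runs offline:
    replays a canned byte string and records everything the client sent."""
    def __init__(self, canned):
        self.canned, self.sent = canned, b""

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        chunk, self.canned = self.canned[:n], self.canned[n:]
        return chunk


if __name__ == "__main__":
    # Offline demo with a canned "succeeded" reply (bound address 0.0.0.0:0).
    # Against a real tunnel use socket.create_connection(("127.0.0.1", 1080)).
    proxy = FakeProxy(bytes([5, 0]) + bytes([5, 0, 0, 1, 0, 0, 0, 0, 0, 0]))
    print(socks5_connect(proxy, "example.com", 443), proxy.sent.hex())
```

The point to take from the bytes: `build_connect("example.com", 443)` never calls the local resolver, so with this request shape nothing about the destination name leaves the machine except inside the SSH connection.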

Do firewalls block non-HTTP traffic on port 80?

Can anyone confirm that using a persistent outgoing TCP connection on port 80 will not be blocked by the vast majority of consumer firewalls?
That has been my assumption, based on the fact that HTTP runs over TCP, but of course it is theoretically possible to analyze the packets. The question is, do most CONSUMER firewalls do this or not?
The feature is called ALG, Application Layer Gateway. This is where the firewall is aware of, and perhaps even participates in, an application protocol.
There are two main reasons a firewall may do this:
Protocol support: in order to support the protocol it is necessary to snoop on or participate in it, e.g. opening up additional ports for non-passive FTP or media ports for SIP+SDP
Additional security: an ALG may function as a transparent proxy and filter protocol commands and actions to enforce policy, e.g. preventing the HTTP CONNECT method
ALGs have been a common feature of stateful firewalls for many years, though often the source of instability.
For security-proscriptive environments, expect HTTP to be validated and filtered either by a firewall or by another dedicated policy enforcement appliance.
Residential broadband routers do not tend to have advanced firewall features. I would be surprised to find any with HTTP validation / filtering on port 80.
Personal software firewalls come in two flavours, basic and advanced. Most consumers will have a basic one that probably comes with their operating system and will not do any HTTP validation / filtering.
However, there is a rising trend in antivirus product differentiation towards advanced internet content filtering for threat protection; there is a significant possibility that these may filter HTTP activity (though it is difficult to determine with certainty from their feature lists).
It's almost impossible to answer this question with anything other than "it depends".
Most leading firewall vendor solutions will do this through their configuration.
You will find paranoid organisations (financial, government, military, gambling etc) will typically have such application intelligence enabled. They will detect the traffic as not valid HTTP and so block it for both security and performance reasons.
This type of feature is (these days) typically turned on by default and as you know, most people don't change a default configuration after the vendor or consultant has left.
However, some companies, where the techies don't understand or they have no power in the decision-making, will turn such application intelligence off because it interferes with business, i.e. internal apps or external apps (running on the LAN and connecting back), developed as bespoke solutions, work over TCP port 80 (hey, it's always open) and are non-http.
You don't just have to worry about firewalls, though: most companies run internal proxy servers for outgoing traffic, and these typically now only allow valid HTTP on port 80. Their configuration isn't changed, as a proxy server is usually requested by the infrastructure and security teams and they don't want non-HTTP over port 80. Additionally, there are also load balancers, and they're typically configured for HTTP on port 80, for a variety of reasons such as content switching, rewrites, load balancing and security.
To summarise, in my experience, that'd be a yes but I haven't worked a lot with SMEs, primarily larger corporates.
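As an added example (my own code, not from either answer above or from any firewall vendor), the function below makes the decision an HTTP ALG makes on the first bytes a client sends on port 80: is this an HTTP/1.x request line, and is the method one the policy allows. It blocks CONNECT by default, the case the first answer gives, and treats an HTTP/1.1 request without a Host header as invalid. The SAMPLES dict is constructed to show what such a gateway does with a browser request, a CONNECT attempt, a TLS ClientHello, an SSH banner and a home-grown binary protocol; the 8192-byte limit and the strict method list are assumptions standing in for a product's tunables.

```python
import re

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(1\.[01])\r\n")
MAX_REQUEST_LINE = 8192     # give up waiting for a request line after this many bytes


def classify_stream(first_bytes, deny_connect=True):
    """Verdict an HTTP ALG would give on the client's opening bytes of a port-80 stream.

    Returns (verdict, reason): "allow", "block", or "pending" when there is not
    enough data to judge yet. Only HTTP/1.0 and HTTP/1.1 request lines pass,
    and CONNECT is blocked by default, which is how a gateway stops port 80
    being used as an arbitrary TCP relay.
    """
    if not first_bytes:
        return "pending", "no data yet"
    if not 0x41 <= first_bytes[0] <= 0x5A:            # methods are upper-case tokens
        return "block", "first byte is not an ASCII method character"
    if b"\r\n" not in first_bytes:
        if len(first_bytes) < MAX_REQUEST_LINE:
            return "pending", "request line not complete"
        return "block", "no request line within the first 8192 bytes"
    match = REQUEST_LINE.match(first_bytes)
    if not match:
        return "block", "not an HTTP/1.x request line"
    method = match.group(1).decode()
    if method not in HTTP_METHODS:
        return "block", f"unknown method {method}"
    if method == "CONNECT" and deny_connect:
        return "block", "CONNECT method denied by policy"
    if match.group(3) == b"1.1" and b"\r\n\r\n" in first_bytes:
        headers = first_bytes.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
        if not any(h.lower().startswith(b"host:") for h in headers):
            return "block", "HTTP/1.1 request without Host header"
    return "allow", method


# Constructed opening segments of traffic a firewall might see on TCP port 80.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "tunnel":  b"CONNECT mail.example.net:993 HTTP/1.1\r\nHost: mail.example.net:993\r\n\r\n",
    "tls":     b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",   # record header + ClientHello start
    "ssh":     b"SSH-2.0-OpenSSH_9.6\r\n",
    "custom":  b"\x00\x00\x00\x10PING\x00\x00\x00\x01",             # length-prefixed binary protocol
    "partial": b"GET /very/long/path",                              # request line still in flight
    "no_host": b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n",
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = classify_stream(data)
        print(f"{name:8} {verdict:8} {reason}")
```

A stream that never sends a CRLF sits in "pending" until the byte budget runs out, so a real gateway pairs this check with an idle timeout; a persistent non-HTTP connection on port 80 therefore survives only where no such inspection is in the path, which is the "it depends" of the answers above.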
Port 80 is blocked by many firewalls; for example, you have to add exceptions, like I allow Skype or MSN Messenger to use port 80 for outgoing traffic.

Website currently being viewed

I have 50 machines on a LAN, and each of these has internet access. Can a program be developed using VC++ which will tell what websites are being opened by users on each machine?
You can easily accomplish this by writing an application which captures packets outbound on port 80 (and the associated DNS information). The problem is that this application must run on every client computer which you want to trace. The easier method, as stated by others, is to take advantage of your network architecture and tunnel all traffic through a central proxy which can record the same information.
There are many enterprise tools suited to just this task in the latter instance.
Route your internet traffic through a centralized proxy and monitor the traffic from the proxy, say using Fiddler or something else. In case proxying is not possible, use Fiddler to generate data at a known location and then collate it at the required intervals.
Install a firewall, if you don't already have one, and use it to log connections.
