<div dir="ltr"><div><div>Hi,<br><br></div><div>I'm seeing this issue when I try to connect to my VPN gateway (Linux box) with some public IP. I see that IKE_SA_INIT messages are exchanged successfully between my Android device and my VPN gateway. However, the next message, IKE_AUTH, never reaches the gateway. The tcpdump logs from my Android device show that the IKE_AUTH messages are being sent from the Android device.<br>
<br></div><div>I've enabled port forwarding for UDP ports 500 and 4500 on my Wi-Fi router but still do not see any improvement. Also, the netfilter logs at the other end do not show any packet drops.<br></div><div>
<br></div><div>Logcat output from the Android device:<br><br>01-03 11:31:42.807 I/charon ( 4893): 11[IKE] initiating IKE_SA android[3] to 27.61.179.244<br>01-03 11:31:42.940 I/charon ( 4893): 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
01-03 11:31:42.940 I/charon ( 4893): 11[NET] sending packet: from 172.16.1.76[33612] to 27.61.179.244[500] (756 bytes)<br>01-03 11:31:44.940 I/charon ( 4893): 14[IKE] retransmit 1 of request with message ID 0<br>01-03 11:31:44.940 I/charon ( 4893): 14[NET] sending packet: from 172.16.1.76[33612] to 27.61.179.244[500] (756 bytes)<br>
01-03 11:31:46.260 I/charon ( 4893): 15[NET] received packet: from 27.61.179.244[500] to 172.16.1.76[33612] (440 bytes)<br>01-03 11:31:46.268 I/charon ( 4893): 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
01-03 11:31:46.424 I/charon ( 4893): 15[IKE] local host is behind NAT, sending keep alives<br>01-03 11:31:46.768 I/charon ( 4893): 15[IKE] establishing CHILD_SA android<br>01-03 11:31:46.768 I/charon ( 4893): 15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
01-03 11:31:46.776 I/charon ( 4893): 15[NET] sending packet: from 172.16.1.76[55860] to 27.61.179.244[4500] (3068 bytes)<br>01-03 11:31:47.198 I/charon ( 4893): 16[NET] received packet: from 27.61.179.244[500] to 172.16.1.76[33612] (440 bytes)<br>
01-03 11:31:47.206 I/charon ( 4893): 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>01-03 11:31:47.206 I/charon ( 4893): 16[IKE] received message ID 0, expected 1. Ignored<br>
01-03 11:31:48.776 I/charon ( 4893): 02[IKE] retransmit 1 of request with message ID 1<br>01-03 11:31:48.776 I/charon ( 4893): 02[NET] sending packet: from 172.16.1.76[55860] to 27.61.179.244[4500] (3068 bytes)<br>01-03 11:31:51.573 I/charon ( 4893): 01[IKE] retransmit 2 of request with message ID 1<br>
01-03 11:31:51.581 I/charon ( 4893): 01[NET] sending packet: from 172.16.1.76[55860] to 27.61.179.244[4500] (3068 bytes)<br>01-03 11:31:55.495 I/charon ( 4893): 12[IKE] retransmit 3 of request with message ID 1<br>01-03 11:31:55.502 I/charon ( 4893): 12[NET] sending packet: from 172.16.1.76[55860] to 27.61.179.244[4500] (3068 bytes)<br>
01-03 11:32:00.987 I/charon ( 4893): 13[IKE] giving up after 3 retransmits<br>01-03 11:32:00.987 ( 4893): SetErrorDisconnect<br>01-03 11:32:00.987 ( 4893): setErrorDisconnect: UNREACHABLE<br>01-03 11:32:00.987 ( 4893): disconnect()<br>
01-03 11:32:00.995 I/charon ( 4893): 13[IKE] peer not responding, trying again (2/0)<br>01-03 11:32:00.995 I/charon ( 4893): 13[IKE] initiating IKE_SA android[3] to 27.61.179.244<br></div><div><br><br>Tcpdump logs from the Android device:<br>
<br>tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes<br>11:31:42.945067 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 784) 172.16.1.76.33612 > 27.61.179.244.isakmp: isakmp 2.0 msgid cookie ->: phase 1 I #34[]: [|#33]<br>
11:31:42.945708 IP (tos 0x0, ttl 64, id 48303, offset 0, flags [DF], proto UDP (17), length 70) 172.16.1.76.61526 > google-public-dns-a.google.com.domain: [udp sum ok] 44430+ PTR? 76.1.16.172.in-addr.arpa. (42)<br>11:31:43.080718 IP (tos 0x0, ttl 43, id 28320, offset 0, flags [none], proto UDP (17), length 70) google-public-dns-a.google.com.domain > 172.16.1.76.61526: [udp sum ok] 44430 NXDomain q: PTR? 76.1.16.172.in-addr.arpa. 0/0/0 (42)<br>
11:31:43.081878 IP (tos 0x0, ttl 64, id 48320, offset 0, flags [DF], proto UDP (17), length 72) 172.16.1.76.50551 > google-public-dns-a.google.com.domain: [udp sum ok] 32715+ PTR? 244.179.61.27.in-addr.arpa. (44)<br>11:31:43.175078 IP (tos 0x0, ttl 43, id 54802, offset 0, flags [none], proto UDP (17), length 161) google-public-dns-a.google.com.domain > 172.16.1.76.50551: 32715 NXDomain q: PTR? 244.179.61.27.in-addr.arpa. 0/1/0 ns: 27.in-addr.arpa. (133)<br>
11:31:43.176635 IP (tos 0x0, ttl 64, id 48332, offset 0, flags [DF], proto UDP (17), length 66) 172.16.1.76.59663 > google-public-dns-a.google.com.domain: [udp sum ok] 16386+ PTR? 8.8.8.8.in-addr.arpa. (38)<br>11:31:43.265655 IP (tos 0x0, ttl 43, id 778, offset 0, flags [none], proto UDP (17), length 110) google-public-dns-a.google.com.domain > 172.16.1.76.59663: 16386 q: PTR? 8.8.8.8.in-addr.arpa. 1/0/0 8.8.8.8.in-addr.arpa. PTR[|domain]<br>
11:31:44.948638 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 784) 172.16.1.76.33612 > 27.61.179.244.isakmp: isakmp 2.0 msgid cookie ->: phase 1 I #34[]: [|#33]<br>11:31:46.265807 IP (tos 0x10, ttl 53, id 0, offset 0, flags [DF], proto UDP (17), length 468) 27.61.179.244.isakmp > 172.16.1.76.33612: isakmp 2.0 msgid cookie ->: phase 1 R #34[]: [|#33]<br>
11:31:46.779479 IP (tos 0x0, ttl 64, id 42492, offset 0, flags [+], proto UDP (17), length 1500) 172.16.1.76.55860 > 27.61.179.244.4500: NONESP-encap: isakmp 2.0 msgid cookie ->: phase 2/others I #35[]: [|#46] (len mismatch: isakmp 3068/ip 1468)<br>
protoent* getprotobynumber(int)(3) is not implemented on Android<br>11:31:46.779998 IP (tos 0x0, ttl 64, id 42492, offset 1480, flags [+], proto UDP (17), length 1500) 172.16.1.76 > <a href="http://27.61.179.244">27.61.179.244</a>: ip-proto-17<br>
protoent* getprotobynumber(int)(3) is not implemented on Android<br>11:31:46.780395 IP (tos 0x0, ttl 64, id 42492, offset 2960, flags [none], proto UDP (17), length 140) 172.16.1.76 > <a href="http://27.61.179.244">27.61.179.244</a>: ip-proto-17<br>
11:31:47.204681 IP (tos 0x10, ttl 53, id 0, offset 0, flags [DF], proto UDP (17), length 468) 27.61.179.244.isakmp > 172.16.1.76.33612: isakmp 2.0 msgid cookie ->: phase 1 R #34[]: [|#33]<br>11:31:47.950622 arp who-has 172.16.1.1 tell 172.16.1.76<br>
11:31:47.951507 IP (tos 0x0, ttl 64, id 48944, offset 0, flags [DF], proto UDP (17), length 69) 172.16.1.76.17358 > google-public-dns-a.google.com.domain: [udp sum ok] 18140+ PTR? 1.1.16.172.in-addr.arpa. (41)<br>11:31:47.974547 arp reply 172.16.1.1 is-at 10:6f:3f:29:01:f0 (oui Unknown)<br>
11:31:48.048278 IP (tos 0x0, ttl 43, id 43054, offset 0, flags [none], proto UDP (17), length 69) google-public-dns-a.google.com.domain > 172.16.1.76.17358: [udp sum ok] 18140 NXDomain q: PTR? 1.1.16.172.in-addr.arpa. 0/0/0 (41)<br>
11:31:48.782622 IP (tos 0x0, ttl 64, id 42493, offset 0, flags [+], proto UDP (17), length 1500) 172.16.1.76.55860 > 27.61.179.244.4500: NONESP-encap: isakmp 2.0 msgid cookie ->: phase 2/others I #35[]: [|#46] (len mismatch: isakmp 3068/ip 1468)<br>
protoent* getprotobynumber(int)(3) is not implemented on Android<br>11:31:48.784759 IP (tos 0x0, ttl 64, id 42493, offset 1480, flags [+], proto UDP (17), length 1500) 172.16.1.76 > <a href="http://27.61.179.244">27.61.179.244</a>: ip-proto-17<br>
protoent* getprotobynumber(int)(3) is not implemented on Android<br>11:31:48.785552 IP (tos 0x0, ttl 64, id 42493, offset 2960, flags [none], proto UDP (17), length 140) 172.16.1.76 > <a href="http://27.61.179.244">27.61.179.244</a>: ip-proto-17<br>
11:31:51.586364 IP (tos 0x0, ttl 64, id 42494, offset 0, flags [+], proto UDP (17), length 1500) 172.16.1.76.55860 > 27.61.179.244.4500: NONESP-encap: isakmp 2.0 msgid cookie ->: phase 2/others I #35[]: [|#46] (len mismatch: isakmp 3068/ip 1468)<br>
protoent* getprotobynumber(int)(3) is not implemented on Android<br>11:31:51.587188 IP (tos 0x0, ttl 64, id 42494, offset 1480, flags [+], proto UDP (17), length 1500) 172.16.1.76 > <a href="http://27.61.179.244">27.61.179.244</a>: ip-proto-17<br>
protoent* getprotobynumber(int)(3) is not implemented on Android<br>11:31:51.588378 IP (tos 0x0, ttl 64, id 42494, offset 2960, flags [none], proto UDP (17), length 140) 172.16.1.76 > <a href="http://27.61.179.244">27.61.179.244</a>: ip-proto-17<br>
11:31:55.508330 IP (tos 0x0, ttl 64, id 42495, offset 0, flags [+], proto UDP (17), length 1500) 172.16.1.76.55860 > 27.61.179.244.4500: NONESP-encap: isakmp 2.0 msgid cookie ->: phase 2/others I #35[]: [|#46] (len mismatch: isakmp 3068/ip 1468)<br>
protoent* getprotobynumber(int)(3) is not implemented on Android<br>11:31:55.509521 IP (tos 0x0, ttl 64, id 42495, offset 1480, flags [+], proto UDP (17), length 1500) 172.16.1.76 > <a href="http://27.61.179.244">27.61.179.244</a>: ip-proto-17<br>
protoent* getprotobynumber(int)(3) is not implemented on Android<br>11:31:55.510772 IP (tos 0x0, ttl 64, id 42495, offset 2960, flags [none], proto UDP (17), length 140) 172.16.1.76 > <a href="http://27.61.179.244">27.61.179.244</a>: ip-proto-17<br>
11:32:01.165862 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 784) 172.16.1.76.33612 > 27.61.179.244.isakmp: isakmp 2.0 msgid cookie ->: phase 1 I #34[]: [|#33]<br>11:32:03.293792 IP (tos 0x10, ttl 53, id 0, offset 0, flags [DF], proto UDP (17), length 468) 27.61.179.244.isakmp > 172.16.1.76.33612: isakmp 2.0 msgid cookie ->: phase 1 R #34[]: [|#33]<br>
11:32:03.294066 IP (tos 0xd0, ttl 64, id 42496, offset 0, flags [none], proto ICMP (1), length 496) 172.16.1.76 > <a href="http://27.61.179.244">27.61.179.244</a>: ICMP 172.16.1.76 udp port 33612 unreachable, length 476<br>
IP (tos 0x10, ttl 53, id 0, offset 0, flags [DF], proto UDP (17), length 468) 27.61.179.244.isakmp > 172.16.1.76.33612: [|isakmp][|icmp]<br></div><div><br><br><br></div><div>Can someone please help me with this?<br><br>
</div><div><br></div>--Regards<br></div> Sam<br></div>
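Added example, not part of the original post: a Python parser for verbose tcpdump lines like those in the capture above that groups IPv4 fragments by IP id and reports how each datagram was split on the wire. The sample lines are copied from the post; the function name `fragmented_datagrams` and the 20-byte IPv4 header length are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the tcpdump output in the post: the unfragmented
# IKE_SA_INIT request and the first transmission of the IKE_AUTH request.
CAPTURE = """\
11:31:42.945067 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 784) 172.16.1.76.33612 > 27.61.179.244.isakmp: isakmp 2.0 msgid cookie ->: phase 1 I #34[]: [|#33]
11:31:46.779479 IP (tos 0x0, ttl 64, id 42492, offset 0, flags [+], proto UDP (17), length 1500) 172.16.1.76.55860 > 27.61.179.244.4500: NONESP-encap: isakmp 2.0 msgid cookie ->: phase 2/others I #35[]: [|#46] (len mismatch: isakmp 3068/ip 1468)
11:31:46.779998 IP (tos 0x0, ttl 64, id 42492, offset 1480, flags [+], proto UDP (17), length 1500) 172.16.1.76 > 27.61.179.244: ip-proto-17
11:31:46.780395 IP (tos 0x0, ttl 64, id 42492, offset 2960, flags [none], proto UDP (17), length 140) 172.16.1.76 > 27.61.179.244: ip-proto-17
"""

# IPv4 header fields as printed by tcpdump -v; ports after the address are optional.
HDR = re.compile(
    r"IP \(.*?id (?P<id>\d+), offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto (?P<proto>\w+) \(\d+\), length (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\S* > (?P<dst>\d+\.\d+\.\d+\.\d+)")

def fragmented_datagrams(text, ip_header_len=20):
    """Group IPv4 fragments by (src, dst, proto, id). Return one record per
    datagram that was split: fragment count, size of the reassembled IP
    payload, and whether the final fragment (MF flag clear) was captured.
    Assumes IPv4 headers without options (20 bytes)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = HDR.search(line)
        if not m:
            continue
        more, off = "+" in m["flags"], int(m["off"])
        if not more and off == 0:
            continue  # whole datagram in one packet, nothing to report
        key = (m["src"], m["dst"], m["proto"], int(m["id"]))
        groups[key].append((off, int(m["len"]) - ip_header_len, more))
    report = []
    for (src, dst, proto, ip_id), frags in sorted(groups.items()):
        frags.sort()
        last_off, last_len, last_more = frags[-1]
        report.append({"src": src, "dst": dst, "proto": proto, "ip_id": ip_id,
                       "fragments": len(frags),
                       "payload_bytes": last_off + last_len,
                       "complete": not last_more})
    return report

if __name__ == "__main__":
    for rec in fragmented_datagrams(CAPTURE):
        print(rec)
```

On these lines it reports one UDP datagram of 3080 bytes (8-byte UDP header, 4-byte non-ESP marker and the 3068-byte IKE_AUTH message) carried in three IP fragments, while the 784-byte IKE_SA_INIT packet is not fragmented.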