<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
Back to <a moz-do-not-send="true"
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests">pro
forma</a>.<br>
<br>
It is clear that a substantial amount of the IKEv2 negotiation is
taking place, but a pivotal port 4500 packet being emitted by the
daemon:<br>
<font color="#000099">...<br>
Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to
172.56.42.76[49548] <br>
Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA
(unnamed)[3] <br>
Thu, 2018-03-22 09:51 12[MGR] <3> checkin of IKE_SA
successful<br>
<font color="#cc0000">Thu, 2018-03-22 09:51 04[NET] sending
packet: from 192.168.1.16[4500] to 172.56.42.76[49548]</font> <br>
Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting<br>
... <br>
</font><u>is not even reaching the IPSec gateway's eth0 interface</u>
-- given <br>
# tcpdump -i eth0 'port 4500'<br>
-- which should show port 4500 packets whether source or
destination. It never reaches its own interface, much less the LAN
gateway's interfaces, to be forwarded on to the phone.<br>
<font color="#000099"><br>
tcpdump -i eth0 'port 4500'<br>
verbose output suppressed, use -v or -vv for full protocol decode<br>
listening on eth0, link-type EN10MB (Ethernet), capture size
262144 bytes<br>
09:51:19.856709 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t:
NONESP-encap: isakmp: child_sa ikev2_auth[I]<br>
09:51:19.866511 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:19.868865 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:19.877097 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:19.892642 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:19.900879 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:19.907531 IP 172.56.42.76.49548 >
cygnus.darkmstter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:19.912761 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:21.859074 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:21.865476 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:21.871270 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:21.876364 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:21.892450 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:21.898712 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:21.903636 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:21.907806 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:24.661125 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:24.667805 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:24.675749 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:24.681522 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:24.705097 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:24.705549 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:24.718250 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:24.718301 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:28.577816 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:28.583546 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:28.589597 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:28.594677 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:28.600772 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:28.614748 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:28.618611 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:28.621593 IP 172.56.42.76.49548 >
cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa
ikev2_auth[I]<br>
09:51:38.119194 IP cygnus.darkmatter.org.ipsec-nat-t >
172.56.42.76.49548: isakmp-nat-keep-alive<br>
^C<br>
33 packets captured<br>
35 packets received by filter<br>
0 packets dropped by kernel<br>
</font><br>
-------------------------------------------------------------------------------------------------------<br>
No port 4500 packet hitting its own interface. Only a keep-alive.<br>
<br>
Since that port 4500 packet never makes it out the IPSec gateway's
interface, through the LAN gateway, and out to the phone, of course
the phone times out and tears down the circuit. And since the
daemon never gets a response to its 4500 out, it eventually tears
down its circuit too.<br>
<br>
Attached hereto: charon.log, Ss Android app log, iptables-save.
SELinux is Permissive.<br>
<br>
-------------------------------------------------------------------------------------------------------<br>
<u>strongswan.conf:</u><br>
charon {<br>
load_modular = yes<br>
plugins {<br>
include strongswan.d/charon/*.conf<br>
}<br>
}<br>
include strongswan.d/*.conf<br>
<br>
<br>
<u>charon.conf:</u><br>
charon {<br>
<br>
# two defined file loggers<br>
filelog {<br>
/var/log/charon.log {<br>
time_format = %a, %Y-%m-%d %R<br>
ike_name = yes<br>
append = no<br>
default = 2<br>
flush_line = yes<br>
}<br>
stderr {<br>
mgr = 0<br>
net = 1<br>
enc = 1<br>
asn = 1<br>
job = 1<br>
knl = 1<br>
}<br>
}<br>
<br>
<br>
<u>swanctl.conf:</u><br>
connections {<br>
ikev2-pubkey {<br>
version = 2<br>
rekey_time = 0s<br>
local {<br>
id = quantum-equities.com<br>
id = zeta.darkmtter.org<br>
}<br>
remote {<br>
# defaults are fine.<br>
}<br>
children {<br>
ikev2-pubkey {<br>
local_ts = 192.168.1.0/24<br>
mode = transport<br>
}<br>
}<br>
}<br>
}<br>
<br>
<br>
# swanctl -L<br>
ikev2-pubkey: IKEv2, no reauthentication, no rekeying<br>
local: %any<br>
remote: %any<br>
local unspecified authentication:<br>
id: zeta.darkmtter.org<br>
remote unspecified authentication:<br>
ikev2-pubkey: TRANSPORT, rekeying every 3600s<br>
local: 192.168.1.0/24<br>
remote: dynamic<br>
# swanctl -l<br>
#<br>
<br>
# ip route show table all<br>
default via 192.168.111.1 dev wlp3s0 proto static metric 600 <br>
192.168.1.0/24 dev wlp3s0 proto kernel scope link src 192.168.1.2
metric 600 <br>
broadcast 127.0.0.0 dev lo table local proto kernel scope link src
127.0.0.1 <br>
local 127.0.0.0/8 dev lo table local proto kernel scope host src
127.0.0.1 <br>
local 127.0.0.1 dev lo table local proto kernel scope host src
127.0.0.1 <br>
broadcast 127.255.255.255 dev lo table local proto kernel scope link
src 127.0.0.1 <br>
broadcast 192.168.1.0 dev wlp3s0 table local proto kernel scope link
src 192.168.1.2 <br>
local 192.168.1.2 dev wlp3s0 table local proto kernel scope host src
192.168.1.2 <br>
broadcast 192.168.1.255 dev wlp3s0 table local proto kernel scope
link src 192.168.1.2 <br>
unreachable ::/96 dev lo metric 1024 error -113 <br>
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113 <br>
unreachable 2002:a00::/24 dev lo metric 1024 error -113 <br>
unreachable 2002:7f00::/24 dev lo metric 1024 error -113 <br>
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113 <br>
unreachable 2002:ac10::/28 dev lo metric 1024 error -113 <br>
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113 <br>
unreachable 2002:e000::/19 dev lo metric 1024 error -113 <br>
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113 <br>
fe80::/64 dev wlp3s0 proto kernel metric 256 <br>
local ::1 dev lo table local proto kernel metric 0 <br>
local fe80::3602:86ff:fe43:de1f dev wlp3s0 table local proto kernel
metric 0 <br>
ff00::/8 dev wlp3s0 table local metric 256<br>
<br>
<br>
# ip address<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
UNKNOWN qlen 1000<br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
inet 127.0.0.1/8 scope host lo<br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host <br>
valid_lft forever preferred_lft forever<br>
2: enp0s25: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast state DOWN qlen 1000<br>
link/ether 54:ee:75:54:80:4a brd ff:ff:ff:ff:ff:ff<br>
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq
state UP qlen 1000<br>
link/ether 34:02:86:43:de:1f brd ff:ff:ff:ff:ff:ff<br>
inet 192.168.1.2/24 brd 192.168.1.255 scope global wlp3s0<br>
valid_lft forever preferred_lft forever<br>
inet6 fe80::3602:86ff:fe43:de1f/64 scope link <br>
valid_lft forever preferred_lft forever<br>
<br>
<br>
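Added example (not part of this report and not strongSwan's own code): a small Python script that cross-checks the packets charon logs as sent against a tcpdump capture of the same interface, so that a "logged as sent but never on the wire" gap like the one described above is found mechanically rather than by eye. It also tallies inbound versus outbound IKE/NAT-T packets. The sample lines are constructed from the output pasted above; the address given for cygnus.darkmatter.org is an assumption for the example only, since the post does not state it. One caveat worth checking before trusting a silent capture: the interface name given to tcpdump must be one that actually carries the daemon's source address (compare <code>ip -o link</code> and <code>ip address</code>), otherwise an empty capture proves nothing.<br>

```python
"""Cross-check what charon logs as sent against what tcpdump saw on the wire.

Added example for this help request; not strongSwan code. Two line formats
are assumed: charon's filelog with time_format "%a, %Y-%m-%d %R" and
tcpdump's default one-line IP summary (as pasted in the post). Names that
tcpdump resolves are mapped back to addresses through a caller-supplied
dictionary; running tcpdump with -n avoids that step altogether.
"""
import re
from collections import Counter

# charon: "sending packet: from A[p] to B[q]" and "sending keep alive to B[q]"
CHARON_SEND = re.compile(
    r"sending (packet|keep alive)(?:: from (\S+)\[(\d+)\])? to (\S+)\[(\d+)\]")
# tcpdump: "HH:MM:SS.uuuuuu IP src.sport > dst.dport: <description>"
TCPDUMP_IP = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP (\S+)\.(\S+) > (\S+)\.(\S+): (.*)$")
# service names tcpdump substitutes for the well-known IKE UDP ports
SERVICE_PORTS = {"isakmp": "500", "ipsec-nat-t": "4500"}


def charon_expectations(log_lines):
    """Events charon claims to have transmitted: (kind, src, sport, dst, dport).
    Keep-alive lines carry no source address, so src/sport are None there."""
    events = []
    for line in log_lines:
        m = CHARON_SEND.search(line)
        if not m:
            continue
        what, src, sport, dst, dport = m.groups()
        kind = "keepalive" if what == "keep alive" else "ike"
        events.append((kind, src, sport, dst, dport))
    return events


def capture_events(tcpdump_lines, name_to_ip=None):
    """Events actually seen on the wire, in the same tuple shape."""
    name_to_ip = name_to_ip or {}
    events = []
    for line in tcpdump_lines:
        m = TCPDUMP_IP.match(line.strip())
        if not m:
            continue  # tcpdump banner, summary counters, ^C
        src, sport, dst, dport, desc = m.groups()
        if "isakmp-nat-keep-alive" in desc:
            kind = "keepalive"
        elif "isakmp" in desc:
            kind = "ike"
        else:
            kind = "other"
        events.append((kind,
                       name_to_ip.get(src, src), SERVICE_PORTS.get(sport, sport),
                       name_to_ip.get(dst, dst), SERVICE_PORTS.get(dport, dport)))
    return events


def missing_on_wire(log_lines, tcpdump_lines, name_to_ip=None):
    """Return charon's transmissions that never showed up in the capture."""
    seen = Counter(capture_events(tcpdump_lines, name_to_ip))
    missing = []
    for kind, src, sport, dst, dport in charon_expectations(log_lines):
        if kind == "keepalive":
            # the log gives only the peer, so match keep-alives on destination
            hit = any(k == "keepalive" and d == dst and dp == dport
                      for (k, _, _, d, dp) in seen)
        else:
            hit = seen[(kind, src, sport, dst, dport)] > 0
        if not hit:
            missing.append((kind, src, sport, dst, dport))
    return missing


def direction_counts(tcpdump_lines, local_ips, name_to_ip=None):
    """How many captured IKE/NAT-T packets left the host versus arrived at it."""
    counts = Counter()
    for kind, src, _, dst, _ in capture_events(tcpdump_lines, name_to_ip):
        if kind == "other":
            continue
        if src in local_ips:
            counts["outbound"] += 1
        elif dst in local_ips:
            counts["inbound"] += 1
        else:
            counts["transit"] += 1
    return counts


# Sample input constructed from the lines pasted in the post.
CHARON_SAMPLE = """\
Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA (unnamed)[3]
Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.1.16[4500] to 172.56.42.76[49548]
Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting
""".splitlines()

TCPDUMP_SAMPLE = """\
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:51:19.856709 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:21.859074 IP 172.56.42.76.49548 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
09:51:38.119194 IP cygnus.darkmatter.org.ipsec-nat-t > 172.56.42.76.49548: isakmp-nat-keep-alive
33 packets captured
""".splitlines()

# Assumption for the example only: the post does not say which address
# cygnus.darkmatter.org resolves to; charon's log names 192.168.1.16 as its
# source, so that is used here.
NAME_TO_IP = {"cygnus.darkmatter.org": "192.168.1.16"}

if __name__ == "__main__":
    for ev in missing_on_wire(CHARON_SAMPLE, TCPDUMP_SAMPLE, NAME_TO_IP):
        print("logged as sent but absent from capture:", ev)
    print(dict(direction_counts(TCPDUMP_SAMPLE, {"192.168.1.16"}, NAME_TO_IP)))
```

On the sample above the script reports the IKE_AUTH response charon logged as sent from 192.168.1.16[4500] as missing from the capture, while the keep-alive is matched; the direction tally shows two inbound IKE packets and one outbound keep-alive. Feeding it a full charon.log and a <code>tcpdump -n -i &lt;iface&gt; 'udp port 500 or udp port 4500'</code> capture from the same window gives the same answer for an entire session.<br>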
</body>
</html>