[strongSwan] Can't connect to port 4500 with Brighthouse cable hotspot

Jay Claybaugh gambit990 at gmail.com
Thu Dec 25 16:58:59 CET 2014


I'm unable to establish a connection between my Android cellphone 
strongSwan app and my OpenWrt server when the Android app is using a 
Brighthouse wireless hotspot.  The connection works fine using other 
wireless networks such as my home, work, Lowes, and Starbucks. From the 
logs, it appears the server never receives the traffic on port 4500.  I'm 
not sure if this is because Brighthouse blocks this port or if it is 
something about their network NAT.

In case they are blocking port 4500, I was going to try changing the port 
but I didn't see anything in the android client app to change this.  Is 
this possible?

Android Strongswan: 1.4.5 (based on 5.2.1)
OpenWrt Strongswan: 5.2.1

[Client Log]
Nov 29 08:24:12 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, 
Linux 3.4.104-cyanogenmod-g2f8a2ec, armv7l)
Nov 29 08:24:12 00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN 
capability
Nov 29 08:24:12 00[LIB] loaded plugins: androidbridge charon android-log 
openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-
default kernel-netlink eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Nov 29 08:24:12 00[LIB] unable to load 9 plugin features (9 due to unmet 
dependencies)
Nov 29 08:24:12 00[JOB] spawning 16 worker threads
Nov 29 08:24:12 07[CFG] loaded user certificate 'C=US, ST=FL, O=Claybaugh, 
CN=Home' and private key
Nov 29 08:24:12 07[CFG] loaded CA certificate 'C=US, ST=FL, O=Claybaugh, 
CN=Home'
Nov 29 08:24:12 07[IKE] initiating IKE_SA android[1] to my.server
Nov 29 08:24:12 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N
(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 29 08:24:12 07[NET] sending packet: from 10.235.225.57[43444] to 
my.server[500] (996 bytes)
Nov 29 08:24:13 14[NET] received packet: from my.server[500] to 
10.235.225.57[43444] (465 bytes)
Nov 29 08:24:13 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N
(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 29 08:24:13 14[IKE] local host is behind NAT, sending keep alives
Nov 29 08:24:13 14[IKE] received cert request for "C=US, ST=FL, 
O=Claybaugh, CN=Home"
Nov 29 08:24:13 14[IKE] sending cert request for "C=US, ST=FL, O=Claybaugh, 
CN=Home"
Nov 29 08:24:13 14[IKE] authentication of 'C=US, ST=FL, O=Claybaugh, 
CN=Home' (myself) with RSA signature successful
Nov 29 08:24:13 14[IKE] sending end entity cert "C=US, ST=FL, O=Claybaugh, 
CN=Home"
Nov 29 08:24:14 14[IKE] establishing CHILD_SA android
Nov 29 08:24:14 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N
(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA 
TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 29 08:24:14 14[NET] sending packet: from 10.235.225.57[56813] to 
my.server[4500] (1772 bytes)
Nov 29 08:24:16 16[IKE] retransmit 1 of request with message ID 1
Nov 29 08:24:16 16[NET] sending packet: from 10.235.225.57[56813] to 
my.server[4500] (1772 bytes)
Nov 29 08:24:18 15[IKE] retransmit 2 of request with message ID 1
Nov 29 08:24:18 15[NET] sending packet: from 10.235.225.57[56813] to 
my.server[4500] (1772 bytes)
Nov 29 08:24:22 03[IKE] retransmit 3 of request with message ID 1
Nov 29 08:24:22 03[NET] sending packet: from 10.235.225.57[56813] to 
my.server[4500] (1772 bytes)
Nov 29 08:24:28 01[IKE] giving up after 3 retransmits
Nov 29 08:24:28 01[IKE] peer not responding, trying again (2/0)
Nov 29 08:24:28 01[IKE] initiating IKE_SA android[1] to my.server
Nov 29 08:24:28 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N
(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 29 08:24:28 01[NET] sending packet: from 10.235.225.57[43444] to 
my.server[500] (996 bytes)
Nov 29 08:24:28 10[IKE] destroying IKE_SA in state CONNECTING without 
notification


[Server log]
Sat Nov 29 13:24:13 2014 daemon.info syslog: 16[NET] received packet: from 
71.46.56.125[59535] to my.server[500] (996 bytes)
Sat Nov 29 13:24:13 2014 daemon.info syslog: 16[ENC] parsed IKE_SA_INIT 
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Sat Nov 29 13:24:13 2014 daemon.info syslog: 16[IKE] 71.46.56.125 is 
initiating an IKE_SA
Sat Nov 29 13:24:13 2014 authpriv.info syslog: 16[IKE] 71.46.56.125 is 
initiating an IKE_SA
Sat Nov 29 13:24:14 2014 daemon.info syslog: 16[IKE] remote host is behind 
NAT
Sat Nov 29 13:24:14 2014 daemon.info syslog: 16[IKE] sending cert request 
for "C=US, ST=FL, O=Claybaugh, CN=Home"
Sat Nov 29 13:24:14 2014 daemon.info syslog: 16[ENC] generating IKE_SA_INIT 
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sat Nov 29 13:24:14 2014 daemon.info syslog: 16[NET] sending packet: from 
my.server[500] to 71.46.56.125[59535] (465 bytes)
Sat Nov 29 13:24:29 2014 daemon.info syslog: 09[NET] received packet: from 
71.46.56.125[59535] to my.server[500] (996 bytes)
Sat Nov 29 13:24:29 2014 daemon.info syslog: 09[ENC] parsed IKE_SA_INIT 
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Sat Nov 29 13:24:29 2014 daemon.info syslog: 09[IKE] 71.46.56.125 is 
initiating an IKE_SA
Sat Nov 29 13:24:29 2014 authpriv.info syslog: 09[IKE] 71.46.56.125 is 
initiating an IKE_SA
Sat Nov 29 13:24:30 2014 daemon.info syslog: 09[IKE] remote host is behind 
NAT
Sat Nov 29 13:24:30 2014 daemon.info syslog: 09[IKE] sending cert request 
for "C=US, ST=FL, O=Claybaugh, CN=Home"
Sat Nov 29 13:24:30 2014 daemon.info syslog: 09[ENC] generating IKE_SA_INIT 
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sat Nov 29 13:24:30 2014 daemon.info syslog: 09[NET] sending packet: from 
my.server[500] to 71.46.56.125[59535] (465 bytes)
Sat Nov 29 13:24:44 2014 daemon.info syslog: 12[JOB] deleting half open 
IKE_SA after timeout
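
What the two logs show, and a script to classify it. In IKEv2 both peers put
NAT_DETECTION_SOURCE_IP/NAT_DETECTION_DESTINATION_IP notifies into IKE_SA_INIT
(the N(NATD_S_IP) N(NATD_D_IP) payloads above); once either side detects a NAT,
the initiator sends everything from IKE_AUTH onwards from a new socket to UDP
4500 (RFC 7296, section 2.23). That is exactly the pattern here: IKE_SA_INIT on
port 500 is answered, the IKE_AUTH request to port 4500 is retransmitted and
never answered, and the server never logs a packet on 4500 at all before it
drops the half-open SA. From the client log alone a filtered port and a NAT
that mishandles the second UDP flow look identical; the server log is what
confirms the 4500 packets never arrive. The Python script below is an added
example, not strongSwan code and not from the poster: it unwraps charon log
lines folded by the mail archive, counts packets per IKE port from either
side's perspective, and returns a verdict. The embedded log excerpts are
constructed, modeled on the ones above, and the verdict strings are labels
chosen for this example.

```python
"""Classify a stalled strongSwan IKEv2 handshake from charon log lines.

Added example, not strongSwan code. Reads charon [NET]/[IKE]/[JOB] lines from
either peer, unwraps lines folded by a mail archive, and reports whether the
stall is on UDP/500 or on UDP/4500 (the port IKEv2 moves to after NAT
detection). The sample logs below are constructed, modeled on the post.
"""
import re
from collections import defaultdict

IKE_PORTS = (500, 4500)
RECORD_START = re.compile(r"\d\d\[[A-Z]{3}\]")   # "07[NET]": thread id + subsystem
PACKET = re.compile(
    r"\[NET\] (?P<dir>sending|received) packet: from \S+\[(?P<sport>\d+)\] "
    r"to \S+\[(?P<dport>\d+)\] \((?P<size>\d+) bytes\)"
)
NAT_SEEN = re.compile(r"\[IKE\] (local|remote) host is behind NAT")
GAVE_UP = re.compile(r"\[IKE\] giving up after \d+ retransmits")
HALF_OPEN = re.compile(r"\[JOB\] deleting half open IKE_SA after timeout")

# Constructed client-side excerpt, folded at ~78 columns like the archive.
CLIENT_LOG = """\
Nov 29 08:24:12 07[NET] sending packet: from 10.235.225.57[43444] to 
my.server[500] (996 bytes)
Nov 29 08:24:13 14[NET] received packet: from my.server[500] to 
10.235.225.57[43444] (465 bytes)
Nov 29 08:24:13 14[IKE] local host is behind NAT, sending keep alives
Nov 29 08:24:14 14[NET] sending packet: from 10.235.225.57[56813] to 
my.server[4500] (1772 bytes)
Nov 29 08:24:16 16[IKE] retransmit 1 of request with message ID 1
Nov 29 08:24:16 16[NET] sending packet: from 10.235.225.57[56813] to 
my.server[4500] (1772 bytes)
Nov 29 08:24:18 15[IKE] retransmit 2 of request with message ID 1
Nov 29 08:24:18 15[NET] sending packet: from 10.235.225.57[56813] to 
my.server[4500] (1772 bytes)
Nov 29 08:24:28 01[IKE] giving up after 3 retransmits
"""

# Constructed responder-side excerpt (OpenWrt syslog prefix), one round.
SERVER_LOG = """\
Sat Nov 29 13:24:13 2014 daemon.info syslog: 16[NET] received packet: from 
71.46.56.125[59535] to my.server[500] (996 bytes)
Sat Nov 29 13:24:14 2014 daemon.info syslog: 16[IKE] remote host is behind 
NAT
Sat Nov 29 13:24:14 2014 daemon.info syslog: 16[NET] sending packet: from 
my.server[500] to 71.46.56.125[59535] (465 bytes)
Sat Nov 29 13:24:44 2014 daemon.info syslog: 12[JOB] deleting half open 
IKE_SA after timeout
"""

# Constructed healthy handshake for contrast: IKE_AUTH on 4500 is answered.
HEALTHY_LOG = """\
Nov 29 09:00:00 07[NET] sending packet: from 10.0.0.2[43444] to my.server[500] (996 bytes)
Nov 29 09:00:00 14[NET] received packet: from my.server[500] to 10.0.0.2[43444] (465 bytes)
Nov 29 09:00:00 14[IKE] local host is behind NAT, sending keep alives
Nov 29 09:00:01 14[NET] sending packet: from 10.0.0.2[56813] to my.server[4500] (1772 bytes)
Nov 29 09:00:01 14[NET] received packet: from my.server[4500] to 10.0.0.2[56813] (1200 bytes)
"""


def unwrap(text):
    """Join folded lines: a record starts where an 'NN[XXX]' tag appears; any
    other non-empty line is the tail of the previous record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.search(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] = records[-1] + " " + line.strip()
    return records


def ike_port(sport, dport):
    """The IKE-side port of a packet: 500/4500 on whichever end is not NATed."""
    return dport if dport in IKE_PORTS else sport


def summarize(records):
    """Per IKE port, count packets sent/received; flag NAT detection, the
    initiator giving up, and the responder's half-open timeout."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    flags = {"nat": False, "gave_up": False, "half_open": False}
    for rec in records:
        m = PACKET.search(rec)
        if m:
            port = ike_port(int(m["sport"]), int(m["dport"]))
            stats[port]["sent" if m["dir"] == "sending" else "received"] += 1
        elif NAT_SEEN.search(rec):
            flags["nat"] = True
        elif GAVE_UP.search(rec):
            flags["gave_up"] = True
        elif HALF_OPEN.search(rec):
            flags["half_open"] = True
    return dict(stats), flags


def diagnose(text):
    """Return a verdict label for one peer's charon log."""
    stats, f = summarize(unwrap(text))
    p500 = stats.get(500, {"sent": 0, "received": 0})
    p4500 = stats.get(4500, {"sent": 0, "received": 0})
    if p500["sent"] and not p500["received"]:
        return "udp500-unreachable"           # IKE_SA_INIT itself never answered
    if f["nat"] and p4500["sent"] and not p4500["received"] and f["gave_up"]:
        return "udp4500-no-reply"             # initiator: IKE_AUTH on 4500 unanswered
    if f["nat"] and 4500 not in stats and f["half_open"]:
        return "udp4500-never-arrived"        # responder: nothing ever reached 4500
    if p4500["sent"] and p4500["received"]:
        return "udp4500-ok"
    return "inconclusive"


if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG),
                      ("healthy client", HEALTHY_LOG)):
        print(f"{name}: {diagnose(log)}")
```

Run it as-is to see the three verdicts, or paste your own charon output into
the string constants. It keys each packet on whichever of its two ports is 500
or 4500, so the same code reads the responder's view, where the client's source
port is the NATed ephemeral port (59535 above). A "udp4500-no-reply" on the
client paired with "udp4500-never-arrived" on the server is the signature of
a path that passes UDP/500 but not UDP/4500, whether that is a filter or a NAT
that fails the second flow.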