[strongSwan] Can't connect to port 4500 with Brighthouse cable hotspot

Noel Kuntze noel at familie-kuntze.de
Thu Dec 25 20:43:30 CET 2014


Hello Jay,

There is currently no way to change the source or destination port.
It seems like Brighthouse is brain dead and only blocks port 4500, but not 500.
Weird people.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 25.12.2014 at 16:58, Jay Claybaugh wrote:
> I'm unable to establish a connection between my android cellphone
> strongswan app and my openwrt server when the android app is using a
> Brighthouse wireless hotspot.  The connection works fine using other
> wireless networks such as my home, work, Lowes, and Starbucks. From the
> logs, it appears the server never receives the traffic on port 4500.  I'm
> not sure if this is because Brighthouse blocks this port or if it is
> something about their network NAT.
>
> In case they are blocking port 4500, I was going to try changing the port
> but I didn't see anything in the android client app to change this.  Is
> this possible?
>
> Android Strongswan: 1.4.5 (based on 5.2.1)
> OpenWrt Strongswan: 5.2.1
>
> [Client Log]
> Nov 29 08:24:12 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1,
> Linux 3.4.104-cyanogenmod-g2f8a2ec, armv7l)
> Nov 29 08:24:12 00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN
> capability
> Nov 29 08:24:12 00[LIB] loaded plugins: androidbridge charon android-log
> openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-
> default kernel-netlink eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
> Nov 29 08:24:12 00[LIB] unable to load 9 plugin features (9 due to unmet
> dependencies)
> Nov 29 08:24:12 00[JOB] spawning 16 worker threads
> Nov 29 08:24:12 07[CFG] loaded user certificate 'C=US, ST=FL, O=Claybaugh,
> CN=Home' and private key
> Nov 29 08:24:12 07[CFG] loaded CA certificate 'C=US, ST=FL, O=Claybaugh,
> CN=Home'
> Nov 29 08:24:12 07[IKE] initiating IKE_SA android[1] to my.server
> Nov 29 08:24:12 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N
> (NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Nov 29 08:24:12 07[NET] sending packet: from 10.235.225.57[43444] to
> my.server[500] (996 bytes)
> Nov 29 08:24:13 14[NET] received packet: from my.server[500] to
> 10.235.225.57[43444] (465 bytes)
> Nov 29 08:24:13 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N
> (NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Nov 29 08:24:13 14[IKE] local host is behind NAT, sending keep alives
> Nov 29 08:24:13 14[IKE] received cert request for "C=US, ST=FL,
> O=Claybaugh, CN=Home"
> Nov 29 08:24:13 14[IKE] sending cert request for "C=US, ST=FL, O=Claybaugh,
> CN=Home"
> Nov 29 08:24:13 14[IKE] authentication of 'C=US, ST=FL, O=Claybaugh,
> CN=Home' (myself) with RSA signature successful
> Nov 29 08:24:13 14[IKE] sending end entity cert "C=US, ST=FL, O=Claybaugh,
> CN=Home"
> Nov 29 08:24:14 14[IKE] establishing CHILD_SA android
> Nov 29 08:24:14 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N
> (INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA
> TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> Nov 29 08:24:14 14[NET] sending packet: from 10.235.225.57[56813] to
> my.server[4500] (1772 bytes)
> Nov 29 08:24:16 16[IKE] retransmit 1 of request with message ID 1
> Nov 29 08:24:16 16[NET] sending packet: from 10.235.225.57[56813] to
> my.server[4500] (1772 bytes)
> Nov 29 08:24:18 15[IKE] retransmit 2 of request with message ID 1
> Nov 29 08:24:18 15[NET] sending packet: from 10.235.225.57[56813] to
> my.server[4500] (1772 bytes)
> Nov 29 08:24:22 03[IKE] retransmit 3 of request with message ID 1
> Nov 29 08:24:22 03[NET] sending packet: from 10.235.225.57[56813] to
> my.server[4500] (1772 bytes)
> Nov 29 08:24:28 01[IKE] giving up after 3 retransmits
> Nov 29 08:24:28 01[IKE] peer not responding, trying again (2/0)
> Nov 29 08:24:28 01[IKE] initiating IKE_SA android[1] to my.server
> Nov 29 08:24:28 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N
> (NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> Nov 29 08:24:28 01[NET] sending packet: from 10.235.225.57[43444] to
> my.server[500] (996 bytes)
> Nov 29 08:24:28 10[IKE] destroying IKE_SA in state CONNECTING without
> notification
>
>
> [Server log]
> Sat Nov 29 13:24:13 2014 daemon.info syslog: 16[NET] received packet: from
> 71.46.56.125[59535] to my.server[500] (996 bytes)
> Sat Nov 29 13:24:13 2014 daemon.info syslog: 16[ENC] parsed IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
> Sat Nov 29 13:24:13 2014 daemon.info syslog: 16[IKE] 71.46.56.125 is
> initiating an IKE_SA
> Sat Nov 29 13:24:13 2014 authpriv.info syslog: 16[IKE] 71.46.56.125 is
> initiating an IKE_SA
> Sat Nov 29 13:24:14 2014 daemon.info syslog: 16[IKE] remote host is behind
> NAT
> Sat Nov 29 13:24:14 2014 daemon.info syslog: 16[IKE] sending cert request
> for "C=US, ST=FL, O=Claybaugh, CN=Home"
> Sat Nov 29 13:24:14 2014 daemon.info syslog: 16[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Sat Nov 29 13:24:14 2014 daemon.info syslog: 16[NET] sending packet: from
> my.server[500] to 71.46.56.125[59535] (465 bytes)
> Sat Nov 29 13:24:29 2014 daemon.info syslog: 09[NET] received packet: from
> 71.46.56.125[59535] to my.server[500] (996 bytes)
> Sat Nov 29 13:24:29 2014 daemon.info syslog: 09[ENC] parsed IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
> Sat Nov 29 13:24:29 2014 daemon.info syslog: 09[IKE] 71.46.56.125 is
> initiating an IKE_SA
> Sat Nov 29 13:24:29 2014 authpriv.info syslog: 09[IKE] 71.46.56.125 is
> initiating an IKE_SA
> Sat Nov 29 13:24:30 2014 daemon.info syslog: 09[IKE] remote host is behind
> NAT
> Sat Nov 29 13:24:30 2014 daemon.info syslog: 09[IKE] sending cert request
> for "C=US, ST=FL, O=Claybaugh, CN=Home"
> Sat Nov 29 13:24:30 2014 daemon.info syslog: 09[ENC] generating IKE_SA_INIT
> response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Sat Nov 29 13:24:30 2014 daemon.info syslog: 09[NET] sending packet: from
> my.server[500] to 71.46.56.125[59535] (465 bytes)
> Sat Nov 29 13:24:44 2014 daemon.info syslog: 12[JOB] deleting half open
> IKE_SA after timeout
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
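The diagnosis Jay reached by reading his client log can be automated. The script below is an added example, not part of the thread and not strongSwan's own tooling: it parses charon's `[NET] sending/received packet` lines, counts packets per remote UDP port, and tells UDP/500 being answered apart from UDP/4500 going silent after NAT detection. The sample input is the client log quoted above with the mail client's line wrapping undone; the line format the regex assumes is taken from those quoted lines.

```python
import re
from collections import defaultdict

# Format of charon's [NET] lines as they appear in the quoted client log, e.g.
#   Nov 29 08:24:12 07[NET] sending packet: from 10.235.225.57[43444] to my.server[500] (996 bytes)
NET_RE = re.compile(
    r"\[NET\] (?P<dir>sending|received) packet: "
    r"from (?P<src>[^\s\[]+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>[^\s\[]+)\[(?P<dport>\d+)\] \((?P<size>\d+) bytes\)"
)
RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request")

# Sample input: the client log quoted in the thread, re-joined so that each
# charon message is one line (the mail client had wrapped them).
SAMPLE_CLIENT_LOG = """\
Nov 29 08:24:12 07[IKE] initiating IKE_SA android[1] to my.server
Nov 29 08:24:12 07[NET] sending packet: from 10.235.225.57[43444] to my.server[500] (996 bytes)
Nov 29 08:24:13 14[NET] received packet: from my.server[500] to 10.235.225.57[43444] (465 bytes)
Nov 29 08:24:13 14[IKE] local host is behind NAT, sending keep alives
Nov 29 08:24:14 14[IKE] establishing CHILD_SA android
Nov 29 08:24:14 14[NET] sending packet: from 10.235.225.57[56813] to my.server[4500] (1772 bytes)
Nov 29 08:24:16 16[IKE] retransmit 1 of request with message ID 1
Nov 29 08:24:16 16[NET] sending packet: from 10.235.225.57[56813] to my.server[4500] (1772 bytes)
Nov 29 08:24:18 15[IKE] retransmit 2 of request with message ID 1
Nov 29 08:24:18 15[NET] sending packet: from 10.235.225.57[56813] to my.server[4500] (1772 bytes)
Nov 29 08:24:22 03[IKE] retransmit 3 of request with message ID 1
Nov 29 08:24:22 03[NET] sending packet: from 10.235.225.57[56813] to my.server[4500] (1772 bytes)
Nov 29 08:24:28 01[IKE] giving up after 3 retransmits
Nov 29 08:24:28 01[IKE] peer not responding, trying again (2/0)
Nov 29 08:24:28 01[NET] sending packet: from 10.235.225.57[43444] to my.server[500] (996 bytes)
Nov 29 08:24:28 10[IKE] destroying IKE_SA in state CONNECTING without notification
""".splitlines()


def port_summary(lines):
    """Count packets sent to, and received from, each remote UDP port.

    Returns {remote_port: {"sent": n, "received": n}}.  For a sent packet the
    remote port is the destination port; for a received one it is the source.
    """
    summary = defaultdict(lambda: {"sent": 0, "received": 0})
    for line in lines:
        m = NET_RE.search(line)
        if not m:
            continue
        if m["dir"] == "sending":
            summary[int(m["dport"])]["sent"] += 1
        else:
            summary[int(m["sport"])]["received"] += 1
    return dict(summary)


def diagnose(lines):
    """Explain a failed IKEv2 setup from the client-side charon log.

    Returns the per-port counts, whether charon detected NAT, how many
    retransmits it logged, which remote ports never answered, and a verdict.
    """
    ports = port_summary(lines)
    nat_detected = any("is behind NAT" in line for line in lines)
    retransmits = sum(1 for line in lines if RETRANSMIT_RE.search(line))
    unanswered = sorted(p for p, c in ports.items() if c["sent"] and not c["received"])
    answered_500 = ports.get(500, {}).get("received", 0) > 0

    if nat_detected and answered_500 and 4500 in unanswered:
        verdict = ("IKE_SA_INIT on UDP/500 was answered, but after NAT detection "
                   "charon moved to UDP/4500 (NAT-T) and no reply ever came back: "
                   "UDP/4500 is most likely filtered on the path to the server")
    elif 500 in unanswered:
        verdict = "nothing answered on UDP/500: IKE is filtered entirely or the peer is down"
    elif unanswered:
        verdict = "no reply on UDP/" + ", ".join(str(p) for p in unanswered)
    else:
        verdict = "every IKE port that was used got replies; look beyond port filtering"

    return {
        "ports": ports,
        "nat_detected": nat_detected,
        "retransmits": retransmits,
        "unanswered_ports": unanswered,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_CLIENT_LOG)
    for port, counts in sorted(report["ports"].items()):
        print(f"UDP/{port}: sent {counts['sent']}, received {counts['received']}")
    print("NAT detected:", report["nat_detected"], "| retransmits:", report["retransmits"])
    print("verdict:", report["verdict"])
```

Run it on a saved client log (`python3 ike_ports.py`, after replacing `SAMPLE_CLIENT_LOG` with the file's lines) and the two counters answer the question in the thread directly: a NAT that merely rewrites ports would still let replies through, so zero replies on UDP/4500 while UDP/500 is answered points at filtering, not at address translation. The client log alone cannot say on which side of the NAT the packets disappear; the server log quoted above, which shows the IKE_SA_INIT requests on port 500 but never a packet on 4500, is the confirming second view.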
