[strongSwan] [StrongSwan] IKE_AUTH packet not reaching the VPN gateway
Ccf Cloud
ccfcloud at gmail.com
Fri Jan 3 07:32:27 CET 2014
Hi,
I'm seeing this issue when I try to connect to my VPN gateway (Linux box)
with some public IP. I see that IKE_SA_INIT messages are exchanged
successfully between my Android device and my VPN gateway. However, the
next message, IKE_AUTH, never reaches the gateway. The tcp dump logs from
my Android device show that the IKE_AUTH messages are being sent from the
Android device.
I've enabled port forwarding for UDP port 500 and 4500 in my Wi-Fi router
but still do not see any improvements. Also, the net-filter logs at other
end as well does not show any packet drops.
logcat output form Android device:
01-03 11:31:42.807 I/charon ( 4893): 11[IKE] initiating IKE_SA android[3]
to 27.61.179.244
01-03 11:31:42.940 I/charon ( 4893): 11[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
01-03 11:31:42.940 I/charon ( 4893): 11[NET] sending packet: from
172.16.1.76[33612] to 27.61.179.244[500] (756 bytes)
01-03 11:31:44.940 I/charon ( 4893): 14[IKE] retransmit 1 of request with
message ID 0
01-03 11:31:44.940 I/charon ( 4893): 14[NET] sending packet: from
172.16.1.76[33612] to 27.61.179.244[500] (756 bytes)
01-03 11:31:46.260 I/charon ( 4893): 15[NET] received packet: from
27.61.179.244[500] to 172.16.1.76[33612] (440 bytes)
01-03 11:31:46.268 I/charon ( 4893): 15[ENC] parsed IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
01-03 11:31:46.424 I/charon ( 4893): 15[IKE] local host is behind NAT,
sending keep alives
01-03 11:31:46.768 I/charon ( 4893): 15[IKE] establishing CHILD_SA android
01-03 11:31:46.768 I/charon ( 4893): 15[ENC] generating IKE_AUTH request 1
[ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS DNS6) N(ESP_TFC_PAD_N) SA TSi
TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
01-03 11:31:46.776 I/charon ( 4893): 15[NET] sending packet: from
172.16.1.76[55860] to 27.61.179.244[4500] (3068 bytes)
01-03 11:31:47.198 I/charon ( 4893): 16[NET] received packet: from
27.61.179.244[500] to 172.16.1.76[33612] (440 bytes)
01-03 11:31:47.206 I/charon ( 4893): 16[ENC] parsed IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
01-03 11:31:47.206 I/charon ( 4893): 16[IKE] received message ID 0,
expected 1. Ignored
01-03 11:31:48.776 I/charon ( 4893): 02[IKE] retransmit 1 of request with
message ID 1
01-03 11:31:48.776 I/charon ( 4893): 02[NET] sending packet: from
172.16.1.76[55860] to 27.61.179.244[4500] (3068 bytes)
01-03 11:31:51.573 I/charon ( 4893): 01[IKE] retransmit 2 of request with
message ID 1
01-03 11:31:51.581 I/charon ( 4893): 01[NET] sending packet: from
172.16.1.76[55860] to 27.61.179.244[4500] (3068 bytes)
01-03 11:31:55.495 I/charon ( 4893): 12[IKE] retransmit 3 of request with
message ID 1
01-03 11:31:55.502 I/charon ( 4893): 12[NET] sending packet: from
172.16.1.76[55860] to 27.61.179.244[4500] (3068 bytes)
01-03 11:32:00.987 I/charon ( 4893): 13[IKE] giving up after 3 retransmits
01-03 11:32:00.987 ( 4893): SetErrorDisconnect
01-03 11:32:00.987 ( 4893): setErrorDisconnect: UNREACHABLE
01-03 11:32:00.987 ( 4893): disconnect()
01-03 11:32:00.995 I/charon ( 4893): 13[IKE] peer not responding, trying
again (2/0)
01-03 11:32:00.995 I/charon ( 4893): 13[IKE] initiating IKE_SA android[3]
to 27.61.179.244
Tcpdump logs from the android device:
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 96
bytes
11:31:42.945067 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP
(17), length 784) 172.16.1.76.33612 > 27.61.179.244.isakmp: isakmp 2.0
msgid cookie ->: phase 1 I #34[]: [|#33]
11:31:42.945708 IP (tos 0x0, ttl 64, id 48303, offset 0, flags [DF], proto
UDP (17), length 70) 172.16.1.76.61526 >
google-public-dns-a.google.com.domain: [udp sum ok] 44430+ PTR?
76.1.16.172.in-addr.arpa. (42)
11:31:43.080718 IP (tos 0x0, ttl 43, id 28320, offset 0, flags [none],
proto UDP (17), length 70) google-public-dns-a.google.com.domain >
172.16.1.76.61526: [udp sum ok] 44430 NXDomain q: PTR?
76.1.16.172.in-addr.arpa. 0/0/0 (42)
11:31:43.081878 IP (tos 0x0, ttl 64, id 48320, offset 0, flags [DF], proto
UDP (17), length 72) 172.16.1.76.50551 >
google-public-dns-a.google.com.domain: [udp sum ok] 32715+ PTR?
244.179.61.27.in-addr.arpa. (44)
11:31:43.175078 IP (tos 0x0, ttl 43, id 54802, offset 0, flags [none],
proto UDP (17), length 161) google-public-dns-a.google.com.domain >
172.16.1.76.50551: 32715 NXDomain q: PTR? 244.179.61.27.in-addr.arpa. 0/1/0
ns: 27.in-addr.arpa. (133)
11:31:43.176635 IP (tos 0x0, ttl 64, id 48332, offset 0, flags [DF], proto
UDP (17), length 66) 172.16.1.76.59663 >
google-public-dns-a.google.com.domain: [udp sum ok] 16386+ PTR?
8.8.8.8.in-addr.arpa. (38)
11:31:43.265655 IP (tos 0x0, ttl 43, id 778, offset 0, flags [none], proto
UDP (17), length 110) google-public-dns-a.google.com.domain >
172.16.1.76.59663: 16386 q: PTR? 8.8.8.8.in-addr.arpa. 1/0/0
8.8.8.8.in-addr.arpa. PTR[|domain]
11:31:44.948638 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP
(17), length 784) 172.16.1.76.33612 > 27.61.179.244.isakmp: isakmp 2.0
msgid cookie ->: phase 1 I #34[]: [|#33]
11:31:46.265807 IP (tos 0x10, ttl 53, id 0, offset 0, flags [DF], proto UDP
(17), length 468) 27.61.179.244.isakmp > 172.16.1.76.33612: isakmp 2.0
msgid cookie ->: phase 1 R #34[]: [|#33]
11:31:46.779479 IP (tos 0x0, ttl 64, id 42492, offset 0, flags [+], proto
UDP (17), length 1500) 172.16.1.76.55860 > 27.61.179.244.4500:
NONESP-encap: isakmp 2.0 msgid cookie ->: phase 2/others I #35[]: [|#46]
(len mismatch: isakmp 3068/ip 1468)
protoent* getprotobynumber(int)(3) is not implemented on Android
11:31:46.779998 IP (tos 0x0, ttl 64, id 42492, offset 1480, flags [+],
proto UDP (17), length 1500) 172.16.1.76 > 27.61.179.244: ip-proto-17
protoent* getprotobynumber(int)(3) is not implemented on Android
11:31:46.780395 IP (tos 0x0, ttl 64, id 42492, offset 2960, flags [none],
proto UDP (17), length 140) 172.16.1.76 > 27.61.179.244: ip-proto-17
11:31:47.204681 IP (tos 0x10, ttl 53, id 0, offset 0, flags [DF], proto UDP
(17), length 468) 27.61.179.244.isakmp > 172.16.1.76.33612: isakmp 2.0
msgid cookie ->: phase 1 R #34[]: [|#33]
11:31:47.950622 arp who-has 172.16.1.1 tell 172.16.1.76
11:31:47.951507 IP (tos 0x0, ttl 64, id 48944, offset 0, flags [DF], proto
UDP (17), length 69) 172.16.1.76.17358 >
google-public-dns-a.google.com.domain: [udp sum ok] 18140+ PTR?
1.1.16.172.in-addr.arpa. (41)
11:31:47.974547 arp reply 172.16.1.1 is-at 10:6f:3f:29:01:f0 (oui Unknown)
11:31:48.048278 IP (tos 0x0, ttl 43, id 43054, offset 0, flags [none],
proto UDP (17), length 69) google-public-dns-a.google.com.domain >
172.16.1.76.17358: [udp sum ok] 18140 NXDomain q: PTR?
1.1.16.172.in-addr.arpa. 0/0/0 (41)
11:31:48.782622 IP (tos 0x0, ttl 64, id 42493, offset 0, flags [+], proto
UDP (17), length 1500) 172.16.1.76.55860 > 27.61.179.244.4500:
NONESP-encap: isakmp 2.0 msgid cookie ->: phase 2/others I #35[]: [|#46]
(len mismatch: isakmp 3068/ip 1468)
protoent* getprotobynumber(int)(3) is not implemented on Android
11:31:48.784759 IP (tos 0x0, ttl 64, id 42493, offset 1480, flags [+],
proto UDP (17), length 1500) 172.16.1.76 > 27.61.179.244: ip-proto-17
protoent* getprotobynumber(int)(3) is not implemented on Android
11:31:48.785552 IP (tos 0x0, ttl 64, id 42493, offset 2960, flags [none],
proto UDP (17), length 140) 172.16.1.76 > 27.61.179.244: ip-proto-17
11:31:51.586364 IP (tos 0x0, ttl 64, id 42494, offset 0, flags [+], proto
UDP (17), length 1500) 172.16.1.76.55860 > 27.61.179.244.4500:
NONESP-encap: isakmp 2.0 msgid cookie ->: phase 2/others I #35[]: [|#46]
(len mismatch: isakmp 3068/ip 1468)
protoent* getprotobynumber(int)(3) is not implemented on Android
11:31:51.587188 IP (tos 0x0, ttl 64, id 42494, offset 1480, flags [+],
proto UDP (17), length 1500) 172.16.1.76 > 27.61.179.244: ip-proto-17
protoent* getprotobynumber(int)(3) is not implemented on Android
11:31:51.588378 IP (tos 0x0, ttl 64, id 42494, offset 2960, flags [none],
proto UDP (17), length 140) 172.16.1.76 > 27.61.179.244: ip-proto-17
11:31:55.508330 IP (tos 0x0, ttl 64, id 42495, offset 0, flags [+], proto
UDP (17), length 1500) 172.16.1.76.55860 > 27.61.179.244.4500:
NONESP-encap: isakmp 2.0 msgid cookie ->: phase 2/others I #35[]: [|#46]
(len mismatch: isakmp 3068/ip 1468)
protoent* getprotobynumber(int)(3) is not implemented on Android
11:31:55.509521 IP (tos 0x0, ttl 64, id 42495, offset 1480, flags [+],
proto UDP (17), length 1500) 172.16.1.76 > 27.61.179.244: ip-proto-17
protoent* getprotobynumber(int)(3) is not implemented on Android
11:31:55.510772 IP (tos 0x0, ttl 64, id 42495, offset 2960, flags [none],
proto UDP (17), length 140) 172.16.1.76 > 27.61.179.244: ip-proto-17
11:32:01.165862 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP
(17), length 784) 172.16.1.76.33612 > 27.61.179.244.isakmp: isakmp 2.0
msgid cookie ->: phase 1 I #34[]: [|#33]
11:32:03.293792 IP (tos 0x10, ttl 53, id 0, offset 0, flags [DF], proto UDP
(17), length 468) 27.61.179.244.isakmp > 172.16.1.76.33612: isakmp 2.0
msgid cookie ->: phase 1 R #34[]: [|#33]
11:32:03.294066 IP (tos 0xd0, ttl 64, id 42496, offset 0, flags [none],
proto ICMP (1), length 496) 172.16.1.76 > 27.61.179.244: ICMP 172.16.1.76
udp port 33612 unreachable, length 476
IP (tos 0x10, ttl 53, id 0, offset 0, flags [DF], proto UDP (17),
length 468) 27.61.179.244.isakmp > 172.16.1.76.33612: [|isakmp][|icmp]
Can someone please help me on this?
--Regards
Sam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20140103/34033ec2/attachment.html>
More information about the Users
mailing list