[strongSwan] strongswan android app: sending but not receiving bytes/packets

Cindy Moore ctmoore at cs.ucsd.edu
Tue Sep 16 17:17:59 CEST 2014


Testing connection with strongswan server and android using the
strongswan android app and RSA certificates

It connects successfully, but then I see that sent packets (from
android to vpn) look okay while received packets show 0 bytes/0
packets, and of course trying to do anything on the Android just
stalls and freezes and ultimately behaves as if I'm not connected to
the internet.

I have googled up "NAT mappings of ESP CHILD" but most of my hits
seemed to reference pre 5.0 bugs and setting nat_traversal=yes in the
ipsec.conf which appears to be deprecated now.

Here's the relevant syslog output from the strongswan vpn server:

Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any
Sep 15 22:39:36 vpn charon: 09[CFG] reassigning offline lease to
'C=CH, O=strongSwan, CN=moi'
Sep 15 22:39:36 vpn charon: 09[IKE] assigning virtual IP <client
virtual ip> to peer 'C=CH, O=strongSwan, CN=moi'
Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any6
Sep 15 22:39:36 vpn charon: 09[IKE] no virtual IP found for %any6
requested by 'C=CH, O=strongSwan, CN=moi'
Sep 15 22:39:36 vpn charon: 09[CFG] looking for a child config for
0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Sep 15 22:39:36 vpn charon: 09[CFG] proposing traffic selectors for us:
Sep 15 22:39:36 vpn charon: 09[CFG]  0.0.0.0/0
Sep 15 22:39:36 vpn charon: 09[CFG] proposing traffic selectors for other:
Sep 15 22:39:36 vpn charon: 09[CFG]  <client virtual ip>/32
Sep 15 22:39:36 vpn charon: 09[CFG]   candidate "roadwarrior" with prio 10+2
Sep 15 22:39:36 vpn charon: 09[CFG] found matching child config
"roadwarrior" with prio 12
Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable INTEGRITY_ALGORITHM found
Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
Sep 15 22:39:36 vpn charon: 09[CFG]   proposal matches
Sep 15 22:39:36 vpn charon: 09[CFG] received proposals:
ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[CFG] selecting traffic selectors for us:
Sep 15 22:39:36 vpn charon: 09[CFG]  config: 0.0.0.0/0, received:
0.0.0.0/0 => match: 0.0.0.0/0
Sep 15 22:39:36 vpn charon: 09[CFG]  config: 0.0.0.0/0, received: ::/0
=> no match
Sep 15 22:39:36 vpn charon: 09[CFG] selecting traffic selectors for other:
Sep 15 22:39:36 vpn charon: 09[CFG]  config: <client virtual ip>/32,
received: 0.0.0.0/0 => match: <client virtual ip>/32
Sep 15 22:39:36 vpn charon: 09[CFG]  config: <client virtual ip>/32,
received: ::/0 => no match
Sep 15 22:39:36 vpn charon: 09[IKE] CHILD_SA roadwarrior{3}
established with SPIs ca14eb50_i 01095b0e_o and TS 0.0.0.0/0 ===
<client virtual ip>/32
Sep 15 22:39:36 vpn charon: 09[ENC] generating IKE_AUTH response 1 [
IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Sep 15 22:39:36 vpn charon: 09[NET] sending packet: from <vpn's ip
addr>[4500] to <client ip addr>[33534] (1820 bytes)
Sep 15 22:39:36 vpn charon: 03[NET] sending packet: from <vpn's ip
addr>[4500] to <client ip addr>[33534]
Sep 15 22:51:12 vpn charon: 13[KNL] NAT mappings of ESP CHILD_SA with
SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 22:56:26 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with
SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 23:00:50 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with
SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 23:01:20 vpn charon: 02[NET] received packet: from <client ip
addr>[48986] to <vpn's ip addr>[4500]
Sep 15 23:01:20 vpn charon: 02[NET] waiting for data on sockets
Sep 15 23:01:20 vpn charon: 08[NET] received packet: from <client ip
addr>[48986] to <vpn's ip addr>[4500] (76 bytes)
Sep 15 23:01:20 vpn charon: 02[NET] waiting for data on sockets
Sep 15 23:01:20 vpn charon: 08[NET] received packet: from <client ip
addr>[48986] to <vpn's ip addr>[4500] (76 bytes)
Sep 15 23:01:20 vpn charon: 08[ENC] parsed INFORMATIONAL request 2 [
N(NO_ADD_ADDR) ]
Sep 15 23:01:20 vpn charon: 08[ENC] generating INFORMATIONAL response 2 [ ]
Sep 15 23:01:20 vpn charon: 08[NET] sending packet: from <vpn's ip
addr>[4500] to <client ip addr>[48986] (76 bytes)
Sep 15 23:01:20 vpn charon: 03[NET] sending packet: from <vpn's ip
addr>[4500] to <client ip addr>[48986]
Sep 15 23:10:21 vpn charon: 10[KNL] NAT mappings of ESP CHILD_SA with
SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 23:13:23 vpn charon: 09[KNL] NAT mappings of ESP CHILD_SA with
SPI ca14eb50 and reqid {3} changed, queuing update job

------------------------
ALSO, when I reran this scenario (I checked out the nat_traversal
anyway, although it failed to load, it's that deprecated), I noticed
this in the connection negotiation:

Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for unknown
ca with keyid 36:12:c2:39:c5:22:b9:1e:20:d4:8e:08:3c:be:69:e1:1d:a8:27:e5
Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for unknown
ca with keyid 30:a4:e6:4f:de:76:8a:fc:ed:5a:90:84:28:30:46:79:2c:29:15:70
...
Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for "C=CH,
O=strongSwan, CN=strongSwan Root CA"
Sep 16 00:07:24 vpn charon: 07[IKE] received 135 cert requests for an unknown ca
Sep 16 00:07:24 vpn charon: 07[IKE] received end entity cert "C=CH,
O=strongSwan, CN=moi"
Sep 16 00:07:24 vpn charon: 07[CFG] looking for peer configs matching
<vpn's ip addr>[%any]...<client ip addr>[C=CH, O=strongSwan, CN=moi]
Sep 16 00:07:24 vpn charon: 07[CFG]   candidate "roadwarrior", match:
1/1/1048 (me/other/ike)

What would all those cert requests re unknown CAs be about? I
included a couple of examples (didn't think anyone wanted to see the
full list).
-----------------------

Current ipsec.conf:

config setup
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ike
        leftcert=vpnHostCert.pem
        leftid="C=CH, O=strongSwan, CN=vpn.example.com"

conn roadwarrior
        left=<vpn's ip addr>
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=pubkey
        rightsourceip=<client virtual ip>/24
        auto=add


current ipsec.secrets:

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# doc: wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets

# tell the bloody strongswan install where the bloody private key is
: RSA vpnHostKey.pem


version:

root at vpn:/etc/ipsec.d# ipsec version
Linux strongSwan U5.1.2/K3.13.0-35-generic

root at vpn:/etc/ipsec.d# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty

Android is a Nexus 4 with stock 4.3 on it. Strongswan app installed
from Playstore yesterday.
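The ESP proposal negotiation in the log above can be replayed to see why the server settled on AES_CBC_128/HMAC_SHA1_96 and which of the app's offered algorithms the server never allowed. This is an added Python example, not code from strongSwan or from the post; it uses the proposal strings from the log and assumes charon's selection order (for each configured proposal, try each received proposal; check encryption, then integrity, then ESN), inferred from the sequence of "selecting proposal" messages.

```python
# Proposal strings copied from the charon log above (received = Android app, configured = server).
RECEIVED = ("ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ, "
            "ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, "
            "ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, "
            "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/"
            "HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ")
CONFIGURED = ("ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, "
              "ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, "
              "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/"
              "HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ")
# Transform types in the order they are checked (assumed from the log's message order).
TYPES = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM", "EXTENDED_SEQUENCE_NUMBERS")

def transform_type(alg):
    """Classify a token by name; AEAD ciphers such as AES_GCM count as encryption."""
    if alg in ("NO_EXT_SEQ", "EXT_SEQ"):
        return TYPES[2]
    return TYPES[1] if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")) else TYPES[0]

def parse_proposals(text):
    """'ESP:A/B/C, ESP:D/E' -> list of {transform type: [algorithms in offered order]}."""
    proposals = []
    for chunk in text.split(","):
        _proto, _, algs = chunk.strip().partition(":")
        prop = {t: [] for t in TYPES}
        for alg in algs.split("/"):
            prop[transform_type(alg)].append(alg)
        proposals.append(prop)
    return proposals

def select(configured, received):
    """First (configured, received) pair sharing an algorithm of every type wins, using the
    configured side's first common choice. Returns (log-style trace, selected or None)."""
    trace = []
    for conf in configured:
        for recv in received:
            chosen = {}
            for ttype in TYPES:
                common = [a for a in conf[ttype] if a in recv[ttype]]
                if not common:
                    trace.append(f"no acceptable {ttype} found")
                    break
                chosen[ttype] = common[0]
            else:
                trace.append("proposal matches")
                return trace, "ESP:" + "/".join(chosen[t] for t in TYPES)
    return trace, None

def offered_but_unconfigured(configured, received):
    """Peer-offered algorithms that no configured proposal allows (offered order, deduplicated)."""
    allowed = {a for p in configured for algs in p.values() for a in algs}
    offered = [a for p in received for t in TYPES for a in p[t]]
    return [a for i, a in enumerate(offered) if a not in allowed and a not in offered[:i]]
```

Running `select(parse_proposals(CONFIGURED), parse_proposals(RECEIVED))` reproduces the four "selecting proposal" messages from the log and the selected ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ; `offered_but_unconfigured` lists the AES-GCM and HMAC-SHA2 algorithms the app offered that the server's configured proposals do not contain.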

