[strongSwan] strongswan android app: sending but not receiving bytes/packets

Noel Kuntze noel at familie-kuntze.de
Tue Sep 16 18:33:36 CEST 2014



Hello Cindy,

By default, the strongSwan app also asks for the certificate chains of public CAs.
Also, your problem is not the NAT mapping, but potentially a broken vpn API on the client side.
If you want to access hosts other than your VPN server, see [1] for information on how to make that possible.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 16.09.2014 um 17:17 schrieb Cindy Moore:
> Testing connection with strongswan server and android using the
> strongswan android app and RSA certificates
>
> It connects successfully, but then I see that sent packages (from
> android to vpn) look okay but received packets is 0 bytes/0 packets
> and of course trying to do anything on the Android just stalls and
> freezes and ultimately behaves as if I'm not connected to the
> internet.
>
> I have googled up "NAT mappings of ESP CHILD" but most of my hits
> seemed to reference pre 5.0 bugs and setting nat_traversal=yes in the
> ipsec.conf which appears to be deprecated now.
>
> Here's the relevant syslog output from the strongswan vpn server:
>
> Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any
> Sep 15 22:39:36 vpn charon: 09[CFG] reassigning offline lease to
> 'C=CH, O=strongSwan, CN=moi'
> Sep 15 22:39:36 vpn charon: 09[IKE] assigning virtual IP <client
> virtual ip> to peer 'C=CH, O=strongSwan, CN=moi'
> Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any6
> Sep 15 22:39:36 vpn charon: 09[IKE] no virtual IP found for %any6
> requested by 'C=CH, O=strongSwan, CN=moi'
> Sep 15 22:39:36 vpn charon: 09[CFG] looking for a child config for
> 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
> Sep 15 22:39:36 vpn charon: 09[CFG] proposing traffic selectors for us:
> Sep 15 22:39:36 vpn charon: 09[CFG]  0.0.0.0/0
> Sep 15 22:39:36 vpn charon: 09[CFG] proposing traffic selectors for other:
> Sep 15 22:39:36 vpn charon: 09[CFG]  <client virtual ip>/32
> Sep 15 22:39:36 vpn charon: 09[CFG]   candidate "roadwarrior" with prio 10+2
> Sep 15 22:39:36 vpn charon: 09[CFG] found matching child config
> "roadwarrior" with prio 12
> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
> Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
> Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable INTEGRITY_ALGORITHM found
> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
> Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
> Sep 15 22:39:36 vpn charon: 09[CFG]   proposal matches
> Sep 15 22:39:36 vpn charon: 09[CFG] received proposals:
> ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_
> CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
> Sep 15 22:39:36 vpn charon: 09[CFG] configured proposals:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES
> _CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Sep 15 22:39:36 vpn charon: 09[CFG] selected proposal:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> Sep 15 22:39:36 vpn charon: 09[CFG] selecting traffic selectors for us:
> Sep 15 22:39:36 vpn charon: 09[CFG]  config: 0.0.0.0/0, received:
> 0.0.0.0/0 => match: 0.0.0.0/0
> Sep 15 22:39:36 vpn charon: 09[CFG]  config: 0.0.0.0/0, received: ::/0
> => no match
> Sep 15 22:39:36 vpn charon: 09[CFG] selecting traffic selectors for other:
> Sep 15 22:39:36 vpn charon: 09[CFG]  config: <client virtual ip>/32,
> received: 0.0.0.0/0 => match: <client virtual ip>/32
> Sep 15 22:39:36 vpn charon: 09[CFG]  config: <client virtual ip>/32,
> received: ::/0 => no match
> Sep 15 22:39:36 vpn charon: 09[IKE] CHILD_SA roadwarrior{3}
> established with SPIs ca14eb50_i 01095b0e_o and TS 0.0.0.0/0 ===
> <client virtual ip>/32
> Sep 15 22:39:36 vpn charon: 09[ENC] generating IKE_AUTH response 1 [
> IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
> N(ADD_6_ADDR) N(ADD_6_ADD
> R) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
> Sep 15 22:39:36 vpn charon: 09[NET] sending packet: from <vpn's ip
> addr>[4500] to <client ip addr>[33534] (1820 bytes)
> Sep 15 22:39:36 vpn charon: 03[NET] sending packet: from <vpn's ip
> addr>[4500] to <client ip addr>[33534]
> Sep 15 22:51:12 vpn charon: 13[KNL] NAT mappings of ESP CHILD_SA with
> SPI ca14eb50 and reqid {3} changed, queuing update job
> Sep 15 22:56:26 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with
> SPI ca14eb50 and reqid {3} changed, queuing update job
> Sep 15 23:00:50 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with
> SPI ca14eb50 and reqid {3} changed, queuing update job
> Sep 15 23:01:20 vpn charon: 02[NET] received packet: from <client ip
> addr>[48986] to <vpn's ip addr>[4500]
> Sep 15 23:01:20 vpn charon: 02[NET] waiting for data on sockets
> Sep 15 23:01:20 vpn charon: 08[NET] received packet: from <client ip
> addr>[48986] to <vpn's ip addr>[4500] (76 bytes)
> Sep 15 23:01:20 vpn charon: 02[NET] waiting for data on sockets
> Sep 15 23:01:20 vpn charon: 08[NET] received packet: from <client ip
> addr>[48986] to <vpn's ip addr>[4500] (76 bytes)
> Sep 15 23:01:20 vpn charon: 08[ENC] parsed INFORMATIONAL request 2 [
> N(NO_ADD_ADDR) ]
> Sep 15 23:01:20 vpn charon: 08[ENC] generating INFORMATIONAL response 2 [ ]
> Sep 15 23:01:20 vpn charon: 08[NET] sending packet: from <vpn's ip
> addr>[4500] to <client ip addr>[48986] (76 bytes)
> Sep 15 23:01:20 vpn charon: 03[NET] sending packet: from <vpn's ip
> addr>[4500] to <client ip addr>[48986]
> Sep 15 23:10:21 vpn charon: 10[KNL] NAT mappings of ESP CHILD_SA with
> SPI ca14eb50 and reqid {3} changed, queuing update job
> Sep 15 23:13:23 vpn charon: 09[KNL] NAT mappings of ESP CHILD_SA with
> SPI ca14eb50 and reqid {3} changed, queuing update job
>
> ------------------------
> ALSO, when I reran this scenario (I checked out the nat_traversal
> anyway, although it failed to load, it's that deprecated), I noticed
> this in the connection negotiation:
>
> Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for unknown
> ca with keyid 36:12:c2:39:c5:22:b9:1e:20:d4:8e:08:3c:be:69:e1:1d:a8:27:e5
> Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for unknown
> ca with keyid 30:a4:e6:4f:de:76:8a:fc:ed:5a:90:84:28:30:46:79:2c:29:15:70
> ...
> Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for "C=CH,
> O=strongSwan, CN=strongSwan Root CA"
> Sep 16 00:07:24 vpn charon: 07[IKE] received 135 cert requests for an unknown ca
> Sep 16 00:07:24 vpn charon: 07[IKE] received end entity cert "C=CH,
> O=strongSwan, CN=moi"
> Sep 16 00:07:24 vpn charon: 07[CFG] looking for peer configs matching
> <vpn's ip addr>[%any]...<client ip addr>[C=CH, O=strongSwan, CN=moi]
> Sep 16 00:07:24 vpn charon: 07[CFG]   candidate "roadwarrior", match:
> 1/1/1048 (me/other/ike)
>
> What would all those cert requests re unknown ca's be about? I
> included a couple examples (didn't think anyone wanted to see the full
> list).
> -----------------------
>
> Current ipsec.conf:
>
> config setup
>         charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ike
>         leftcert=vpnHostCert.pem
>         leftid="C=CH, O=strongSwan, CN=vpn.example.com"
>
> conn roadwarrior
>         left=<vpn's ip addr>
>         leftsubnet=0.0.0.0/0
>         right=%any
>         rightid=%any
>         rightauth=pubkey
>         rightsourceip=<client virtual ip>/24
>         auto=add
>
>
> current ipsec.secrets:
>
> # This file holds shared secrets or RSA private keys for authentication.
>
> # RSA private key for this host, authenticating it to any other host
> # which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
> # or configuration of other implementations, can be extracted conveniently
> # with "ipsec showhostkey".
>
> # doc: wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
>
> # tell the bloody strongswan install where the bloody private key is
> : RSA vpnHostKey.pem
>
>
> version:
>
> root@vpn:/etc/ipsec.d# ipsec version
> Linux strongSwan U5.1.2/K3.13.0-35-generic
>
> root@vpn:/etc/ipsec.d# lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:    Ubuntu 14.04.1 LTS
> Release:        14.04
> Codename:       trusty
>
> Android is a Nexus 4 with stock 4.3 on it. Strongswan app installed
> from Playstore yesterday.

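The charon log excerpt quoted above has enough regular structure for a small triage script, which is what a server admin would want before asking the list. The following is an added example, not code from this thread or from the strongSwan project: it parses charon syslog lines of the shape quoted above, records each established CHILD_SA with its SPIs and traffic selectors, counts "NAT mappings ... changed" events per SPI, and collects findings a reviewer would look at first (the %any6 virtual IP request that the IPv4-only pool cannot serve, legacy algorithms in the configured ESP proposals, and the burst of cert requests for unknown CAs, which Noel's reply attributes to the app asking for public CA chains by default). The sample lines are constructed on the pattern of the quoted log; the client address 10.10.10.2, the `LEGACY_ALGS` list and the regular expressions are my assumptions, not anything the project defines.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the charon syslog output quoted in the
# thread. 10.10.10.2 is a made-up value standing in for the poster's
# "<client virtual ip>" placeholder.
SAMPLE_LOG = """\
Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any
Sep 15 22:39:36 vpn charon: 09[IKE] assigning virtual IP 10.10.10.2 to peer 'C=CH, O=strongSwan, CN=moi'
Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any6
Sep 15 22:39:36 vpn charon: 09[IKE] no virtual IP found for %any6 requested by 'C=CH, O=strongSwan, CN=moi'
Sep 15 22:39:36 vpn charon: 09[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/HMAC_MD5_96/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[IKE] CHILD_SA roadwarrior{3} established with SPIs ca14eb50_i 01095b0e_o and TS 0.0.0.0/0 === 10.10.10.2/32
Sep 15 22:51:12 vpn charon: 13[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 22:56:26 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 23:00:50 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 16 00:07:24 vpn charon: 07[IKE] received 135 cert requests for an unknown ca
"""

# syslog prefix, thread id, subsystem tag, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<name>\S+)\{(?P<reqid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.*)$"
)
NAT_RE = re.compile(
    r"NAT mappings of ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+) and reqid \{(?P<reqid>\d+)\} changed"
)
UNKNOWN_CA_RE = re.compile(r"received (?P<n>\d+) cert requests for an unknown ca")

# Assumed list of algorithms worth flagging when they appear in a configured
# ESP proposal; the thread's default proposal set includes all three.
LEGACY_ALGS = ("3DES_CBC", "BLOWFISH_CBC_256", "HMAC_MD5_96")


def parse_line(line):
    """Split one charon syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def weak_algorithms(proposals):
    """Return the LEGACY_ALGS entries present in a proposal string, in list order."""
    return [alg for alg in LEGACY_ALGS if alg in proposals]


def summarize(log_text):
    """Triage a charon log: established CHILD_SAs, NAT mapping churn per SPI, findings."""
    report = {"child_sas": {}, "nat_changes": Counter(), "findings": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a charon line (or wrapped by the mail client)
        msg = rec["msg"]
        if m := CHILD_SA_RE.search(msg):
            key = f"{m['name']}{{{m['reqid']}}}"
            report["child_sas"][key] = {
                "spi_in": m["spi_in"], "spi_out": m["spi_out"], "ts": m["ts"],
            }
        elif m := NAT_RE.search(msg):
            report["nat_changes"][m["spi"]] += 1
        elif msg.startswith("no virtual IP found for %any6"):
            report["findings"].append(
                "client requested an IPv6 virtual IP but the pool is IPv4-only; "
                "no IPv6 traffic selector will be negotiated"
            )
        elif msg.startswith("configured proposals:"):
            weak = weak_algorithms(msg)
            if weak:
                report["findings"].append(
                    "legacy ESP algorithms in configured proposals: " + ", ".join(weak)
                )
        elif m := UNKNOWN_CA_RE.search(msg):
            report["findings"].append(
                f"peer sent {m['n']} cert requests for CAs this server does not hold "
                "(expected: the app requests public CA chains by default)"
            )
    # Per-SPI churn is reported for correlation; the reply above does not treat
    # it as the cause of the missing return traffic.
    for spi, n in sorted(report["nat_changes"].items()):
        report["findings"].append(f"SPI {spi}: NAT mapping changed {n} times")
    return report


if __name__ == "__main__":
    for sa, info in summarize(SAMPLE_LOG)["child_sas"].items():
        print(sa, info)
    for finding in summarize(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

Feed it the real log with `summarize(open("/var/log/syslog").read())`; lines the mail client wrapped mid-message (as several in the quoted excerpt are) will not match `LINE_RE` and are skipped rather than misparsed, so unwrap them first if you want every event counted.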
