[strongSwan] strongswan android app: sending but not receiving bytes/packets

Cindy Moore ctmoore at cs.ucsd.edu
Tue Sep 16 19:10:56 CEST 2014


If I am using the strongSwan app on Android to make the connection,
how is it a "broken vpn API on the client side"?

Also, contents of my vpn.example.com /etc/sysctl.conf file:

# VPN (strongswan)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

However, vpn.example.com is not also our nat gateway, is that the
difference (both servers are on the same network)?



On Tue, Sep 16, 2014 at 9:33 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Cindy,
>
> By default, the strongSwan app also asks for the certificate chains of public CAs.
> Also, your problem is not the NAT mapping, but potentially a broken vpn API on the client side.
> If you want to access hosts other than your VPN server, see [1] for information on how to make that possible.
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 16.09.2014 at 17:17, Cindy Moore wrote:
>> Testing a connection with a strongSwan server and Android using the
>> strongSwan Android app and RSA certificates.
>>
>> It connects successfully, but then I see that sent packets (from
>> Android to VPN) look okay while received packets are 0 bytes/0 packets,
>> and of course trying to do anything on the Android just stalls and
>> freezes and ultimately behaves as if I'm not connected to the
>> internet.
>>
>> I have googled "NAT mappings of ESP CHILD" but most of my hits
>> seemed to reference pre-5.0 bugs and setting nat_traversal=yes in
>> ipsec.conf, which appears to be deprecated now.
>>
>> Here's the relevant syslog output from the strongswan vpn server:
>>
>> Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any
>> Sep 15 22:39:36 vpn charon: 09[CFG] reassigning offline lease to
>> 'C=CH, O=strongSwan, CN=moi'
>> Sep 15 22:39:36 vpn charon: 09[IKE] assigning virtual IP <client
>> virtual ip> to peer 'C=CH, O=strongSwan, CN=moi'
>> Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any6
>> Sep 15 22:39:36 vpn charon: 09[IKE] no virtual IP found for %any6
>> requested by 'C=CH, O=strongSwan, CN=moi'
>> Sep 15 22:39:36 vpn charon: 09[CFG] looking for a child config for
>> 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>> Sep 15 22:39:36 vpn charon: 09[CFG] proposing traffic selectors for us:
>> Sep 15 22:39:36 vpn charon: 09[CFG]  0.0.0.0/0
>> Sep 15 22:39:36 vpn charon: 09[CFG] proposing traffic selectors for other:
>> Sep 15 22:39:36 vpn charon: 09[CFG]  <client virtual ip>/32
>> Sep 15 22:39:36 vpn charon: 09[CFG]   candidate "roadwarrior" with prio 10+2
>> Sep 15 22:39:36 vpn charon: 09[CFG] found matching child config
>> "roadwarrior" with prio 12
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
>> Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
>> Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable INTEGRITY_ALGORITHM found
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
>> Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
>> Sep 15 22:39:36 vpn charon: 09[CFG]   proposal matches
>> Sep 15 22:39:36 vpn charon: 09[CFG] received proposals: ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
>> Sep 15 22:39:36 vpn charon: 09[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>> Sep 15 22:39:36 vpn charon: 09[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting traffic selectors for us:
>> Sep 15 22:39:36 vpn charon: 09[CFG]  config: 0.0.0.0/0, received:
>> 0.0.0.0/0 => match: 0.0.0.0/0
>> Sep 15 22:39:36 vpn charon: 09[CFG]  config: 0.0.0.0/0, received: ::/0
>> => no match
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting traffic selectors for other:
>> Sep 15 22:39:36 vpn charon: 09[CFG]  config: <client virtual ip>/32,
>> received: 0.0.0.0/0 => match: <client virtual ip>/32
>> Sep 15 22:39:36 vpn charon: 09[CFG]  config: <client virtual ip>/32,
>> received: ::/0 => no match
>> Sep 15 22:39:36 vpn charon: 09[IKE] CHILD_SA roadwarrior{3}
>> established with SPIs ca14eb50_i 01095b0e_o and TS 0.0.0.0/0 ===
>> <client virtual ip>/32
>> Sep 15 22:39:36 vpn charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
>> Sep 15 22:39:36 vpn charon: 09[NET] sending packet: from <vpn's ip
>> addr>[4500] to <client ip addr>[33534] (1820 bytes)
>> Sep 15 22:39:36 vpn charon: 03[NET] sending packet: from <vpn's ip
>> addr>[4500] to <client ip addr>[33534]
>> Sep 15 22:51:12 vpn charon: 13[KNL] NAT mappings of ESP CHILD_SA with
>> SPI ca14eb50 and reqid {3} changed, queuing update job
>> Sep 15 22:56:26 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with
>> SPI ca14eb50 and reqid {3} changed, queuing update job
>> Sep 15 23:00:50 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with
>> SPI ca14eb50 and reqid {3} changed, queuing update job
>> Sep 15 23:01:20 vpn charon: 02[NET] received packet: from <client ip
>> addr>[48986] to <vpn's ip addr>[4500]
>> Sep 15 23:01:20 vpn charon: 02[NET] waiting for data on sockets
>> Sep 15 23:01:20 vpn charon: 08[NET] received packet: from <client ip
>> addr>[48986] to <vpn's ip addr>[4500] (76 bytes)
>> Sep 15 23:01:20 vpn charon: 02[NET] waiting for data on sockets
>> Sep 15 23:01:20 vpn charon: 08[NET] received packet: from <client ip
>> addr>[48986] to <vpn's ip addr>[4500] (76 bytes)
>> Sep 15 23:01:20 vpn charon: 08[ENC] parsed INFORMATIONAL request 2 [
>> N(NO_ADD_ADDR) ]
>> Sep 15 23:01:20 vpn charon: 08[ENC] generating INFORMATIONAL response 2 [ ]
>> Sep 15 23:01:20 vpn charon: 08[NET] sending packet: from <vpn's ip
>> addr>[4500] to <client ip addr>[48986] (76 bytes)
>> Sep 15 23:01:20 vpn charon: 03[NET] sending packet: from <vpn's ip
>> addr>[4500] to <client ip addr>[48986]
>> Sep 15 23:10:21 vpn charon: 10[KNL] NAT mappings of ESP CHILD_SA with
>> SPI ca14eb50 and reqid {3} changed, queuing update job
>> Sep 15 23:13:23 vpn charon: 09[KNL] NAT mappings of ESP CHILD_SA with
>> SPI ca14eb50 and reqid {3} changed, queuing update job
>>
>> ------------------------
>> ALSO, when I reran this scenario (I checked out the nat_traversal
>> option anyway, although it failed to load; it's that deprecated), I
>> noticed this in the connection negotiation:
>>
>> Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for unknown
>> ca with keyid 36:12:c2:39:c5:22:b9:1e:20:d4:8e:08:3c:be:69:e1:1d:a8:27:e5
>> Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for unknown
>> ca with keyid 30:a4:e6:4f:de:76:8a:fc:ed:5a:90:84:28:30:46:79:2c:29:15:70
>> ...
>> Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for "C=CH,
>> O=strongSwan, CN=strongSwan Root CA"
>> Sep 16 00:07:24 vpn charon: 07[IKE] received 135 cert requests for an unknown ca
>> Sep 16 00:07:24 vpn charon: 07[IKE] received end entity cert "C=CH,
>> O=strongSwan, CN=moi"
>> Sep 16 00:07:24 vpn charon: 07[CFG] looking for peer configs matching
>> <vpn's ip addr>[%any]...<client ip addr>[C=CH, O=strongSwan, CN=moi]
>> Sep 16 00:07:24 vpn charon: 07[CFG]   candidate "roadwarrior", match:
>> 1/1/1048 (me/other/ike)
>>
>> What would all those cert requests for unknown CAs be about? I
>> included a couple of examples (didn't think anyone wanted to see the
>> full list).
>> -----------------------
>>
>> Current ipsec.conf:
>>
>> config setup
>>         charondebug="cfg 2, dmn 2, ike 2, net 2"
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ike
>>         leftcert=vpnHostCert.pem
>>         leftid="C=CH, O=strongSwan, CN=vpn.example.com"
>>
>> conn roadwarrior
>>         left=<vpn's ip addr>
>>         leftsubnet=0.0.0.0/0
>>         right=%any
>>         rightid=%any
>>         rightauth=pubkey
>>         rightsourceip=<client virtual ip>/24
>>         auto=add
>>
>>
>> current ipsec.secrets:
>>
>> # This file holds shared secrets or RSA private keys for authentication.
>>
>> # RSA private key for this host, authenticating it to any other host
>> # which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
>> # or configuration of other implementations, can be extracted conveniently
>> # with "ipsec showhostkey".
>>
>> # doc: wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
>>
>> # tell the bloody strongswan install where the bloody private key is
>> : RSA vpnHostKey.pem
>>
>>
>> version:
>>
>> root at vpn:/etc/ipsec.d# ipsec version
>> Linux strongSwan U5.1.2/K3.13.0-35-generic
>>
>> root at vpn:/etc/ipsec.d# lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description:    Ubuntu 14.04.1 LTS
>> Release:        14.04
>> Codename:       trusty
>>
>> Android is a Nexus 4 with stock 4.3 on it. strongSwan app installed
>> from the Play Store yesterday.
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
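As an added example (not part of this thread, and not strongSwan's own tooling): a small Python audit of charon log lines like the ones quoted above. It parses the received, configured and selected ESP proposals, the CHILD_SA SPIs, the "NAT mappings ... changed" events and the traffic-selector mismatches, and reports what an operator would act on: legacy algorithms the server still offers, a non-AEAD proposal being selected although the client offered AES-GCM, a NAT binding that keeps changing, and the IPv6 selector that will not be tunnelled. The sample log is constructed from the quoted lines (address placeholders kept), and the legacy-algorithm set is this example's own policy, not a strongSwan setting.

```python
import re
from collections import Counter

# Constructed sample: charon lines modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
Sep 15 22:39:36 vpn charon: 09[CFG] received proposals: ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
Sep 15 22:39:36 vpn charon: 09[IKE] CHILD_SA roadwarrior{3} established with SPIs ca14eb50_i 01095b0e_o and TS 0.0.0.0/0 === <client virtual ip>/32
Sep 15 22:51:12 vpn charon: 13[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 22:56:26 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 23:00:50 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
"""

# Policy of this example (an assumption, not a strongSwan default): algorithms
# that should no longer be offered by a VPN gateway.
LEGACY_ALGS = {"3DES_CBC", "BLOWFISH_CBC_256", "HMAC_MD5_96", "HMAC_SHA1_96"}
# Transform names that are AEAD (combined-mode) ciphers in charon's notation.
AEAD_PREFIXES = ("AES_GCM_", "AES_CCM_", "CHACHA20_POLY1305")


def split_proposals(field):
    """'ESP:A/B, ESP:C/D' -> ['ESP:A/B', 'ESP:C/D']"""
    return [p.strip() for p in field.split(",") if p.strip()]


def proposal_algs(proposal):
    """'ESP:A/B/C' -> {'A', 'B', 'C'} (protocol prefix dropped)"""
    _, _, body = proposal.partition(":")
    return set(body.split("/"))


def has_aead(proposals):
    return any(a.startswith(AEAD_PREFIXES)
               for p in proposals for a in proposal_algs(p))


def audit_charon_log(log):
    report = {
        "received": [], "configured": [], "selected": None,
        "legacy_in_config": set(), "selected_is_aead": None,
        "client_offered_aead": None,
        "child_sas": {},                    # inbound SPI -> CHILD_SA name
        "nat_mapping_changes": Counter(),   # inbound SPI -> change events
        "ts_no_match": [],                  # (configured TS, requested TS)
    }
    for line in log.splitlines():
        m = re.search(r"\[CFG\] received proposals: (.*)$", line)
        if m:
            report["received"] = split_proposals(m.group(1))
            continue
        m = re.search(r"\[CFG\] configured proposals: (.*)$", line)
        if m:
            report["configured"] = split_proposals(m.group(1))
            continue
        m = re.search(r"\[CFG\] selected proposal: (\S+)", line)
        if m:
            report["selected"] = m.group(1)
            continue
        m = re.search(r"CHILD_SA (\S+) established with SPIs (\w+)_i (\w+)_o", line)
        if m:
            report["child_sas"][m.group(2)] = m.group(1)
            continue
        m = re.search(r"NAT mappings of ESP CHILD_SA with SPI (\w+)", line)
        if m:
            report["nat_mapping_changes"][m.group(1)] += 1
            continue
        m = re.search(r"\[CFG\]\s+config: (\S+), received: (\S+) => no match", line)
        if m:
            report["ts_no_match"].append((m.group(1), m.group(2)))
    for p in report["configured"]:
        report["legacy_in_config"] |= proposal_algs(p) & LEGACY_ALGS
    report["client_offered_aead"] = has_aead(report["received"])
    if report["selected"]:
        report["selected_is_aead"] = has_aead([report["selected"]])
    return report


def findings(report):
    """Turn the parsed report into actionable one-line findings."""
    out = []
    if report["legacy_in_config"]:
        out.append("server still offers legacy ESP algorithms: "
                   + ", ".join(sorted(report["legacy_in_config"])))
    if report["selected"] and report["client_offered_aead"] and not report["selected_is_aead"]:
        out.append("client offered an AEAD cipher but %s was selected; "
                   "restrict esp= on the server" % report["selected"])
    for spi, n in report["nat_mapping_changes"].items():
        name = report["child_sas"].get(spi, "unknown")
        out.append("NAT mapping of CHILD_SA %s (SPI %s) changed %d times: "
                   "client NAT binding is unstable" % (name, spi, n))
    for cfg, rcv in report["ts_no_match"]:
        out.append("requested selector %s has no match in config %s: "
                   "that traffic is not tunnelled" % (rcv, cfg))
    return out


if __name__ == "__main__":
    for f in findings(audit_charon_log(SAMPLE_LOG)):
        print("-", f)
```

Run it as-is to see the four findings for the sample, or pipe a real charon log into `audit_charon_log`. The "configured proposals" line in the quoted log is the server's ESP default for that version, which is why AES-GCM offered by the app is never selected; setting `esp=` explicitly in the `roadwarrior` conn to a modern AEAD proposal removes both the 3DES/MD5/Blowfish offers and the non-AEAD selection this script flags.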

