[strongSwan] iOS 9 and IKEv2, Connection Established but no traffic.
Agustin M.
agustin at mattware.com.ar
Thu Nov 12 22:45:37 CET 2015
Hi guys.
I can establish the connection against my remote access IKEv2 server for
iOS with these settings:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    uniqueids=never
    #charondebug="lib 2,cfg 2,net 2,ike 3, enc 2, chd 2, mgr 2, dmn 2"

conn ikev2ios
    #forceencaps=yes
    keyexchange=ikev2
    type=tunnel
    leftsendcert=always
    left=192.168.1.175
    leftid=vpn.dowhale.com
    # _updown inserts iptables FORWARD accept rules for the client; it adds no NAT rule
    leftfirewall=yes
    leftcert=serverCert.pem
    # full tunnel: the client is offered all of IPv4 and IPv6 through the gateway
    leftsubnet=0.0.0.0/0,::/0
    #leftsourceip=192.168.1.175/24
    leftauth=pubkey
    leftdns=192.168.1.250
    #lefthostaccess=yes
    right=%any
    rightauth=eap-tls
    eap_identity=%any
    # virtual IP pool handed out to clients
    rightsourceip=10.0.10.1/24
    rightsubnet=10.0.10.0/24
    rightdns=8.8.8.8
    rightid=*@dowhale.com
    dpdaction=clear
    mobike=no
    auto=add
The intention is to NAT between 10.0.10.0/24 and 192.168.1.175 to
provide access to the internet. Everything looks good and the connection is
established, but there is no internet or local connectivity at all.
Server side I see:
16:41:50.468965 IP 192.168.1.175.ipsec-nat-t >
host136.181-117-6.telmex.net.ar.11730: UDP-encap:
ESP(spi=0x0ad9019d,seq=0xf2), length 148
16:41:50.858591 IP host136.181-117-6.telmex.net.ar.11730 >
192.168.1.175.ipsec-nat-t: UDP-encap: ESP(spi=0xc26d27e7,seq=0xe3),
length 116
16:41:50.858721 IP 192.168.1.175.49841 >
google-public-dns-a.google.com.domain: 21905+ A? b-api.facebook.com. (36)
16:41:50.879924 IP google-public-dns-a.google.com.domain >
192.168.1.175.49841: 21905 3/0/0 CNAME z-m.facebook.com., CNAME
z-m.c10r.facebook.com., A 31.13.73.37 (93)
16:41:50.879975 IP 192.168.1.175.ipsec-nat-t >
host136.181-117-6.telmex.net.ar.11730: UDP-encap:
ESP(spi=0x0ad9019d,seq=0xf3), length 164
16:41:51.012364 IP host136.181-117-6.telmex.net.ar.11730 >
192.168.1.175.ipsec-nat-t: UDP-encap: ESP(spi=0xc26d27e7,seq=0xe4),
length 116
16:41:51.012473 IP 192.168.1.175.63391 >
google-public-dns-a.google.com.domain: 6744+ A? b-graph.facebook.com. (38)
16:41:51.034466 IP google-public-dns-a.google.com.domain >
192.168.1.175.63391: 6744 3/0/0 CNAME z-m.facebook.com., CNAME
z-m.c10r.facebook.com., A 31.13.73.37 (95)
16:41:51.034506 IP 192.168.1.175.ipsec-nat-t >
host136.181-117-6.telmex.net.ar.11730: UDP-encap:
ESP(spi=0x0ad9019d,seq=0xf4), length 164
307, options [nop,nop,TS val 36060478 ecr 35625989], length 0
16:41:52.783476 IP host136.181-117-6.telmex.net.ar.11730 >
192.168.1.175.ipsec-nat-t: UDP-encap: ESP(spi=0xc26d27e7,seq=0xe5),
length 116
16:41:52.783915 IP 192.168.1.175.50464 >
google-public-dns-a.google.com.domain: 59128+ A? edge-mqtt.facebook.com.
(40)
16:41:52.795216 IP google-public-dns-a.google.com.domain >
192.168.1.175.50464: 59128 2/0/0 CNAME mqtt.c10r.facebook.com., A
31.13.73.3 (80)
16:41:52.795372 IP 192.168.1.175.ipsec-nat-t >
host136.181-117-6.telmex.net.ar.11730: UDP-encap:
ESP(spi=0x0ad9019d,seq=0xf5), length 148
So far I see that the NAT is working, I see the traffic coming from
192.168.1.175, and DNS is working too:
16:41:44.165694 IP google-public-dns-a.google.com.domain >
192.168.1.175.65214: 57625 3/0/0 CNAME api.facebook.com., CNAME
star.c10r.facebook.com., A 31.13.73.1 (94)
Here's another connection log:
16:40:58.055805 IP 192.168.1.175.ipsec-nat-t >
host136.181-117-6.telmex.net.ar.11730: isakmp-nat-keep-alive
16:40:58.426581 IP host136.181-117-6.telmex.net.ar.11730 >
192.168.1.175.ipsec-nat-t: isakmp-nat-keep-alive
16:41:00.555884 IP host136.181-117-6.telmex.net.ar.11730 >
192.168.1.175.ipsec-nat-t: UDP-encap: ESP(spi=0xc26d27e7,seq=0xca),
length 100
16:41:00.556002 IP 192.168.1.175.61482 >
google-public-dns-a.google.com.domain: 11386+ A? www.bing.com. (30)
16:41:00.566130 IP google-public-dns-a.google.com.domain >
192.168.1.175.61482: 11386 2/0/0 CNAME any.edge.bing.com., A
204.79.197.200 (69)
16:41:00.566182 IP 192.168.1.175.ipsec-nat-t >
host136.181-117-6.telmex.net.ar.11730: UDP-encap:
ESP(spi=0x0ad9019d,seq=0xda), length 148
16:41:01.527171 IP host136.181-117-6.telmex.net.ar.11730 >
192.168.1.175.ipsec-nat-t: UDP-encap: ESP(spi=0xc26d27e7,seq=0xcb),
length 100
16:41:01.527303 IP 192.168.1.175.61482 >
google-public-dns-a.google.com.domain: 11386+ A? www.bing.com. (30)
16:41:01.539553 IP google-public-dns-a.google.com.domain >
192.168.1.175.61482: 11386 2/0/0 CNAME any.edge.bing.com., A
204.79.197.200 (69)
16:41:01.539711 IP 192.168.1.175.ipsec-nat-t >
host136.181-117-6.telmex.net.ar.11730: UDP-encap:
ESP(spi=0x0ad9019d,seq=0xdb), length 148
16:41:03.052671 IP 192.168.1.175.54919 > 192.168.1.250.domain: 28306+
PTR? 168.168.168.224.in-addr.arpa. (46)
16:41:03.222720 IP 192.168.1.250.domain > 192.168.1.175.54919: 28306
NXDomain 0/1/0 (103)
16:41:04.051638 IP 192.168.1.175.54736 > 192.168.1.250.domain: 14624+
PTR? 220.220.67.208.in-addr.arpa. (45)
16:41:04.052496 IP 192.168.1.250.domain > 192.168.1.175.54736: 14624
1/13/0 PTR resolver2.opendns.com. (291)
16:41:04.052772 IP 192.168.1.175.60859 > 192.168.1.250.domain: 12956+
PTR? 222.222.67.208.in-addr.arpa. (45)
16:41:04.053493 IP 192.168.1.250.domain > 192.168.1.175.60859: 12956
1/13/0 PTR resolver1.opendns.com. (291)
16:41:04.988464 IP host136.181-117-6.telmex.net.ar.11730 >
192.168.1.175.ipsec-nat-t: UDP-encap: ESP(spi=0xc26d27e7,seq=0xcc),
length 100
16:41:04.988631 IP 192.168.1.175.61482 >
google-public-dns-a.google.com.domain: 11386+ A? www.bing.com. (30)
16:41:05.002629 IP google-public-dns-a.google.com.domain >
192.168.1.175.61482: 11386 2/0/0 CNAME any.edge.bing.com., A
204.79.197.200 (69)
16:41:05.002673 IP 192.168.1.175.ipsec-nat-t >
host136.181-117-6.telmex.net.ar.11730: UDP-encap:
ESP(spi=0x0ad9019d,seq=0xdc), length 148
16:41:11.051572 IP 192.168.1.175.51632 > 192.168.1.250.domain: 61342+
PTR? 115.1.168.192.in-addr.arpa. (44)
16:41:11.196753 IP 192.168.1.250.domain > 192.168.1.175.51632: 61342
0/1/0 (103)
Seems like there's no ESP decryption.
I've found this article referring to this issue:
https://forums.developer.apple.com/thread/16699
Thanks in advance!
Tano
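As an added example (not code from the original post or from strongSwan), the script below reads a tcpdump listing like the ones above and pairs each inbound UDP-encapsulated ESP packet with the cleartext packet the gateway emits right after decrypting and NATing it, pairs each cleartext reply with the outbound ESP packet that carries it back to the client, and reports ESP sequence-number gaps per SPI. The sample capture is copied from the post (wrapped lines are re-joined by the parser) plus one constructed record at the end that has no cleartext follow-up; the gateway address, the 5 ms pairing window and all function names are assumptions.

```python
"""Pair UDP-encap ESP with the cleartext a strongSwan gateway emits after
decrypt-and-NAT, and check ESP sequence continuity, from tcpdump text.
Added example; not code from the original post. GATEWAY, PAIR_WINDOW and
the function names are assumptions; the last SAMPLE record is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GATEWAY = "192.168.1.175"                # strongSwan host and NAT source address (from the post)
PAIR_WINDOW = timedelta(milliseconds=5)  # assumed upper bound for decrypt -> forward latency

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{6} ")
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{6}) IP (\S+) > (\S+): (.*)$")
ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")

# Records copied from the post's capture; the final one (seq 0xe7) is constructed.
SAMPLE = """\
16:40:58.426581 IP host136.181-117-6.telmex.net.ar.11730 > 192.168.1.175.ipsec-nat-t: isakmp-nat-keep-alive
16:41:03.052671 IP 192.168.1.175.54919 > 192.168.1.250.domain: 28306+ PTR? 168.168.168.224.in-addr.arpa. (46)
16:41:03.222720 IP 192.168.1.250.domain > 192.168.1.175.54919: 28306 NXDomain 0/1/0 (103)
16:41:50.468965 IP 192.168.1.175.ipsec-nat-t > host136.181-117-6.telmex.net.ar.11730: UDP-encap: ESP(spi=0x0ad9019d,seq=0xf2), length 148
16:41:50.858591 IP host136.181-117-6.telmex.net.ar.11730 > 192.168.1.175.ipsec-nat-t: UDP-encap: ESP(spi=0xc26d27e7,seq=0xe3), length 116
16:41:50.858721 IP 192.168.1.175.49841 > google-public-dns-a.google.com.domain: 21905+ A? b-api.facebook.com. (36)
16:41:50.879924 IP google-public-dns-a.google.com.domain >
192.168.1.175.49841: 21905 3/0/0 CNAME z-m.facebook.com., CNAME z-m.c10r.facebook.com., A 31.13.73.37 (93)
16:41:50.879975 IP 192.168.1.175.ipsec-nat-t > host136.181-117-6.telmex.net.ar.11730: UDP-encap: ESP(spi=0x0ad9019d,seq=0xf3), length 164
16:41:51.012364 IP host136.181-117-6.telmex.net.ar.11730 > 192.168.1.175.ipsec-nat-t: UDP-encap: ESP(spi=0xc26d27e7,seq=0xe4), length 116
16:41:51.012473 IP 192.168.1.175.63391 > google-public-dns-a.google.com.domain: 6744+ A? b-graph.facebook.com. (38)
16:41:51.034466 IP google-public-dns-a.google.com.domain > 192.168.1.175.63391: 6744 3/0/0 CNAME z-m.facebook.com., CNAME z-m.c10r.facebook.com., A 31.13.73.37 (95)
16:41:51.034506 IP 192.168.1.175.ipsec-nat-t > host136.181-117-6.telmex.net.ar.11730: UDP-encap: ESP(spi=0x0ad9019d,seq=0xf4), length 164
16:41:53.100000 IP host136.181-117-6.telmex.net.ar.11730 > 192.168.1.175.ipsec-nat-t: UDP-encap: ESP(spi=0xc26d27e7,seq=0xe7), length 100
"""


@dataclass
class Pkt:
    ts: datetime
    src: str
    dst: str
    kind: str                  # esp_in, esp_out, clear_out, clear_in, keepalive, other
    spi: Optional[int] = None
    seq: Optional[int] = None


def join_wrapped(text):
    """Re-join records that a mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line.rstrip())
        elif records:
            records[-1] += " " + line.strip()
    return records


def classify(line):
    """One tcpdump record -> Pkt, seen from the gateway's point of view."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    src_h, dst_h = src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0]  # drop port/service
    when = datetime.strptime(ts, "%H:%M:%S.%f")
    esp = ESP_RE.search(rest)
    if esp:
        kind = "esp_in" if dst_h == GATEWAY else "esp_out" if src_h == GATEWAY else "other"
        return Pkt(when, src_h, dst_h, kind, int(esp.group(1), 16), int(esp.group(2), 16))
    if "isakmp-nat-keep-alive" in rest:
        kind = "keepalive"
    elif src_h == GATEWAY:
        kind = "clear_out"   # post-NAT tunnel traffic, or the gateway's own traffic
    elif dst_h == GATEWAY:
        kind = "clear_in"    # reply to be un-NATed and re-encrypted for the client
    else:
        kind = "other"
    return Pkt(when, src_h, dst_h, kind)


def parse(text):
    return [p for p in map(classify, join_wrapped(text)) if p is not None]


def correlate(pkts):
    """Inbound ESP followed by cleartext egress = decrypt+NAT worked; cleartext
    reply followed by outbound ESP = return path worked."""
    stats = dict(esp_in=0, esp_in_forwarded=0, esp_out=0, clear_in=0,
                 clear_in_encrypted=0, unmatched_clear_out=0)
    pending_in = pending_reply = None
    for p in pkts:
        if p.kind == "esp_in":
            stats["esp_in"] += 1
            pending_in = p
        elif p.kind == "clear_out":
            if pending_in and p.ts - pending_in.ts <= PAIR_WINDOW:
                stats["esp_in_forwarded"] += 1
                pending_in = None
            else:
                stats["unmatched_clear_out"] += 1  # not tunnel traffic (e.g. gateway's own lookups)
        elif p.kind == "clear_in":
            stats["clear_in"] += 1
            pending_reply = p
        elif p.kind == "esp_out":
            stats["esp_out"] += 1
            if pending_reply and p.ts - pending_reply.ts <= PAIR_WINDOW:
                stats["clear_in_encrypted"] += 1
                pending_reply = None
    return stats


def seq_gaps(pkts):
    """Per-SPI sequence gaps as (spi, last_seen, seen_now); a gap on the inbound
    SPI means packets were lost before the gateway saw them."""
    last, gaps = {}, []
    for p in pkts:
        if p.spi is None:
            continue
        if p.spi in last and p.seq != last[p.spi] + 1:
            gaps.append((p.spi, last[p.spi], p.seq))
        last[p.spi] = p.seq
    return gaps


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    print(correlate(pkts))
    for spi, prev, now in seq_gaps(pkts):
        print(f"spi 0x{spi:08x}: seq jumped 0x{prev:x} -> 0x{now:x}")
```

Feed it `tcpdump -i any -n` output saved to a file; run without `-n` the hostnames still parse, as the sample shows. If `esp_in_forwarded` keeps pace with `esp_in`, the kernel is decrypting the client's ESP and the NAT is rewriting the source, so the SAs are fine and the gap is on the forward or return path (FORWARD rules, MTU, the reply never reaching the gateway); `ip -s xfrm state` shows the kernel's own per-SA packet and error counters for the same question.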