[strongSwan] Unable to establish VPN tunnel from China (Strongswan IKEv2)

Oliver Söder osoeder at gmx.de
Thu Oct 13 13:01:55 CEST 2016


I set up an IKEv2 server which works fine with clients from Europe.

A connection from China fails, log of an unsuccessful attempt is at the end
of this email.
And please excuse me if the log is too long; it is the first time I have set up
such an environment (one week ago).

Can I do some changes at the configuration to make it work from China to
Germany?

Cheers
Oliver

Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 09[NET] received
packet: from 114.219.152.248[56667] to 172.31.1.100[500]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 09[NET] waiting for
data on sockets
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] checkout
IKE_SA by message
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] created
IKE_SA (unnamed)[50]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[NET] received
packet: from 114.219.152.248[56667] to 172.31.1.100[500] (880 bytes)
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] parsed
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] looking for
an ike config for 172.31.1.100...114.219.152.248
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG]   candidate:
%any...%any, prio 28
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] found
matching ike config: %any...%any with prio 28
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] received MS
NT5 ISAKMPOAKLEY v9 vendor ID
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] received
MS-Negotiation Discovery Capable vendor ID
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] received
Vid-Initial-Contact vendor ID
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] received
unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE]
114.219.152.248 is initiating an IKE_SA
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] IKE_SA
(unnamed)[50] state change: CREATED => CONNECTING
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting
proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG]   no
acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting
proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG]   no
acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting
proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG]   no
acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting
proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG]   proposal
matches
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] received
proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] configured
proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/AES_CBC_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096,
IKE:AES_GCM_16_256/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_12_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selected
proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] local host is
behind NAT, sending keep alives
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] remote host
is behind NAT
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] sending cert
request for "C=DE, O=Eugenia Raff, CN=strongSwan Root CA"
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
N(MULT_AUTH) ]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[NET] sending
packet: from 172.31.1.100[500] to 114.219.152.248[56667] (337 bytes)
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending
packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] checkin
IKE_SA (unnamed)[50]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] check-in of
IKE_SA successful.
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] checkout
IKE_SA
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] IKE_SA
(unnamed)[50] successfully checked out
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[IKE] sending keep
alive to 114.219.152.248[56667]
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] checkin
IKE_SA (unnamed)[50]
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] check-in of
IKE_SA successful.
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending
packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] check-in of
IKE_SA successful.
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending
packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 09[NET] received
packet: from 114.219.152.248[56667] to 172.31.1.100[500]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 09[NET] waiting for
data on sockets
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] checkout
IKE_SA by message
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] created
IKE_SA (unnamed)[51]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[NET] received
packet: from 114.219.152.248[56667] to 172.31.1.100[500] (880 bytes)
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] parsed
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] looking for
an ike config for 172.31.1.100...114.219.152.248
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG]   candidate:
%any...%any, prio 28
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] found
matching ike config: %any...%any with prio 28
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] received MS
NT5 ISAKMPOAKLEY v9 vendor ID
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] received
MS-Negotiation Discovery Capable vendor ID
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] received
Vid-Initial-Contact vendor ID
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] received
unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE]
114.219.152.248 is initiating an IKE_SA
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] IKE_SA
(unnamed)[51] state change: CREATED => CONNECTING
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting
proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG]   no
acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting
proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG]   no
acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting
proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG]   no
acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting
proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG]   proposal
matches
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] received
proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] configured
proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/AES_CBC_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048,
IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096,
IKE:AES_GCM_16_256/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_12_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selected
proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] local host is
behind NAT, sending keep alives
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] remote host
is behind NAT
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] sending cert
request for "C=DE, O=Eugenia Raff, CN=strongSwan Root CA"
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
N(MULT_AUTH) ]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[NET] sending
packet: from 172.31.1.100[500] to 114.219.152.248[56667] (337 bytes)
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending
packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] checkin
IKE_SA (unnamed)[51]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] check-in of
IKE_SA successful.
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkout
IKE_SA
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] IKE_SA
(unnamed)[50] successfully checked out
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[JOB] deleting half
open IKE_SA after timeout
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkin and
destroy IKE_SA (unnamed)[50]
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[JOB] deleting half
open IKE_SA after timeout
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkin and
destroy IKE_SA (unnamed)[50]
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[IKE] IKE_SA
(unnamed)[50] state change: CONNECTING => DESTROYING
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] check-in and
destroy of IKE_SA successful
Oct 10 14:54:31 Ubuntu-1604-xenial-64-minimal charon: 04[MGR] checkout
IKE_SA