[strongSwan] Re: Re: Re: Re: strongSwan 5.7.2: received retransmit of response with ID 0, but next request already sent

ynicle at sina.com ynicle at sina.com
Tue Oct 8 17:33:52 CEST 2019


Hi Noel,
It's really strange. 

My Debian and Ubuntu are behind the same router, but Ubuntu works.
Let me check if port 4500 on Debian has been occupied or not.
The attached log is the charon connection on Ubuntu.
****************************************************
Sep 29 14:44:25 neo-VirtualBox charon: 11[IKE] initiating Main Mode IKE_SA cf12fa82-3ee8-400c-bda6-f6615a07d503[1] to 211.12.77.221
Sep 29 14:44:25 neo-VirtualBox charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Sep 29 14:44:25 neo-VirtualBox charon: 11[NET] sending packet: from 192.168.3.48[500] to 211.12.77.221[500] (212 bytes)
Sep 29 14:44:25 neo-VirtualBox charon: 12[NET] received packet: from 211.12.77.221[500] to 192.168.3.48[500] (208 bytes)
Sep 29 14:44:25 neo-VirtualBox charon: 12[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
Sep 29 14:44:25 neo-VirtualBox charon: 12[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
Sep 29 14:44:25 neo-VirtualBox charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
Sep 29 14:44:25 neo-VirtualBox charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 29 14:44:25 neo-VirtualBox charon: 12[IKE] received FRAGMENTATION vendor ID
Sep 29 14:44:25 neo-VirtualBox charon: 12[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
Sep 29 14:44:25 neo-VirtualBox charon: 12[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
Sep 29 14:44:25 neo-VirtualBox charon: 12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Sep 29 14:44:25 neo-VirtualBox charon: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 29 14:44:25 neo-VirtualBox charon: 12[NET] sending packet: from 192.168.3.48[500] to 211.12.77.221[500] (244 bytes)
Sep 29 14:44:25 neo-VirtualBox charon: 13[NET] received packet: from 211.12.77.221[500] to 192.168.3.48[500] (260 bytes)
Sep 29 14:44:25 neo-VirtualBox charon: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 29 14:44:25 neo-VirtualBox charon: 13[IKE] local host is behind NAT, sending keep alives
Sep 29 14:44:25 neo-VirtualBox charon: 13[IKE] remote host is behind NAT
Sep 29 14:44:25 neo-VirtualBox charon: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Sep 29 14:44:25 neo-VirtualBox charon: 13[NET] sending packet: from 192.168.3.48[4500] to 211.12.77.221[4500] (68 bytes)
Sep 29 14:44:25 neo-VirtualBox charon: 14[NET] received packet: from 211.12.77.221[4500] to 192.168.3.48[4500] (68 bytes)
Sep 29 14:44:25 neo-VirtualBox charon: 14[ENC] parsed ID_PROT response 0 [ ID HASH ]
Sep 29 14:44:25 neo-VirtualBox charon: 14[IKE] IKE_SA cf12fa82-3ee8-400c-bda6-f6615a07d503[1] established between 192.168.3.48[192.168.3.48]...211.12.77.221[10.2.64.181]


Best Regards
Neo

----- Original Message -----
From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
To: ynicle at sina.com, users <users at lists.strongswan.org>
Subject: Re: Re: Re: [strongSwan] strongSwan 5.7.2: received retransmit of response with ID 0, but next request already sent
Date: October 8, 2019, 23:18

Hello Neo,
Looks like port 4500 isn't open on the remote end or something on the network path drops the packets to that port.
>> Sep 29 10:30:40 debian charon: 13[NET] sending packet: from 192.168.3.8[4500] to 211.12.77.221[4500] (68 bytes)
>> Sep 29 10:30:40 debian charon: 14[NET] received packet: from 211.12.77.221[500] to 192.168.3.8[500] (260 bytes)
Kind regards
Noel
On 08.10.19 at 17:17, ynicle at sina.com wrote:
> Hi Noel,
> 
> Thanks for your reply.
> 
> Any possible reason which causes "remote peer doesn't get the reply"?
> 
> I have Ubuntu 19.04 + VirtualBox on the same machine, and it can connect to that VPN server with the same VPN client settings.
> 
> Best regards
> Neo
> 
> 
> 
> 
> ----- Original Message -----
> From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
> To: ynicle at sina.com, users <users at lists.strongswan.org>
> Subject: Re: [strongSwan] strongSwan 5.7.2: received retransmit of response with ID 0, but next request already sent
> Date: September 30, 2019, 17:38
> 
> Hello,
> I'd say the remote peer doesn't get the reply.
> Kind regards
> Noel
> On 30.09.19 at 05:37, ynicle at sina.com wrote:
>> Hi all,
>>
>> I got a problem on my debian 10 PC box when connecting to a windows VPN server.
>>
>> The strongSwan always returns the error: "received retransmit of response with ID 0, but next request already sent".
>>
>> Please refer to the following log. And the most strange thing is the line in red; it seems strongSwan receives the duplicated response from remote port 500.
>>
>> Meanwhile I have another Ubuntu 19.04 with strongSwan 5.7.1, and it works fine while connecting the same VPN server.
>>
>> Any reply will be welcomed.
>>
>>
>> Sep 29 10:30:39 debian charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-6-amd64, x86_64)
>> Sep 29 10:30:39 debian charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> Sep 29 10:30:39 debian charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> Sep 29 10:30:39 debian charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> Sep 29 10:30:39 debian charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> Sep 29 10:30:39 debian charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> Sep 29 10:30:39 debian charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>> Sep 29 10:30:39 debian charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
>> Sep 29 10:30:39 debian charon: 00[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-435fa988-7950-40c4-b115-22344e7352d0.secrets'
>> Sep 29 10:30:39 debian charon: 00[CFG]   loaded IKE secret for %any
>> Sep 29 10:30:39 debian charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
>> Sep 29 10:30:39 debian charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
>> Sep 29 10:30:39 debian charon: 00[JOB] spawning 16 worker threads
>> Sep 29 10:30:39 debian charon: 05[CFG] received stroke: add connection '435fa988-7950-40c4-b115-22344e7352d0'
>> Sep 29 10:30:39 debian charon: 05[CFG] added configuration '435fa988-7950-40c4-b115-22344e7352d0'
>> Sep 29 10:30:40 debian charon: 07[CFG] rereading secrets
>> Sep 29 10:30:40 debian charon: 07[CFG] loading secrets from '/etc/ipsec.secrets'
>> Sep 29 10:30:40 debian charon: 07[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
>> Sep 29 10:30:40 debian charon: 07[CFG] loading secrets from '/etc/ipsec.d/nm-l2tp-ipsec-435fa988-7950-40c4-b115-22344e7352d0.secrets'
>> Sep 29 10:30:40 debian charon: 07[CFG]   loaded IKE secret for %any
>> Sep 29 10:30:40 debian charon: 09[CFG] received stroke: initiate '435fa988-7950-40c4-b115-22344e7352d0'
>> Sep 29 10:30:40 debian charon: 11[IKE] initiating Main Mode IKE_SA 435fa988-7950-40c4-b115-22344e7352d0[1] to 211.12.77.221
>> Sep 29 10:30:40 debian charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
>> Sep 29 10:30:40 debian charon: 11[NET] sending packet: from 192.168.3.8[500] to 211.12.77.221[500] (212 bytes)
>> Sep 29 10:30:40 debian charon: 12[NET] received packet: from 211.12.77.221[500] to 192.168.3.8[500] (208 bytes)
>> Sep 29 10:30:40 debian charon: 12[ENC] parsed ID_PROT response 0 [ SA V V V V V V ]
>> Sep 29 10:30:40 debian charon: 12[IKE] received MS NT5 ISAKMPOAKLEY vendor ID
>> Sep 29 10:30:40 debian charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
>> Sep 29 10:30:40 debian charon: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
>> Sep 29 10:30:40 debian charon: 12[IKE] received FRAGMENTATION vendor ID
>> Sep 29 10:30:40 debian charon: 12[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
>> Sep 29 10:30:40 debian charon: 12[ENC] received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
>> Sep 29 10:30:40 debian charon: 12[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
>> Sep 29 10:30:40 debian charon: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
>> Sep 29 10:30:40 debian charon: 12[NET] sending packet: from 192.168.3.8[500] to 211.12.77.221[500] (244 bytes)
>> Sep 29 10:30:40 debian charon: 13[NET] received packet: from 211.12.77.221[500] to 192.168.3.8[500] (260 bytes)
>> Sep 29 10:30:40 debian charon: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
>> Sep 29 10:30:40 debian charon: 13[IKE] local host is behind NAT, sending keep alives
>> Sep 29 10:30:40 debian charon: 13[IKE] remote host is behind NAT
>> Sep 29 10:30:40 debian charon: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
>> Sep 29 10:30:40 debian charon: 13[NET] sending packet: from 192.168.3.8[4500] to 211.12.77.221[4500] (68 bytes)
>> Sep 29 10:30:40 debian charon: 14[NET] received packet: from 211.12.77.221[500] to 192.168.3.8[500] (260 bytes)
>> Sep 29 10:30:40 debian charon: 14[IKE] received retransmit of response with ID 0, but next request already sent
>> Sep 29 10:30:44 debian charon: 06[IKE] sending retransmit 1 of request message ID 0, seq 3
>> Sep 29 10:30:44 debian charon: 06[NET] sending packet: from 192.168.3.8[4500] to 211.12.77.221[4500] (68 bytes)
>> Sep 29 10:30:44 debian charon: 05[NET] received packet: from 211.12.77.221[500] to 192.168.3.8[500] (260 bytes)
>> Sep 29 10:30:44 debian charon: 05[IKE] received retransmit of response with ID 0, but next request already sent
>> Sep 29 10:30:50 debian NetworkManager[645]: Stopping strongSwan IPsec...
>> Sep 29 10:30:50 debian charon: 00[DMN] signal of type SIGINT received. Shutting down
>> Sep 29 10:30:50 debian charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
>>
>>
>>
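The pattern in the two quoted `[NET]` lines can be checked mechanically. The following is an added example, not part of the original messages: a Python check over charon log lines that reports whether any reply arrives on UDP 4500 after the initiator starts sending to it. The function name `check_port_float` and the summary keys are made up for this illustration; the log lines are excerpted from the Debian and Ubuntu logs in this thread.

```python
import re

# Lines excerpted from the two charon logs quoted in this thread.
DEBIAN_LOG = """\
Sep 29 10:30:40 debian charon: 13[IKE] local host is behind NAT, sending keep alives
Sep 29 10:30:40 debian charon: 13[NET] sending packet: from 192.168.3.8[4500] to 211.12.77.221[4500] (68 bytes)
Sep 29 10:30:40 debian charon: 14[NET] received packet: from 211.12.77.221[500] to 192.168.3.8[500] (260 bytes)
Sep 29 10:30:40 debian charon: 14[IKE] received retransmit of response with ID 0, but next request already sent
Sep 29 10:30:44 debian charon: 06[NET] sending packet: from 192.168.3.8[4500] to 211.12.77.221[4500] (68 bytes)
Sep 29 10:30:44 debian charon: 05[NET] received packet: from 211.12.77.221[500] to 192.168.3.8[500] (260 bytes)
Sep 29 10:30:44 debian charon: 05[IKE] received retransmit of response with ID 0, but next request already sent
"""
UBUNTU_LOG = """\
Sep 29 14:44:25 neo-VirtualBox charon: 13[IKE] local host is behind NAT, sending keep alives
Sep 29 14:44:25 neo-VirtualBox charon: 13[NET] sending packet: from 192.168.3.48[4500] to 211.12.77.221[4500] (68 bytes)
Sep 29 14:44:25 neo-VirtualBox charon: 14[NET] received packet: from 211.12.77.221[4500] to 192.168.3.48[4500] (68 bytes)
"""

# Matches charon's "[NET] sending|received packet: from A[p] to B[q]" lines.
NET = re.compile(r"\[NET\] (sending|received) packet: from (\S+?)\[(\d+)\] to (\S+?)\[(\d+)\]")

def check_port_float(log):
    """After the first send to UDP 4500, count replies that arrive from
    port 4500 versus replies that still arrive from port 500."""
    floated = False
    stats = {"sent_4500": 0, "recv_4500": 0, "recv_500_after_float": 0, "retransmits": 0}
    for line in log.splitlines():
        if "received retransmit of response" in line:
            stats["retransmits"] += 1
        m = NET.search(line)
        if not m:
            continue
        direction, _src, sport, _dst, dport = m.groups()
        if direction == "sending" and dport == "4500":
            floated = True
            stats["sent_4500"] += 1
        elif direction == "received" and floated and sport == "4500":
            stats["recv_4500"] += 1
        elif direction == "received" and floated and sport == "500":
            stats["recv_500_after_float"] += 1
    # Requests leave on 4500 but no reply is ever seen on 4500.
    stats["float_blocked"] = stats["sent_4500"] > 0 and stats["recv_4500"] == 0
    return stats

if __name__ == "__main__":
    print("debian:", check_port_float(DEBIAN_LOG))
    print("ubuntu:", check_port_float(UBUNTU_LOG))
```
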