[strongSwan] Getting reply from the wrong ip?!

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jan 3 19:24:49 CET 2020


Hello Peter,

UDP is a stateless (connectionless) protocol, so the fact that a message from another IP is logged does not mean it's a reply. Check if you still get these requests
even if you don't initiate an IKE_SA.

Kind regards

Noel

Am 02.01.20 um 17:18 schrieb Peter Andersson:
> Hi!
> 
> I'm having trouble getting the strongSwan server to work. I'm trying to connect to a remote VPN server and I get replies from an entirely different server from a different company.
> The log looks like this:
> 
> Jan  2 16:59:21 Server charon: 08[NET] sending packet: from 46.246.XXX.XXX[500] to 62.181.XXX.XXX[500] (1036 bytes)
> Jan  2 16:59:25 Server charon: 09[IKE] retransmit 1 of request with message ID 0
> Jan  2 16:37:43 Server charon: 09[NET] sending packet: from 46.246.XXX.XXX[500] to 62.181.XXX.XXX[500] (1036 bytes)
> Jan  2 16:37:46 Server charon: 10[NET] received packet: from 80.72.XXX.XXX[500] to 46.246.XXX.XXX[500] (284 bytes)
> 
> Our ISP only delivers internet connections, no firewalls, vpn services or something similar.
> And all our firewall does is to allow connections on UDP port 500 from 62.181.XXX.XXX. It has no port forwarding or anything special.
> I'm at a total loss here as we have never had any contact with the company with the 80.72.XXX.XXX address.
> We did have a hardware firewall (Sonicwall) that was working just fine with the same settings.
> 
> I would be extremely grateful if any of you experts could help me find a solution or point me in the right direction.
> 
> Thanks!
> 
> /Peter
> 
> 
> This is my config:
> 
> config setup
>         charondebug="cfg 2"
>         strictcrlpolicy=no
> 
> conn VPN
>         authby=secret
>         left=46.246.XXX.XXX
>         leftsubnet=1.1.1.0/24
>         leftfirewall=yes
>         right=62.181.XXX.XXX
>         rightsubnet=1.1.10.200/32
>         ike=aes128-sha1-modp1024
>         esp=aes128-sha1
>         keyexchange=ike
>         keyingtries=0
>         ikelifetime=12h
>         lifetime=6h
>         dpddelay=30
>         dpdtimeout=120
>         dpdaction=restart
>         auto=start
>         type=tunnel
> 
> ipsec.secrets:
> 46.246.XXX.XXX 62.181.XXX.XXX : PSK 'ABCDEFGH'
> 
> strongswan.conf:
> charon {
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>         }
> }
> include strongswan.d/*.conf
> 
> And the log:
> 
> Jan  2 17:11:07 Server charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 5.3.0-24-generic, x86_64)
> Jan  2 17:11:07 Server charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Jan  2 17:11:07 Server charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Jan  2 17:11:07 Server charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Jan  2 17:11:07 Server charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Jan  2 17:11:07 Server charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Jan  2 17:11:07 Server charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Jan  2 17:11:07 Server charon: 00[CFG]   loaded IKE secret for 46.246.XXX.XXX 62.181.XXX.XXX
> Jan  2 17:11:07 Server charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
> Jan  2 17:11:07 Server charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Jan  2 17:11:07 Server charon: 00[JOB] spawning 16 worker threads
> Jan  2 17:11:07 Server charon: 05[CFG] received stroke: add connection 'VPN'
> Jan  2 17:11:07 Server charon: 05[CFG] conn VPN
> Jan  2 17:11:07 Server charon: 05[CFG]   left=46.246.XXX.XXX
> Jan  2 17:11:07 Server charon: 05[CFG]   leftsubnet=1.1.1.0/24
> Jan  2 17:11:07 Server charon: 05[CFG]   leftauth=psk
> Jan  2 17:11:07 Server charon: 05[CFG]   leftupdown=ipsec _updown iptables
> Jan  2 17:11:07 Server charon: 05[CFG]   right=62.181.XXX.XXX
> Jan  2 17:11:07 Server charon: 05[CFG]   rightsubnet=1.1.10.200/32
> Jan  2 17:11:07 Server charon: 05[CFG]   rightauth=psk
> Jan  2 17:11:07 Server charon: 05[CFG]   ike=aes128-sha1-modp1024
> Jan  2 17:11:07 Server charon: 05[CFG]   esp=aes128-sha1
> Jan  2 17:11:07 Server charon: 05[CFG]   dpddelay=30
> Jan  2 17:11:07 Server charon: 05[CFG]   dpdtimeout=120
> Jan  2 17:11:07 Server charon: 05[CFG]   dpdaction=3
> Jan  2 17:11:07 Server charon: 05[CFG]   sha256_96=no
> Jan  2 17:11:07 Server charon: 05[CFG]   mediation=no
> Jan  2 17:11:07 Server charon: 05[CFG] added configuration 'VPN'
> Jan  2 17:11:07 Server charon: 08[CFG] received stroke: initiate 'VPN'
> Jan  2 17:11:07 Server charon: 08[IKE] initiating IKE_SA VPN[1] to 62.181.XXX.XXX
> Jan  2 17:11:07 Server charon: 08[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048,
> IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
> Jan  2 17:11:07 Server charon: 08[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
> Jan  2 17:11:07 Server charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> Jan  2 17:11:07 Server charon: 08[NET] sending packet: from 46.246.XXX.XXX[500] to 62.181.XXX.XXX[500] (1036 bytes)
> Jan  2 17:11:09 Server charon: 09[NET] received packet: from 80.72.XXX.XXX[500] to 46.246.XXX.XXX[500] (284 bytes)
> Jan  2 17:11:09 Server charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
> Jan  2 17:11:09 Server charon: 09[CFG] looking for an IKEv1 config for 46.246.XXX.XXX...80.72.XXX.XXX
> Jan  2 17:11:09 Server charon: 09[IKE] no IKE config found for 46.246.XXX.XXX...80.72.XXX.XXX, sending NO_PROPOSAL_CHOSEN
> Jan  2 17:11:09 Server charon: 09[ENC] generating INFORMATIONAL_V1 request 2752600603 [ N(NO_PROP) ]
> Jan  2 17:11:09 Server charon: 09[NET] sending packet: from 46.246.XXX.XXX[500] to 80.72.XXX.XXX[500] (40 bytes)
> Jan  2 17:11:11 Server charon: 10[IKE] retransmit 1 of request with message ID 0
> Jan  2 17:11:11 Server charon: 10[NET] sending packet: from 46.246.XXX.XXX[500] to 62.181.XXX.XXX[500] (1036 bytes)
> Jan  2 17:11:18 Server charon: 12[IKE] retransmit 2 of request with message ID 0
> Jan  2 17:11:18 Server charon: 12[NET] sending packet: from 46.246.XXX.XXX[500] to 62.181.XXX.XXX[500] (1036 bytes)
> Jan  2 17:11:21 Server charon: 11[NET] received packet: from 80.72.XXX.XXX[500] to 46.246.XXX.XXX[500] (284 bytes)
> Jan  2 17:11:21 Server charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
> Jan  2 17:11:21 Server charon: 11[CFG] looking for an IKEv1 config for 46.246.XXX.XXX...80.72.XXX.XXX
> Jan  2 17:11:21 Server charon: 11[IKE] no IKE config found for 46.246.XXX.XXX...80.72.XXX.XXX, sending NO_PROPOSAL_CHOSEN
> Jan  2 17:11:21 Server charon: 11[ENC] generating INFORMATIONAL_V1 request 2913320541 [ N(NO_PROP) ]
> Jan  2 17:11:21 Server charon: 11[NET] sending packet: from 46.246.XXX.XXX[500] to 80.72.XXX.XXX[500] (40 bytes)
> Jan  2 17:11:31 Server charon: 13[IKE] retransmit 3 of request with message ID 0
> Jan  2 17:11:31 Server charon: 13[NET] sending packet: from 46.246.XXX.XXX[500] to 62.181.XXX.XXX[500] (1036 bytes)
> Jan  2 17:11:32 Server charon: 00[DMN] signal of type SIGINT received. Shutting down

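As an added illustration of Noel's point (example code written for this page, not part of the thread and not strongSwan code): a small Python triage over charon log lines that counts a "received packet" as a reply only when it comes from the peer configured in the connection, and flags anything else as an independent inbound IKE request. The log lines embedded below are constructed, modelled on the lines Peter quoted (addresses masked as in the post), and the set of configured peers is an assumption taken from his right= setting.

```python
"""Triage strongSwan charon [NET] log lines: which packets are replies from the
configured peer and which are unsolicited inbound IKE requests from other hosts.

Added example for this thread; not code from strongSwan or from the list posters.
SAMPLE_LOG is constructed, modelled on the quoted log (addresses masked as in the post).
"""
import re
from collections import Counter, namedtuple

# Constructed sample input (addresses masked exactly as in the original post).
SAMPLE_LOG = """\
Jan  2 17:11:07 Server charon: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan  2 17:11:07 Server charon: 08[NET] sending packet: from 46.246.XXX.XXX[500] to 62.181.XXX.XXX[500] (1036 bytes)
Jan  2 17:11:09 Server charon: 09[NET] received packet: from 80.72.XXX.XXX[500] to 46.246.XXX.XXX[500] (284 bytes)
Jan  2 17:11:09 Server charon: 09[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Jan  2 17:11:09 Server charon: 09[IKE] no IKE config found for 46.246.XXX.XXX...80.72.XXX.XXX, sending NO_PROPOSAL_CHOSEN
Jan  2 17:11:09 Server charon: 09[ENC] generating INFORMATIONAL_V1 request 2752600603 [ N(NO_PROP) ]
Jan  2 17:11:09 Server charon: 09[NET] sending packet: from 46.246.XXX.XXX[500] to 80.72.XXX.XXX[500] (40 bytes)
Jan  2 17:11:11 Server charon: 10[IKE] retransmit 1 of request with message ID 0
Jan  2 17:11:11 Server charon: 10[NET] sending packet: from 46.246.XXX.XXX[500] to 62.181.XXX.XXX[500] (1036 bytes)
Jan  2 17:11:21 Server charon: 11[NET] received packet: from 80.72.XXX.XXX[500] to 46.246.XXX.XXX[500] (284 bytes)
Jan  2 17:11:21 Server charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
"""

NET_RE = re.compile(
    r"charon: (\d+)\[NET\] (sending|received) packet: from ([\w.]+)\[\d+\] to ([\w.]+)\[\d+\]"
)
ENC_RE = re.compile(r"charon: (\d+)\[ENC\] (parsed|generating) (\S+) (?:request|response) \d+")

# Exchange names charon uses for IKEv1; the other exchanges seen here are IKEv2.
IKEV1_EXCHANGES = {"ID_PROT", "AGGRESSIVE", "QUICK_MODE", "INFORMATIONAL_V1", "TRANSACTION"}

Event = namedtuple("Event", "direction remote exchange verdict")


def ike_version(exchange):
    if exchange is None:
        return None
    return "IKEv1" if exchange in IKEV1_EXCHANGES else "IKEv2"


def find_exchange(lines, i, thread, direction):
    """charon logs '[ENC] generating ...' just before a send and '[ENC] parsed ...'
    just after a receive, on the same worker thread. Retransmits log no ENC line."""
    if direction == "sending":
        candidates, verb = range(i - 1, max(i - 4, -1), -1), "generating"
    else:
        candidates, verb = range(i + 1, min(i + 4, len(lines))), "parsed"
    for j in candidates:
        m = ENC_RE.search(lines[j])
        if m and m.group(1) == thread and m.group(2) == verb:
            return m.group(3)
    return None


def triage(log_text, configured_peers):
    """Classify every [NET] line by whether the remote address is a configured peer."""
    lines = log_text.splitlines()
    events = []
    for i, line in enumerate(lines):
        m = NET_RE.search(line)
        if not m:
            continue
        thread, direction, src, dst = m.groups()
        remote = dst if direction == "sending" else src
        exchange = find_exchange(lines, i, thread, direction)
        if remote in configured_peers:
            verdict = "outbound to configured peer" if direction == "sending" else "inbound from configured peer"
        elif direction == "received":
            # UDP has no connection: a datagram from an address we never sent to is
            # an independent inbound request, not a reply to our IKE_SA_INIT.
            verdict = "unsolicited inbound request"
        else:
            verdict = "outbound notify to non-configured address"
        events.append(Event(direction, remote, exchange, verdict))
    return events


def summarize(events, peer):
    sent = sum(1 for e in events if e.direction == "sending" and e.remote == peer)
    got = sum(1 for e in events if e.direction == "received" and e.remote == peer)
    strangers = Counter(e.remote for e in events if e.verdict == "unsolicited inbound request")
    return {
        "sent_to_peer": sent,
        "received_from_peer": got,
        "peer_silent": sent > 0 and got == 0,
        "unsolicited_sources": dict(strangers),
    }


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG, {"62.181.XXX.XXX"})  # peer taken from right= (assumption)
    for e in evs:
        print(f"{e.direction:8} {e.remote:16} {str(e.exchange):18} {str(ike_version(e.exchange)):5} {e.verdict}")
    print(summarize(evs, "62.181.XXX.XXX"))
```

On the constructed lines the inbound packets from 80.72.XXX.XXX are IKEv1 ID_PROT (main mode) requests, while the outbound packets are IKEv2 IKE_SA_INIT, so they cannot be answers to each other; the summary also shows two sends to the configured peer and zero packets back from it, which is the retransmit problem to chase separately. To run it on a real box, pipe the charon lines from syslog or the journal into `triage()` with the right= address (where the logs land depends on the distribution's logger setup); if the unsolicited sources keep appearing while the connection is not initiated, that confirms Noel's description of them as independent traffic.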