Testing connection with strongswan server and android using the strongswan android app and RSA certificates
It connects successfully, but then I see that sent packets (from Android to VPN) look okay but received packets are 0 bytes/0 packets, and of course trying to do anything on the Android just stalls and freezes and ultimately behaves as if I'm not connected to the internet. I have googled "NAT mappings of ESP CHILD" but most of my hits seemed to reference pre-5.0 bugs and setting nat_traversal=yes in the ipsec.conf, which appears to be deprecated now. Here's the relevant syslog output from the strongswan vpn server:

Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any
Sep 15 22:39:36 vpn charon: 09[CFG] reassigning offline lease to 'C=CH, O=strongSwan, CN=moi'
Sep 15 22:39:36 vpn charon: 09[IKE] assigning virtual IP <client virtual ip> to peer 'C=CH, O=strongSwan, CN=moi'
Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any6
Sep 15 22:39:36 vpn charon: 09[IKE] no virtual IP found for %any6 requested by 'C=CH, O=strongSwan, CN=moi'
Sep 15 22:39:36 vpn charon: 09[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Sep 15 22:39:36 vpn charon: 09[CFG] proposing traffic selectors for us:
Sep 15 22:39:36 vpn charon: 09[CFG]  0.0.0.0/0
Sep 15 22:39:36 vpn charon: 09[CFG] proposing traffic selectors for other:
Sep 15 22:39:36 vpn charon: 09[CFG]  <client virtual ip>/32
Sep 15 22:39:36 vpn charon: 09[CFG] candidate "roadwarrior" with prio 10+2
Sep 15 22:39:36 vpn charon: 09[CFG] found matching child config "roadwarrior" with prio 12
Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable INTEGRITY_ALGORITHM found
Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
Sep 15 22:39:36 vpn charon: 09[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
Sep 15 22:39:36 vpn charon: 09[CFG]   proposal matches
Sep 15 22:39:36 vpn charon: 09[CFG] received proposals: ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[CFG] selecting traffic selectors for us:
Sep 15 22:39:36 vpn charon: 09[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Sep 15 22:39:36 vpn charon: 09[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
Sep 15 22:39:36 vpn charon: 09[CFG] selecting traffic selectors for other:
Sep 15 22:39:36 vpn charon: 09[CFG]  config: <client virtual ip>/32, received: 0.0.0.0/0 => match: <client virtual ip>/32
Sep 15 22:39:36 vpn charon: 09[CFG]  config: <client virtual ip>/32, received: ::/0 => no match
Sep 15 22:39:36 vpn charon: 09[IKE] CHILD_SA roadwarrior{3} established with SPIs ca14eb50_i 01095b0e_o and TS 0.0.0.0/0 === <client virtual ip>/32
Sep 15 22:39:36 vpn charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Sep 15 22:39:36 vpn charon: 09[NET] sending packet: from <vpn's ip addr>[4500] to <client ip addr>[33534] (1820 bytes)
Sep 15 22:39:36 vpn charon: 03[NET] sending packet: from <vpn's ip addr>[4500] to <client ip addr>[33534]
Sep 15 22:51:12 vpn charon: 13[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 22:56:26 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 23:00:50 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 23:01:20 vpn charon: 02[NET] received packet: from <client ip addr>[48986] to <vpn's ip addr>[4500]
Sep 15 23:01:20 vpn charon: 02[NET] waiting for data on sockets
Sep 15 23:01:20 vpn charon: 08[NET] received packet: from <client ip addr>[48986] to <vpn's ip addr>[4500] (76 bytes)
Sep 15 23:01:20 vpn charon: 02[NET] waiting for data on sockets
Sep 15 23:01:20 vpn charon: 08[NET] received packet: from <client ip addr>[48986] to <vpn's ip addr>[4500] (76 bytes)
Sep 15 23:01:20 vpn charon: 08[ENC] parsed INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
Sep 15 23:01:20 vpn charon: 08[ENC] generating INFORMATIONAL response 2 [ ]
Sep 15 23:01:20 vpn charon: 08[NET] sending packet: from <vpn's ip addr>[4500] to <client ip addr>[48986] (76 bytes)
Sep 15 23:01:20 vpn charon: 03[NET] sending packet: from <vpn's ip addr>[4500] to <client ip addr>[48986]
Sep 15 23:10:21 vpn charon: 10[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 23:13:23 vpn charon: 09[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job

------------------------

ALSO, when I reran this scenario (I checked out the nat_traversal anyway, although it failed to load, it's that deprecated), I noticed this in the connection negotiation:

Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for unknown ca with keyid 36:12:c2:39:c5:22:b9:1e:20:d4:8e:08:3c:be:69:e1:1d:a8:27:e5
Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for unknown ca with keyid 30:a4:e6:4f:de:76:8a:fc:ed:5a:90:84:28:30:46:79:2c:29:15:70
...
Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Sep 16 00:07:24 vpn charon: 07[IKE] received 135 cert requests for an unknown ca
Sep 16 00:07:24 vpn charon: 07[IKE] received end entity cert "C=CH, O=strongSwan, CN=moi"
Sep 16 00:07:24 vpn charon: 07[CFG] looking for peer configs matching <vpn's ip addr>[%any]...<client ip addr>[C=CH, O=strongSwan, CN=moi]
Sep 16 00:07:24 vpn charon: 07[CFG] candidate "roadwarrior", match: 1/1/1048 (me/other/ike)

What would all those cert requests re unknown CAs be about? I included a couple of examples (didn't think anyone wanted to see the full list).

-----------------------

Current ipsec.conf:

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ike
    leftcert=vpnHostCert.pem
    leftid="C=CH, O=strongSwan, CN=vpn.example.com"

conn roadwarrior
    left=<vpn's ip addr>
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=pubkey
    rightsourceip=<client virtual ip>/24
    auto=add

current ipsec.secrets:

# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
# doc: wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
# tell the bloody strongswan install where the bloody private key is
: RSA vpnHostKey.pem

version:

root@vpn:/etc/ipsec.d# ipsec version
Linux strongSwan U5.1.2/K3.13.0-35-generic
root@vpn:/etc/ipsec.d# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty

Android is a Nexus 4 with stock 4.3 on it. strongSwan app installed from the Play Store yesterday.
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
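As an added example that is not part of the original post or of strongSwan: a small Python script that folds charon syslog lines in the format quoted above into a summary (the selected ESP proposal, CHILD_SA SPIs and traffic selectors, how often the NAT mapping of each SPI changed, bytes sent and received, and the peer UDP endpoints seen in order), so a flapping NAT binding or a one-directional byte count stands out when triaging a report like this one. The sample log is constructed; its addresses are documentation ranges standing in for the post's placeholders.

```python
import re
from collections import Counter

# Constructed sample (not the poster's full log) in the charon syslog format quoted
# above; 192.0.2.1 is the VPN server and 198.51.100.7 the NATed client.
SAMPLE_LOG = """\
Sep 15 22:39:36 vpn charon: 09[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Sep 15 22:39:36 vpn charon: 09[IKE] CHILD_SA roadwarrior{3} established with SPIs ca14eb50_i 01095b0e_o and TS 0.0.0.0/0 === 10.0.0.2/32
Sep 15 22:39:36 vpn charon: 09[NET] sending packet: from 192.0.2.1[4500] to 198.51.100.7[33534] (1820 bytes)
Sep 15 22:51:12 vpn charon: 13[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 22:56:26 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
Sep 15 23:01:20 vpn charon: 08[NET] received packet: from 198.51.100.7[48986] to 192.0.2.1[4500] (76 bytes)
Sep 15 23:10:21 vpn charon: 10[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
"""

# "Sep 15 22:39:36 vpn charon: 09[CFG] <message>"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ charon: \d+\[(?P<grp>\w+)\] (?P<msg>.*)$")
CHILD_RE = re.compile(r"CHILD_SA (?P<name>\S+?)\{(?P<reqid>\d+)\} established with SPIs "
                      r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.+)$")
NAT_RE = re.compile(r"NAT mappings of ESP CHILD_SA with SPI (?P<spi>[0-9a-f]+) and reqid \{\d+\} changed")
PKT_RE = re.compile(r"(?P<dir>sending|received) packet: from (?P<src>\S+) to (?P<dst>\S+) \((?P<n>\d+) bytes\)")

def summarize(log_text):
    """Fold charon lines into proposal, CHILD_SAs, NAT-update counts, byte totals, peer endpoints."""
    s = {"proposal": None, "child_sas": {}, "nat_updates": Counter(),
         "bytes": Counter(), "peer_endpoints": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a charon line (or a wrapped fragment)
        msg = m.group("msg")
        child, nat, pkt = CHILD_RE.search(msg), NAT_RE.search(msg), PKT_RE.search(msg)
        if msg.startswith("selected proposal: "):
            s["proposal"] = msg.split(": ", 1)[1]
        elif child:
            s["child_sas"][child.group("spi_in")] = dict(name=child.group("name"), reqid=int(child.group("reqid")), spi_out=child.group("spi_out"), ts=child.group("ts"))
        elif nat:
            s["nat_updates"][nat.group("spi")] += 1
        elif pkt:
            s["bytes"][pkt.group("dir")] += int(pkt.group("n"))
            peer = pkt.group("dst") if pkt.group("dir") == "sending" else pkt.group("src")
            if peer not in s["peer_endpoints"]:
                s["peer_endpoints"].append(peer)   # order kept: shows the NAT port drifting
    return s

def unstable_nat_sas(summary, threshold=2):
    """Inbound SPIs whose NAT mapping changed more than `threshold` times (flapping binding)."""
    return sorted(spi for spi, n in summary["nat_updates"].items() if n > threshold)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary["proposal"], summary["child_sas"], dict(summary["nat_updates"]), sep="\n")
    print("bytes:", dict(summary["bytes"]), "peer endpoints:", summary["peer_endpoints"])
    print("flapping NAT SAs:", unstable_nat_sas(summary))
```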