If I am using the strongswan app on android to make the connection, how is it a "broken vpn API on the client side"?
Also, contents of my vpn.example.com /etc/sysctl.conf file:

# VPN (strongswan)
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

However, vpn.example.com is not also our NAT gateway, is that the difference (both servers are on the same network)?

On Tue, Sep 16, 2014 at 9:33 AM, Noel Kuntze <n...@familie-kuntze.de> wrote:
> Hello Cindy,
>
> By default, the strongSwan app also asks for the certificate chains of public CAs.
> Also, your problem is not the NAT mapping, but potentially a broken vpn API on the client side.
> If you want to access hosts other than your VPN server, see [1] for information on how to make that possible.
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 16.09.2014 at 17:17, Cindy Moore wrote:
>> Testing connection with strongswan server and android using the strongswan android app and RSA certificates
>>
>> It connects successfully, but then I see that sent packages (from android to vpn) look okay but received packets is 0 bytes/0 packets and of course trying to do anything on the Android just stalls and freezes and ultimately behaves as if I'm not connected to the internet.
>>
>> I have googled up "NAT mappings of ESP CHILD" but most of my hits seemed to reference pre 5.0 bugs and setting nat_traversal=yes in the ipsec.conf which appears to be deprecated now.
>>
>> Here's the relevant syslog output from the strongswan vpn server:
>>
>> Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any
>> Sep 15 22:39:36 vpn charon: 09[CFG] reassigning offline lease to 'C=CH, O=strongSwan, CN=moi'
>> Sep 15 22:39:36 vpn charon: 09[IKE] assigning virtual IP <client virtual ip> to peer 'C=CH, O=strongSwan, CN=moi'
>> Sep 15 22:39:36 vpn charon: 09[IKE] peer requested virtual IP %any6
>> Sep 15 22:39:36 vpn charon: 09[IKE] no virtual IP found for %any6 requested by 'C=CH, O=strongSwan, CN=moi'
>> Sep 15 22:39:36 vpn charon: 09[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
>> Sep 15 22:39:36 vpn charon: 09[CFG] proposing traffic selectors for us:
>> Sep 15 22:39:36 vpn charon: 09[CFG] 0.0.0.0/0
>> Sep 15 22:39:36 vpn charon: 09[CFG] proposing traffic selectors for other:
>> Sep 15 22:39:36 vpn charon: 09[CFG] <client virtual ip>/32
>> Sep 15 22:39:36 vpn charon: 09[CFG] candidate "roadwarrior" with prio 10+2
>> Sep 15 22:39:36 vpn charon: 09[CFG] found matching child config "roadwarrior" with prio 12
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
>> Sep 15 22:39:36 vpn charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
>> Sep 15 22:39:36 vpn charon: 09[CFG] no acceptable INTEGRITY_ALGORITHM found
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
>> Sep 15 22:39:36 vpn charon: 09[CFG] no acceptable ENCRYPTION_ALGORITHM found
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting proposal:
>> Sep 15 22:39:36 vpn charon: 09[CFG] proposal matches
>> Sep 15 22:39:36 vpn charon: 09[CFG] received proposals: ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
>> Sep 15 22:39:36 vpn charon: 09[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
>> Sep 15 22:39:36 vpn charon: 09[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting traffic selectors for us:
>> Sep 15 22:39:36 vpn charon: 09[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
>> Sep 15 22:39:36 vpn charon: 09[CFG] config: 0.0.0.0/0, received: ::/0 => no match
>> Sep 15 22:39:36 vpn charon: 09[CFG] selecting traffic selectors for other:
>> Sep 15 22:39:36 vpn charon: 09[CFG] config: <client virtual ip>/32, received: 0.0.0.0/0 => match: <client virtual ip>/32
>> Sep 15 22:39:36 vpn charon: 09[CFG] config: <client virtual ip>/32, received: ::/0 => no match
>> Sep 15 22:39:36 vpn charon: 09[IKE] CHILD_SA roadwarrior{3} established with SPIs ca14eb50_i 01095b0e_o and TS 0.0.0.0/0 === <client virtual ip>/32
>> Sep 15 22:39:36 vpn charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
>> Sep 15 22:39:36 vpn charon: 09[NET] sending packet: from <vpn's ip addr>[4500] to <client ip addr>[33534] (1820 bytes)
>> Sep 15 22:39:36 vpn charon: 03[NET] sending packet: from <vpn's ip addr>[4500] to <client ip addr>[33534]
>> Sep 15 22:51:12 vpn charon: 13[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
>> Sep 15 22:56:26 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
>> Sep 15 23:00:50 vpn charon: 06[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
>> Sep 15 23:01:20 vpn charon: 02[NET] received packet: from <client ip addr>[48986] to <vpn's ip addr>[4500]
>> Sep 15 23:01:20 vpn charon: 02[NET] waiting for data on sockets
>> Sep 15 23:01:20 vpn charon: 08[NET] received packet: from <client ip addr>[48986] to <vpn's ip addr>[4500] (76 bytes)
>> Sep 15 23:01:20 vpn charon: 02[NET] waiting for data on sockets
>> Sep 15 23:01:20 vpn charon: 08[NET] received packet: from <client ip addr>[48986] to <vpn's ip addr>[4500] (76 bytes)
>> Sep 15 23:01:20 vpn charon: 08[ENC] parsed INFORMATIONAL request 2 [ N(NO_ADD_ADDR) ]
>> Sep 15 23:01:20 vpn charon: 08[ENC] generating INFORMATIONAL response 2 [ ]
>> Sep 15 23:01:20 vpn charon: 08[NET] sending packet: from <vpn's ip addr>[4500] to <client ip addr>[48986] (76 bytes)
>> Sep 15 23:01:20 vpn charon: 03[NET] sending packet: from <vpn's ip addr>[4500] to <client ip addr>[48986]
>> Sep 15 23:10:21 vpn charon: 10[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
>> Sep 15 23:13:23 vpn charon: 09[KNL] NAT mappings of ESP CHILD_SA with SPI ca14eb50 and reqid {3} changed, queuing update job
>>
>> ------------------------
>> ALSO, when I reran this scenario (I checked out the nat_traversal anyway, although it failed to load, it's that deprecated), I noticed this in the connection negotiation:
>>
>> Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for unknown ca with keyid 36:12:c2:39:c5:22:b9:1e:20:d4:8e:08:3c:be:69:e1:1d:a8:27:e5
>> Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for unknown ca with keyid 30:a4:e6:4f:de:76:8a:fc:ed:5a:90:84:28:30:46:79:2c:29:15:70
>> ...
>> Sep 16 00:07:24 vpn charon: 07[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan Root CA"
>> Sep 16 00:07:24 vpn charon: 07[IKE] received 135 cert requests for an unknown ca
>> Sep 16 00:07:24 vpn charon: 07[IKE] received end entity cert "C=CH, O=strongSwan, CN=moi"
>> Sep 16 00:07:24 vpn charon: 07[CFG] looking for peer configs matching <vpn's ip addr>[%any]...<client ip addr>[C=CH, O=strongSwan, CN=moi]
>> Sep 16 00:07:24 vpn charon: 07[CFG] candidate "roadwarrior", match: 1/1/1048 (me/other/ike)
>>
>> What would all those cert requests re unknown ca's be about? I included a couple examples (didn't think anyone wanted to see the full list).
>> -----------------------
>>
>> Current ipsec.conf:
>>
>> config setup
>>     charondebug="cfg 2, dmn 2, ike 2, net 2"
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ike
>>     leftcert=vpnHostCert.pem
>>     leftid="C=CH, O=strongSwan, CN=vpn.example.com"
>>
>> conn roadwarrior
>>     left=<vpn's ip addr>
>>     leftsubnet=0.0.0.0/0
>>     right=%any
>>     rightid=%any
>>     rightauth=pubkey
>>     rightsourceip=<client virtual ip>/24
>>     auto=add
>>
>>
>> current ipsec.secrets:
>>
>> # This file holds shared secrets or RSA private keys for authentication.
>>
>> # RSA private key for this host, authenticating it to any other host
>> # which knows the public part. Suitable public keys, for ipsec.conf, DNS,
>> # or configuration of other implementations, can be extracted conveniently
>> # with "ipsec showhostkey".
>>
>> # doc: wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets
>>
>> # tell the bloody strongswan install where the bloody private key is
>> : RSA vpnHostKey.pem
>>
>>
>> version:
>>
>> root@vpn:/etc/ipsec.d# ipsec version
>> Linux strongSwan U5.1.2/K3.13.0-35-generic
>>
>> root@vpn:/etc/ipsec.d# lsb_release -a
>> No LSB modules are available.
>> Distributor ID: Ubuntu
>> Description: Ubuntu 14.04.1 LTS
>> Release: 14.04
>> Codename: trusty
>>
>> Android is a Nexus 4 with stock 4.3 on it. Strongswan app installed from Playstore yesterday.
>> _______________________________________________
>> Users mailing list
>> Users@lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
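The forwarding prerequisites behind the wiki link in Noel's reply, as an added diagnostic that is not part of this thread or of strongSwan: it assumes that replies to a roadwarrior's virtual IP get back through the VPN host either because the host NATs the pool on egress (an iptables POSTROUTING MASQUERADE/SNAT rule) or because the LAN gateway has a route for the pool pointing at the VPN host, and it uses a hypothetical pool 10.10.10.0/24 and placeholder addresses. Command output is passed in as text so the same checks run against saved output from the two machines.

```shell
# Added diagnostic (not from this thread or from strongSwan): checks whether
# replies to a roadwarrior's virtual IP can get back through the VPN host.
# Command output is passed in as text so the checks also run on saved output.

# $1: output of `sysctl -n net.ipv4.ip_forward` on the VPN host
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# $1: virtual IP pool (rightsourceip), $2: output of `iptables-save -t nat`
# True when the VPN host rewrites pool sources to its own address on egress.
pool_is_natted() {
    printf '%s\n' "$2" \
        | grep -E '^-A POSTROUTING .* -j (MASQUERADE|SNAT)' \
        | grep -qF -- "-s $1 "
}

# $1: pool, $2: VPN host LAN address, $3: output of `ip route` on the LAN gateway
# True when the gateway already sends pool traffic back via the VPN host.
gateway_routes_pool() {
    printf '%s\n' "$3" | grep -qF -- "$1 via $2"
}

# Prints "ok" or "missing:" followed by each unmet prerequisite.
# $1: pool  $2: VPN host LAN IP  $3: sysctl output  $4: nat table  $5: gateway routes
diagnose() {
    missing=""
    ip_forward_enabled "$3" || missing="$missing ip_forward"
    # Without NAT on the VPN host, the gateway must route the pool back to it.
    if ! pool_is_natted "$1" "$4" && ! gateway_routes_pool "$1" "$2" "$5"; then
        missing="$missing return-path"
    fi
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Constructed sample input with placeholder addresses (not from the thread).
NAT_EMPTY='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
NAT_MASQ='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT'
GW_ROUTES='default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.1'

diagnose 10.10.10.0/24 192.0.2.5 1 "$NAT_EMPTY" "$GW_ROUTES"   # missing: return-path
diagnose 10.10.10.0/24 192.0.2.5 1 "$NAT_MASQ"  "$GW_ROUTES"   # ok
```

On the VPN host the first three inputs come from `sysctl -n net.ipv4.ip_forward` and `iptables-save -t nat`; the gateway routes come from `ip route` on the LAN gateway, which in the setup described above is a different machine from vpn.example.com.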