I set up an IKEv2 server which works fine with clients from Europe. A connection from China fails; the log of an unsuccessful attempt is at the end of this email. Please excuse me if the log is too long; it is the first time I have set up such an environment (one week ago).
Can I make some changes to the configuration to make it work from China to Germany?

Cheers
Oliver

Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 09[NET] received packet: from 114.219.152.248[56667] to 172.31.1.100[500]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 09[NET] waiting for data on sockets
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] checkout IKE_SA by message
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] created IKE_SA (unnamed)[50]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[NET] received packet: from 114.219.152.248[56667] to 172.31.1.100[500] (880 bytes)
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] looking for an ike config for 172.31.1.100...114.219.152.248
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] candidate: %any...%any, prio 28
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] found matching ike config: %any...%any with prio 28
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] received MS-Negotiation Discovery Capable vendor ID
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] received Vid-Initial-Contact vendor ID
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] 114.219.152.248 is initiating an IKE_SA
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] IKE_SA (unnamed)[50] state change: CREATED => CONNECTING
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selecting proposal:
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] proposal matches
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/AES_CBC_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_GCM_16_256/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_12_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] local host is behind NAT, sending keep alives
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] remote host is behind NAT
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] sending cert request for "C=DE, O=Eugenia Raff, CN=strongSwan Root CA"
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667] (337 bytes)
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] checkin IKE_SA (unnamed)[50]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] check-in of IKE_SA successful.
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] checkout IKE_SA
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] IKE_SA (unnamed)[50] successfully checked out
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[IKE] sending keep alive to 114.219.152.248[56667]
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] checkin IKE_SA (unnamed)[50]
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] check-in of IKE_SA successful.
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 05[MGR] check-in of IKE_SA successful.
Oct 10 14:54:11 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 09[NET] received packet: from 114.219.152.248[56667] to 172.31.1.100[500]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 09[NET] waiting for data on sockets
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] checkout IKE_SA by message
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] created IKE_SA (unnamed)[51]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[NET] received packet: from 114.219.152.248[56667] to 172.31.1.100[500] (880 bytes)
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] looking for an ike config for 172.31.1.100...114.219.152.248
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] candidate: %any...%any, prio 28
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] found matching ike config: %any...%any with prio 28
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] received MS-Negotiation Discovery Capable vendor ID
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] received Vid-Initial-Contact vendor ID
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] 114.219.152.248 is initiating an IKE_SA
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] IKE_SA (unnamed)[51] state change: CREATED => CONNECTING
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selecting proposal:
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] proposal matches
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_192/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/AES_CBC_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_GCM_16_256/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_12_128/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_4096/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] local host is behind NAT, sending keep alives
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] remote host is behind NAT
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[IKE] sending cert request for "C=DE, O=Eugenia Raff, CN=strongSwan Root CA"
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667] (337 bytes)
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] checkin IKE_SA (unnamed)[51]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] check-in of IKE_SA successful.
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkout IKE_SA
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] IKE_SA (unnamed)[50] successfully checked out
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[JOB] deleting half open IKE_SA after timeout
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkin and destroy IKE_SA (unnamed)[50]
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[JOB] deleting half open IKE_SA after timeout
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkin and destroy IKE_SA (unnamed)[50]
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[IKE] IKE_SA (unnamed)[50] state change: CONNECTING => DESTROYING
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] check-in and destroy of IKE_SA successful
Oct 10 14:54:31 Ubuntu-1604-xenial-64-minimal charon: 04[MGR] checkout IKE_SA
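
The handshake state in a charon log like the one above can be summarised per IKE_SA: which exchanges were parsed or generated, and whether the SA was deleted as half open. The script below is an added example, not part of the original post or of strongSwan; it assumes the MGR checkout/checkin lines are logged as in this post, and its sample input is a constructed subset of the post's entries.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the entries in the post's log, one per line.
SAMPLE = """\
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] created IKE_SA (unnamed)[50]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[MGR] checkin IKE_SA (unnamed)[50]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] created IKE_SA (unnamed)[51]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] checkin IKE_SA (unnamed)[51]
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] IKE_SA (unnamed)[50] successfully checked out
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[JOB] deleting half open IKE_SA after timeout
Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkin and destroy IKE_SA (unnamed)[50]
"""

LINE = re.compile(r"charon: (\d+)\[(\w+)\] (.*)$")
SA_ID = re.compile(r"IKE_SA \S+\[(\d+)\]")
EXCHANGE = re.compile(r"(parsed|generating) (\S+) (request|response) \d+")

def summarize(log_text):
    """Group exchanges by IKE_SA, using the MGR checkout/checkin lines to map threads to SAs."""
    owner = {}  # worker thread id -> IKE_SA id it currently holds
    sas = defaultdict(lambda: {"messages": [], "half_open_timeout": False})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, group, msg = m.groups()
        if group == "MGR":
            sa = SA_ID.search(msg)
            if sa and ("created" in msg or "successfully checked out" in msg):
                owner[thread] = sa.group(1)
            elif msg.startswith("checkin"):
                owner.pop(thread, None)
            continue
        sa_id, ex = owner.get(thread), EXCHANGE.match(msg)
        if sa_id and ex:
            sas[sa_id]["messages"].append(ex.groups())
        elif sa_id and "deleting half open IKE_SA" in msg:
            sas[sa_id]["half_open_timeout"] = True
    return dict(sas)

def stalled_after_init(summary):
    """IKE_SA ids that sent an IKE_SA_INIT response but never parsed an IKE_AUTH request."""
    sent, auth = ("generating", "IKE_SA_INIT", "response"), ("parsed", "IKE_AUTH", "request")
    return sorted(i for i, s in summary.items() if sent in s["messages"] and auth not in s["messages"])
```

On the sample, stalled_after_init(summarize(SAMPLE)) lists IKE_SAs 50 and 51, and only 50 is marked as deleted after the half-open timeout.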