Re: [strongSwan] Unable to establish VPN tunnel from China (Strongswan IKEv2)

2016-10-13 Thread Noel Kuntze
On 13.10.2016 13:01, Oliver Söder wrote:
> Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667] (337 bytes)
> Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 10[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667]
> Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] checkin IKE_SA (unnamed)[51]
> Oct 10 14:54:16 Ubuntu-1604-xenial-64-minimal charon: 01[MGR] check-in of IKE_SA successful.
> Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkout IKE_SA
> Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] IKE_SA (unnamed)[50] successfully checked out
> Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[JOB] deleting half open IKE_SA after timeout
> Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkin and destroy IKE_SA (unnamed)[50]
> Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[JOB] deleting half open IKE_SA after timeout
> Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] checkin and destroy IKE_SA (unnamed)[50]
> Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[IKE] IKE_SA (unnamed)[50] state change: CONNECTING => DESTROYING
> Oct 10 14:54:21 Ubuntu-1604-xenial-64-minimal charon: 11[MGR] check-in and destroy of IKE_SA successful
> Oct 10 14:54:31 Ubuntu-1604-xenial-64-minimal charon: 04[MGR] checkout IKE_SA

The initiator does not send any packet back. Looks like the GFW drops the 
packets. You cannot work around this.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658




___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
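Noel's diagnosis rests on one observation in the log: this host keeps sending to the peer and nothing comes back. The following is an added example, not part of the thread and not strongSwan code, that applies that reading to charon [NET] lines mechanically. For each peer it counts the packets this host has sent since the peer's last packet and the largest of them, so a peer that goes silent after the first reply stands out, and the size of the largest unanswered datagram is a first hint whether only large packets are lost (a path MTU problem) or everything is. The log lines are constructed for the example, with the peer address from the thread and a made-up second peer (203.0.113.7) that completes its exchange.

```python
"""Spot IKE peers that stopped answering, from charon [NET] log lines."""
import re
from collections import defaultdict

# Constructed charon log excerpt (not the original poster's full log).
# Peer 114.219.152.248 sends one packet, gets a reply, then goes silent
# while we retransmit; peer 203.0.113.7 (made up) completes the exchange.
SAMPLE_LOG = """\
Oct 10 14:53:51 gw charon: 14[NET] received packet: from 114.219.152.248[56667] to 172.31.1.100[500] (604 bytes)
Oct 10 14:53:51 gw charon: 14[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667] (337 bytes)
Oct 10 14:54:16 gw charon: 01[NET] sending packet: from 172.31.1.100[500] to 114.219.152.248[56667] (337 bytes)
Oct 10 14:54:21 gw charon: 11[JOB] deleting half open IKE_SA after timeout
Oct 10 14:55:00 gw charon: 05[NET] received packet: from 203.0.113.7[4500] to 172.31.1.100[4500] (800 bytes)
Oct 10 14:55:00 gw charon: 05[NET] sending packet: from 172.31.1.100[4500] to 203.0.113.7[4500] (1492 bytes)
Oct 10 14:55:01 gw charon: 05[NET] received packet: from 203.0.113.7[4500] to 172.31.1.100[4500] (1200 bytes)
"""

# charon's [NET] send/receive line; the "(N bytes)" suffix is optional
# because some syslog setups wrap or truncate it, as in the thread.
NET_RE = re.compile(
    r"\[NET\] (?P<dir>sending|received) packet: "
    r"from (?P<src>[^\s\[]+)\[\d+\] to (?P<dst>[^\s\[]+)\[\d+\]"
    r"(?: \((?P<size>\d+) bytes\))?"
)


def peer_stats(log_text):
    """Per peer: packets we sent since its last packet, and the largest of those."""
    stats = defaultdict(lambda: {"unanswered": 0, "max_bytes": 0})
    for line in log_text.splitlines():
        m = NET_RE.search(line)
        if not m:
            continue
        size = int(m.group("size") or 0)
        if m.group("dir") == "received":
            # anything the peer sends clears the outstanding count
            s = stats[m.group("src")]
            s["unanswered"] = 0
            s["max_bytes"] = 0
        else:
            s = stats[m.group("dst")]
            s["unanswered"] += 1
            s["max_bytes"] = max(s["max_bytes"], size)
    return dict(stats)


def silent_peers(log_text, min_unanswered=2):
    """Peers for which at least one retransmission also went unanswered."""
    return sorted(p for p, s in peer_stats(log_text).items()
                  if s["unanswered"] >= min_unanswered)


if __name__ == "__main__":
    for peer, s in peer_stats(SAMPLE_LOG).items():
        print(peer, s)
    print("silent:", silent_peers(SAMPLE_LOG))
```

The check is deliberately keyed on the peer address rather than on the IKE_SA number, because the `[JOB] deleting half open IKE_SA` line carries no address and the `[NET]` lines carry no SA number; run it over the whole charon log rather than a single connection attempt so that peers that answer at all are visible alongside the ones that do not.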

Re: [strongSwan] Unable to establish VPN tunnel from China (Strongswan IKEv2)

2016-10-13 Thread Tianjie Mao
Hi,

From my personal experience it looks like the other party did not send back a 
certificate as requested by this host, or the packet got lost on the network. 
IKE packets can be as large as 3,000 bytes, and China's Internet is known to 
have Path MTU "black holes" [1].

Please try ECDSA certificates (instead of the usual RSA) in addition to ECDH 
cipher suites to reduce datagram size if this is an option for you.

Cheers,
Tianjie Mao

1) https://en.wikipedia.org/wiki/Path_MTU_Discovery#Problems

> On 13 Oct 2016, at 19:01, Oliver Söder wrote:
> 
> Oct 10 14:53:51 Ubuntu-1604-xenial-64-minimal charon: 14[IKE] sending cert request for "C=DE, O=Eugenia Raff, CN=strongSwan Root CA"
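As an added illustration of the suggestion above (not the original poster's configuration and not taken from the strongSwan documentation), this is what the responder side of an ipsec.conf connection looks like when the certificate and the DH group are both switched to elliptic curves to shrink the IKE_AUTH datagram. The connection name, certificate file name and identity are placeholders; the CA certificate is assumed to be installed under /etc/ipsec.d/cacerts as usual.

```conf
# ipsec.conf (responder side) -- illustrative fragment, names are placeholders
config setup
        charondebug="ike 2, net 2"

conn roadwarrior-ecdsa
        keyexchange=ikev2
        # AEAD cipher, SHA-384 PRF and a P-384 DH group; the "!" makes the
        # proposal strict so an RSA/MODP peer cannot negotiate it away
        ike=aes256gcm16-prfsha384-ecp384!
        esp=aes256gcm16-ecp384!
        # ECDSA P-384 gateway certificate: the cert carried in IKE_AUTH is a
        # few hundred bytes, versus well over a kilobyte for an RSA chain
        leftcert=gwCert-ecdsa.pem
        leftid=@vpn.example.org
        leftsendcert=always
        # IKEv2 fragmentation (RFC 7383, strongSwan 5.2.1 and later): IKE
        # messages are split at the IKE layer instead of relying on IP
        # fragmentation, which is what PMTU black holes swallow
        fragmentation=yes
        right=%any
        rightauth=pubkey
        auto=add
```

Two caveats a practitioner will hit: the client must present an ECDSA certificate as well (or use EAP) for the size reduction to apply in both directions, and `fragmentation=yes` only helps when the peer also implements RFC 7383, otherwise charon falls back to sending the full datagram. Neither setting helps if, as Noel suspects, the packets are being dropped by policy rather than by size.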