The remote phone's Strongswan app is not getting a port 4500 response back from
the IPSec gateway. It's trying and waiting for a response on port 4500.
------- Original Message -------
On March 21, 2018 9:35 AM, <colony.th...@protonmail.ch> wrote:
> I have an IPSec gateway, which is just an OpenStack instance in my LAN.
> Remote machines reach it with Strongswan through the LAN gateway. When I try
> to set up the VPN using a remote phone and the Strongswan app it gets a good
> bit of the ways, but times out waiting for a port 4500 response from the
> IPSec gateway. The IPSec gateway for its part claims that it'd sent the port
> 4500 response which never gets there.
>
> There are no Shorewall messages in dmesg regarding ports 500 or 4500, in
> either the IPSec gateway or the LAN gateway.
>
> IPSec gateway:
> rules:
> # VPN
> ACCEPT net $FW udp 500,4500 -
> ACCEPT $FW net udp 500,4500 -
>
> snat:
> MASQUERADE 192.168.111.0/24 eth0
>
> LAN gateway:
> rules
>
> # VPN
> DNAT net local:192.168.111.16 udp 500,ipsec-nat-t - eth0
>
> snat
> MASQUERADE 10.1.1.30/32,192.168.111.0/24 eth0
>
> (10.1.1.30 is the DMZ)
>
> The goal is to have all remote machines and all machines in the LAN
> communicate by VPN transparently. I'm back to basics with just an IPSec
> gateway and one remote machine. I suspect that when I get all the LAN
> machines on trapped IPSec that the devices which do not support IPSec
> (printers, Z-wave) will need to reach the rest of the LAN through the IPSec
> gateway so am using SNAT there.
>
> So for some reason it seems that port 4500 is getting blocked outgoing from
> the IPSec gateway. For some reason # tcpdump 'tcp port 500' and 4500 yield
> -nothing- when aimed at the relevant interfaces on both gateways.
> shorewall_dump.txt forwarded directly to Tom.
---------------------------------------------------------------------------------------------------
On the LAN gateway, I see lots of packets going in to the IPSec gateway on
(internal) eth1, but none going back out:
# tcpdump -i eth1 'port 4500'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:26:44.372723 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:44.375540 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:44.377621 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:44.380078 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:44.383287 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:44.385543 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:44.398217 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:44.400500 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:46.422571 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:46.426444 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:46.430634 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:46.439986 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:46.445641 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:46.449896 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:46.452713 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:46.455215 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:49.198687 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:49.203642 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:49.208845 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:49.214348 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:49.218238 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:49.225086 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:49.231584 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:49.234940 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:53.140601 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:53.145698 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:53.145745 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:53.150653 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:53.154544 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:53.157221 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:53.166925 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:53.166977 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:27:02.707053 IP 192.168.111.16.ipsec-nat-t > 172.56.42.131.39547: isakmp-nat-keep-alive
q^C
33 packets captured
33 packets received by filter
0 packets dropped by kernel
---------------------------------------------------------------------------------------------------
... So no response to the 4500 hails. The last packet going back out is just
keepalive.
Well no sense in checking the LAN gateway's outside interface since we see no
4500 response coming back from the IPSec gateway.
Well, in the IPSec gateway is Strongswan actually sending a 4500 response back
out to all the IKE2 that came in?
---------------------------------------------------------------------------------------------------
Wed, 2018-03-21 13:57 12[ENC] <2> generating payload of type NOTIFY
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 0 U_INT_8
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 1 FLAG
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 2 RESERVED_BIT
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 3 RESERVED_BIT
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 4 RESERVED_BIT
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 5 RESERVED_BIT
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 6 RESERVED_BIT
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 7 RESERVED_BIT
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 8 RESERVED_BIT
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 9 PAYLOAD_LENGTH
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 10 U_INT_8
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 11 SPI_SIZE
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 12 U_INT_16
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 13 SPI
Wed, 2018-03-21 13:57 12[ENC] <2> generating rule 14 CHUNK_DATA
Wed, 2018-03-21 13:57 12[ENC] <2> generating NOTIFY payload finished
Wed, 2018-03-21 13:57 12[NET] <2> sending packet: from 192.168.111.16[500] to 172.56.42.131[42799] (299 bytes)
Wed, 2018-03-21 13:57 01[JOB] next event in 3s 974ms, waiting
Wed, 2018-03-21 13:57 04[NET] sending packet: from 192.168.111.16[500] to 172.56.42.131[42799]
Wed, 2018-03-21 13:57 12[MGR] <2> checkin IKE_SA (unnamed)[2]
Wed, 2018-03-21 13:57 12[MGR] <2> checkin of IKE_SA successful
Wed, 2018-03-21 13:57 01[JOB] next event in 3s 973ms, waiting
Wed, 2018-03-21 13:57 01[JOB] got event, queuing job for execution
Wed, 2018-03-21 13:57 01[JOB] next event in 10s 8ms, waiting
Wed, 2018-03-21 13:57 09[MGR] checkout IKEv2 SA with SPIs a8fad75e552dc267_i 2da2ca50f20be830_r
Wed, 2018-03-21 13:57 09[MGR] IKE_SA (unnamed)[1] successfully checked out
Wed, 2018-03-21 13:57 09[IKE] <1> sending keep alive to 172.56.42.131[41197]
---------------------------------------------------------------------------------------------------
Yep sure did. But did it make it to the IPSec gateway's interface?
---------------------------------------------------------------------------------------------------
# tcpdump -i eth0 'port 4500'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:15:11.790496 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:11.802477 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:11.802512 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:11.803176 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:11.806236 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:11.820669 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:11.823789 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:11.826228 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:13.797395 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:13.797418 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:13.797421 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:13.798041 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:13.803177 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:13.809077 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:13.814198 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:13.819611 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:16.617445 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:16.617505 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:16.617515 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:16.617526 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:16.617533 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:16.622776 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:16.630134 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:16.638712 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:20.528223 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:20.531369 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:20.531381 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:20.533833 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:20.533844 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:20.539615 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:20.544749 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:20.549253 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:30.039021 IP cygnus.darkmatter.org.ipsec-nat-t > 172.56.42.131.50806: isakmp-nat-keep-alive
^C
33 packets captured
34 packets received by filter
0 packets dropped by kernel
---------------------------------------------------------------------------------------------------
No, it didn't. How can it not make it from the daemon to the only interface in
the IPSec gateway?
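Added example, not code from this thread or from the Shorewall or strongSwan projects: a small Python script that does the two checks made by hand above on the captures and the charon log. It parses tcpdump lines, tallies packets per direction and gateway port, and reports ports that saw inbound IKE but no IKE reply (NAT keepalives are excluded, since they are not responses). It also cross-checks charon's "sending packet: from A[port] to B[port]" lines against the capture filter: a `tcpdump 'port 4500'` filter shows a packet only when its source or destination port is 4500, and the log excerpt above reports sends from port 500 to port 42799, which such a filter would never display. The embedded sample lines are copied from the captures and log in this message; the /etc/services name mapping and the gateway argument are assumptions of the example.

```python
import re
from collections import Counter

# Sample input: a few lines copied from the two captures and the charon log in the
# message above (one keepalive kept in each capture so the exclusion is visible).
CAPTURE_ETH1 = """\
13:26:44.372723 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:44.375540 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:53.166977 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:27:02.707053 IP 192.168.111.16.ipsec-nat-t > 172.56.42.131.39547: isakmp-nat-keep-alive
"""
CAPTURE_ETH0 = """\
14:15:11.790496 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:20.549253 IP 172.56.42.131.50806 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:15:30.039021 IP cygnus.darkmatter.org.ipsec-nat-t > 172.56.42.131.50806: isakmp-nat-keep-alive
"""
DAEMON_LOG = """\
Wed, 2018-03-21 13:57 12[NET] <2> sending packet: from 192.168.111.16[500] to 172.56.42.131[42799] (299 bytes)
Wed, 2018-03-21 13:57 04[NET] sending packet: from 192.168.111.16[500] to 172.56.42.131[42799]
Wed, 2018-03-21 13:57 09[IKE] <1> sending keep alive to 172.56.42.131[41197]
"""

# Assumption: tcpdump without -n prints these service names from /etc/services.
SERVICE_PORTS = {"isakmp": 500, "ipsec-nat-t": 4500}

# "<ts> IP <host>.<port> > <host>.<port>: <description>"; greedy \S+ backtracks to the
# last dot, so dotted hostnames and IPv4 addresses both split correctly.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<desc>.*)$"
)
SEND_RE = re.compile(
    r"sending packet: from (?P<src>[\d.]+)\[(?P<sport>\d+)\] to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]"
)


def port_number(token):
    """Map a tcpdump port token (number or /etc/services name) to an integer."""
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    return int(token)


def parse_capture(text, gateway):
    """Yield (direction, gateway_port, peer, peer_port, desc) for each packet line.
    Banner and summary lines do not match the pattern and are skipped."""
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        if m["dst"] == gateway:
            yield ("in", port_number(m["dport"]), m["src"], port_number(m["sport"]), m["desc"])
        elif m["src"] == gateway:
            yield ("out", port_number(m["sport"]), m["dst"], port_number(m["dport"]), m["desc"])


def direction_summary(text, gateway):
    """Count packets per (direction, gateway port, kind); keepalives are counted apart
    because a NAT keepalive is not a reply to anything."""
    counts = Counter()
    for direction, gw_port, _peer, _peer_port, desc in parse_capture(text, gateway):
        kind = "keepalive" if "keep-alive" in desc else "ike"
        counts[(direction, gw_port, kind)] += 1
    return counts


def unanswered_ports(text, gateway):
    """Gateway ports that received IKE packets but sent no IKE packet back."""
    counts = direction_summary(text, gateway)
    inbound = {port for (d, port, kind) in counts if d == "in" and kind == "ike"}
    outbound = {port for (d, port, kind) in counts if d == "out" and kind == "ike"}
    return sorted(inbound - outbound)


def daemon_packets_outside_filter(log, capture_port):
    """Packets charon reports sending that a `tcpdump 'port N'` capture would not show.
    The BPF filter 'port N' matches only when source or destination port equals N."""
    missed = []
    for m in SEND_RE.finditer(log):
        sport, dport = int(m["sport"]), int(m["dport"])
        if capture_port not in (sport, dport):
            missed.append((m["src"], sport, m["dst"], dport))
    return missed


if __name__ == "__main__":
    for name, text, gw in (("eth1", CAPTURE_ETH1, "192.168.111.16"),
                           ("eth0", CAPTURE_ETH0, "cygnus.darkmatter.org")):
        print(name, dict(direction_summary(text, gw)))
        print(name, "inbound IKE with no IKE reply on ports:", unanswered_ports(text, gw))
    print("daemon sends invisible to 'port 4500':", daemon_packets_outside_filter(DAEMON_LOG, 4500))
```

Run it against a full `tcpdump -i eth0 'port 4500'` capture saved to a file and charon's log by reading the two files into the constants; if the daemon reports sends that the filter cannot show, capture with `'port 500 or port 4500'` (or `udp and host <peer>`) before concluding that the packets never reached the interface.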
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users