Ok, I just created a new EC2 instance, generated a new server certificate and set up strongSwan, so let's say the authentication problem is solved. There is still the original problem: I cannot establish a connection due to fragment filtering, and when I add 'fragmentation=yes' in the conn %default section, strongSwan does not seem to notice it, which can be seen from the logs after I run 'sudo ipsec restart':
Sep 28 06:43:53 ******** charon: 11[CFG] received stroke: add connection 'IPSec-IKEv2'
Sep 28 06:43:53 ******** charon: 11[CFG] conn IPSec-IKEv2
Sep 28 06:43:53 ******** charon: 11[CFG]   left=%any
Sep 28 06:43:53 ******** charon: 11[CFG]   leftsubnet=0.0.0.0/0
Sep 28 06:43:53 ******** charon: 11[CFG]   leftcert=server2Cert.pem
Sep 28 06:43:53 ******** charon: 11[CFG]   right=%any
Sep 28 06:43:53 ******** charon: 11[CFG]   rightsourceip=172.16.16.0/24
Sep 28 06:43:53 ******** charon: 11[CFG]   rightdns=31.3.135.232,87.98.175.85
Sep 28 06:43:53 ******** charon: 11[CFG]   ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
Sep 28 06:43:53 ******** charon: 11[CFG]   esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
Sep 28 06:43:53 ******** charon: 11[CFG]   dpddelay=300
Sep 28 06:43:53 ******** charon: 11[CFG]   dpdtimeout=150
Sep 28 06:43:53 ******** charon: 11[CFG]   dpdaction=1
Sep 28 06:43:53 ******** charon: 11[CFG]   mediation=no
Sep 28 06:43:53 ******** charon: 11[CFG]   keyexchange=ikev2
Sep 28 06:43:53 ******** charon: 11[CFG] adding virtual IP address pool 172.16.16.0/24
Sep 28 06:43:53 ******** charon: 11[CFG]   loaded certificate "******" from 'server2Cert.pem'
Sep 28 06:43:53 ******** charon: 11[CFG]   id '%any' not confirmed by certificate, defaulting to '******'
Sep 28 06:43:53 ******** charon: 11[CFG] added configuration 'IPSec-IKEv2'
Sep 28 06:43:53 ******** charon: 13[CFG] received stroke: add connection 'IPSec-IKEv2-EAP'
Sep 28 06:43:53 ******** charon: 13[CFG] conn IPSec-IKEv2-EAP
Sep 28 06:43:53 ******** charon: 13[CFG]   left=%any
Sep 28 06:43:53 ******** charon: 13[CFG]   leftsubnet=0.0.0.0/0
Sep 28 06:43:53 ******** charon: 13[CFG]   leftcert=server2Cert.pem
Sep 28 06:43:53 ******** charon: 13[CFG]   right=%any
Sep 28 06:43:53 ******** charon: 13[CFG]   rightsourceip=172.16.16.0/24
Sep 28 06:43:53 ******** charon: 13[CFG]   rightdns=31.3.135.232,87.98.175.85
Sep 28 06:43:53 ******** charon: 13[CFG]   rightauth=eap-mschapv2
Sep 28 06:43:53 ******** charon: 13[CFG]   eap_identity=%any
Sep 28 06:43:53 ******** charon: 13[CFG]   ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
Sep 28 06:43:53 ******** charon: 13[CFG]   esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
Sep 28 06:43:53 ******** charon: 13[CFG]   dpddelay=300
Sep 28 06:43:53 ******** charon: 13[CFG]   dpdtimeout=150
Sep 28 06:43:53 ******** charon: 13[CFG]   dpdaction=1
Sep 28 06:43:53 ******** charon: 13[CFG]   mediation=no
Sep 28 06:43:53 ******** charon: 13[CFG]   keyexchange=ikev2
Sep 28 06:43:53 ******** charon: 13[CFG] reusing virtual IP address pool 172.16.16.0/24
Sep 28 06:43:53 ******** charon: 13[CFG]   loaded certificate "******" from 'server2Cert.pem'
Sep 28 06:43:53 ******** charon: 13[CFG]   id '%any' not confirmed by certificate, defaulting to '******'
Sep 28 06:43:53 ******** charon: 13[CFG] added configuration 'IPSec-IKEv2-EAP'
Sep 28 06:43:53 ******** charon: 14[CFG] received stroke: add connection 'CiscoIPSec'
Sep 28 06:43:53 ******** charon: 14[CFG] conn CiscoIPSec
Sep 28 06:43:53 ******** charon: 14[CFG]   left=%any
Sep 28 06:43:53 ******** charon: 14[CFG]   leftsubnet=0.0.0.0/0
Sep 28 06:43:53 ******** charon: 14[CFG]   leftcert=server2Cert.pem
Sep 28 06:43:53 ******** charon: 14[CFG]   right=%any
Sep 28 06:43:53 ******** charon: 14[CFG]   rightsourceip=172.16.16.0/24
Sep 28 06:43:53 ******** charon: 14[CFG]   rightdns=31.3.135.232,87.98.175.85
Sep 28 06:43:53 ******** charon: 14[CFG]   rightauth=pubkey
Sep 28 06:43:53 ******** charon: 14[CFG]   rightauth2=xauth
Sep 28 06:43:53 ******** charon: 14[CFG]   ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
Sep 28 06:43:53 ******** charon: 14[CFG]   esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
Sep 28 06:43:53 ******** charon: 14[CFG]   dpddelay=300
Sep 28 06:43:53 ******** charon: 14[CFG]   dpdtimeout=150
Sep 28 06:43:53 ******** charon: 14[CFG]   dpdaction=1
Sep 28 06:43:53 ******** charon: 14[CFG]   mediation=no
Sep 28 06:43:53 ******** charon: 14[CFG]   keyexchange=ikev1
Sep 28 06:43:53 ******** charon: 14[CFG] reusing virtual IP address pool 172.16.16.0/24
Sep 28 06:43:53 ******** charon: 14[CFG]   loaded certificate "******" from 'server2Cert.pem'
Sep 28 06:43:53 ******** charon: 14[CFG]   id '%any' not confirmed by certificate, defaulting to '******'
Sep 28 06:43:53 ******** charon: 14[CFG] added configuration 'CiscoIPSec'

In case it matters, I used this guide for setup: https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/

My strongSwan version: Linux strongSwan U5.3.5/K4.4.0-1022-aws

2017-09-27 3:17 GMT+03:00 Noel Kuntze <[email protected]>:
> Hi,
>
> UDP packets can not be fragmented on the transport layer. UDP packets
> represent a complete datagram, not a byte stream like TCP. Fragmentation
> needs to be implemented on the application layer, which is what charon
> supports with IKEv1 and IKEv2 fragmentation, configurable with
> fragmentation=yes, which enables support for it. It is used, if the remote
> peer indicates support for it as well.
>
> Yes, the problem is caused by your new ISP (or some other hop to the other
> peer) dropping IP fragments.
>
> Kind regards
>
> Noel
>
> On 23.09.2017 18:46, Anvar Kuchkartaev wrote:
> > You can use fragmentation=yes option in your server side configuration
> > file and authentication request/response will be fragmented before forming
> > ip packets.
> >
> > Anvar Kuchkartaev
> > [email protected]
> >
> > *From: *Олег Пруц
> > *Sent: *Saturday, 23 September 2017 05:09 p.m.
> > *To: *[email protected]
> > *Subject: *[strongSwan] Cannot connect to IPsec gateway in a roadwarrior
> > scenario because of large packet lengths
> >
> > Hello strongSwan team,
> >
> > Thank you for your great job. You are enabling user privacy and internet
> > freedom for people really concerned with this. As for me, this is my use
> > case: I purchased AWS instance with Ubuntu 16.04.2 and installed strongSwan
> > on it, so I was successfully connecting from my home computer to it and was
> > able to bypass restrictions.
> >
> > However, as I have to use another network now, the connection is not
> > establishing anymore. I did IP packet captures both on the server and on my
> > machine and found out that the server fragments packets and sends packets
> > with size larger than my MTU during key exchange. I set server MTU to be
> > 1000, but fragmentation is still there, and fragmented packets do not pass
> > to my machine. It seems to be an issue with my new ISP which does not
> > handle fragmented packets.
> >
> > I can supply the captures if necessary.
> >
> > Regards,
> > Oleg Prutz
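Added example, not from this thread or from strongSwan itself: a small Python check of how ipsec.conf's conn %default inheritance plays out, so you can verify before an ipsec restart that fragmentation=yes actually reaches every conn (a per-conn override, a mistyped or indented section header, or a setting placed outside %default all silently lose it). The sample ipsec.conf is constructed; also= includes are not handled.

```python
"""Report which ipsec.conf conns do NOT effectively have fragmentation enabled.

ipsec.conf conventions applied here: a line starting in column 0 opens a
section ("conn <name>", "config setup", "ca <name>"); indented "key=value"
lines belong to the section above; settings in "conn %default" apply to
every other conn unless that conn sets the same key itself.
"""
import re

SECTION_RE = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")

# Constructed sample: three conns like the ones in the charon log above,
# with fragmentation=yes in %default and one conn overriding it.
SAMPLE_CONF = """\
config setup
    uniqueids=no

conn %default
    keyexchange=ikev2
    fragmentation=yes   # inherited by every conn unless overridden

conn IPSec-IKEv2
    left=%any
    leftcert=server2Cert.pem

conn IPSec-IKEv2-EAP
    rightauth=eap-mschapv2

conn CiscoIPSec
    keyexchange=ikev1
    fragmentation=no    # explicit override: this conn loses the default
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section (raw, unmerged)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:                                     # new section header
            kind, name = m.groups()
            current = conns.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def effective_conns(text):
    """Merge 'conn %default' into each real conn; the conn's own keys win."""
    conns = parse_ipsec_conf(text)
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **own} for name, own in conns.items()}

def conns_without_fragmentation(text):
    """Names of conns whose effective 'fragmentation' is not yes/force."""
    return sorted(name for name, s in effective_conns(text).items()
                  if s.get("fragmentation", "no").lower() not in ("yes", "force"))
```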
