Hi Houman,

The information on the Wiki is probably old, and it is not wrong anyway.
3des is broken and shouldn't be used if the client can do better.

The behavior I see in the log this time is very different from the previous email. Last time we could see a complete and successful negotiation leading to established connections. That is why I asked you to run "ipsec statusall". This time around, the client doesn't seem to be getting responses from your server. You can see multiple IKE_SA_INIT packets received, indicating the client is not seeing the responses.

Since this is a completely different behavior, it is hard to draw conclusions. The best way to debug is to have strongSwan at both ends so you can see complete logs at both ends.

--Jafar
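The pattern Jafar points at (the same IKE_SA_INIT request arriving repeatedly, the responder retransmitting its response, and no IKE_AUTH ever following) can be picked out of charon's syslog mechanically. The Python below is an added example, not code from this thread or from strongSwan; the log sample is constructed with RFC 5737 addresses, and attributing a line to the peer whose packet the same worker thread last received is my simplification.

```python
import re
from collections import defaultdict

# charon syslog shape: "May 12 11:03:07 host charon: 02[NET] received packet: from A[500] to B[500] (604 bytes)"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ charon: (?P<thread>\d+)\[\w+\] (?P<msg>.*)$")
RECV_RE = re.compile(r"^received packet: from (?P<peer>\S+)\[\d+\] to ")

# Constructed sample (RFC 5737 addresses): one peer keeps resending IKE_SA_INIT, one reaches IKE_AUTH.
SAMPLE_LOG = """\
May 12 11:03:07 vpn-server charon: 02[NET] received packet: from 203.0.113.7[500] to 10.0.0.5[500] (604 bytes)
May 12 11:03:07 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 12 11:03:13 vpn-server charon: 11[NET] received packet: from 203.0.113.7[500] to 10.0.0.5[500] (604 bytes)
May 12 11:03:13 vpn-server charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 12 11:03:13 vpn-server charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:16 vpn-server charon: 12[NET] received packet: from 203.0.113.7[500] to 10.0.0.5[500] (604 bytes)
May 12 11:03:16 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 12 11:03:16 vpn-server charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:04:02 vpn-server charon: 07[NET] received packet: from 198.51.100.20[500] to 10.0.0.5[500] (604 bytes)
May 12 11:04:02 vpn-server charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 12 11:04:02 vpn-server charon: 08[NET] received packet: from 198.51.100.20[4500] to 10.0.0.5[4500] (512 bytes)
May 12 11:04:02 vpn-server charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
"""

def analyze(log_text):
    """Per-peer event counts. A line is attributed to the peer whose packet the same worker
    thread last received; lines from threads that never received one (e.g. JOB) are skipped."""
    current_peer, stats = {}, defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        if (r := RECV_RE.match(msg)):
            current_peer[thread] = r.group("peer")
        elif thread in current_peer:
            s = stats[current_peer[thread]]
            if msg.startswith("parsed IKE_SA_INIT request"):
                s["sa_init"] += 1
            elif msg.startswith("received retransmit of request"):
                s["retransmit"] += 1
            elif msg.startswith("parsed IKE_AUTH request"):
                s["ike_auth"] += 1
    return {peer: dict(c) for peer, c in stats.items()}

def diagnose(counts):  # heuristic verdict for one peer; my rule, not strongSwan's own logic
    if counts.get("ike_auth", 0) > 0:
        return "reached_ike_auth"
    if counts.get("sa_init", 0) >= 2 and counts.get("retransmit", 0) >= 1:
        return "client_not_receiving_responses"
    return "insufficient_data"
```

A peer stuck at "client_not_receiving_responses" has sent its request and the responder has answered; the reply path (UDP/500 or 4500 back to the client) is what to look at, which is why a capture on the client side, as Jafar suggests, settles it.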



On 2018-05-12 05:15, Houman wrote:
Hello Jafar,

Thank you for the final proposals. I have entered them and it works
great with iOS and OSX. I have no Windows to test it yet.

The only reason I had picked 3des-sha1 was because the StrongSwan
Wiki claims this was needed for Mac (OSX)
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients.
But I can see it works even without that.

My user in Iran still can't connect successfully. I have followed your
instructions. I have tailed the syslog below, hence this is all I can
see:

May 12 11:03:07 vpn-server charon: 02[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:07 vpn-server charon: 02[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:07 vpn-server charon: 02[IKE] 91.99.xxx.xxx is initiating an IKE_SA
May 12 11:03:07 vpn-server charon: 02[IKE] local host is behind NAT, sending keep alives
May 12 11:03:07 vpn-server charon: 02[IKE] remote host is behind NAT
May 12 11:03:07 vpn-server charon: 02[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 12 11:03:07 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:13 vpn-server charon: 11[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:13 vpn-server charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:13 vpn-server charon: 11[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:13 vpn-server charon: 11[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:16 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xxx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 12 11:03:16 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 12 11:03:16 vpn-server charon: 12[IKE] received retransmit of request with ID 0, retransmitting response
May 12 11:03:16 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xxx[500] (448 bytes)
May 12 11:03:27 vpn-server charon: 10[IKE] sending keep alive to 91.99.xxx.xxx[500]
May 12 11:03:37 vpn-server charon: 05[JOB] deleting half open IKE_SA after timeout

I have also executed ipsec statusall

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1057-aws, x86_64):
  uptime: 68 minutes, since May 12 09:55:31 2018
  malloc: sbrk 1773568, mmap 0, used 572416, free 1201152
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/1
Listening IP addresses:
  172.31.xxx.xxx
Connections:
 roadwarrior:  %any...%any  IKEv2, dpddelay=180s
 roadwarrior:   local:  [vpn1.xxx.com] uses public key authentication
 roadwarrior:    cert:  "CN=vpn1.xxx.com"
 roadwarrior:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
 roadwarrior:   child:  0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
  none

I can't quite see from this if they have blocked ESP or not. But I
suspect this is the case.

Many thanks for your help,

Houman
