IPSec connection issue
FIXED- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Other forums
- :
- Tech Help - Software/Hardware etc
- :
- IPSec connection issue
03-01-2018 1:31 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Hi Everyone. I have a problem connecting to my work IPSec VPN from my mac. I have tried using the built in mac VPN connector, and also the mac stronswan build. The server at work is strongswan. The issue is that they see my connection attempt, and respond, but I don't see the response. Here's a sample. This is what I see on my mac when I try to run strongswan:
root# /usr/local/bin/ipsec up d01 initiating IKE_SA d01[5] to <serverip> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] sending packet: from 192.168.1.104[500] to <serverip>[500] (704 bytes) retransmit 1 of request with message ID 0 sending packet: from 192.168.1.104[500] to <serverip>[500] (704 bytes)
Here's what they see on the other end:
Jan 3 12:38:12 longfw01 charon: 14[NET] <3974> received packet: from <clientip>[500] to <serverip>[500] (704 bytes) Jan 3 12:38:12 longfw01 charon: 14[ENC] <3974> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] Jan 3 12:38:12 longfw01 charon: 14[IKE] <3974> <clientip> is initiating an IKE_SA Jan 3 12:38:12 longfw01 charon: 14[CFG] <3974> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048 Jan 3 12:38:12 longfw01 charon: 14[CFG] <3974> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 Jan 3 12:38:12 longfw01 charon: 14[IKE] <3974> remote host is behind NAT Jan 3 12:38:12 longfw01 charon: 14[IKE] <3974> received proposals inacceptable Jan 3 12:38:12 longfw01 charon: 14[ENC] <3974> generating IKE_SA_INIT response 0 [ N(NO_PROP) ] Jan 3 12:38:12 longfw01 charon: 14[NET] <3974> sending packet: from <serverip>[500] to <clientip>[500] (36 bytes)
Obviously I can see that there is a cipher mismatch, but I can resolve that ... the initial problem I need to get over however is that I don't receive the server's response at all. The client just goes on retrying. I have verified that there is no response received using wireshark.
I tried initially with the plusnet hub, and upgraded to a tplink vr900 thinking the router was the problem, but I still have the same issue. But ... if I tether off my phone using 4G, I do see the responses!
root# /usr/local/bin/ipsec up d01 initiating IKE_SA d01[6] to <serverip> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] sending packet: from 192.168.43.11[500] to <serverip>[500] (704 bytes) received packet: from <serverip>[500] to 192.168.43.11[500] (36 bytes) parsed IKE_SA_INIT response 0 [ N(NO_PROP) ] received NO_PROPOSAL_CHOSEN notify error establishing connection 'd01' failed
So I believe the issue is that plusnet is not routing the response packet back to me.
For complete clarity - I have never had this working previously, though I was able to connect to the same VPN service using my PC. I have not analysed what the PC does differently to the mac.
Tagging Bob Pullen as I can see he solved some similar problems before: @bobpullen
Thank you!
Fixed! Go to the fix.
Re: IPSec connection issue
05-01-2018 7:08 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Anyone?
06-01-2018 1:23 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
Just a long shot, but it might be worth looking at your PlusNet Firewall settings.
Re: IPSec connection issue
06-01-2018 2:39 PM
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Highlight
- Report to Moderator
I didn't even know there was a 'broadband firewall'! It was set to 'High'. It is now 'Low'. The low setting has this, among other things, in the description: 'Please note: This is the only VPN (Virtual Private Network)-compatible firewall setting.'
I now get responses back from StrongSwan. Thank you!
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Plusnet Community
- :
- Forum
- :
- Other forums
- :
- Tech Help - Software/Hardware etc
- :
- IPSec connection issue