
IPSec connection issue

FIXED
FatalFlaw
Newbie
Posts: 3
Registered: 03-01-2018

IPSec connection issue

Hi Everyone. I have a problem connecting to my work IPSec VPN from my Mac. I have tried using the built-in Mac VPN connector, and also the Mac strongswan build. The server at work is strongswan. The issue is that they see my connection attempt, and respond, but I don't see the response. Here's a sample. This is what I see on my Mac when I try to run strongswan:

root# /usr/local/bin/ipsec up d01
initiating IKE_SA d01[5] to <serverip>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.1.104[500] to <serverip>[500] (704 bytes)
retransmit 1 of request with message ID 0
sending packet: from 192.168.1.104[500] to <serverip>[500] (704 bytes)

Here's what they see on the other end:

Jan  3 12:38:12 longfw01 charon: 14[NET] <3974> received packet: from <clientip>[500] to <serverip>[500] (704 bytes)
Jan  3 12:38:12 longfw01 charon: 14[ENC] <3974> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan  3 12:38:12 longfw01 charon: 14[IKE] <3974> <clientip> is initiating an IKE_SA
Jan  3 12:38:12 longfw01 charon: 14[CFG] <3974> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/MODP_8192/MODP_2048
Jan  3 12:38:12 longfw01 charon: 14[CFG] <3974> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jan  3 12:38:12 longfw01 charon: 14[IKE] <3974> remote host is behind NAT
Jan  3 12:38:12 longfw01 charon: 14[IKE] <3974> received proposals inacceptable
Jan  3 12:38:12 longfw01 charon: 14[ENC] <3974> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jan  3 12:38:12 longfw01 charon: 14[NET] <3974> sending packet: from <serverip>[500] to <clientip>[500] (36 bytes)

Obviously I can see that there is a cipher mismatch, but I can resolve that ... the initial problem I need to get over however is that I don't receive the server's response at all. The client just goes on retrying. I have verified that there is no response received using wireshark.

I tried initially with the Plusnet Hub, and upgraded to a TP-Link VR900 thinking the router was the problem, but I still have the same issue. But ... if I tether off my phone using 4G, I do see the responses!

root# /usr/local/bin/ipsec up d01
initiating IKE_SA d01[6] to <serverip>
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.168.43.11[500] to <serverip>[500] (704 bytes)
received packet: from <serverip>[500] to 192.168.43.11[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error
establishing connection 'd01' failed

So I believe the issue is that Plusnet is not routing the response packet back to me.

For complete clarity - I have never had this working previously, though I was able to connect to the same VPN service using my PC. I have not analysed what the PC does differently to the mac.

Tagging Bob Pullen as I can see he solved some similar problems before: @bobpullen

Thank you!
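The cipher mismatch visible in the server log above, worked through as an added example (Python, not from the thread and not strongSwan's own selection code): a simplified model of how charon compares an offered proposal with a configured one, run over constructed copies of the two "proposals" log fields. It shows that the first client proposal fails only on the DH group (the server insists on MODP_1024, which the client never offers), while the AES-GCM proposal also fails on encryption and integrity.

```python
"""Added example: simplified charon-style proposal matching applied to the
'received proposals' / 'configured proposals' fields from the server log
(RECEIVED and CONFIGURED below are constructed copies of those fields)."""
import re

RECEIVED = (
    "IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/"
    "HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/"
    "PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/"
    "MODP_4096/MODP_8192/MODP_2048, "
    "IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/"
    "AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/"
    "PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/(31)/MODP_3072/MODP_4096/"
    "MODP_8192/MODP_2048")
CONFIGURED = "IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024"

def transform_type(name):
    """Map a charon transform name to its IKE transform type."""
    if name.startswith("PRF_"):
        return "prf"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    if re.match(r"(MODP_|ECP_|CURVE_|\(\d+\))", name):
        return "dh"  # "(31)" is a DH group number this charon build could not name
    return "enc"     # AEADs such as AES_GCM carry no separate integrity transform

def parse_proposals(field):
    """'IKE:a/b, IKE:c/d' -> one {transform_type: set_of_names} per proposal."""
    proposals = []
    for prop in field.split(", "):
        by_type = {}
        for name in prop.split(":", 1)[1].split("/"):
            by_type.setdefault(transform_type(name), set()).add(name)
        proposals.append(by_type)
    return proposals

def unmatched_types(offered, configured):
    """Transform types on which the two proposals cannot agree (simplified rule:
    same set of transform types, at least one shared algorithm in each).
    An empty result means the proposal would be accepted."""
    missing = set(offered) ^ set(configured)
    for t in set(offered) & set(configured):
        if not offered[t] & configured[t]:
            missing.add(t)
    return missing

def diagnose(received, configured):
    """For each offered proposal, the unmatched types against each configured one."""
    return [[sorted(unmatched_types(o, c)) for c in parse_proposals(configured)]
            for o in parse_proposals(received)]
```

The result points at the server side for the fix: MODP_1024 is a 1024-bit DH group and is weak, so adding a group the client already offers (MODP_2048 or an ECP group) to the server's configured proposal is the better resolution than adding MODP_1024 to the client.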

3 REPLIES
FatalFlaw
Newbie
Posts: 3
Registered: 03-01-2018

Re: IPSec connection issue

Anyone?

RobPN
Seasoned Hero
Posts: 5,231
Thanks: 2,754
Fixes: 13
Registered: 17-05-2013

Re: IPSec connection issue

Fix

@FatalFlaw

Just a long shot, but it might be worth looking at your PlusNet Firewall settings.

FatalFlaw
Newbie
Posts: 3
Registered: 03-01-2018

Re: IPSec connection issue

I didn't even know there was a 'broadband firewall'! It was set to 'High'. It is now 'Low'. The low setting has this, among other things, in the description: 'Please note: This is the only VPN (Virtual Private Network)-compatible firewall setting.'

I now get responses back from StrongSwan. Thank you!