I set up my strongSwan server on a virtual Ubuntu 22 behind a NAT. It works well for RCA using login password. But I need it to work using only a PSK. I tried a bunch of options, but I cannot connect from my Android. At the moment the configs are:
cat /etc/ipsec.secrets
: PSK 6VvBHiM3vZlaY4elIgiKhuD/6aAWo5c2
cat /etc/ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes

conn ikev2-ipsec-psk
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # authby=secret
    authby=psk
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=%any
    # [email protected]
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=1.1.1.1,1.0.0.1
    rightsourceip=10.101.0.0/16
cat rules.v4
# Generated by iptables-save v1.8.7 on Fri Jul 7 17:37:44 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -s 10.101.0.0/16 -o ens33 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Jul 7 17:37:44 2023
# Generated by iptables-save v1.8.7 on Fri Jul 7 17:37:44 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [83911:86155655]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ens33 -m state --state NEW -m recent --update --seconds 300 --hitcount 60 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i ens33 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens33 -p esp -j ACCEPT
-A INPUT -i ens33 -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.101.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.101.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o ens33 -p esp -j ACCEPT
-A OUTPUT -o ens33 -p ah -j ACCEPT
-A OUTPUT -o ens33 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o ens33 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
COMMIT
# Completed on Fri Jul 7 17:37:44 2023
# Generated by iptables-save v1.8.7 on Fri Jul 7 17:37:44 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 10.101.0.0/16 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.101.0.0/16 -o ens33 -j MASQUERADE
COMMIT
# Completed on Fri Jul 7 17:37:44 2023
Port forwarded on NAT:
# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 401M packets, 47G bytes)
pkts bytes target prot opt in out source destination
...
84 23694 DNAT udp -- sfp2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 to:10.5.23.88:4500
904 363K DNAT udp -- sfp2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 to:10.5.23.88:500
483 26400 DNAT tcp -- sfp2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88 to:10.5.23.88:80
16 1568 DNAT udp -- sfp2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 to:10.5.23.88:1701
Chain INPUT (policy ACCEPT 77M packets, 5830M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 34M packets, 3513M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 31M packets, 3036M bytes)
pkts bytes target prot opt in out source destination
1094M 182G SNAT all -- * * 10.0.0.0/8 0.0.0.0/0 to:x.y.z.b
On the Ubuntu server, when I try to connect, this is what I get in the log (178.168.214.112 is the user's IP, 10.5.23.88 is the server's LAN IP):
Jul 11 18:22:16 ubuntu22 charon: 01[NET] received packet: from 178.168.214.112[64102] to 10.5.23.88[500] (1072 bytes)
Jul 11 18:22:16 ubuntu22 charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] 178.168.214.112 is initiating an IKE_SA
Jul 11 18:22:16 ubuntu22 charon: 01[CFG] received proposals: IKE:AES_CTR_256/AES_CBC_256/AES_CTR_192/AES_CBC_192/AES_CTR_128/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048, IKE:CHACHA20_POLY1305/AES_GCM_16_256/AES_GCM_12_256/AES_GCM_8_256/AES_GCM_16_192/AES_GCM_12_192/AES_GCM_8_192/AES_GCM_16_128/AES_GCM_12_128/AES_GCM_8_128/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048
Jul 11 18:22:16 ubuntu22 charon: 01[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] local host is behind NAT, sending keep alives
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] remote host is behind NAT
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] received proposals unacceptable
Jul 11 18:22:16 ubuntu22 charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jul 11 18:22:16 ubuntu22 charon: 01[NET] sending packet: from 10.5.23.88[500] to 178.168.214.112[64102] (36 bytes)
modp1024) and isn't proposed anymore by the client. You could just remove the ike and esp options to use the default proposals.