0

I set up my strongswan server on a virtual Ubuntu 22 behind a NAT. It works well for RCA using login password. But I need to work using only PSK key. I tried a bunch of options, I can not connect from my android. At the moment the configs are:

cat /etc/ipsec.secrets
: PSK 6VvBHiM3vZlaY4elIgiKhuD/6aAWo5c2


cat /etc/ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes

conn ikev2-ipsec-psk
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
#    authby=secret
    authby=psk
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=%any
#    [email protected]
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=1.1.1.1,1.0.0.1
    rightsourceip=10.101.0.0/16


cat rules.v4
# Generated by iptables-save v1.8.7 on Fri Jul  7 17:37:44 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -s 10.101.0.0/16 -o ens33 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Jul  7 17:37:44 2023
# Generated by iptables-save v1.8.7 on Fri Jul  7 17:37:44 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [83911:86155655]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ens33 -m state --state NEW -m recent --update --seconds 300 --hitcount 60 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i ens33 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens33 -p esp -j ACCEPT
-A INPUT -i ens33 -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.101.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.101.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o ens33 -p esp -j ACCEPT
-A OUTPUT -o ens33 -p ah -j ACCEPT
-A OUTPUT -o ens33 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o ens33 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
COMMIT
# Completed on Fri Jul  7 17:37:44 2023
# Generated by iptables-save v1.8.7 on Fri Jul  7 17:37:44 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 10.101.0.0/16 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.101.0.0/16 -o ens33 -j MASQUERADE
COMMIT
# Completed on Fri Jul  7 17:37:44 2023

Port forwarded on NAT:

# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 401M packets, 47G bytes)
 pkts bytes target     prot opt in     out     source               destination
 ...
   84 23694 DNAT       udp  --  sfp2   *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500 to:10.5.23.88:4500
  904  363K DNAT       udp  --  sfp2   *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 to:10.5.23.88:500
  483 26400 DNAT       tcp  --  sfp2   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:88 to:10.5.23.88:80
   16  1568 DNAT       udp  --  sfp2   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701 to:10.5.23.88:1701

Chain INPUT (policy ACCEPT 77M packets, 5830M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 34M packets, 3513M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 31M packets, 3036M bytes)
 pkts bytes target     prot opt in     out     source               destination
1094M  182G SNAT       all  --  *      *       10.0.0.0/8           0.0.0.0/0            to:x.y.z.b

On the Ubuntu server, when I try to connect to the log, I get this (178.168.214.112 ip users, 10.5.23.88 LAN ip server) :

Jul 11 18:22:16 ubuntu22 charon: 01[NET] received packet: from 178.168.214.112[64102] to 10.5.23.88[500] (1072 bytes)
Jul 11 18:22:16 ubuntu22 charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] 178.168.214.112 is initiating an IKE_SA
Jul 11 18:22:16 ubuntu22 charon: 01[CFG] received proposals: IKE:AES_CTR_256/AES_CBC_256/AES_CTR_192/AES_CBC_192/AES_CTR_128/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048, IKE:CHACHA20_POLY1305/AES_GCM_16_256/AES_GCM_12_256/AES_GCM_8_256/AES_GCM_16_192/AES_GCM_12_192/AES_GCM_8_192/AES_GCM_16_128/AES_GCM_12_128/AES_GCM_8_128/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048
Jul 11 18:22:16 ubuntu22 charon: 01[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] local host is behind NAT, sending keep alives
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] remote host is behind NAT
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] received proposals unacceptable
Jul 11 18:22:16 ubuntu22 charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jul 11 18:22:16 ubuntu22 charon: 01[NET] sending packet: from 10.5.23.88[500] to 178.168.214.112[64102] (36 bytes)
3
  • I tried this solution but it didn't work for me serverfault.com/questions/867509/… Commented Jul 11, 2023 at 16:01
  • Your proposal uses a DH group that's too weak (modp1024) and isn't proposed anymore by the client. You could just remove the ike and esp options to use the default proposals.
    – ecdsa
    Commented Jul 12, 2023 at 7:08
  • Thank you! Connected! Can you give any other recommendations to improve my config? Commented Jul 12, 2023 at 15:05

0

You must log in to answer this question.

Browse other questions tagged .