Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
L
L
littleguga2016-09-29 17:32:04
VPN
littleguga, 2016-09-29 17:32:04

What is the problem with connecting to ipsec+ikev2 through certificates?

I watch with wireshark on the client and tcpdump on the server.
It goes like this:
the client asks the server for ikev_init; the
server responds ;
the client sends its certificate and the supported ciphers; the
server receives them and sends a response;
the client does not receive this response! (in some networks, the same client receives it and then the VPN connection succeeds)
The server sends a packet, but it does not reach the client:
mysite = domain of my server
clientdomain - my client

17:27:23.187306 IP (tos 0x0, ttl 64, id 48370, offset 0, flags [DF], proto UDP (17), length 365)
    mysite.isakmp > clientdomain.432: isakmp 2.0 msgid 00000000: parent_sa ikev2_init[R]:
    (sa: len=44
        (p: #2 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0100))
            (t: #2 type=integ id=hmac-sha )
            (t: #3 type=prf id=hmac-sha )
            (t: #4 type=dh id=modp1024 )))
    (v2ke: len=128 group=modp1024)
    (nonce: len=32 data=(c4a4d5aed36e40823c9a...bf291b136ca24898abf4000b0000000800004014))
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    (v2cr: len=21)
    (n: prot_id=#0 type=16404(status))

There is no this package on the wireshark client, the rest are:
0ccbcdc9ab844e078bff0d6ab32201f9.png
What could be the problem?
This is in some networks (2com, some from mgts). In some networks from MGTS, this magic packet reaches and then connects to the VPN successfully.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
A
athacker, 2016-09-30
@littleguga

There is reason to believe that this is a crookedly configured ALG on the provider's network. You have a client behind a provider NAT, and this NAT cuts packets. In Online, this happens with L2TP in the network - the server sends a packet for negotiating connection parameters, the client receives it and ANSWERS. But the response does not reach the server. An output - is cut by provider. Fighting this is probably useless. I've been butting with online since April about this. "Your appeal has been forwarded to the relevant department, blah blah blah." Moreover, they do not say which particular department is the "profile" department. Well, that is, in other words, they put a bolt on such applications, and it is not redirected to any "profile departments".
In your case, the way out is to build IPSec in another tunnel - L2TP or PPTP.

Report
A
Andrew, 2016-09-29
@OLS

Try checking MTU

Similar questions
I
impressive172019-12-04 00:39:50
What is the difference between the structure of projects in Obj C and Swift languages? 6Reply
B
b_alex2017-01-23 23:41:08
Mikrotik, port forwarding via VPN, with access from LAN 1, LAN 2 and WAN? 2Reply
S
s2019-06-20 17:51:13
Why am I getting notifications from blocked sites without a VPN? 2Reply
M
MadGreen2015-01-27 11:29:34
How to connect 2 vpn servers to each other via VPN over TOR? 0Reply
V
Vitaly Petrov2015-02-03 05:53:05
Mikrotik - VPN stopped working and beeps after reboot. What to do? 4Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question