Issue #2948

Multiple connections with a same account issue

Added by Tom Hsiung over 6 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.7.2
Resolution:
No change required

Description

Dear Sir,

Machine A is in LAN 1, Machine B is in LAN 2, and both LANs are private.

All traffic outbound from LAN1 and LAN2 is handled by a gateway which connects the home private LANs to the WAN.

In the above condition, only one machine could connect to the strongSwan server successfully.

If, however, I use a 4G mobile network to connect Machine B to the WAN, both Machine A and B could connect to the strongSwan server and access the Internet.

History

#1 Updated by Tom Hsiung over 6 years ago

Note that the gateway turns on NATP.

#2 Updated by Tom Hsiung over 6 years ago

It looks like strongSwan treats the initial UDP packets establishing the connection from both machines as if these packets were from a single machine, even if the source UDP ports from the two machines are different.

#3 Updated by Tobias Brunner over 6 years ago

  • Status changed from New to Feedback

#4 Updated by Tom Hsiung over 6 years ago

Hello, Tobias

I read the whole article but I did not find useful information to fix my issue. The connection mode is roadwarrior and uniqueids=never has already been set up. If I set rekey=no, all clients in my LAN could connect to the strongSwan server simultaneously, but the connection is not stable: every few minutes the connection is lost.

If I delete the configuration of rekey=no, the connection is stable, but only one client in my LAN can connect successfully. Two clients could connect successfully, but at present they must not be behind the same NAT.

PS: I connect successfully from my Mac, which is behind my home NAT gateway, and I connect successfully from my iPhone, which is behind the mobile network NAT. If the iPhone is behind the home NAT gateway, only one client could connect successfully.

Thanks.

#5 Updated by Tobias Brunner over 6 years ago

I read the whole article but I did not find useful information to fix my issue. The connection mode is roadwarrior and uniqueids=never has already been set up. If I set rekey=no, all clients in my LAN could connect to the strongSwan server simultaneously, but the connection is not stable: every few minutes the connection is lost.

If I delete the configuration of rekey=no, the connection is stable, but only one client in my LAN can connect successfully. Two clients could connect successfully, but at present they must not be behind the same NAT.

How is any of that related to what you described before (which was actually not clear in the least)? Please do your own research and ask concrete questions here. And please read HelpRequests too.

PS: I connect successfully from my Mac, which is behind my home NAT gateway, and I connect successfully from my iPhone, which is behind the mobile network NAT. If the iPhone is behind the home NAT gateway, only one client could connect successfully.

Read the log and fix whatever it indicates (e.g. don't use the same identity to connect from the same IP/NAT).

#6 Updated by Tom Hsiung over 6 years ago

So did you mean that if two clients behind the same SNAT want to connect to the server successfully at the same time, two identities/accounts for Roadwarrior login are needed?

Is it possible to use only one identity/account to connect to the server (Roadwarrior mode) for two clients behind the same SNAT at the same time?

Tom

#7 Updated by Tobias Brunner over 6 years ago

Try it and read the logs to answer these questions yourself.

#8 Updated by Tom Hsiung over 6 years ago

I don't know. It seems that there is no error information in the log.

Something rekeyed:

Mar 5 14:22:43 server-vu charon: 08[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (604 bytes)
...
Mar 5 14:22:43 server-vu charon: 08[IKE] x.x.x.x is initiating an IKE_SA
...
Mar 5 14:22:44 server-vu ipsec[21158]: 06[IKE] IKE_SA roadwarrior[100] rekeyed between x.x.x.x[domain.com]...x.x.x.x[192.168.1.21]
...
Mar 5 14:22:44 server-vu ipsec[21158]: 09[IKE] deleting IKE_SA roadwarrior[99] between x.x.x.x[domain.com]...x.x.x.x[192.168.1.21]
...
Mar 5 14:22:44 server-vu ipsec[21158]: 10[IKE] inbound CHILD_SA roadwarrior{139} established with SPIs xxx and TS 0.0.0.0/0 === 192.168.13.1/32
...
Mar 5 14:22:44 server-vu ipsec[21158]: 05[IKE] outbound CHILD_SA roadwarrior{139} established with SPIs xxx and TS 0.0.0.0/0 === 192.168.13.1/32

Then something about the second client:

Mar 5 14:22:44 server-vu charon: 06[CFG] looking for peer configs matching x.x.x.x[domain.com]...x.x.x.x[192.168.2.28]
...
Mar 5 14:22:44 server-vu charon: 06[IKE] authentication of 'xxx' (myself) with RSA signature successful
...
Mar 5 14:22:47 server-vu charon: 09[IKE] received retransmit of request with ID x, retransmitting response
...

#9 Updated by Tobias Brunner over 6 years ago

I did not say anything about errors in the log. And why would you think such partial logs would help in any way? Did you even read HelpRequests?

#10 Updated by Tom Hsiung over 6 years ago

Here it is:

Mar  5 15:00:08 server-vu charon: 11[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (604 bytes)
Mar  5 15:00:08 server-vu charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar  5 15:00:08 server-vu charon: 11[IKE] x.x.x.x is initiating an IKE_SA
Mar  5 15:00:08 server-vu charon: 11[IKE] remote host is behind NAT
Mar  5 15:00:08 server-vu charon: 11[IKE] sending cert request for "CN=Los Angeles strongSwan root CA, SN=20190218, C=US, L=Los Angeles, ST=California, O=TomHsiung, T=Clinical Pharmacy Speicalist, S=Hsiung, G=Tom" 
Mar  5 15:00:08 server-vu charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Mar  5 15:00:08 server-vu charon: 11[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (473 bytes)
Mar  5 15:00:11 server-vu charon: 14[NET] received packet: from x.x.x.x[1026] to x.x.x.x[4500] (528 bytes)
Mar  5 15:00:11 server-vu charon: 14[ENC] unknown attribute type (25)
Mar  5 15:00:11 server-vu charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Mar  5 15:00:11 server-vu charon: 14[CFG] looking for peer configs matching x.x.x.x[my.domain.name]...x.x.x.x[192.168.11.28]
Mar  5 15:00:11 server-vu charon: 14[CFG] selected peer config 'roadwarrior'
Mar  5 15:00:11 server-vu charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar  5 15:00:11 server-vu charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mar  5 15:00:11 server-vu charon: 14[IKE] peer supports MOBIKE
Mar  5 15:00:11 server-vu charon: 14[IKE] authentication of 'my.domain.name' (myself) with RSA signature successful
Mar  5 15:00:11 server-vu charon: 14[IKE] sending end entity cert "CN=Los Angeles strongSwan CA - my.domain.name, SN=20190218, C=US, L=Los Angeles, ST=California, O=TomHsiung, T=Clinical Pharmacy Speicalist, S=Hsiung, G=Tom" 
Mar  5 15:00:11 server-vu charon: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar  5 15:00:11 server-vu charon: 14[ENC] splitting IKE message with length of 2352 bytes into 2 fragments
Mar  5 15:00:11 server-vu charon: 14[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Mar  5 15:00:11 server-vu charon: 14[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Mar  5 15:00:11 server-vu charon: 14[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[1026] (1236 bytes)
Mar  5 15:00:11 server-vu charon: 14[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[1026] (1188 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 12[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
Mar  5 15:00:14 server-vu ipsec[21158]: 12[IKE] inbound CHILD_SA roadwarrior{149} established with SPIs c59b67fc_i 02745a56_o and TS 0.0.0.0/0 === 192.168.13.1/32
Mar  5 15:00:14 server-vu ipsec[21158]: 12[ENC] generating CREATE_CHILD_SA response 0 [ SA No TSi TSr ]
Mar  5 15:00:14 server-vu ipsec[21158]: 12[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (208 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 13[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (80 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 13[ENC] parsed INFORMATIONAL request 1 [ D ]
Mar  5 15:00:14 server-vu ipsec[21158]: 13[IKE] received DELETE for ESP CHILD_SA with SPI 020cf47e
Mar  5 15:00:14 server-vu ipsec[21158]: 13[IKE] closing CHILD_SA roadwarrior{148} with SPIs cb21fa32_i (1106550 bytes) 020cf47e_o (8113258 bytes) and TS 0.0.0.0/0 === 192.168.13.1/32
Mar  5 15:00:14 server-vu ipsec[21158]: 13[IKE] sending DELETE for ESP CHILD_SA with SPI cb21fa32
Mar  5 15:00:14 server-vu ipsec[21158]: 13[IKE] CHILD_SA closed
Mar  5 15:00:14 server-vu ipsec[21158]: 13[IKE] outbound CHILD_SA roadwarrior{149} established with SPIs c59b67fc_i 02745a56_o and TS 0.0.0.0/0 === 192.168.13.1/32
Mar  5 15:00:14 server-vu ipsec[21158]: 13[ENC] generating INFORMATIONAL response 1 [ D ]
Mar  5 15:00:14 server-vu ipsec[21158]: 13[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (80 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 15[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (192 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 15[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) SA No TSi TSr ]
Mar  5 15:00:14 server-vu ipsec[21158]: 15[IKE] inbound CHILD_SA roadwarrior{150} established with SPIs cb18311f_i 0da95d70_o and TS 0.0.0.0/0 === 192.168.13.1/32
Mar  5 15:00:14 server-vu ipsec[21158]: 15[ENC] generating CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Mar  5 15:00:14 server-vu ipsec[21158]: 15[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (208 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 16[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (80 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 16[ENC] parsed INFORMATIONAL request 3 [ D ]
Mar  5 15:00:14 server-vu ipsec[21158]: 16[IKE] received DELETE for ESP CHILD_SA with SPI 02745a56
Mar  5 15:00:14 server-vu ipsec[21158]: 16[IKE] closing CHILD_SA roadwarrior{149} with SPIs c59b67fc_i (0 bytes) 02745a56_o (0 bytes) and TS 0.0.0.0/0 === 192.168.13.1/32
Mar  5 15:00:14 server-vu ipsec[21158]: 16[IKE] sending DELETE for ESP CHILD_SA with SPI c59b67fc
Mar  5 15:00:14 server-vu ipsec[21158]: 16[IKE] CHILD_SA closed
Mar  5 15:00:14 server-vu ipsec[21158]: 16[IKE] outbound CHILD_SA roadwarrior{150} established with SPIs cb18311f_i 0da95d70_o and TS 0.0.0.0/0 === 192.168.13.1/32
Mar  5 15:00:14 server-vu ipsec[21158]: 16[ENC] generating INFORMATIONAL response 3 [ D ]
Mar  5 15:00:14 server-vu ipsec[21158]: 16[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (80 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 11[NET] received packet: from x.x.x.x[500] to x.x.x.x[500] (604 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mar  5 15:00:14 server-vu ipsec[21158]: 11[IKE] x.x.x.x is initiating an IKE_SA
Mar  5 15:00:14 server-vu ipsec[21158]: 11[IKE] remote host is behind NAT
Mar  5 15:00:14 server-vu ipsec[21158]: 11[IKE] sending cert request for "CN=Los Angeles strongSwan root CA, SN=20190218, C=US, L=Los Angeles, ST=California, O=TomHsiung, T=Clinical Pharmacy Speicalist, S=Hsiung, G=Tom" 
Mar  5 15:00:14 server-vu ipsec[21158]: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Mar  5 15:00:14 server-vu ipsec[21158]: 11[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (473 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 14[NET] received packet: from x.x.x.x[1026] to x.x.x.x[4500] (528 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 14[ENC] unknown attribute type (25)
Mar  5 15:00:14 server-vu ipsec[21158]: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Mar  5 15:00:14 server-vu ipsec[21158]: 14[CFG] looking for peer configs matching x.x.x.x[my.domain.name]...x.x.x.x[192.168.11.28]
Mar  5 15:00:14 server-vu ipsec[21158]: 14[CFG] selected peer config 'roadwarrior'
Mar  5 15:00:14 server-vu ipsec[21158]: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar  5 15:00:14 server-vu ipsec[21158]: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mar  5 15:00:14 server-vu ipsec[21158]: 14[IKE] peer supports MOBIKE
Mar  5 15:00:14 server-vu ipsec[21158]: 14[IKE] authentication of 'my.domain.name' (myself) with RSA signature successful
Mar  5 15:00:14 server-vu ipsec[21158]: 14[IKE] sending end entity cert "CN=Los Angeles strongSwan CA - my.domain.name, SN=20190218, C=US, L=Los Angeles, ST=California, O=TomHsiung, T=Clinical Pharmacy Speicalist, S=Hsiung, G=Tom" 
Mar  5 15:00:14 server-vu ipsec[21158]: 14[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar  5 15:00:14 server-vu ipsec[21158]: 14[ENC] splitting IKE message with length of 2352 bytes into 2 fragments
Mar  5 15:00:14 server-vu ipsec[21158]: 14[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Mar  5 15:00:14 server-vu ipsec[21158]: 14[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Mar  5 15:00:14 server-vu ipsec[21158]: 14[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[1026] (1236 bytes)
Mar  5 15:00:14 server-vu charon: 12[NET] received packet: from x.x.x.x[1026] to x.x.x.x[4500] (528 bytes)
Mar  5 15:00:14 server-vu ipsec[21158]: 14[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[1026] (1188 bytes)
Mar  5 15:00:14 server-vu charon: 12[ENC] unknown attribute type (25)
Mar  5 15:00:14 server-vu charon: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Mar  5 15:00:14 server-vu charon: 12[IKE] received retransmit of request with ID 1, retransmitting response
Mar  5 15:00:14 server-vu charon: 12[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[1026] (1236 bytes)
Mar  5 15:00:14 server-vu charon: 12[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[1026] (1188 bytes)
Mar  5 15:00:17 server-vu charon: 13[NET] received packet: from x.x.x.x[1026] to x.x.x.x[4500] (528 bytes)
Mar  5 15:00:17 server-vu charon: 13[ENC] unknown attribute type (25)
Mar  5 15:00:17 server-vu charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Mar  5 15:00:17 server-vu charon: 13[IKE] received retransmit of request with ID 1, retransmitting response
Mar  5 15:00:17 server-vu charon: 13[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[1026] (1236 bytes)
Mar  5 15:00:17 server-vu charon: 13[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[1026] (1188 bytes)
Mar  5 15:00:20 server-vu charon: 15[NET] received packet: from x.x.x.x[1026] to x.x.x.x[4500] (528 bytes)
Mar  5 15:00:20 server-vu charon: 15[ENC] unknown attribute type (25)
Mar  5 15:00:20 server-vu charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Mar  5 15:00:20 server-vu charon: 15[IKE] received retransmit of request with ID 1, retransmitting response
Mar  5 15:00:20 server-vu charon: 15[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[1026] (1236 bytes)
Mar  5 15:00:20 server-vu charon: 15[NET] sending packet: from x.x.x.x[4500] to x.x.x.x[1026] (1188 bytes)
Mar  5 15:00:38 server-vu charon: 16[JOB] deleting half open IKE_SA with x.x.x.x after timeout

#11 Updated by Tobias Brunner over 6 years ago

It looks like for some reason the IKE_AUTH response does not get through to the client (it sends retransmits of the request). Might be a problem with your NAT router (e.g. some kind of misbehaving IPsec passthrough feature, so check its settings) or an MTU issue (if the 1236-byte IKEv2 fragment is too large for some reason).
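A small log-triage script for the pattern described in this comment, added here as an example (it is not code from the strongSwan project or from anyone in this thread). It groups charon lines per client endpoint via the worker thread that handles each message and flags an endpoint whose request keeps being retransmitted until the half-open IKE_SA times out; the sample log is constructed from comment #10 with documentation addresses in place of x.x.x.x, and the thresholds are the script's own.

```python
"""Triage charon log lines for IKE_AUTH replies that never reach the client.

Added example, not strongSwan project code. Lines are grouped per client
endpoint via the worker thread that handles each message; an endpoint that
keeps retransmitting its request until the half-open IKE_SA times out is
flagged, which is the pattern comment #11 describes.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Line shape: "Mar  5 15:00:08 host charon: 14[NET] message" (or "ipsec[pid]:").
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?:charon|ipsec\[\d+\]): "
                  r"(?P<thread>\d+)\[[A-Z]+\] (?P<msg>.*)$")
RECV = re.compile(r"received packet: from (?P<ip>[\d.]+)\[(?P<port>\d+)\] to ")
SEND = re.compile(r"sending packet: from .* to .* \((?P<size>\d+) bytes\)")
HALF_OPEN = re.compile(r"deleting half open IKE_SA with (?P<ip>[\d.]+) after timeout")

@dataclass
class Endpoint:
    retransmits: int = 0
    largest_reply: int = 0       # biggest datagram sent back; compare with path MTU
    half_open_timeout: bool = False
    port_remapped: bool = False  # source port not 500/4500: the NAT chose a new mapping

def triage(log_text):
    """Return {"ip:port": Endpoint} built from charon log text."""
    endpoints = defaultdict(Endpoint)
    serving = {}  # worker thread id -> endpoint key of the message it is handling
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        h = HALF_OPEN.search(msg)
        if h:  # logged by IP only: attribute it to endpoints still retransmitting
            for key, ep in endpoints.items():
                ep.half_open_timeout |= key.startswith(h["ip"] + ":") and ep.retransmits > 0
            continue
        r = RECV.search(msg)
        if r:
            key = serving[thread] = f"{r['ip']}:{r['port']}"
            endpoints[key].port_remapped = r["port"] not in ("500", "4500")
            continue
        if thread not in serving:
            continue  # background job output, not tied to a client message
        ep, s = endpoints[serving[thread]], SEND.search(msg)
        if "received retransmit of request" in msg:
            ep.retransmits += 1
        elif s:
            ep.largest_reply = max(ep.largest_reply, int(s["size"]))
    return dict(endpoints)

def verdict(ep):
    # Thresholds are this example's own heuristics, not strongSwan's.
    if ep.retransmits >= 2 and ep.half_open_timeout:
        return "reply-not-reaching-client"  # check NAT/IPsec passthrough and path MTU
    return "retransmits" if ep.retransmits else "ok"

# Constructed sample modelled on comment #10, with documentation addresses
# (198.51.100.5 = server, 203.0.113.10 = the home NAT) in place of x.x.x.x.
SAMPLE_LOG = """\
Mar  5 15:00:11 server-vu charon: 14[NET] received packet: from 203.0.113.10[1026] to 198.51.100.5[4500] (528 bytes)
Mar  5 15:00:11 server-vu charon: 14[NET] sending packet: from 198.51.100.5[4500] to 203.0.113.10[1026] (1236 bytes)
Mar  5 15:00:14 server-vu charon: 12[NET] received packet: from 203.0.113.10[1026] to 198.51.100.5[4500] (528 bytes)
Mar  5 15:00:14 server-vu charon: 12[IKE] received retransmit of request with ID 1, retransmitting response
Mar  5 15:00:17 server-vu charon: 13[NET] received packet: from 203.0.113.10[1026] to 198.51.100.5[4500] (528 bytes)
Mar  5 15:00:17 server-vu charon: 13[IKE] received retransmit of request with ID 1, retransmitting response
Mar  5 15:00:20 server-vu charon: 15[NET] received packet: from 203.0.113.10[4500] to 198.51.100.5[4500] (528 bytes)
Mar  5 15:00:20 server-vu charon: 15[NET] sending packet: from 198.51.100.5[4500] to 203.0.113.10[4500] (272 bytes)
Mar  5 15:00:38 server-vu charon: 16[JOB] deleting half open IKE_SA with 203.0.113.10 after timeout
"""

if __name__ == "__main__":
    for key, ep in triage(SAMPLE_LOG).items():
        print(f"{key:22} {verdict(ep):26} largest reply {ep.largest_reply} B  nat-remapped={ep.port_remapped}")
```

A remapped source port by itself is reported only as information, since (as noted later in the thread) a NAT picking a port other than 4500 is normal.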

#12 Updated by Tom Hsiung over 6 years ago

It's strange. I made some experiments; only one device could connect at the same time. The first client to connect will succeed. The latter will not.

Tom

#13 Updated by Tobias Brunner over 6 years ago

It's strange. I made some experiments; only one device could connect at the same time. The first client to connect will succeed. The latter will not.

If the log looks the same in each case (e.g. UDP ports and retransmits) then refer to my comment above (i.e. it's a network issue you have to sort out). If it's something else, post the log.

#14 Updated by Noel Kuntze over 6 years ago

That problem is likely caused by "IPsec passthrough", a setting that is completely useless and only breaks IPsec tunnels nowadays. Disable it on the router. Then the problem should be resolved.

#15 Updated by Tom Hsiung over 6 years ago

And I tested the potential cause of one identity/account. It is ruled out. Even though I tried to connect with different authentic identities on two clients, the same error happens.

My router is an Ubuntu computer; how do I turn off the IPsec passthrough function?

Tom

#16 Updated by Tom Hsiung over 6 years ago

And I found an iptables rule in my -t mangle table:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN tcpmss match 1400:65495 TCPMSS clamp to PMTU

Is this causing the issue?

#17 Updated by Tom Hsiung over 6 years ago

And I just noticed that:

This is the successful try; the client's UDP port was 4500.

Mar  5 17:29:06 server-vu charon: 09[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (473 bytes)
Mar  5 17:29:06 server-vu charon: 11[NET] received packet: from x.x.x.x[4500] to x.x.x.x[4500] (528 bytes)

This is the failed try; note the client's UDP port was changed to 1026.

Mar  5 15:00:08 server-vu charon: 11[NET] sending packet: from x.x.x.x[500] to x.x.x.x[500] (473 bytes)
Mar  5 15:00:11 server-vu charon: 14[NET] received packet: from x.x.x.x[1026] to x.x.x.x[4500] (528 bytes)

Maybe UDP port 1026 has been captured by another program. Or some configuration causes the issue.

Maybe the changed client UDP port number is a cue.

#18 Updated by Tom Hsiung over 6 years ago

And I tried to connect from both clients in another local network. I used my iPhone as the router connecting the local network and the Internet.

Both clients could connect to my strongSwan server successfully.

This is client 1, which succeeded.

Mar  5 18:11:06 server-vu charon: 14[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar  5 18:11:06 server-vu charon: 14[NET] sending packet: from x.x.x.x[4500] to 117.136.63.159[11548] (272 bytes)

This is client 2, which succeeded too.

Mar  5 18:14:09 server-vu charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar  5 18:14:09 server-vu charon: 12[NET] sending packet: from x.x.x.x[4500] to 117.136.63.159[11549] (272 bytes)

Note the client UDP ports are 11548 and 11549 for each client, respectively.

Tom

#19 Updated by Tom Hsiung over 6 years ago

And of note, I have installed strongSwan on my Ubuntu router gateway.

#20 Updated by Tobias Brunner over 6 years ago

Is this causing the issue?

No, that rule only affects TCP. But you should check the other firewall rules.

Maybe UDP port 1026 has been captured by another program. Or some configuration causes the issue.
Maybe the changed client UDP port number is a cue.

No, that's normal. Linux first tries to keep the same source port and if that's not possible because there would be conflicts it creates a new NAT mapping. And I can't imagine that conntrack would use a port that's already used by a UDP socket on the system (but you could check with netstat).

And of note, I have installed strongSwan on my Ubuntu router gateway.

That shouldn't really matter unless it's configured and running and policies/SAs interfere with this traffic somehow.

Is there another NAT between that Ubuntu router and the server? Or is the public IP of that router actually seen in the server log? You can try capturing traffic on the router to see if the response is actually received and forwarded.

#21 Updated by Tom Hsiung over 6 years ago

Thank you for your great reply, Tobias.

That shouldn't really matter unless it's configured and running and policies/SAs interfere with this traffic somehow.

I have two strongSwan servers. One is installed on my home gateway, an Ubuntu server which serves as the router connecting my home network and the Internet. The other is a VPS located somewhere remotely.

1. The home Ubuntu server has two network interfaces, one for the home network and the other gets a public IP address. MASQUERADE is enabled on the Ubuntu server.

2. I primarily connect from clients in my home network to the VPS strongSwan server. So the client's packets to the VPS strongSwan server are modified by the MASQUERADE rule. I found that the source port of the UDP packets is changed to 500, 4500, and that 1026. Because the Ubuntu server already uses UDP ports 500 and 4500 for the strongSwan service, would it cause some conflict?

Interestingly, syslog shows that the successful connection to the VPS strongSwan server is between port 500/4500 and 500/4500. And the failed connection to the VPS strongSwan server is between 500/1026 and 500/4500.

This was the initial UDP packet from client 1 (successful try). Note client 1's original port (I don't know what number it is) was replaced by the MASQUERADE rule with port 500.

Mar  5 17:29:06 server-vu charon: 09[NET] received packet: from 182.148.28.103[500] to x.x.x.x[500] (604 bytes)

Then, response 0 succeeded:

Mar  5 17:29:06 server-vu charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Mar  5 17:29:06 server-vu charon: 09[NET] sending packet: from x.x.x.x[500] to 182.148.28.103[500] (473 bytes)

And because the device is behind NAT, port 4500 replaced port 500. Note that client 1's original port was replaced by the MASQUERADE rule with port 4500.

Mar  5 17:29:06 server-vu charon: 11[NET] received packet: from 182.148.28.103[4500] to x.x.x.x[4500] (528 bytes)

And in the final two log records, still port 4500. So was port 4500 after MASQUERADE a coincidence? I don't think so.

Mar  5 17:29:17 server-vu charon: 16[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar  5 17:29:17 server-vu charon: 16[NET] sending packet: from x.x.x.x[4500] to 182.148.28.103[4500] (272 bytes)

=========
Just so you know, the issue has been resolved and I don't know what I have done to make it work.

1. I rebooted my home Ubuntu server a few times.

2. I ran the update and autoremove commands on my home Ubuntu server.

sudo apt-get update
sudo apt-get upgrade
sudo apt autoremove
sudo apt clean

Some results:

After this operation, 668 MB disk space will be freed.
Do you want to continue? [Y/n] y

Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  lxd lxd-client
The following packages will be upgraded:
  initramfs-tools initramfs-tools-bin initramfs-tools-core landscape-common libidn11 python3-gi
6 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
Need to get 355 kB of archives.
After this operation, 3,072 B of additional disk space will be used.
Do you want to continue? [Y/n] y

3. Client 1 uses both WiFi and Ethernet. Ethernet is in private LAN1, connected directly to the home Ubuntu server (gateway). WiFi is in private LAN2. LAN1 and LAN2 are connected by a TP-Link router which has the NATP function turned on. I disabled the Ethernet and kept WiFi enabled.

4. I rebooted my VPS strongSwan server once.

5. I modified the iptables rule on my VPS strongSwan server.

I changed the rule:

iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE

to:

iptables -t nat -A POSTROUTING -o ens3 -j SNAT --to-source x.x.x.x

#22 Updated by Tobias Brunner over 6 years ago

Because the Ubuntu server already uses UDP ports 500 and 4500 for the strongSwan service, would it cause some conflict?

Yes, but that doesn't matter. The source ports don't have to be 500 or 4500. More problematic is probably that the IPsec policies/SAs on this host might interfere with the VPN of clients behind the router (depending on the actual traffic selectors). And the NAT itself could also be a problem (see ForwardingAndSplitTunneling).

Just so you know, the issue has been resolved and I don't know what I have done to make it work.

OK, great.

#23 Updated by Tom Hsiung over 6 years ago

Today, the issue turns up again.

And it seems that, if I try to connect from the second client to the VPS, and the home Ubuntu server router's MASQUERADE assigns port 1026 to the second client's packets, the connection will fail.

Tom

#24 Updated by Tom Hsiung over 6 years ago

And I thought a little. Later, I tried to modify the UDP port range of MASQUERADE by:

sudo iptables -t nat -A POSTROUTING --protocol udp -o ppp0 -j MASQUERADE --to-ports 52000-52999

After that, the UDP 1026 issue seems to be resolved.

I don't know what is wrong with the UDP 1026 port.

Thanks!

Tom

#25 Updated by Tobias Brunner over 6 years ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required