Issue #3632

VPN client application cannot connect to server on GSM of one Operator

Added by Royi Cohen 5 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Category: network / firewall
Affected version: 5.9.1
Resolution: No change required

Description

Hi,
We notice that on one operator here in Israel, our client VPN for Android is not able to establish a VPN connection to our server. This happens only when the phone is connected to this operator and not running on Wi-Fi.
Switching the phone to work with Wi-Fi or using a SIM that belongs to the other operators works as expected.

The following is a log from the client application when connected via this operator:
11-18 16:50:30.256 30845 31075 I charon : 05[CFG] checking certificate status of "OU=Domain Control Validated, CN=*.xxxxxxxxxx.com"
11-18 16:50:30.256 30845 31075 I charon : 05[CFG] requesting ocsp status from 'http://ocsp.godaddy.com/' ...
11-18 16:50:30.513 30845 31075 I charon : 05[LIB] ocsp response status: unauthorized
11-18 16:50:30.513 30845 31075 I charon : 05[LIB] building CRED_CERTIFICATE - OCSP_RESPONSE failed, tried 2 builders
11-18 16:50:30.513 30845 31075 I charon : 05[CFG] parsing ocsp response failed
11-18 16:50:30.513 30845 31075 I charon : 05[CFG] ocsp check failed, fallback to crl
11-18 16:50:30.515 30845 31075 I charon : 05[CFG] using certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
11-18 16:50:30.516 30845 31075 I charon : 05[CFG] using trusted ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
11-18 16:50:30.516 30845 31075 I charon : 05[CFG] reached self-signed root ca with a path length of 0
11-18 16:50:30.516 30845 31075 I charon : 05[CFG] crl correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
11-18 16:50:30.517 30845 31075 I charon : 05[CFG] crl is valid: until Nov 24 20:54:10 2020
11-18 16:50:30.517 30845 31075 I charon : 05[CFG] using cached crl
11-18 16:50:30.517 30845 31075 I charon : 05[CFG] certificate status is good
11-18 16:50:30.518 30845 31075 I charon : 05[CFG] using trusted ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
11-18 16:50:30.518 30845 31075 I charon : 05[CFG] checking certificate status of "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
11-18 16:50:30.518 30845 31075 I charon : 05[CFG] requesting ocsp status from 'http://ocsp.godaddy.com/' ...
11-18 16:50:30.616 30845 31075 I charon : 05[CFG] nonce in ocsp response doesn't match
11-18 16:50:30.617 30845 31075 I charon : 05[CFG] ocsp check failed, fallback to crl
11-18 16:50:30.617 30845 31075 I charon : 05[CFG] fetching crl from 'http://crl.godaddy.com/gdroot-g2.crl' ...
11-18 16:50:30.821 30845 31075 I charon : 05[CFG] using trusted certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
11-18 16:50:30.822 30845 31075 I charon : 05[CFG] crl correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
11-18 16:50:30.822 30845 31075 I charon : 05[CFG] crl is valid: until Sep 10 01:07:51 2021
11-18 16:50:30.822 30845 31075 I charon : 05[CFG] certificate status is good
11-18 16:50:30.822 30845 31075 I charon : 05[CFG] reached self-signed root ca with a path length of 1
11-18 16:50:30.822 30845 31075 I charon : 05[IKE] authentication of 'OU=Domain Control Validated, CN=*.xxxxxxxxxx.com' with RSA_EMSA_PKCS1_SHA2_256 successful
11-18 16:50:30.822 30845 31075 I charon : 05[LIB] crl from Sep 10 01:07:51 2020 is not newer - existing crl from Sep 10 01:07:51 2020 retained
11-18 16:50:30.823 30845 31075 I charon : 05[IKE] server requested EAP_IDENTITY (id 0x00), sending '1-224015461'
11-18 16:50:30.823 30845 31075 I charon : 05[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
11-18 16:50:30.823 30845 31075 I charon : 05[NET] sending packet: from 10.0.0.2[44584] to 54.209.21.19[4500] (96 bytes)
11-18 16:50:31.003 30845 31079 I charon : 08[NET] received packet: from 54.209.21.19[4500] to 10.0.0.2[44584] (96 bytes)
11-18 16:50:31.004 30845 31079 I charon : 08[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
11-18 16:50:31.004 30845 31079 I charon : 08[IKE] server requested EAP_MD5 authentication (id 0x24)
11-18 16:50:31.004 30845 31079 I charon : 08[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
11-18 16:50:31.004 30845 31079 I charon : 08[NET] sending packet: from 10.0.0.2[44584] to 54.209.21.19[4500] (96 bytes)
11-18 16:50:31.167 30845 31077 I charon : 07[NET] received packet: from 54.209.21.19[4500] to 10.0.0.2[44584] (80 bytes)
11-18 16:50:31.167 30845 31077 I charon : 07[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
11-18 16:50:31.167 30845 31077 I charon : 07[IKE] EAP method EAP_MD5 succeeded, no MSK established
11-18 16:50:31.167 30845 31077 I charon : 07[IKE] authentication of '1-224015461' (myself) with EAP
11-18 16:50:31.168 30845 31077 I charon : 07[ENC] generating IKE_AUTH request 4 [ AUTH ]
11-18 16:50:31.168 30845 31077 I charon : 07[NET] sending packet: from 10.0.0.2[44584] to 54.209.21.19[4500] (96 bytes)
11-18 16:50:31.342 30845 31082 I charon : 11[NET] received packet: from 54.209.21.19[4500] to 10.0.0.2[44584] (336 bytes)
11-18 16:50:31.342 30845 31082 I charon : 11[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
11-18 16:50:31.342 30845 31082 I charon : 11[IKE] authentication of 'OU=Domain Control Validated, CN=*.xxxxxxxxxx.com' with EAP successful
11-18 16:50:31.342 30845 31082 I charon : 11[IKE] IKE_SA android[2] established between 10.0.0.2[1-224015461]...54.209.21.19[OU=Domain Control Validated, CN=*.xxxxxxxxxx.com]
11-18 16:50:31.343 30845 31082 I charon : 11[IKE] scheduling rekeying in 35941s
11-18 16:50:31.344 30845 31082 I charon : 11[IKE] maximum IKE_SA lifetime 37741s
11-18 16:50:31.344 30845 31082 I charon : 11[IKE] installing DNS server 8.8.8.8
11-18 16:50:31.344 30845 31082 I charon : 11[IKE] installing new virtual IP 10.2.0.1
11-18 16:50:31.344 30845 31082 I charon : 11[IKE] installing new virtual IP fec1::1
11-18 16:50:31.344 30845 31082 I charon : 11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
11-18 16:50:31.345 30845 31082 I charon : 11[IKE] CHILD_SA android{2} established with SPIs 6f22d178_i c0eacfc9_o and TS 10.2.0.1/32 fec1::1/128 === 0.0.0.0/0 ::/0
11-18 16:50:31.345 30845 31082 I charon : 11[DMN] setting up TUN device for CHILD_SA android{2}
11-18 16:50:31.414 30845 31082 I charon : 11[DMN] successfully created TUN device
11-18 16:50:31.415 30845 31082 I charon : 11[IKE] received AUTH_LIFETIME of 10032s, scheduling reauthentication in 8232s
11-18 16:50:31.416 30845 31082 I charon : 11[IKE] peer supports MOBIKE

And from the server:
Nov 18 14:37:52 05[NET] <504> sending packet: from 172.30.3.115[500] to 147.161.9.255[14347] (305 bytes)
Nov 18 14:37:52 13[NET] <504> received packet: from 147.161.9.255[14353] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:37:54 06[NET] <504> received packet: from 147.161.9.255[14353] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:37:55 05[IKE] <499> sending keep alive to 147.161.9.255[14348]
Nov 18 14:37:57 16[NET] <504> received packet: from 147.161.9.255[14353] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:02 16[NET] <504> received packet: from 147.161.9.255[14353] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:05 12[JOB] <499> deleting half open IKE_SA with 147.161.9.255 after timeout
Nov 18 14:38:07 03[NET] sending packet: from 172.30.3.115[500] to 147.161.9.255[14347] (60 bytes)
Nov 18 14:38:08 15[NET] <513> received packet: from 147.161.9.255[14347] to 172.30.3.115[500] (748 bytes)
Nov 18 14:38:08 15[IKE] <513> 147.161.9.255 is initiating an IKE_SA
Nov 18 14:38:08 15[NET] <513> sending packet: from 172.30.3.115[500] to 147.161.9.255[14347] (38 bytes)
Nov 18 14:38:08 08[NET] <514> received packet: from 147.161.9.255[14347] to 172.30.3.115[500] (716 bytes)
Nov 18 14:38:08 08[IKE] <514> 147.161.9.255 is initiating an IKE_SA
Nov 18 14:38:08 08[NET] <514> sending packet: from 172.30.3.115[500] to 147.161.9.255[14347] (305 bytes)
Nov 18 14:38:08 10[NET] <514> received packet: from 147.161.9.255[14348] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:10 14[NET] <514> received packet: from 147.161.9.255[14348] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:12 10[IKE] <504> sending keep alive to 147.161.9.255[14353]
Nov 18 14:38:13 05[NET] <514> received packet: from 147.161.9.255[14348] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:18 14[NET] <514> received packet: from 147.161.9.255[14348] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:22 06[JOB] <504> deleting half open IKE_SA with 147.161.9.255 after timeout
Nov 18 14:38:24 03[NET] sending packet: from 172.30.3.115[500] to 147.161.9.255[14355] (60 bytes)
Nov 18 14:38:24 07[NET] <525> received packet: from 147.161.9.255[14355] to 172.30.3.115[500] (748 bytes)
Nov 18 14:38:24 07[IKE] <525> 147.161.9.255 is initiating an IKE_SA
Nov 18 14:38:24 07[NET] <525> sending packet: from 172.30.3.115[500] to 147.161.9.255[14355] (38 bytes)
Nov 18 14:38:24 12[NET] <526> received packet: from 147.161.9.255[14355] to 172.30.3.115[500] (716 bytes)
Nov 18 14:38:24 12[IKE] <526> 147.161.9.255 is initiating an IKE_SA
Nov 18 14:38:24 12[NET] <526> sending packet: from 172.30.3.115[500] to 147.161.9.255[14355] (305 bytes)
Nov 18 14:38:24 06[NET] <526> received packet: from 147.161.9.255[14356] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:26 05[NET] <526> received packet: from 147.161.9.255[14356] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:28 08[IKE] <514> sending keep alive to 147.161.9.255[14348]
Nov 18 14:38:29 11[NET] <526> received packet: from 147.161.9.255[14356] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:34 11[NET] <526> received packet: from 147.161.9.255[14356] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:38 05[JOB] <514> deleting half open IKE_SA with 147.161.9.255 after timeout
Nov 18 14:38:40 03[NET] sending packet: from 172.30.3.115[500] to 147.161.9.255[14348] (60 bytes)
Nov 18 14:38:40 16[NET] <535> received packet: from 147.161.9.255[14348] to 172.30.3.115[500] (748 bytes)
Nov 18 14:38:40 16[IKE] <535> 147.161.9.255 is initiating an IKE_SA
Nov 18 14:38:40 16[NET] <535> sending packet: from 172.30.3.115[500] to 147.161.9.255[14348] (38 bytes)
Nov 18 14:38:40 06[NET] <536> received packet: from 147.161.9.255[14348] to 172.30.3.115[500] (716 bytes)
Nov 18 14:38:40 06[IKE] <536> 147.161.9.255 is initiating an IKE_SA
Nov 18 14:38:40 06[NET] <536> sending packet: from 172.30.3.115[500] to 147.161.9.255[14348] (305 bytes)
Nov 18 14:38:41 15[NET] <536> received packet: from 147.161.9.255[14358] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:43 11[NET] <536> received packet: from 147.161.9.255[14358] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:44 14[IKE] <526> sending keep alive to 147.161.9.255[14356]
Nov 18 14:38:45 08[NET] <536> received packet: from 147.161.9.255[14358] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:50 07[NET] <536> received packet: from 147.161.9.255[14358] to 172.30.3.115[4500] (676 bytes)
Nov 18 14:38:54 16[JOB] <526> deleting half open IKE_SA with 147.161.9.255 after timeout
Nov 18 14:38:56 03[NET] sending packet: from 172.30.3.115[500] to 147.161.9.255[14349] (60 bytes)
Nov 18 14:38:56 10[NET] <542> received packet: from 147.161.9.255[14349] to 172.30.3.115[500] (748 bytes)
Nov 18 14:38:56 10[IKE] <542> 147.161.9.255 is initiating an IKE_SA

----
And this is the log when we activated the Wi-Fi and the connection was established:
11-18 16:50:28.986 30845 30954 I charon : 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
11-18 16:50:28.986 30845 30954 I charon : 00[JOB] spawning 16 worker threads
11-18 16:50:28.996 30845 31075 I charon : 05[IKE] initiating IKE_SA android[2] to 54.209.21.19
11-18 16:50:28.997 30845 31075 I charon : 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11-18 16:50:28.997 30845 31075 I charon : 05[NET] sending packet: from 10.118.199.236[48806] to 54.209.21.19[500] (716 bytes)
11-18 16:50:29.208 30845 31074 I charon : 06[NET] received packet: from 54.209.21.19[500] to 10.118.199.236[48806] (60 bytes)
11-18 16:50:29.209 30845 31074 I charon : 06[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
11-18 16:50:29.209 30845 31074 I charon : 06[IKE] initiating IKE_SA android[2] to 54.209.21.19
11-18 16:50:29.209 30845 31074 I charon : 06[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11-18 16:50:29.209 30845 31074 I charon : 06[NET] sending packet: from 10.118.199.236[48806] to 54.209.21.19[500] (748 bytes)
11-18 16:50:29.218 30845 31077 I charon : 07[IKE] old path is not available anymore, try to find another
11-18 16:50:29.218 30845 31077 I charon : 07[IKE] looking for a route to 54.209.21.19 ...
11-18 16:50:29.219 30845 31077 I charon : 07[IKE] reauthenticating IKE_SA due to address change
11-18 16:50:29.332 30845 31077 I charon : 07[IKE] reinitiating IKE_SA android[2]
11-18 16:50:29.332 30845 31077 I charon : 07[IKE] initiating IKE_SA android[2] to 54.209.21.19
11-18 16:50:29.333 30845 31077 I charon : 07[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11-18 16:50:29.333 30845 31077 I charon : 07[NET] sending packet: from 10.0.0.2[48806] to 54.209.21.19[500] (748 bytes)
11-18 16:50:29.569 30845 31080 I charon : 10[NET] received packet: from 54.209.21.19[500] to 10.0.0.2[48806] (60 bytes)
11-18 16:50:29.569 30845 31080 I charon : 10[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
11-18 16:50:29.569 30845 31080 I charon : 10[IKE] initiating IKE_SA android[2] to 54.209.21.19
11-18 16:50:29.570 30845 31080 I charon : 10[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11-18 16:50:29.570 30845 31080 I charon : 10[NET] sending packet: from 10.0.0.2[48806] to 54.209.21.19[500] (748 bytes)
11-18 16:50:29.734 30845 31082 I charon : 11[NET] received packet: from 54.209.21.19[500] to 10.0.0.2[48806] (38 bytes)
11-18 16:50:29.734 30845 31082 I charon : 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
11-18 16:50:29.734 30845 31082 I charon : 11[IKE] peer didn't accept DH group ECP_256, it requested CURVE_25519
11-18 16:50:29.734 30845 31082 I charon : 11[IKE] initiating IKE_SA android[2] to 54.209.21.19
11-18 16:50:29.735 30845 31082 I charon : 11[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11-18 16:50:29.735 30845 31082 I charon : 11[NET] sending packet: from 10.0.0.2[48806] to 54.209.21.19[500] (716 bytes)
11-18 16:50:29.939 30845 31078 I charon : 12[NET] received packet: from 54.209.21.19[500] to 10.0.0.2[48806] (305 bytes)
11-18 16:50:29.939 30845 31078 I charon : 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
11-18 16:50:29.939 30845 31078 I charon : 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
11-18 16:50:29.939 30845 31078 I charon : 12[IKE] local host is behind NAT, sending keep alives
11-18 16:50:29.943 30845 31078 I charon : 12[IKE] remote host is behind NAT
11-18 16:50:29.943 30845 31078 I charon : 12[CFG] loaded crl issued by 'C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2'
11-18 16:50:29.946 30845 31078 I charon : 12[CFG] loaded crl issued by 'C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2'
11-18 16:50:30.060 30845 31078 I charon : 12[IKE] received 3 cert requests for an unknown ca
11-18 16:50:30.060 30845 31078 I charon : 12[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E="
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-2"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority ECC"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G2"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R2"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=FR, O=Dhimyotis, OU=0002 48146308100036, CN=Certigna Root CA"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-1"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "O=Cybertrust, Inc, CN=Cybertrust Global Root"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "OU=GlobalSign Root CA - R6, O=GlobalSign, CN=GlobalSign"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R1"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=Secure Global CA"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2"
11-18 16:50:30.061 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=TW, O=Government Root Certification Authority"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=TR, L=Ankara, O=E-Tu??ra EBG Bili??im Teknolojileri ve Hizmetleri A.??., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=CN, O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD., CN=GDCA TrustAUTH R5 ROOT"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 2"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=SecureTrust CA"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "O=TeliaSonera, CN=TeliaSonera Root CA v1"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R3"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GC CA"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=FR, O=Certplus, CN=Class 2 Primary CA"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 1"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Networking"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=CN, O=UniTrust, CN=UCA Global G2 Root"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=FR, O=Dhimyotis, CN=Certigna"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 3"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "CN=Atos TrustedRoot 2011, O=Atos, C=DE"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R4"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=FI, O=Sonera, CN=Sonera Class2 CA"
11-18 16:50:30.062 30845 31078 I charon : 12[IKE] sending cert request for "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 4"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority ECC"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority RSA R2"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=FR, O=Certplus, CN=Certplus Root CA G2"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=CN, O=UniTrust, CN=UCA Extended Validation Root"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G3"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=ES, O=IZENPE S.A., CN=Izenpe.com"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=pki@sk.ee"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=HU, L=Budapest, O=NetLock Kft., OU=Tan??s??tv??nykiad??k (Certification Services), CN=NetLock Arany (Class Gold) F??tan??s??tv??ny"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor ECA-1"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=GB, O=Trustis Limited, OU=Trustis FPS Root CA"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Root CA"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] sending cert request for "C=RO, O=certSIGN, OU=certSIGN ROOT CA"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Commercial"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] sending cert request for "C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2"
11-18 16:50:30.064 30845 31078 I charon : 12[IKE] establishing CHILD_SA android{2}
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] splitting IKE message (3264 bytes) into 3 fragments
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:50:30.065 30845 31078 I charon : 12[NET] sending packet: from 10.0.0.2[44584] to 54.209.21.19[4500] (1364 bytes)
11-18 16:50:30.065 30845 31078 I charon : 12[NET] sending packet: from 10.0.0.2[44584] to 54.209.21.19[4500] (1364 bytes)
11-18 16:50:30.065 30845 31078 I charon : 12[NET] sending packet: from 10.0.0.2[44584] to 54.209.21.19[4500] (676 bytes)
11-18 16:50:30.246 30845 31083 I charon : 13[NET] received packet: from 54.209.21.19[4500] to 10.0.0.2[44584] (1236 bytes)
11-18 16:50:30.247 30845 31083 I charon : 13[ENC] parsed IKE_AUTH response 1 [ EF ]
11-18 16:50:30.247 30845 31083 I charon : 13[ENC] received fragment #1 of 3, waiting for complete IKE message
11-18 16:50:30.247 30845 31084 I charon : 14[NET] received packet: from 54.209.21.19[4500] to 10.0.0.2[44584] (948 bytes)
11-18 16:50:30.247 30845 31084 I charon : 14[ENC] parsed IKE_AUTH response 1 [ EF ]
11-18 16:50:30.247 30845 31084 I charon : 14[ENC] received fragment #3 of 3, waiting for complete IKE message
11-18 16:50:30.247 30845 31075 I charon : 05[NET] received packet: from 54.209.21.19[4500] to 10.0.0.2[44584] (1236 bytes)
11-18 16:50:30.247 30845 31075 I charon : 05[ENC] parsed IKE_AUTH response 1 [ EF ]
11-18 16:50:30.247 30845 31075 I charon : 05[ENC] received fragment #2 of 3, reassembled fragmented IKE message (3280 bytes)
11-18 16:50:30.247 30845 31075 I charon : 05[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
11-18 16:50:30.248 30845 31075 I charon : 05[IKE] received end entity cert "OU=Domain Control Validated, CN=*.xxxxxxxxxx.com"
11-18 16:50:30.248 30845 31075 I charon : 05[IKE] received issuer cert "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
11-18 16:50:30.254 30845 31075 I charon : 05[CFG] using certificate "OU=Domain Control Validated, CN=*.xxxxxxxxxx.com"
11-18 16:50:30.256 30845 31075 I charon : 05[CFG] using untrusted intermediate certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
11-18 16:50:30.256 30845 31075 I charon : 05[CFG] checking certificate status of "OU=Domain Control Validated, CN=*.xxxxxxxxxx.com"
11-18 16:50:30.256 30845 31075 I charon : 05[CFG] requesting ocsp status from 'http://ocsp.godaddy.com/' ...
11-18 16:50:30.513 30845 31075 I charon : 05[LIB] ocsp response status: unauthorized
11-18 16:50:30.513 30845 31075 I charon : 05[LIB] building CRED_CERTIFICATE - OCSP_RESPONSE failed, tried 2 builders
11-18 16:50:30.513 30845 31075 I charon : 05[CFG] parsing ocsp response failed
11-18 16:50:30.513 30845 31075 I charon : 05[CFG] ocsp check failed, fallback to crl
11-18 16:50:30.515 30845 31075 I charon : 05[CFG] using certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
11-18 16:50:30.516 30845 31075 I charon : 05[CFG] using trusted ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
11-18 16:50:30.516 30845 31075 I charon : 05[CFG] reached self-signed root ca with a path length of 0
11-18 16:50:30.516 30845 31075 I charon : 05[CFG] crl correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
11-18 16:50:30.517 30845 31075 I charon : 05[CFG] crl is valid: until Nov 24 20:54:10 2020
11-18 16:50:30.517 30845 31075 I charon : 05[CFG] using cached crl
11-18 16:50:30.517 30845 31075 I charon : 05[CFG] certificate status is good
11-18 16:50:30.518 30845 31075 I charon : 05[CFG] using trusted ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
11-18 16:50:30.518 30845 31075 I charon : 05[CFG] checking certificate status of "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2"
11-18 16:50:30.518 30845 31075 I charon : 05[CFG] requesting ocsp status from 'http://ocsp.godaddy.com/' ...
11-18 16:50:30.616 30845 31075 I charon : 05[CFG] nonce in ocsp response doesn't match
11-18 16:50:30.617 30845 31075 I charon : 05[CFG] ocsp check failed, fallback to crl
11-18 16:50:30.617 30845 31075 I charon : 05[CFG] fetching crl from 'http://crl.godaddy.com/gdroot-g2.crl' ...
11-18 16:50:30.821 30845 31075 I charon : 05[CFG] using trusted certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
11-18 16:50:30.822 30845 31075 I charon : 05[CFG] crl correctly signed by "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
11-18 16:50:30.822 30845 31075 I charon : 05[CFG] crl is valid: until Sep 10 01:07:51 2021
11-18 16:50:30.822 30845 31075 I charon : 05[CFG] certificate status is good
11-18 16:50:30.822 30845 31075 I charon : 05[CFG] reached self-signed root ca with a path length of 1
11-18 16:50:30.822 30845 31075 I charon : 05[IKE] authentication of 'OU=Domain Control Validated, CN=*.xxxxxxxxxx.com' with RSA_EMSA_PKCS1_SHA2_256 successful
11-18 16:50:30.822 30845 31075 I charon : 05[LIB] crl from Sep 10 01:07:51 2020 is not newer - existing crl from Sep 10 01:07:51 2020 retained
11-18 16:50:30.823 30845 31075 I charon : 05[IKE] server requested EAP_IDENTITY (id 0x00), sending '1-224015461'
11-18 16:50:30.823 30845 31075 I charon : 05[ENC] generating IKE_AUTH request 2 [ EAP/RES/ID ]
11-18 16:50:30.823 30845 31075 I charon : 05[NET] sending packet: from 10.0.0.2[44584] to 54.209.21.19[4500] (96 bytes)
11-18 16:50:31.003 30845 31079 I charon : 08[NET] received packet: from 54.209.21.19[4500] to 10.0.0.2[44584] (96 bytes)
11-18 16:50:31.004 30845 31079 I charon : 08[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MD5 ]
11-18 16:50:31.004 30845 31079 I charon : 08[IKE] server requested EAP_MD5 authentication (id 0x24)
11-18 16:50:31.004 30845 31079 I charon : 08[ENC] generating IKE_AUTH request 3 [ EAP/RES/MD5 ]
11-18 16:50:31.004 30845 31079 I charon : 08[NET] sending packet: from 10.0.0.2[44584] to 54.209.21.19[4500] (96 bytes)
11-18 16:50:31.167 30845 31077 I charon : 07[NET] received packet: from 54.209.21.19[4500] to 10.0.0.2[44584] (80 bytes)
11-18 16:50:31.167 30845 31077 I charon : 07[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
11-18 16:50:31.167 30845 31077 I charon : 07[IKE] EAP method EAP_MD5 succeeded, no MSK established
11-18 16:50:31.167 30845 31077 I charon : 07[IKE] authentication of '1-224015461' (myself) with EAP
11-18 16:50:31.168 30845 31077 I charon : 07[ENC] generating IKE_AUTH request 4 [ AUTH ]
11-18 16:50:31.168 30845 31077 I charon : 07[NET] sending packet: from 10.0.0.2[44584] to 54.209.21.19[4500] (96 bytes)
11-18 16:50:31.342 30845 31082 I charon : 11[NET] received packet: from 54.209.21.19[4500] to 10.0.0.2[44584] (336 bytes)
11-18 16:50:31.342 30845 31082 I charon : 11[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
11-18 16:50:31.342 30845 31082 I charon : 11[IKE] authentication of 'OU=Domain Control Validated, CN=*.xxxxxxxxxx.com' with EAP successful
11-18 16:50:31.342 30845 31082 I charon : 11[IKE] IKE_SA android[2] established between 10.0.0.2[1-224015461]...54.209.21.19[OU=Domain Control Validated, CN=*.xxxxxxxxxx.com]
11-18 16:50:31.343 30845 31082 I charon : 11[IKE] scheduling rekeying in 35941s
11-18 16:50:31.344 30845 31082 I charon : 11[IKE] maximum IKE_SA lifetime 37741s
11-18 16:50:31.344 30845 31082 I charon : 11[IKE] installing DNS server 8.8.8.8
11-18 16:50:31.344 30845 31082 I charon : 11[IKE] installing new virtual IP 10.2.0.1
11-18 16:50:31.344 30845 31082 I charon : 11[IKE] installing new virtual IP fec1::1
11-18 16:50:31.344 30845 31082 I charon : 11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
11-18 16:50:31.345 30845 31082 I charon : 11[IKE] CHILD_SA android{2} established with SPIs 6f22d178_i c0eacfc9_o and TS 10.2.0.1/32 fec1::1/128 === 0.0.0.0/0 ::/0
11-18 16:50:31.345 30845 31082 I charon : 11[DMN] setting up TUN device for CHILD_SA android{2}
11-18 16:50:31.414 30845 31082 I charon : 11[DMN] successfully created TUN device
11-18 16:50:31.415 30845 31082 I charon : 11[IKE] received AUTH_LIFETIME of 10032s, scheduling reauthentication in 8232s
11-18 16:50:31.416 30845 31082 I charon : 11[IKE] peer supports MOBIKE

Any idea what can cause this?

Thanks,

Roy
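A triage helper for logs like the one posted above, added here as an example and not part of the original report or of strongSwan. It collapses the CERTREQ lines into a count and surfaces message sizes, fragmentation and the OCSP-to-CRL fallbacks; the function name `summarize`, the result keys and the sample subjects and addresses are assumptions made for illustration.

```python
import re

# Constructed sample: an abridged charon log in the Android logcat layout of the
# post above. Subjects and addresses are placeholders, not values from the issue.
SAMPLE_LOG = """\
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=XX, O=Example, CN=Example Root CA 1"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=XX, O=Example, CN=Example Root CA 2"
11-18 16:50:30.063 30845 31078 I charon : 12[IKE] sending cert request for "C=XX, O=Example, CN=Example Root CA 3"
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ IDr CPRQ SA TSi TSr ]
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] splitting IKE message (3264 bytes) into 3 fragments
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:50:30.065 30845 31078 I charon : 12[NET] sending packet: from 192.0.2.10[44584] to 198.51.100.7[4500] (1364 bytes)
11-18 16:50:30.065 30845 31078 I charon : 12[NET] sending packet: from 192.0.2.10[44584] to 198.51.100.7[4500] (676 bytes)
11-18 16:50:30.247 30845 31075 I charon : 05[ENC] received fragment #2 of 3, reassembled fragmented IKE message (3280 bytes)
11-18 16:50:30.247 30845 31075 I charon : 05[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
11-18 16:50:30.256 30845 31075 I charon : 05[CFG] checking certificate status of "CN=vpn.example.test"
11-18 16:50:30.513 30845 31075 I charon : 05[LIB] ocsp response status: unauthorized
11-18 16:50:30.513 30845 31075 I charon : 05[CFG] ocsp check failed, fallback to crl
11-18 16:50:30.517 30845 31075 I charon : 05[CFG] certificate status is good
11-18 16:50:30.518 30845 31075 I charon : 05[CFG] checking certificate status of "CN=Example Issuing CA"
11-18 16:50:30.616 30845 31075 I charon : 05[CFG] nonce in ocsp response doesn't match
11-18 16:50:30.617 30845 31075 I charon : 05[CFG] ocsp check failed, fallback to crl
11-18 16:50:30.822 30845 31075 I charon : 05[CFG] certificate status is good
"""

# logcat prefix (date, time, pid, tid, level, tag) followed by charon's "NN[GRP] message"
PREFIX = re.compile(r'^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+\d+\s+\d+\s+[A-Z]\s+charon\s*:\s*'
                    r'\d+\[[A-Z]{3}\]\s+(.*)$')
ENC = re.compile(r'^(generating|parsed) (\w+) (request|response) (\d+) \[ (.*) \]$')
SPLIT = re.compile(r'^splitting IKE message \((\d+) bytes\) into (\d+) fragments$')
JOINED = re.compile(r'^received fragment #\d+ of (\d+), '
                    r'reassembled fragmented IKE message \((\d+) bytes\)$')
PACKET = re.compile(r'^(?:sending|received) packet: from \S+ to \S+ \((\d+) bytes\)$')
CHECKING = re.compile(r'^checking certificate status of "(.*)"$')
OCSP_STATUS = re.compile(r'^ocsp response status: (\w+)$')
CERT_STATUS = re.compile(r'^certificate status is (.+)$')


def summarize(log_text):
    """Reduce a charon log to the facts needed for triage (hypothetical helper)."""
    out = {"certreqs_sent": 0,   # CERTREQ lines, collapsed into a count
           "messages": [],       # (direction, exchange, kind, message id, payloads)
           "fragmented": [],     # (direction, total bytes, fragment count)
           "largest_packet": 0,  # largest UDP payload seen, in bytes
           "revocation": []}     # one record per certificate whose status was checked
    check = None  # record of the certificate currently being checked
    for line in log_text.splitlines():
        prefix = PREFIX.match(line.rstrip())
        if not prefix:
            continue  # not a charon line in logcat layout
        msg = prefix.group(1)
        if msg.startswith("sending cert request for "):
            out["certreqs_sent"] += 1
        elif m := ENC.match(msg):
            payloads = m.group(5).split()
            if payloads != ["EF"]:  # skip per-fragment lines, keep the logical message
                direction = "out" if m.group(1) == "generating" else "in"
                out["messages"].append(
                    (direction, m.group(2), m.group(3), int(m.group(4)), payloads))
        elif m := SPLIT.match(msg):
            out["fragmented"].append(("out", int(m.group(1)), int(m.group(2))))
        elif m := JOINED.match(msg):
            out["fragmented"].append(("in", int(m.group(2)), int(m.group(1))))
        elif m := PACKET.match(msg):
            out["largest_packet"] = max(out["largest_packet"], int(m.group(1)))
        elif m := CHECKING.match(msg):
            check = {"subject": m.group(1), "ocsp_detail": None,
                     "fallback_to_crl": False, "status": None}
            out["revocation"].append(check)
        elif check is not None:
            if m := OCSP_STATUS.match(msg):
                check["ocsp_detail"] = "responder status " + m.group(1)
            elif msg == "nonce in ocsp response doesn't match":
                check["ocsp_detail"] = "nonce mismatch"
            elif msg == "ocsp check failed, fallback to crl":
                check["fallback_to_crl"] = True
            elif m := CERT_STATUS.match(msg):
                check["status"] = m.group(1)
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "=", value)
```

Running the same function over the working and the failing capture gives two summaries that can be compared field by field.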

History

#1 Updated by Royi Cohen 5 months ago

Sorry, the first log, from the client application when the connection is not established, is this:
11-18 16:40:32.949 26223 26318 I charon : 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
11-18 16:40:32.950 26223 26318 I charon : 00[JOB] spawning 16 worker threads
11-18 16:40:32.968 26223 28465 I charon : 04[IKE] initiating IKE_SA android[31] to 54.209.21.19
11-18 16:40:32.969 26223 28465 I charon : 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11-18 16:40:32.969 26223 28465 I charon : 04[NET] sending packet: from 10.118.199.236[38868] to 54.209.21.19[500] (716 bytes)
11-18 16:40:33.142 26223 28470 I charon : 08[NET] received packet: from 54.209.21.19[500] to 10.118.199.236[38868] (60 bytes)
11-18 16:40:33.142 26223 28470 I charon : 08[ENC] parsed IKE_SA_INIT response 0 [ N(COOKIE) ]
11-18 16:40:33.142 26223 28470 I charon : 08[IKE] initiating IKE_SA android[31] to 54.209.21.19
11-18 16:40:33.142 26223 28470 I charon : 08[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11-18 16:40:33.142 26223 28470 I charon : 08[NET] sending packet: from 10.118.199.236[38868] to 54.209.21.19[500] (748 bytes)
11-18 16:40:33.345 26223 28467 I charon : 06[NET] received packet: from 54.209.21.19[500] to 10.118.199.236[38868] (38 bytes)
11-18 16:40:33.345 26223 28467 I charon : 06[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
11-18 16:40:33.345 26223 28467 I charon : 06[IKE] peer didn't accept DH group ECP_256, it requested CURVE_25519
11-18 16:40:33.345 26223 28467 I charon : 06[IKE] initiating IKE_SA android[31] to 54.209.21.19
11-18 16:40:33.346 26223 28467 I charon : 06[ENC] generating IKE_SA_INIT request 0 [ N(COOKIE) SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11-18 16:40:33.346 26223 28467 I charon : 06[NET] sending packet: from 10.118.199.236[38868] to 54.209.21.19[500] (716 bytes)
11-18 16:40:33.546 26223 28471 I charon : 09[NET] received packet: from 54.209.21.19[500] to 10.118.199.236[38868] (305 bytes)
11-18 16:40:33.546 26223 28471 I charon : 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
11-18 16:40:33.546 26223 28471 I charon : 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
11-18 16:40:33.547 26223 28471 I charon : 09[IKE] local host is behind NAT, sending keep alives
11-18 16:40:33.549 26223 28471 I charon : 09[IKE] remote host is behind NAT
11-18 16:40:33.550 26223 28471 I charon : 09[CFG] loaded crl issued by 'C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2'
11-18 16:40:33.552 26223 28471 I charon : 09[CFG] loaded crl issued by 'C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2'
11-18 16:40:33.660 26223 28471 I charon : 09[IKE] received 3 cert requests for an unknown ca
11-18 16:40:33.660 26223 28471 I charon : 09[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E="
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-2"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority ECC"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=thawte, Inc., OU=(c) 2007 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G2"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R2"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=FR, O=Dhimyotis, OU=0002 48146308100036, CN=Certigna Root CA"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-1"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R1"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "O=Cybertrust, Inc, CN=Cybertrust Global Root"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "OU=GlobalSign Root CA - R6, O=GlobalSign, CN=GlobalSign"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R1"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com Root Certification Authority RSA"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=Secure Global CA"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G3"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority"
11-18 16:40:33.661 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA - G2"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=TW, O=Government Root Certification Authority"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=DE, O=Deutsche Telekom AG, OU=T-TeleSec Trust Center, CN=Deutsche Telekom Root CA 2"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=TR, L=Ankara, O=E-Tu??ra EBG Bili??im Teknolojileri ve Hizmetleri A.??., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=CN, O=GUANG DONG CERTIFICATE AUTHORITY CO.,LTD., CN=GDCA TrustAUTH R5 ROOT"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 2"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=SecureTrust CA"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "O=TeliaSonera, CN=TeliaSonera Root CA v1"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R3"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Chambers of Commerce Root - 2008"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=LU, O=LuxTrust S.A., CN=LuxTrust Global Root 2"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GC CA"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=FR, O=Certplus, CN=Class 2 Primary CA"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 1"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Networking"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=CN, O=UniTrust, CN=UCA Global G2 Root"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=FR, O=Dhimyotis, CN=Certigna"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 3"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "CN=Atos TrustedRoot 2011, O=Atos, C=DE"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=CH, O=WISeKey, OU=Copyright (c) 2005, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GA CA"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"
11-18 16:40:33.662 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R4"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=FI, O=Sonera, CN=Sonera Class2 CA"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2007 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G2"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., CN=GeoTrust Universal CA 2"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2007 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G4"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, OU=Root Certification Authority, CN=QuoVadis Root Certification Authority"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 4"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority ECC"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com EV Root Certification Authority RSA R2"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=FR, O=Certplus, CN=Certplus Root CA G2"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=CN, O=UniTrust, CN=UCA Extended Validation Root"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=FR, O=OpenTrust, CN=OpenTrust Root CA G3"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=EU, L=Madrid (see current address at www.camerfirma.com/address), SN=A82743287, O=AC Camerfirma S.A., CN=Global Chambersign Root - 2008"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=ES, O=IZENPE S.A., CN=Izenpe.com"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=EE, O=AS Sertifitseerimiskeskus, CN=EE Certification Centre Root CA, E=pki@sk.ee"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=HU, L=Budapest, O=NetLock Kft., OU=Tan??s??tv??nykiad??k (Certification Services), CN=NetLock Arany (Class Gold) F??tan??s??tv??ny"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor ECA-1"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=GB, O=Trustis Limited, OU=Trustis FPS Root CA"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2"
11-18 16:40:33.663 26223 28471 I charon : 09[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Root CA"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=RO, O=certSIGN, OU=certSIGN ROOT CA"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Commercial"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2"
11-18 16:40:33.664 26223 28471 I charon : 09[IKE] establishing CHILD_SA android{31}
11-18 16:40:33.664 26223 28471 I charon : 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
11-18 16:40:33.664 26223 28471 I charon : 09[ENC] splitting IKE message (3264 bytes) into 3 fragments
11-18 16:40:33.664 26223 28471 I charon : 09[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:40:33.664 26223 28471 I charon : 09[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:40:33.665 26223 28471 I charon : 09[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:40:33.665 26223 28471 I charon : 09[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:33.665 26223 28471 I charon : 09[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:33.665 26223 28471 I charon : 09[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (676 bytes)
11-18 16:40:35.666 26223 28472 I charon : 10[IKE] retransmit 1 of request with message ID 1
11-18 16:40:35.666 26223 28472 I charon : 10[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:35.666 26223 28472 I charon : 10[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:35.666 26223 28472 I charon : 10[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (676 bytes)
11-18 16:40:38.468 26223 28465 I charon : 04[IKE] retransmit 2 of request with message ID 1
11-18 16:40:38.468 26223 28465 I charon : 04[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:38.468 26223 28465 I charon : 04[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:38.468 26223 28465 I charon : 04[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (676 bytes)
11-18 16:40:43.478 26223 28468 I charon : 07[IKE] retransmit 3 of request with message ID 1
11-18 16:40:43.478 26223 28468 I charon : 07[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:43.478 26223 28468 I charon : 07[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:43.478 26223 28468 I charon : 07[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (676 bytes)
11-18 16:40:48.974 26223 28466 I charon : 05[IKE] giving up after 3 retransmits
11-18 16:40:48.975 26223 28466 I charon : 05[IKE] establishing IKE_SA failed, peer not responding
11-18 16:40:48.975 26223 28467 I charon : 06[IKE] unable to terminate IKE_SA: ID 31 not found

#2 Updated by Tobias Brunner 5 months ago

  • Category set to network / firewall
  • Status changed from New to Feedback

Either a firewall (i.e. port 4500 blocked) or, more likely, an IP fragmentation issue (i.e. the IKEv2 fragments are still too large). Try lowering the fragment size (MTU in the Android app).

#3 Updated by Royi Cohen 5 months ago

It looks like the client is sending the IKE_AUTH request and splitting it into 3 fragments, and no packet is received from the server.
11-18 16:40:33.664 26223 28471 I charon : 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
11-18 16:40:33.664 26223 28471 I charon : 09[ENC] splitting IKE message (3264 bytes) into 3 fragments
11-18 16:40:33.664 26223 28471 I charon : 09[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:40:33.664 26223 28471 I charon : 09[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:40:33.665 26223 28471 I charon : 09[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:40:33.665 26223 28471 I charon : 09[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:33.665 26223 28471 I charon : 09[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:33.665 26223 28471 I charon : 09[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (676 bytes)
11-18 16:40:35.666 26223 28472 I charon : 10[IKE] retransmit 1 of request with message ID 1
11-18 16:40:35.666 26223 28472 I charon : 10[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:35.666 26223 28472 I charon : 10[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:35.666 26223 28472 I charon : 10[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (676 bytes)
11-18 16:40:38.468 26223 28465 I charon : 04[IKE] retransmit 2 of request with message ID 1
11-18 16:40:38.468 26223 28465 I charon : 04[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:38.468 26223 28465 I charon : 04[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:38.468 26223 28465 I charon : 04[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (676 bytes)
11-18 16:40:43.478 26223 28468 I charon : 07[IKE] retransmit 3 of request with message ID 1
11-18 16:40:43.478 26223 28468 I charon : 07[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:43.478 26223 28468 I charon : 07[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (1364 bytes)
11-18 16:40:43.478 26223 28468 I charon : 07[NET] sending packet: from 10.118.199.23641388 to 54.209.21.194500 (676 bytes)
11-18 16:40:48.974 26223 28466 I charon : 05[IKE] giving up after 3 retransmits
11-18 16:40:48.975 26223 28466 I charon : 05[IKE] establishing IKE_SA failed, peer not responding

But when the device is connected to the wifi:
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] splitting IKE message (3264 bytes) into 3 fragments
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:50:30.064 30845 31078 I charon : 12[ENC] generating IKE_AUTH request 1 [ EF ]
11-18 16:50:30.065 30845 31078 I charon : 12[NET] sending packet: from 10.0.0.244584 to 54.209.21.194500 (1364 bytes)
11-18 16:50:30.065 30845 31078 I charon : 12[NET] sending packet: from 10.0.0.244584 to 54.209.21.194500 (1364 bytes)
11-18 16:50:30.065 30845 31078 I charon : 12[NET] sending packet: from 10.0.0.244584 to 54.209.21.194500 (676 bytes)
11-18 16:50:30.246 30845 31083 I charon : 13[NET] received packet: from 54.209.21.194500 to 10.0.0.244584 (1236 bytes)

What can be the cause of that?
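An added example, not part of the thread and not strongSwan code: a small Python check that reads charon log lines in the format quoted above, isolates the fragmented IKE request, and compares its largest datagram with a candidate MTU. The sample log with its documentation-range addresses, the function name `analyze`, and the assumption that the logged size is the UDP payload carried over IPv4 are all constructed for illustration.

```python
import re

# Constructed sample in the charon/logcat format shown in the thread; the
# addresses are documentation ranges, not values taken from the page.
SAMPLE_LOG = """\
11-18 16:40:33.664 26223 28471 I charon : 09[ENC] splitting IKE message (3264 bytes) into 3 fragments
11-18 16:40:33.665 26223 28471 I charon : 09[NET] sending packet: from 192.0.2.10[41388] to 198.51.100.7[4500] (1364 bytes)
11-18 16:40:33.665 26223 28471 I charon : 09[NET] sending packet: from 192.0.2.10[41388] to 198.51.100.7[4500] (1364 bytes)
11-18 16:40:33.665 26223 28471 I charon : 09[NET] sending packet: from 192.0.2.10[41388] to 198.51.100.7[4500] (676 bytes)
11-18 16:40:35.666 26223 28472 I charon : 10[IKE] retransmit 1 of request with message ID 1
11-18 16:40:35.666 26223 28472 I charon : 10[NET] sending packet: from 192.0.2.10[41388] to 198.51.100.7[4500] (1364 bytes)
11-18 16:40:48.974 26223 28466 I charon : 05[IKE] giving up after 3 retransmits
"""

IP_UDP_OVERHEAD = 20 + 8  # assumption: IPv4 header without options + UDP header

SPLIT = re.compile(r"splitting IKE message \((\d+) bytes\) into (\d+) fragments")
PKT = re.compile(r"\[NET\] (sending|received) packet: .*\((\d+) bytes\)")
RETX = re.compile(r"\[IKE\] retransmit (\d+) of request")
GAVE_UP = re.compile(r"\[IKE\] giving up after \d+ retransmits")


def analyze(log_text, mtu):
    """Summarise the fragmented IKE request in a charon log and compare its
    largest datagram with a candidate MTU (logged size taken as UDP payload)."""
    s = {"fragments": 0, "largest_sent": 0, "retransmits": 0,
         "replies": 0, "gave_up": False}
    in_fragmented = False
    for line in log_text.splitlines():
        if m := SPLIT.search(line):
            in_fragmented = True
            s["fragments"] = int(m[2])
        elif not in_fragmented:
            continue  # ignore earlier, unfragmented exchanges
        elif m := PKT.search(line):
            if m[1] == "sending":
                s["largest_sent"] = max(s["largest_sent"], int(m[2]))
            else:
                s["replies"] += 1
        elif m := RETX.search(line):
            s["retransmits"] = max(s["retransmits"], int(m[1]))
        elif GAVE_UP.search(line):
            s["gave_up"] = True
    s["ip_packet_size"] = s["largest_sent"] + IP_UDP_OVERHEAD
    s["fits_mtu"] = s["ip_packet_size"] <= mtu
    if not in_fragmented:
        s["verdict"] = "no fragmented request in log"
    elif s["replies"]:
        s["verdict"] = "peer answered the fragmented request"
    elif s["fits_mtu"]:
        s["verdict"] = "no reply although fragments fit: check filtering of the IKE port"
    else:
        s["verdict"] = "no reply and fragments exceed MTU: lower the fragment size"
    return s


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, mtu=1300))
```

The patterns do not parse the address fields, so the function also accepts log lines whose address brackets were lost in rendering.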

#4 Updated by Royi Cohen 5 months ago

Tobias Brunner wrote:

Either a firewall (i.e. port 4500 blocked) or, more likely, an IP fragmentation issue (i.e. the IKEv2 fragments are still too large). Try lowering the fragment size (MTU in the Android app).

This is a good idea to check. What is the best way to set the MTU in the Android app?

#5 Updated by Tobias Brunner 5 months ago

what is the best way to set the MTU in the Android app?

You can specify the MTU in the advanced profile settings.

#6 Updated by Royi Cohen 5 months ago

Thank you, the problem was that the fragment size was bigger than the minimal MTU of the network interfaces on the device.
Our solution is to check the minimal MTU size of all the network interfaces in the Android device and to set the value in the advanced profile settings.

#7 Updated by Tobias Brunner 5 months ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

Our solution is to check the minimal MTU size of all the network interfaces in the Android device and to set the value in the advanced profile settings.

Note that the MTU of an interface might not accurately represent the MTU of the path(s) the packets take if sent via that interface (and routes can have individual MTUs on Linux).

#8 Updated by Royi Cohen 5 months ago

Some update:
We changed the MTU by changing this line in the run method of the CharonVpnService object in the Java code:
from:
writer.setValue( "global.mtu", mCurrentProfile.getMTU() );
to:
writer.setValue( "global.mtu", 1300 );

As a result, the VPN connection was established. But with further testing, we are facing surfing issues with some websites like cnn.com, where we cannot get the page in the browser, while surfing to other websites works OK.

Do we need to do something on the server-side?

#9 Updated by Noel Kuntze 5 months ago

You know that you could just change the interface MTU in the tunnel settings in the app?

The next problem is probably related to the MSS. See the ForwardingAndSplitTunneling article for details.

#10 Updated by Royi Cohen 5 months ago

Noel Kuntze wrote:

You know that you could just change the interface MTU in the tunnel settings in the app?

The next problem is probably related to the MSS. See the ForwardingAndSplitTunneling article for details.

Thanks for the suggestion. How can we debug and understand if it is related to MSS? In the debug we can see the information about the establishment of the tunnel, but after that we cannot see any debug information regarding the traffic in the tunnel.
Is it possible to see it? Or do you have another suggestion on how we can analyze this issue?

Thanks,

Royi

#11 Updated by Royi Cohen 5 months ago

Noel Kuntze wrote:

You know that you could just change the interface MTU in the tunnel settings in the app?

The next problem is probably related to the MSS. See the ForwardingAndSplitTunneling article for details.

Based on the link above, we set the MTU in the client apk to 1300, and on the server we ran the following commands to set the MSS values, but we still see the same surfing issues with websites like cnn.com after the VPN was established:
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1261:1536 -j TCPMSS --set-mss 1260
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1261:1536 -j TCPMSS --set-mss 1260
