Jump to content
Как правильно добавить self-test и прочую отладку в тему
Где взять тестовые сборки
  • 0

Android 13 IKEv2/IPSec ощибка "received retransmit of request with ID 1, retransmitting response"

vasek00

Asked by vasek00,

 Share

Question

vasek00 Honored Flooder

vasek00

Posted
Posted (edited)

Глюк или не глюк, ПО 4.0.17

Мобильный телефон (Android 13) вчера через MTS работал как удаленный клиент VPN сервера на роутере "IKEv2/IPsec VPN".

На смартфоне встроенный клиент и настройки :

- тип = IKEv2/IPSec MSCHAPv2

- адрес сервера = 2хх.ххх.ххх.хх1

- сертификат ЦС IPSec = "не проверять сервер"

- сертификат сервера IPsec = "получение от сервера"

- user/пароль = ****/****

MTS - работал (вчера)

Скрытый текст 
[I] Apr 14 16:45:49 ipsec: 12[IKE] ххх.ххх.ххх.хх3 is initiating an IKE_SA 
[I] Apr 14 16:45:49 ipsec: 12[CFG] received proposals: IKE:AES_CBC=256/AES_CBC=128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048_256/ECP_384/ECP_256/MODP_2048/MODP_1536, IKE:AES_GCM_16=256/AES_GCM_16=128/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048_256/ECP_384/ECP_256/MODP_2048/MODP_1536 
[I] Apr 14 16:45:49 ipsec: 12[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256 
[I] Apr 14 16:45:49 ipsec: 12[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 
[I] Apr 14 16:45:49 ipsec: 12[IKE] remote host is behind NAT 
[I] Apr 14 16:45:49 ipsec: 12[IKE] DH group MODP_2048_256 unacceptable, requesting MODP_2048 
[I] Apr 14 16:45:49 ipsec: 13[IKE] ххх.ххх.ххх.хх3 is initiating an IKE_SA 
[I] Apr 14 16:45:49 ipsec: 13[CFG] received proposals: IKE:AES_CBC=256/AES_CBC=128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_2048_256/ECP_384/ECP_256/MODP_1536, IKE:AES_GCM_16=256/AES_GCM_16=128/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_2048_256/ECP_384/ECP_256/MODP_1536 
[I] Apr 14 16:45:49 ipsec: 13[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256 
[I] Apr 14 16:45:49 ipsec: 13[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 
[I] Apr 14 16:45:49 ipsec: 13[IKE] remote host is behind NAT 
[I] Apr 14 16:45:49 ipsec: 07[CFG] looking for peer configs matching 1хх.ххх.ххх.хх1[%any]...ххх.ххх.ххх.хх3[rsa_key] 
[I] Apr 14 16:45:49 ipsec: 07[CFG] selected peer config 'VirtualIPServerIKE2' 
[I] Apr 14 16:45:49 ipsec: 07[IKE] initiating EAP_IDENTITY method (id 0x00) 
[I] Apr 14 16:45:49 ipsec: 07[IKE] peer supports MOBIKE, but disabled in config 
[I] Apr 14 16:45:49 ipsec: 07[IKE] authentication of 'ххх-ххх-ххх.keenetic.pro' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful 
[I] Apr 14 16:45:49 ipsec: 07[IKE] sending end entity cert "CN=ххх-ххх-ххх.keenetic.pro" 
[I] Apr 14 16:45:49 ipsec: 07[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3" 
[I] Apr 14 16:45:49 ipsec: 07[IKE] sending issuer cert "C=US, O=Internet Security Research Group, CN=ISRG Root X1" 
[I] Apr 14 16:45:49 ipsec: 03[IKE] received EAP identity 'U******N' 
[I] Apr 14 16:45:49 ipsec: 03[IKE] initiating EAP_MSCHAPV2 method (id 0xEB) 
[I] Apr 14 16:45:49 ipsec: 09[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established 
[I] Apr 14 16:45:49 ipsec: 10[IKE] authentication of 'rsa_key' with EAP successful 
[I] Apr 14 16:45:49 ipsec: 10[IKE] authentication of 'ххх-ххх-ххх.keenetic.pro' (myself) with EAP 
[I] Apr 14 16:45:49 ipsec: 10[IKE] IKE_SA VirtualIPServerIKE2[10] established between 1хх.ххх.ххх.хх1[ххх-ххх-ххх.keenetic.pro]...ххх.ххх.ххх.хх3[rsa_key] 
[I] Apr 14 16:45:49 ipsec: 10[IKE] peer requested virtual IP %any 
[I] Apr 14 16:45:49 ndm: IpSec::CryptoMapInfo: "VirtualIPServerIKE2": allocated address "172.18.2.41" for user "UserVPN" @ "rsa_key" from "ххх.ххх.ххх.хх3". 
[I] Apr 14 16:45:49 ipsec: 10[IKE] assigning virtual IP 172.18.2.41 to peer 'U*****'

 

MTS сегодня не работает

Скрытый текст 
Апр 15 14:27:25 ipsec 11[IKE] ххх.ххх.ххх.хх7 is initiating an IKE_SA
Апр 15 14:27:25 ipsec 11[CFG] received proposals: IKE:AES_CBC=256/AES_CBC=128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048_256/ECP_384/ECP_256/MODP_2048/MODP_1536, IKE:AES_GCM_16=256/AES_GCM_16=128/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048_256/ECP_384/ECP_256/MODP_2048/MODP_1536
Апр 15 14:27:25 ipsec 11[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
Апр 15 14:27:25 ipsec 11[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Апр 15 14:27:25 ipsec 11[IKE] remote host is behind NAT
Апр 15 14:27:25 ipsec 11[IKE] DH group MODP_2048_256 unacceptable, requesting MODP_2048
Апр 15 14:27:25 ipsec 14[IKE] ххх.ххх.ххх.хх7 is initiating an IKE_SA
Апр 15 14:27:25 ipsec 14[CFG] received proposals: IKE:AES_CBC=256/AES_CBC=128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/HMAC_SHA1_96/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_2048_256/ECP_384/ECP_256/MODP_1536, IKE:AES_GCM_16=256/AES_GCM_16=128/PRF_HMAC_SHA2_512/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_2048/MODP_2048_256/ECP_384/ECP_256/MODP_1536
Апр 15 14:27:25 ipsec 14[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256
Апр 15 14:27:25 ipsec 14[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Апр 15 14:27:25 ipsec 14[IKE] remote host is behind NAT
Апр 15 14:27:25 ipsec 10[CFG] looking for peer configs matching 1хх.ххх.ххх.хх1[%any]...2ххх.ххх.ххх.хх7[ikev2]
Апр 15 14:27:25 ipsec 10[CFG] selected peer config 'VirtualIPServerIKE2'
Апр 15 14:27:25 ipsec 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Апр 15 14:27:25 ipsec 10[IKE] peer supports MOBIKE, but disabled in config
Апр 15 14:27:25 ipsec 10[IKE] authentication of 'ххх-ххх-ххх.keenetic.pro' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Апр 15 14:27:25 ipsec 10[IKE] sending end entity cert "CN=ххх-ххх-ххх.keenetic.pro"
Апр 15 14:27:25 ipsec 10[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
Апр 15 14:27:25 ipsec 10[IKE] sending issuer cert "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Апр 15 14:27:26 ipsec 06[IKE] received retransmit of request with ID 1, retransmitting response
Апр 15 14:27:28 ipsec 05[IKE] received retransmit of request with ID 1, retransmitting response
Апр 15 14:27:31 ipsec 15[IKE] received retransmit of request with ID 1, retransmitting response 
Апр 15 14:27:37 ipsec 06[IKE] received retransmit of request with ID 1, retransmitting response
Апр 15 14:27:47 ipsec 15[IKE] received retransmit of request with ID 1, retransmitting response
Апр 15 14:27:55 ipsec 07[JOB] deleting half open IKE_SA with ххх.ххх.ххх.хх7 after timeout

и аналогично не работает 

Апр 15 14:52:08 ipsec 15[CFG] looking for peer configs matching 1хх.ххх.ххх.хх1[%any]...ххх.ххх.ххх.хх2[rsa_key]
Апр 15 14:52:08 ipsec 15[CFG] selected peer config 'VirtualIPServerIKE2'
Апр 15 14:52:08 ipsec 15[IKE] initiating EAP_IDENTITY method (id 0x00)
Апр 15 14:52:08 ipsec 15[IKE] peer supports MOBIKE, but disabled in config
Апр 15 14:52:08 ipsec 15[IKE] authentication of 'ххх-ххх-ххх.keenetic.pro' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Апр 15 14:52:08 ipsec 15[IKE] sending end entity cert "CN=ххх-ххх-ххх.keenetic.pro"
Апр 15 14:52:08 ipsec 15[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
Апр 15 14:52:08 ipsec 15[IKE] sending issuer cert "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Апр 15 14:52:09 ipsec 08[IKE] received retransmit of request with ID 1, retransmitting response
Апр 15 14:52:10 ipsec 14[IKE] received retransmit of request with ID 1, retransmitting response
Апр 15 14:52:14 ipsec 12[IKE] received retransmit of request with ID 1, retransmitting response
Апр 15 14:52:20 ipsec 10[IKE] received retransmit of request with ID 1, retransmitting response
Апр 15 14:52:30 ipsec 13[IKE] received retransmit of request with ID 1, retransmitting response

 

По Tele2 при тех же настройках все ОК.

Скрытый текст 
...
Апр 15 14:55:27 ipsec 08[CFG] looking for peer configs matching 1хх.ххх.ххх.хх1[%any]...х.хх.хх.хх8[rsa_key]
Апр 15 14:55:27 ipsec 08[CFG] selected peer config 'VirtualIPServerIKE2'
Апр 15 14:55:27 ipsec 08[IKE] initiating EAP_IDENTITY method (id 0x00)
Апр 15 14:55:27 ipsec 08[IKE] peer supports MOBIKE, but disabled in config
Апр 15 14:55:27 ipsec 08[IKE] authentication of 'ххх-ххх-ххх.keenetic.pro' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Апр 15 14:55:27 ipsec 08[IKE] sending end entity cert "CN=ххх-ххх-ххх.keenetic.pro"
Апр 15 14:55:27 ipsec 08[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=R3"
Апр 15 14:55:27 ipsec 08[IKE] sending issuer cert "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Апр 15 14:55:28 ipsec 12[IKE] received EAP identity 'U****'
Апр 15 14:55:28 ipsec 12[IKE] initiating EAP_MSCHAPV2 method (id 0x5E)
Апр 15 14:55:28 ipsec 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Апр 15 14:55:28 ipsec 07[IKE] authentication of 'rsa_key' with EAP successful
Апр 15 14:55:28 ipsec 07[IKE] authentication of 'ххх-ххх-ххх.keenetic.pro' (myself) with EAP
Апр 15 14:55:28 ipsec 07[IKE] IKE_SA VirtualIPServerIKE2[24] established between 1хх.ххх.ххх.хх1[ххх-ххх-ххх.keenetic.pro]...х.хх.хх.хх8[rsa_key]
Апр 15 14:55:28 ipsec 07[IKE] peer requested virtual IP %any  
...

 

Что могло случиться за ночь через MTS или это бзик который может завтра/после завтра пройти.

 

Edited by vasek00
Link to comment
Share on other sites

5 answers to this question

Recommended Posts

  • 0
krass Honored Flooder

krass

Posted
Posted
21 минуту назад, vasek00 сказал:

Мобильный телефон

Не рассматривали вариант блокировки ОПСОСом ? 

Link to comment
Share on other sites
  • 0
vasek00 Honored Flooder

vasek00

Posted
  • Author
Posted
29 минут назад, krass сказал:

Не рассматривали вариант блокировки ОПСОСом ? 

Да нет, просто сегодня нужно было и такой "прикол", включил Tele2 и он работал. По позже MTS на Android 12 проверю.

Link to comment
Share on other sites
  • 0
vasek00 Honored Flooder

vasek00

Posted
  • Author
Posted
43 минуты назад, ANDYBOND сказал:

https://help.keenetic.com/hc/ru/articles/360000581969-Подключение-к-VPN-серверу-L2TP-IPSec-из-Windows

https://wiki.strongswan.org/issues/1548

https://serverfault.com/questions/956674/strongswan-with-letsencrypt-certificates-ikev2-eap

Это к чему?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Answer this question...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to question listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...