I am trying to implement the road warrior case using strongSwan. In this case, the VPN client sends a request to the gateway but the gateway simply drops the packet. I have made sure that only charon-systemd is running. Basically I removed the other packages using
sudo apt install -y strongswan charon-systemd strongswan-swanctl strongswan-pki libstrongswan-extra-plugins libtss2-tcti-tabrmd0
sudo apt remove -y strongswan-starter strongswan-charon
Even in ss -tunlp on the gateway we can see that charon-systemd is listening on the ports
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=1265,fd=19))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=1265,fd=17))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("charon-systemd",pid=1420,fd=22))
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=1264,fd=5),("systemd",pid=1,fd=37))
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=1382,fd=5))
udp UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("charon-systemd",pid=1420,fd=15))
udp UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon-systemd",pid=1420,fd=16))
udp UNCONN 0 0 0.0.0.0:5355 0.0.0.0:* users:(("systemd-resolve",pid=1265,fd=11))
udp UNCONN 0 0 [::]:111 [::]:* users:(("rpcbind",pid=1264,fd=7),("systemd",pid=1,fd=39))
udp UNCONN 0 0 [::1]:323 [::]:* users:(("chronyd",pid=1382,fd=6))
udp UNCONN 0 0 [::]:500 [::]:* users:(("charon-systemd",pid=1420,fd=13))
udp UNCONN 0 0 [::]:4500 [::]:* users:(("charon-systemd",pid=1420,fd=14))
udp UNCONN 0 0 [::]:5355 [::]:* users:(("systemd-resolve",pid=1265,fd=13))
tcp LISTEN 0 20 127.0.0.1:25 0.0.0.0:* users:(("exim4",pid=1864,fd=4))
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:* users:(("systemd-resolve",pid=1265,fd=20))
tcp LISTEN 0 4096 0.0.0.0:5355 0.0.0.0:* users:(("systemd-resolve",pid=1265,fd=12))
tcp LISTEN 0 4096 0.0.0.0:3128 0.0.0.0:* users:(("spiceproxy work",pid=1923,fd=6),("spiceproxy",pid=1922,fd=6))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1387,fd=3))
tcp LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=1264,fd=4),("systemd",pid=1,fd=36))
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=1265,fd=18))
tcp LISTEN 0 4096 [::]:5355 [::]:* users:(("systemd-resolve",pid=1265,fd=14))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=1387,fd=4))
tcp LISTEN 0 4096 [::]:111 [::]:* users:(("rpcbind",pid=1264,fd=6),("systemd",pid=1,fd=38))
tcp LISTEN 0 20 [::1]:25 [::]:* users:(("exim4",pid=1864,fd=5))
The client tries to initiate the request but does not receive any response from the gateway
Nov 21 20:32:40 client-node charon-systemd[3938]: retransmit 1 of request with message ID 0
Nov 21 20:32:40 client-node charon-systemd[3938]: sending packet: from <REDACTED>[500] to <REDACTED>[500] (1048 bytes)
Nov 21 20:32:48 client-node charon-systemd[3938]: retransmit 2 of request with message ID 0
Nov 21 20:32:48 client-node charon-systemd[3938]: sending packet: from <REDACTED>[500] to <REDACTED>[500] (1048 bytes)
Nov 21 20:33:00 client-node charon-systemd[3938]: retransmit 3 of request with message ID 0
Nov 21 20:33:00 client-node charon-systemd[3938]: sending packet: from <REDACTED>[500] to <REDACTED>[500] (1048 bytes)
Nov 21 20:33:24 client-node charon-systemd[3938]: retransmit 4 of request with message ID 0
Nov 21 20:33:24 client-node charon-systemd[3938]: sending packet: from <REDACTED>[500] to <REDACTED>[500] (1048 bytes)
Nov 21 20:34:06 client-node charon-systemd[3938]: retransmit 5 of request with message ID 0
Nov 21 20:34:06 client-node charon-systemd[3938]: sending packet: from <REDACTED>[500] to <REDACTED>[500] (1048 bytes)
Nov 21 20:35:21 client-node charon-systemd[3938]: giving up after 5 retransmits
Nov 21 20:35:21 client-node charon-systemd[3938]: establishing IKE_SA failed, peer not responding
On the gateway, using tcpdump we can see the request coming from the client but the gateway does not reply
20:32:48.050763 eno2np1 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:32:48.050763 bond0 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:32:48.050763 bond0.7 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:33:01.011245 eno2np1 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:33:01.011245 bond0 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:33:01.011245 bond0.7 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:33:24.339522 eno2np1 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:33:24.339522 bond0 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:33:24.339522 bond0.7 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:34:06.329906 eno2np1 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:34:06.329906 bond0 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:34:06.329906 bond0.7 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
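The two pieces of gateway evidence in the post (the ss -tunlp listing and the tcpdump lines) can be checked mechanically: is anything bound to UDP/500 and UDP/4500, and do IKE_SA_INIT frames arrive without any frame going back out? The script below is an added example, not part of the post or of strongSwan; the sample inputs are constructed excerpts of the post's output, and the identical timestamps on eno2np1, bond0 and bond0.7 are treated as one frame seen at three layers of a NIC -> bond -> VLAN stack by tcpdump -i any.

```python
import re
from collections import defaultdict

# Constructed excerpts of the gateway output shown in the post (addresses redacted there too).
SS_SAMPLE = """\
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("charon-systemd",pid=1420,fd=22))
udp UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("charon-systemd",pid=1420,fd=15))
udp UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon-systemd",pid=1420,fd=16))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1387,fd=3))
"""
TCPDUMP_SAMPLE = """\
20:32:48.050763 eno2np1 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:32:48.050763 bond0 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:32:48.050763 bond0.7 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:33:01.011245 eno2np1 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:33:01.011245 bond0 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
20:33:01.011245 bond0.7 In IP <REDACTED>.isakmp > <REDACTED>.maas.isakmp: isakmp: parent_sa ikev2_init[I]
"""
IKE_PORTS = (500, 4500)
TCPDUMP_RE = re.compile(r"^(\S+) (\S+) (In|Out) IP (\S+) > (\S+): isakmp: (.*)$")

def ike_listeners(ss_text):
    """Map each IKE UDP port to the set of process names bound to it (parsed from `ss -tunlp`)."""
    bound = defaultdict(set)
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "udp":
            continue
        port = int(f[4].rsplit(":", 1)[1])
        if port in IKE_PORTS:
            bound[port].update(re.findall(r'\("([^"]+)"', line))
    return {p: bound.get(p, set()) for p in IKE_PORTS}

def ike_flow(tcpdump_text):
    """Count distinct inbound/outbound IKE frames; the same frame reported on several
    stacked interfaces shares one timestamp and is counted once."""
    frames = {"In": {}, "Out": {}}
    for line in tcpdump_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if m:
            ts, iface, direction, _src, _dst, what = m.groups()
            frames[direction].setdefault((ts, what), set()).add(iface)
    ifaces = set().union(*frames["In"].values(), *frames["Out"].values())
    return {"in": len(frames["In"]), "out": len(frames["Out"]), "interfaces": ifaces}

def diagnose(ss_text, tcpdump_text):
    """One-line verdict on where the IKE_SA_INIT request is being lost on the gateway."""
    listeners, flow = ike_listeners(ss_text), ike_flow(tcpdump_text)
    if not listeners[500]:
        return "nothing bound to UDP/500: the IKE daemon is not listening"
    if flow["in"] and not flow["out"]:
        return ("%s holds UDP/500 and %d IKE_SA_INIT frame(s) reached %s but nothing went out: "
                "if charon's journal shows no matching 'received packet' line the kernel dropped "
                "it first (check nftables/iptables input rules); if it does, charon's log says why it did not answer"
                % (",".join(sorted(listeners[500])), flow["in"], "/".join(sorted(flow["interfaces"]))))
    return "IKE traffic flows both ways; look at the exchange itself"
```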