
I have a strongSwan VPN server running on an Ubuntu 18 machine. Everything is fine as long as clients connect using their mobile data. But when they try to connect from a modem (either using a cable or Wi-Fi) they end up receiving connection errors.
Client log:

00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 9 - FIG-LA1 9.1.0.171(C185E6R1P5)/2020-01-01, FIG-LA1 - HUAWEI/FIG-LA1/HUAWEI, Linux 4.9.148, aarch64)
00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
00[JOB] spawning 16 worker threads
08[IKE] initiating IKE_SA android[5] to x.x.x.x
08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08[NET] sending packet: from 192.168.2.2[38856] to x.x.x.x[500] (716 bytes)
10[NET] received packet: from x.x.x.x[500] to 192.168.2.2[38856] (270 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[IKE] establishing CHILD_SA android{5}
10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
10[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
12[IKE] retransmit 1 of request with message ID 1
12[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
13[IKE] retransmit 2 of request with message ID 1
13[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
14[IKE] retransmit 3 of request with message ID 1
14[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
01[IKE] giving up after 3 retransmits
01[IKE] establishing IKE_SA failed, peer not responding
08[IKE] unable to terminate IKE_SA: ID 5 not found

And server log:

11[NET] received packet: from y.y.y.y[56945] to x.x.x.x[500] (716 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11[IKE] y.y.y.y is initiating an IKE_SA
11[IKE] remote host is behind NAT
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
11[NET] sending packet: from x.x.x.x[500] to y.y.y.y[56945] (270 bytes)

where x.x.x.x is my server's public IP and y.y.y.y is my client's modem IP.
As you can see, the client is unable to receive the response. I've noticed that the client port (38856 or 55032 in this case) is different from the port to which the server is responding (56945). (Is this a NAT issue? Is this a problem at all?)
Another thing is that the client thinks the server is behind NAT, which it is not; I'm using a public IP to connect to the server. However, the successful clients (who connect using their mobile data) also think that the server is behind NAT.

I don't need an answer that requires modification on the client side, because my clients are normal people who are not familiar with advanced workarounds (such as port forwarding). (Still, reading such answers would be helpful.)

Update:
Successful connection client log:

Feb 19 13:21:59 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Feb 19 13:21:59 00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 9 - FIG-LA1 9.1.0.171(C185E6R1P5)/2020-01-01, FIG-LA1 - HUAWEI/FIG-LA1/HUAWEI, Linux 4.9.148, aarch64)
Feb 19 13:21:59 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Feb 19 13:21:59 00[JOB] spawning 16 worker threads
Feb 19 13:21:59 07[IKE] initiating IKE_SA android[1] to x.x.x.x
Feb 19 13:21:59 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 13:21:59 07[NET] sending packet: from z.z.z.z[44087] to x.x.x.x[500] (716 bytes)
Feb 19 13:22:00 09[NET] received packet: from x.x.x.x[500] to z.z.z.z[44087] (270 bytes)
Feb 19 13:22:00 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 13:22:00 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Feb 19 13:22:00 09[IKE] local host is behind NAT, sending keep alives
Feb 19 13:22:00 09[IKE] remote host is behind NAT
Feb 19 13:22:00 09[IKE] establishing CHILD_SA android{1}
Feb 19 13:22:00 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 13:22:00 09[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (432 bytes)
Feb 19 13:22:00 15[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (1236 bytes)
Feb 19 13:22:00 15[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 13:22:00 15[ENC] received fragment #1 of 2, waiting for complete IKE message
Feb 19 13:22:00 12[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (788 bytes)
Feb 19 13:22:00 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 13:22:00 12[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1952 bytes)
Feb 19 13:22:00 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 13:22:00 12[IKE] received end entity cert "CN=x.x.x.x"
Feb 19 13:22:00 12[CFG] no issuer certificate found for "CN=x.x.x.x"
Feb 19 13:22:00 12[CFG]   issuer is "CN=VPN root CA"
Feb 19 13:22:00 12[CFG]   using trusted certificate "CN=x.x.x.x"
Feb 19 13:22:00 12[IKE] authentication of 'x.x.x.x' with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 13:22:00 12[IKE] server requested EAP_MSCHAPV2 authentication (id 0xB1)
Feb 19 13:22:00 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Feb 19 13:22:00 12[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (144 bytes)
Feb 19 13:22:00 16[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (144 bytes)
Feb 19 13:22:00 16[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 19 13:22:00 16[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Feb 19 13:22:00 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 19 13:22:00 16[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (80 bytes)
Feb 19 13:22:01 13[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (80 bytes)
Feb 19 13:22:01 13[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Feb 19 13:22:01 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 19 13:22:01 13[IKE] authentication of 'username' (myself) with EAP
Feb 19 13:22:01 13[ENC] generating IKE_AUTH request 4 [ AUTH ]
Feb 19 13:22:01 13[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (96 bytes)
Feb 19 13:22:01 14[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (288 bytes)
Feb 19 13:22:01 14[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 19 13:22:01 14[IKE] authentication of 'x.x.x.x' with EAP successful
Feb 19 13:22:01 14[IKE] IKE_SA android[1] established between z.z.z.z[username]...x.x.x.x[x.x.x.x]
Feb 19 13:22:01 14[IKE] scheduling rekeying in 35953s
Feb 19 13:22:01 14[IKE] maximum IKE_SA lifetime 36553s
Feb 19 13:22:01 14[IKE] installing DNS server 8.8.8.8
Feb 19 13:22:01 14[IKE] installing new virtual IP 10.10.10.2
Feb 19 13:22:01 14[IKE] CHILD_SA android{1} established with SPIs 8fdeb5a5_i c034c489_o and TS 10.10.10.2/32 === 0.0.0.0/0
Feb 19 13:22:01 14[DMN] setting up TUN device for CHILD_SA android{1}
Feb 19 13:22:01 14[DMN] successfully created TUN device
Feb 19 13:22:01 14[IKE] peer supports MOBIKE

Successful connection server log:

Feb 19 09:51:19 fsra charon: 11[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:19 fsra charon: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
Feb 19 09:51:19 fsra charon: 11[IKE] received DELETE for IKE_SA ikev2-vpn[155]
Feb 19 09:51:19 fsra charon: 11[IKE] deleting IKE_SA ikev2-vpn[155] between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:19 fsra charon: 11[IKE] IKE_SA deleted
Feb 19 09:51:19 fsra charon: 11[ENC] generating INFORMATIONAL response 5 [ ]
Feb 19 09:51:19 fsra charon: 11[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (80 bytes)
Feb 19 09:51:40 fsra charon: 05[NET] received packet: from y.y.y.y[44087] to x.x.x.x[500] (716 bytes)
Feb 19 09:51:40 fsra charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:51:40 fsra charon: 05[IKE] y.y.y.y is initiating an IKE_SA
Feb 19 09:51:40 fsra charon: 05[IKE] remote host is behind NAT
Feb 19 09:51:40 fsra charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 09:51:40 fsra charon: 05[NET] sending packet: from x.x.x.x[500] to y.y.y.y[44087] (270 bytes)
Feb 19 09:51:40 fsra charon: 13[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (432 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 15[IKE] received retransmit of request with ID 0, retransmitting response
Feb 19 09:51:40 fsra ipsec[9456]: 15[NET] sending packet: from x.x.x.x[500] to y.y.y.y[59365] (270 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 12[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (432 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] EAP-Identity request configured, but not supported
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xA1)
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] peer supports MOBIKE
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] authentication of 'x.x.x.x' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] sending end entity cert "CN=x.x.x.x"
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] splitting IKE message with length of 1952 bytes into 2 fragments
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (1236 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 12[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (788 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 08[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (144 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 08[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 08[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (144 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 16[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 16[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 16[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 19 09:51:40 fsra ipsec[9456]: 16[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Feb 19 09:51:40 fsra ipsec[9456]: 16[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (80 bytes)
Feb 19 09:51:40 fsra charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 10[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (96 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 10[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] authentication of 'username' with EAP successful
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] authentication of 'x.x.x.x' (myself) with EAP
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] IKE_SA ikev2-vpn[155] established between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] peer requested virtual IP %any
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] assigning virtual IP 10.10.10.2 to peer 'username'
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] peer requested virtual IP %any6
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] no virtual IP found for %any6 requested by 'username'
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] CHILD_SA ikev2-vpn{49} established with SPIs c79b0579_i daec5f8d_o and TS 0.0.0.0/0 === 10.10.10.2/32
Feb 19 09:51:40 fsra ipsec[9456]: 10[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 19 09:51:40 fsra ipsec[9456]: 10[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (288 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 11[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
Feb 19 09:51:40 fsra ipsec[9456]: 11[IKE] received DELETE for IKE_SA ikev2-vpn[155]
Feb 19 09:51:40 fsra ipsec[9456]: 11[IKE] deleting IKE_SA ikev2-vpn[155] between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:40 fsra ipsec[9456]: 11[IKE] IKE_SA deleted
Feb 19 09:51:40 fsra ipsec[9456]: 11[ENC] generating INFORMATIONAL response 5 [ ]
Feb 19 09:51:40 fsra ipsec[9456]: 11[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (80 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 05[NET] received packet: from y.y.y.y[44087] to x.x.x.x[500] (716 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 05[IKE] y.y.y.y is initiating an IKE_SA
Feb 19 09:51:40 fsra ipsec[9456]: 05[IKE] remote host is behind NAT
Feb 19 09:51:40 fsra ipsec[9456]: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 09:51:40 fsra ipsec[9456]: 05[NET] sending packet: from x.x.x.x[500] to y.y.y.y[44087] (270 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 13[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (432 bytes)
Feb 19 09:51:40 fsra charon: 13[IKE] EAP-Identity request configured, but not supported
Feb 19 09:51:40 fsra ipsec[9456]: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 13[IKE] EAP-Identity request configured, but not supported
Feb 19 09:51:40 fsra ipsec[9456]: 13[IKE] initiating EAP_MSCHAPV2 method (id 0xB1)
Feb 19 09:51:40 fsra charon: 13[IKE] initiating EAP_MSCHAPV2 method (id 0xB1)
Feb 19 09:51:40 fsra charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 19 09:51:40 fsra charon: 13[IKE] peer supports MOBIKE
Feb 19 09:51:40 fsra charon: 13[IKE] authentication of 'x.x.x.x' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 09:51:40 fsra charon: 13[IKE] sending end entity cert "CN=x.x.x.x"
Feb 19 09:51:40 fsra charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:40 fsra charon: 13[ENC] splitting IKE message with length of 1952 bytes into 2 fragments
Feb 19 09:51:40 fsra charon: 13[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 09:51:40 fsra charon: 13[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 09:51:40 fsra charon: 13[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (1236 bytes)
Feb 19 09:51:40 fsra charon: 13[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (788 bytes)
Feb 19 09:51:41 fsra charon: 09[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (144 bytes)
Feb 19 09:51:41 fsra charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:41 fsra charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:41 fsra charon: 09[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (144 bytes)
Feb 19 09:51:41 fsra charon: 03[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:41 fsra charon: 03[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:41 fsra charon: 03[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 19 09:51:41 fsra charon: 03[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Feb 19 09:51:41 fsra charon: 03[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (80 bytes)
Feb 19 09:51:41 fsra charon: 15[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (96 bytes)
Feb 19 09:51:41 fsra charon: 15[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Feb 19 09:51:41 fsra charon: 15[IKE] authentication of 'username' with EAP successful
Feb 19 09:51:41 fsra charon: 15[IKE] authentication of 'x.x.x.x' (myself) with EAP
Feb 19 09:51:41 fsra charon: 15[IKE] IKE_SA ikev2-vpn[156] established between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:41 fsra charon: 15[IKE] peer requested virtual IP %any
Feb 19 09:51:41 fsra charon: 15[IKE] assigning virtual IP 10.10.10.2 to peer 'username'
Feb 19 09:51:41 fsra charon: 15[IKE] peer requested virtual IP %any6
Feb 19 09:51:41 fsra charon: 15[IKE] no virtual IP found for %any6 requested by 'username'
Feb 19 09:51:41 fsra charon: 15[IKE] CHILD_SA ikev2-vpn{50} established with SPIs c034c489_i 8fdeb5a5_o and TS 0.0.0.0/0 === 10.10.10.2/32
Feb 19 09:51:41 fsra charon: 15[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 19 09:51:41 fsra charon: 15[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (288 bytes)

where x.x.x.x is my server's public IP, y.y.y.y is my client's mobile data IP and z.z.z.z is some IP from Sudan (a country in Africa) that I don't know why is there. (The phone introduces itself as z.z.z.z in its log (some IP from far, far away) but the actual IP is y.y.y.y.)
However, there seems to be no problem for the server to contact the client and, as mentioned above, both sides think that the other side is behind NAT. (I have two different time zones for my client and server; that's why the logged times don't match.)
Another noticeable thing in the logs is that the ports 46299 and 44087 are logged on both sides. (It seems they were opened on the client's device, bound to z.z.z.z, and the server is communicating with these ports using the y.y.y.y IP.) (I may be wrong to pay attention to these details due to my lack of knowledge about how the strongSwan system works.)
Maybe you find it useful to know that if I use Mobile Hotspot to connect to a client who can connect to the VPN, I can still connect to the VPN on my new client device.

Update:
So I set charon.fragment_size in strongswan.conf to zero (as is recommended in the docs) and to 1360, along with setting:

iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

(I also tested 1400 according to this), but it's all the same. The mobile data clients can connect and the modem users cannot.
I also tried to change the MTU and MSS values using the plugins section in strongswan.conf:

charon {
    plugins {
        kernel-netlink {
            mss = 1140   # I tried the numbers above too
            mtu = 1280   # I tried the numbers above too
        }
    }
}
Bamdad
  • Can you show the beginning of a successful connection from client log and server log, just as with the failed connection? – Gerrit Feb 19 '20 at 09:02
  • @Gerrit I wrote new logs and some information as an update. Thanks. – Bamdad Feb 19 '20 at 11:26
  • In the successful log, are the y.y.y.y addresses actually all the same or different addresses? In the router/modem situation are there multiple inside VPN clients to the same VPN responder? – Gerrit Feb 19 '20 at 12:48
  • The most likely explanation seems that the UDP packet generated by the client for an IKE_AUTH message to the VPN server on port 4500 does not in fact reach the VPN server when sent behind the modem/wifi point. However it would seem strange that this happens with all modems/wifi points. Unless of course all these modems are in fact configured the same and the wifi points are all behind these identical modems. – Gerrit Feb 19 '20 at 14:32
  • Does the server really not receive the IKE_AUTH request? Or did you not post the complete server log of the unsuccessful case? Because it's possible that the IKE_AUTH response is the message that does not get through to the client (due to IP fragmentation). If that's the case, you could try reducing the IKE fragment size on the server (charon.fragment_size in strongswan.conf). – ecdsa Feb 19 '20 at 14:43
  • @ecdsa I posted the complete log. I will update my question in minutes to let you know what happened. – Bamdad Feb 20 '20 at 00:24
  • @Gerrit Yes, as you can see the y.y.y.y addresses are all the same. – Bamdad Feb 20 '20 at 00:25
  • Can you post some more configs, please? ipsec.conf (especially interested in left, leftsubnet, leftfirewall and if you got type=transport set there), charon.conf (if there are any changes there), strongswan.conf (if any changes) & iptables rules (you should try disabling firewall on the server when running tests) – Anubioz Feb 20 '20 at 02:25
  • @Bamdad, if y.y.y.y are all the same then you have three separate clients in the successful log. But I still think that these modems you mention are somewhat the same and block standard ipsec vpn. – Gerrit Feb 20 '20 at 07:47
  • Your unsuccessful log is definitely not complete, there is at least a message about deleting the half-open IKE_SA missing. Anyway, you could try to configure 4500 as custom server port on the client to check if it works if the initial message is sent to that port. – ecdsa Feb 20 '20 at 08:50
