hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

Android setup on strongSwan #475

Closed thepra closed 5 years ago

thepra commented 5 years ago

I did run the scripts, but still I'm not able to use the VPN. How do I configure the IPsec PSK on strongSwan? I didn't find where to put that code.

hwdsl2 commented 5 years ago

@thepra Hello! The strongSwan Android client only supports IKEv2. See [1] for how to set up IKEv2.

You may also use the native Android VPN client (in Settings, network, VPN) to connect using IPsec/L2TP or IPsec/XAuth mode.

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md

thepra commented 5 years ago

There's a way to accomplish the connection without going through the certificate generation?

hwdsl2 commented 5 years ago

@thepra For IKEv2, the certificate generation steps are required because Libreswan does not yet support EAP in IKEv2.

However you may use the native Android client as mentioned above. See [1] [2].

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md
[2] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients-xauth.md

thepra commented 5 years ago

Tried with the native client without success. I also checked the output of ipsec verify, and there's:

Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]

May this be the cause?

hwdsl2 commented 5 years ago

@thepra Try these troubleshooting steps [1], restart the services and check server logs for errors [2].

[1] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#android-6-and-above
[2] https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#additional-steps

thepra commented 5 years ago

Nov  2 15:45:45 raspberrypi pluto[1812]: Initializing NSS
Nov  2 15:45:45 raspberrypi pluto[1812]: Opening NSS database "sql:/etc/ipsec.d" read-only
Nov  2 15:45:46 raspberrypi pluto[1812]: NSS initialized
Nov  2 15:45:46 raspberrypi pluto[1812]: NSS crypto library initialized
Nov  2 15:45:46 raspberrypi pluto[1812]: FIPS HMAC integrity support [disabled]
Nov  2 15:45:46 raspberrypi pluto[1812]: libcap-ng support [enabled]
Nov  2 15:45:46 raspberrypi pluto[1812]: Linux audit support [disabled]
Nov  2 15:45:46 raspberrypi pluto[1812]: Starting Pluto (Libreswan Version 3.27 XFRM(netkey) KLIPS FORK PTHREAD_SETSCHEDPRIO NSS SYSTEMD_WATCHDOG LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:1812
Nov  2 15:45:46 raspberrypi pluto[1812]: core dump dir: /run/pluto
Nov  2 15:45:46 raspberrypi pluto[1812]: secrets file: /etc/ipsec.secrets
Nov  2 15:45:46 raspberrypi pluto[1812]: leak-detective enabled
Nov  2 15:45:46 raspberrypi pluto[1812]: NSS crypto [enabled]
Nov  2 15:45:46 raspberrypi pluto[1812]: XAUTH PAM support [enabled]
Nov  2 15:45:46 raspberrypi pluto[1812]: NAT-Traversal support  [enabled]
Nov  2 15:45:46 raspberrypi pluto[1812]: Initializing libevent in pthreads mode: headers: 2.0.21-stable (2001500); library: 2.0.21-stable (2001500)
Nov  2 15:45:46 raspberrypi pluto[1812]: Encryption algorithms:
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_CCM_16              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm, aes_ccm_c
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_CCM_12              IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_b
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_CCM_8               IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  aes_ccm_a
Nov  2 15:45:46 raspberrypi pluto[1812]:   3DES_CBC                IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  3des
Nov  2 15:45:46 raspberrypi pluto[1812]:   CAMELLIA_CTR            IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}
Nov  2 15:45:46 raspberrypi pluto[1812]:   CAMELLIA_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  camellia
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_GCM_16              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm, aes_gcm_c
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_GCM_12              IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_b
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_GCM_8               IKEv1:     ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes_gcm_a
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_CTR                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aesctr
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_CBC                 IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  aes
Nov  2 15:45:46 raspberrypi pluto[1812]:   SERPENT_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  serpent
Nov  2 15:45:46 raspberrypi pluto[1812]:   TWOFISH_CBC             IKEv1: IKE ESP     IKEv2: IKE ESP           {256,192,*128}  twofish
Nov  2 15:45:46 raspberrypi pluto[1812]:   TWOFISH_SSH             IKEv1: IKE         IKEv2: IKE ESP           {256,192,*128}  twofish_cbc_ssh
Nov  2 15:45:46 raspberrypi pluto[1812]:   NULL_AUTH_AES_GMAC      IKEv1:     ESP     IKEv2:     ESP           {256,192,*128}  aes_gmac
Nov  2 15:45:46 raspberrypi pluto[1812]:   NULL                    IKEv1:     ESP     IKEv2:     ESP           []
Nov  2 15:45:46 raspberrypi pluto[1812]:   CHACHA20_POLY1305       IKEv1:             IKEv2: IKE ESP           [*256]  chacha20poly1305
Nov  2 15:45:46 raspberrypi pluto[1812]: Hash algorithms:
Nov  2 15:45:46 raspberrypi pluto[1812]:   MD5                     IKEv1: IKE         IKEv2:
Nov  2 15:45:46 raspberrypi pluto[1812]:   SHA1                    IKEv1: IKE         IKEv2:             FIPS  sha
Nov  2 15:45:46 raspberrypi pluto[1812]:   SHA2_256                IKEv1: IKE         IKEv2:             FIPS  sha2, sha256
Nov  2 15:45:46 raspberrypi pluto[1812]:   SHA2_384                IKEv1: IKE         IKEv2:             FIPS  sha384
Nov  2 15:45:46 raspberrypi pluto[1812]:   SHA2_512                IKEv1: IKE         IKEv2:             FIPS  sha512
Nov  2 15:45:46 raspberrypi pluto[1812]: PRF algorithms:
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_MD5                IKEv1: IKE         IKEv2: IKE               md5
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_SHA1               IKEv1: IKE         IKEv2: IKE         FIPS  sha, sha1
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_SHA2_256           IKEv1: IKE         IKEv2: IKE         FIPS  sha2, sha256, sha2_256
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_SHA2_384           IKEv1: IKE         IKEv2: IKE         FIPS  sha384, sha2_384
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_SHA2_512           IKEv1: IKE         IKEv2: IKE         FIPS  sha512, sha2_512
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_XCBC                IKEv1:             IKEv2: IKE         FIPS  aes128_xcbc
Nov  2 15:45:46 raspberrypi pluto[1812]: Integrity algorithms:
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_MD5_96             IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        md5, hmac_md5
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_SHA1_96            IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha, sha1, sha1_96, hmac_sha1
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_SHA2_512_256       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha512, sha2_512, hmac_sha2_512
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_SHA2_384_192       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha384, sha2_384, hmac_sha2_384
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_SHA2_256_128       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  sha2, sha256, sha2_256, hmac_sha2_256
Nov  2 15:45:46 raspberrypi pluto[1812]:   HMAC_SHA2_256_TRUNCBUG  IKEv1:     ESP AH  IKEv2:         AH
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_XCBC_96             IKEv1:     ESP AH  IKEv2: IKE ESP AH  FIPS  aes_xcbc, aes128_xcbc, aes128_xcbc_96
Nov  2 15:45:46 raspberrypi pluto[1812]:   AES_CMAC_96             IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  aes_cmac
Nov  2 15:45:46 raspberrypi pluto[1812]:   NONE                    IKEv1:     ESP     IKEv2:     ESP     FIPS  null
Nov  2 15:45:46 raspberrypi pluto[1812]: DH algorithms:
Nov  2 15:45:46 raspberrypi pluto[1812]:   NONE                    IKEv1:             IKEv2: IKE ESP AH  FIPS  null, dh0
Nov  2 15:45:46 raspberrypi pluto[1812]:   MODP1024                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        dh2
Nov  2 15:45:46 raspberrypi pluto[1812]:   MODP1536                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH        dh5
Nov  2 15:45:46 raspberrypi pluto[1812]:   MODP2048                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh14
Nov  2 15:45:46 raspberrypi pluto[1812]:   MODP3072                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh15
Nov  2 15:45:46 raspberrypi pluto[1812]:   MODP4096                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh16
Nov  2 15:45:46 raspberrypi pluto[1812]:   MODP6144                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh17
Nov  2 15:45:46 raspberrypi pluto[1812]:   MODP8192                IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  dh18
Nov  2 15:45:46 raspberrypi pluto[1812]:   DH19                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_256
Nov  2 15:45:46 raspberrypi pluto[1812]:   DH20                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_384
Nov  2 15:45:46 raspberrypi pluto[1812]:   DH21                    IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  ecp_521
Nov  2 15:45:46 raspberrypi pluto[1812]: starting up 3 crypto helpers
Nov  2 15:45:46 raspberrypi pluto[1812]: started thread for crypto helper 0
Nov  2 15:45:46 raspberrypi pluto[1812]: seccomp security for crypto helper not supported
Nov  2 15:45:46 raspberrypi pluto[1812]: started thread for crypto helper 1
Nov  2 15:45:46 raspberrypi pluto[1812]: started thread for crypto helper 2
Nov  2 15:45:46 raspberrypi pluto[1812]: seccomp security for crypto helper not supported
Nov  2 15:45:46 raspberrypi pluto[1812]: seccomp security for crypto helper not supported
Nov  2 15:45:46 raspberrypi pluto[1812]: Using Linux XFRM/NETKEY IPsec interface code on 4.14.71-v7+
Nov  2 15:45:46 raspberrypi pluto[1812]: | selinux support is NOT enabled.
Nov  2 15:45:46 raspberrypi pluto[1812]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Nov  2 15:45:46 raspberrypi pluto[1812]: watchdog: sending probes every 100 secs
Nov  2 15:45:46 raspberrypi pluto[1812]: seccomp security not supported
Nov  2 15:45:46 raspberrypi pluto[1812]: added connection description "l2tp-psk"
Nov  2 15:45:46 raspberrypi pluto[1812]: added connection description "xauth-psk"
Nov  2 15:45:46 raspberrypi pluto[1812]: listening for IKE messages
Nov  2 15:45:46 raspberrypi pluto[1812]: adding interface eth0/eth0 192.168.1.226:500
Nov  2 15:45:46 raspberrypi pluto[1812]: adding interface eth0/eth0 192.168.1.226:4500
Nov  2 15:45:46 raspberrypi pluto[1812]: adding interface lo/lo 127.0.0.1:500
Nov  2 15:45:46 raspberrypi pluto[1812]: adding interface lo/lo 127.0.0.1:4500
Nov  2 15:45:46 raspberrypi pluto[1812]: adding interface eth0/eth0 2001:b07:644c:4284:6fe5:aea3:a905:47d0:500
Nov  2 15:45:46 raspberrypi pluto[1812]: adding interface lo/lo ::1:500
Nov  2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface lo:500 fd 20
Nov  2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface eth0:500 fd 19
Nov  2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface lo:4500 fd 18
Nov  2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface lo:500 fd 17
Nov  2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface eth0:4500 fd 16
Nov  2 15:45:46 raspberrypi pluto[1812]: | setup callback for interface eth0:500 fd 15
Nov  2 15:45:46 raspberrypi pluto[1812]: loading secrets from "/etc/ipsec.secrets"

Nothing seems unusual in the logs.

hwdsl2 commented 5 years ago

@thepra Your logs do not show connection attempts, which means they did not reach your server. For Raspberry Pis, you must set up port forwarding on your home router for both UDP ports 500 and 4500 to your Raspberry Pi's local IP (192.168.1.226). It is also recommended to reserve a static DHCP IP on your home router for the RPi, so that it does not change. See example at: https://blog.elasticbyte.net/setting-up-a-native-cisco-ipsec-vpn-server-using-a-raspberry-pi/

thepra commented 5 years ago

Port forwarding done on 192.168.1.226 for the UDP range 500 - 4500, outer and inner. Restarted the Raspberry Pi as well. But nothing seems to work on the smartphone, Android 8.1 (which doesn't have the "Backward compatible mode"), with the native VPN set up as L2TP/IPSec PSK. And in ipsec verify those last messages remain the same:

Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]

hwdsl2 commented 5 years ago

@thepra Only UDP ports 500 and 4500 (two ports) need to be forwarded. The “ipsec verify” result in Raspberry Pi is inaccurate, please ignore that output. Connect the VPN again and then check the IPsec logs again, if you see your latest connection attempt, that means the connection attempt did reach your server. If so, edit /etc/ipsec.conf and replace sha2-truncbug=yes with sha2-truncbug=no, then run “service ipsec restart”. Then try reconnecting.

If still not working, please post your latest logs with your IP redacted.

thepra commented 5 years ago

@hwdsl2 Ok, deleted that range and put in place only those 2 UDP ports. Restarted the Pi. Tried to connect, checked the log, nothing new. This issue is so weird ._.

hwdsl2 commented 5 years ago

@thepra Check that your Raspberry Pi’s local IP still matches what you put in for port forwarding (192.168.1.226) after reboot. If not, port forward the correct IP. Also, use the correct public IP (of your home router) in your VPN clients.

You’ll need to troubleshoot this further yourself until you can see the connection attempts in the logs.

thepra commented 5 years ago

@hwdsl2 It still matches the public IP. Here's the output of ifconfig on the local Raspberry Pi:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.226  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2001:b07:644c:4284:6fe5:aea3:a905:47d0  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::61d:9e8b:31ac:cdc9  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:8f:20:c5  txqueuelen 1000  (Ethernet)
        RX packets 9498  bytes 7441747 (7.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6447  bytes 537904 (525.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

On the router web configuration: (image)

My public IP was automatically given at the end of the script run, which is still the same.

Can you help me troubleshoot? I'll give you whatever information is necessary.

hwdsl2 commented 5 years ago

@thepra Unfortunately I don’t see any issue in your configuration above. Check your home router’s status page to see what public IP is displayed there. If it does not match the public IP shown at the end of the script run (or from https://ipv4.icanhazip.com), then your ISP may be using carrier-grade NAT which blocks connections from the Internet to your home router.

You may verify that the VPN server is running properly by connecting from another device on your home network, for example, the Android 8.1 device you mentioned earlier, and just put 192.168.1.226 as the server IP. This is for testing purpose only.

Other than those above, unfortunately I am not sure and you’ll need to troubleshoot further yourself.

thepra commented 5 years ago

@hwdsl2 93.40.185.177 is my public IP, and it's still the same. I've tried changing the connection on my Android (connected to the home Wi-Fi) to 192.168.1.226. Still no logs of an attempt. But in the logs I found this:

Nov  3 04:34:29 raspberrypi pluto[1315]: watchdog: sending probes every 100 secs
Nov  3 04:34:29 raspberrypi pluto[1315]: seccomp security not supported
Nov  3 04:34:29 raspberrypi pluto[1315]: seccomp security for crypto helper not supported
Nov  3 04:34:29 raspberrypi pluto[1315]: connection l2tp-psk must specify host IP address for our side
Nov  3 04:34:29 raspberrypi pluto[1315]: Failed to load connection "l2tp-psk": attempt to load incomplete connection
Nov  3 04:34:29 raspberrypi pluto[1315]: connection xauth-psk must specify host IP address for our side
Nov  3 04:34:29 raspberrypi pluto[1315]: Failed to load connection "xauth-psk": attempt to load incomplete connection

This is an indication of something not working properly on the Raspberry Pi side, right?
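The two log excerpts in this thread illustrate the triage hwdsl2 describes: first decide whether the server could even serve clients (connections loaded?), then whether any client attempt reached the server at all, then whether negotiation completed. The following is an added example, not code from the repository or from either participant, that runs that triage over pluto log lines. The sample lines are constructed to mirror the excerpts above; pluto's pid changes on every restart, so the script groups lines by pid and judges the most recent run separately from earlier ones.

```python
import re

# Constructed sample, modelled on the two pluto excerpts posted in this thread
# (pid 1315: connections failed to load; pid 3885: a local client connected).
SAMPLE_LOG = """\
Nov  3 04:34:29 raspberrypi pluto[1315]: connection l2tp-psk must specify host IP address for our side
Nov  3 04:34:29 raspberrypi pluto[1315]: Failed to load connection "l2tp-psk": attempt to load incomplete connection
Nov  3 04:34:29 raspberrypi pluto[1315]: connection xauth-psk must specify host IP address for our side
Nov  3 04:34:29 raspberrypi pluto[1315]: Failed to load connection "xauth-psk": attempt to load incomplete connection
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: responding to Main Mode from unknown peer 192.168.1.96 on port 500
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: WARNING: connection l2tp-psk PSK length of 20 bytes is too short for sha2_384 PRF in FIPS mode (24 bytes required)
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Nov  3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x07531e12 <0x9d40ccdd xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=192.168.1.96:4500 DPD=active}
"""

# syslog prefix as written by pluto: "<month> <day> <time> <host> pluto[<pid>]: <message>"
PLUTO = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) pluto\[(\d+)\]: (.*)$")
FAILED = re.compile(r'Failed to load connection "([^"]+)"')
# an IKEv1 client reaching the server shows up as a Main Mode response to its address
ATTEMPT = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #\d+: responding to Main Mode from unknown peer')


def parse(text):
    """Return (pid, message) for every pluto line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = PLUTO.match(line)
        if m:
            events.append((int(m[3]), m[4]))
    return events


def verdict(r):
    """Order matters: a server that did not load its connections cannot serve anyone."""
    if r["failed_to_load"]:
        return "server-side: connection(s) failed to load, check /etc/ipsec.conf"
    if not r["attempts"]:
        return "no connection attempts reached the server"
    if r["ipsec_sa"] == 0:
        return "attempts reached the server but no IPsec SA was established"
    return "IPsec SA established"


def triage(text):
    """Per pluto run (pid): load failures, peers that reached us, warnings, SA counts, verdict."""
    report = {}
    for pid, msg in parse(text):
        r = report.setdefault(pid, {"failed_to_load": [], "attempts": [], "warnings": [],
                                    "isakmp_sa": 0, "ipsec_sa": 0})
        m = FAILED.search(msg)
        if m:
            r["failed_to_load"].append(m[1])
            continue
        m = ATTEMPT.match(msg)
        if m:
            r["attempts"].append((m["conn"], m["peer"]))
        elif "WARNING:" in msg:
            r["warnings"].append(msg)
        elif "ISAKMP SA established" in msg:
            r["isakmp_sa"] += 1
        elif "IPsec SA established" in msg:
            r["ipsec_sa"] += 1
    for r in report.values():
        r["verdict"] = verdict(r)
    return report


def latest_run_verdict(text):
    """Verdict for the most recently started pluto (last pid seen in the log)."""
    report = triage(text)
    if not report:
        return (None, "no pluto lines found")
    pid = list(report)[-1]
    return (pid, report[pid]["verdict"])


if __name__ == "__main__":
    for pid, r in triage(SAMPLE_LOG).items():
        print(f"pluto[{pid}]: {r['verdict']}; peers={r['attempts']}; warnings={len(r['warnings'])}")
```

Feed it the pluto lines from your syslog (for example the output of `grep pluto /var/log/auth.log`, with peer addresses redacted before sharing). The "no connection attempts reached the server" verdict is the case in this thread where port forwarding, the public IP or carrier-grade NAT has to be checked on the network side; the WARNING lines are surfaced rather than judged, because they need reading in context.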

hwdsl2 commented 5 years ago

@thepra Edit /etc/ipsec.conf and replace “left=%defaultroute” with “left=192.168.1.226”, save the file and run “service ipsec restart”. Note that all lines below a conn section must be indented by two spaces. That should fix the issue.

What I don’t understand is that in the previous log you posted, the connections loaded just fine, but not in the log you posted just now. Did you change any configuration on the server?
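The fix above is two edits to /etc/ipsec.conf: pin `left=` to the server's local IP instead of `%defaultroute`, and keep every option under a `conn` section indented by two spaces; earlier in the thread the same file gets `sha2-truncbug` flipped from `yes` to `no`. As an added example (not the project's script or either participant's code), here is a small checker and editor for those two points. The config fragment is constructed from the option names that appear in this thread and is not the file the project generates.

```python
import ipaddress
import re

# Constructed /etc/ipsec.conf fragment using only option names seen in this thread.
SAMPLE_CONF = """\
version 2.0

config setup
  uniqueids=no

conn shared
  left=%defaultroute
  right=%any
  authby=secret
  sha2-truncbug=yes

conn l2tp-psk
  auto=add
  leftprotoport=17/1701
  type=transport
  also=shared

conn xauth-psk
  auto=add
  also=shared
"""

SECTION = re.compile(r"^(conn|config)\s+(\S+)\s*$")
OPTION = re.compile(r"^(\s*)([A-Za-z0-9_-]+)=(.*)$")


def sections(text):
    """Yield (line_no, section_name_or_None, raw_line), tracking the enclosing conn/config section."""
    current = None
    for no, raw in enumerate(text.splitlines(), start=1):
        m = SECTION.match(raw)
        if m:
            current = f"{m[1]} {m[2]}"
        yield no, current, raw


def lint(text):
    """Flag unindented option lines, left=%defaultroute and sha2-truncbug=yes."""
    issues = []
    for no, section, raw in sections(text):
        if section is None or not raw.strip() or raw.lstrip().startswith("#") or SECTION.match(raw):
            continue
        # the thread's convention: every line below a conn header is indented by two spaces
        if not raw.startswith("  "):
            issues.append(f"line {no}: option under '{section}' is not indented by two spaces: {raw.strip()!r}")
            continue
        m = OPTION.match(raw)
        if not m:
            issues.append(f"line {no}: not a key=value option: {raw.strip()!r}")
            continue
        key, value = m[2], m[3].strip()
        if key == "left" and value == "%defaultroute":
            issues.append(f"line {no}: '{section}' has left=%defaultroute; pin it to the server's local IP "
                          "if pluto logs 'must specify host IP address for our side'")
        if key == "sha2-truncbug" and value == "yes":
            issues.append(f"line {no}: '{section}' has sha2-truncbug=yes; try sha2-truncbug=no if clients reach "
                          "the server but never connect")
    return issues


def set_option(text, key, value, section=None):
    """Rewrite key=value in place (all sections, or one), keeping indentation. Returns (text, count)."""
    out, changed = [], 0
    for _, sec, raw in sections(text):
        m = OPTION.match(raw)
        if m and m[2] == key and (section is None or sec == section):
            raw = f"{m[1]}{key}={value}"
            changed += 1
        out.append(raw)
    return "\n".join(out) + "\n", changed


def pin_left(text, ip):
    """Replace left=%defaultroute with a validated local IP, e.g. 192.168.1.226 from this thread."""
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an address
    return set_option(text, "left", ip)


if __name__ == "__main__":
    for issue in lint(SAMPLE_CONF):
        print(issue)
    fixed, n = pin_left(SAMPLE_CONF, "192.168.1.226")
    fixed, m = set_option(fixed, "sha2-truncbug", "no")
    print(f"{n + m} option(s) rewritten; remaining issues: {lint(fixed)}")
```

Run `lint()` against the real file before and after editing, write the result back only after reviewing the diff, and restart with `service ipsec restart` as in the thread. The checker enforces the two-space indentation exactly as stated above; it does not try to validate option values beyond the two that this thread turns on.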

thepra commented 5 years ago

@hwdsl2 Ok, right now the connection works on the local Wi-Fi: the logs show it, and it's shown as established and functioning on the smartphone. But after that, switching to the public IP on Android seems to fail the connection again (both on Wi-Fi and on carrier LTE).

Nope, I'm following the steps along with you, so I didn't touch any settings you didn't tell me to.

Here's the log after the connection is established:

Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: responding to Main Mode from unknown peer 192.168.1.96 on port 500
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: WARNING: connection l2tp-psk PSK length of 20 bytes is too short for sha2_384 PRF in FIPS mode (24 bytes required)
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: Oakley Transform [AES_CBC (256), HMAC_SHA2_384, MODP1024] refused
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: Peer ID is ID_IPV4_ADDR: '192.168.1.96'
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1024}
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Nov  3 08:43:59 raspberrypi pluto[3885]: | ISAKMP Notification Payload
Nov  3 08:43:59 raspberrypi pluto[3885]: |   00 00 00 1c  00 00 00 01  01 10 60 02
Nov  3 08:43:59 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: received and ignored notification payload: IPSEC_INITIAL_CONTACT
Nov  3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #3: the peer proposed: 192.168.1.226/32:17/1701 -> 192.168.1.96/32:17/0
Nov  3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4: responding to Quick Mode proposal {msgid:94c7a2e5}
Nov  3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4:     us: 192.168.1.226<192.168.1.226>[93.40.185.177]:17/1701
Nov  3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4:   them: 192.168.1.96:17/0
Nov  3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x07531e12 <0x9d40ccdd xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=192.168.1.96:4500 DPD=active}
Nov  3 08:44:00 raspberrypi pluto[3885]: "l2tp-psk"[2] 192.168.1.96 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x07531e12 <0x9d40ccdd xfrm=AES_CBC_256-HMAC_SHA1_96 NATOA=none NATD=192.168.1.96:4500 DPD=active}

hwdsl2 commented 5 years ago

@thepra It is good that the connection now works locally. That means your VPN server is running fine.

For external connections using your public IP, unfortunately I can’t help because I am not familiar with your ISP or home router configuration. You’ll need to troubleshoot further yourself.

thepra commented 5 years ago

If I were behind a carrier NAT, is there any chance to make it work?

hwdsl2 commented 5 years ago

@thepra No, I don't think so. Typically, ISPs with carrier-grade NAT let many users share the same public IP, therefore they cannot forward external connections to that public IP to a particular user.