[strongSwan] NAT + RoadWarrior: cannot create IPsec SA, ISAKMP ok

Richard Chan rspchan at starhub.net.sg
Sun Feb 13 09:19:55 CET 2011


Thank you very much! All 3 options are working in my testbed now.

Regards
Richard

On Sun, Feb 13, 2011 at 3:43 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:

> Hello,
>
> because of the NAT situation you must define
>
> rightsubnet=10.10.124.14/32
>
> on the VPN hub or if you have several clients with addresses in
> the 10.10.0.0/16 network
>
> rightsubnetwithin=10.10.0.0/16
>
> The third and best alternative would be for the VPN hub
> to assign a virtual IP address to each RA client:
>
> On the VPN hub
>
> rightsourceip=10.0.3.0/24 # choose any pool you like
>
> and on the RA client
>
> leftsourceip=%config
>
> Regards
>
> Andreas
>
> On 02/13/2011 08:28 AM, Richard Chan wrote:
> > Hello,
> >
> > I am testing out the Remote access (RA) + PSK configuration. It is
> > working if the two devices are routed. But if the RA is behind NAT,
> > IKE Phase I succeeds and Phase II fails.
> >
> > From auth.log below, I can see that IKE Phase I succeeds, but then I
> > cannot create the Phase II SA. Any suggestions?
> >
> > moon (the VPN hub)
> >
> > ipsec.secrets
> >
> > 192.168.123.12 %any : PSK "secret"
> >
> > ipsec.conf
> >
> > conn hub
> > left=192.168.123.12
> > leftsubnet=172.25.12.0/24
> > right=%any
> > authby=secret
> > auto=add
> >
> > carol (the RA client, behind NAT)
> >
> > ipsec.secrets
> >
> > 10.10.124.14 192.168.123.12 : PSK "secret"
> >
> > ipsec.conf
> >
> > conn rw
> > left=%defaultroute
> > right=192.168.123.12
> > rightsubnet=172.25.12.0/24
> > authby=secret
> > auto=add
> >
> >
> > auth.log on moon:
> >
> > Feb 13 15:18:33 vm01 pluto[6774]: | *received 268 bytes from 192.168.123.1:1031 on eth0
> > Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [strongSwan]
> > Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [XAUTH]
> > Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [Dead Peer Detection]
> > Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [RFC 3947]
> > Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> > Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> > Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> > Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> > Feb 13 15:18:33 vm01 pluto[6774]: | preparse_isakmp_policy: peer requests PSK authentication
> > Feb 13 15:18:33 vm01 pluto[6774]: | instantiated "hub" for 192.168.123.1
> > Feb 13 15:18:33 vm01 pluto[6774]: | creating state object #1 at 0x7fe4f2b2db20
> > Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE:  41 51 f8 ff  2a 0a 4a 34
> > Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE:  5f 41 53 47  1b fa 54 d7
> > Feb 13 15:18:33 vm01 pluto[6774]: | peer:  c0 a8 7b 01
> > Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
> > Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
> > Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: responding to Main Mode from unknown peer 192.168.123.1:1031
> > Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> > Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> > Feb 13 15:18:33 vm01 pluto[6774]: |
> > Feb 13 15:18:33 vm01 pluto[6774]: | *received 356 bytes from 192.168.123.1:1031 on eth0
> > Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE:  41 51 f8 ff  2a 0a 4a 34
> > Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE:  5f 41 53 47  1b fa 54 d7
> > Feb 13 15:18:33 vm01 pluto[6774]: | peer:  c0 a8 7b 01
> > Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
> > Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R1
> > Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
> > Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
> > Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> > Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> > Feb 13 15:18:33 vm01 pluto[6774]: |
> > Feb 13 15:18:33 vm01 pluto[6774]: | *received 76 bytes from 192.168.123.1:4500 on eth0
> > Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE:  41 51 f8 ff  2a 0a 4a 34
> > Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE:  5f 41 53 47  1b fa 54 d7
> > Feb 13 15:18:33 vm01 pluto[6774]: | peer:  c0 a8 7b 01
> > Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
> > Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R2
> > Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: Peer ID is ID_IPV4_ADDR: '10.10.124.14'
> > Feb 13 15:18:33 vm01 pluto[6774]: | peer CA:      %none
> > Feb 13 15:18:33 vm01 pluto[6774]: | offered CA:   %none
> > Feb 13 15:18:33 vm01 pluto[6774]: | switched from "hub" to "hub"
> > Feb 13 15:18:33 vm01 pluto[6774]: | instantiated "hub" for 192.168.123.1
> > Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:1031 #1: deleting connection "hub" instance with peer 192.168.123.1 {isakmp=#0/ipsec=#0}
> > Feb 13 15:18:33 vm01 pluto[6774]: | NAT-T: new mapping 192.168.123.1:1031/4500)
> > Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_SA_REPLACE, timeout in 10530 seconds for #1
> > Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:4500 #1: sent MR3, ISAKMP SA established
> > Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
> > Feb 13 15:18:33 vm01 pluto[6774]: |
> > Feb 13 15:18:33 vm01 pluto[6774]: | *received 444 bytes from 192.168.123.1:4500 on eth0
> > Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE:  41 51 f8 ff  2a 0a 4a 34
> > Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE:  5f 41 53 47  1b fa 54 d7
> > Feb 13 15:18:33 vm01 pluto[6774]: | peer:  c0 a8 7b 01
> > Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
> > Feb 13 15:18:33 vm01 pluto[6774]: | state object not found
> > Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE:  41 51 f8 ff  2a 0a 4a 34
> > Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE:  5f 41 53 47  1b fa 54 d7
> > Feb 13 15:18:33 vm01 pluto[6774]: | peer:  c0 a8 7b 01
> > Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
> > Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R3
> > Feb 13 15:18:33 vm01 pluto[6774]: | peer client is 10.10.124.14
> > Feb 13 15:18:33 vm01 pluto[6774]: | peer client protocol/port is 0/0
> > Feb 13 15:18:33 vm01 pluto[6774]: | our client is subnet 172.25.12.0/24
> > Feb 13 15:18:33 vm01 pluto[6774]: | our client protocol/port is 0/0
> > Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:4500 #1: cannot respond to IPsec SA request because no connection is known for 172.25.12.0/24===192.168.123.12:4500[192.168.123.12]...192.168.123.1:4500[10.10.124.14]===10.10.124.14/32
> >
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
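As an added example that is not part of this thread and not strongSwan's own code, the Python below models the Quick Mode connection lookup that fails in the auth.log above ("cannot respond to IPsec SA request because no connection is known for ...") and shows why each of the three settings Andreas suggests makes it succeed. The matching rules are a simplified assumption about pluto's behaviour, reduced to the selectors the log prints: the hub compares the client selector the peer proposes (10.10.124.14/32, its private address) against what the matching conn allows, and when neither rightsubnet nor rightsubnetwithin is set the allowed peer selector is the peer's IKE address as the hub sees it, which behind NAT is the NAT box 192.168.123.1. Field names mirror ipsec.conf keywords, but the classes and functions (Conn, QuickModeRequest, find_conn, demo) are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Conn:
    """The subset of an ipsec.conf conn that matters for Quick Mode matching (modelled)."""
    name: str
    leftsubnet: str
    rightsubnet: Optional[str] = None        # exact selector the peer must propose
    rightsubnetwithin: Optional[str] = None  # peer may propose any subnet inside this
    rightsourceip: Optional[str] = None      # pool of virtual IPs the hub hands out


@dataclass
class QuickModeRequest:
    """What the responder sees when the client's Quick Mode proposal arrives (modelled)."""
    peer_addr: str                    # IKE source address on the wire (the NAT box when NATed)
    peer_client: str                  # selector the client proposes for itself
    our_client: str                   # selector the client proposes for the hub side
    virtual_ip: Optional[str] = None  # address assigned via leftsourceip=%config, if any


def find_conn(conns: List[Conn], req: QuickModeRequest) -> Optional[str]:
    """Return the name of the first conn whose selectors match the request,
    or None, which is the 'no connection is known' failure in the log."""
    peer_client = ip_network(req.peer_client)
    our_client = ip_network(req.our_client)
    for c in conns:
        if ip_network(c.leftsubnet) != our_client:
            continue
        if c.rightsourceip is not None:
            # Virtual IP: the peer must propose exactly the address the hub assigned
            # to it, and that address must come from the hub's own pool.
            if (req.virtual_ip is not None
                    and ip_address(req.virtual_ip) in ip_network(c.rightsourceip)
                    and peer_client == ip_network(req.virtual_ip)):
                return c.name
            continue
        if c.rightsubnetwithin is not None:
            if peer_client.subnet_of(ip_network(c.rightsubnetwithin)):
                return c.name
            continue
        # Neither set: the peer's client defaults to its own IKE address as the hub
        # sees it (assumption). Behind NAT that is the NAT box, not the real client.
        expected = ip_network(c.rightsubnet) if c.rightsubnet else ip_network(req.peer_addr)
        if peer_client == expected:
            return c.name
    return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed inputs using the thread's addresses: hub subnet 172.25.12.0/24,
    NAT box 192.168.123.1, client 10.10.124.14, virtual IP pool 10.0.3.0/24."""
    nated = QuickModeRequest("192.168.123.1", "10.10.124.14/32", "172.25.12.0/24")
    routed = QuickModeRequest("10.10.124.14", "10.10.124.14/32", "172.25.12.0/24")
    with_vip = QuickModeRequest("192.168.123.1", "10.0.3.1/32", "172.25.12.0/24",
                                virtual_ip="10.0.3.1")
    as_posted = [Conn("hub", "172.25.12.0/24")]
    opt1 = [Conn("hub", "172.25.12.0/24", rightsubnet="10.10.124.14/32")]
    opt2 = [Conn("hub", "172.25.12.0/24", rightsubnetwithin="10.10.0.0/16")]
    opt3 = [Conn("hub", "172.25.12.0/24", rightsourceip="10.0.3.0/24")]
    return {
        "routed_as_posted": find_conn(as_posted, routed),      # works, as Richard saw
        "nated_as_posted": find_conn(as_posted, nated),        # fails: 10.10.124.14/32 != 192.168.123.1/32
        "rightsubnet": find_conn(opt1, nated),                 # option 1
        "rightsubnetwithin": find_conn(opt2, nated),           # option 2
        "rightsourceip": find_conn(opt3, with_vip),            # option 3
        "rightsourceip_spoofed_selector": find_conn(opt3, nated),  # private address without a pool lease is refused
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32s} -> {result}")
```

The last case is the reason the virtual IP variant is the one to prefer in a road warrior setup authenticated with a shared PSK and right=%any: with rightsubnetwithin=10.10.0.0/16 any peer holding the PSK can propose any /32 in that range and the hub will install a policy for it, whereas with rightsourceip the hub chooses the tunnel address and only that address is accepted as the peer selector.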
