Hi,

It seems dynamic update of the other end's IP address in NAT traversal is not supported in strongSwan. According to RFC 4306, it should be supported as part of NAT traversal. Please find below the topology and the issue I'm facing.
Cisco
VPN client -------------- Router1 ------------------------------------- VPN Server (strongSwan)
20.1.1.1               20.1.1.2   50.1.1.226                          50.1.1.227
                                    (eth1)
iptables
++++++
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

I have established a VPN connection between the VPN client and the VPN server, with the NATed IP 50.1.1.226 talking to 50.1.1.227.
After some time, the eth1 interface IP address of Router1 changed to 50.1.1.228, and the tunnel got disturbed, throwing the following error.
Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:09 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:14 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:19 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Does strongSwan plan to implement the dynamic IP address update feature in NAT-T?

/etc/ipsec.conf
++++++++++++
ca vpnca
  cacert=caCert.pem
  #crluri=crl.pem
  auto=add

config setup
  plutostart=yes
  #plutodebug=control
  charonstart=no
  charondebug="net 0"
  nat_traversal=yes
  crlcheckinterval=10m
  strictcrlpolicy=no

conn %default
  ikelifetime=60m
  keylife=20m
  keyexchange=ikev1
  rekeymargin=3m
  keyingtries=1
  #leftupdown="sudo -E ipsec _updown"

# Add connections here.
conn cisco-vpn
  type=tunnel
  ike=aes256-sha1-modp1536!
  esp=aes256-sha1!
  #keyexchange=ikev2
  dpdaction=clear
  dpddelay=300s
  rekeymargin=3m
  keyingtries=1
  left=%defaultroute
  leftsubnet=0.0.0.0/0
  #leftsubnetwithin=10.3.1.1/24
  leftcert=dutCert.pem
  leftid="C=CH, O=strongSwan, CN=strongswan"
  right=%any
  #rightsourceip=%abcd
  leftfirewall=yes
  rightsourceip=30.1.1.1/24
  #rightsubnet=30.1.1.1/24
  pfs=no
  authby=xauthrsasig
  xauth=server

ipsec.secrets
+++++++++++
: RSA dutKey.pem
tester : XAUTH "tester"

Regards,
Saravanan N
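A log check for the failure mode quoted above, added here as an example and not part of the original post or of strongSwan itself: it parses the pluto messages (a constructed sample built from the lines quoted in the post), correlates the refused nat_traversal_new_mapping with the later packets arriving from the new address and the ICMP errors for the old one, and reports which tunnel is stuck on a stale NAT mapping. The field names and the alert rule are my own assumptions, not anything the daemon exposes.

```python
import re

# Constructed sample: a subset of the pluto lines quoted in the post above.
SAMPLE_LOG = """\
Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
"""

# pluto refuses to move the IKEv1 SA to the new NAT mapping: [old,new]
MAPPING_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] [\d.]+:\d+ #(?P<sa>\d+): nat_traversal_new_mapping: '
    r'address change currently not supported \[(?P<old>[\d.]+:\d+),(?P<new>[\d.]+:\d+)\]')
# the peer keeps sending from the new address, but no SA is bound to it any more
UNKNOWN_SA_RE = re.compile(r'packet from (?P<src>[\d.]+:\d+): Informational Exchange is for an unknown')
# our own replies still go to the old address, which the NAT no longer owns
NOROUTE_RE = re.compile(r'for message to (?P<dst>[\d.]+) port (?P<port>\d+),.*No route to host')


def analyze(log_text):
    """Map (conn, sa) -> evidence that the tunnel is stuck on a stale NAT mapping."""
    findings = {}
    for line in log_text.splitlines():
        m = MAPPING_RE.search(line)
        if m:
            f = findings.setdefault((m['conn'], int(m['sa'])),
                                    {'old': m['old'], 'new': m['new'],
                                     'refusals': 0, 'orphans_from_new': 0, 'unreachable_old': 0})
            f['refusals'] += 1
            continue
        m = UNKNOWN_SA_RE.search(line)
        if m:
            for f in findings.values():
                if f['new'] == m['src']:
                    f['orphans_from_new'] += 1
            continue
        m = NOROUTE_RE.search(line)
        if m:
            stale = f"{m['dst']}:{m['port']}"
            for f in findings.values():
                if f['old'] == stale:
                    f['unreachable_old'] += 1
    return findings


def stuck_tunnels(findings):
    """Alert only when the refusal is followed by either symptom, not on a lone refusal."""
    return sorted(key for key, f in findings.items()
                  if f['refusals'] and (f['orphans_from_new'] or f['unreachable_old']))
```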