<div dir="ltr">Andreas, <div><br></div><div>Thank you very much. I am new with StrongSwan config.</div><div style>I am using the strongswan that came with Ubuntu (4.5.2) in the lab and CentOS (4.64) in rackspace.</div><div style>
<br></div><div style>I had to tweak the configs a little since 4.5/4.6 does not support rightauthby/leftauthby</div><div style>I am now able to authenticate, but now I get an "inacceptable" error now.</div><div style>
<br></div><div style>Below the servers are:</div><div style><div>198.101.XXX.XXX [rackspace]...</div><div>199.192.YYY.YYY [lab] public ip of the NAT router</div><div style>10.3.3.172 private ip address of client behind the NAT.</div>
<div><br></div><div style>Server Log:</div><div>May 8 04:46:28 dcook-centos-6 charon: 16[IKE] IKE_SA lab-rackspace[2] state change: CONNECTING => ESTABLISHED</div><div>May 8 04:46:28 dcook-centos-6 charon: 16[IKE] scheduling reauthentication in 3384s</div>
<div>May 8 04:46:28 dcook-centos-6 charon: 16[IKE] maximum IKE_SA lifetime 3564s</div><div>May 8 04:46:28 dcook-centos-6 charon: 16[CFG] looking for a child config for 198.101.XXX.XXX/32[tcp] === <a href="http://10.3.3.172/32[tcp]">10.3.3.172/32[tcp]</a></div>
<div>May 8 04:46:28 dcook-centos-6 charon: 16[CFG] proposing traffic selectors for us:</div><div>May 8 04:46:28 dcook-centos-6 charon: 16[CFG] 198.101.XXX.XXX/32[tcp] (derived from dynamic[tcp])</div><div>May 8 04:46:28 dcook-centos-6 charon: 16[CFG] proposing traffic selectors for other:</div>
<div>May 8 04:46:28 dcook-centos-6 charon: 16[CFG] 199.192.YYY.YYY/32[tcp] (derived from dynamic[tcp])</div><div>May 8 04:46:28 dcook-centos-6 charon: 16[IKE] traffic selectors 198.101.XXX.XXX/32[tcp] === <a href="http://10.3.3.172/32[tcp]">10.3.3.172/32[tcp]</a> inacceptable</div>
<div>May 8 04:46:28 dcook-centos-6 charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA</div><div>May 8 04:46:28 dcook-centos-6 charon: 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]</div>
<div>May 8 04:46:28 dcook-centos-6 charon: 16[NET] sending packet: from 198.101.XXX.XXX[4500] to 199.192.YYY.YYY[4500]</div></div><div style><br></div><div style>Dan</div><div style><br></div><div style><br></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Tue, May 7, 2013 at 8:56 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Dan,<br>
<br>
with NAT in place you must not bind PSKs to IP addresses.<br>
Just use a static label for right|leftid:<br>
<br>
Client ipsec.conf<br>
<div class="im"><br>
conn lab-rackspace<br>
leftauthby=secret<br>
rightauthby=secret<br>
left=10.3.3.172<br>
</div> leftid=lab<br>
<div class="im"> leftprotoport=tcp<br>
right=YYY.YYY.YYY.YYY <public ip of server in rackspace><br>
</div> rightid=rackspace<br>
<div class="im"> rightprotoport=tcp<br>
type=transport<br>
auto=add<br>
<br>
Client ipsec.secrets:<br>
</div>rackspace lab : PSK "foobar"<br>
<br>
Server ipsec.conf<br>
<div class="im"><br>
conn lab-rackspace<br>
leftauthby=secret<br>
rightauthby=secret<br>
left=XXX.XXX.XXX.XXX < public ip of NAT router ><br>
</div> leftid=rackspace<br>
leftprotoport=tcp<br>
right=YYY.YYY.YYY.YYY<br>
rightid=lab<br>
<div class="im"> rightprotoport=tcp<br>
type=transport<br>
auto=add<br>
<br>
Server ipsec.secret:<br>
</div>lab rackspace : PSK "foobar"<br>
<br>
Regards<br>
<br>
Andreas<br>
<div><div class="h5"><br>
On 05/07/2013 11:27 PM, Dan Cook wrote:<br>
> I am trying to setup a simple host-host test connection using<br>
> shared-secret through a NAT.<br>
><br>
> The client is behind the NAT and the server is on a static IP (but might<br>
> be a NAT in the future).<br>
><br>
> From the logs on the server it looks to be trying to make an association<br>
> between the client public ip address and the client internal nat ip<br>
> address and it can't find it.<br>
><br>
> I have looked at the sample configurations, but none seem to cover this<br>
> case.<br>
><br>
> It looks like a simple config or secrets error, but I can't see it. I<br>
> have included the client and the server config and the server logs.<br>
><br>
> Regards,<br>
> Dan<br>
><br>
> I don't want to give out public IPS so XXX.XXX.XXX.XXX is the public Ip<br>
> of the NAT router and YYY.YYY.YYY.YYY is public ip of the server in<br>
> rackspace.<br>
><br>
> Client ipsec.conf<br>
> conn %default<br>
> ikelifetime=60m<br>
> keylife=20m<br>
> rekeymargin=3m<br>
> keyingtries=1<br>
> mobike=no<br>
> keyexchange=ikev2<br>
><br>
> conn lab-rackspace<br>
> leftauthby=secret<br>
> rightauthby=secret<br>
> left=10.3.3.172<br>
> leftprotoport=tcp<br>
> right=YYY.YYY.YYY.YYY <public ip of server in rackspace><br>
> rightprotoport=tcp<br>
> type=transport<br>
> auto=add<br>
><br>
> Client ipsec.secrets:<br>
> YYY.YYY.YYY.YYY 10.3.3.172 : PSK "foobar"<br>
><br>
> Server ipsec.conf<br>
><br>
> conn %default<br>
> ikelifetime=60m<br>
> keylife=20m<br>
> rekeymargin=3m<br>
> keyingtries=1<br>
> mobike=no<br>
> keyexchange=ikev2<br>
><br>
> conn lab-rackspace<br>
> leftauthby=secret<br>
> rightauthby=secret<br>
> left=XXX.XXX.XXX.XXX < public ip of NAT router ><br>
> leftprotoport=tcp<br>
> right=YYY.YYY.YYY.YYY<br>
> rightprotoport=tcp<br>
> type=transport<br>
> auto=add<br>
><br>
> Server ipsec.secret:<br>
> YYY.YYY.YYY.YYY XXX.XXX.XXX.XXX : PSK "foobar"<br>
><br>
> Client IPSec Up command:<br>
> lab# ipsec up lab-rackspace<br>
> initiating IKE_SA lab-rackspace[18] to YYY.YYY.YYY.YYY<br>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> sending packet: from 10.3.3.172[500] to YYY.YYY.YYY.YYY[500]<br>
> received packet: from YYY.YYY.YYY.YYY[500] to 10.3.3.172[500]<br>
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)<br>
> N(MULT_AUTH) ]<br>
> local host is behind NAT, sending keep alives<br>
> authentication of '10.3.3.172' (myself) with pre-shared key<br>
> establishing CHILD_SA lab-rackspace<br>
> not using transport mode, connection NATed<br>
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr<br>
> N(MULT_AUTH) N(EAP_ONLY) ]<br>
> sending packet: from 10.3.3.172[4500] to YYY.YYY.YYY.YYY[4500]<br>
> received packet: from YYY.YYY.YYY.YYY[4500] to 10.3.3.172[4500]<br>
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
> received AUTHENTICATION_FAILED notify error<br>
><br>
> Server Log:<br>
> May 7 20:45:39 centos-6 charon: 12[NET] received packet: from<br>
> XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]<br>
> May 7 20:45:39 centos-6 charon: 12[ENC] parsed IKE_SA_INIT request 0 [<br>
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> May 7 20:45:39 centos-6 charon: 12[IKE] XXX.XXX.XXX.XXX is initiating<br>
> an IKE_SA<br>
> May 7 20:45:39 centos-6 charon: 12[IKE] remote host is behind NAT<br>
> May 7 20:45:39 centos-6 charon: 12[ENC] generating IKE_SA_INIT response<br>
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
> May 7 20:45:39 centos-6 charon: 12[NET] sending packet: from<br>
> YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500]<br>
> May 7 20:45:39 centos-6 charon: 15[NET] received packet: from<br>
> XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500]<br>
> May 7 20:45:39 centos-6 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi<br>
> N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>
> May 7 20:45:39 centos-6 charon: 15[CFG] looking for peer configs<br>
> matching YYY.YYY.YYY.YYY[YYY.YYY.YYY.YYY]...XXX.XXX.XXX.XXX[10.3.3.172]<br>
> May 7 20:45:39 centos-6 charon: 15[CFG] no matching peer config found<br>
> May 7 20:45:39 centos-6 charon: 15[ENC] generating IKE_AUTH response 1<br>
> [ N(AUTH_FAILED) ]<br>
> May 7 20:45:39 centos-6 charon: 15[NET] sending packet: from<br>
> YYY.YYY.YYY.YYY[4500] to XXX.XXX.XXX.XXX[4500]<br>
><br>
><br>
><br>
><br>
</div></div><div class="im">> _______________________________________________<br>
> Users mailing list<br>
> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
</div>> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</font></span></blockquote></div><br></div>