<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt"><div>Hi Everyone,</div><div><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">I appreciate if someone can help me with some configuration issue that I am facing with.</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">I have a Linux machine running Strongswan 5.0.4-1 . That machine gets connected to the internet via a modem ( 3g GSM AT@T)and it gets different IP address every time it connects( like 10.227.110.112) .Of course this not the public address and it is behind the AT@T
firewall/NAT.</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">I want to connect my machine to my remote server which has a public IP address. ( host -to -host).</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">Since my letf ip address keeps changing can I use %any for left ?</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color:
transparent; font-style: normal;">I used the following ipsec,conf:( ipsec start ran without error)</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="background-color: transparent;">version 2</div><div style="background-color: transparent;">config setup</div><div style="background-color: transparent;"> charondebug = "ike 2,knl 2"</div><div style="background-color: transparent;"><br></div><div style="background-color: transparent;">conn 1</div><div style="background-color: transparent;"> keylife=60m</div><div style="background-color: transparent;"> rekeymargin=9m</div><div style="background-color: transparent;"> keyingtries=1</div><div style="background-color: transparent;">
keyexchange=ikev1</div><div style="background-color: transparent;"> left=%any</div><div style="background-color: transparent;"> right=216.177.93.234</div><div style="background-color: transparent;"> authby=secret</div><div style="background-color: transparent;"> auto=add</div><div style="background-color: transparent;"> leftid="@lmu55"</div><div style="background-color: transparent;"> rightid="@lmudiag"</div><div style="background-color: transparent;"> leftfirewall=yes</div><div style="background-color: transparent;"> type=tunnel</div><div><br></div><div><br></div><div>When I try to connect I can see the IKE_SA 1 established between two machines:</div><div><div><br></div><div>IKE_SA 1[1] established between
10.227.110.112[lmu55]...216.177.93.234[lmudiag]</div><div><br></div></div><div><br></div><div>but after that it keeps re transmitting keepalive packets to remote machine port 4500 and after 5 retires it fails with following error:</div><div><br></div><div style="background-color: transparent;">sending keep alive to 216.177.93.234[4500]</div><div style="background-color: transparent;">giving up after 5 retransmits</div><div style="background-color: transparent;">unable to delete SAD entry with SPI c027d68a: No such process (3)</div><div style="background-color: transparent;">establishing connection '1' failed</div><div><br></div><div><br></div><div>At the end I put the whole data captured from my machine for your review.</div><div><br></div><div><br></div><div>I truly appreciate if someone can help me with this.</div><div> </div><div>The other end run Openswan on a Centos 5.8 machine. Is there any strongswan package available
for Centos?<br></div><div>Other end is also behind firewall/NAT and its eth0 address is 10.0.12.34 which never changes.</div><div><br></div><div>Just to mention in ipsec.conf in strongswan machine if put the current IP address in left= instead of %any I get the same result.</div><div><br></div><div>Thanks,</div><div>Farid</div><div><br></div><div><br></div><div><br></div><div><div>root@LMU5k:~# ipsec up 1</div><div>initiating Main Mode IKE_SA 1[1] to 216.177.93.234</div><div>generating ID_PROT request 0 [ SA V V V V ]</div><div>sending packet: from 10.227.110.112[500] to 216.177.93.234[500] (224 bytes)</div><div>received packet: from 216.177.93.234[500] to 10.227.110.112[500] (140 bytes)</div><div>parsed ID_PROT response 0 [ SA V V V ]</div><div>received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61</div><div>received DPD vendor ID</div><div>received NAT-T (RFC 3947) vendor ID</div><div>generating ID_PROT request 0
[ KE No NAT-D NAT-D ]</div><div>sending packet: from 10.227.110.112[500] to 216.177.93.234[500] (372 bytes)</div><div>received packet: from 216.177.93.234[500] to 10.227.110.112[500] (356 bytes)</div><div>parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]</div><div>local host is behind NAT, sending keep alives</div><div>remote host is behind NAT</div><div>generating ID_PROT request 0 [ ID HASH ]</div><div>sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (76 bytes)</div><div>received packet: from 216.177.93.234[4500] to 10.227.110.112[4500] (76 bytes)</div><div>parsed ID_PROT response 0 [ ID HASH V ]</div><div>IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag]</div><div>scheduling reauthentication in 10233s</div><div>maximum IKE_SA lifetime 10773s</div><div>generating QUICK_MODE request 1438687057 [ HASH SA No ]</div><div>sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204
bytes)</div><div>sending retransmit 1 of request message ID 1438687057, seq 4</div><div>sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)</div><div>sending retransmit 2 of request message ID 1438687057, seq 4</div><div>sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)</div><div>sending retransmit 3 of request message ID 1438687057, seq 4</div><div>sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)</div><div>sending keep alive to 216.177.93.234[4500]</div><div>sending retransmit 4 of request message ID 1438687057, seq 4</div><div>sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)</div><div>sending keep alive to 216.177.93.234[4500]</div><div>sending keep alive to 216.177.93.234[4500]</div><div>sending retransmit 5 of request message ID 1438687057, seq 4</div><div>sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204
bytes)</div><div>sending keep alive to 216.177.93.234[4500]</div><div>sending keep alive to 216.177.93.234[4500]</div><div>sending keep alive to 216.177.93.234[4500]</div><div>giving up after 5 retransmits</div><div>unable to delete SAD entry with SPI c027d68a: No such process (3)</div><div>establishing connection '1' failed</div><div><br></div></div><div><br></div><div><br></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"> </div></div></body></html>