<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<p>I have a WORKING system that includes a Linux machine running OpenSwan as a client connecting to a Zyxel USG-20W router. I want to upgrade the Linux distribution and that appears to require switching from OpenSwan to StrongSwan. I'm not able to make this
work so far. I found this thread in the archives where a user (Tom Jackson) apparently had similar trouble, but he ended up going the other way, from StrongSwan to OpenSwan so the resolution is no help. Like Jackson's post, this is part of a larger system
that already supports Windows machines with no apparent problems.</p>
<p><br>
</p>
<p>I did reproduce Tom Jackson's apparent problem. I found additional log messages, however, that seem to indicate that there is an issue with the way that NAT-T is handled between StrongSwan and the Zyxel. The relevant portions are below. The client has
10.0.0.66 on its local network. I replaced the public IPs with placeholders.</p>
<p><br>
</p>
<p>---- FAILED attempt from StrongSwan Linux client to Zyxel in the Zyxel logs -----</p>
<p>Message: Authentication failed (24)</p>
<p>Remove IKE peer &lt;StrongSwan Public IP&gt;:500 ID (null)</p>
<p>Local IKE peer &lt;Zyxel Public IP&gt;:500 ID (null)</p>
<p>----</p>
<p><br>
</p>
<p>---- SUCCESSFUL attempt from OpenSwan Linux client to Zyxel in the Zyxel logs ----</p>
<p>Remove IKE peer &lt;OpenSwan Public IP&gt;:4500 ID 10.0.0.66</p>
<p>Local IKE peer &lt;Zyxel Public IP&gt;:4500 ID 0.0.0.0 (ipv4)</p>
<p>... (Snipped bits where it completes negotiation of algorithms)</p>
<p>Remote Authentication Method: Pre-Shared key</p>
<p>Local Authentication Method: Pre-Shared key</p>
<p>IKEv1 SA [Responder, NAT-T] negotiation complete</p>
<p>It is recommended to use non-IP identities with NAT-T to avoid ID collisions</p>
<p>NAT-T initial contact notification with IP identity 1.0.0.66 (ip4)</p>
<p>IKE auth method Pre-shared keys, SA lifetime 3600</p>
<p>----</p>
<p><br>
</p>
<p>In the successful attempt, it's clear from the logs that the NAT situation was detected and handled. It appears in the failed attempt that the NAT is not recognized. In the (successful) OpenSwan case, I can explicitly configure "nat_traversal=yes" and
that does the trick. My understanding from the docs is that StrongSwan does not support that config option anymore and that charon is supposed to handle this automatically and internally.</p>
<p><br>
</p>
<p>Any suggestions?</p>
<p><br>
</p>
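<p>Added example (not part of the original message, and not strongSwan's or Zyxel's own documentation): the shape of an IKEv1 pre-shared-key client <code>conn</code> in strongSwan's <code>ipsec.conf</code>, written from the two log excerpts above. The points it illustrates are that charon has no <code>nat_traversal=</code> keyword and detects NAT on its own, that the working OpenSwan session presented the IPv4 identity <code>10.0.0.66</code> while the failed strongSwan session presented no identity at all (so <code>leftid</code> is set explicitly), and that <code>forceencaps=yes</code> is the one knob strongSwan offers to force UDP encapsulation on port 4500 when NAT detection does not fire. The Zyxel address, subnets, cipher proposals and secret are constructed placeholders and must be replaced with the values the Zyxel is actually configured for.</p>

```conf
# /etc/ipsec.conf  (added example; placeholders marked below)

config setup
    # charon performs NAT detection automatically during IKE phase 1;
    # there is no nat_traversal= option to set here.

conn zyxel
    keyexchange=ikev1
    authby=secret
    type=tunnel
    left=%defaultroute
    # The successful OpenSwan session identified itself as 10.0.0.66;
    # the failed strongSwan session sent ID (null). Send the same identity.
    leftid=10.0.0.66
    # placeholder: the client's local network behind the NAT
    leftsubnet=10.0.0.0/24
    # placeholder: the router's public address, as in the log excerpts
    right=ZYXEL_PUBLIC_IP
    # the Zyxel answered with ID 0.0.0.0, so do not pin a remote identity
    rightid=%any
    # placeholder: the network behind the Zyxel
    rightsubnet=192.168.1.0/24
    # placeholders: phase 1 / phase 2 proposals must match the Zyxel's
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    # Force ESP-in-UDP on port 4500 even if charon's NAT detection
    # does not trigger against this peer.
    forceencaps=yes
    auto=start
```

```conf
# /etc/ipsec.secrets  (added example; placeholder secret)
10.0.0.66 ZYXEL_PUBLIC_IP : PSK "replace-with-the-shared-secret"
```

<p>After reloading with <code>ipsec reload</code> and <code>ipsec rereadsecrets</code>, the Zyxel log for the strongSwan peer should show the same <code>:4500</code> port and <code>ID 10.0.0.66</code> lines that the OpenSwan session produced; if it still shows <code>:500</code> and <code>ID (null)</code>, the identity and the forced encapsulation are the two settings to re-check first.</p>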
</div>
</body>
</html>