[strongSwan-dev] Tunnel mode failed for a NATted desktop client at IKE phase2 negotiation.
bzhu at marblesecurity.com
Mon Jul 8 09:12:52 CEST 2013
correct a typo for my previous email:
Tunnel mode failed for a NATted desktop client at IKE phase2 negotiation.
From: dev-bounces+bzhu=marblesecurity.com at lists.strongswan.org [dev-bounces+bzhu=marblesecurity.com at lists.strongswan.org] on behalf of Ben Zhu [bzhu at marblesecurity.com]
Sent: Monday, July 08, 2013 12:08 AM
To: dev at lists.strongswan.org
Cc: Vincent Jardin
Subject: [strongSwan-dev] Tunnel mode failed for a NATted desktop client at phase1
Hi Andreas and others,
I am testing my VPN with a NATed Client and a server.
Here are settings:
1. Server side:
The server is installed with Strongswan 4.6.4 and its IP address is 192.155.8167.
# server ipsec.conf
2. Client side:
Client is a linux guest VM. Its IP addess is 10.0.2.15 and NATted to its Windows host.
The guest VM is installed with Strongswan 5.0.4 and has the following ipsec settings:
# client ipsec.conf
My issue is:
The IKE negotiation was passed phase 1 but failed at phase 2 - Quick Mode INIT.
Here are log messages I got:
peer client is 10.1.0.1
| peer client protocol/port is 0/0
| our client is 22.214.171.124
| our client protocol/port is 0/0
| no valid attribute cert found
| find_client_connection starting with nat-desktop
| looking for 126.96.36.199/32:0/0 -> 10.1.0.1/32:0/0
| concrete checking against sr#0 192.0.0.0/8 -> 10.1.0.1/32
| fc_try trying nat-desktop:188.8.131.52/32:0/0 -> 10.1.0.1/32:0/0 vs nat-desktop:192.0.0.0/8:0/0 -> 10.1.0.1/32:0/0
| fc_try concluding with none 
| fc_try nat-desktop gives none
| checking hostpair 192.0.0.0/8 -> 10.1.0.1/32 is found
| fc_try trying nat-desktop:184.108.40.206/32:0/0 -> 10.1.0.1/32:0/0 vs nat-desktop:192.0.0.0/8:0/0 -> 10.1.0.0/32:0/0
| fc_try concluding with none 
| fc_try_oppo trying nat-desktop:220.127.116.11/32 -> 10.1.0.1/32 vs nat-desktop:192.0.0.0/8 -> 10.1.0.0/32
| fc_try_oppo concluding with none 
| concluding with d = none
"nat-desktop" 18.104.22.168:58646 #1: cannot respond to IPsec SA request because no connection is known for 22.214.171.124:4500[server]...126.96.36.199:58646[client]===10.1.0.1/32
"nat-desktop" 188.8.131.52:58646 #1: sending encrypted notification INVALID_ID_INFORMATION to 184.108.40.206:58646
I have noticed:
at server side, the packages show the server directly talked to a machine with IP address 220.127.116.11 at port 58646 instead of the real client 10.0.2.15 at 500/4500.
at client side, the packages show the client talked to the server (18.104.22.168) at port 500/4500.
It seems the machine 22.214.171.124 is viewed as the real client and it intercepted IKE negotiation between the client and the server.
the other thing is the log messages show the network masks are different from what I set in ipsec.con file.
My questions are:
1. if my settings correct for a NATted connection?
2. if yes, what can cause this issue?
3. if not, how I can fix this issue?
Thanks a lot,
Dev mailing list
Dev at lists.strongswan.org
More information about the Dev