[strongSwan] shrew -> NAT(linux)-> strongswan = disconnected

sftf sftf-misc at mail.ru
Fri Jun 25 08:30:20 CEST 2010


I can't figure out whether it is my strongSwan misconfiguration or something else.
If I disable the manual IPsec policy on the Shrew client and check "Obtain Topology Automatically",
the pluto log shows:

cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===195.162.66.178:4500...195.162.66.179:4500===192.168.255.2/32

I'm trying to make the connection between roadwarrior and the network behind the gateway 195.162.66.178.
And I would like to advertise network 192.168.0.0/24 behind the gateway 195.162.66.178 to roadwarriors.

What should I do?

==========
config setup
        plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=no
        plutostart=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    left=195.162.66.178
    leftsubnet=192.168.0.0/24
    leftcert=gw.openorgan.ru-cert.pem
    keyexchange=ikev1
    type=tunnel
    pfs=yes
    pfsgroup=modp1024
    ike=aes256-sha1-modp1024
    xauth=server
    dpdaction=clear
    dpddelay=10

conn rw2
    right=%any
    rightsourceip=192.168.255.2
    rightsubnet=192.168.255.0/24
    rightid="C=RU, ST=Tomsk region, O=organ, OU=Central Office, CN=rw2, E=rw2 at openorgan.ru"
    auto=add
    authby=xauthrsasig
    #authby=rsasig

AS> I rather suspect that adding the IPsec policies

AS> 10/06/23 09:38:51 ii : creating IPSEC INBOUND policy
AS> ANY:192.168.0.0/24:* -> ANY:192.168.255.2:*
AS> 10/06/23 09:38:51 DB : policy added ( obj count = 4 )
AS> 10/06/23 09:38:51 K>> : send pfkey X_SPDADD UNSPEC message
AS> 10/06/23 09:38:51 K< : recv pfkey X_SPDADD UNSPEC message
AS> 10/06/23 09:38:51 DB : policy found
AS> 10/06/23 09:38:51 ii : creating IPSEC OUTBOUND policy
AS> ANY:192.168.255.2:* -> ANY:192.168.0.0/24:*
AS> 10/06/23 09:38:52 ii : created IPSEC policy route for 192.168.0.0/24
AS> 10/06/23 09:38:52 DB : policy added ( obj count = 5 )
AS> 10/06/23 09:38:52 K>> : send pfkey X_SPDADD UNSPEC message
AS> 10/06/23 09:38:52 ii : creating IPSEC INBOUND policy
AS> ANY:195.162.56.224/29:* -> ANY:192.168.255.2:*
AS> 10/06/23 09:38:52 DB : policy added ( obj count = 6 )
AS> 10/06/23 09:38:52 K>> : send pfkey X_SPDADD UNSPEC message
AS> 10/06/23 09:38:52 ii : creating IPSEC OUTBOUND policy
AS> ANY:192.168.255.2:* -> ANY:195.162.56.224/29:*
AS> 10/06/23 09:38:52 ii : created IPSEC policy route for 195.162.56.224/29

AS> somehow prevents strongSwan from receiving any further IKE packets
AS> in the NAT case.
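The pluto line quoted at the top of this post already names both proposed traffic selectors: the roadwarrior asked for 0.0.0.0/0 on the gateway side and 192.168.255.2/32 on its own side, while the ipsec.conf only offers leftsubnet=192.168.0.0/24. The following script is an added illustration written for this page, not code from the thread or from the strongSwan project: it parses that pluto message and a copy of the poster's conn definitions and reports, per conn, which side disagrees. The matching rule it applies (the *subnet must equal the proposed selector, or a single address drawn from *sourceip is accepted) is a deliberate simplification assumed here, not pluto's exact algorithm; the embedded log line and config fragment are constructed from the post.

```python
import ipaddress
import re

# Constructed sample input: the pluto message quoted in the post.
PLUTO_LINE = (
    "cannot respond to IPsec SA request because no connection is known for "
    "0.0.0.0/0===195.162.66.178:4500...195.162.66.179:4500===192.168.255.2/32"
)

# Constructed sample input: the parts of the poster's ipsec.conf that decide matching.
IPSEC_CONF = """\
config setup
        plutostart=yes

conn %default
    left=195.162.66.178
    leftsubnet=192.168.0.0/24

conn rw2
    right=%any
    rightsourceip=192.168.255.2
    rightsubnet=192.168.255.0/24
    auto=add
"""

# Layout of the message: <left TS>===<left endpoint>...<right endpoint>===<right TS>
PLUTO_RE = re.compile(r"no connection is known for (\S+?)===(\S+?)\.\.\.(\S+?)===(\S+)")


def parse_pluto_selectors(line):
    """Extract endpoints and traffic selectors from a 'no connection is known' line."""
    m = PLUTO_RE.search(line)
    if m is None:
        return None
    left_ts, left_ep, right_ep, right_ts = m.groups()
    return {
        "left_ts": ipaddress.ip_network(left_ts),
        "left_ep": left_ep,
        "right_ep": right_ep,
        "right_ts": ipaddress.ip_network(right_ts),
    }


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: conn sections as dicts, with %default merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():  # an unindented line opens a section
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None  # skip 'config setup'
            if current is not None:
                sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    default = sections.pop("%default", {})
    return {name: {**default, **kv} for name, kv in sections.items()}


def _side_rules(conn, side):
    """(exact_nets, pools) one side of a conn accepts under the simplified rule
    assumed here: *subnet (else the endpoint /32) must equal the proposal, or the
    proposal is a single address taken from *sourceip."""
    exact, pools = [], []
    subnet, endpoint = conn.get(f"{side}subnet"), conn.get(side)
    if subnet:
        exact.append(ipaddress.ip_network(subnet, strict=False))
    elif endpoint and endpoint != "%any":
        exact.append(ipaddress.ip_network(endpoint + "/32"))
    if conn.get(f"{side}sourceip"):
        pools.append(ipaddress.ip_network(conn[f"{side}sourceip"], strict=False))
    return exact, pools


def _accepts(rules, ts):
    exact, pools = rules
    if ts in exact:
        return True
    return ts.prefixlen == ts.max_prefixlen and any(ts.network_address in p for p in pools)


def diagnose(pluto_line, conf_text):
    """Per conn, list the proposed selectors the configuration does not accept."""
    sel = parse_pluto_selectors(pluto_line)
    if sel is None:
        return {"matched": False, "mismatches": {}}
    matched, mismatches = False, {}
    for name, conn in parse_ipsec_conf(conf_text).items():
        problems = []
        for side, ts in (("left", sel["left_ts"]), ("right", sel["right_ts"])):
            rules = _side_rules(conn, side)
            if not _accepts(rules, ts):
                accepted = [str(n) for n in rules[0]] + [f"{p} (pool)" for p in rules[1]]
                problems.append(f"peer proposed {ts} for the {side} side; conn accepts {accepted}")
        if problems:
            mismatches[name] = problems
        else:
            matched = True
    return {"matched": matched, "mismatches": mismatches}


if __name__ == "__main__":
    for conn, problems in diagnose(PLUTO_LINE, IPSEC_CONF)["mismatches"].items():
        for p in problems:
            print(f"{conn}: {p}")
```

Run against the post's own data, the right side is accepted (192.168.255.2/32 is exactly the rightsourceip address) and the only finding is the left side: the client asked for 0.0.0.0/0 where the gateway offers 192.168.0.0/24. That is the disagreement the pluto message is reporting, independently of the NAT and manual-policy problem Andreas points at in the quoted reply.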
