[strongSwan] Help with StrongSwan 4.3.4 and NAT-T

Bob McChesney bmcchesney at gmail.com
Wed Mar 24 11:47:49 CET 2010


Hello,

First, I'm no expert at StrongSwan and IPsec, so this is probably a
configuration error on my part; on that understanding I would
appreciate any help or advice you can offer on this problem...

Two OpenSUSE (11.2 x86_64) servers forming a tunnel, one behind NAT.
The tunnel establishes OK, but if one of the servers is restarted or
reloaded then the tunnel goes down. The tunnel won't come back up until the
other server is restarted or reloaded. It looks to me like both
endpoints elevate the status to NAT-T and thereafter expect all
communication to come over port 4500. If one is restarted, only one
knows to use 4500, and thereafter both refuse to take each other's
messages.

Overview: (All subnets are /24, and the 192.168.88.0/24 is my
imaginary public internet.)

eth1 - 192.168.21.1
-----------
|  VPN1   |
-----------
eth0 - 192.168.88.221
    |
    |
eth0 - 192.168.88.222
-----------
|  NAT    |(Port forwarding UDP500 and UDP4500 to 192.168.20.2)
-----------
eth1 - 192.168.20.1
    |
    |
eth0 - 192.168.20.2
-----------
|  VPN2   |
-----------
eth1 - 192.168.22.1

Configuration:

ipsec.secrets (same on both machines):
192.168.88.221 192.168.88.222: PSK "test"

ipsec.conf (VPN1):
config setup
	nat_traversal=yes
	charonstart=yes
	plutostart=yes
	interfaces="ipsec0=eth0"

conn %default
	left=192.168.88.221
	leftsourceip=192.168.21.1
	leftsubnet=192.168.21.0/24
	leftnexthop=192.168.88.222

conn vpn2
	type=tunnel
	authby=psk
	right=192.168.88.222
	rightsubnet=192.168.22.0/24
	keyexchange=ikev1
	auto=start

ipsec.conf (VPN2):
config setup
	nat_traversal=yes
	charonstart=yes
	plutostart=yes
	interfaces="ipsec0=eth0"

conn %default
	left=192.168.20.2
	leftid=192.168.88.222
	leftsourceip=192.168.22.1
	leftsubnet=192.168.22.0/24
	leftnexthop=192.168.20.1

conn vpn1
	type=tunnel
	authby=psk
	right=192.168.88.221
	rightsubnet=192.168.21.0/24
	keyexchange=ikev1
	auto=start

Symptoms:
When the tunnel comes up, ipsec status looks like this:
VPN1:~ # ipsec status
000 "vpn2": 192.168.21.0/24===192.168.88.221:4500...192.168.88.222:4500===192.168.22.0/24;
erouted; eroute owner: #40
000 "vpn2":   newest ISAKMP SA: #37; newest IPsec SA: #40;
000
000 #39: "vpn2" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3315s
000 #39: "vpn2" esp.70cc09c1 at 192.168.88.222 (84 bytes)
esp.c065c2ef at 192.168.88.221 (84 bytes); tunnel
000 #38: "vpn2" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 10515s
000 #40: "vpn2" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 2953s; newest IPSEC; eroute owner
000 #40: "vpn2" esp.86f90f22 at 192.168.88.222 (0 bytes)
esp.ec6afedf at 192.168.88.221 (0 bytes); tunnel
000 #37: "vpn2" STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 9766s; newest ISAKMP
000
Security Associations:
  None
VPN2:~ # ipsec status
000 "vpn1": 192.168.22.0/24===192.168.20.2:4500[192.168.88.222]---192.168.88.20.1...192.168.88.221:4500===192.168.21.0/24;
erouted; eroute owner: #40
000 "vpn1":   newest ISAKMP SA: #39; newest IPsec SA: #40;
000
000 #40: "vpn1" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 2725s; newest IPSEC; eroute owner
000 #40: "vpn1" esp.c065c2ef at 192.168.88.221 (84 bytes)
esp.70cc09c1 at 192.168.88.222 (84 bytes); tunnel
000 #39: "vpn1" STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 9802s; newest ISAKMP
000
Security Associations:
  None

After ipsec reload on VPN1:
VPN1:~ # ipsec status
000 "vpn2": 192.168.21.0/24===192.168.88.221...192.168.88.222===192.168.22.0/24;
unrouted; eroute owner: #0
000 "vpn2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #41: "vpn2" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 9s
000 #41: pending Phase 2 for "vpn2" replacing #0
000
Security Associations:
  None
VPN2:~ # ipsec status
000 "vpn1": 192.168.22.0/24===192.168.20.2:4500[192.168.88.222]---192.168.20.1...192.168.88.221:4500===192.168.21.0/24;
prospective erouted; erouted owner: #0
000 "vpn1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #43: "vpn1" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 16s
000 #43: pending Phase 2 for "vpn1" replacing #0
000
Security Associations:
  None

Can anyone suggest anything or spot any mistakes in my configuration?
This is set up as a test environment so I can change anything that is
suggested without hesitation.

Regards,
Bob McChesney
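Added example, not part of Bob's post or of strongSwan itself: a small Python parser over the pluto `ipsec status` output quoted in the post, plus a check that encodes the hypothesis the post states (one side still addressing its peer on UDP/4500 after NAT-T floated the ports, the reloaded side back on UDP/500, both stuck as Main Mode initiators with no ISAKMP SA). The sample status text is the post's own output with the mail-wrapped lines re-joined; the function and field names (`parse_status`, `diagnose`, `ConnStatus`) are my own, and the rule that a missing port means UDP/500 is an assumption about how pluto prints the summary line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sample input, constructed from the `ipsec status` output quoted in the post.
# pluto prints each connection summary on one line; the mail client wrapped
# them, so they are re-joined here.
VPN1_BEFORE_RELOAD = """\
000 "vpn2": 192.168.21.0/24===192.168.88.221:4500...192.168.88.222:4500===192.168.22.0/24; erouted; eroute owner: #40
000 "vpn2":   newest ISAKMP SA: #37; newest IPsec SA: #40;
000
000 #40: "vpn2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2953s; newest IPSEC; eroute owner
000 #37: "vpn2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 9766s; newest ISAKMP
"""
VPN1_AFTER_RELOAD = """\
000 "vpn2": 192.168.21.0/24===192.168.88.221...192.168.88.222===192.168.22.0/24; unrouted; eroute owner: #0
000 "vpn2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #41: "vpn2" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 9s
000 #41: pending Phase 2 for "vpn2" replacing #0
"""
VPN2_AFTER_RELOAD = """\
000 "vpn1": 192.168.22.0/24===192.168.20.2:4500[192.168.88.222]---192.168.20.1...192.168.88.221:4500===192.168.21.0/24; prospective erouted; erouted owner: #0
000 "vpn1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #43: "vpn1" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 16s
000 #43: pending Phase 2 for "vpn1" replacing #0
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Connection summary: subnet===host[:port][[id]][---nexthop]...host[:port]===subnet;
CONN_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": (?P<lsub>[\d./]+)==='
    rf"(?P<lhost>{IP})(?::(?P<lport>\d+))?(?:\[(?P<lid>[^\]]+)\])?"
    rf"(?:---(?P<nexthop>{IP}))?\.\.\."
    rf"(?P<rhost>{IP})(?::(?P<rport>\d+))?===(?P<rsub>[\d./]+);"
)
NEWEST_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s+newest ISAKMP SA: #(?P<isakmp>\d+);')
STATE_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+)')


@dataclass
class ConnStatus:
    conn: str
    local: str
    local_port: int
    remote: str
    remote_port: int
    newest_isakmp: int = 0
    states: List[str] = field(default_factory=list)

    @property
    def floated_to_nat_t(self) -> bool:
        # Once NAT-T has floated the exchange, pluto shows :4500 on both ends.
        return self.local_port == 4500 and self.remote_port == 4500

    @property
    def phase1_stuck(self) -> bool:
        # No ISAKMP SA and still waiting for MR1 as initiator.
        return self.newest_isakmp == 0 and "STATE_MAIN_I1" in self.states


def parse_status(text: str) -> Dict[str, ConnStatus]:
    """Parse pluto `ipsec status` output into one ConnStatus per connection."""
    conns: Dict[str, ConnStatus] = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            # Assumption: no port printed means the default IKE port, UDP/500.
            conns[m["conn"]] = ConnStatus(
                conn=m["conn"],
                local=m["lhost"], local_port=int(m["lport"] or 500),
                remote=m["rhost"], remote_port=int(m["rport"] or 500),
            )
            continue
        m = NEWEST_RE.match(line)
        if m and m["conn"] in conns:
            conns[m["conn"]].newest_isakmp = int(m["isakmp"])
            continue
        m = STATE_RE.match(line)
        if m and m["conn"] in conns:
            conns[m["conn"]].states.append(m["state"])
    return conns


def diagnose(side_a: ConnStatus, side_b: ConnStatus) -> List[str]:
    """Compare the two peers' views of the same tunnel and report mismatches."""
    findings: List[str] = []
    if side_a.floated_to_nat_t != side_b.floated_to_nat_t:
        floated, cold = (side_a, side_b) if side_a.floated_to_nat_t else (side_b, side_a)
        findings.append(f"{floated.conn}: still addresses peer on UDP/4500 (NAT-T floated); "
                        f"{cold.conn}: reloaded side is back on UDP/500")
    for s in (side_a, side_b):
        if s.phase1_stuck:
            findings.append(f"{s.conn}: no ISAKMP SA, Main Mode initiator stuck at MI1 (retransmitting)")
    return findings


if __name__ == "__main__":
    vpn1 = parse_status(VPN1_AFTER_RELOAD)["vpn2"]
    vpn2 = parse_status(VPN2_AFTER_RELOAD)["vpn1"]
    for finding in diagnose(vpn1, vpn2):
        print(finding)
```

Run on the two post-reload listings it reports the port mismatch and that both peers are stuck at MI1; on the pre-reload VPN1 listing `floated_to_nat_t` is true and `phase1_stuck` is false, which is the healthy state. The check only describes what the listings show; whether the mismatch is the cause of the outage is exactly the question the post is asking.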

