[strongSwan] Help with StrongSwan 4.3.4 and NAT-T

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 24 12:03:21 CET 2010


Hello Bob,

why don't you just switch to IKEv2 (keyexchange=ikev2) which
is a much more stable and robust protocol? You won't need
the directives

   nat_traversal=yes
   leftsourceip=192.168.21.1
   leftnexthop=192.168.88.222

since the IKEv2 charon daemon does all this automatically.

Don't use the deprecated directive

    interfaces="ipsec0=eth0"

and disable pluto

    plutostart = no


Regards

Andreas

On 24.03.2010 11:47, Bob McChesney wrote:
> Hello,
>
> First, I'm no expert at StrongSwan and IPsec, so this is probably a
> configuration error on my part, so on that understanding I would
> appreciate any help or advice you can offer on this problem...
>
> Two OpenSUSE (11.2 x86_64) servers forming a tunnel, one behind NAT.
> Tunnel established OK, but if one of the servers is restarted or
> reloaded then the tunnel goes down. The tunnel won't come back up until the
> other server is restarted or reloaded. It looks to me like both
> endpoints elevate the status to NAT-T and thereafter expect all
> communication to come over port 4500. If one is restarted, only one
> knows to use 4500, and thereafter both refuse to take each other's
> messages.
>
> Overview: (All subnets are /24, and the 192.168.88.0/24 is my
> imaginary public internet.)
>
> eth1 - 192.168.21.1
> -----------
> |  VPN1   |
> -----------
> eth0 - 192.168.88.221
>      |
>      |
> eth0 - 192.168.88.222
> -----------
> |  NAT    |(Port forwarding UDP500 and UDP4500 to 192.168.20.2)
> -----------
> eth1 - 192.168.20.1
>      |
>      |
> eth0 - 192.168.20.2
> -----------
> |  VPN2   |
> -----------
> eth1 - 192.168.22.1
>
> Configuration:
>
> ipsec.secrets (same on both machines):
> 192.168.88.221 192.168.88.222: PSK "test"
>
> ipsec.conf (VPN1):
> config setup
> 	nat_traversal=yes
> 	charonstart=yes
> 	plutostart=yes
> 	interfaces="ipsec0=eth0"
>
> conn %default
> 	left=192.168.88.221
> 	leftsourceip=192.168.21.1
> 	leftsubnet=192.168.21.0/24
> 	leftnexthop=192.168.88.222
>
> conn vpn2
> 	type=tunnel
> 	authby=psk
> 	right=192.168.88.222
> 	rightsubnet=192.168.22.0/24
> 	keyexchange=ikev1
> 	auto=start
>
> ipsec.conf (VPN2):
> config setup
> 	nat_traversal=yes
> 	charonstart=yes
> 	plutostart=yes
> 	interfaces="ipsec0=eth0"
>
> conn %default
> 	left=192.168.20.2
> 	leftid=192.168.88.222
> 	leftsourceip=192.168.22.1
> 	leftsubnet=192.168.22.0/24
> 	leftnexthop=192.168.20.1
>
> conn vpn1
> 	type=tunnel
> 	authby=psk
> 	right=192.168.88.221
> 	rightsubnet=192.168.21.0/24
> 	keyexchange=ikev1
> 	auto=start
>
> Symptoms:
> When the tunnel comes up, ipsec status looks like this:
> VPN1:~ # ipsec status
> 000 "vpn2": 192.168.21.0/24===192.168.88.221:4500...192.168.88.222:4500===192.168.22.0/24;
> erouted; eroute owner: #40
> 000 "vpn2":   newest ISAKMP SA: #37; newest IPsec SA: #40;
> 000
> 000 #39: "vpn2" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3315s
> 000 #39: "vpn2" esp.70cc09c1 at 192.168.88.222 (84 bytes)
> esp.c065c2ef at 192.168.88.221 (84 bytes); tunnel
> 000 #38: "vpn2" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
> EVENT_SA_REPLACE in 10515s
> 000 #40: "vpn2" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 2953s; newest IPSEC; eroute owner
> 000 #40: "vpn2" esp.86f90f22 at 192.168.88.222 (0 bytes)
> esp.ec6afedf at 192.168.88.221 (0 bytes); tunnel
> 000 #37: "vpn2" STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 9766s; newest ISAKMP
> 000
> Security Associations:
>    None
> VPN2:~ # ipsec status
> 000 "vpn1": 192.168.22.0/24===192.168.20.2:4500[192.168.88.222]---192.168.88.20.1...192.168.88.221:4500===192.168.21.0/24;
> erouted; eroute owner: #40
> 000 "vpn1":   newest ISAKMP SA: #39; newest IPsec SA: #40;
> 000
> 000 #40: "vpn1" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 2725s; newest IPSEC; eroute owner
> 000 #40: "vpn1" esp.c065c2ef at 192.168.88.221 (84 bytes)
> esp.70cc09c1 at 192.168.88.222 (84 bytes); tunnel
> 000 #39: "vpn1" STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 9802s; newest ISAKMP
> 000
> Security Associations:
>    None
>
> After ipsec reload on VPN1:
> VPN1:~ # ipsec status
> 000 "vpn2": 192.168.21.0/24===192.168.88.221...192.168.88.222===192.168.22.0/24;
> unrouted; eroute owner: #0
> 000 "vpn2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #41: "vpn2" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 9s
> 000 #41: pending Phase 2 for "vpn2" replacing #0
> 000
> Security Associations:
>    None
> VPN2:~ # ipsec status
> 000 "vpn1": 192.168.22.0/24===192.168.20.2:4500[192.168.88.222]---192.168.20.1...192.168.88.221:4500===192.168.21.0/24;
> prospective erouted; erouted owner: #0
> 000 "vpn1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #43: "vpn1" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 16s
> 000 #43: pending Phase 2 for "vpn1" replacing #0
> 000
> Security Associations:
>    None
>
> Can anyone suggest anything or spot any mistakes in my configuration?
> This is set up as a test environment so I can change anything that is
> suggested without hesitation.
>
> Regards,
> Bob McChesney

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
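Andreas's reply applied to Bob's two ipsec.conf files, as an added example that is not part of the original thread: IKEv2 only, pluto disabled, and the nat_traversal, interfaces, leftsourceip and leftnexthop lines dropped. The dpdaction line is an added assumption (not something Andreas suggested) so that a peer which has been restarted is noticed and the tunnel re-initiated; ipsec.secrets stays exactly as quoted above, since both sides still identify by those addresses.

```conf
# ipsec.conf (VPN1, public side)
# Added example, not from the original thread.
config setup
	charonstart=yes
	# pluto (IKEv1) is no longer needed
	plutostart=no
	# nat_traversal= and interfaces= removed: charon detects NAT
	# per IKE_SA and moves to UDP 4500 itself, so a restarted peer
	# simply renegotiates from UDP 500 instead of being refused.

conn %default
	keyexchange=ikev2
	authby=psk
	type=tunnel
	auto=start
	# assumption: re-initiate when the peer stops answering DPD
	dpdaction=restart

conn vpn2
	left=192.168.88.221
	leftsubnet=192.168.21.0/24
	# rightid defaults to right, matching VPN2's leftid below
	right=192.168.88.222
	rightsubnet=192.168.22.0/24

# ipsec.conf (VPN2, behind the NAT)
config setup
	charonstart=yes
	plutostart=no

conn %default
	keyexchange=ikev2
	authby=psk
	type=tunnel
	auto=start
	dpdaction=restart

conn vpn1
	left=192.168.20.2
	# public address the NAT forwards UDP 500/4500 to; used as our
	# IKE identity and for the PSK lookup in ipsec.secrets
	leftid=192.168.88.222
	leftsubnet=192.168.22.0/24
	right=192.168.88.221
	rightsubnet=192.168.21.0/24
```

After `ipsec restart` on either box, `ipsec statusall` on VPN1 should show the vpn2 IKE_SA and CHILD_SA re-established without touching the other side.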



