[strongSwan] net-to-net with one gateway behind NAT

Alexis Salinas alexis.salinas at inmotiontechnology.com
Wed Nov 10 21:38:17 CET 2010


Hi all,
I tested this configuration successfully many times without the NAT. This time I connected one of the GWs behind a NAT/firewall device and, although the tunnel comes up, I get an error message regarding routes (you can see it almost at the bottom of the log). Have you seen this before? Thanks in advance for your help.
Cheers,
Alexis

My setup:
172.22.0.0/28--GW1--Internet--(24.207.4.81)NAT_DEVICE--(192.168.21.100)GW2--10.0.0.0/24--OTHER_ROUTERS

My configuration (full tunnel)
GW1(Linux strongSwan U4.3.5/K2.6.30-310):
config setup
        cachecrls=no
        charonstart=yes
        crlcheckinterval=0
        plutostart=yes
        strictcrlpolicy=no
        nat_traversal=yes
        plutodebug=none
        charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, enc 0, lib 0"

conn net-to-net
        left=%defaultroute
        leftid=@GW1
        leftsubnet=172.22.0.0/28
        leftfirewall=yes
        right=24.207.4.81
        rightid=@GW2
        rightsubnet=0.0.0.0/0
        keyexchange=ikev2
        mobike=yes
        ikelifetime=60m
        keylife=20m
        compress=no
        authby=secret
        dpdaction=restart
        dpddelay=10
        dpdtimeout=30
        auto=add
        keyingtries=1
        rekeymargin=3m
        forceencaps=no 


GW2 (Linux strongSwan U4.3.2/K2.6.31-1)
config setup
        charonstart=yes
        nat_traversal=yes
        charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 2, net 0, enc 0, lib 0"

conn net2net
        left=192.168.21.100
        leftid=@GW2
        right=%any
        rightid=@GW1
        rekey=no
        leftsubnet=0.0.0.0/0
        rightsubnet=172.22.0.0/28
        ike=aes128-md5-modp1536!
        ikelifetime=3600s
        keyexchange=ikev2
        mobike=yes
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=clear
        esp=aes128-md5!
        keylife=1200s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=secret
        auto=add

GW2 logs (I removed some parts for brevity, let me know if you need the whole thing)
Nov  9 10:56:46 GW2 charon: 09[IKE] 174.90.242.85 is initiating an IKE_SA
Nov  9 10:56:46 GW2 charon: 09[IKE] 174.90.242.85 is initiating an IKE_SA
Nov  9 10:56:46 GW2 charon: 09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Nov  9 10:56:46 GW2 charon: 09[IKE] local host is behind NAT, sending keep alives
Nov  9 10:56:46 GW2 charon: 08[IKE] authentication of 'GW1' with pre-shared key successful
Nov  9 10:56:46 GW2 charon: 08[IKE] peer supports MOBIKE
Nov  9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.0.1
Nov  9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.1.1
Nov  9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.2.1
Nov  9 10:56:46 GW2 charon: 08[IKE] authentication of 'GW2' (myself) with pre-shared key
Nov  9 10:56:46 GW2 charon: 08[IKE] successfully created shared key MAC
Nov  9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] state change: CONNECTING => ESTABLISHED
Nov  9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 192.168.21.100[GW2]...174.90.242.85[GW1]
Nov  9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 192.168.21.100[GW2]...174.90.242.85[GW1]
Nov  9 10:56:46 GW2 charon: 08[KNL] getting SPI for reqid {1}
Nov  9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_ALLOCSPI: => 244 bytes @ 0xb38adc68
Nov  9 10:56:46 GW2 charon: 08[KNL]    0: F4 00 00 00 16 00 01 00 C9 00 00 00 14 42 00 00  .............B..

Nov  9 10:56:46 GW2 charon: 08[KNL]  240: FF FF FF CF                                      ....
Nov  9 10:56:46 GW2 charon: 08[KNL] got SPI ccbe182c for reqid {1}
Nov  9 10:56:46 GW2 charon: 08[KNL] adding SAD entry with SPI ccbe182c and reqid {1}
Nov  9 10:56:46 GW2 charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128
Nov  9 10:56:46 GW2 charon: 08[KNL]   using integrity algorithm HMAC_MD5_96 with key size 128
Nov  9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_UPDSA: => 440 bytes @ 0xb38adbc4
Nov  9 10:56:46 GW2 charon: 08[KNL]    0: B8 01 00 00 1A 00 05 00 CA 00 00 00 14 42 00 00  .............B..

Nov  9 10:56:46 GW2 charon: 08[KNL]  432: 00 00 00 00 00 00 00 00                          ........
Nov  9 10:56:46 GW2 charon: 08[KNL] adding SAD entry with SPI c94ea202 and reqid {1}
Nov  9 10:56:46 GW2 charon: 08[KNL]   using encryption algorithm AES_CBC with key size 128
Nov  9 10:56:46 GW2 charon: 08[KNL]   using integrity algorithm HMAC_MD5_96 with key size 128
Nov  9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_NEWSA: => 440 bytes @ 0xb38adbc4
Nov  9 10:56:46 GW2 charon: 08[KNL]    0: B8 01 00 00 10 00 05 00 CB 00 00 00 14 42 00 00  .............B..

Nov  9 10:56:46 GW2 charon: 08[KNL]  432: 00 00 00 00 00 00 00 00                          ........
Nov  9 10:56:46 GW2 charon: 08[KNL] adding policy 0.0.0.0/0 === 172.22.0.0/28 out
Nov  9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_NEWPOLICY: => 248 bytes @ 0xb38adc3c
Nov  9 10:56:46 GW2 charon: 08[KNL]    0: F8 00 00 00 13 00 05 00 CC 00 00 00 14 42 00 00  .............B..

Nov  9 10:56:46 GW2 charon: 08[KNL]  240: FF FF FF FF FF FF FF FF                          ........
Nov  9 10:56:46 GW2 charon: 08[KNL] adding policy 172.22.0.0/28 === 0.0.0.0/0 in
Nov  9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_NEWPOLICY: => 248 bytes @ 0xb38adc3c
Nov  9 10:56:46 GW2 charon: 08[KNL]    0: F8 00 00 00 13 00 05 00 CD 00 00 00 14 42 00 00  .............B..

Nov  9 10:56:46 GW2 charon: 08[KNL]  240: FF FF FF FF FF FF FF FF                          ........
Nov  9 10:56:46 GW2 charon: 08[KNL] adding policy 172.22.0.0/28 === 0.0.0.0/0 fwd
Nov  9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_NEWPOLICY: => 248 bytes @ 0xb38adc3c
Nov  9 10:56:46 GW2 charon: 08[KNL]    0: F8 00 00 00 13 00 05 00 CE 00 00 00 14 42 00 00  .............B..

Nov  9 10:56:46 GW2 charon: 08[KNL]  240: FF FF FF FF FF FF FF FF                          ........
Nov  9 10:56:46 GW2 charon: 08[KNL] getting a local address in traffic selector 0.0.0.0/0
Nov  9 10:56:46 GW2 charon: 08[KNL] using host %any
Nov  9 10:56:46 GW2 charon: 08[KNL] getting address to reach 174.90.242.85
Nov  9 10:56:46 GW2 charon: 08[KNL] getting interface name for 192.168.21.100
Nov  9 10:56:46 GW2 charon: 08[KNL] 192.168.21.100 is on interface eth0
Nov  9 10:56:46 GW2 charon: 08[KNL] getting iface index for eth0
Nov  9 10:56:46 GW2 charon: 08[KNL] received netlink error: No such process (3)
Nov  9 10:56:46 GW2 charon: 08[KNL] unable to install source route for %any
Nov  9 10:56:46 GW2 charon: 08[IKE] CHILD_SA net2net{1} established with SPIs ccbe182c_i c94ea202_o and TS 0.0.0.0/0 === 172.22.0.0/28
Nov  9 10:56:46 GW2 charon: 08[IKE] CHILD_SA net2net{1} established with SPIs ccbe182c_i c94ea202_o and TS 0.0.0.0/0 === 172.22.0.0/28
Nov  9 10:57:06 GW2 charon: 10[KNL] querying policy 0.0.0.0/0 === 172.22.0.0/28 out
Nov  9 10:57:06 GW2 charon: 10[KNL] sending XFRM_MSG_GETPOLICY: => 80 bytes @ 0xb28ade2c
Nov  9 10:57:06 GW2 charon: 10[KNL]    0: 50 00 00 00 15 00 01 00 CF 00 00 00 14 42 00 00  P............B..
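As an added example (not from the original post or the strongSwan project), a small Python triage script that reduces a charon log like the one above to the facts that matter here: the NAT detection, the IKE_SA endpoints, the CHILD_SA SPIs and traffic selectors, and the source-route failure. The sample lines are constructed from the GW2 log above; the findings show that the CHILD_SA was installed after the netlink error, and that the "%any" in the route error is the host charon fell back to after "getting a local address in traffic selector 0.0.0.0/0".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: charon lines in the shape of the GW2 log above (not the full log).
SAMPLE_LOG = """\
Nov  9 10:56:46 GW2 charon: 09[IKE] local host is behind NAT, sending keep alives
Nov  9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 192.168.21.100[GW2]...174.90.242.85[GW1]
Nov  9 10:56:46 GW2 charon: 08[KNL] using host %any
Nov  9 10:56:46 GW2 charon: 08[KNL] unable to install source route for %any
Nov  9 10:56:46 GW2 charon: 08[IKE] CHILD_SA net2net{1} established with SPIs ccbe182c_i c94ea202_o and TS 0.0.0.0/0 === 172.22.0.0/28
"""

RE_IKE = re.compile(r"IKE_SA \S+ established between ([^\s\[]+)\[[^\]]+\]\.\.\.([^\s\[]+)\[")
RE_CHILD = re.compile(r"CHILD_SA \S+ established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (\S+) === (\S+)")
RE_ROUTE = re.compile(r"unable to install source route for (\S+)")

@dataclass
class TunnelState:
    behind_nat: bool = False
    local: str = ""            # IKE_SA local endpoint (private address when behind NAT)
    peer: str = ""             # IKE_SA remote endpoint
    spi_in: str = ""
    spi_out: str = ""
    ts_local: str = ""         # local traffic selector of the CHILD_SA
    ts_remote: str = ""
    route_failures: list = field(default_factory=list)   # hosts named in route errors

def parse_charon_log(text):
    st = TunnelState()
    for line in text.splitlines():
        if "local host is behind NAT" in line:
            st.behind_nat = True
        elif m := RE_IKE.search(line):
            st.local, st.peer = m.groups()
        elif m := RE_CHILD.search(line):
            st.spi_in, st.spi_out, st.ts_local, st.ts_remote = m.groups()
        elif m := RE_ROUTE.search(line):
            st.route_failures.append(m.group(1))
    return st

def diagnose(st):
    findings = []
    if st.spi_in and st.spi_out:   # the CHILD_SA line is the proof the tunnel came up
        findings.append(f"CHILD_SA up: {st.ts_local} === {st.ts_remote} (SPIs {st.spi_in}_i/{st.spi_out}_o)")
    if st.ts_local == "0.0.0.0/0" and "%any" in st.route_failures:
        findings.append("source route not installed: local TS 0.0.0.0/0 gave no concrete address, charon used host %any")
    if st.behind_nat:
        findings.append(f"local host behind NAT: IKE_SA {st.local} -> {st.peer}, keep alives active")
    return findings
```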