[strongSwan] IPAD via NATed firewall doesn't work

Martin Kellermann kellermann at sk-datentechnik.com
Mon Apr 4 12:23:12 CEST 2011


Hello Andreas,

Yes, you are right, but this still doesn't solve the problem. I am still
stuck...

Reading some current posts on Apple's discussion forum
(for example: http://discussions.apple.com/thread.jspa?threadID=2778039),
maybe this is a general problem with iOS > 4.3?

So I'm very interested whether anyone has managed to get the iPad 2 (iOS 4.3.1)
to connect to strongSwan with one or both sides being NATed.

Or maybe someone has managed to connect to Openswan/FreeS/WAN?
(The server is on Debian 6.)

Any help is really appreciated!

Thank you

Martin

On 30.03.2011 12:37, Andreas Steffen wrote:
> Hello Martin,
>
> because the responder is NAT-ed you don't have to set
> rightsubnetwithin but
>
>    leftsubnetwithin=0.0.0.0/0
>
> Regards
>
> Andreas
>
> On 30.03.2011 09:57, Martin Kellermann wrote:
>> Hi,
>>
>> Is there still no solution for this?
>>
>> I ran into the same situation as Uli, getting the
>> "cannot respond to IPsec SA request because no connection is known"
>> error.
>>
>> I want the following setup:
>>
>> iPad<-- NOT NATed -->  internet<-- DSL router -->  strongSwan (NATed)
>>
>> So just the strongSwan server's side is NATed.
>>
>> I recompiled strongSwan (on Debian) with the NAT-T patch enabled, and auth.log
>> says: "including NAT-Traversal patch (Version 0.6c)"
>>
>> ipsec.conf:
>> config setup
>>      nat_traversal=yes
>>      charonstart=yes
>>      plutostart=yes
>> conn ipads
>>      authby=psk
>>      pfs=no
>>      rekey=no
>>      type=tunnel
>>      forceencaps=yes
>>      esp=aes128-sha1
>>      ike=aes128-sha-modp1024
>>      left=%defaultroute
>>      leftprotoport=17/1701
>>      right=%any
>>      rightprotoport=17/%any
>>      rightsubnetwithin=0.0.0.0/0
>>      auto=add
>>
>> ipsec.secrets:
>> 192.168.0.251 %any : PSK "xxxxxxxxxx"
>>
>> auth.log:
>> Mar 29 16:39:45 vpn pluto[28437]:   loaded PSK secret for 192.168.0.251 %any
>> Mar 29 16:39:45 vpn ipsec_starter[28436]: charon (28444) started after 40 ms
>> Mar 29 16:39:45 vpn pluto[28437]: added connection description "ipads"
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> received Vendor ID payload [RFC 3947]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>> received Vendor ID payload [Dead Peer Detection]
>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1:
>> responding to Main Mode from unknown peer 2.206.202.168
>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1:
>> NAT-Traversal: Result using RFC 3947: i am NATed
>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: ignoring
>> informational payload, type IPSEC_INITIAL_CONTACT
>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: Peer ID
>> is ID_IPV4_ADDR: '2.206.202.168'
>> Mar 29 16:39:51 vpn pluto[28437]: | NAT-T: new mapping
>> 2.206.202.168:500/4500)
>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sent
>> MR3, ISAKMP SA established
>> Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> cannot respond to IPsec SA request because no connection is known for
>> 188.101.67.77/32===192.168.0.251:4500[192.168.0.251]:17/1701...2.206.202.168:4500[2.206.202.168]:17/%any
>> Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> sending encrypted notification INVALID_ID_INFORMATION to 2.206.202.168:4500
>> Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:01 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:01 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:04 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:04 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:07 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:07 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:10 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:10 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:13 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:13 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:16 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:16 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> Quick Mode I1 message is unacceptable because it uses a previously used
>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>> received Delete SA payload: deleting ISAKMP State #1
>> Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500:
>> deleting connection "ipads" instance with peer 2.206.202.168
>> {isakmp=#0/ipsec=#0}
>> Mar 29 16:40:23 vpn pluto[28437]: ERROR: asynchronous network error
>> report on eth0 for message to 2.206.202.168 port 4500, complainant
>> 2.206.202.168: Connection refused [errno 111, origin ICMP type 3 code 3
>> (not authenticated)]
>>
>> Any ideas?
>>
>> Regards
>>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
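
The rejected proposal quoted in the log above already shows where the selectors disagree: pluto names 188.101.67.77/32 as the server-side client selector, while the address it considers its own is 192.168.0.251. The script below is an added example for this thread, not code from strongSwan or from anyone posting here. It parses the quoted pluto lines (re-joined where the mail client wrapped them) into the fields of the proposed SA, counts the repeated Quick Mode retries with the same Message ID, and flags that server-side mismatch. The layout of pluto's SA description (`[lclient===]lhost:port[id]:proto/port...rhost:port[id]:proto/port[===rclient]`) is taken from the line shown here and assumed to generalise; the function names `analyze`, `parse_spec` and `selector_mismatch` are mine, and so is the reading that the differing selector is the address the iPad sees through the responder's NAT.

```python
"""Pick apart strongSwan/pluto (IKEv1) auth.log lines around a NAT-T setup.

Added example for this thread, not strongSwan's or the poster's code.
"""
import re
from collections import Counter

# Log lines copied from the thread and re-joined where the mail wrapped them.
# 192.168.0.251 is the strongSwan host behind a NAT, 2.206.202.168 the peer.
SAMPLE_LOG = """\
Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: NAT-Traversal: Result using RFC 3947: i am NATed
Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sent MR3, ISAKMP SA established
Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: cannot respond to IPsec SA request because no connection is known for 188.101.67.77/32===192.168.0.251:4500[192.168.0.251]:17/1701...2.206.202.168:4500[2.206.202.168]:17/%any
Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 2.206.202.168:4500
Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
"""

NAT_RE = re.compile(r"NAT-Traversal: Result using RFC 3947: (?P<result>.+?)\s*$")
SA_RE = re.compile(r"ISAKMP SA established")
NO_CONN_RE = re.compile(r"no connection is known for (?P<spec>\S+)")
DUP_QM_RE = re.compile(
    r"Quick Mode I1 message is unacceptable because it uses a previously used "
    r"Message ID (?P<msgid>0x[0-9a-fA-F]+)")

# Assumed layout of pluto's SA description, generalised from the quoted line:
#   [lclient===]lhost:port[lid]:proto/port...rhost:port[rid]:proto/port[===rclient]
# A missing client selector stands for the host address itself.
SPEC_RE = re.compile(
    r"^(?:(?P<lclient>[0-9.]+/\d+)===)?"
    r"(?P<lhost>[0-9.]+):(?P<lport>\d+)\[(?P<lid>[^\]]*)\]:(?P<lpp>[^.]+)"
    r"\.\.\."
    r"(?P<rhost>[0-9.]+):(?P<rport>\d+)\[(?P<rid>[^\]]*)\]:(?P<rpp>[^=]+)"
    r"(?:===(?P<rclient>[0-9.]+/\d+))?$")


def parse_spec(spec):
    """Split one SA description into its left/right host, ID, protoport and client fields."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError("unrecognised SA description: %s" % spec)
    d = m.groupdict()
    d["lclient"] = d["lclient"] or d["lhost"] + "/32"
    d["rclient"] = d["rclient"] or d["rhost"] + "/32"
    return d


def analyze(log_text):
    """Collect NAT-T result, Phase 1 outcome, the rejected proposal and QM retries."""
    report = {"nat_result": None, "isakmp_established": False,
              "rejected_sa": None, "duplicate_qm": Counter()}
    for line in log_text.splitlines():
        m = NAT_RE.search(line)
        if m:
            report["nat_result"] = m.group("result")
            continue
        if SA_RE.search(line):
            report["isakmp_established"] = True
            continue
        m = NO_CONN_RE.search(line)
        if m:
            report["rejected_sa"] = parse_spec(m.group("spec"))
            continue
        m = DUP_QM_RE.search(line)
        if m:
            report["duplicate_qm"][m.group("msgid")] += 1
    return report


def selector_mismatch(report):
    """True when the peer proposed a server-side selector that is not the
    address pluto holds for itself: here the public address in front of the
    responder's NAT versus its private 192.168.0.251 (my interpretation)."""
    sa = report["rejected_sa"]
    if sa is None:
        return False
    return sa["lclient"].split("/")[0] != sa["lhost"]


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print("NAT-T result:        ", r["nat_result"])
    print("ISAKMP SA established:", r["isakmp_established"])
    if r["rejected_sa"]:
        sa = r["rejected_sa"]
        print("peer proposed %s for server side, pluto's own address is %s"
              % (sa["lclient"], sa["lhost"]))
    print("selector mismatch:   ", selector_mismatch(r))
    print("QM retries per Message ID:", dict(r["duplicate_qm"]))
```

Run it against a real auth.log (joining wrapped lines first) to see at a glance whether Phase 1 succeeds and which selector pair Phase 2 stumbles over; the left client field is what a `leftsubnetwithin` setting has to cover.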