[strongSwan] Fw: IKEv2 NAT issue
Dennis Frett
frett at us.ibm.com
Tue Apr 5 20:32:26 CEST 2011
Sorry for not first trying the latest version of strongswan before posting
this. After loading 4.5.1 the issue appears to be solved.
Sending delete after IKE_AUTH reply worked, as well as pings from
strongswan.
Apr 4 23:41:04 blackthumb charon: 11[NET] received packet: from 10.10.110.204[500] to 9.5.149.53[500]
Apr 4 23:41:04 blackthumb charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 4 23:41:04 blackthumb charon: 11[IKE] 10.10.110.204 is initiating an IKE_SA
Apr 4 23:41:04 blackthumb charon: 11[IKE] local host is behind NAT, sending keep alives
Apr 4 23:41:04 blackthumb charon: 11[IKE] sending cert request for "C=US, O=IBM, CN=BlackthumbCA"
Apr 4 23:41:04 blackthumb charon: 11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 4 23:41:04 blackthumb charon: 11[NET] sending packet: from 9.5.149.53[500] to 10.10.110.204[500]
Apr 4 23:41:06 blackthumb charon: 02[NET] received packet: from 10.10.110.204[4500] to 9.5.149.53[4500]
Apr 4 23:41:06 blackthumb charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Apr 4 23:41:06 blackthumb charon: 02[CFG] looking for peer configs matching 9.5.149.53[%any]...10.10.110.204[10.10.110.204]
Apr 4 23:41:06 blackthumb charon: 02[CFG] selected peer config 'strongswan-remotehost'
Apr 4 23:41:06 blackthumb charon: 02[IKE] authentication of '10.10.110.204' with pre-shared key successful
Apr 4 23:41:06 blackthumb charon: 02[IKE] authentication of '9.5.149.53' (myself) with pre-shared key
Apr 4 23:41:06 blackthumb charon: 02[IKE] IKE_SA strongswan-remotehost[1] established between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
Apr 4 23:41:06 blackthumb charon: 02[IKE] scheduling reauthentication in 9861s
Apr 4 23:41:06 blackthumb charon: 02[IKE] maximum IKE_SA lifetime 10401s
Apr 4 23:41:06 blackthumb charon: 02[IKE] CHILD_SA strongswan-remotehost{1} established with SPIs cb493f1f_i 0b1c2781_o and TS 9.5.149.53/32 === 10.10.110.204/32
Apr 4 23:41:06 blackthumb charon: 02[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Apr 4 23:41:06 blackthumb charon: 02[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]
Apr 4 23:41:19 blackthumb charon: 10[CFG] received stroke: terminate 'strongswan-remotehost'
Apr 4 23:41:19 blackthumb charon: 14[IKE] deleting IKE_SA strongswan-remotehost[1] between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
Apr 4 23:41:19 blackthumb charon: 14[IKE] sending DELETE for IKE_SA strongswan-remotehost[1]
Apr 4 23:41:19 blackthumb charon: 14[ENC] generating INFORMATIONAL request 0 [ D ]
Apr 4 23:41:19 blackthumb charon: 14[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]
Apr 4 23:41:20 blackthumb charon: 15[NET] received packet: from 10.10.110.204[4500] to 9.5.149.53[4500]
Apr 4 23:41:20 blackthumb charon: 15[ENC] parsed INFORMATIONAL response 0 [ ]
Apr 4 23:41:20 blackthumb charon: 15[IKE] IKE_SA deleted
Dennis Frett
IBM i VPN Development
Dept MR6; Rochester, MN
phone: t/l 623-8596; external: 612-397-2773
email: frett at us.ibm.com
----- Forwarded by Dennis Frett/Rochester/IBM on 04/05/2011 01:27 PM -----
From: Dennis Frett/Rochester/IBM
To: users at lists.strongswan.org
Date: 04/04/2011 03:48 PM
Subject: IKEv2 NAT issue
I'm running an IKEv2 NAT-T test with Strongswan 4.5.0 behind a NAT.
Linux ------- NAT| -------- initiator
The IKE_SA_INIT and IKE_AUTH are sent and received from the linux just
fine.
Strongswan detects the NAT in front of itself and also returns the
IKE_AUTH on src port 4500; dst port 4500 just fine.
However, after that everything that's sent from strongswan is w/ srcport
4500; dstport 500.
That includes:
- delete child_sa informational
- any ESP packets that are sent in UDP encap
- any create_child_sa requests.
If I take the same configuration and initiate from strongswan the entire
NAT exchange works including whatever is sent after IKE_AUTH exchange.
I'm not seeing where this is a configuration issue, but might be missing
something.
traces from strongswan:
Apr 4 01:55:59 blackthumb charon: 16[NET] received packet: from 10.10.110.204[500] to 9.5.149.53[500]
Apr 4 01:55:59 blackthumb charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 4 01:55:59 blackthumb charon: 16[IKE] 10.10.110.204 is initiating an IKE_SA
Apr 4 01:55:59 blackthumb charon: 16[IKE] local host is behind NAT, sending keep alives
Apr 4 01:55:59 blackthumb charon: 16[IKE] sending cert request for "C=US, O=IBM, CN=BlackthumbCA"
Apr 4 01:55:59 blackthumb charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 4 01:55:59 blackthumb charon: 16[NET] sending packet: from 9.5.149.53[500] to 10.10.110.204[500]
Apr 4 01:56:01 blackthumb charon: 01[NET] received packet: from 10.10.110.204[4500] to 9.5.149.53[4500]
Apr 4 01:56:01 blackthumb charon: 01[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Apr 4 01:56:01 blackthumb charon: 01[CFG] looking for peer configs matching 9.5.149.53[%any]...10.10.110.204[10.10.110.204]
Apr 4 01:56:01 blackthumb charon: 01[CFG] selected peer config 'strongswan-remotehost'
Apr 4 01:56:01 blackthumb charon: 01[IKE] authentication of '10.10.110.204' with pre-shared key successful
Apr 4 01:56:01 blackthumb charon: 01[IKE] authentication of '9.5.149.53' (myself) with pre-shared key
Apr 4 01:56:01 blackthumb charon: 01[IKE] IKE_SA strongswan-remotehost[1] established between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
Apr 4 01:56:01 blackthumb charon: 01[IKE] scheduling reauthentication in 10181s
Apr 4 01:56:01 blackthumb charon: 01[IKE] maximum IKE_SA lifetime 10721s
Apr 4 01:56:01 blackthumb charon: 01[IKE] CHILD_SA strongswan-remotehost{1} established with SPIs ce28fab5_i 58db4f08_o and TS 9.5.149.53/32 === 10.10.110.204/32
Apr 4 01:56:01 blackthumb charon: 01[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Apr 4 01:56:01 blackthumb charon: 01[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]
Apr 4 01:56:12 blackthumb charon: 00[DMN] signal of type SIGINT received. Shutting down
Apr 4 01:56:12 blackthumb charon: 00[IKE] deleting IKE_SA strongswan-remotehost[1] between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
Apr 4 01:56:12 blackthumb charon: 00[IKE] sending DELETE for IKE_SA strongswan-remotehost[1]
Apr 4 01:56:12 blackthumb charon: 00[ENC] generating INFORMATIONAL request 0 [ D ]
Apr 4 01:56:12 blackthumb charon: 00[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[500]
Dennis Frett