[strongSwan] Fw: IKEv2 NAT issue

Dennis Frett frett at us.ibm.com
Tue Apr 5 20:32:26 CEST 2011


Sorry for not first trying the latest version of strongswan before posting 
this.  After loading 4.5.1 the issue appears to be solved.

Sending delete after IKE_AUTH reply worked, as well as pings from 
strongswan. 

Apr  4 23:41:04 blackthumb charon: 11[NET] received packet: from 
10.10.110.204[500] to 9.5.149.53[500]
Apr  4 23:41:04 blackthumb charon: 11[ENC] parsed IKE_SA_INIT request 0 [ 
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr  4 23:41:04 blackthumb charon: 11[IKE] 10.10.110.204 is initiating an 
IKE_SA
Apr  4 23:41:04 blackthumb charon: 11[IKE] local host is behind NAT, 
sending keep alives
Apr  4 23:41:04 blackthumb charon: 11[IKE] sending cert request for "C=US, 
O=IBM, CN=BlackthumbCA"
Apr  4 23:41:04 blackthumb charon: 11[ENC] generating IKE_SA_INIT response 
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr  4 23:41:04 blackthumb charon: 11[NET] sending packet: from 
9.5.149.53[500] to 10.10.110.204[500]
Apr  4 23:41:06 blackthumb charon: 02[NET] received packet: from 
10.10.110.204[4500] to 9.5.149.53[4500]
Apr  4 23:41:06 blackthumb charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi 
AUTH SA TSi TSr ]
Apr  4 23:41:06 blackthumb charon: 02[CFG] looking for peer configs 
matching 9.5.149.53[%any]...10.10.110.204[10.10.110.204]
Apr  4 23:41:06 blackthumb charon: 02[CFG] selected peer config 
'strongswan-remotehost'
Apr  4 23:41:06 blackthumb charon: 02[IKE] authentication of 
'10.10.110.204' with pre-shared key successful
Apr  4 23:41:06 blackthumb charon: 02[IKE] authentication of '9.5.149.53' 
(myself) with pre-shared key
Apr  4 23:41:06 blackthumb charon: 02[IKE] IKE_SA strongswan-remotehost[1] 
established between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
Apr  4 23:41:06 blackthumb charon: 02[IKE] scheduling reauthentication in 
9861s
Apr  4 23:41:06 blackthumb charon: 02[IKE] maximum IKE_SA lifetime 10401s
Apr  4 23:41:06 blackthumb charon: 02[IKE] CHILD_SA 
strongswan-remotehost{1} established with SPIs cb493f1f_i 0b1c2781_o and 
TS 9.5.149.53/32 === 10.10.110.204/32 
Apr  4 23:41:06 blackthumb charon: 02[ENC] generating IKE_AUTH response 1 
[ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Apr  4 23:41:06 blackthumb charon: 02[NET] sending packet: from 
9.5.149.53[4500] to 10.10.110.204[4500]
Apr  4 23:41:19 blackthumb charon: 10[CFG] received stroke: terminate 
'strongswan-remotehost'
Apr  4 23:41:19 blackthumb charon: 14[IKE] deleting IKE_SA 
strongswan-remotehost[1] between 
9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
Apr  4 23:41:19 blackthumb charon: 14[IKE] sending DELETE for IKE_SA 
strongswan-remotehost[1]
Apr  4 23:41:19 blackthumb charon: 14[ENC] generating INFORMATIONAL 
request 0 [ D ]
Apr  4 23:41:19 blackthumb charon: 14[NET] sending packet: from 
9.5.149.53[4500] to 10.10.110.204[4500]
Apr  4 23:41:20 blackthumb charon: 15[NET] received packet: from 
10.10.110.204[4500] to 9.5.149.53[4500]
Apr  4 23:41:20 blackthumb charon: 15[ENC] parsed INFORMATIONAL response 0 
[ ]
Apr  4 23:41:20 blackthumb charon: 15[IKE] IKE_SA deleted


Dennis Frett
IBM i VPN Development
Dept MR6; Rochester, MN
phone:  t/l 623-8596;  external: 612-397-2773
email:   frett at us.ibm.com
----- Forwarded by Dennis Frett/Rochester/IBM on 04/05/2011 01:27 PM -----

From:   Dennis Frett/Rochester/IBM
To:     users at lists.strongswan.org
Date:   04/04/2011 03:48 PM
Subject:        IKEv2 NAT issue


I'm running an IKEv2 NAT-T test with Strongswan 4.5.0 behind a NAT.


Linux  -------    NAT|  --------  initiator



The IKE_SA_INIT and IKE_AUTH are sent and received from the linux just 
fine. 
Strongswan detects the NAT in front of itself and also returns the 
IKE_AUTH on src port 4500;  dst port 4500 just fine.

However, after that everything that's sent from strongswan is w/ srcport 
4500; dstport 500.
That includes:
- delete child_sa informational 
- any ESP packets that are sent in UDP encap
- any create_child_sa requests.


If I take the same configuration and initiate from strongswan the entire 
NAT exchange works, including whatever is sent after the IKE_AUTH exchange. 


I'm not seeing where this is a configuration issue, but might be missing 
something. 



traces from strongswan:
Apr  4 01:55:59 blackthumb charon: 16[NET] received packet: from 
10.10.110.204[500] to 9.5.149.53[500]
Apr  4 01:55:59 blackthumb charon: 16[ENC] parsed IKE_SA_INIT request 0 [ 
SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr  4 01:55:59 blackthumb charon: 16[IKE] 10.10.110.204 is initiating an 
IKE_SA
Apr  4 01:55:59 blackthumb charon: 16[IKE] local host is behind NAT, 
sending keep alives
Apr  4 01:55:59 blackthumb charon: 16[IKE] sending cert request for "C=US, 
O=IBM, CN=BlackthumbCA"
Apr  4 01:55:59 blackthumb charon: 16[ENC] generating IKE_SA_INIT response 
0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr  4 01:55:59 blackthumb charon: 16[NET] sending packet: from 
9.5.149.53[500] to 10.10.110.204[500]
Apr  4 01:56:01 blackthumb charon: 01[NET] received packet: from 
10.10.110.204[4500] to 9.5.149.53[4500]
Apr  4 01:56:01 blackthumb charon: 01[ENC] parsed IKE_AUTH request 1 [ IDi 
AUTH SA TSi TSr ]
Apr  4 01:56:01 blackthumb charon: 01[CFG] looking for peer configs 
matching 9.5.149.53[%any]...10.10.110.204[10.10.110.204]
Apr  4 01:56:01 blackthumb charon: 01[CFG] selected peer config 
'strongswan-remotehost'
Apr  4 01:56:01 blackthumb charon: 01[IKE] authentication of 
'10.10.110.204' with pre-shared key successful
Apr  4 01:56:01 blackthumb charon: 01[IKE] authentication of '9.5.149.53' 
(myself) with pre-shared key
Apr  4 01:56:01 blackthumb charon: 01[IKE] IKE_SA strongswan-remotehost[1] 
established between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
Apr  4 01:56:01 blackthumb charon: 01[IKE] scheduling reauthentication in 
10181s
Apr  4 01:56:01 blackthumb charon: 01[IKE] maximum IKE_SA lifetime 10721s
Apr  4 01:56:01 blackthumb charon: 01[IKE] CHILD_SA 
strongswan-remotehost{1} established with SPIs ce28fab5_i 58db4f08_o and 
TS 9.5.149.53/32 === 10.10.110.204/32 
Apr  4 01:56:01 blackthumb charon: 01[ENC] generating IKE_AUTH response 1 
[ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Apr  4 01:56:01 blackthumb charon: 01[NET] sending packet: from 
9.5.149.53[4500] to 10.10.110.204[4500]
Apr  4 01:56:12 blackthumb charon: 00[DMN] signal of type SIGINT received. 
Shutting down
Apr  4 01:56:12 blackthumb charon: 00[IKE] deleting IKE_SA 
strongswan-remotehost[1] between 
9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
Apr  4 01:56:12 blackthumb charon: 00[IKE] sending DELETE for IKE_SA 
strongswan-remotehost[1]
Apr  4 01:56:12 blackthumb charon: 00[ENC] generating INFORMATIONAL 
request 0 [ D ]
Apr  4 01:56:12 blackthumb charon: 00[NET] sending packet: from 
9.5.149.53[4500] to 10.10.110.204[500]



Dennis Frett
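A small log check, added here as an example and not part of this thread or of strongSwan itself: it walks charon's [NET] lines, remembers the UDP port each peer was last seen sending from, and flags any outbound packet sent to a different port, which is exactly the post-IKE_AUTH fallback from 4500 to 500 reported above. The sample lines are constructed by condensing the two wrapped traces in this thread onto single lines.

```python
import re
from typing import Dict, List, Tuple

# Matches charon's [NET] lines as they appear in the traces above, e.g.
#   "Apr  4 01:56:12 blackthumb charon: 00[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[500]"
NET_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[NET\] "
    r"(?P<dir>received|sending) packet: from (?P<src>[\d.]+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]$"
)

def find_port_regressions(lines: List[str]) -> List[Tuple[str, str, int, int]]:
    """Return (timestamp, peer, expected_port, used_port) for each outbound packet
    sent to a port other than the one the peer was last seen on.

    Once a peer has floated to UDP/4500 (NAT-T), the responder has to keep using
    that port; a later packet to port 500 is the 4.5.0 behaviour in the thread."""
    peer_port: Dict[str, int] = {}          # peer address -> last observed source port
    findings: List[Tuple[str, str, int, int]] = []
    for raw in lines:
        m = NET_RE.match(raw.strip())
        if not m:
            continue                        # not a [NET] line, ignore
        if m["dir"] == "received":
            peer_port[m["src"]] = int(m["sport"])
        else:
            expected = peer_port.get(m["dst"])
            used = int(m["dport"])
            if expected is not None and used != expected:
                findings.append((m["ts"], m["dst"], expected, used))
    return findings

# Constructed sample: the 4.5.0 trace from the original post, unwrapped.
BROKEN_4_5_0 = [
    "Apr  4 01:55:59 blackthumb charon: 16[NET] received packet: from 10.10.110.204[500] to 9.5.149.53[500]",
    "Apr  4 01:55:59 blackthumb charon: 16[NET] sending packet: from 9.5.149.53[500] to 10.10.110.204[500]",
    "Apr  4 01:56:01 blackthumb charon: 01[NET] received packet: from 10.10.110.204[4500] to 9.5.149.53[4500]",
    "Apr  4 01:56:01 blackthumb charon: 01[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]",
    "Apr  4 01:56:12 blackthumb charon: 00[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[500]",
]

# Constructed sample: the 4.5.1 trace from the follow-up, unwrapped.
FIXED_4_5_1 = [
    "Apr  4 23:41:04 blackthumb charon: 11[NET] received packet: from 10.10.110.204[500] to 9.5.149.53[500]",
    "Apr  4 23:41:04 blackthumb charon: 11[NET] sending packet: from 9.5.149.53[500] to 10.10.110.204[500]",
    "Apr  4 23:41:06 blackthumb charon: 02[NET] received packet: from 10.10.110.204[4500] to 9.5.149.53[4500]",
    "Apr  4 23:41:06 blackthumb charon: 02[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]",
    "Apr  4 23:41:19 blackthumb charon: 14[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]",
    "Apr  4 23:41:20 blackthumb charon: 15[NET] received packet: from 10.10.110.204[4500] to 9.5.149.53[4500]",
]

if __name__ == "__main__":
    for name, trace in (("4.5.0", BROKEN_4_5_0), ("4.5.1", FIXED_4_5_1)):
        print(name, find_port_regressions(trace))
```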