[strongSwan] IPAD via NATed firewall doesn't work
Uli Joergens
uli.joergens at wanadoo.fr
Wed Apr 6 11:51:48 CEST 2011
Hello Martin
I think there is a misunderstanding.
The only NATed scenario that worked included a NATed VM with strongswan on it.
The VM therefore had a LAN IP address, no dynamic IP nor dyndns.
I switched the VM to bridged mode, so I'm afraid I cannot reproduce the configuration and I don't have the ipsec.conf any longer either. Anyway, that config doesn't really make sense. It is no different from an internet gateway with a VPN gateway except that there is no real network behind it to route into.
Cheers
Uli
On 06.04.2011, at 10:50, Martin Kellermann <kellermann at sk-datentechnik.com> wrote:
> Am 05.04.2011 22:35, schrieb Uli Joergens:
>> Concerning the single nated config I followed the following receipe:
>> http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
> but the config on that page is:
>
> conn L2TP
> authby=psk
> pfs=no
> rekey=no
> type=tunnel
> esp=aes128-sha1
> ike=aes128-sha-modp1024
> left=your.ip.goes.here
> leftnexthop=%defaultroute
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/%any
> rightsubnetwithin=0.0.0.0/0
> auto=add
>
> correct me if I'm wrong, but this doesn't make sense, since
> left (=server) is NATed and right (=iPad) is not NATed, so the
> rightsubnetwithin should be changed to leftsubnetwithin, as
> Andreas stated.
> and, what to put into "left=your.ip.goes.here"?
> since the IP is not fixed, simply put the dyndns name
> (xxx.dyndns.org) there? or set left=%defaultroute?
>
> can you show me your really working configs for this scenario:
> iPad2 ---> internet ---> dyndns/router (NAT) ---> strongswan
>
> thank you very much!
>
> regards
>
> Martin
>
>> For the record: I forwarded the following ports
>> - 1701
>> - 4500
>> - 500
>> - 50
>> - 51
>>
>> Basically, whenever I noticed any chatting going on on a port I opened and forwarded it. Not necessarily suitable for a production environment.
>> From that point of view one may ask whether VPN really improves security...
>> ... but let's cross the bridge when we get there.
>>
>> Cheers
>> Uli
>>
>> On 05.04.2011, at 16:51, Martin Kellermann<kellermann at sk-datentechnik.com> wrote:
>>
>>> Am 05.04.2011 12:47, schrieb Uli Joergens:
>>>> Hi there
>>>>
>>>> I tried it with older iOS version and it didn't work either.
>>> ah... ok. it was just a thought.
>>>> I did manage to establish a local connection to a NATed virtual machine, so single NAT works fine.
>>> really? this doesn't work for me. can you show me your configs? or give some more hints...
>>> which side was NATed on your working connection?
>>>> I tried Andreas' suggestion to set leftsubnetwithin but I get the same error.
>>>> My configuration:
>>>>
>>>> ipad -- nated mobile provider -- orange -- dr855 nated gw / firewall -- VPN gateway
>>>>
>>>> ports are forwarded to the VPN gateway.
>>> just for the record: udp 500 and udp 4500 ?
>>>> Any ideas how to make that work?
>>>> Cheers
>>>> Uli
>>>>
>>>>
>>>> On 05.04.2011, at 12:00, users-request at lists.strongswan.org wrote:
>>>>
>>>>> hello andreas,
>>>>>
>>>>> yes, you are right, but this still doesn't solve the problem. i am still
>>>>> stuck...
>>>>>
>>>>> reading some current posts on APPLEs discussion forum
>>>>> (for ex: http://discussions.apple.com/thread.jspa?threadID=2778039)
>>>>> maybe this is a general problem with iOS > 4.3 ?
>>>>>
>>>>> so i'm very interested if anyone has managed to get the iPad 2 (iOS 4.3.1)
>>>>> connect to strongswan with one or both sides being NATed?
>>>>>
>>>>> or maybe someone has managed to connect to open-/freeSWAN ?
>>>>> (server is on debian 6)
>>>>>
>>>>> any help is really appreciated!
>>>>>
>>>>> thank you
>>>>>
>>>>> Martin
>>>>>
>>>>> Am 30.03.2011 12:37, schrieb Andreas Steffen:
>>>>>> Hello Martin,
>>>>>>
>>>>>> because the responder is NAT-ed you don't have to set
>>>>>> rightsubnetwithin but
>>>>>>
>>>>>> leftsubnetwithin=0.0.0.0/0
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>> On 30.03.2011 09:57, Martin Kellermann wrote:
>>>>>>> hi,
>>>>>>>
>>>>>>> is there still no solution for this?
>>>>>>>
>>>>>>> i ran into the same situation as Uli, getting the
>>>>>>> "cannot respond to IPsec SA request because no connection is known"
>>>>>>> error.
>>>>>>>
>>>>>>> i want the following setup:
>>>>>>>
>>>>>>> iPad<-- NOT NATed --> internet<-- DSL router --> strongswan (NATed)
>>>>>>>
>>>>>>> so just the strongswan server's side is NATed
>>>>>>>
>>>>>>> i recompiled strongswan (on debian) with NAT-T patch enabled and auth.log
>>>>>>> tells: "including NAT-Traversal patch (Version 0.6c)"
>>>>>>>
>>>>>>> ipsec.conf:
>>>>>>> config setup
>>>>>>> nat_traversal=yes
>>>>>>> charonstart=yes
>>>>>>> plutostart=yes
>>>>>>> conn ipads
>>>>>>> authby=psk
>>>>>>> pfs=no
>>>>>>> rekey=no
>>>>>>> type=tunnel
>>>>>>> forceencaps=yes
>>>>>>> esp=aes128-sha1
>>>>>>> ike=aes128-sha-modp1024
>>>>>>> left=%defaultroute
>>>>>>> leftprotoport=17/1701
>>>>>>> right=%any
>>>>>>> rightprotoport=17/%any
>>>>>>> rightsubnetwithin=0.0.0.0/0
>>>>>>> auto=add
>>>>>>>
>>>>>>> ipsec.secrets:
>>>>>>> 192.168.0.251 %any : PSK "xxxxxxxxxx"
>>>>>>>
>>>>>>> auth.log:
>>>>>>> Mar 29 16:39:45 vpn pluto[28437]: loaded PSK secret for 192.168.0.251 %any
>>>>>>> Mar 29 16:39:45 vpn ipsec_starter[28436]: charon (28444) started after 40 ms
>>>>>>> Mar 29 16:39:45 vpn pluto[28437]: added connection description "ipads"
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> received Vendor ID payload [RFC 3947]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
>>>>>>> received Vendor ID payload [Dead Peer Detection]
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1:
>>>>>>> responding to Main Mode from unknown peer 2.206.202.168
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1:
>>>>>>> NAT-Traversal: Result using RFC 3947: i am NATed
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: ignoring
>>>>>>> informational payload, type IPSEC_INITIAL_CONTACT
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: Peer ID
>>>>>>> is ID_IPV4_ADDR: '2.206.202.168'
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: | NAT-T: new mapping
>>>>>>> 2.206.202.168:500/4500)
>>>>>>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sent
>>>>>>> MR3, ISAKMP SA established
>>>>>>> Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> cannot respond to IPsec SA request because no connection is known for
>>>>>>> 188.101.67.77/32===192.168.0.251:4500[192.168.0.251]:17/1701...2.206.202.168:4500[2.206.202.168]:17/%any
>>>>>>> Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> sending encrypted notification INVALID_ID_INFORMATION to 2.206.202.168:4500
>>>>>>> Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> Quick Mode I1 message is unacceptable because it uses a previously used
>>>>>>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>>>>>>> Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>>>>>>> Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> Quick Mode I1 message is unacceptable because it uses a previously used
>>>>>>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>>>>>>> Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>>>>>>> Mar 29 16:40:01 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> Quick Mode I1 message is unacceptable because it uses a previously used
>>>>>>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>>>>>>> Mar 29 16:40:01 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>>>>>>> Mar 29 16:40:04 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> Quick Mode I1 message is unacceptable because it uses a previously used
>>>>>>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>>>>>>> Mar 29 16:40:04 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>>>>>>> Mar 29 16:40:07 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> Quick Mode I1 message is unacceptable because it uses a previously used
>>>>>>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>>>>>>> Mar 29 16:40:07 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>>>>>>> Mar 29 16:40:10 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> Quick Mode I1 message is unacceptable because it uses a previously used
>>>>>>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>>>>>>> Mar 29 16:40:10 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>>>>>>> Mar 29 16:40:13 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> Quick Mode I1 message is unacceptable because it uses a previously used
>>>>>>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>>>>>>> Mar 29 16:40:13 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>>>>>>> Mar 29 16:40:16 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> Quick Mode I1 message is unacceptable because it uses a previously used
>>>>>>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>>>>>>> Mar 29 16:40:16 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>>>>>>> Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> Quick Mode I1 message is unacceptable because it uses a previously used
>>>>>>> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>>>>>>> Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>>>>>>> Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
>>>>>>> received Delete SA payload: deleting ISAKMP State #1
>>>>>>> Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500:
>>>>>>> deleting connection "ipads" instance with peer 2.206.202.168
>>>>>>> {isakmp=#0/ipsec=#0}
>>>>>>> Mar 29 16:40:23 vpn pluto[28437]: ERROR: asynchronous network error
>>>>>>> report on eth0 for message to 2.206.202.168 port 4500, complainant
>>>>>>> 2.206.202.168: Connection refused [errno 111, origin ICMP type 3 code 3
>>>>>>> (not authenticated)]
>>>>>>>
>>>>>>> any ideas?
>>>>>>>
>>>>>>> regards
>>>>>>>
>>>>>> ======================================================================
>>>>>> Andreas Steffen andreas.steffen at strongswan.org
>>>>>> strongSwan - the Linux VPN Solution! www.strongswan.org
>>>>>> Institute for Internet Technologies and Applications
>>>>>> University of Applied Sciences Rapperswil
>>>>>> CH-8640 Rapperswil (Switzerland)
>>>>>> ===========================================================[ITA-HSR]==
>>>>>>
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> Message: 2
>>>>> Date: Mon, 4 Apr 2011 15:48:59 -0500
>>>>> From: Dennis Frett<frett at us.ibm.com>
>>>>> Subject: [strongSwan] IKEv2 NAT issue
>>>>> To: users at lists.strongswan.org
>>>>>
>>>>> I'm running an IKEv2 NAT-T test with Strongswan 4.5.0 behind a NAT
>>>>>
>>>>>
>>>>> Linux ------- NAT| -------- initiator
>>>>>
>>>>>
>>>>>
>>>>> The IKE_SA_INIT and IKE_AUTH are sent and received from the linux just
>>>>> fine.
>>>>> Strongswan detects the NAT in front of itself and also returns the
>>>>> IKE_AUTH on src port 4500; dst port 4500 just fine.
>>>>>
>>>>> However, after that everything that's sent from strongswan is w/ srcport
>>>>> 4500; dstport 500.
>>>>> That includes:
>>>>> - delete child_sa informational
>>>>> - any ESP packets that are sent in UDP encap
>>>>> - any create_child_sa requests.
>>>>>
>>>>>
>>>>> If I take the same configuration and initiate from strongswan the entire
>>>>> NAT exchange works including whatever is sent after IKE_AUTH exchange.
>>>>>
>>>>>
>>>>> I'm not seeing where this is a configuration issue, but might be missing
>>>>> something.
>>>>>
>>>>>
>>>>>
>>>>> traces from strongswan:
>>>>> Apr 4 01:55:59 blackthumb charon: 16[NET] received packet: from
>>>>> 10.10.110.204[500] to 9.5.149.53[500]
>>>>> Apr 4 01:55:59 blackthumb charon: 16[ENC] parsed IKE_SA_INIT request 0 [
>>>>> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>>>>> Apr 4 01:55:59 blackthumb charon: 16[IKE] 10.10.110.204 is initiating an
>>>>> IKE_SA
>>>>> Apr 4 01:55:59 blackthumb charon: 16[IKE] local host is behind NAT,
>>>>> sending keep alives
>>>>> Apr 4 01:55:59 blackthumb charon: 16[IKE] sending cert request for "C=US,
>>>>> O=IBM, CN=BlackthumbCA"
>>>>> Apr 4 01:55:59 blackthumb charon: 16[ENC] generating IKE_SA_INIT response
>>>>> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>>>>> Apr 4 01:55:59 blackthumb charon: 16[NET] sending packet: from
>>>>> 9.5.149.53[500] to 10.10.110.204[500]
>>>>> Apr 4 01:56:01 blackthumb charon: 01[NET] received packet: from
>>>>> 10.10.110.204[4500] to 9.5.149.53[4500]
>>>>> Apr 4 01:56:01 blackthumb charon: 01[ENC] parsed IKE_AUTH request 1 [ IDi
>>>>> AUTH SA TSi TSr ]
>>>>> Apr 4 01:56:01 blackthumb charon: 01[CFG] looking for peer configs
>>>>> matching 9.5.149.53[%any]...10.10.110.204[10.10.110.204]
>>>>> Apr 4 01:56:01 blackthumb charon: 01[CFG] selected peer config
>>>>> 'strongswan-remotehost'
>>>>> Apr 4 01:56:01 blackthumb charon: 01[IKE] authentication of
>>>>> '10.10.110.204' with pre-shared key successful
>>>>> Apr 4 01:56:01 blackthumb charon: 01[IKE] authentication of '9.5.149.53'
>>>>> (myself) with pre-shared key
>>>>> Apr 4 01:56:01 blackthumb charon: 01[IKE] IKE_SA strongswan-remotehost[1]
>>>>> established between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
>>>>> Apr 4 01:56:01 blackthumb charon: 01[IKE] scheduling reauthentication in
>>>>> 10181s
>>>>> Apr 4 01:56:01 blackthumb charon: 01[IKE] maximum IKE_SA lifetime 10721s
>>>>> Apr 4 01:56:01 blackthumb charon: 01[IKE] CHILD_SA
>>>>> strongswan-remotehost{1} established with SPIs ce28fab5_i 58db4f08_o and
>>>>> TS 9.5.149.53/32 === 10.10.110.204/32
>>>>> Apr 4 01:56:01 blackthumb charon: 01[ENC] generating IKE_AUTH response 1
>>>>> [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
>>>>> Apr 4 01:56:01 blackthumb charon: 01[NET] sending packet: from
>>>>> 9.5.149.53[4500] to 10.10.110.204[4500]
>>>>> Apr 4 01:56:12 blackthumb charon: 00[DMN] signal of type SIGINT received.
>>>>> Shutting down
>>>>> Apr 4 01:56:12 blackthumb charon: 00[IKE] deleting IKE_SA
>>>>> strongswan-remotehost[1] between
>>>>> 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
>>>>> Apr 4 01:56:12 blackthumb charon: 00[IKE] sending DELETE for IKE_SA
>>>>> strongswan-remotehost[1]
>>>>> Apr 4 01:56:12 blackthumb charon: 00[ENC] generating INFORMATIONAL
>>>>> request 0 [ D ]
>>>>> Apr 4 01:56:12 blackthumb charon: 00[NET] sending packet: from
>>>>> 9.5.149.53[4500] to 10.10.110.204[500]
>>>>>
>>>>>
>>>>>
>>>>> Dennis Frett
>>>>>
>>>>> ------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.strongswan.org
>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>>
>>>>> End of Users Digest, Vol 15, Issue 2
>>>>> ************************************
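To see why Andreas' leftsubnetwithin advice fits the error in Martin's log, here is an added Python example (not from the thread and not strongSwan code): it parses the selector out of the "no connection is known for ..." line and applies a simplified, hypothetical conn-matching rule to Martin's conn as posted and to the same conn with leftsubnetwithin=0.0.0.0/0. The rule models the behaviour the thread describes, not pluto's real matcher, and it assumes left=%defaultroute resolved to 192.168.0.251 as the log shows.

```python
import re
from ipaddress import ip_network

# The selector pluto printed in the thread's "cannot respond to IPsec SA
# request because no connection is known for ..." line (copied, constructed string).
SELECTOR = ("188.101.67.77/32===192.168.0.251:4500[192.168.0.251]:17/1701"
            "...2.206.202.168:4500[2.206.202.168]:17/%any")

# Martin's conn as posted (left=%defaultroute resolved to 192.168.0.251 per the
# log) and the same conn with Andreas' fix. Plain dicts standing in for ipsec.conf.
MARTIN_CONN = {"left": "192.168.0.251", "leftprotoport": "17/1701",
               "right": "%any", "rightprotoport": "17/%any",
               "rightsubnetwithin": "0.0.0.0/0"}
FIXED_CONN = {"left": "192.168.0.251", "leftprotoport": "17/1701",
              "right": "%any", "rightprotoport": "17/%any",
              "leftsubnetwithin": "0.0.0.0/0"}

# One side of the selector: [subnet===]host:port[id]:proto/port
END_RE = re.compile(
    r"^(?:(?P<subnet>[\d.]+/\d+)===)?(?P<host>[\d.]+):(?P<port>\d+)"
    r"\[(?P<id>[^\]]*)\]:(?P<proto>\d+)/(?P<pport>\d+|%any)$")

def parse_end(text):
    """Split one side of the selector into host, client subnet and proto/port."""
    m = END_RE.match(text)
    if not m:
        raise ValueError("unparsable endpoint: " + text)
    end = m.groupdict()
    # No explicit subnet means the client behind this end is the host itself.
    end["subnet"] = end["subnet"] or end["host"] + "/32"
    return end

def parse_selector(line):
    left, right = line.split("...")
    return parse_end(left), parse_end(right)

def end_matches(end, conf_addr, conf_protoport, subnet_within):
    """Hypothetical rule: proto/port must agree with *protoport (%any accepts any
    port) and the proposed client subnet must be the end's own address unless a
    *subnetwithin range contains it."""
    proto, port = conf_protoport.split("/")
    if end["proto"] != proto or (port != "%any" and end["pport"] != port):
        return False
    proposed = ip_network(end["subnet"])
    if proposed == ip_network(conf_addr + "/32"):
        return True
    return subnet_within is not None and proposed.subnet_of(ip_network(subnet_within))

def conn_matches(conn, selector):
    left, right = parse_selector(selector)
    right_addr = right["host"] if conn["right"] == "%any" else conn["right"]
    return (end_matches(left, conn["left"], conn["leftprotoport"],
                        conn.get("leftsubnetwithin")) and
            end_matches(right, right_addr, conn["rightprotoport"],
                        conn.get("rightsubnetwithin")))
```

The left-hand client subnet in the proposal is the NAT's public address 188.101.67.77, not the server's own 192.168.0.251, so only a leftsubnetwithin range that contains it lets the conn match; rightsubnetwithin is irrelevant because the iPad proposes itself as the right-hand client.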