[strongSwan] iOS and fun with double natting.

Doug Davis dougd at dldavis.com
Sat Dec 17 17:36:17 CET 2011


Okay, I've sunk several days of my life into this and still can't make it work, so I'm going to toss it into the ether and hope someone has a cluebat to hit me with.

Configuration:
Ubuntu unix. I've used stock, 4.6.1 and 4.6.2dr2 ipsec; also 1.2.x and 1.3.x xl2tpd, but I don't think we are getting that far.

Authentication via PSK (at least attempting this way at first) 


network is as follows

ubuntu[192.168.1.x/24]   --- fiosmodem (forwarding 4500, 500, 50 udp as confirmed by tcpdump)[static IP]   {   internet  }   ??whatevers on AT&Ts network??  --  iphone [10.x.x.x/8] 

localhost is 192.168.1.50, default route is 192.168.1.1; pretty stock stuff.

The iPhone, in true Apple form, is less than verbose about what it thinks is wrong.



[----ipsec.conf----]

config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=yes


conn    L2TP
        keyexchange=ikev1
        authby=psk
        pfs=no
        # I've also tried transport mode here and have the same results
        type=tunnel
        left=192.168.1.50
        leftnexthop=%defaultroute
        leftsubnet={my static ip is here}/32
        leftprotoport=udp/1701
        right=%any
        rightprotoport=udp/%any
        rightsubnetwithin=10.0.0.0/8
        auto=add


[----ipsec.secrets----]

include /var/lib/strongswan/ipsec.secrets.inc

192.168.1.50    %any:   PSK "my.lovely.password.goes.here"



[----auth.log----]
Dec 17 10:23:05 dwall508 pluto[3536]: loading secrets from "/var/lib/strongswan/ipsec.secrets.inc"
Dec 17 10:23:05 dwall508 pluto[3536]:   loaded private key from '/etc/ipsec.d/private/dwall508Key.pem'
Dec 17 10:23:05 dwall508 pluto[3536]:   loaded PSK secret for 192.168.1.50 %any 
Dec 17 10:23:05 dwall508 pluto[3536]: added connection description "L2TP"
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: received Vendor ID payload [RFC 3947]
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: received Vendor ID payload [Dead Peer Detection]

Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: responding to Main Mode from unknown peer 166.205.10.112:3447
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: Peer ID is ID_IPV4_ADDR: '10.138.154.86'
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:3447 #1: deleting connection "L2TP" instance with peer 166.205.10.112 {isakmp=#0/ipsec=#0}
Dec 17 10:23:07 dwall508 pluto[3536]: | NAT-T: new mapping 166.205.10.112:3447/4059)
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: sent MR3, ISAKMP SA established
Dec 17 10:23:08 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 17 10:23:08 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: responding to Quick Mode
Dec 17 10:23:09 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: ignoring informational payload, type INVALID_HASH_INFORMATION
Dec 17 10:23:09 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: received Delete SA payload: deleting ISAKMP State #1
Dec 17 10:23:09 dwall508 pluto[3536]: ERROR: asynchronous network error report on eth0 for message to 166.205.10.112 port 4059, complainant 166.205.10.112: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Dec 17 10:23:18 dwall508 pluto[3536]: ERROR: asynchronous network error report on eth0 for message to 166.205.10.112 port 4059, complainant 166.205.10.112: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Dec 17 10:23:40 dwall508 pluto[3536]: ERROR: asynchronous network error report on eth0 for message to 166.205.10.112 port 4059, complainant 166.205.10.112: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Dec 17 10:24:19 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: max number of retransmissions (2) reached STATE_QUICK_R1
Dec 17 10:24:19 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059: deleting connection "L2TP" instance with peer 166.205.10.112 {isakmp=#0/ipsec=#0}
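The auth.log above contains everything needed to place the failure: phase 1 completes, the NAT-T mapping changes, the responder answers Quick Mode, and then the client sends INVALID_HASH_INFORMATION and deletes the SA. The following triage script is an added example, not part of the original post or of strongSwan; it parses the pluto lines quoted above (embedded as a constructed sample, trimmed to the lines that matter) and reconstructs the IKE timeline for the peer. The dataclass, the function names, the diagnosis codes and the regexes are mine and are tuned to pluto's 4.x log format.

```python
"""Triage a strongSwan pluto (IKEv1) log for an L2TP/IPsec NAT-T failure.

Added example, not code from the original post or from strongSwan. It walks the
auth.log lines quoted above and reconstructs, for one peer, phase 1 (Main Mode),
NAT-T detection, the NAT port-mapping change, phase 2 (Quick Mode) and what
ended the exchange. Regexes follow pluto 4.x message formats as seen in the log.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the relevant lines from the auth.log in the post above.
SAMPLE_LOG = """\
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: responding to Main Mode from unknown peer 166.205.10.112:3447
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: Peer ID is ID_IPV4_ADDR: '10.138.154.86'
Dec 17 10:23:07 dwall508 pluto[3536]: | NAT-T: new mapping 166.205.10.112:3447/4059)
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: sent MR3, ISAKMP SA established
Dec 17 10:23:08 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Dec 17 10:23:08 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: responding to Quick Mode
Dec 17 10:23:09 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: ignoring informational payload, type INVALID_HASH_INFORMATION
Dec 17 10:23:09 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: received Delete SA payload: deleting ISAKMP State #1
Dec 17 10:23:09 dwall508 pluto[3536]: ERROR: asynchronous network error report on eth0 for message to 166.205.10.112 port 4059, complainant 166.205.10.112: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Dec 17 10:24:19 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: max number of retransmissions (2) reached STATE_QUICK_R1
"""

# Patterns for the pluto line shapes seen above (hypothetical names, my own).
STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
MAPPING_RE = re.compile(r'NAT-T: new mapping (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<old>\d+)/(?P<new>\d+)')
PEER_ID_RE = re.compile(r"Peer ID is (?P<type>\S+): '(?P<id>[^']+)'")
NOTIFY_RE = re.compile(r'informational payload, type (?P<type>[A-Z_]+)')
ICMP_RE = re.compile(r'ICMP type (?P<type>\d+) code (?P<code>\d+)')
RETRANS_RE = re.compile(r'max number of retransmissions \((?P<n>\d+)\) reached (?P<state>\S+)')


def is_private(ip: str) -> bool:
    """True for RFC 1918 / other non-global addresses (e.g. the carrier's 10/8)."""
    return ipaddress.ip_address(ip).is_private


@dataclass
class IkeTimeline:
    peer: str = ""                      # source address packets arrive from
    peer_id: str = ""                   # IKE identity the client presented
    both_nated: bool = False            # RFC 3947 NAT-D result
    port_before: Optional[int] = None   # phase-1 UDP source port
    port_after: Optional[int] = None    # port after the NAT-T float to 4500
    isakmp_established: bool = False
    nat_oa_count: int = 0
    quick_mode_responded: bool = False
    notifies: List[str] = field(default_factory=list)
    delete_sa: bool = False
    icmp_unreachable: int = 0
    retransmit_limit: Optional[int] = None
    retransmit_state: str = ""

    def diagnosis(self) -> List[Tuple[str, str]]:
        """Return (code, explanation) findings in the order they occurred."""
        out = []
        if self.both_nated and self.port_before is not None and self.port_before != self.port_after:
            out.append(("nat-mapping-changed",
                        f"both sides NATed; the client's NAT rewrote its source port "
                        f"{self.port_before} -> {self.port_after} when IKE floated to UDP 4500"))
        if self.peer_id and self.peer and is_private(self.peer_id) and not is_private(self.peer):
            out.append(("private-peer-id",
                        f"peer identifies as its inside address {self.peer_id} while packets "
                        f"arrive from {self.peer}; phase-2 selectors and IDs must allow for this"))
        if (self.isakmp_established and self.quick_mode_responded
                and "INVALID_HASH_INFORMATION" in self.notifies and self.delete_sa):
            out.append(("phase2-rejected-by-peer",
                        "phase 1 completed (the PSK was accepted), the responder answered Quick Mode, "
                        "then the peer sent INVALID_HASH_INFORMATION and deleted the ISAKMP SA: the "
                        "mismatch is in the Quick Mode exchange (proposal, selectors, mode), not the secret"))
        if self.icmp_unreachable:
            out.append(("peer-socket-closed",
                        f"{self.icmp_unreachable} ICMP port-unreachable report(s): the client stopped "
                        f"listening on its NAT-T port after the delete, so retransmits cannot succeed"))
        if self.retransmit_state:
            out.append(("responder-gave-up",
                        f"responder hit its retransmission limit ({self.retransmit_limit}) in {self.retransmit_state}"))
        return out


def parse_pluto_log(text: str) -> IkeTimeline:
    """Fold pluto log lines into an IkeTimeline; unrelated lines are ignored."""
    t = IkeTimeline()
    for line in text.splitlines():
        m = MAPPING_RE.search(line)
        if m:
            t.peer = t.peer or m["ip"]
            t.port_before, t.port_after = int(m["old"]), int(m["new"])
            continue
        m = ICMP_RE.search(line)
        if m and (m["type"], m["code"]) == ("3", "3"):
            t.icmp_unreachable += 1
            continue
        m = RETRANS_RE.search(line)
        if m:
            t.retransmit_limit, t.retransmit_state = int(m["n"]), m["state"]
            continue
        m = STATE_RE.search(line)
        if not m:
            continue
        t.peer = t.peer or m["ip"]
        msg = m["msg"]
        pm = PEER_ID_RE.search(msg)
        nm = NOTIFY_RE.search(msg)
        if "both are NATed" in msg:
            t.both_nated = True
        elif pm:
            t.peer_id = pm["id"]
        elif nm:
            t.notifies.append(nm["type"])
        elif "ISAKMP SA established" in msg:
            t.isakmp_established = True
        elif "NAT-OA" in msg:
            t.nat_oa_count = int(re.search(r"received (\d+) NAT-OA", msg).group(1))
        elif "responding to Quick Mode" in msg:
            t.quick_mode_responded = True
        elif "received Delete SA payload" in msg:
            t.delete_sa = True
    return t


if __name__ == "__main__":
    for code, why in parse_pluto_log(SAMPLE_LOG).diagnosis():
        print(f"{code:24s} {why}")
```

Run it against a full auth.log (`python3 triage.py < /var/log/auth.log` with a one-line change to read stdin) and the findings come out in exchange order; the useful property for this kind of problem is that it separates what is already proven (PSK accepted, NAT-T negotiated) from where the peer actually walked away (the Quick Mode reply), so effort goes to the phase-2 settings rather than the secret or the port forwards.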