[strongSwan] iOS and fun with double natting.
Uli Joergens
uli.joergens at orange.fr
Sun Dec 18 14:41:58 CET 2011
I tried in vain to get it working with psk, too.
I finally gave up as it seems to be impossible via double NAT.
Try certificates. That is a bit more complicated to configure but at least it works well.
Cheers
Uli
> Okay, I've soaked several days of my life into this and still can't make it work .. so I'm going to toss it into the ether and hope someone has a cluebat to hit me with
>
> Configuration:
> ubuntu unix .. I've used stock, 4.6.1 and 4.6.2dr2 ipsec ... also 1.2.x and 1.3.x xl2tpd's but I don't think we are getting that far
>
> Authentication via PSK (at least attempting this way at first)
>
>
> network is as follows
>
> ubuntu[192.168.1.x/24] --- fiosmodem (forwarding 4500, 500, 50 udp as confirmed by tcpdump)[static IP] { internet } ??whatevers on AT&Ts network?? -- iphone [10.x.x.x/8]
>
> localhost is 192.168.1.50, default route is 192.168.1.1 pretty stuck stuff
>
> The iphone, in true apple form, is less than verbose about what it thinks is wrong.
>
>
>
> [----ipsec.conf----]
>
> config setup
> nat_traversal=yes
> charonstart=yes
> plutostart=yes
>
>
> conn L2TP
> keyexchange=ikev1
> authby=psk
> pfs=no
> type=tunnel [ I've also tried transport mode here and have the same results ]
> left=192.168.1.50
> leftnexthop=%defaultroute
> leftsubnet={my static ip is here}/32
> leftprotoport=udp/1701
> right=%any
> rightprotoport=udp/%any
> rightsubnetwithin=10.0.0.0/8
> auto=add
>
>
> [----ipsec.secrets----]
>
> include /var/lib/strongswan/ipsec.secrets.inc
>
> 192.168.1.50 %any: PSK "my.lovely.password.goes.here"
>
>
>
> [----auth.log----]
> Dec 17 10:23:05 dwall508 pluto[3536]: loading secrets from "/var/lib/strongswan/ipsec.secrets.inc"
> Dec 17 10:23:05 dwall508 pluto[3536]: loaded private key from '/etc/ipsec.d/private/dwall508Key.pem'
> Dec 17 10:23:05 dwall508 pluto[3536]: loaded PSK secret for 192.168.1.50 %any
> Dec 17 10:23:05 dwall508 pluto[3536]: added connection description "L2TP"
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: received Vendor ID payload [RFC 3947]
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Dec 17 10:23:07 dwall508 pluto[3536]: packet from 166.205.10.112:3447: received Vendor ID payload [Dead Peer Detection]
>
> Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: responding to Main Mode from unknown peer 166.205.10.112:3447
> Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: NAT-Traversal: Result using RFC 3947: both are NATed
> Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: Peer ID is ID_IPV4_ADDR: '10.138.154.86'
> Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:3447 #1: deleting connection "L2TP" instance with peer 166.205.10.112 {isakmp=#0/ipsec=#0}
> Dec 17 10:23:07 dwall508 pluto[3536]: | NAT-T: new mapping 166.205.10.112:3447/4059)
> Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: sent MR3, ISAKMP SA established
> Dec 17 10:23:08 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
> Dec 17 10:23:08 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: responding to Quick Mode
> Dec 17 10:23:09 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: ignoring informational payload, type INVALID_HASH_INFORMATION
> Dec 17 10:23:09 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: received Delete SA payload: deleting ISAKMP State #1
> Dec 17 10:23:09 dwall508 pluto[3536]: ERROR: asynchronous network error report on eth0 for message to 166.205.10.112 port 4059, complainant 166.205.10.112: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> Dec 17 10:23:18 dwall508 pluto[3536]: ERROR: asynchronous network error report on eth0 for message to 166.205.10.112 port 4059, complainant 166.205.10.112: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> Dec 17 10:23:40 dwall508 pluto[3536]: ERROR: asynchronous network error report on eth0 for message to 166.205.10.112 port 4059, complainant 166.205.10.112: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> Dec 17 10:24:19 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: max number of retransmissions (2) reached STATE_QUICK_R1
> Dec 17 10:24:19 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059: deleting connection "L2TP" instance with peer 166.205.10.112 {isakmp=#0/ipsec=#0}
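An added example, not code from the thread or from strongSwan: a small Python triage for the pluto auth.log format quoted above, run over a constructed subset of the poster's own lines. It extracts the signals that matter for this failure (NAT-T "both are NATed", phase 1 established, Quick Mode followed by INVALID_HASH_INFORMATION, the peer's inner ID and the NAT-T port remap) so the phase where the exchange dies is visible at a glance.

```python
import re
# Constructed sample, trimmed from the pluto auth.log lines quoted in the post.
SAMPLE_LOG = """\
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: responding to Main Mode from unknown peer 166.205.10.112:3447
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[1] 166.205.10.112:3447 #1: Peer ID is ID_IPV4_ADDR: '10.138.154.86'
Dec 17 10:23:07 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: sent MR3, ISAKMP SA established
Dec 17 10:23:08 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: responding to Quick Mode
Dec 17 10:23:09 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: ignoring informational payload, type INVALID_HASH_INFORMATION
Dec 17 10:23:09 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #1: received Delete SA payload: deleting ISAKMP State #1
Dec 17 10:24:19 dwall508 pluto[3536]: "L2TP"[2] 166.205.10.112:4059 #2: max number of retransmissions (2) reached STATE_QUICK_R1
"""

# Matches only the SA-tagged pluto lines; vendor-ID chatter and ICMP error reports are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+):(?P<port>\d+) #(?P<sa>\d+): (?P<msg>.*)$'
)

def parse(text):
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(events):
    """Reduce an IKEv1 responder log to the facts that matter for a NAT-T post-mortem."""
    r = {"both_nated": False, "phase1_established": False, "phase2_started": False,
         "phase2_failed": False, "peer_deleted": False, "peer_id": None, "port_changed": False}
    for e in events:
        msg = e["msg"]
        if "both are NATed" in msg:
            r["both_nated"] = True
        elif "ISAKMP SA established" in msg:
            r["phase1_established"] = True
        elif "responding to Quick Mode" in msg:
            r["phase2_started"] = True
        elif "INVALID_HASH_INFORMATION" in msg or "STATE_QUICK_R1" in msg:
            r["phase2_failed"] = True
        elif "received Delete SA payload" in msg:
            r["peer_deleted"] = True
        elif (m := re.search(r"Peer ID is ID_IPV4_ADDR: '([\d.]+)'", msg)):
            r["peer_id"] = m.group(1)  # inner (pre-NAT) address the client identifies with
    r["port_changed"] = len({e["port"] for e in events}) > 1  # NAT-T remapped the source port (3447 -> 4059)
    return r

def verdict(r):
    if not r["phase1_established"]:
        return "phase 1 failed"
    if r["phase2_failed"]:
        return "phase 1 ok, phase 2 failed" + (" behind double NAT" if r["both_nated"] else "")
    return "phase 1 ok, no phase 2 failure seen"
```

Running `verdict(triage(parse(SAMPLE_LOG)))` on the quoted lines yields "phase 1 ok, phase 2 failed behind double NAT", which is the state the poster's log describes.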