[strongSwan] IPAD via NATed firewall doesn't work
Uli Joergens
uli.joergens at orange.fr
Sun Feb 6 18:50:21 CET 2011
Hello
I'm trying to configure strongSwan for accessing my home network with my
iPad.
I do manage to build up the VPN tunnel within the WLAN with the ipsec.conf
below.
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        nat_traversal=yes       # accept peers behind NAT (UDP 4500 encapsulation)
        charonstart=no          # IKEv2 daemon not used
        plutostart=yes          # IKEv1 daemon handles this connection
conn L2TP
        authby=psk
        keyexchange=ikev1
        pfs=no
        rekey=no
        type=tunnel
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=192.168.1.250      # VPN gateway's private address behind the DIR-855
        leftprotoport=17/1701   # only UDP 1701 (L2TP) on the gateway side
        right=%any              # client address is not known in advance
        rightprotoport=17/%any  # any UDP source port on the client
        rightsubnetwithin=0.0.0.0/0  # accept whatever client subnet the peer proposes
        auto=add                # load the conn, do not initiate
As soon as I try to access through the internet (dynamic IP address via
dyndns), I get the following error message: "cannot respond to IPsec SA
request because no connection is known for" (see log below):
Feb 6 18:45:43 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: responding to Main Mode from unknown peer 193.247.250.41:397
Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: NAT-Traversal: Result using RFC 3947: both are NATed
Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: Peer ID is ID_IPV4_ADDR: '10.165.74.84'
Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:397 #5: deleting connection "L2TP" instance with peer 193.247.250.41 {isakmp=#0/ipsec=#0}
Feb 6 18:45:44 webfrontend pluto[26687]: | NAT-T: new mapping 193.247.250.41:397/18954)
Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: sent MR3, ISAKMP SA established
Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32}
Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: sending encrypted notification INVALID_ID_INFORMATION to 193.247.250.41:18954
Feb 6 18:45:48 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1e7f53a7 (perhaps this is a duplicated packet)
My setup looks like the following:
iPad -> 3G -> MyDomain.dyndns.org -> DIR-855 internet gateway (192.168.1.1)
-> VPN gateway (192.168.1.250) -> LAN / WLAN 192.168.1.0
I tried all sorts of combinations, including the NATed iPad address as
parameter "right" (as well as the parameters rightsubnet and rightsubnetwithin),
but it doesn't change anything. I presume I got something fundamentally
wrong.
Did anybody manage to get VPN up and running in a similar configuration?
Regards
Uli
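The pluto line "cannot respond to IPsec SA request because no connection is known for ..." packs the Quick Mode selectors the peer proposed into one string, which is hard to read by eye. The following script is an added example for this thread (it is not part of the original post and not strongSwan code): it parses that string, splits it into the two hosts, their IDs, proto/port pairs and client subnets, and reports which parts are not covered by the values in the posted "conn L2TP" section. The selector grammar it assumes is left_subnet===left_host:port[left_id]:proto/port...right_host:port[right_id]:proto/port==={right_subnet}, read off the line quoted above; the ipsec.conf(5) default that an omitted leftsubnet means the left host as a /32 is applied when comparing.

```python
"""Parse pluto's 'no connection is known for <selectors>' message and compare
the requested selectors with an ipsec.conf conn section.

Added example for this thread, not strongSwan's own code. The log line is the
one quoted in the post (rejoined onto one line); CONN mirrors the posted conn.
"""
import ipaddress
import re

# Quoted from the post: the Quick Mode request pluto rejected.
LOG_LINE = (
    'Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: '
    'cannot respond to IPsec SA request because no connection is known for '
    '86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...'
    '193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32}'
)

# Values taken from the posted "conn L2TP" section (no leftsubnet is set there).
CONN = {
    'left': '192.168.1.250',
    'leftprotoport': '17/1701',
    'right': '%any',
    'rightprotoport': '17/%any',
    'rightsubnetwithin': '0.0.0.0/0',
}

_MSG = re.compile(r'no connection is known for (?P<sel>\S+)')
# Assumed grammar: lsub===lhost:port[lid]:proto/port...rhost:port[rid]:proto/port==={rsub}
_SEL = re.compile(
    r'^(?P<left_subnet>[^=]+)===(?P<left_host>[^\[]+)\[(?P<left_id>[^\]]+)\]:(?P<left_pp>[^.]+)'
    r'\.\.\.(?P<right_host>[^\[]+)\[(?P<right_id>[^\]]+)\]:(?P<right_pp>[^=]+)'
    r'===\{?(?P<right_subnet>[^}]+)\}?$'
)


def parse_selector(log_line):
    """Return the selector fields of a 'no connection is known for' line, or None."""
    m = _MSG.search(log_line)
    if not m:
        return None
    s = _SEL.match(m.group('sel'))
    if not s:
        return None
    d = s.groupdict()
    for side in ('left', 'right'):
        host, port = d[f'{side}_host'].rsplit(':', 1)
        d[f'{side}_host'] = host
        d[f'{side}_port'] = int(port)  # 4500 on either side means NAT-T encapsulation
    return d


def protoport_matches(configured, requested):
    """'17/%any' covers every UDP port; '17/1701' covers only UDP 1701."""
    cproto, cport = configured.split('/')
    rproto, rport = requested.split('/')
    return cproto == rproto and cport in ('%any', rport)


def check_against_conn(sel, conn):
    """List the requested selector parts that the conn section does not cover."""
    problems = []
    # ipsec.conf(5): a missing leftsubnet means the left host itself (a /32).
    left_client = ipaddress.ip_network(conn.get('leftsubnet', conn['left'] + '/32'))
    if ipaddress.ip_network(sel['left_subnet']) != left_client:
        problems.append(f"peer asked for left client {sel['left_subnet']}, "
                        f"conn offers {left_client}")
    if not protoport_matches(conn['leftprotoport'], sel['left_pp']):
        problems.append(f"left proto/port {sel['left_pp']} not covered by "
                        f"leftprotoport={conn['leftprotoport']}")
    within = ipaddress.ip_network(conn.get('rightsubnetwithin', sel['right_subnet']))
    if not ipaddress.ip_network(sel['right_subnet']).subnet_of(within):
        problems.append(f"right client {sel['right_subnet']} outside "
                        f"rightsubnetwithin={within}")
    if not protoport_matches(conn['rightprotoport'], sel['right_pp']):
        problems.append(f"right proto/port {sel['right_pp']} not covered by "
                        f"rightprotoport={conn['rightprotoport']}")
    return problems


def nat_observations(sel):
    """Describe what the selector string reveals about NAT on the path."""
    notes = []
    if sel['right_id'] != sel['right_host']:
        notes.append(f"peer identifies as {sel['right_id']} but its packets arrive "
                     f"from {sel['right_host']}: peer is behind NAT")
    if 4500 in (sel['left_port'], sel['right_port']):
        notes.append("UDP 4500 in use: NAT-T encapsulation is active")
    return notes


if __name__ == '__main__':
    fields = parse_selector(LOG_LINE)
    for line in nat_observations(fields) + check_against_conn(fields, CONN):
        print(line)
```

Run it against your own log by replacing LOG_LINE and CONN; with the values from this post it lists the NAT observations and exactly one uncovered part: the peer proposed the gateway's public address 86.194.205.27/32 as the left client, while the conn, having no leftsubnet, only offers 192.168.1.250/32. The remaining three checks (UDP 1701 on the gateway, any UDP port and any client subnet on the peer) pass.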