[strongSwan] IPAD via NATed firewall doesn't work
Andreas Steffen
andreas.steffen at strongswan.org
Sun Feb 6 19:12:44 CET 2011
Hello Uli,
why does the peer want to access 86.194.205.27/32
behind strongSwan gateway 192.168.1.250?
Regards
Andreas
On 06.02.2011 18:50, Uli Joergens wrote:
> Hello
>
> I'm trying to configure strongSwan for accessing my home network with my
> iPad.
>
> I do manage to build up the VPN tunnel within the WLAN with the
> ipsec.conf below.
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         # IKEv1 NAT traversal (RFC 3947, UDP 4500)
>         nat_traversal=yes
>         # IKEv1 only: pluto runs, the IKEv2 daemon charon does not
>         charonstart=no
>         plutostart=yes
>
> conn L2TP
>         authby=psk
>         keyexchange=ikev1
>         pfs=no
>         rekey=no
>         type=tunnel
>         esp=aes128-sha1
>         ike=aes128-sha-modp1024
>         # gateway LAN address; without leftsubnet only this host is offered
>         left=192.168.1.250
>         # L2TP over UDP on the gateway side
>         leftprotoport=17/1701
>         # any peer address, L2TP from any peer port
>         right=%any
>         rightprotoport=17/%any
>         # accept whatever client net the peer proposes
>         rightsubnetwithin=0.0.0.0/0
>         auto=add
>
> As soon as I try to access through the internet (dynamic IP address via
> dyndns), I get the following error message: "cannot respond to IPsec SA
> request because no connection is known for" (see log below):
>
> Feb 6 18:45:43 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: responding to Main Mode from unknown peer 193.247.250.41:397
> Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: NAT-Traversal: Result using RFC 3947: both are NATed
> Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: Peer ID is ID_IPV4_ADDR: '10.165.74.84'
> Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:397 #5: deleting connection "L2TP" instance with peer 193.247.250.41 {isakmp=#0/ipsec=#0}
> Feb 6 18:45:44 webfrontend pluto[26687]: | NAT-T: new mapping 193.247.250.41:397/18954)
> Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: sent MR3, ISAKMP SA established
> Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32}
> Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: sending encrypted notification INVALID_ID_INFORMATION to 193.247.250.41:18954
> Feb 6 18:45:48 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1e7f53a7 (perhaps this is a duplicated packet)
>
> My setup looks like the following:
>
> iPad -> 3G -> MyDomain.dyndns.org -> DIR-855 internet gateway
> (192.168.1.1) -> VPN gateway (192.168.1.250) -> LAN / WLAN 192.168.1.0
>
> I tried all sorts of combinations, including the NATed iPad address as
> parameter "right" (as well as the parameters rightsubnet and
> rightsubnetwithin), but it doesn't change anything. I presume I got
> something fundamentally wrong...
>
> Did anybody manage to get VPN up and running in a similar configuration?
>
> Regards
>
> Uli
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
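The proposal that pluto rejects in the quoted log can be taken apart term by term and held against the conn that is loaded, which is the check behind the question above. The script below is an added example written for this page, not strongSwan code and not something posted in the thread. The conn text and the rejected log line are copied from Uli's post; the second, LAN-side SA description (WLAN_DESC) is constructed; and the matching rules it encodes (no leftsubnet means only the gateway address is offered, rightsubnetwithin must contain the peer's client net, %any matches anything, rightsubnet is an exact match) are the assumptions it makes about pluto's connection lookup.

```python
"""Check a pluto "no connection is known for" proposal against an ipsec.conf conn.

Added example (not strongSwan code): it splits the SA description that pluto
prints into its terms and compares each one with the conn the gateway loaded,
so the term that stops the connection from matching is named rather than guessed.
"""
import ipaddress
import re

# The conn from the thread, reduced to the settings that take part in matching.
SAMPLE_CONF = """\
conn L2TP
    authby=psk
    keyexchange=ikev1
    type=tunnel
    left=192.168.1.250
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add
"""

# The pluto log line from the thread, joined into one string.
SAMPLE_LOG = (
    'Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 '
    '#5: cannot respond to IPsec SA request because no connection is known for '
    '86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701'
    '...193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32}'
)

# Constructed SA description (not from the thread) for a peer on the LAN that
# asks only for the gateway address itself, which the conn above does cover.
WLAN_DESC = ('192.168.1.250:500[192.168.1.250]:17/1701'
             '...192.168.1.23:500[192.168.1.23]:17/1701==={192.168.1.23/32}')

# One end of pluto's description: host:port[id]:proto/port
_END = (r'(?P<{p}host>[0-9.]+):(?P<{p}port>\d+)\[(?P<{p}id>[^\]]*)\]'
        r':(?P<{p}proto>\d+)/(?P<{p}pport>[^./=]+)')
# Whole description: [leftclient===]left...right[==={rightclient}]
_DESC_RE = re.compile(
    r'^(?:\{?(?P<lsub>[^=]+?)\}?===)?' + _END.format(p='l') +
    r'\.\.\.' + _END.format(p='r') +
    r'(?:===\{?(?P<rsub>[^=]+?)\}?)?$')

_WILD = {'%any', '0', ''}   # values pluto treats as "anything" (assumption)


def parse_conn(text, name):
    """Return the key=value settings of conn `name` from ipsec.conf text."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line.startswith('conn '):
            current = line.split(None, 1)[1]
        elif current == name and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            conf[key] = value
    return conf


def parse_proposal(line):
    """Split the SA description (the text after 'known for') into its terms."""
    m = re.search(r'known for\s+(\S+)', line)
    desc = m.group(1) if m else line.strip()
    m = _DESC_RE.fullmatch(desc)
    if m is None:
        raise ValueError('unrecognised SA description: ' + desc)
    p = m.groupdict()
    # Without an explicit client net, the client is the host itself.
    p['lsub'] = p['lsub'] or p['lhost'] + '/32'
    p['rsub'] = p['rsub'] or p['rhost'] + '/32'
    return p


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def _protoport_ok(conf_pp, proto, port):
    """leftprotoport/rightprotoport value vs. the proto/port in the proposal."""
    cproto, _, cport = conf_pp.partition('/')
    return ((cproto in _WILD or cproto == proto)
            and (cport in _WILD or cport == port))


def check_proposal(conf, line):
    """Return the list of proposal terms that the conn does not cover."""
    p = parse_proposal(line)
    problems = []
    # Gateway side: with no leftsubnet, pluto offers only its own address.
    want_left = conf.get('leftsubnet', p['lhost'] + '/32')
    if not _net(p['lsub']).subnet_of(_net(want_left)):
        problems.append(f"left subnet {p['lsub']} is not within {want_left}")
    lpp = conf.get('leftprotoport', '%any/%any')
    if not _protoport_ok(lpp, p['lproto'], p['lpport']):
        problems.append(f"left protoport {p['lproto']}/{p['lpport']} does not match leftprotoport={lpp}")
    # Peer side.
    right = conf.get('right', '%any')
    if right not in _WILD and right != p['rhost']:
        problems.append(f"right host {p['rhost']} is not right={right}")
    if 'rightid' in conf and conf['rightid'] != p['rid']:
        problems.append(f"right ID {p['rid']} is not rightid={conf['rightid']}")
    rpp = conf.get('rightprotoport', '%any/%any')
    if not _protoport_ok(rpp, p['rproto'], p['rpport']):
        problems.append(f"right protoport {p['rproto']}/{p['rpport']} does not match rightprotoport={rpp}")
    if 'rightsubnet' in conf:          # exact client net
        want_right, ok = conf['rightsubnet'], _net(p['rsub']) == _net(conf['rightsubnet'])
    else:                              # rightsubnetwithin, or the peer host itself
        want_right = conf.get('rightsubnetwithin', p['rhost'] + '/32')
        ok = _net(p['rsub']).subnet_of(_net(want_right))
    if not ok:
        problems.append(f"right subnet {p['rsub']} is not within {want_right}")
    return problems


if __name__ == '__main__':
    conn = parse_conn(SAMPLE_CONF, 'L2TP')
    for desc in (SAMPLE_LOG, WLAN_DESC):
        print(check_proposal(conn, desc) or ['proposal is covered by conn L2TP'])
```

For the 3G log line the only term reported is the gateway-side client net: the peer asks for 86.194.205.27/32 while conn L2TP, having no leftsubnet, covers only 192.168.1.250/32; every other term (protoports, %any peer, the 10.165.74.84/32 client inside rightsubnetwithin) is accepted. The constructed LAN-side description returns an empty list, which is the WLAN case that works in the post.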