[strongSwan] IPAD via NATed firewall doesn't work

Uli Joergens uli.joergens at orange.fr
Sun Feb 6 22:08:15 CET 2011


Hello Andreas

Thanks for the rapid response!
86.194.205.27 is the public IP-address (dynamic) of my internet gateway. The
dyndns entry points to that address.
I guess that's where it all goes wrong but I can't really see how to
configure that with strongswan. I tried to put that address into the
right-parameter (plus the ipsec secrets) as well, but it doesn't change
anything. The Ipad is NATed (Sunrise) as well as my internet access.
Is it actually feasible that way?

Regards
Uli

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Sonntag, 6. Februar 2011 19:13
To: Uli Joergens
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] IPAD via NATed firewall doesn't work

Hello Uli,

why does the peer want to access 86.194.205.27/32
behind strongSwan gateway 192.168.1.250?

Regards

Andreas

On 06.02.2011 18:50, Uli Joergens wrote:
> Hello
> 
>  
> 
> I'm trying to configure strongswan for accessing my home network with my
> Ipad.
> 
> I do manage to build up the vpn tunnel within the WLAN with the
> ipsec.conf below.
> 
>  
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>         nat_traversal=yes
>         charonstart=no
>         plutostart=yes
> 
> conn L2TP
>         authby=psk
>         keyexchange=ikev1
>         pfs=no
>         rekey=no
>         type=tunnel
>         esp=aes128-sha1
>         ike=aes128-sha-modp1024
>         left=192.168.1.250
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/%any
>         rightsubnetwithin=0.0.0.0/0
>         auto=add
> 
>  
> 
> As soon as I try to access through the internet (dynamic IP-address via
> dyndns), I get the following error message ": cannot respond to IPsec SA
> request because no connection is known for" (see log below):
> 
>  
> 
> Feb  6 18:45:43 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397
> #5: responding to Main Mode from unknown peer 193.247.250.41:397
> 
> Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397
> #5: NAT-Traversal: Result using RFC 3947: both are NATed
> 
> Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397
> #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> 
> Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397
> #5: Peer ID is ID_IPV4_ADDR: '10.165.74.84'
> 
> Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:397
> #5: deleting connection "L2TP" instance with peer 193.247.250.41
> {isakmp=#0/ipsec=#0}
> 
> Feb  6 18:45:44 webfrontend pluto[26687]: | NAT-T: new mapping
> 193.247.250.41:397/18954)
> 
> Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954
> #5: sent MR3, ISAKMP SA established
> 
> Feb  6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954
> #5: cannot respond to IPsec SA request because no connection is known for
> 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32}
> 
> Feb  6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954
> #5: sending encrypted notification INVALID_ID_INFORMATION to
> 193.247.250.41:18954
> 
> Feb  6 18:45:48 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954
> #5: Quick Mode I1 message is unacceptable because it uses a previously
> used Message ID 0x1e7f53a7 (perhaps this is a duplicated packet)
> 
>  
> 
>  
> 
> My config looks the following:
> 
>  
> 
> Ipad -> 3G -> MyDomain.dyndns.org -> DIR-855 internet gateway
> (192.168.1.1) -> VPN-gateway (192.168.1.250) -> LAN / WLAN 192.168.1.0
> 
>  
> 
> I tried all sorts of combinations including the NATed Ipad address as
> parameter "right" (as well as the parameters rightsubnet,
> rightsubnetwithin) but it doesn't change anything. I presume I got
> something fundamentally wrong.
> 
> Did anybody manage to get VPN up and running in a similar configuration?
> 
>  
> 
> Regards
> 
> Uli

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
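
The descriptor pluto prints after "no connection is known for" is its dump of the connection it would have needed to answer the Quick Mode request. As an added example (not part of this thread and not strongSwan's own code), the Python script below parses that descriptor, re-joined onto one line from the wrapped log, and compares it with the conn from the quoted ipsec.conf. The field layout (`client===host:port[id]:proto/port...host:port[id]:proto/port==={client}`) is read off the log line itself rather than from strongSwan documentation, the `CONN` dictionary is a hypothetical representation of the quoted conn, and the rule that a conn without `leftsubnet` covers only the gateway address itself is an assumption stated in the code.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the descriptor pluto printed after "no connection is
# known for" in the quoted log, re-joined onto one line (the mail wrapped it).
SAMPLE = (
    "86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701"
    "...193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32}"
)

# The conn "L2TP" from the quoted ipsec.conf as a dict (hypothetical layout).
CONN = {
    "left": "192.168.1.250",
    "leftsubnet": None,            # not set in the quoted config
    "leftprotoport": "17/1701",
    "right": "%any",
    "rightprotoport": "17/%any",
    "rightsubnetwithin": "0.0.0.0/0",
}

# host:port[id]:proto/port  -- the per-end layout seen in the descriptor
END_RE = re.compile(
    r"(?P<host>[0-9.]+):(?P<port>\d+)\[(?P<id>[^\]]*)\]"
    r":(?P<proto>\d+)/(?P<pport>%any|\d+)$"
)


def parse_end(text, side):
    """Split one end into host/ID/port fields plus its client subnet.

    The left end reads  client===host...,  the right end  host==={client}.
    """
    if side == "left":
        client, sep, end = text.rpartition("===")
    else:
        end, sep, client = text.partition("===")
    if not sep:
        client = ""
    m = END_RE.match(end)
    if m is None:
        raise ValueError(f"unrecognised {side} end: {end!r}")
    fields = m.groupdict()
    # pluto wraps the right-hand subnet in braces; keep only the network
    fields["client"] = client.strip("{}") or None
    return fields


def parse_descriptor(desc):
    """Return {'left': {...}, 'right': {...}} for one descriptor line."""
    left_text, sep, right_text = desc.partition("...")
    if not sep:
        raise ValueError("descriptor lacks the '...' separating the two ends")
    return {"left": parse_end(left_text, "left"),
            "right": parse_end(right_text, "right")}


def diagnose(desc, conn):
    """List the mismatches between the peer's request and the conn."""
    d = parse_descriptor(desc)
    findings = []
    # Assumption: with no leftsubnet, the conn covers only the gateway address.
    offered = ip_network(conn["leftsubnet"] or f"{conn['left']}/32")
    wanted = d["left"]["client"]
    if wanted and ip_network(wanted) != offered:
        findings.append(
            f"peer wants left selector {wanted} but conn offers {offered}")
    if d["left"]["proto"] + "/" + d["left"]["pport"] != conn["leftprotoport"]:
        findings.append("leftprotoport differs from the requested one")
    # A private peer ID arriving from a public source address means the peer
    # sits behind NAT, which matches the "both are NATed" log line.
    rid, rhost = d["right"]["id"], d["right"]["host"]
    try:
        if ip_address(rid).is_private and not ip_address(rhost).is_private:
            findings.append(
                f"peer ID {rid} is a private address sent from {rhost}: peer is NATed")
    except ValueError:
        pass  # ID is not an address (FQDN, e-mail); nothing to compare
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE, CONN):
        print(line)
```

Run against the quoted log, the script reports that the peer asks for the public gateway address 86.194.205.27/32 as the left selector while the conn only offers 192.168.1.250/32, which is exactly the question Andreas raised, and that the peer ID 10.165.74.84 is a private address behind the public source 193.247.250.41.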




