[strongSwan] IPAD via NATed firewall doesn't work
Uli Joergens
uli.joergens at orange.fr
Tue Feb 8 20:51:10 CET 2011
Hello, I’m back again...
I recompiled strongswan with that option and I set up the configuration according to that guide. NAT traversal seems to be O.K. (as it was actually with the SuSe strongswan package).
Unfortunately it still throws the same error message: “cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}”
I don’t quite understand what Pluto is trying to do there and what information is missing for finding the connection. It looks like it already found the connection “L2TP”.
Any ideas what’s going wrong there?
Here the logfile again:
Feb 8 20:21:15 webfrontend ipsec_starter[28321]: Starting strongSwan 4.5.0 IPsec [starter]...
Feb 8 20:21:16 webfrontend pluto[28330]: Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS VENDORID
Feb 8 20:21:16 webfrontend pluto[28330]: listening on interfaces:
Feb 8 20:21:16 webfrontend pluto[28330]: eth0
Feb 8 20:21:16 webfrontend pluto[28330]: 192.168.1.250
Feb 8 20:21:16 webfrontend pluto[28330]: fe80::20c:29ff:fe60:14ef
Feb 8 20:21:16 webfrontend ipsec_starter[28329]: pluto (28330) started after 20 ms
Feb 8 20:21:16 webfrontend pluto[28330]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
Feb 8 20:21:16 webfrontend pluto[28330]: including NAT-Traversal patch (Version 0.6c)
Feb 8 20:21:16 webfrontend charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
Feb 8 20:21:16 webfrontend charon: 00[KNL] listening on interfaces:
Feb 8 20:21:16 webfrontend charon: 00[KNL] eth0
Feb 8 20:21:16 webfrontend charon: 00[KNL] 192.168.1.250
Feb 8 20:21:16 webfrontend charon: 00[KNL] fe80::20c:29ff:fe60:14ef
Feb 8 20:21:16 webfrontend charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Feb 8 20:21:16 webfrontend charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Feb 8 20:21:16 webfrontend charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Feb 8 20:21:16 webfrontend charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Feb 8 20:21:16 webfrontend charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Feb 8 20:21:16 webfrontend charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Feb 8 20:21:16 webfrontend charon: 00[CFG] loaded IKE secret for 192.168.1.250 %any
Feb 8 20:21:16 webfrontend charon: 00[CFG] loaded IKE secret for 192.168.1.250 193.247.250.19
Feb 8 20:21:16 webfrontend charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
Feb 8 20:21:16 webfrontend charon: 00[JOB] spawning 16 worker threads
Feb 8 20:21:16 webfrontend ipsec_starter[28329]: charon (28331) started after 60 ms
Feb 8 20:21:16 webfrontend charon: 06[CFG] received stroke: add connection 'L2TP'
Feb 8 20:21:16 webfrontend charon: 06[CFG] added configuration 'L2TP'
Feb 8 20:21:16 webfrontend pluto[28330]: loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Feb 8 20:21:16 webfrontend pluto[28330]: loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Feb 8 20:21:16 webfrontend pluto[28330]: loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Feb 8 20:21:16 webfrontend pluto[28330]: Changing to directory '/usr/local/etc/ipsec.d/crls'
Feb 8 20:21:16 webfrontend pluto[28330]: loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Feb 8 20:21:16 webfrontend pluto[28330]: spawning 4 worker threads
Feb 8 20:21:16 webfrontend pluto[28330]: listening for IKE messages
Feb 8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 192.168.1.250:500
Feb 8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 192.168.1.250:4500
Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.2:500
Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.2:4500
Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.1:500
Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.1:4500
Feb 8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo ::1:500
Feb 8 20:21:16 webfrontend pluto[28330]: loading secrets from "/usr/local/etc/ipsec.secrets"
Feb 8 20:21:16 webfrontend pluto[28330]: loaded PSK secret for 192.168.1.250 %any
Feb 8 20:21:16 webfrontend pluto[28330]: loaded PSK secret for 192.168.1.250 193.247.250.19
Feb 8 20:21:16 webfrontend pluto[28330]: added connection description "L2TP"
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: received Vendor ID payload [RFC 3947]
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb 8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: received Vendor ID payload [Dead Peer Detection]
Feb 8 20:21:27 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: responding to Main Mode from unknown peer 193.247.250.15:141
Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: Peer ID is ID_IPV4_ADDR: '10.114.236.80'
Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:141 #1: deleting connection "L2TP" instance with peer 193.247.250.15 {isakmp=#0/ipsec=#0}
Feb 8 20:21:28 webfrontend pluto[28330]: | NAT-T: new mapping 193.247.250.15:141/33096)
Feb 8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sent MR3, ISAKMP SA established
Feb 8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}
Feb 8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sending encrypted notification INVALID_ID_INFORMATION to 193.247.250.15:33096
Feb 8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6f7badea (perhaps this is a duplicated packet)
Feb 8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sending encrypted notification INVALID_MESSAGE_ID to 193.247.250.15:33096
From: Martin Lambev [mailto:fsh3mve at gmail.com]
Sent: Monday, 7 February 2011 16:28
To: Uli Joergens
Subject: Re: [strongSwan] IPAD via NATed firewall doesn't work
There is a really good copy/paste guide for strongSwan & iPhone, iPad, Mac here: <http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/>
You need to build strongSwan from source with --enable-nat-transport, otherwise it will not work.
Here is a note <http://blog.windfluechter.net/archives/916-StrongSwan-and-L2TPIPsec-on-Debian.html> about a security issue you need to know about when enabling that feature.
And you do not need dyndns for your iPad; it will work without one, only for your router is enough.
But in case you ever need it, there is a dyndns client for iPad/iPhone in the App Store.
However, I did not try either of these because I do not have an iDevice.
Best regards,
Martin
On 02/07/2011 03:15 PM, Uli Joergens wrote:
Hi Martin
Thanks a lot for your suggestions. I'll give the internet café a try, just to make sure it's not Sunrise causing problems with their NAT.
I don't think the iPad supports dyndns, otherwise I would try that as well. I'll have a look.
Regards
Uli
On 07.02.2011, at 00:51, Martin Lambew <fsh3mve at gmail.com> wrote:
Hi Uli,
Did you try to connect to your IPsec tunnel from the internet, but not over 3G, for example from an internet café etc.?
I assume that your mydomain.dyndns.org is for your DIR-855 Internet GW? If that is true, why not try the following setup:
IPad<>ipad.dyndns.org<>mydomain.dyndns.org<>dr-855.... etc..
conn L2TP
left=mydomain.dyndns.org
leftnexthop=%defaultroute
leftsubnet=192.168.1.250/255.255.255.0
leftfirewall=yes
#lefthostaccess=yes
right=ipad.dyndns.org
rightsubnet=%Any
rightnexthop=%defaultroute
.....
Regards,
Martin
--
Sent from mobile location
----- Original message -----
> Hello Andreas
>
> Thanks for the rapid response!
> 86.194.205.27 is the public IP-address (dynamic) of my internet gateway.
> The dyndns entry points to that address.
> I guess that's where it all goes wrong but I can't really see how to
> configure that with strongswan. I tried to put that address into the
> right-parameter (plus the ipsec secrets) as well, but it doesn't change
> anything. The Ipad is NATed (Sunrise) as well as my internet access.
> Is it actually feasible that way?
>
> Regards
> Uli
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Sunday, 6 February 2011 19:13
> To: Uli Joergens
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] IPAD via NATed firewall doesn't work
>
> Hello Uli,
>
> why does the peer want to access 86.194.205.27/32
> behind strongSwan gateway 192.168.1.250?
>
> Regards
>
> Andreas
>
> On 06.02.2011 18:50, Uli Joergens wrote:
> > Hello
> >
> >
> >
> > I'm trying to configure strongswan for accessing my home network with
> > my Ipad.
> >
> > I do manage to build up the vpn tunnel within the WLAN with the
> > ipsec.conf below.
> >
> >
> >
> > # ipsec.conf - strongSwan IPsec configuration file
> >
> > # basic configuration
> >
> > config setup
> >     nat_traversal=yes
> >     charonstart=no
> >     plutostart=yes
> >
> > conn L2TP
> >     authby=psk
> >     keyexchange=ikev1
> >     pfs=no
> >     rekey=no
> >     type=tunnel
> >     esp=aes128-sha1
> >     ike=aes128-sha-modp1024
> >     left=192.168.1.250
> >     leftprotoport=17/1701
> >     right=%any
> >     rightprotoport=17/%any
> >     rightsubnetwithin=0.0.0.0/0
> >     auto=add
> >
> > As soon as I try to access through the internet (dynamic IP-address via
> > dyndns), I get the following error message ": cannot respond to IPsec
> > SA request because no connection is known for" (see log below):
> >
> >
> >
> > Feb 6 18:45:43 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: responding to Main Mode from unknown peer 193.247.250.41:397
> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: NAT-Traversal: Result using RFC 3947: both are NATed
> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: Peer ID is ID_IPV4_ADDR: '10.165.74.84'
> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:397 #5: deleting connection "L2TP" instance with peer 193.247.250.41 {isakmp=#0/ipsec=#0}
> > Feb 6 18:45:44 webfrontend pluto[26687]: | NAT-T: new mapping 193.247.250.41:397/18954)
> > Feb 6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: sent MR3, ISAKMP SA established
> > Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32}
> > Feb 6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: sending encrypted notification INVALID_ID_INFORMATION to 193.247.250.41:18954
> > Feb 6 18:45:48 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1e7f53a7 (perhaps this is a duplicated packet)
> >
> > My setup looks like the following:
> >
> >
> >
> > Ipad -> 3G -> MyDomain.dyndns.org -> DIR-855 internet gateway
> > (192.168.1.1) -> VPN-gateway (192.168.1.250) -> LAN / WLAN 192.168.1.0
> >
> >
> >
> > I tried all sorts of combinations including the NATed Ipad address as
> > parameter "right" (as well as the parameters rightsubnet,
> > rightsubnetwithin) but it doesn't change anything. I presume I got
> > something fundamentally wrong.
> >
> > Did anybody manage to get VPN up and running in a similar
> > configuration?
> >
> >
> >
> > Regards
> >
> > Uli
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
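The conn posted at the start of this thread uses type=tunnel, while the guide Martin links configures L2TP/IPsec in transport mode, which is what the Apple L2TP client negotiates, and the thread says that transport mode through a NAT needs a strongSwan built with --enable-nat-transport. The fragment below is an added example, not from the thread, the linked guide or strongSwan's own documentation: it places the thread's conn next to the same conn rewritten for transport mode so the single differing setting is visible. Whether transport mode clears the 86.194.205.27/32 mismatch for a gateway that is itself behind the DIR-855's NAT is an assumption that would have to be tested on this setup; the thread does not report a result.

```ini
# Added example (ipsec.conf, strongSwan 4.x / pluto), not the thread's own fix.
# Same global section as the thread.
config setup
    nat_traversal=yes
    charonstart=no
    plutostart=yes

# 1) The conn as posted in the thread: tunnel mode.  The iPad's Quick Mode
#    proposal (17/1701 on the gateway, 17/any on the client, gateway named
#    by its public address) was rejected with "no connection is known for".
conn L2TP-as-posted
    authby=psk
    keyexchange=ikev1
    pfs=no
    rekey=no
    type=tunnel
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    left=192.168.1.250
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add

# 2) Transport mode, the L2TP/IPsec form the linked guide uses.  Requires a
#    pluto built with --enable-nat-transport when either side is NATed
#    (assumption: that this is enough for a responder behind NAT as well).
#    leftprotoport=17/1701 keeps the SA limited to the L2TP port, so the
#    only thing a client behind the NAT can reach through it is the L2TP
#    daemon, which still runs its own PPP authentication.
conn L2TP
    authby=psk
    keyexchange=ikev1
    pfs=no
    rekey=no
    type=transport
    esp=aes128-sha1
    ike=aes128-sha-modp1024
    left=192.168.1.250
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add
```

Only one of the two conns should be loaded at a time (both use right=%any and the same protoports, so pluto would have to choose between them). The second link in Martin's reply covers the security caveat of nat-transport; the leftprotoport restriction above is the part of the thread's own configuration that limits the exposure.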