[strongSwan] IPAD via NATed firewall doesn't work

Benoit Foucher benoit at bittrap.com
Tue Feb 8 23:20:54 CET 2011


Hi Uli

I wasn't able to get the connection working with my iPhone or iPad when there are 2 NATs to go through. I believe I was able to get a bit further than you in the connection establishment process, however. See my configuration in the emails from the list archive here:

   https://lists.strongswan.org/pipermail/users/2010-December/005692.html

Also see this thread:  

    https://lists.strongswan.org/pipermail/users/2010-December/005721.html

The problem seems to be a bug in the racoon OS X implementation. Unfortunately, I didn't get time to look more into it or report it to the appropriate parties...

Benoit.

On Feb 8, 2011, at 8:51 PM, Uli Joergens wrote:

> Hello, I’m back again...
>  
> I recompiled strongswan with that option and I set up the configuration according to that guide. NAT traversal seems to be O.K. (as it was actually with the SuSe strongswan package).
> Unfortunately it still throws the same error message: “cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}“
>  
> I don’t quite understand what Pluto is trying to do there and what information is missing for finding the connection. It looks like it already found the connection “L2TP”.
> Any ideas what’s going wrong there?
>  
>  
> Here the logfile again:
>  
> Feb  8 20:21:15 webfrontend ipsec_starter[28321]: Starting strongSwan 4.5.0 IPsec [starter]...
> Feb  8 20:21:16 webfrontend pluto[28330]: Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS VENDORID
> Feb  8 20:21:16 webfrontend pluto[28330]: listening on interfaces:
> Feb  8 20:21:16 webfrontend pluto[28330]:   eth0
> Feb  8 20:21:16 webfrontend pluto[28330]:     192.168.1.250
> Feb  8 20:21:16 webfrontend pluto[28330]:     fe80::20c:29ff:fe60:14ef
> Feb  8 20:21:16 webfrontend ipsec_starter[28329]: pluto (28330) started after 20 ms
> Feb  8 20:21:16 webfrontend pluto[28330]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> Feb  8 20:21:16 webfrontend pluto[28330]:   including NAT-Traversal patch (Version 0.6c)
> Feb  8 20:21:16 webfrontend charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
> Feb  8 20:21:16 webfrontend charon: 00[KNL] listening on interfaces:
> Feb  8 20:21:16 webfrontend charon: 00[KNL]   eth0
> Feb  8 20:21:16 webfrontend charon: 00[KNL]     192.168.1.250
> Feb  8 20:21:16 webfrontend charon: 00[KNL]     fe80::20c:29ff:fe60:14ef
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Feb  8 20:21:16 webfrontend charon: 00[CFG]   loaded IKE secret for 192.168.1.250 %any
> Feb  8 20:21:16 webfrontend charon: 00[CFG]   loaded IKE secret for 192.168.1.250 193.247.250.19
> Feb  8 20:21:16 webfrontend charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> Feb  8 20:21:16 webfrontend charon: 00[JOB] spawning 16 worker threads
> Feb  8 20:21:16 webfrontend ipsec_starter[28329]: charon (28331) started after 60 ms
> Feb  8 20:21:16 webfrontend charon: 06[CFG] received stroke: add connection 'L2TP'
> Feb  8 20:21:16 webfrontend charon: 06[CFG] added configuration 'L2TP'
> Feb  8 20:21:16 webfrontend pluto[28330]: loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Feb  8 20:21:16 webfrontend pluto[28330]: loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Feb  8 20:21:16 webfrontend pluto[28330]: loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Feb  8 20:21:16 webfrontend pluto[28330]: Changing to directory '/usr/local/etc/ipsec.d/crls'
> Feb  8 20:21:16 webfrontend pluto[28330]: loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Feb  8 20:21:16 webfrontend pluto[28330]: spawning 4 worker threads
> Feb  8 20:21:16 webfrontend pluto[28330]: listening for IKE messages
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 192.168.1.250:500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 192.168.1.250:4500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.2:500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.2:4500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.1:500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.1:4500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo ::1:500
> Feb  8 20:21:16 webfrontend pluto[28330]: loading secrets from "/usr/local/etc/ipsec.secrets"
> Feb  8 20:21:16 webfrontend pluto[28330]:   loaded PSK secret for 192.168.1.250 %any
> Feb  8 20:21:16 webfrontend pluto[28330]:   loaded PSK secret for 192.168.1.250 193.247.250.19
> Feb  8 20:21:16 webfrontend pluto[28330]: added connection description "L2TP"
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: received Vendor ID payload [RFC 3947]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: received Vendor ID payload [Dead Peer Detection]
> Feb  8 20:21:27 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: responding to Main Mode from unknown peer 193.247.250.15:141
> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: NAT-Traversal: Result using RFC 3947: both are NATed
> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: Peer ID is ID_IPV4_ADDR: '10.114.236.80'
> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:141 #1: deleting connection "L2TP" instance with peer 193.247.250.15 {isakmp=#0/ipsec=#0}
> Feb  8 20:21:28 webfrontend pluto[28330]: | NAT-T: new mapping 193.247.250.15:141/33096)
> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sent MR3, ISAKMP SA established
> Feb  8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}
> Feb  8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sending encrypted notification INVALID_ID_INFORMATION to 193.247.250.15:33096
> Feb  8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6f7badea (perhaps this is a duplicated packet)
> Feb  8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sending encrypted notification INVALID_MESSAGE_ID to 193.247.250.15:33096
>  
>  
> From: Martin Lambev [mailto:fsh3mve at gmail.com] 
> Sent: Monday, 7 February 2011 16:28
> To: Uli Joergens
> Subject: Re: [strongSwan] IPAD via NATed firewall doesn't work
>  
> There is a really good copy/paste guide for strongSwan & iPhone, iPad, Mac here;
> you need to build strongSwan from source with --enable-nat-transport, otherwise it will not work.
> Here is a note you need to know about the security issue with enabling that feature.
> 
> And you do not need dyndns for your iPad; it will work without one, only your router needs it.
> But in case you ever need it, there is a dyndns client for iPad/iPhone in the Apple App Store.
> 
> However, I did not try either of these because I do not have an iDevice.
> 
> Best regards,
> Martin  
> 
> On 02/07/2011 03:15 PM, Uli Joergens wrote:
> Hi Martin
>  
> Thanks a lot for your suggestions. I'll give the internet café a try, just to make sure it's not sunrise causing problems with their NAT.
> I don't think the Ipad supports dyndns otherwise I would try that as well. I'll have a look.
>  
> Regards
> Uli
>  
> 
> 
> On 07.02.2011, at 00:51, Martin Lambew <fsh3mve at gmail.com> wrote:
> 
> Hi Uli, 
> 
> Did you try to connect to your IPsec tunnel from the internet but not over 3G, for example from an internet café etc.? 
> 
> I assume that your mydomain.dyndns.org is for your DIR-855 Internet GW? If that is true, why not try the following setup: 
> iPad<>ipad.dyndns.org<>mydomain.dyndns.org<>dir-855.... etc.. 
> 
> conn L2TP 
>     left=mydomain.dyndns.org 
>     leftnexthop=%defaultroute 
>     leftsubnet=192.168.1.250/255.255.255.0 
>     leftfirewall=yes 
>     #lefthostaccess=yes 
>     right=ipad.dyndns.org 
>     rightsubnet=%Any 
>     rightnexthop=%defaultroute 
>     ..... 
> Regards, 
> 
> Martin 
> 
> -- 
> Sent from mobile location 
> 
> ----- Original message ----- 
> > Hello Andreas 
> > 
> > Thanks for the rapid response! 
> > 86.194.205.27 is the public IP-address (dynamic) of my internet gateway. 
> > The dyndns entry points to that address. 
> > I guess that's where it all goes wrong but I can't really see how to 
> > configure that with strongswan. I tried to put that address into the 
> > right-parameter (plus the ipsec secrets) as well, but it doesn't change 
> > anything. The Ipad is NATed (Sunrise) as well as my internet access. 
> > Is it actually feasible that way? 
> > 
> > Regards 
> > Uli 
> > 
> > -----Original Message----- 
> > From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
> > Sent: Sunday, 6 February 2011 19:13 
> > To: Uli Joergens 
> > Cc: users at lists.strongswan.org 
> > Subject: Re: [strongSwan] IPAD via NATed firewall doesn't work 
> > 
> > Hello Uli, 
> > 
> > why does the peer want to access 86.194.205.27/32 
> > behind strongSwan gateway 192.168.1.250? 
> > 
> > Regards 
> > 
> > Andreas 
> > 
> > On 06.02.2011 18:50, Uli Joergens wrote: 
> > > Hello 
> > > 
> > > 
> > > 
> > > I'm trying to configure strongswan for accessing my home network with 
> > > my Ipad. 
> > > 
> > > I do manage to build up the vpn tunnel within the WLAN with the 
> > > ipsec.conf below. 
> > > 
> > > 
> > > # ipsec.conf - strongSwan IPsec configuration file 
> > > 
> > > # basic configuration 
> > > 
> > > config setup 
> > >     nat_traversal=yes 
> > >     charonstart=no 
> > >     plutostart=yes 
> > > 
> > > conn L2TP 
> > >     authby=psk 
> > >     keyexchange=ikev1 
> > >     pfs=no 
> > >     rekey=no 
> > >     type=tunnel 
> > >     esp=aes128-sha1 
> > >     ike=aes128-sha-modp1024 
> > >     left=192.168.1.250 
> > >     leftprotoport=17/1701 
> > >     right=%any 
> > >     rightprotoport=17/%any 
> > >     rightsubnetwithin=0.0.0.0/0 
> > >     auto=add 
> > > 
> > > As soon as I try to access through the internet (dynamic IP-address via 
> > > dyndns), I get the following error message ": cannot respond to IPsec 
> > > SA request because no connection is known for" (see log below): 
> > > 
> > > 
> > > 
> > > Feb  6 18:45:43 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 
> > > #5: responding to Main Mode from unknown peer 193.247.250.41:397 
> > > 
> > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 
> > > #5: NAT-Traversal: Result using RFC 3947: both are NATed 
> > > 
> > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 
> > > #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT 
> > > 
> > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 
> > > #5: Peer ID is ID_IPV4_ADDR: '10.165.74.84' 
> > > 
> > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:397 
> > > #5: deleting connection "L2TP" instance with peer 193.247.250.41 
> > > {isakmp=#0/ipsec=#0} 
> > > 
> > > Feb  6 18:45:44 webfrontend pluto[26687]: | NAT-T: new mapping 
> > > 193.247.250.41:397/18954) 
> > > 
> > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 
> > > 193.247.250.41:18954 #5: sent MR3, ISAKMP SA established 
> > > 
> > > Feb  6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 
> > > 193.247.250.41:18954 #5: cannot respond to IPsec SA request because no 
> > > connection is known for 
> > > 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32} 
> > > 
> > > Feb  6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 
> > > 193.247.250.41:18954 #5: sending encrypted notification 
> > > INVALID_ID_INFORMATION to 193.247.250.41:18954 
> > > 
> > > Feb  6 18:45:48 webfrontend pluto[26687]: "L2TP"[7] 
> > > 193.247.250.41:18954 #5: Quick Mode I1 message is unacceptable because 
> > > it uses a previously used Message ID 0x1e7f53a7 (perhaps this is a 
> > > duplicated packet) 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > My config looks the following: 
> > > 
> > > 
> > > 
> > > Ipad -> 3G -> MyDomain.dyndns.org -> DIR-855 internet gateway 
> > > (192.168.1.1) -> VPN-gateway (192.168.1.250) -> LAN / WLAN 192.168.1.0 
> > > 
> > > 
> > > 
> > > I tried all sorts of combinations including the NATed Ipad address as 
> > > parameter "right" (as well as the parameters rightsubnet, 
> > > rightsubnetwithin) but it doesn't change anything. I presume I got 
> > > something fundamentally wrong. 
> > > 
> > > Did anybody manage to get VPN up and running in a similar 
> > > configuration? 
> > > 
> > > 
> > > 
> > > Regards 
> > > 
> > > Uli 
> > 
> > ====================================================================== 
> > Andreas Steffen                                                andreas.steffen at strongswan.org 
> > strongSwan - the Linux VPN Solution!                              www.strongswan.org 
> > Institute for Internet Technologies and Applications 
> > University of Applied Sciences Rapperswil 
> > CH-8640 Rapperswil (Switzerland) 
> > ===========================================================[ITA-HSR]== 
> > 
> > 
> > _______________________________________________ 
> > Users mailing list 
> > Users at lists.strongswan.org 
> > https://lists.strongswan.org/mailman/listinfo/users
> 
>  
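To make the "no connection is known for" line in the quoted log readable, here is an added example (not from the thread and not strongSwan's own code) that decodes pluto's connection spec into its two ends and compares it with the `conn L2TP` from Uli's ipsec.conf; the sample line is the one quoted above, and the reading of the brace notation as a virtual client subnet is an assumption.

```python
import ipaddress
import re
# Constructed sample: the pluto line quoted in the thread (strongSwan 4.5.0).
LOG_LINE = ('"L2TP"[2] 193.247.250.15:33096 #1: cannot respond to IPsec SA request '
            'because no connection is known for 86.194.205.27/32===192.168.1.250:4500'
            '[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any'
            '==={10.114.236.80/32}')
# The gateway's conn L2TP as posted in the thread; no leftsubnet means the host alone.
CONN = {"left": "192.168.1.250", "leftsubnet": None, "leftprotoport": "17/1701",
        "right": "%any", "rightsubnetwithin": "0.0.0.0/0", "rightprotoport": "17/%any"}
# Pluto prints each end as HOST:PORT[ID]:PROTO/PORT, joins the ends with "..." and
# hangs the protected subnets off the outside behind "===" (braces assumed to mean
# a virtual client subnet, i.e. one claimed from within rightsubnetwithin).
END_RE = re.compile(r"^(?P<host>[^:\[]+):(?P<port>\d+)\[(?P<id>[^\]]+)\]"
                    r":(?P<proto>\d+)/(?P<pport>\S+)$")
SPEC_RE = re.compile(r"no connection is known for (?P<lsub>\S+?)==="
                     r"(?P<left>.+?)\.\.\.(?P<right>.+?)==={(?P<rsub>[^}]+)}")

def parse_end(text, subnet):
    m = END_RE.match(text)
    if not m:
        raise ValueError("unparsable pluto end: " + text)
    return {"host": m["host"], "port": int(m["port"]), "id": m["id"],
            "protoport": m["proto"] + "/" + m["pport"], "subnet": ipaddress.ip_network(subnet)}

def parse_spec(line):
    m = SPEC_RE.search(line)  # returns (left_end, right_end) dicts
    if not m:
        raise ValueError("no pluto connection spec in line")
    return parse_end(m["left"], m["lsub"]), parse_end(m["right"], m["rsub"])

def protoport_matches(requested, configured):
    (rproto, rport), (cproto, cport) = requested.split("/"), configured.split("/")
    return rproto == cproto and cport in ("%any", rport)

def diagnose(line, conn):
    """List every way the requested SA differs from what the conn can offer."""
    left, right = parse_spec(line)
    want_left = ipaddress.ip_network(conn["leftsubnet"] or conn["left"] + "/32")
    within = ipaddress.ip_network(conn["rightsubnetwithin"])
    problems = []
    if left["subnet"] != want_left:
        problems.append(f"left subnet {left['subnet']} requested, conn offers {want_left}")
    if not protoport_matches(left["protoport"], conn["leftprotoport"]):
        problems.append(f"left protoport {left['protoport']} vs {conn['leftprotoport']}")
    if not right["subnet"].subnet_of(within):
        problems.append(f"right subnet {right['subnet']} outside {within}")
    if not protoport_matches(right["protoport"], conn["rightprotoport"]):
        problems.append(f"right protoport {right['protoport']} vs {conn['rightprotoport']}")
    return problems
```

On this line the only mismatch is the left subnet: the client asks for the gateway's public NAT address 86.194.205.27/32 as the protected network (the oddity Andreas's question points at), while the conn only knows 192.168.1.250.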
