[strongSwan] IPAD via NATed firewall doesn't work

Martin Lambev fsh3mve at gmail.com
Wed Feb 9 07:13:05 CET 2011


Hi Uli,
While I'm still fighting to get my strongSwan setup started and looking around,
I found something that could be useful to you:
another way round for iPhone (may also work on iPad) and strongSwan:
certificate-based auth. You can give them a try: here
<http://www.mail-archive.com/users@lists.strongswan.org/msg00798.html>
and here
<http://serverfault.com/questions/212382/how-to-set-up-strongswan-or-openswan-for-pure-ipsec-with-iphone-client>
with some additional help for certificate creation if you need it.

Michael Niehren reports success.

Best regards,
Martin

On 02/09/2011 06:20 AM, Benoit Foucher wrote:
> Hi Uli
>
> I wasn't able to get the connection working with my iPhone or iPad 
> when there's 2 NATs to go through. I believe I was able to go a bit 
> further than you in the connection establishment process however. See 
> my configuration in the emails from the list archive here:
>
> https://lists.strongswan.org/pipermail/users/2010-December/005692.html
>
> Also see this thread:
>
> https://lists.strongswan.org/pipermail/users/2010-December/005721.html
>
> The problem seems to be a bug in the raccoon OS X implementation. 
> Unfortunately, I didn't get time to look more into it or report it to 
> the appropriate parties...
>
> Benoit.
>
> On Feb 8, 2011, at 8:51 PM, Uli Joergens wrote:
>
>> Hello, I’m back again...
>> I recompiled strongswan with that option and I set up the 
>> configuration according to that guide. NAT traversal seems to be O.K. 
>> (as it was actually with the SuSe strongswan package).
>> Unfortunately it still throws the same error message: “cannot respond 
>> to IPsec SA request because no connection is known for 
>> 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}“
>> I don’t quite understand what Pluto is trying to do there and what 
>> information is missing for finding the connection. It looks like it 
>> already found the connection “L2TP”.
>> Any ideas what’s going wrong there?
>> Here the logfile again:
>> Feb  8 20:21:15 webfrontend ipsec_starter[28321]: Starting strongSwan 
>> 4.5.0 IPsec [starter]...
>> Feb  8 20:21:16 webfrontend pluto[28330]: Starting IKEv1 pluto daemon 
>> (strongSwan 4.5.0) THREADS VENDORID
>> Feb  8 20:21:16 webfrontend pluto[28330]: listening on interfaces:
>> Feb  8 20:21:16 webfrontend pluto[28330]:   eth0
>> Feb  8 20:21:16 webfrontend pluto[28330]:     192.168.1.250
>> Feb  8 20:21:16 webfrontend pluto[28330]:     fe80::20c:29ff:fe60:14ef
>> Feb  8 20:21:16 webfrontend ipsec_starter[28329]: pluto (28330) 
>> started after 20 ms
>> Feb  8 20:21:16 webfrontend pluto[28330]: loaded plugins: aes des 
>> sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr 
>> kernel-netlink resolve
>> Feb  8 20:21:16 webfrontend pluto[28330]:   including NAT-Traversal 
>> patch (Version 0.6c)
>> Feb  8 20:21:16 webfrontend charon: 00[DMN] Starting IKEv2 charon 
>> daemon (strongSwan 4.5.0)
>> Feb  8 20:21:16 webfrontend charon: 00[KNL] listening on interfaces:
>> Feb  8 20:21:16 webfrontend charon: 00[KNL]   eth0
>> Feb  8 20:21:16 webfrontend charon: 00[KNL]     192.168.1.250
>> Feb  8 20:21:16 webfrontend charon: 00[KNL]     fe80::20c:29ff:fe60:14ef
>> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading ca certificates 
>> from '/usr/local/etc/ipsec.d/cacerts'
>> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading aa certificates 
>> from '/usr/local/etc/ipsec.d/aacerts'
>> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading ocsp signer 
>> certificates from '/usr/local/etc/ipsec.d/ocspcerts'
>> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading attribute 
>> certificates from '/usr/local/etc/ipsec.d/acerts'
>> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading crls from 
>> '/usr/local/etc/ipsec.d/crls'
>> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading secrets from 
>> '/usr/local/etc/ipsec.secrets'
>> Feb  8 20:21:16 webfrontend charon: 00[CFG]   loaded IKE secret for 
>> 192.168.1.250 %any
>> Feb  8 20:21:16 webfrontend charon: 00[CFG]   loaded IKE secret for 
>> 192.168.1.250 193.247.250.19
>> Feb  8 20:21:16 webfrontend charon: 00[DMN] loaded plugins: aes des 
>> sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem fips-prf 
>> gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
>> Feb  8 20:21:16 webfrontend charon: 00[JOB] spawning 16 worker threads
>> Feb  8 20:21:16 webfrontend ipsec_starter[28329]: charon (28331) 
>> started after 60 ms
>> Feb  8 20:21:16 webfrontend charon: 06[CFG] received stroke: add 
>> connection 'L2TP'
>> Feb  8 20:21:16 webfrontend charon: 06[CFG] added configuration 'L2TP'
>> Feb  8 20:21:16 webfrontend pluto[28330]: loading ca certificates 
>> from '/usr/local/etc/ipsec.d/cacerts'
>> Feb  8 20:21:16 webfrontend pluto[28330]: loading aa certificates 
>> from '/usr/local/etc/ipsec.d/aacerts'
>> Feb  8 20:21:16 webfrontend pluto[28330]: loading ocsp certificates 
>> from '/usr/local/etc/ipsec.d/ocspcerts'
>> Feb  8 20:21:16 webfrontend pluto[28330]: Changing to directory 
>> '/usr/local/etc/ipsec.d/crls'
>> Feb  8 20:21:16 webfrontend pluto[28330]: loading attribute 
>> certificates from '/usr/local/etc/ipsec.d/acerts'
>> Feb  8 20:21:16 webfrontend pluto[28330]: spawning 4 worker threads
>> Feb  8 20:21:16 webfrontend pluto[28330]: listening for IKE messages
>> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 
>> 192.168.1.250:500
>> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 
>> 192.168.1.250:4500
>> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 
>> 127.0.0.2:500
>> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 
>> 127.0.0.2:4500
>> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 
>> 127.0.0.1:500
>> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 
>> 127.0.0.1:4500
>> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo ::1:500
>> Feb  8 20:21:16 webfrontend pluto[28330]: loading secrets from 
>> "/usr/local/etc/ipsec.secrets"
>> Feb  8 20:21:16 webfrontend pluto[28330]:   loaded PSK secret for 
>> 192.168.1.250 %any
>> Feb  8 20:21:16 webfrontend pluto[28330]:   loaded PSK secret for 
>> 192.168.1.250 193.247.250.19
>> Feb  8 20:21:16 webfrontend pluto[28330]: added connection 
>> description "L2TP"
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: received Vendor ID payload [RFC 3947]
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: ignoring Vendor ID payload 
>> [4df37928e9fc4fd1b3262170d515c662]
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: ignoring Vendor ID payload 
>> [8f8d83826d246b6fc7a8a6a428c11de8]
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: ignoring Vendor ID payload 
>> [439b59f8ba676c4c7737ae22eab8f582]
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: ignoring Vendor ID payload 
>> [4d1e0e136deafa34c4f3ea9f02ec7285]
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: ignoring Vendor ID payload 
>> [80d0bb3def54565ee84645d4c85ce3ee]
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: ignoring Vendor ID payload 
>> [9909b64eed937c6573de52ace952fa6b]
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: ignoring Vendor ID payload 
>> [draft-ietf-ipsec-nat-t-ike-03]
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: ignoring Vendor ID payload 
>> [draft-ietf-ipsec-nat-t-ike-02]
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: ignoring Vendor ID payload 
>> [draft-ietf-ipsec-nat-t-ike-02_n]
>> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 
>> 193.247.250.15:141: received Vendor ID payload [Dead Peer Detection]
>> Feb  8 20:21:27 webfrontend pluto[28330]: "L2TP"[1] 
>> 193.247.250.15:141 #1: responding to Main Mode from unknown peer 
>> 193.247.250.15:141
>> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 
>> 193.247.250.15:141 #1: NAT-Traversal: Result using RFC 3947: both are 
>> NATed
>> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 
>> 193.247.250.15:141 #1: ignoring informational payload, type 
>> IPSEC_INITIAL_CONTACT
>> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 
>> 193.247.250.15:141 #1: Peer ID is ID_IPV4_ADDR: '10.114.236.80'
>> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 
>> 193.247.250.15:141 #1: deleting connection "L2TP" instance with peer 
>> 193.247.250.15 {isakmp=#0/ipsec=#0}
>> Feb  8 20:21:28 webfrontend pluto[28330]: | NAT-T: new mapping 
>> 193.247.250.15:141/33096)
>> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 
>> 193.247.250.15:33096 #1: sent MR3, ISAKMP SA established
>> Feb  8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 
>> 193.247.250.15:33096 #1: cannot respond to IPsec SA request because 
>> no connection is known for 
>> 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}
>> Feb  8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 
>> 193.247.250.15:33096 #1: sending encrypted notification 
>> INVALID_ID_INFORMATION to 193.247.250.15:33096
>> Feb  8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 
>> 193.247.250.15:33096 #1: Quick Mode I1 message is unacceptable 
>> because it uses a previously used Message ID 0x6f7badea (perhaps this 
>> is a duplicated packet)
>> Feb  8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 
>> 193.247.250.15:33096 #1: sending encrypted notification 
>> INVALID_MESSAGE_ID to 193.247.250.15:33096
>> *From:*Martin Lambev [mailto:fsh3mve at gmail.com]
>> *Sent:*Montag, 7. Februar 2011 16:28
>> *To:*Uli Joergens
>> *Subject:*Re: [strongSwan] IPAD via NATed firewall doesn't work
>> There is a really good copy/paste guide for strongSwan & 
>> iPhone, iPad, Mac here: 
>> <http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/>
>> You need to build strongSwan from source with 
>> --enable-nat-transport, otherwise it will not work.
>> Here is a note 
>> <http://blog.windfluechter.net/archives/916-StrongSwan-and-L2TPIPsec-on-Debian.html> that 
>> you need to know about the security issue of enabling that feature.
>>
>> And you do not need dyndns for your iPad; it will work without one, 
>> having one only for your router is enough.
>> But in case you ever need it, there is a dyndns client for iPad/iPhone 
>> in the Apple App Store.
>>
>> However, I did not try either of these because I do not have an iDevice.
>>
>> Best regards,
>> Martin
>>
>> On 02/07/2011 03:15 PM, Uli Joergens wrote:
>> Hi Martin
>> Thanks a lot for your suggestions. I'll give the internet café a try, 
>> just to make sure it's not sunrise causing problems with their NAT.
>> I don't think the Ipad supports dyndns otherwise I would try that as 
>> well. I'll have a look.
>> Regards
>> Uli
>>
>>
>> On 07.02.2011, at 00:51, Martin Lambew <fsh3mve at gmail.com 
>> <mailto:fsh3mve at gmail.com>> wrote:
>>
>>     Hi Uli,
>>
>>     Did you try to connect to your IPsec tunnel from the internet, but
>>     not over 3G, for example from an internet café etc.?
>>
>>     I assume that your mydomain.dyndns.org
>>     <http://mydomain.dyndns.org> is for your DR-855 Internet GW? If
>>     that is true, why not try the following setup:
>>     iPad <> ipad.dyndns.org <> mydomain.dyndns.org <> DR-855 .... etc.
>>
>>     conn L2TP
>>     left=mydomain.dyndns.org
>>     leftnexthop=%defaultroute
>>     leftsubnet=192.168.1.250/255.255.255.0
>>     leftfirewall=yes
>>     #lefthostaccess=yes
>>     right=ipad.dyndns.org
>>     rightsubnet=%Any
>>     rightnexthop=%defaultroute
>>     .....
>>     Regards,
>>
>>     Martin
>>
>>     --
>>     Sent from mobile location
>>
>>     ----- Original message -----
>>     > Hello Andreas
>>     >
>>     > Thanks for the rapid response!
>>     > 86.194.205.27 is the public IP-address (dynamic) of my internet
>>     gateway.
>>     > The dyndns entry points to that address.
>>     > I guess that's where it all goes wrong but I can't really see
>>     how to
>>     > configure that with strongswan. I tried to put that address
>>     into the
>>     > right-parameter (plus the ipsec secrets) as well, but it
>>     doesn't change
>>     > anything. The Ipad is NATed (Sunrise) as well as my internet
>>     access.
>>     > Is it actually feasible that way?
>>     >
>>     > Regards
>>     > Uli
>>     >
>>     > -----Original Message-----
>>     > From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>>     > Sent: Sonntag, 6. Februar 2011 19:13
>>     > To: Uli Joergens
>>     > Cc:users at lists.strongswan.org <mailto:users at lists.strongswan.org>
>>     > Subject: Re: [strongSwan] IPAD via NATed firewall doesn't work
>>     >
>>     > Hello Uli,
>>     >
>>     > why does the peer want to access 86.194.205.27/32
>>     > behind strongSwan gateway 192.168.1.250?
>>     >
>>     > Regards
>>     >
>>     > Andreas
>>     >
>>     > On 06.02.2011 18:50, Uli Joergens wrote:
>>     > > Hello
>>     > >
>>     > >
>>     > >
>>     > > I'm trying to configure strongswan for accessing my home
>>     network with
>>     > > my Ipad.
>>     > >
>>     > > I do manage to build up the vpn tunnel within the WLAN with the
>>     > > ipsec.conf below.
>>     > >
>>     > >
>>     > >
>>     > > # ipsec.conf - strongSwan IPsec configuration file
>>     > >
>>     > > # basic configuration
>>     > >
>>     > > config setup
>>     > >     nat_traversal=yes
>>     > >     charonstart=no
>>     > >     plutostart=yes
>>     > >
>>     > > conn L2TP
>>     > >     authby=psk
>>     > >     keyexchange=ikev1
>>     > >     pfs=no
>>     > >     rekey=no
>>     > >     type=tunnel
>>     > >     esp=aes128-sha1
>>     > >     ike=aes128-sha-modp1024
>>     > >     left=192.168.1.250
>>     > >     leftprotoport=17/1701
>>     > >     right=%any
>>     > >     rightprotoport=17/%any
>>     > >     rightsubnetwithin=0.0.0.0/0
>>     > >     auto=add
>>     > >
>>     > >
>>     > >
>>     > > As soon as I try to access through the internet (dynamic
>>     IP-address via
>>     > > dyndns), I get the following error message ": cannot respond
>>     to IPsec
>>     > > SA request because no connection is known for" (see log below):
>>     > >
>>     > >
>>     > >
>>     > > Feb  6 18:45:43 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: responding to Main Mode from unknown peer 193.247.250.41:397
>>     > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: NAT-Traversal: Result using RFC 3947: both are NATed
>>     > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
>>     > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: Peer ID is ID_IPV4_ADDR: '10.165.74.84'
>>     > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:397 #5: deleting connection "L2TP" instance with peer 193.247.250.41 {isakmp=#0/ipsec=#0}
>>     > > Feb  6 18:45:44 webfrontend pluto[26687]: | NAT-T: new mapping 193.247.250.41:397/18954)
>>     > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: sent MR3, ISAKMP SA established
>>     > > Feb  6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32}
>>     > > Feb  6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: sending encrypted notification INVALID_ID_INFORMATION to 193.247.250.41:18954
>>     > > Feb  6 18:45:48 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1e7f53a7 (perhaps this is a duplicated packet)
>>     > >
>>     > >
>>     > >
>>     > >
>>     > >
>>     > > My config looks the following:
>>     > >
>>     > >
>>     > >
>>     > > Ipad -> 3G ->MyDomain.dyndns.org
>>     <http://MyDomain.dyndns.org>-> DIR-855 internet gateway
>>     > > (192.168.1.1) -> VPN-gateway (192.168.1.250) -> LAN / WLAN
>>     192.168.1.0
>>     > >
>>     > >
>>     > >
>>     > > I tried all sorts of combinations including the NATed Ipad
>>     address as
>>     > > parameter "right" (as well as the parameters rightsubnet,
>>     > > rightsubnetwithin) but it doesn't change anything. I presume
>>     I got
>>     > > something fundamentally wrong.
>>     > >
>>     > > Did anybody manage to get VPN up and running in a similar
>>     > > configuration?
>>     > >
>>     > >
>>     > >
>>     > > Regards
>>     > >
>>     > > Uli
>>     >
>>     >
>>     ======================================================================
>>     > Andreas Steffen andreas.steffen at strongswan.org
>>     <mailto:andreas.steffen at strongswan.org>
>>     > strongSwan - the Linux VPN Solution! www.strongswan.org
>>     <http://www.strongswan.org>
>>     > Institute for Internet Technologies and Applications
>>     > University of Applied Sciences Rapperswil
>>     > CH-8640 Rapperswil (Switzerland)
>>     >
>>     ===========================================================[ITA-HSR]==
>>     >
>>     >
>>     > _______________________________________________
>>     > Users mailing list
>>     >Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
>>     >https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
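The failing line quoted twice in this thread ("cannot respond to IPsec SA request because no connection is known for ...") packs both ends of the proposal, including both peers' ID payloads, into one selector string, and Andreas's question (why 86.194.205.27/32 behind gateway 192.168.1.250?) is answered by reading it apart. The following is an added example, not strongSwan code and not from anyone on this thread: a small Python parser for that selector plus a diagnostic that separates the gateway-side NAT from the client-side NAT the log reports as "both are NATed". The selector layout is taken from the quoted lines; the finding names, the RFC 1918 heuristic for the peer ID, and the control case built from documentation addresses are assumptions of the example.

```python
"""Parse pluto's "no connection is known for <selector>" line and explain it.
Added diagnostic example, not strongSwan code. Assumed selector layout, copied from
this thread's log lines:
<lclient>===<lhost>:<port>[<lid>]:<proto>/<port>...<rhost>:<port>[<rid>]:<proto>/<port>==={<rclient>}
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SELECTOR_RE = re.compile(
    r"(?P<lclient>[^\s=]+)==="
    r"(?P<lhost>[\d.]+):(?P<lport>\d+)\[(?P<lid>[^\]]+)\]:(?P<lproto>\d+)/(?P<lsel>[^.\s]+)"
    r"\.\.\."
    r"(?P<rhost>[\d.]+):(?P<rport>\d+)\[(?P<rid>[^\]]+)\]:(?P<rproto>\d+)/(?P<rsel>[^=\s]+)"
    r"===\{(?P<rclient>[^}]+)\}"
)
# RFC 1918 space, used to tell a pre-NAT ID payload from a public wire address.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class SaProposal:
    left_client: str    # selector the peer wants on the gateway side
    left_host: str      # address pluto actually listens on
    left_port: int      # 4500 once IKE has floated for NAT-T
    left_id: str
    left_proto: int
    left_portsel: str   # "1701" for an L2TP/IPsec client
    right_host: str     # peer as seen on the wire, i.e. after any NAT
    right_port: int
    right_id: str       # peer's ID payload; its own address for ID_IPV4_ADDR
    right_proto: int
    right_portsel: str
    right_client: str


def parse_proposal(line):
    """Return the SaProposal embedded in a pluto log line, or None."""
    m = SELECTOR_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return SaProposal(g["lclient"], g["lhost"], int(g["lport"]), g["lid"],
                      int(g["lproto"]), g["lsel"], g["rhost"], int(g["rport"]),
                      g["rid"], int(g["rproto"]), g["rsel"], g["rclient"])


def _is_rfc1918(text):
    try:
        addr = ip_address(text)
    except ValueError:  # FQDN or DN identities are not addresses
        return None
    return any(addr in net for net in RFC1918)


def diagnose(p):
    """Finding codes for a proposal, in a fixed order."""
    findings = []
    if p.left_port == 4500:
        findings.append("udp_encapsulation")
    if p.left_proto == 17 and p.left_portsel == "1701":
        findings.append("l2tp_selector")
    try:
        left_net = ip_network(p.left_client, strict=False)
    except ValueError:
        left_net = None
    if (left_net is not None and left_net.prefixlen == 32
            and left_net.network_address != ip_address(p.left_host)):
        # The peer names a gateway address pluto does not own: the NAT in front
        # of the gateway rewrote it, and no conn with left=<lhost> matches it.
        findings.append("gateway_behind_nat")
    if _is_rfc1918(p.right_id) and _is_rfc1918(p.right_host) is False:
        findings.append("peer_behind_nat")
    return findings


EXPLANATIONS = {
    "udp_encapsulation": "IKE floated to UDP/4500, so NAT-T encapsulation is in use",
    "l2tp_selector": "gateway-side selector is UDP/1701, an L2TP/IPsec client",
    "gateway_behind_nat": "peer addresses the gateway by a /32 pluto does not own "
                          "(the NAT's public address); no configured conn covers it",
    "peer_behind_nat": "peer ID is an RFC 1918 address but its wire address is public",
}

# The two failing lines quoted in this thread (Feb 8 and the earlier Feb 6 run).
THREAD_LINES = [
    'Feb  8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: cannot '
    'respond to IPsec SA request because no connection is known for 86.194.205.27/32==='
    '192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}',
    'Feb  6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: cannot '
    'respond to IPsec SA request because no connection is known for 86.194.205.27/32==='
    '192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32}',
]
# Constructed control case (not from the thread): documentation addresses, no NAT
# on either side, plain UDP/500, same L2TP selectors.
CONTROL_SELECTOR = ("203.0.113.1/32===203.0.113.1:500[203.0.113.1]:17/1701"
                    "...198.51.100.7:500[198.51.100.7]:17/%any==={198.51.100.7/32}")


def report(lines):
    """[(peer wire address, [finding explanations])] for lines carrying a proposal."""
    out = []
    for line in lines:
        p = parse_proposal(line)
        if p is not None:
            out.append((p.right_host, [EXPLANATIONS[c] for c in diagnose(p)]))
    return out


if __name__ == "__main__":
    for host, notes in report(THREAD_LINES + [CONTROL_SELECTOR]):
        print(host, *notes, sep="\n  ")
```

Run against the two quoted lines it reports all four findings for each: NAT-T float, the L2TP selector, a gateway-side /32 (86.194.205.27) that pluto does not own, and a peer whose ID (10.x.x.x) differs from its wire address (193.247.250.x), which is exactly the "both are NATed" result from Main Mode; the constructed control case yields only the L2TP finding.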
