[strongSwan] NAT + RoadWarrior: cannot create IPsec SA, ISAKMP ok

Richard Chan rspchan at starhub.net.sg
Sun Feb 13 08:28:03 CET 2011


Hello,

I am testing out the Remote access (RA) + PSK configuration. It is working
if the two devices are routed. But if the RA is behind NAT, IKE Phase I
succeeds and Phase II fails.

From auth.log below, I can see that IKE Phase I succeeds, but then I cannot
create the Phase II SA. Any suggestions?

moon (the VPN hub)

ipsec.secrets

192.168.123.12 %any : PSK "secret"

ipsec.conf

conn hub
    left=192.168.123.12
    leftsubnet=172.25.12.0/24
    right=%any
    authby=secret
    auto=add

carol (the RA client, behind NAT)

ipsec.secrets

10.10.124.14 192.168.123.12 : PSK "secret"

ipsec.conf

conn rw
    left=%defaultroute
    right=192.168.123.12
    rightsubnet=172.25.12.0/24
    authby=secret
    auto=add


auth.log on moon:

Feb 13 15:18:33 vm01 pluto[6774]: | *received 268 bytes from 192.168.123.1:1031 on eth0
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [strongSwan]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [XAUTH]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [Dead Peer Detection]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [RFC 3947]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 13 15:18:33 vm01 pluto[6774]: | preparse_isakmp_policy: peer requests PSK authentication
Feb 13 15:18:33 vm01 pluto[6774]: | instantiated "hub" for 192.168.123.1
Feb 13 15:18:33 vm01 pluto[6774]: | creating state object #1 at 0x7fe4f2b2db20
Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE:  41 51 f8 ff  2a 0a 4a 34
Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE:  5f 41 53 47  1b fa 54 d7
Feb 13 15:18:33 vm01 pluto[6774]: | peer:  c0 a8 7b 01
Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: responding to Main Mode from unknown peer 192.168.123.1:1031
Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: |
Feb 13 15:18:33 vm01 pluto[6774]: | *received 356 bytes from 192.168.123.1:1031 on eth0
Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE:  41 51 f8 ff  2a 0a 4a 34
Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE:  5f 41 53 47  1b fa 54 d7
Feb 13 15:18:33 vm01 pluto[6774]: | peer:  c0 a8 7b 01
Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R1
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: |
Feb 13 15:18:33 vm01 pluto[6774]: | *received 76 bytes from 192.168.123.1:4500 on eth0
Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE:  41 51 f8 ff  2a 0a 4a 34
Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE:  5f 41 53 47  1b fa 54 d7
Feb 13 15:18:33 vm01 pluto[6774]: | peer:  c0 a8 7b 01
Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R2
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: Peer ID is ID_IPV4_ADDR: '10.10.124.14'
Feb 13 15:18:33 vm01 pluto[6774]: | peer CA:      %none
Feb 13 15:18:33 vm01 pluto[6774]: | offered CA:   %none
Feb 13 15:18:33 vm01 pluto[6774]: | switched from "hub" to "hub"
Feb 13 15:18:33 vm01 pluto[6774]: | instantiated "hub" for 192.168.123.1
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:1031 #1: deleting connection "hub" instance with peer 192.168.123.1 {isakmp=#0/ipsec=#0}
Feb 13 15:18:33 vm01 pluto[6774]: | NAT-T: new mapping 192.168.123.1:1031/4500)
Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_SA_REPLACE, timeout in 10530 seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:4500 #1: sent MR3, ISAKMP SA established
Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
Feb 13 15:18:33 vm01 pluto[6774]: |
Feb 13 15:18:33 vm01 pluto[6774]: | *received 444 bytes from 192.168.123.1:4500 on eth0
Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE:  41 51 f8 ff  2a 0a 4a 34
Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE:  5f 41 53 47  1b fa 54 d7
Feb 13 15:18:33 vm01 pluto[6774]: | peer:  c0 a8 7b 01
Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
Feb 13 15:18:33 vm01 pluto[6774]: | state object not found
Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE:  41 51 f8 ff  2a 0a 4a 34
Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE:  5f 41 53 47  1b fa 54 d7
Feb 13 15:18:33 vm01 pluto[6774]: | peer:  c0 a8 7b 01
Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R3
Feb 13 15:18:33 vm01 pluto[6774]: | peer client is 10.10.124.14
Feb 13 15:18:33 vm01 pluto[6774]: | peer client protocol/port is 0/0
Feb 13 15:18:33 vm01 pluto[6774]: | our client is subnet 172.25.12.0/24
Feb 13 15:18:33 vm01 pluto[6774]: | our client protocol/port is 0/0
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:4500 #1: cannot respond to IPsec SA request because no connection is known for 172.25.12.0/24===192.168.123.12:4500[192.168.123.12]...192.168.123.1:4500[10.10.124.14]===10.10.124.14/32
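An added diagnostic in Python (not from the post or from the strongSwan project) that parses the final pluto line above and compares the peer-side selector the client proposed with the one the hub's conn accepts. It assumes pluto's documented default that an unset rightsubnet means the peer's host address /32, which for a NATed peer is the NAT device's address (192.168.123.1) rather than the client's inner address, so the proposed 10.10.124.14/32 finds no matching conn.

```python
import ipaddress
import re

# Constructed sample: the decisive lines from the hub's auth.log in the post.
LOG = """\
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: Peer ID is ID_IPV4_ADDR: '10.10.124.14'
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:4500 #1: cannot respond to IPsec SA request because no connection is known for 172.25.12.0/24===192.168.123.12:4500[192.168.123.12]...192.168.123.1:4500[10.10.124.14]===10.10.124.14/32
"""

# The hub's conn from the post as a dict; note that rightsubnet is not set.
HUB_CONN = {"left": "192.168.123.12", "leftsubnet": "172.25.12.0/24",
            "right": "%any", "authby": "secret"}

# pluto prints the unmatched selectors as
#   ournet===ourhost:port[ourid]...peerhost:port[peerid]===peernet
SEL_RE = re.compile(
    r"no connection is known for "
    r"(?P<our_net>\S+?)===(?P<our_host>[\d.]+):\d+\[(?P<our_id>[^\]]*)\]"
    r"\.\.\.(?P<peer_host>[\d.]+):\d+\[(?P<peer_id>[^\]]*)\]===(?P<peer_net>\S+)")

def parse_quick_mode_failure(log):
    """Return the selectors pluto could not match, or None if none is logged."""
    for line in log.splitlines():
        m = SEL_RE.search(line)
        if m:
            sel = m.groupdict()
            sel["our_net"] = ipaddress.ip_network(sel["our_net"])
            sel["peer_net"] = ipaddress.ip_network(sel["peer_net"])
            return sel
    return None

def accepted_peer_selector(conn, peer_host):
    """Peer-side selector the conn accepts. Assumption (ipsec.conf default):
    with rightsubnet unset, pluto uses the peer's host address /32."""
    if "rightsubnet" in conn:
        return ipaddress.ip_network(conn["rightsubnet"])
    return ipaddress.ip_network(peer_host + "/32")

def diagnose(log, conn):
    sel = parse_quick_mode_failure(log)
    if sel is None:
        return "no unmatched Quick Mode selector in log"
    accepted = accepted_peer_selector(conn, sel["peer_host"])
    nated = "peer is NATed" in log
    if sel["peer_net"] != accepted:
        return (f"mismatch: conn accepts {accepted} for the peer but the peer "
                f"proposed {sel['peer_net']} (Peer ID {sel['peer_id']}, NATed={nated})")
    return "peer selector matches conn"
```

Running diagnose(LOG, HUB_CONN) reports the mismatch between 192.168.123.1/32 and 10.10.124.14/32, which is the selector pluto prints as unknown.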