[strongSwan] NAT + RoadWarrior: cannot create IPsec SA, ISAKMP ok
Richard Chan
rspchan at starhub.net.sg
Sun Feb 13 08:28:03 CET 2011
Hello,
I am testing out the Remote access (RA) +PSK configuration. It is working
if the
two devices are routed. But the if RA is behind NAT, IKE Phase I succeeds,
Phase II fails.
>From auth.log below, I can see that IKE Phase I succeeds, but then I cannot
create the Phase II
SA. Any suggestions?
moon (the VPN hub)
ipsec.secrets
192.168.123.12 %any : PSK "secret"
ipsec.conf
conn hub
left=192.168.123.12
leftsubnet=172.25.12.0/24
right=%any
authby=secret
auto=add
carol (the RA client, behind NAT)
ipsec.secrets
10.10.124.14 192.168.123.12 : PSK "secret"
ipsec.conf
conn rw
left=%defaultroute
right=192.168.123.12
rightsubnet=172.25.12.0/24
authby=secret
auto=add
auth.log on moon:
Feb 13 15:18:33 vm01 pluto[6774]: | *received 268 bytes from
192.168.123.1:1031 on eth0
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received
Vendor ID payload [strongSwan]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received
Vendor ID payload [XAUTH]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received
Vendor ID payload [Dead Peer Detection]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received
Vendor ID payload [RFC 3947]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 13 15:18:33 vm01 pluto[6774]: | preparse_isakmp_policy: peer requests
PSK authentication
Feb 13 15:18:33 vm01 pluto[6774]: | instantiated "hub" for 192.168.123.1
Feb 13 15:18:33 vm01 pluto[6774]: | creating state object #1 at
0x7fe4f2b2db20
Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE: 41 51 f8 ff 2a 0a 4a 34
Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE: 5f 41 53 47 1b fa 54 d7
Feb 13 15:18:33 vm01 pluto[6774]: | peer: c0 a8 7b 01
Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_SO_DISCARD,
timeout in 0 seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: responding
to Main Mode from unknown peer 192.168.123.1:1031
Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_RETRANSMIT in 10
seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: |
Feb 13 15:18:33 vm01 pluto[6774]: | *received 356 bytes from
192.168.123.1:1031 on eth0
Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE: 41 51 f8 ff 2a 0a 4a 34
Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE: 5f 41 53 47 1b fa 54 d7
Feb 13 15:18:33 vm01 pluto[6774]: | peer: c0 a8 7b 01
Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R1
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1:
NAT-Traversal: Result using RFC 3947: peer is NATed
Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_NAT_T_KEEPALIVE,
timeout in 20 seconds
Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_RETRANSMIT in 10
seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: |
Feb 13 15:18:33 vm01 pluto[6774]: | *received 76 bytes from
192.168.123.1:4500 on eth0
Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE: 41 51 f8 ff 2a 0a 4a 34
Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE: 5f 41 53 47 1b fa 54 d7
Feb 13 15:18:33 vm01 pluto[6774]: | peer: c0 a8 7b 01
Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R2
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: Peer ID is
ID_IPV4_ADDR: '10.10.124.14'
Feb 13 15:18:33 vm01 pluto[6774]: | peer CA: %none
Feb 13 15:18:33 vm01 pluto[6774]: | offered CA: %none
Feb 13 15:18:33 vm01 pluto[6774]: | switched from "hub" to "hub"
Feb 13 15:18:33 vm01 pluto[6774]: | instantiated "hub" for 192.168.123.1
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:1031 #1: deleting
connection "hub" instance with peer 192.168.123.1 {isakmp=#0/ipsec=#0}
Feb 13 15:18:33 vm01 pluto[6774]: | NAT-T: new mapping
192.168.123.1:1031/4500)
Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_SA_REPLACE,
timeout in 10530 seconds for #1
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:4500 #1: sent MR3,
ISAKMP SA established
Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_NAT_T_KEEPALIVE in 20
seconds
Feb 13 15:18:33 vm01 pluto[6774]: |
Feb 13 15:18:33 vm01 pluto[6774]: | *received 444 bytes from
192.168.123.1:4500 on eth0
Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE: 41 51 f8 ff 2a 0a 4a 34
Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE: 5f 41 53 47 1b fa 54 d7
Feb 13 15:18:33 vm01 pluto[6774]: | peer: c0 a8 7b 01
Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
Feb 13 15:18:33 vm01 pluto[6774]: | state object not found
Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE: 41 51 f8 ff 2a 0a 4a 34
Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE: 5f 41 53 47 1b fa 54 d7
Feb 13 15:18:33 vm01 pluto[6774]: | peer: c0 a8 7b 01
Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R3
Feb 13 15:18:33 vm01 pluto[6774]: | peer client is 10.10.124.14
Feb 13 15:18:33 vm01 pluto[6774]: | peer client protocol/port is 0/0
Feb 13 15:18:33 vm01 pluto[6774]: | our client is subnet 172.25.12.0/24
Feb 13 15:18:33 vm01 pluto[6774]: | our client protocol/port is 0/0
Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:4500 #1: cannot
respond to IPsec SA request because no connection is known for
172.25.12.0/24===192.168.123.12:4500[192.168.123.12]...192.168.123.1:4500[10.10.124.14]===10.10.124.14/32
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110213/8091a026/attachment.html>
More information about the Users
mailing list