[strongSwan] Help Connecting Strongswan to iPhone
Ingmar Rosenhagen
IRosenhagen at gmx.net
Tue Jul 5 02:11:28 CEST 2011
I've moved the strongswan-server to a public ip now, due to the obstacles with double nat. My configuration now looks like this:
conn android
left=77.66.55.44
leftnexthop=%defaultroute
leftprotoport=17/1701
right=%any
rightprotoport=17/%any
rightsubnetwithin=10.0.0.0/8
auto=add
authby=secret
type=tunnel
pfs=no
But now I get another error. What am I missing here?
Jul 5 01:56:32 Ubuntu-1004-lucid-64-minimal pluto[3681]: added connection description "android"
Jul 5 01:56:33 Ubuntu-1004-lucid-64-minimal sudo: ingmar : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/auth.log
Jul 5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: packet from 99.88.77.66:35574: received Vendor ID payload [RFC 3947]
Jul 5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: packet from 99.88.77.66:35574: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: packet from 99.88.77.66:35574: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: packet from 99.88.77.66:35574: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: packet from 99.88.77.66:35574: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jul 5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[1] 99.88.77.66:35574 #1: responding to Main Mode from unknown peer 99.88.77.66:35574
Jul 5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[1] 99.88.77.66:35574 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Jul 5 01:56:47 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[1] 99.88.77.66:35574 #1: Peer ID is ID_IPV4_ADDR: '10.172.161.49'
Jul 5 01:56:47 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:35574 #1: deleting connection "android" instance with peer 99.88.77.66 {isakmp=#0/ipsec=#0}
Jul 5 01:56:47 Ubuntu-1004-lucid-64-minimal pluto[3681]: | NAT-T: new mapping 99.88.77.66:35574/59834)
Jul 5 01:56:47 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: sent MR3, ISAKMP SA established
Jul 5 01:56:47 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jul 5 01:56:48 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #2: NAT-Traversal: Transport mode disabled due to security concerns
Jul 5 01:56:48 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #2: sending encrypted notification BAD_PROPOSAL_SYNTAX to 99.88.77.66:59834
Jul 5 01:56:58 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1f39a9ca (perhaps this is a duplicated packet)
Jul 5 01:56:58 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: sending encrypted notification INVALID_MESSAGE_ID to 99.88.77.66:59834
Jul 5 01:57:08 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1f39a9ca (perhaps this is a duplicated packet)
Jul 5 01:57:08 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: sending encrypted notification INVALID_MESSAGE_ID to 99.88.77.66:59834
-------- Original-Nachricht --------
> Datum: Wed, 29 Jun 2011 22:19:17 +0200
> Von: Andreas Steffen <andreas.steffen at strongswan.org>
> An: Ingmar Rosenhagen <IRosenhagen at gmx.net>
> CC: users at lists.strongswan.org
> Betreff: Re: [strongSwan] Help Connecting Strongswan to iPhone
> Due to the double NAT situation you must add
>
> leftsubnet=53.33.152.45/32
> rightsubnet=10.152.73.157/32
>
> Regards
>
> Andreas
>
> On 06/29/2011 10:02 PM, Ingmar Rosenhagen wrote:
> > Hi,
> >
> > I've nearly the same situation.
> > Strongswan behind a NAT-Router and trying to connect with my Android
> Handset.
> >
> > My Config looks like this:
> >
> > config setup
> > # plutodebug=all
> > # crlcheckinterval=600
> > # strictcrlpolicy=yes
> > # cachecrls=yes
> > nat_traversal=yes
> > charonstart=yes
> > plutostart=yes
> >
> >
> > conn nat-t
> > left=192.168.178.3
> > leftnexthop=%defaultroute
> > leftprotoport=17/1701
> > right=%any
> > rightprotoport=17/1701
> > auto=add
> > authby=secret
> > type=tunnel
> > pfs=no
> >
> > Obviously 192.168.178.3 is my internal IP 192.168.178.1 would be my next
> hop.
> > On my android-device I configured it to connect to a dyndns-account of
> my public ip, and on my router ports udp 400+4500 are forwarded to
> 192.168.178.3. When trying to connect I get:
> >
> > un 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887:
> received Vendor ID payload [RFC 3947]
> > Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> > Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> > Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> > Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887:
> ignoring Vendor ID payload [FRAGMENTATION 80000000]
> > Jun 29 21:55:09 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1:
> responding to Main Mode from unknown peer 19.24.143.13:20887
> > Jun 29 21:55:10 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1:
> NAT-Traversal: Result using RFC 3947: both are NATed
> > Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1:
> Peer ID is ID_IPV4_ADDR: '10.152.73.157'
> > Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:20887 #1:
> deleting connection "nat-t" instance with peer 19.24.143.13
> {isakmp=#0/ipsec=#0}
> > Jun 29 21:55:12 adelheid pluto[3943]: | NAT-T: new mapping
> 19.24.143.13:20887/19739)
> > Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1:
> sent MR3, ISAKMP SA established
> > Jun 29 21:55:13 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1:
> ignoring informational payload, type IPSEC_INITIAL_CONTACT
> > Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1:
> cannot respond to IPsec SA request because no connection is known for
> 53.33.152.45/32===192.168.178.3:4500:17/1701...19.24.143.13:19739[10.152.73.157]:17/0===10.152.73.157/32
> > Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1:
> sending encrypted notification INVALID_ID_INFORMATION to 19.24.143.13:19739
> >
> > I've no idea left what else one should try to get a setup like this
> working.
> >
> > Do you have any more hints?
> >
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
--
NEU: FreePhone - kostenlos mobil telefonieren!
Jetzt informieren: http://www.gmx.net/de/go/freephone
More information about the Users
mailing list