[strongSwan] Help Connecting Strongswan to iPhone

Ingmar Rosenhagen IRosenhagen at gmx.net
Tue Jul 5 02:11:28 CEST 2011


I've moved the strongswan server to a public IP now, due to the obstacles with double NAT. My configuration now looks like this:

conn android
        left=77.66.55.44
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        rightsubnetwithin=10.0.0.0/8
        auto=add
        authby=secret
        type=tunnel
        pfs=no

But now I get another error. What am I missing here?

Jul  5 01:56:32 Ubuntu-1004-lucid-64-minimal pluto[3681]: added connection description "android"
Jul  5 01:56:33 Ubuntu-1004-lucid-64-minimal sudo:   ingmar : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/auth.log
Jul  5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: packet from 99.88.77.66:35574: received Vendor ID payload [RFC 3947]
Jul  5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: packet from 99.88.77.66:35574: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul  5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: packet from 99.88.77.66:35574: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul  5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: packet from 99.88.77.66:35574: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul  5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: packet from 99.88.77.66:35574: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jul  5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[1] 99.88.77.66:35574 #1: responding to Main Mode from unknown peer 99.88.77.66:35574
Jul  5 01:56:46 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[1] 99.88.77.66:35574 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Jul  5 01:56:47 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[1] 99.88.77.66:35574 #1: Peer ID is ID_IPV4_ADDR: '10.172.161.49'
Jul  5 01:56:47 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:35574 #1: deleting connection "android" instance with peer 99.88.77.66 {isakmp=#0/ipsec=#0}
Jul  5 01:56:47 Ubuntu-1004-lucid-64-minimal pluto[3681]: | NAT-T: new mapping 99.88.77.66:35574/59834)
Jul  5 01:56:47 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: sent MR3, ISAKMP SA established
Jul  5 01:56:47 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jul  5 01:56:48 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #2: NAT-Traversal: Transport mode disabled due to security concerns
Jul  5 01:56:48 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #2: sending encrypted notification BAD_PROPOSAL_SYNTAX to 99.88.77.66:59834
Jul  5 01:56:58 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1f39a9ca (perhaps this is a duplicated packet)
Jul  5 01:56:58 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: sending encrypted notification INVALID_MESSAGE_ID to 99.88.77.66:59834
Jul  5 01:57:08 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1f39a9ca (perhaps this is a duplicated packet)
Jul  5 01:57:08 Ubuntu-1004-lucid-64-minimal pluto[3681]: "android"[2] 99.88.77.66:59834 #1: sending encrypted notification INVALID_MESSAGE_ID to 99.88.77.66:59834


-------- Original Message --------
> Date: Wed, 29 Jun 2011 22:19:17 +0200
> From: Andreas Steffen <andreas.steffen at strongswan.org>
> To: Ingmar Rosenhagen <IRosenhagen at gmx.net>
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] Help Connecting Strongswan to iPhone

> Due to the double NAT situation you must add
> 
> leftsubnet=53.33.152.45/32
> rightsubnet=10.152.73.157/32
> 
> Regards
> 
> Andreas
> 
> On 06/29/2011 10:02 PM, Ingmar Rosenhagen wrote:
> > Hi,
> >
> > I've nearly the same situation.
> > Strongswan behind a NAT-Router and trying to connect with my Android Handset.
> >
> > My Config looks like this:
> >
> > config setup
> >          # plutodebug=all
> >          # crlcheckinterval=600
> >          # strictcrlpolicy=yes
> >          # cachecrls=yes
> >          nat_traversal=yes
> >          charonstart=yes
> >          plutostart=yes
> >
> >
> > conn nat-t
> >          left=192.168.178.3
> >          leftnexthop=%defaultroute
> >          leftprotoport=17/1701
> >          right=%any
> >          rightprotoport=17/1701
> >          auto=add
> >          authby=secret
> >          type=tunnel
> >          pfs=no
> >
> > Obviously 192.168.178.3 is my internal IP; 192.168.178.1 would be my next hop.
> > On my android-device I configured it to connect to a dyndns-account of my public ip, and on my router ports udp 400+4500 are forwarded to 192.168.178.3. When trying to connect I get:
> >
> > Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: received Vendor ID payload [RFC 3947]
> > Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> > Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> > Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> > Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [FRAGMENTATION 80000000]
> > Jun 29 21:55:09 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: responding to Main Mode from unknown peer 19.24.143.13:20887
> > Jun 29 21:55:10 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: NAT-Traversal: Result using RFC 3947: both are NATed
> > Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: Peer ID is ID_IPV4_ADDR: '10.152.73.157'
> > Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:20887 #1: deleting connection "nat-t" instance with peer 19.24.143.13 {isakmp=#0/ipsec=#0}
> > Jun 29 21:55:12 adelheid pluto[3943]: | NAT-T: new mapping 19.24.143.13:20887/19739)
> > Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: sent MR3, ISAKMP SA established
> > Jun 29 21:55:13 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> > Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: cannot respond to IPsec SA request because no connection is known for 53.33.152.45/32===192.168.178.3:4500:17/1701...19.24.143.13:19739[10.152.73.157]:17/0===10.152.73.157/32
> > Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: sending encrypted notification INVALID_ID_INFORMATION to 19.24.143.13:19739
> >
> > I've no idea left what else one should try to get a setup like this working.
> >
> > Do you have any more hints?
> >
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

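Both logs in this thread follow the same pattern: pluto reports the NAT-T result and the peer's ID, establishes the ISAKMP SA, and then, in Quick Mode, sends an encrypted notification (BAD_PROPOSAL_SYNTAX in the new log, INVALID_ID_INFORMATION in the earlier one) right after a line that states the reason. The script below is an added example, not code from the thread or from the strongSwan project: it parses pluto lines of the form shown above and pairs each notification with the reason logged on the same state number, so the operator can read the failure off a summary instead of scanning `auth.log`. The sample log is constructed from lines modelled on those quoted in the thread; hostnames and the message format are assumed to match what pluto writes.

```python
"""Summarise IKEv1 (pluto) negotiations from an auth.log excerpt.

Added example for this thread; not part of strongSwan. The constructed sample
below is modelled on the pluto lines quoted in the thread.
"""
import re

# Constructed sample log: one responder-side negotiation per connection name.
SAMPLE_LOG = """\
Jul  5 01:56:46 host pluto[3681]: packet from 99.88.77.66:35574: received Vendor ID payload [RFC 3947]
Jul  5 01:56:46 host pluto[3681]: "android"[1] 99.88.77.66:35574 #1: responding to Main Mode from unknown peer 99.88.77.66:35574
Jul  5 01:56:46 host pluto[3681]: "android"[1] 99.88.77.66:35574 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Jul  5 01:56:47 host pluto[3681]: "android"[1] 99.88.77.66:35574 #1: Peer ID is ID_IPV4_ADDR: '10.172.161.49'
Jul  5 01:56:47 host pluto[3681]: "android"[2] 99.88.77.66:59834 #1: sent MR3, ISAKMP SA established
Jul  5 01:56:48 host pluto[3681]: "android"[2] 99.88.77.66:59834 #2: NAT-Traversal: Transport mode disabled due to security concerns
Jul  5 01:56:48 host pluto[3681]: "android"[2] 99.88.77.66:59834 #2: sending encrypted notification BAD_PROPOSAL_SYNTAX to 99.88.77.66:59834
Jun 29 21:55:10 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: Peer ID is ID_IPV4_ADDR: '10.152.73.157'
Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: sent MR3, ISAKMP SA established
Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: cannot respond to IPsec SA request because no connection is known for 53.33.152.45/32===192.168.178.3:4500:17/1701...19.24.143.13:19739[10.152.73.157]:17/0===10.152.73.157/32
Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: sending encrypted notification INVALID_ID_INFORMATION to 19.24.143.13:19739
"""

# Lines tagged with a connection instance and a state number ("#1", "#2").
# "packet from ..." and "| NAT-T: ..." lines carry no state and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+):(?P<port>\d+) '
    r'#(?P<state>\d+): (?P<msg>.*)$'
)
NAT_RE = re.compile(r'NAT-Traversal: Result using RFC 3947: (?P<result>.+)')
PEER_ID_RE = re.compile(r"Peer ID is (?P<type>\S+): '(?P<id>[^']+)'")
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<type>\S+) to ')


def parse(log_text):
    """Yield one dict per state-tagged pluto line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(log_text):
    """Return {conn_name: summary} with NAT result, peer ID, SA status and
    each notification paired with the reason logged just before it."""
    summary = {}
    last_msg = {}  # (conn, state) -> previous message on that state
    for ev in parse(log_text):
        conn = summary.setdefault(ev['conn'], {
            'peer': ev['peer'], 'nat': None, 'peer_id': None,
            'isakmp_established': False, 'notifications': [],
        })
        conn['peer'] = ev['peer']  # NAT-T may remap the source port mid-exchange
        msg = ev['msg']
        key = (ev['conn'], ev['state'])
        if (m := NAT_RE.search(msg)):
            conn['nat'] = m['result']
        elif (m := PEER_ID_RE.search(msg)):
            conn['peer_id'] = m['id']
        elif msg.endswith('ISAKMP SA established'):
            conn['isakmp_established'] = True
        elif (m := NOTIFY_RE.search(msg)):
            # pluto logs the cause on the same state right before the notify
            conn['notifications'].append((m['type'], last_msg.get(key)))
        last_msg[key] = msg
    return summary


def report(summary):
    """Render the summary as one line per fact, for a quick read."""
    lines = []
    for name, c in summary.items():
        lines.append(f'conn "{name}" peer {c["peer"]} id={c["peer_id"]} '
                     f'nat={c["nat"]} isakmp={"up" if c["isakmp_established"] else "down"}')
        for ntype, reason in c['notifications']:
            lines.append(f'  sent {ntype}: {reason}')
    return lines


if __name__ == '__main__':
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run against a real `/var/log/auth.log`, the summary shows at a glance that Phase 1 completed (the PSK and NAT-T detection are fine) and that the failure is in Phase 2, with pluto's own stated reason next to the notification it sent. That separates "wrong secret or NAT problem" from "Quick Mode proposal or selector mismatch", which is the distinction this thread turns on.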



