[strongSwan] Help Connecting Strongswan to iPhone

Ingmar Rosenhagen IRosenhagen at gmx.net
Wed Jun 29 22:02:33 CEST 2011


Hi,

I have nearly the same situation:
strongSwan behind a NAT router, trying to connect with my Android handset.

My config looks like this:

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=yes
        plutostart=yes


conn nat-t
        left=192.168.178.3
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        auto=add
        authby=secret
        type=tunnel
        pfs=no

Obviously 192.168.178.3 is my internal IP; 192.168.178.1 would be my next hop.
On my Android device I configured it to connect to a DynDNS account pointing at my public IP, and on my router UDP ports 400 and 4500 are forwarded to 192.168.178.3. When trying to connect I get:

Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: received Vendor ID payload [RFC 3947]
Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Jun 29 21:55:09 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: responding to Main Mode from unknown peer 19.24.143.13:20887
Jun 29 21:55:10 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: Peer ID is ID_IPV4_ADDR: '10.152.73.157'
Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:20887 #1: deleting connection "nat-t" instance with peer 19.24.143.13 {isakmp=#0/ipsec=#0}
Jun 29 21:55:12 adelheid pluto[3943]: | NAT-T: new mapping 19.24.143.13:20887/19739)
Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: sent MR3, ISAKMP SA established
Jun 29 21:55:13 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: cannot respond to IPsec SA request because no connection is known for 53.33.152.45/32===192.168.178.3:4500:17/1701...19.24.143.13:19739[10.152.73.157]:17/0===10.152.73.157/32
Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: sending encrypted notification INVALID_ID_INFORMATION to 19.24.143.13:19739

I've no idea left what else one should try to get a setup like this working. 

Do you have any more hints?




Andreas/Martin/Uli,

Thanks for the suggestions.  Unfortunately, after playing around with the
settings, I'm still unable to advance past that same error.

Martin's suggestion to check the ports I'm using did help me spot that I had
xl2tpd configured wrong, but once I got that fixed, it still showed that
same error in strongswan itself.

I actually started using openswan initially and had no luck with that, so I
figured I'd try strongswan.  Maybe I'll give openswan another try now that I
am slightly less clueless about what I'm doing.  Maybe what Uli said is true
and it's more compatible with double NATting?

The double NAT thing that Andreas and Uli mention sounds like a reasonable
explanation, except that when I try to VPN in from my work's wireless
instead of using 3G, it still doesn't work (not sure yet if the error is the
same or not).  Of course, my work's wireless might be NAT'ed also.

I'm close to giving up on this.  It's proving very difficult and if it
weren't for the few people online who claim to have gotten it working, I'd
almost say it can't be done.

If I get the time/inclination I'll try and post some more debugging details
and specifics on what all I've tried.  But as of now, I ran through all the
suggestions that folks have posted so far without any luck.

Thanks for trying though and if anyone has any ideas on other stuff to try,
I'm all ears.

Actually... Andreas, when you say to try IPsec tunnel mode on my iPhone, do
you mean to use the IPsec VPN type?  Cuz the instructions I'm using say to
use the L2TP mode... IPsec mode doesn't seem to work either, for what it's
worth.

On Sun, Mar 27, 2011 at 12:01 PM, Andreas Steffen <andreas.stef... at strongswan.org> wrote:

> Hi Dan,
>
> what is missing is
>
> leftsubnet=53.74.66.108/32
>
> as you have a double NAT situation. Can you configure
> the iPhone to use IPsec Tunnel Mode so that the
> internal destination IP would be 192.168.1.10, too?
>
> Regards
>
> Andreas
>
> On 03/26/2011 09:06 PM, Dan Deming wrote:
> > Hello,
> >
> > I'm trying to get a strongswan VPN set up so I can connect my iPhone
> > to my Ubuntu Lucid Lynx desktop, but I can't seem to get it
> > working and would appreciate any help anyone can give me.
> >
> > I feel like I'm close, but networking is not one of my
> > strong suits, so the whole leftnexthop, rightprotoport
> > thing is pretty confusing to me.
> >
> > I've been generally following the directions on these 3
> > pages:
> >
> > http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
> > https://lists.strongswan.org/pipermail/users/2009-March/003291.html
> > http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients.html
> >
> > Currently, I'm getting the following error:
> >
> > cannot respond to IPsec SA request because no connection is known for
> > 53.74.66.108/32===192.168.1.10:17/%any...192.168.1.1[192.168.1.12]:17/%any===192.168.1.12/32
> >
> >
> > Here are the stats on what I'm running:
> >
> > Ubuntu Desktop:
> >  * Internal IP address is 192.168.1.10
> >  * Running custom compiled version of strongswan-4.3.2 with
> > --enable-nat-transport option enabled
> >  * Running xl2tpd
> >  * Both were set up by following
> >
> http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/
> >  * Firewall was off while I was trying to get this working
> >
> > Linksys E3000 router:
> >  * Internal IP address is 192.168.1.1
> >  * Comcast IP address is 53.74.66.108 (not my actual IP, but you get the
> > idea)
> >  * NAT Enabled
> >  * VPN Passthrough Enabled
> >  * Ports 4500 and 1701 forwarded to 192.168.1.10
> >
> > iPhone 3GS:
> >  * I guess the IP for this device is 166.121.15.14? (Again, I changed it
> > in the log below)
> >
> > Here is my ipsec.conf:
> >
> > config setup
> >     nat_traversal=yes
> >     charonstart=yes
> >     plutostart=yes
> >
> > conn L2TP
> >         authby=psk
> >         pfs=no
> >         rekey=no
> >         type=tunnel
> >         esp=aes128-sha1
> >         ike=aes128-sha-modp1024
> >         left=192.168.1.10
> >         leftnexthop=%defaultroute
> >         #leftprotoport=17/%any
> >         leftprotoport=17/1701
> >         right=%any
> >         rightprotoport=17/%any
> >         #rightsubnetwithin=10.0.0.0/8
> >         auto=add
> >
> >
> ======================================================================
> Andreas Steffen                         andreas.stef... at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
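Both posts above stall on the same pluto message, "cannot respond to IPsec SA request because no connection is known for ...", and Andreas's diagnosis (a missing leftsubnet=<public IP>/32 because of double NAT) comes straight from reading the selector string pluto prints after it. The script below is an added example for this thread, not strongSwan code and not something either poster ran: it parses that selector string (LSUB===LHOST[:NATPORT]:PROTO/PORT...RHOST[:NATPORT][ID]:PROTO/PORT===RSUB) and compares it with the conn from ipsec.conf. The two selector strings and the two conn dicts are transcribed from the logs and configs posted in this thread. The comparison rules are assumptions about pluto's matching that the example makes explicit rather than facts stated on the page: without leftsubnet the local selector is left/32; without rightsubnet the remote selector is the peer's address /32, optionally widened by rightsubnetwithin; protocol/port must match exactly, with %any being port 0 on the wire.

```python
"""Compare the selector pluto logs after "no connection is known for" with a conn.

Added example for this mailing-list thread; not strongSwan code.  Selector
strings and conn settings are transcribed from the posts in the thread.
"""
import ipaddress
import re

# LSUB===LHOST[:NATPORT]:PROTO/PORT...RHOST[:NATPORT][ID]:PROTO/PORT===RSUB
SELECTOR_RE = re.compile(
    r"^(?P<lsub>[\d./]+)===(?P<lhost>[\d.]+)(?::(?P<lport>\d+))?"
    r":(?P<lproto>\d+)/(?P<lpp>[^.]+)\.\.\."
    r"(?P<rhost>[\d.]+)(?::(?P<rport>\d+))?(?:\[(?P<rid>[^\]]+)\])?"
    r":(?P<rproto>\d+)/(?P<rpp>[^=]+)===(?P<rsub>[\d./]+)$"
)

# Transcribed from the thread (Ingmar's pluto log and conn nat-t; Dan's log and conn L2TP).
INGMAR_SELECTOR = ("53.33.152.45/32===192.168.178.3:4500:17/1701"
                   "...19.24.143.13:19739[10.152.73.157]:17/0===10.152.73.157/32")
INGMAR_CONN = {"left": "192.168.178.3", "leftprotoport": "17/1701", "rightprotoport": "17/1701"}
DAN_SELECTOR = ("53.74.66.108/32===192.168.1.10:17/%any"
                "...192.168.1.1[192.168.1.12]:17/%any===192.168.1.12/32")
DAN_CONN = {"left": "192.168.1.10", "leftprotoport": "17/1701", "rightprotoport": "17/%any"}


def _port(p):
    """pluto writes a wildcard port as %any in ipsec.conf and as 0 in the log."""
    return 0 if p == "%any" else int(p)


def _parse_protoport(spec):
    """ipsec.conf value such as '17/1701' or '17/%any'; unset means 0/0 (any)."""
    if not spec:
        return (0, 0)
    proto, port = spec.split("/")
    return (int(proto), _port(port))


def _fmt_protoport(pp):
    return "%d/%s" % (pp[0], "%any" if pp[1] == 0 else pp[1])


def parse_selector(s):
    """Split pluto's selector string into the peer's proposed traffic selectors."""
    m = SELECTOR_RE.match(s.strip())
    if not m:
        raise ValueError("not a pluto selector string: %r" % s)
    d = m.groupdict()
    return {
        "left_subnet": ipaddress.ip_network(d["lsub"]),
        "left_host": ipaddress.ip_address(d["lhost"]),
        "left_protoport": (int(d["lproto"]), _port(d["lpp"])),
        "right_host": ipaddress.ip_address(d["rhost"]),
        "right_id": ipaddress.ip_address(d["rid"]) if d["rid"] else None,
        "right_protoport": (int(d["rproto"]), _port(d["rpp"])),
        "right_subnet": ipaddress.ip_network(d["rsub"]),
    }


def diagnose(selector, conn):
    """Return [(problem, suggested ipsec.conf line)] where conn does not cover the request."""
    req = parse_selector(selector)
    out = []
    left = ipaddress.ip_address(conn["left"])
    # Assumption: without leftsubnet the conn's local selector is the host address /32.
    offered = ipaddress.ip_network(conn.get("leftsubnet", "%s/32" % left))
    if req["left_subnet"] != offered:
        why = "peer wants local selector %s, conn offers %s" % (req["left_subnet"], offered)
        if req["left_subnet"].network_address != left:
            why += " (peer addresses this host by its NAT'd public IP)"
        out.append((why, "leftsubnet=%s" % req["left_subnet"]))
    # Assumption: remote selector is rightsubnet, else rightsubnetwithin, else peer address /32.
    if "rightsubnet" in conn:
        allowed = ipaddress.ip_network(conn["rightsubnet"])
    elif "rightsubnetwithin" in conn:
        allowed = ipaddress.ip_network(conn["rightsubnetwithin"])
    else:
        allowed = ipaddress.ip_network("%s/32" % req["right_host"])
    if not req["right_subnet"].subnet_of(allowed):
        why = "peer proposes remote selector %s, conn allows %s" % (req["right_subnet"], allowed)
        if req["right_id"] and req["right_id"] != req["right_host"]:
            why += " (peer ID %s differs from its outer address %s: peer is NATed)" % (
                req["right_id"], req["right_host"])
        out.append((why, "rightsubnetwithin=%s (or a wider range containing it)" % req["right_subnet"]))
    # Assumption: protocol/port must match exactly; %any is port 0 on the wire.
    for side in ("left", "right"):
        want = req[side + "_protoport"]
        have = _parse_protoport(conn.get(side + "protoport"))
        if want != have:
            out.append(("peer proposes %s %s, conn has %s" % (side, _fmt_protoport(want), _fmt_protoport(have)),
                        "%sprotoport=%s" % (side, _fmt_protoport(want))))
    return out


if __name__ == "__main__":
    for name, sel, conn in (("Ingmar", INGMAR_SELECTOR, INGMAR_CONN), ("Dan", DAN_SELECTOR, DAN_CONN)):
        print(name)
        for why, fix in diagnose(sel, conn):
            print("  %s\n    -> %s" % (why, fix))
```

Run against Dan's log the first finding is exactly Andreas's leftsubnet=53.74.66.108/32; against Ingmar's log it additionally shows that the Android client proposes 17/0 (any port) on its side while conn nat-t pins rightprotoport=17/1701, and that the inner address in the peer's ID (10.152.73.157) is not the NAT address pluto instantiated the conn for, which is what "both are NATed" in his log refers to. Treat the suggested lines as places to look, not as a verified configuration.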