[strongSwan] Help Connecting Strongswan to iPhone

Andreas Steffen andreas.steffen at strongswan.org
Wed Jun 29 22:19:17 CEST 2011


Due to the double NAT situation you must add

leftsubnet=53.33.152.45/32
rightsubnet=10.152.73.157/32

Regards

Andreas

On 06/29/2011 10:02 PM, Ingmar Rosenhagen wrote:
> Hi,
>
> I've nearly the same situation.
> Strongswan behind a NAT-Router and trying to connect with my Android Handset.
>
> My Config looks like this:
>
> config setup
>          # plutodebug=all
>          # crlcheckinterval=600
>          # strictcrlpolicy=yes
>          # cachecrls=yes
>          nat_traversal=yes
>          charonstart=yes
>          plutostart=yes
>
>
> conn nat-t
>          left=192.168.178.3
>          leftnexthop=%defaultroute
>          leftprotoport=17/1701
>          right=%any
>          rightprotoport=17/1701
>          auto=add
>          authby=secret
>          type=tunnel
>          pfs=no
>
> Obviously 192.168.178.3 is my internal IP; 192.168.178.1 would be my next hop.
> On my android-device I configured it to connect to a dyndns-account of my public ip, and on my router ports udp 400+4500 are forwarded to 192.168.178.3. When trying to connect I get:
>
> Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: received Vendor ID payload [RFC 3947]
> Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Jun 29 21:55:09 adelheid pluto[3943]: packet from 19.24.143.13:20887: ignoring Vendor ID payload [FRAGMENTATION 80000000]
> Jun 29 21:55:09 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: responding to Main Mode from unknown peer 19.24.143.13:20887
> Jun 29 21:55:10 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: NAT-Traversal: Result using RFC 3947: both are NATed
> Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[1] 19.24.143.13:20887 #1: Peer ID is ID_IPV4_ADDR: '10.152.73.157'
> Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:20887 #1: deleting connection "nat-t" instance with peer 19.24.143.13 {isakmp=#0/ipsec=#0}
> Jun 29 21:55:12 adelheid pluto[3943]: | NAT-T: new mapping 19.24.143.13:20887/19739)
> Jun 29 21:55:12 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: sent MR3, ISAKMP SA established
> Jun 29 21:55:13 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: cannot respond to IPsec SA request because no connection is known for 53.33.152.45/32===192.168.178.3:4500:17/1701...19.24.143.13:19739[10.152.73.157]:17/0===10.152.73.157/32
> Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: sending encrypted notification INVALID_ID_INFORMATION to 19.24.143.13:19739
>
> I've no idea left what else one should try to get a setup like this working.
>
> Do you have any more hints?
>

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
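As an added illustration (not code from this thread or from strongSwan), a small Python parser for the selector expression pluto prints in its "no connection is known for" line; run on the log line quoted above it yields exactly the leftsubnet/rightsubnet values given in the reply, and it flags the double-NAT symptom of a left selector that is a public address different from the host's own. The sample line is a constructed copy of the one from the quoted message; the function names are my own.

```python
"""Turn pluto's "cannot respond to IPsec SA request because no connection is
known for A===B:port:proto/port...C:port[id]:proto/port===D" line into the
leftsubnet/rightsubnet the responder would need to match the request."""
import re
from typing import Optional

# Constructed sample: the pluto line quoted in the thread above.
SAMPLE_LINE = (
    'Jun 29 21:55:14 adelheid pluto[3943]: "nat-t"[2] 19.24.143.13:19739 #1: '
    "cannot respond to IPsec SA request because no connection is known for "
    "53.33.152.45/32===192.168.178.3:4500:17/1701"
    "...19.24.143.13:19739[10.152.73.157]:17/0===10.152.73.157/32"
)
MARKER = "no connection is known for "

# Left end: optional "subnet===", host[:port], optional "[id]", then proto/port.
LEFT_RE = re.compile(
    r"^(?:(?P<subnet>[0-9.]+/\d+)===)?(?P<host>[0-9.]+)(?::(?P<port>\d+))?"
    r"(?:\[(?P<id>[^\]]*)\])?:(?P<proto>\d+)/(?P<pport>\d+)$"
)
# Right end: host[:port], optional "[id]", proto/port, then optional "===subnet".
RIGHT_RE = re.compile(
    r"^(?P<host>[0-9.]+)(?::(?P<port>\d+))?(?:\[(?P<id>[^\]]*)\])?"
    r":(?P<proto>\d+)/(?P<pport>\d+)(?:===(?P<subnet>[0-9.]+/\d+))?$"
)


def parse_selectors(line: str) -> Optional[dict]:
    """Split the selector expression into its left and right ends; None if the
    line is not a "no connection is known for" message."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    left_str, sep, right_str = line[idx + len(MARKER):].strip().partition("...")
    lm, rm = LEFT_RE.match(left_str), RIGHT_RE.match(right_str)
    if not (sep and lm and rm):
        return None
    return {"left": lm.groupdict(), "right": rm.groupdict()}


def suggest_subnets(line: str) -> Optional[dict]:
    """Derive the ipsec.conf values that would make the requested selectors
    match. No subnet in the log means the end host's own address (host/32)."""
    parsed = parse_selectors(line)
    if parsed is None:
        return None
    left, right = parsed["left"], parsed["right"]
    leftsubnet = left["subnet"] or f"{left['host']}/32"
    return {
        "leftsubnet": leftsubnet,
        "rightsubnet": right["subnet"] or f"{right['host']}/32",
        "leftprotoport": f"{left['proto']}/{left['pport']}",
        "rightprotoport": f"{right['proto']}/{right['pport']}",
        "peer_id": right["id"],
        # Left selector is an address other than the host itself: the peer
        # addresses the NAT's public IP, so leftsubnet must name it explicitly.
        "left_behind_nat": leftsubnet != f"{left['host']}/32",
    }
```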




More information about the Users mailing list