[strongSwan] IPAD via NATed firewall doesn't work

Martin Kellermann kellermann at sk-datentechnik.com
Wed Mar 30 09:57:20 CEST 2011


Hi,

is there still no solution for this?

I ran into the same situation as Uli, getting the
"cannot respond to IPsec SA request because no connection is known"
error.

I want the following setup:

iPad <-- NOT NATed --> internet <-- DSL router --> strongSwan (NATed)

so just the strongSwan server's side is NATed.

I recompiled strongSwan (on Debian) with the NAT-T patch enabled and auth.log
says: "including NAT-Traversal patch (Version 0.6c)"

ipsec.conf:
config setup
     nat_traversal=yes
     charonstart=yes
     plutostart=yes
conn ipads
     authby=psk
     pfs=no
     rekey=no
     type=tunnel
     forceencaps=yes
     esp=aes128-sha1
     ike=aes128-sha-modp1024
     left=%defaultroute
     leftprotoport=17/1701
     right=%any
     rightprotoport=17/%any
     rightsubnetwithin=0.0.0.0/0
     auto=add

ipsec.secrets:
192.168.0.251 %any : PSK "xxxxxxxxxx"

auth.log:
Mar 29 16:39:45 vpn pluto[28437]:   loaded PSK secret for 192.168.0.251 %any
Mar 29 16:39:45 vpn ipsec_starter[28436]: charon (28444) started after 40 ms
Mar 29 16:39:45 vpn pluto[28437]: added connection description "ipads"
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
received Vendor ID payload [RFC 3947]
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: 
received Vendor ID payload [Dead Peer Detection]
Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: 
responding to Main Mode from unknown peer 2.206.202.168
Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: 
NAT-Traversal: Result using RFC 3947: i am NATed
Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: ignoring 
informational payload, type IPSEC_INITIAL_CONTACT
Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: Peer ID 
is ID_IPV4_ADDR: '2.206.202.168'
Mar 29 16:39:51 vpn pluto[28437]: | NAT-T: new mapping 
2.206.202.168:500/4500)
Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sent 
MR3, ISAKMP SA established
Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
cannot respond to IPsec SA request because no connection is known for 
188.101.67.77/32===192.168.0.251:4500[192.168.0.251]:17/1701...2.206.202.168:4500[2.206.202.168]:17/%any
Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
sending encrypted notification INVALID_ID_INFORMATION to 2.206.202.168:4500
Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used 
Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used 
Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
Mar 29 16:40:01 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used 
Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
Mar 29 16:40:01 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
Mar 29 16:40:04 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used 
Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
Mar 29 16:40:04 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
Mar 29 16:40:07 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used 
Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
Mar 29 16:40:07 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
Mar 29 16:40:10 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used 
Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
Mar 29 16:40:10 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
Mar 29 16:40:13 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used 
Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
Mar 29 16:40:13 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
Mar 29 16:40:16 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used 
Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
Mar 29 16:40:16 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
Quick Mode I1 message is unacceptable because it uses a previously used 
Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: 
received Delete SA payload: deleting ISAKMP State #1
Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500: 
deleting connection "ipads" instance with peer 2.206.202.168 
{isakmp=#0/ipsec=#0}
Mar 29 16:40:23 vpn pluto[28437]: ERROR: asynchronous network error 
report on eth0 for message to 2.206.202.168 port 4500, complainant 
2.206.202.168: Connection refused [errno 111, origin ICMP type 3 code 3 
(not authenticated)]

Any ideas?

Regards

On 08.02.2011 20:51, Uli Joergens wrote:
>
> Hello, I’m back again...
>
> I recompiled strongSwan with that option and I set up the 
> configuration according to that guide. NAT traversal seems to be O.K. 
> (as it was actually with the SuSE strongSwan package).
>
> Unfortunately it still throws the same error message: “cannot respond 
> to IPsec SA request because no connection is known for 
> 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}”
>
> I don’t quite understand what Pluto is trying to do there and what 
> information is missing for finding the connection. It looks like it 
> already found the connection “L2TP”.
>
> Any ideas what’s going wrong there?
>
> Here the logfile again:
>
> Feb  8 20:21:15 webfrontend ipsec_starter[28321]: Starting strongSwan 4.5.0 IPsec [starter]...
> Feb  8 20:21:16 webfrontend pluto[28330]: Starting IKEv1 pluto daemon (strongSwan 4.5.0) THREADS VENDORID
> Feb  8 20:21:16 webfrontend pluto[28330]: listening on interfaces:
> Feb  8 20:21:16 webfrontend pluto[28330]:   eth0
> Feb  8 20:21:16 webfrontend pluto[28330]:     192.168.1.250
> Feb  8 20:21:16 webfrontend pluto[28330]:     fe80::20c:29ff:fe60:14ef
> Feb  8 20:21:16 webfrontend ipsec_starter[28329]: pluto (28330) started after 20 ms
> Feb  8 20:21:16 webfrontend pluto[28330]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem gmp hmac xauth attr kernel-netlink resolve
> Feb  8 20:21:16 webfrontend pluto[28330]:   including NAT-Traversal patch (Version 0.6c)
> Feb  8 20:21:16 webfrontend charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
> Feb  8 20:21:16 webfrontend charon: 00[KNL] listening on interfaces:
> Feb  8 20:21:16 webfrontend charon: 00[KNL]   eth0
> Feb  8 20:21:16 webfrontend charon: 00[KNL]     192.168.1.250
> Feb  8 20:21:16 webfrontend charon: 00[KNL]     fe80::20c:29ff:fe60:14ef
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Feb  8 20:21:16 webfrontend charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Feb  8 20:21:16 webfrontend charon: 00[CFG]   loaded IKE secret for 192.168.1.250 %any
> Feb  8 20:21:16 webfrontend charon: 00[CFG]   loaded IKE secret for 192.168.1.250 193.247.250.19
> Feb  8 20:21:16 webfrontend charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
> Feb  8 20:21:16 webfrontend charon: 00[JOB] spawning 16 worker threads
> Feb  8 20:21:16 webfrontend ipsec_starter[28329]: charon (28331) started after 60 ms
> Feb  8 20:21:16 webfrontend charon: 06[CFG] received stroke: add connection 'L2TP'
> Feb  8 20:21:16 webfrontend charon: 06[CFG] added configuration 'L2TP'
> Feb  8 20:21:16 webfrontend pluto[28330]: loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Feb  8 20:21:16 webfrontend pluto[28330]: loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Feb  8 20:21:16 webfrontend pluto[28330]: loading ocsp certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Feb  8 20:21:16 webfrontend pluto[28330]: Changing to directory '/usr/local/etc/ipsec.d/crls'
> Feb  8 20:21:16 webfrontend pluto[28330]: loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Feb  8 20:21:16 webfrontend pluto[28330]: spawning 4 worker threads
> Feb  8 20:21:16 webfrontend pluto[28330]: listening for IKE messages
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 192.168.1.250:500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface eth0/eth0 192.168.1.250:4500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.2:500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.2:4500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.1:500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo 127.0.0.1:4500
> Feb  8 20:21:16 webfrontend pluto[28330]: adding interface lo/lo ::1:500
> Feb  8 20:21:16 webfrontend pluto[28330]: loading secrets from "/usr/local/etc/ipsec.secrets"
> Feb  8 20:21:16 webfrontend pluto[28330]:   loaded PSK secret for 192.168.1.250 %any
> Feb  8 20:21:16 webfrontend pluto[28330]:   loaded PSK secret for 192.168.1.250 193.247.250.19
> Feb  8 20:21:16 webfrontend pluto[28330]: added connection description "L2TP"
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: received Vendor ID payload [RFC 3947]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Feb  8 20:21:27 webfrontend pluto[28330]: packet from 193.247.250.15:141: received Vendor ID payload [Dead Peer Detection]
> Feb  8 20:21:27 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: responding to Main Mode from unknown peer 193.247.250.15:141
> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: NAT-Traversal: Result using RFC 3947: both are NATed
> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[1] 193.247.250.15:141 #1: Peer ID is ID_IPV4_ADDR: '10.114.236.80'
> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:141 #1: deleting connection "L2TP" instance with peer 193.247.250.15 {isakmp=#0/ipsec=#0}
> Feb  8 20:21:28 webfrontend pluto[28330]: | NAT-T: new mapping 193.247.250.15:141/33096)
> Feb  8 20:21:28 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sent MR3, ISAKMP SA established
> Feb  8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}
> Feb  8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sending encrypted notification INVALID_ID_INFORMATION to 193.247.250.15:33096
> Feb  8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x6f7badea (perhaps this is a duplicated packet)
> Feb  8 20:21:33 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: sending encrypted notification INVALID_MESSAGE_ID to 193.247.250.15:33096
>
> *From:* Martin Lambev [mailto:fsh3mve at gmail.com]
> *Sent:* Monday, 7 February 2011 16:28
> *To:* Uli Joergens
> *Subject:* Re: [strongSwan] IPAD via NATed firewall doesn't work
>
> There is a really good copy/paste guide for strongSwan & iPhone, iPad, Mac 
> here:
> <http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/> 
>
> You need to build strongSwan from source with --enable-nat-transport, 
> otherwise it will not work.
> Here is a note 
> <http://blog.windfluechter.net/archives/916-StrongSwan-and-L2TPIPsec-on-Debian.html> 
> that you need to know about, on the security issue of enabling that feature.
>
> And you do not need dyndns for your iPad, it will work without one; 
> one for your router is enough.
> But in case you ever need it, there is a dyndns client for iPad/iPhone 
> in the App Store.
>
> However, I did not try either of these because I do not have an iDevice.
>
> Best regards,
> Martin
>
> On 02/07/2011 03:15 PM, Uli Joergens wrote:
>
> Hi Martin
>
> Thanks a lot for your suggestions. I'll give the internet café a try, 
> just to make sure it's not Sunrise causing problems with their NAT.
>
> I don't think the iPad supports dyndns, otherwise I would try that as 
> well. I'll have a look.
>
> Regards
>
> Uli
>
>
> On 07.02.2011, at 00:51, Martin Lambew <fsh3mve at gmail.com 
> <mailto:fsh3mve at gmail.com>> wrote:
>
>     Hi Uli,
>
>     Did you try to connect to your IPsec tunnel from the internet but
>     not over 3G, for example from an internet café etc.?
>
>     I assume that your mydomain.dyndns.org
>     <http://mydomain.dyndns.org> is for your DR-855 internet GW? If
>     that is true, why not try the following setup:
>     iPad<>ipad.dyndns.org<>mydomain.dyndns.org<>dr-855.... etc.
>
>     conn L2TP
>     left=mydomain.dyndns.org
>     leftnexthop=%defaultroute
>     leftsubnet=192.168.1.250/255.255.255.0
>     leftfirewall=yes
>     #lefthostaccess=yes
>     right=ipad.dyndns.org
>     rightsubnet=%Any
>     rightnexthop=%defaultroute
>     .....
>     Regards,
>
>     Martin
>
>     -- 
>     Sent from mobile location
>
>     ----- Original message -----
>     > Hello Andreas
>     >
>     > Thanks for the rapid response!
>     > 86.194.205.27 is the public IP-address (dynamic) of my internet gateway.
>     > The dyndns entry points to that address.
>     > I guess that's where it all goes wrong but I can't really see how to
>     > configure that with strongSwan. I tried to put that address into the
>     > right-parameter (plus the ipsec secrets) as well, but it doesn't change
>     > anything. The iPad is NATed (Sunrise) as well as my internet access.
>     > Is it actually feasible that way?
>     >
>     > Regards
>     > Uli
>     >
>     > -----Original Message-----
>     > From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
>     > Sent: Sunday, 6 February 2011 19:13
>     > To: Uli Joergens
>     > Cc: users at lists.strongswan.org <mailto:users at lists.strongswan.org>
>     > Subject: Re: [strongSwan] IPAD via NATed firewall doesn't work
>     >
>     > Hello Uli,
>     >
>     > why does the peer want to access 86.194.205.27/32
>     > behind strongSwan gateway 192.168.1.250?
>     >
>     > Regards
>     >
>     > Andreas
>     >
>     > On 06.02.2011 18:50, Uli Joergens wrote:
>     > > Hello
>     > >
>     > >
>     > >
>     > > I'm trying to configure strongSwan for accessing my home network with
>     > > my iPad.
>     > >
>     > > I do manage to build up the VPN tunnel within the WLAN with the
>     > > ipsec.conf below.
>     > >
>     > > # ipsec.conf - strongSwan IPsec configuration file
>     > >
>     > > # basic configuration
>     > >
>     > > config setup
>     > >      nat_traversal=yes
>     > >      charonstart=no
>     > >      plutostart=yes
>     > >
>     > > conn L2TP
>     > >      authby=psk
>     > >      keyexchange=ikev1
>     > >      pfs=no
>     > >      rekey=no
>     > >      type=tunnel
>     > >      esp=aes128-sha1
>     > >      ike=aes128-sha-modp1024
>     > >      left=192.168.1.250
>     > >      leftprotoport=17/1701
>     > >      right=%any
>     > >      rightprotoport=17/%any
>     > >      rightsubnetwithin=0.0.0.0/0
>     > >      auto=add
>     > >
>     > > As soon as I try to access through the internet (dynamic IP-address via
>     > > dyndns), I get the following error message: "cannot respond to IPsec
>     > > SA request because no connection is known for" (see log below):
>     > >
>     > > Feb  6 18:45:43 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: responding to Main Mode from unknown peer 193.247.250.41:397
>     > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: NAT-Traversal: Result using RFC 3947: both are NATed
>     > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
>     > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[6] 193.247.250.41:397 #5: Peer ID is ID_IPV4_ADDR: '10.165.74.84'
>     > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:397 #5: deleting connection "L2TP" instance with peer 193.247.250.41 {isakmp=#0/ipsec=#0}
>     > > Feb  6 18:45:44 webfrontend pluto[26687]: | NAT-T: new mapping 193.247.250.41:397/18954)
>     > > Feb  6 18:45:44 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: sent MR3, ISAKMP SA established
>     > > Feb  6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: cannot respond to IPsec SA request because no connection is known for 86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701...193.247.250.41:18954[10.165.74.84]:17/%any==={10.165.74.84/32}
>     > > Feb  6 18:45:45 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: sending encrypted notification INVALID_ID_INFORMATION to 193.247.250.41:18954
>     > > Feb  6 18:45:48 webfrontend pluto[26687]: "L2TP"[7] 193.247.250.41:18954 #5: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1e7f53a7 (perhaps this is a duplicated packet)
>     > >
>     > > My config looks like the following:
>     > >
>     > > iPad -> 3G -> MyDomain.dyndns.org <http://MyDomain.dyndns.org> -> DIR-855 internet gateway
>     > > (192.168.1.1) -> VPN-gateway (192.168.1.250) -> LAN / WLAN 192.168.1.0
>     > >
>     > > I tried all sorts of combinations including the NATed iPad address as
>     > > parameter "right" (as well as the parameters rightsubnet,
>     > > rightsubnetwithin) but it doesn't change anything. I presume I got
>     > > something fundamentally wrong.
>     > >
>     > > Did anybody manage to get VPN up and running in a similar
>     > > configuration?
>     > >
>     > > Regards
>     > >
>     > > Uli
>     >
>     >
>     ======================================================================
>
>     > Andreas Steffen andreas.steffen at strongswan.org
>     <mailto:andreas.steffen at strongswan.org>
>     > strongSwan - the Linux VPN Solution! www.strongswan.org
>     <http://www.strongswan.org>
>     > Institute for Internet Technologies and Applications
>     > University of Applied Sciences Rapperswil
>     > CH-8640 Rapperswil (Switzerland)
>     >
>     ===========================================================[ITA-HSR]==
>
>     >
>     >
>     > _______________________________________________
>     > Users mailing list
>     > Users at lists.strongswan.org <mailto:Users at lists.strongswan.org>
>     > https://lists.strongswan.org/mailman/listinfo/users
>
>
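As an added example, not part of the thread or of strongSwan's own code: a small Python helper that splits the selector in pluto's "cannot respond to IPsec SA request because no connection is known for ..." line into its two ends and states what each mismatch means. The field layout, client===host:port[IKE ID]:proto/port...host:port[IKE ID]:proto/port==={client}, is read off the lines quoted above; the IPv4-only regex is an assumption, and the sample input is the two selectors from this thread rejoined onto single lines, as syslog writes them.

```python
"""Decode pluto's "cannot respond to IPsec SA request because no connection is
known for ..." log line into its two ends and report why no conn matched."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two selector lines quoted in the thread,
# each rejoined onto a single line the way syslog actually writes it.
SAMPLE_LINES = [
    'Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '188.101.67.77/32===192.168.0.251:4500[192.168.0.251]:17/1701'
    '...2.206.202.168:4500[2.206.202.168]:17/%any',
    'Feb  8 20:21:30 webfrontend pluto[28330]: "L2TP"[2] 193.247.250.15:33096 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '86.194.205.27/32===192.168.1.250:4500[192.168.1.250]:17/1701'
    '...193.247.250.15:33096[10.114.236.80]:17/%any==={10.114.236.80/32}',
]

_SELECTOR_RE = re.compile(r"no connection is known for (\S+)")

# One end of the description as pluto prints it (layout read off the lines
# above; IPv4-only is an assumption that holds for every line in the thread):
#   [client===]host[:port][ike-id]:proto/port[==={client}]
_END_RE = re.compile(
    r"^(?:(?P<client_pre>[^=]+)===)?"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?::(?P<port>\d+))?"
    r"\[(?P<ike_id>[^\]]*)\]"
    r":(?P<proto>\d+)/(?P<pport>[^=]+?)"
    r"(?:===\{(?P<client_post>[^}]+)\})?$"
)


@dataclass
class End:
    host: str               # IKE address of this end as seen on the wire
    port: Optional[int]     # UDP port: 500, 4500, or a NAT-rewritten port
    ike_id: str             # identity sent in IKE (the peer's own view of itself)
    proto: int              # IP protocol of the traffic selector (17 = UDP)
    pport: str              # port of the traffic selector, e.g. "1701" or "%any"
    client: Optional[str]   # subnet wanted behind this end, if one was proposed


def parse_end(text: str) -> End:
    m = _END_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised connection end: {text!r}")
    return End(
        host=m.group("host"),
        port=int(m.group("port")) if m.group("port") else None,
        ike_id=m.group("ike_id"),
        proto=int(m.group("proto")),
        pport=m.group("pport"),
        client=m.group("client_pre") or m.group("client_post"),
    )


def parse_line(line: str) -> Optional[Tuple[End, End]]:
    """Return (local_end, peer_end) for a 'no connection is known' line, else None."""
    m = _SELECTOR_RE.search(line)
    if m is None:
        return None
    left, sep, right = m.group(1).partition("...")   # pluto joins the ends with "..."
    if not sep:
        raise ValueError(f"no '...' separator in selector: {m.group(1)!r}")
    return parse_end(left), parse_end(right)


def diagnose(local: End, peer: End) -> List[str]:
    """Explain, from the selector alone, which side cannot match any conn."""
    findings = []
    if local.client and local.client != f"{local.host}/32":
        findings.append(
            f"peer asks for local selector {local.client}, but this gateway's "
            f"address is {local.host}; no conn has that leftsubnet"
        )
    if peer.ike_id != peer.host:
        findings.append(
            f"peer is behind NAT: its IKE ID {peer.ike_id} differs from its "
            f"source address {peer.host}"
        )
    if peer.port not in (None, 500, 4500):
        findings.append(f"peer's UDP source port was rewritten by a NAT to {peer.port}")
    if local.proto == 17 and local.pport == "1701":
        findings.append("local protoport 17/1701: this is an L2TP/IPsec client")
    return findings


def analyse(lines: List[str]) -> List[Tuple[End, End, List[str]]]:
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            results.append((parsed[0], parsed[1], diagnose(*parsed)))
    return results


if __name__ == "__main__":
    for local, peer, findings in analyse(SAMPLE_LINES):
        print(f"{local.host} <-> {peer.host}")
        for finding in findings:
            print("  -", finding)
```

Run over the two lines above, the first finding for each is the one Andreas points at in his question: the peer proposes 188.101.67.77/32 (respectively 86.194.205.27/32) as the gateway's side of the traffic selector, while the conn's left is 192.168.0.251 (192.168.1.250), so pluto has no connection to match. The remaining findings only restate what pluto already logged for Uli's case ("both are NATed", the 141/33096 port mapping).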