[strongSwan] IPAD via NATed firewall doesn't work
Andreas Steffen
andreas.steffen at strongswan.org
Wed Mar 30 12:37:33 CEST 2011
Hello Martin,
Because the responder is NAT-ed, you don't have to set
rightsubnetwithin but
leftsubnetwithin=0.0.0.0/0
Regards
Andreas
On 30.03.2011 09:57, Martin Kellermann wrote:
> hi,
>
> Is there still no solution for this?
>
> I ran into the same situation as Uli, getting the
> "cannot respond to IPsec SA request because no connection is known"
> error.
>
> I want the following setup:
>
> iPad <-- NOT NATed --> internet <-- DSL router --> strongswan (NATed)
>
> So just the strongSwan server's side is NATed.
>
> I recompiled strongSwan (on Debian) with the NAT-T patch enabled, and auth.log
> says: "including NAT-Traversal patch (Version 0.6c)"
>
> ipsec.conf:
> config setup
>     nat_traversal=yes
>     charonstart=yes
>     plutostart=yes
>
> conn ipads
>     authby=psk
>     pfs=no
>     rekey=no
>     type=tunnel
>     forceencaps=yes
>     esp=aes128-sha1
>     ike=aes128-sha-modp1024
>     left=%defaultroute
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/%any
>     rightsubnetwithin=0.0.0.0/0
>     auto=add
>
> ipsec.secrets:
> 192.168.0.251 %any : PSK "xxxxxxxxxx"
>
> auth.log:
> Mar 29 16:39:45 vpn pluto[28437]: loaded PSK secret for 192.168.0.251 %any
> Mar 29 16:39:45 vpn ipsec_starter[28436]: charon (28444) started after 40 ms
> Mar 29 16:39:45 vpn pluto[28437]: added connection description "ipads"
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> received Vendor ID payload [RFC 3947]
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500:
> received Vendor ID payload [Dead Peer Detection]
> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1:
> responding to Main Mode from unknown peer 2.206.202.168
> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1:
> NAT-Traversal: Result using RFC 3947: i am NATed
> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: ignoring
> informational payload, type IPSEC_INITIAL_CONTACT
> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: Peer ID
> is ID_IPV4_ADDR: '2.206.202.168'
> Mar 29 16:39:51 vpn pluto[28437]: | NAT-T: new mapping
> 2.206.202.168:500/4500)
> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sent
> MR3, ISAKMP SA established
> Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> cannot respond to IPsec SA request because no connection is known for
> 188.101.67.77/32===192.168.0.251:4500[192.168.0.251]:17/1701...2.206.202.168:4500[2.206.202.168]:17/%any
> Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_ID_INFORMATION to 2.206.202.168:4500
> Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
> Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
> Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
> Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
> Mar 29 16:40:01 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
> Mar 29 16:40:01 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
> Mar 29 16:40:04 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
> Mar 29 16:40:04 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
> Mar 29 16:40:07 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
> Mar 29 16:40:07 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
> Mar 29 16:40:10 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
> Mar 29 16:40:10 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
> Mar 29 16:40:13 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
> Mar 29 16:40:13 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
> Mar 29 16:40:16 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
> Mar 29 16:40:16 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
> Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> Quick Mode I1 message is unacceptable because it uses a previously used
> Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
> Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
> Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1:
> received Delete SA payload: deleting ISAKMP State #1
> Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500:
> deleting connection "ipads" instance with peer 2.206.202.168
> {isakmp=#0/ipsec=#0}
> Mar 29 16:40:23 vpn pluto[28437]: ERROR: asynchronous network error
> report on eth0 for message to 2.206.202.168 port 4500, complainant
> 2.206.202.168: Connection refused [errno 111, origin ICMP type 3 code 3
> (not authenticated)]
>
> Any ideas?
>
> Regards
>
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
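The reason Andreas points at leftsubnetwithin rather than rightsubnetwithin is visible in the quoted log line: the iPad proposes 188.101.67.77/32 (the DSL router's public address) as the server-side traffic selector, while the conn only knows its private address 192.168.0.251, so pluto finds no matching connection. The script below is an added example for this thread, not strongSwan code; it parses a pluto "no connection is known for" line and checks the proposed selectors against a conn definition, once as posted (rightsubnetwithin=0.0.0.0/0) and once with leftsubnetwithin=0.0.0.0/0. The matching rules it applies are a simplified model of pluto's selector match and are an assumption, not pluto's real code; the log line is a constructed copy of the one in the thread. Note that pluto no longer exists in strongSwan 5.x.

```python
"""Check a pluto "no connection is known for ..." line against a conn.

Added example, not strongSwan code. The match rule is a simplified model
(an assumption): on each side the proposed subnet must equal the configured
subnet (default: host/32) unless a *subnetwithin range is set, in which case
it only has to fit inside that range; protocol must match and a configured
port must match unless it is %any.
"""
import ipaddress
import re
from typing import Optional

# pluto prints the proposal it could not match as
#   [lsubnet===]lhost:port[lid]:proto/port...[rsubnet===]rhost:port[rid]:proto/port
# and omits the "subnet===" part when the selector is the host address itself.
PROPOSAL_RE = re.compile(
    r"no connection is known for "
    r"(?:(?P<lsubnet>[\d.]+/\d+)===)?(?P<lhost>[\d.]+):\d+\[[^\]]*\]:(?P<lproto>\d+)/(?P<lport>%any|\d+)"
    r"\.\.\."
    r"(?:(?P<rsubnet>[\d.]+/\d+)===)?(?P<rhost>[\d.]+):\d+\[[^\]]*\]:(?P<rproto>\d+)/(?P<rport>%any|\d+)"
)

# Constructed sample log line, shaped like the one quoted in the thread.
SAMPLE_LOG = (
    'Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: '
    "cannot respond to IPsec SA request because no connection is known for "
    "188.101.67.77/32===192.168.0.251:4500[192.168.0.251]:17/1701..."
    "2.206.202.168:4500[2.206.202.168]:17/%any"
)


def parse_proposal(line: str) -> dict:
    """Extract both proposed selectors; a missing subnet means host/32."""
    m = PROPOSAL_RE.search(line)
    if not m:
        raise ValueError("not a pluto 'no connection is known' line")
    d = m.groupdict()
    out = {}
    for side in ("l", "r"):
        host = d[side + "host"]
        out[side + "host"] = host
        out[side + "subnet"] = ipaddress.ip_network(d[side + "subnet"] or host + "/32", strict=False)
        out[side + "proto"] = int(d[side + "proto"])
        out[side + "port"] = d[side + "port"]
    return out


class Conn:
    """Subset of ipsec.conf conn settings that decide selector matching.
    Addresses are passed already resolved (left=%defaultroute -> 192.168.0.251,
    right=%any -> the peer that connected)."""

    def __init__(self, left, right, leftprotoport="0/0", rightprotoport="0/0",
                 leftsubnet=None, rightsubnet=None,
                 leftsubnetwithin=None, rightsubnetwithin=None):
        self.side = {
            "l": self._side(left, leftsubnet, leftsubnetwithin, leftprotoport),
            "r": self._side(right, rightsubnet, rightsubnetwithin, rightprotoport),
        }

    @staticmethod
    def _side(host, subnet, within, protoport):
        proto, port = protoport.split("/")
        return {
            "subnet": ipaddress.ip_network(subnet or host + "/32", strict=False),
            "within": ipaddress.ip_network(within, strict=False) if within else None,
            "proto": int(proto),
            "port": port,
        }


def explain_mismatch(conn: Conn, proposal: dict) -> Optional[str]:
    """Return None if the proposal matches the conn, else the first reason."""
    for side, name in (("l", "left"), ("r", "right")):
        cfg, want = conn.side[side], proposal[side + "subnet"]
        if cfg["within"] is not None:
            if not want.subnet_of(cfg["within"]):
                return f"{name} selector {want} is outside {name}subnetwithin={cfg['within']}"
        elif want != cfg["subnet"]:
            return f"{name} selector {want} is not the configured {name} subnet {cfg['subnet']}"
        if cfg["proto"] != 0 and proposal[side + "proto"] != cfg["proto"]:
            return f"{name} protocol {proposal[side + 'proto']} != {name}protoport={cfg['proto']}/{cfg['port']}"
        if cfg["port"] not in ("%any", "0") and proposal[side + "port"] != cfg["port"]:
            return f"{name} port {proposal[side + 'port']} != {name}protoport={cfg['proto']}/{cfg['port']}"
    return None


def diagnose(line: str = SAMPLE_LOG) -> dict:
    """Evaluate the conn as posted in the thread and with Andreas's fix applied."""
    p = parse_proposal(line)
    common = dict(left="192.168.0.251", right=p["rhost"],
                  leftprotoport="17/1701", rightprotoport="17/%any")
    posted = Conn(rightsubnetwithin="0.0.0.0/0", **common)   # as in the thread
    fixed = Conn(leftsubnetwithin="0.0.0.0/0", **common)     # Andreas's suggestion
    return {"posted": explain_mismatch(posted, p), "fixed": explain_mismatch(fixed, p)}


if __name__ == "__main__":
    for name, reason in diagnose().items():
        print(f"{name}: {'match' if reason is None else reason}")
```

With the posted conn the script reports that the left selector 188.101.67.77/32 is not the configured 192.168.0.251/32; with leftsubnetwithin=0.0.0.0/0 it matches. The 0.0.0.0/0 range is wide, but leftprotoport=17/1701 still confines the SA to UDP 1701 on the server, which is what an L2TP-over-IPsec client needs.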