[strongSwan] strongSWAN with NATed OS X roadwarrior client issue (INVALID_ID_INFORMATION & cannot respond to IPsec SA request because ...)
Emil Odelius
emil at odelius.se
Tue May 3 07:40:47 CEST 2011
Hi,
I have been struggling to configure strongSWAN + xl2tpd for a few weeks now, and have reached a point where a publicly accessible (not behind a NAT-device) roadwarrior client can connect to the VPN server (also no NAT). However, for this VPN to be of any use I need to get it functioning with NATed clients. This is pluto's log when a NATed OS X client try to connect:
OS X client = 213.xxx.xxx.3
VPN server = 213.xxx.xxx.9
packet from 213.xxx.xxx.3:500: received Vendor ID payload [RFC 3947]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from 213.xxx.xxx.3:500: received Vendor ID payload [Dead Peer Detection]
"mac"[1] 213.xxx.xxx.3 #1: responding to Main Mode from unknown peer 213.xxx.xxx.3
"mac"[1] 213.xxx.xxx.3 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
"mac"[1] 213.xxx.xxx.3 #1: Peer ID is ID_IPV4_ADDR: '192.168.9.116'
"mac"[2] 213.xxx.xxx.3 #1: deleting connection "mac" instance with peer 213.xxx.xxx.3 {isakmp=#0/ipsec=#0}
| NAT-T: new mapping 213.xxx.xxx.3:500/4500)
"mac"[2] 213.xxx.xxx.3:4500 #1: sent MR3, ISAKMP SA established
"mac"[2] 213.xxx.xxx.3:4500 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
"mac"[2] 213.xxx.xxx.3:4500 #1: cannot respond to IPsec SA request because no connection is known for 213.xxx.xxx.9:4500[213.xxx.xxx.9]:17/1701...213.xxx.xxx.3:4500[192.168.9.116]:17/%any===192.168.9.116/32
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: received Delete SA payload: deleting ISAKMP State #1
"mac"[2] 213.xxx.xxx.3:4500: deleting connection "mac" instance with peer 213.xxx.xxx.3 {isakmp=#0/ipsec=#0}
I have been struggling at this point for a while now and I just cant figure out how to resolve it.
Here is my ipsec.conf file:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
nat_traversal=yes
plutostart=yes
plutostderrlog=/var/log/pluto.log
charonstart=no
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,!%v4:10.9.8.0/24
interfaces=213.xxx.xxx.9
uniqueids=yes
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
pfs=no
keyingtries=1
keyexchange=ikev1
authby=psk
conn mac
left=213.115.56.9
leftsubnet=213.115.56.0/28
esp=aes128-sha1
ike=aes128-sha-modp1024
type=transport
rekey=no
leftprotoport=17/1701
right=%any
rightsubnet=vhost:%no,%priv
rightprotoport=17/%any
auto=add
Apologize for the wall of text :)
I appreciate any and all help!
Best regards,
Emil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110503/1a752880/attachment.html>
More information about the Users
mailing list