[strongSwan] strongSWAN with NATed OS X roadwarrior client issue (INVALID_ID_INFORMATION & cannot respond to IPsec SA request because ...)

Emil Odelius emil at odelius.se
Tue May 3 07:40:47 CEST 2011


Hi,

I have been struggling to configure strongSWAN + xl2tpd for a few weeks now, and have reached a point where a publicly accessible (not behind a NAT device) roadwarrior client can connect to the VPN server (also no NAT). However, for this VPN to be of any use I need to get it functioning with NATed clients. This is pluto's log when a NATed OS X client tries to connect:

OS X client = 213.xxx.xxx.3
VPN server = 213.xxx.xxx.9

packet from 213.xxx.xxx.3:500: received Vendor ID payload [RFC 3947]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
packet from 213.xxx.xxx.3:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
packet from 213.xxx.xxx.3:500: received Vendor ID payload [Dead Peer Detection]
"mac"[1] 213.xxx.xxx.3 #1: responding to Main Mode from unknown peer 213.xxx.xxx.3
"mac"[1] 213.xxx.xxx.3 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
"mac"[1] 213.xxx.xxx.3 #1: Peer ID is ID_IPV4_ADDR: '192.168.9.116'
"mac"[2] 213.xxx.xxx.3 #1: deleting connection "mac" instance with peer 213.xxx.xxx.3 {isakmp=#0/ipsec=#0}
| NAT-T: new mapping 213.xxx.xxx.3:500/4500)
"mac"[2] 213.xxx.xxx.3:4500 #1: sent MR3, ISAKMP SA established
"mac"[2] 213.xxx.xxx.3:4500 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
"mac"[2] 213.xxx.xxx.3:4500 #1: cannot respond to IPsec SA request because no connection is known for 213.xxx.xxx.9:4500[213.xxx.xxx.9]:17/1701...213.xxx.xxx.3:4500[192.168.9.116]:17/%any===192.168.9.116/32
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfcf442bf (perhaps this is a duplicated packet)
"mac"[2] 213.xxx.xxx.3:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 213.xxx.xxx.3:4500
"mac"[2] 213.xxx.xxx.3:4500 #1: received Delete SA payload: deleting ISAKMP State #1
"mac"[2] 213.xxx.xxx.3:4500: deleting connection "mac" instance with peer 213.xxx.xxx.3 {isakmp=#0/ipsec=#0}

I have been struggling at this point for a while now and I just can't figure out how to resolve it.
Here is my ipsec.conf file:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        nat_traversal=yes
        plutostart=yes
        plutostderrlog=/var/log/pluto.log
        charonstart=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,!%v4:10.9.8.0/24
        interfaces=213.xxx.xxx.9
        uniqueids=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        pfs=no
        keyingtries=1
        keyexchange=ikev1
        authby=psk

conn mac
        left=213.115.56.9
        leftsubnet=213.115.56.0/28
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        type=transport
        rekey=no
        leftprotoport=17/1701
        right=%any
        rightsubnet=vhost:%no,%priv
        rightprotoport=17/%any
        auto=add

Apologies for the wall of text :)
I appreciate any and all help!

Best regards,

Emil
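The "cannot respond to IPsec SA request because no connection is known for ..." line above packs the whole Quick Mode proposal into one string: the local endpoint, its ID and proto/port, then the peer endpoint, its ID, proto/port and the traffic selector it asks for. The following script is an added example, not code from the post or from the strongSwan project. It decodes that line and checks the proposal against a conn block using a deliberately simplified version of pluto's matching rules (left host and left client must match exactly, protoports must match with %any as a wildcard, and rightsubnet=vhost:%no,%priv accepts either the peer's own address or any address inside virtual_private minus its "!" exclusions). The masked 213.xxx.xxx.N addresses and the unmasked 213.115.56.x values from ipsec.conf are replaced with the 203.0.113.0/24 documentation range so the sample parses; the sample log line and conn dictionary are constructed from the post, and the mismatch the checker reports is the checker's reading of the log, not a conclusion stated in the thread.

```python
"""Decode pluto's 'no connection is known for ...' line and test it against a conn.

Added example (not from the post or strongSwan). The line layout is taken from
the log quoted above; the matching rules in check_conn() are a simplification
of how pluto selects a connection for a Quick Mode proposal, and are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the log line from the post with 213.xxx.xxx.N -> 203.0.113.N
SAMPLE_LINE = ('"mac"[2] 203.0.113.3:4500 #1: cannot respond to IPsec SA request '
               'because no connection is known for 203.0.113.9:4500[203.0.113.9]:17/1701'
               '...203.0.113.3:4500[192.168.9.116]:17/%any===192.168.9.116/32')

# The 'conn mac' block from the post, with 213.115.56.x -> 203.0.113.x (assumed mapping)
CONN_AS_POSTED = {
    'left': '203.0.113.9', 'leftsubnet': '203.0.113.0/28', 'leftprotoport': '17/1701',
    'right': '%any', 'rightsubnet': 'vhost:%no,%priv', 'rightprotoport': '17/%any',
    'type': 'transport',
}
VIRTUAL_PRIVATE = '%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,!%v4:10.9.8.0/24'

# One endpoint as pluto prints it:  host:ikeport[id]:proto/port   (proto/port optional)
_END = (r'(?P<{p}host>[0-9.]+):(?P<{p}port>\d+)'
        r'\[(?P<{p}id>[^\]]*)\]'
        r'(?::(?P<{p}proto>\d+)/(?P<{p}pport>%any|\d+))?')
# Whole request: [leftclient===]left...right[===rightclient]
_REQ = re.compile(
    r'no connection is known for '
    r'(?:(?P<lclient>[0-9./]+)===)?' + _END.format(p='l') +
    r'\.\.\.' + _END.format(p='r') +
    r'(?:===(?P<rclient>[0-9./]+))?')


@dataclass
class Endpoint:
    host: ipaddress.IPv4Address
    ike_port: int
    ident: str
    proto: int                      # 0 = any
    port: int                       # 0 = any (%any)
    client: ipaddress.IPv4Network   # traffic selector; host/32 when none is printed


def _endpoint(m: 're.Match', p: str) -> Endpoint:
    host = ipaddress.IPv4Address(m.group(p + 'host'))
    client = m.group(p + 'client')
    pport = m.group(p + 'pport')
    return Endpoint(
        host=host,
        ike_port=int(m.group(p + 'port')),
        ident=m.group(p + 'id'),
        proto=int(m.group(p + 'proto') or 0),
        port=0 if pport in (None, '%any') else int(pport),
        client=ipaddress.IPv4Network(client) if client else ipaddress.IPv4Network(f'{host}/32'),
    )


def parse_request(line: str) -> Tuple[Endpoint, Endpoint]:
    """Return (left, right) endpoints of the rejected Quick Mode proposal."""
    m = _REQ.search(line)
    if not m:
        raise ValueError('not a pluto "no connection is known for" line')
    return _endpoint(m, 'l'), _endpoint(m, 'r')


def _protoport(spec: str) -> Tuple[int, int]:
    proto, port = spec.split('/')
    return int(proto), 0 if port == '%any' else int(port)


def check_conn(left: Endpoint, right: Endpoint, conn: dict, virtual_private: str) -> List[str]:
    """Return the reasons the proposal would not match conn; an empty list means a match."""
    problems = []
    if str(left.host) != conn['left']:
        problems.append(f"left host {left.host} != left={conn['left']}")
    # Assumption: the local selector must equal leftsubnet exactly, or host/32 if unset.
    want_left = ipaddress.IPv4Network(conn.get('leftsubnet') or f"{conn['left']}/32")
    if left.client != want_left:
        problems.append(f"left client {left.client} != leftsubnet {want_left}")
    for side, ep in (('left', left), ('right', right)):
        proto, port = _protoport(conn[side + 'protoport'])
        if ep.proto != proto or (port and ep.port != port):
            problems.append(f"{side} protoport {ep.proto}/{ep.port or '%any'} != {conn[side + 'protoport']}")
    allowed, denied = [], []
    for item in virtual_private.split(','):
        net = ipaddress.IPv4Network(item.lstrip('!').replace('%v4:', ''))
        (denied if item.startswith('!') else allowed).append(net)
    rs = conn['rightsubnet']
    ok = False
    if rs.startswith('vhost:'):
        for opt in rs[len('vhost:'):].split(','):
            if opt == '%no' and right.client == ipaddress.IPv4Network(f'{right.host}/32'):
                ok = True            # peer asks for its own address (no virtual IP)
            elif opt == '%priv' and any(right.client.subnet_of(n) for n in allowed) \
                    and not any(right.client.subnet_of(n) for n in denied):
                ok = True            # peer's private address is inside virtual_private
    else:
        ok = right.client == ipaddress.IPv4Network(rs)
    if not ok:
        problems.append(f"right client {right.client} not allowed by rightsubnet={rs}")
    return problems


if __name__ == '__main__':
    l, r = parse_request(SAMPLE_LINE)
    print('proposal:', l, r, sep='\n  ')
    for p in check_conn(l, r, CONN_AS_POSTED, VIRTUAL_PRIVATE) or ['conn matches']:
        print(p)
```

Run against the constructed line, the checker accepts the peer side (192.168.9.116/32 falls inside %priv) and reports only that the proposed local selector is the server's host address while the conn carries a leftsubnet of a /28; dropping leftsubnet from the dictionary makes the proposal match. Whether that is the actual cause on the poster's box is something the log alone cannot prove, so treat the output as a pointer for where to look, not as a verdict.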
