[strongSwan] Double-Nat + IPSec/L2TP "no connection is known"
blue adept
blue.adept.0 at gmail.com
Sat May 14 03:37:38 CEST 2011
Been fighting getting this IPSec / L2TP server going for a fair amount of time, but suspect I still have something wrong with my configuration files. Currently I am stuck getting the IPSec portion to work. Any help would be greatly appreciated.
Network Scenario:
================================================================================
roadwarrior (Windows Vista SP2 - IPSec certificate / L2TP) <--> switch [192.168.1.0/24] <--> router 1 <--> internet

internet <--> router 2 <--> xen vm bridge [192.168.33.0/24] <--> VPN server (StrongSwan U4.5.0/K2.6.38-2-amd64 / xl2tpd).

DNAT rules for udp 500/4500 and protocol 50 at router 2 routing traffic to the VPN server.
/etc/ipsec.conf
================================================================================
config setup
    plutodebug="control controlmore"
    crlcheckinterval=600
    strictcrlpolicy=no
    # cachecrls=yes
    nat_traversal=yes
    charonstart=yes
    plutostart=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,!%v4:192.168.31.0/24,!v4:192.168.33.0/24

conn %default
    keyingtries=1
    compress=yes
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyexchange=ikev1
    left=192.168.33.60
    leftcert=vpn.earth.localCert.pem
    leftfirewall=yes

conn roadwarrior-l2tp
    type=transport
    leftprotoport=17/1701
    leftsubnetwithin=0.0.0.0/0
    right=%any
    rightprotoport=17/1701
    #rightsubnet=vhost:%no,%priv
    rightsubnetwithin=0.0.0.0/0
    pfs=no
    auto=add
ipsec status
================================================================================
000 "roadwarrior-l2tp": {0.0.0.0/0}===192.168.33.60[C=US, ST=Minnesota, O=Earth VPN, CN=vpn.earth.local]:17/1701...%any[%any]:17/1701==={0.0.0.0/0}; unrouted; eroute owner: #0
excerpt from /var/log/auth.log
================================================================================
May 13 19:50:32 vpn pluto[4964]: "roadwarrior-l2tp"[1] 71.210.154.175 #1: NAT-Traversal: Result using RFC 3947: both are NATed
May 13 19:50:32 vpn pluto[4964]: "roadwarrior-l2tp"[2] 71.210.154.175:4500 #1: sent MR3, ISAKMP SA established
May 13 19:50:32 vpn pluto[4964]: | find_client_connection starting with roadwarrior-l2tp
May 13 19:50:32 vpn pluto[4964]: | looking for 71.210.150.22/32:17/1701 -> 192.168.1.120/32:17/1701
May 13 19:50:32 vpn pluto[4964]: | concrete checking against sr#0 0.0.0.0/0 -> 0.0.0.0/0
May 13 19:50:32 vpn pluto[4964]: | fc_try trying roadwarrior-l2tp:71.210.150.22/32:17/1701 -> 192.168.1.120/32:17/1701 vs roadwarrior-l2tp:0.0.0.0/0:17/1701 -> 0.0.0.0/0:17/1701
May 13 19:50:32 vpn pluto[4964]: | fc_try concluding with none [0]
May 13 19:50:32 vpn pluto[4964]: | fc_try roadwarrior-l2tp gives none
May 13 19:50:32 vpn pluto[4964]: | checking hostpair 0.0.0.0/0 -> 0.0.0.0/0 is found
May 13 19:50:32 vpn pluto[4964]: | fc_try trying roadwarrior-l2tp:71.210.150.22/32:17/1701 -> 192.168.1.120/32:17/1701 vs roadwarrior-l2tp:0.0.0.0/0:17/1701 -> 0.0.0.0/0:17/1701
May 13 19:50:32 vpn pluto[4964]: | fc_try concluding with none [0]
May 13 19:50:32 vpn pluto[4964]: | fc_try_oppo trying roadwarrior-l2tp:71.210.150.22/32 -> 192.168.1.120/32 vs roadwarrior-l2tp:0.0.0.0/0 -> 0.0.0.0/0
May 13 19:50:32 vpn pluto[4964]: | fc_try_oppo concluding with none [328]
May 13 19:50:32 vpn pluto[4964]: | concluding with d = none
May 13 19:50:32 vpn pluto[4964]: "roadwarrior-l2tp"[2] 71.210.154.175:4500 #1: cannot respond to IPsec SA request because no connection is known for {71.210.150.22/32}===192.168.33.60:4500[C=US, ST=Minnesota, O=Earth VPN, CN=vpn.earth.local]:17/1701...71.210.154.175:4500[C=US, ST=Minnesota, O=Earth VPN, CN=leaf.earth.local]:17/1701==={192.168.1.120/32}
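Added example, not code from the post or from strongSwan: a small Python script that reads pluto's `fc_try` and "no connection is known" lines from an auth.log excerpt and puts the selectors the peer asked for beside what the conn offers, so a double-NAT symptom (the peer naming the server's public address while the conn is bound to 192.168.33.60) is visible without reading the whole debug dump. The sample lines are constructed from the excerpt above; `analyse` and `transport_host_mismatch` are my own names, not pluto's.

```python
import re
import ipaddress

# Constructed sample, mirroring the pluto debug lines quoted in the post (rejoined onto single lines).
SAMPLE_LOG = """\
May 13 19:50:32 vpn pluto[4964]: | looking for 71.210.150.22/32:17/1701 -> 192.168.1.120/32:17/1701
May 13 19:50:32 vpn pluto[4964]: | fc_try trying roadwarrior-l2tp:71.210.150.22/32:17/1701 -> 192.168.1.120/32:17/1701 vs roadwarrior-l2tp:0.0.0.0/0:17/1701 -> 0.0.0.0/0:17/1701
May 13 19:50:32 vpn pluto[4964]: | fc_try concluding with none [0]
May 13 19:50:32 vpn pluto[4964]: "roadwarrior-l2tp"[2] 71.210.154.175:4500 #1: cannot respond to IPsec SA request because no connection is known for {71.210.150.22/32}===192.168.33.60:4500[C=US, ST=Minnesota, O=Earth VPN, CN=vpn.earth.local]:17/1701...71.210.154.175:4500[C=US, ST=Minnesota, O=Earth VPN, CN=leaf.earth.local]:17/1701==={192.168.1.120/32}
"""

# "fc_try trying CONN:want_local -> want_remote vs CONN:have_local -> have_remote"
TRY_RE = re.compile(r"\| fc_try trying ([^:\s]+):(\S+) -> (\S+) vs [^:\s]+:(\S+) -> (\S+)")
# "... no connection is known for {local}===HOST:port[DN]..." -> capture HOST
FAIL_RE = re.compile(r"no connection is known for \{(\S+)\}===([^:\s\[]+):\d+\[")

def split_selector(sel):
    """'71.210.150.22/32:17/1701' -> (IPv4Network, '17/1701')."""
    net, _, protoport = sel.partition(":")
    return ipaddress.ip_network(net), protoport

def analyse(log_text):
    """One record per fc_try attempt, plus the host address pluto says the conn is bound to."""
    attempts, bound_host = [], None
    for line in log_text.splitlines():
        m = TRY_RE.search(line)
        if m:
            conn, wl, wr, hl, hr = m.groups()
            (wl_net, wl_pp), (wr_net, wr_pp) = split_selector(wl), split_selector(wr)
            (hl_net, hl_pp), (hr_net, hr_pp) = split_selector(hl), split_selector(hr)
            attempts.append({
                "conn": conn,
                "want": (str(wl_net), str(wr_net)),   # what the peer proposed
                "have": (str(hl_net), str(hr_net)),   # what the conn's selectors allow
                "within": wl_net.subnet_of(hl_net) and wr_net.subnet_of(hr_net),
                "protoport_ok": (wl_pp, wr_pp) == (hl_pp, hr_pp),
            })
        m = FAIL_RE.search(line)
        if m:
            bound_host = m.group(2)
    return attempts, bound_host

def transport_host_mismatch(log_text):
    """Transport mode carries traffic between the IKE endpoints themselves, so the local
    selector the peer proposes is compared with the address this conn is bound to.
    Behind DNAT the peer sees the public address, which is what this makes visible."""
    attempts, bound_host = analyse(log_text)
    if not attempts or bound_host is None:
        return None
    asked = attempts[0]["want"][0]
    return {"asked_local": asked, "bound_host": bound_host,
            "same": ipaddress.ip_network(asked) == ipaddress.ip_network(bound_host + "/32")}
```

On the sample, both selectors fall within 0.0.0.0/0 and the proto/port pairs agree, so the only thing that does not line up is the local address (71.210.150.22 asked for, 192.168.33.60 bound), which is where to look next.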