[strongSwan] NAT-T and StrongSwan conf
Alex Lucas
alexander.lucas at tlscontact.com
Wed Nov 2 03:07:54 CET 2011
Hi,
The NAT-T stuff is very complicated. My VPN server is behind a router
and I enabled port forwarding for ports 500/udp, 4500/udp.
Now when I connect via the Internet, I get the following log:
Nov 2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: responding to Main Mode from unknown peer 10.100.30.1:15541
Nov 2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Nov 2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: Peer ID is ID_IPV4_ADDR: '172.28.209.17'
Nov 2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:15541 #1: deleting connection "L2TP" instance with peer 10.100.30.1 {isakmp=#0/ipsec=#0}
Nov 2 09:58:09 vpntest.local pluto[3745]: | NAT-T: new mapping 10.100.30.1:15541/14510)
Nov 2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: sent MR3, ISAKMP SA established
Nov 2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: cannot respond to IPsec SA request because no connection is known for 202.96.4.106/32===10.100.30.121:4500[10.100.30.121]:17/1701...10.100.30.1:14510[172.28.209.47]:17/%any==={172.28.209.47/32}
Nov 2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.100.30.1:14510
Nov 2 09:58:14 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd45e9bf4 (perhaps this is a duplicated packet)
How should I configure StrongSwan for it to be able to respond to the IPsec SA request?
Regards,
Alex
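The following is an added example, not part of the original post and not a reply from the list. The "no connection is known for" line above prints the Quick Mode selectors the client proposed, in pluto's notation leftsubnet===left[leftid]:proto/port...right[rightid]:proto/port==={rightsubnet}: the client wants a transport-mode SA to UDP port 1701 on the server side (17/1701), from any UDP port on its side (17/%any), and names its private address 172.28.209.47 behind the NAT as the far end. A conn that pluto can match against such a proposal has to carry those protoports, be of type transport, and accept a private client address, which is what the rightsubnet=vhost:%priv,%no idiom from the strongSwan 4.x (pluto) L2TP/IPsec documentation does. Addresses and the PSK are assumptions taken from the log; whether this also covers the 202.96.4.106/32 left selector (the public address of the NAT in front of the server, which the client proposes instead of 10.100.30.121) is not established by the post.

```ini
# /etc/ipsec.conf -- example conn for L2TP/IPsec road warriors behind NAT
# (added example, strongSwan 4.x / pluto syntax; values are assumptions)
config setup
    nat_traversal=yes          # required for pluto to do UDP/4500 encapsulation

conn L2TP
    keyexchange=ikev1          # Windows/Android L2TP clients use IKEv1
    authby=secret              # matching PSK goes into /etc/ipsec.secrets
    type=transport             # L2TP/IPsec protects the L2TP UDP flow, not a subnet
    left=10.100.30.121         # server's private address (port-forwarded 500/4500)
    leftprotoport=17/1701      # selector the client proposed: UDP 1701 on the server
    right=%any                 # any initiator
    rightprotoport=17/%any     # client side: UDP, any source port
    rightsubnet=vhost:%priv,%no  # accept a private client address (172.28.209.47/32)
                                 # or the client's own public address as its "subnet"
    auto=add
```

With this in place, `ipsec statusall` should list the L2TP conn with the 17/1701...17/%any protoports; if pluto still logs "no connection is known for", compare the printed selectors term by term against the conn, since every element (subnets, IDs, protocol and ports) has to match for the Quick Mode proposal to be accepted.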