[strongSwan] NAT-T and StrongSwan conf

Alex Lucas alexander.lucas at tlscontact.com
Wed Nov 2 03:07:54 CET 2011


Hi,

The NAT-T stuff is very complicated. My VPN server is behind a router 
and I enabled port forwarding for ports 500/udp, 4500/udp.
Now when I connect via Internet, I get the following log:

Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: responding to Main Mode from unknown peer 10.100.30.1:15541
Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: Peer ID is ID_IPV4_ADDR: '172.28.209.17'
Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:15541 #1: deleting connection "L2TP" instance with peer 10.100.30.1 {isakmp=#0/ipsec=#0}
Nov  2 09:58:09 vpntest.local pluto[3745]: | NAT-T: new mapping 10.100.30.1:15541/14510)
Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: sent MR3, ISAKMP SA established
Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: cannot respond to IPsec SA request because no connection is known for 202.96.4.106/32===10.100.30.121:4500[10.100.30.121]:17/1701...10.100.30.1:14510[172.28.209.47]:17/%any==={172.28.209.47/32}
Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.100.30.1:14510
Nov  2 09:58:14 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd45e9bf4 (perhaps this is a duplicated packet)

How should I configure StrongSwan for it to be able to respond to the 
IPsec SA request?

Regards,
Alex
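As an added triage helper for this kind of log (example code written for this page, not part of the post or of strongSwan): the script below parses pluto's NAT-T and Quick Mode messages, pulls apart the connection description in the "no connection is known for" line, and reports the facts a responder wants before touching ipsec.conf: the NAT-T result, the port remap after the float to 4500, the Phase 1 peer ID, the rejected Phase 2 proposal, and the notification sent back. The sample input is the post's own log, re-joined one entry per line. The regular expression for the connection description (subnet===host:port[id]:proto/port...host:port[id]:proto/port==={subnet}) is an assumption about pluto's output format derived from the line quoted above, and the "differs" finding is an observation only, not a diagnosis.

```python
"""Triage helper for pluto (strongSwan 4.x IKEv1) NAT-T logs. Added example, not project code."""
import re
from typing import Dict, List, Optional

# Constructed sample input: the log lines from the post, one entry per line.
SAMPLE_LOG = """\
Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: responding to Main Mode from unknown peer 10.100.30.1:15541
Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: NAT-Traversal: Result using RFC 3947: both are NATed
Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: Peer ID is ID_IPV4_ADDR: '172.28.209.17'
Nov  2 09:58:09 vpntest.local pluto[3745]: | NAT-T: new mapping 10.100.30.1:15541/14510)
Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: sent MR3, ISAKMP SA established
Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: cannot respond to IPsec SA request because no connection is known for 202.96.4.106/32===10.100.30.121:4500[10.100.30.121]:17/1701...10.100.30.1:14510[172.28.209.47]:17/%any==={172.28.209.47/32}
Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.100.30.1:14510
"""

# syslog prefix, optional '"conn"[instance] peer:port #sa:' prefix, then the message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+:\d+) #(?P<sa>\d+): )?'
    r'(?P<msg>.*)$'
)

# Assumed layout of pluto's connection description (derived from the quoted line):
# [leftsubnet===]left:port[leftid]:proto/port...right:port[rightid]:proto/port[==={rightsubnet}]
SPEC_RE = re.compile(
    r'(?:(?P<lsub>[\d./]+)===)?'
    r'(?P<lhost>[\d.]+):(?P<lport>\d+)\[(?P<lid>[^\]]+)\]:(?P<lproto>\d+)/(?P<lpp>[\w%]+)'
    r'\.\.\.'
    r'(?P<rhost>[\d.]+):(?P<rport>\d+)\[(?P<rid>[^\]]+)\]:(?P<rproto>\d+)/(?P<rpp>[\w%]+)'
    r'(?:===\{(?P<rsub>[\d./]+)\})?'
)

NAT_RESULT_RE = re.compile(r'NAT-Traversal: Result using (?P<method>[^:]+): (?P<result>.+)')
MAPPING_RE = re.compile(r'NAT-T: new mapping (?P<host>[\d.]+):(?P<old>\d+)/(?P<new>\d+)')
PEER_ID_RE = re.compile(r"Peer ID is (?P<type>\w+): '(?P<id>[^']+)'")
NO_CONN_RE = re.compile(r'cannot respond to IPsec SA request because no connection is known for (?P<spec>\S+)')
NOTIFY_RE = re.compile(r'sending encrypted notification (?P<notify>\w+) to (?P<dst>[\d.]+:\d+)')


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one syslog line into its pluto fields; None if it is not a pluto line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_connection_spec(spec: str) -> Dict[str, Optional[str]]:
    """Break a pluto connection description into left/right host, port, id, protoport and subnet."""
    m = SPEC_RE.fullmatch(spec)
    if m is None:
        raise ValueError(f"unrecognised connection description: {spec}")
    return m.groupdict()


def analyze(log_text: str) -> dict:
    """Collect the NAT-T and Quick Mode facts from a pluto log into one report dict."""
    report = {"nat_method": None, "nat_result": None, "port_mappings": [],
              "peer_ids": [], "rejected_proposals": [], "notifications": []}
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        msg = entry["msg"] or ""
        if m := NAT_RESULT_RE.search(msg):
            report["nat_method"], report["nat_result"] = m["method"], m["result"]
        elif m := MAPPING_RE.search(msg):
            # The NAT changed the peer's source port when IKE floated to UDP 4500.
            report["port_mappings"].append((m["host"], int(m["old"]), int(m["new"])))
        elif m := PEER_ID_RE.search(msg):
            report["peer_ids"].append((m["type"], m["id"]))
        elif m := NO_CONN_RE.search(msg):
            report["rejected_proposals"].append(parse_connection_spec(m["spec"]))
        elif m := NOTIFY_RE.search(msg):
            report["notifications"].append((m["notify"], m["dst"]))
    return report


def findings(report: dict) -> List[str]:
    """Render the report as short human-readable lines for a responder."""
    out = []
    if report["nat_result"]:
        out.append(f"NAT-T ({report['nat_method']}): {report['nat_result']}")
    for host, old, new in report["port_mappings"]:
        out.append(f"NAT mapping for {host} changed from UDP {old} to UDP {new}")
    phase1_ids = [i for t, i in report["peer_ids"] if t == "ID_IPV4_ADDR"]
    for p in report["rejected_proposals"]:
        out.append(
            f"no connection matched: local {p['lsub'] or p['lhost']} {p['lproto']}/{p['lpp']} "
            f"<-> remote {p['rsub'] or p['rhost']} (id {p['rid']}) {p['rproto']}/{p['rpp']}"
        )
        if phase1_ids and p["rid"] not in phase1_ids:
            out.append(f"Phase 1 peer ID {phase1_ids} differs from Phase 2 identity {p['rid']}")
    for notify, dst in report["notifications"]:
        out.append(f"sent {notify} to {dst}")
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print(line)
```

Run it on the sample and it shows that Phase 1 completed with both sides detected as NATed, that the NAT remapped the peer from UDP 15541 to 14510, and that the rejected proposal asks for the L2TP traffic selector 17/1701 on the server side against 17/%any from the client with a /32 behind the peer's identity; it also points out that the peer ID seen in Main Mode (172.28.209.17) is not the identity in the Quick Mode proposal (172.28.209.47), which is visible in the log as quoted and worth checking on its own.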



