[strongSwan] NAT-T and StrongSwan conf

Alex Lucas alexander.lucas at tlscontact.com
Wed Nov 9 03:55:07 CET 2011


Dears,
No ideas? I've tried a lot of combinations of config, including 
specifying very specific IPs for "left", "leftsubnet", "right", 
"rightsubnet", "rightid" etc. The docs are not too helpful for NAT or 
especially double-NAT (which seems to be the case here) scenarios.

BR,
Alex

On 02/11/11 10:07, Alex Lucas wrote:
> Hi,
>
> The NAT-T stuff is very complicated. My VPN server is behind a router
> and I enabled port forwarding for ports 500/udp, 4500/udp.
> Now when I connect via Internet, I get the following log:
>
> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: responding to Main Mode from unknown peer 10.100.30.1:15541
> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: NAT-Traversal: Result using RFC 3947: both are NATed
> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541 #1: Peer ID is ID_IPV4_ADDR: '172.28.209.17'
> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:15541 #1: deleting connection "L2TP" instance with peer 10.100.30.1 {isakmp=#0/ipsec=#0}
> Nov  2 09:58:09 vpntest.local pluto[3745]: | NAT-T: new mapping 10.100.30.1:15541/14510)
> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: sent MR3, ISAKMP SA established
> Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: cannot respond to IPsec SA request because no connection is known for 202.96.4.106/32===10.100.30.121:4500[10.100.30.121]:17/1701...10.100.30.1:14510[172.28.209.47]:17/%any==={172.28.209.47/32}
> Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.100.30.1:14510
> Nov  2 09:58:14 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd45e9bf4 (perhaps this is a duplicated packet)
>
> How should I configure StrongSwan for it to be able to respond to the
> IPsec SA request?
>
> Regards,
> Alex
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
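To make the failing lookup in the quoted log easier to read, here is an added Python helper (not from the post and not strongSwan code) that splits the connection description pluto prints after "no connection is known for" into its two ends and reports each end whose Quick Mode selector is a single address that differs from the address IKE actually talked to, which is what a pre-NAT address proposed by a NATed peer looks like. The field layout, leftsubnet===left:port[leftid]:proto/port...right:port[rightid]:proto/port==={rightsubnet}, is inferred from the log line itself and is an assumption; IPv4 only.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Connection description as pluto prints it after
# "cannot respond to IPsec SA request because no connection is known for":
#   leftsubnet===left:port[leftid]:proto/port...right:port[rightid]:proto/port==={rightsubnet}
# Layout inferred from the log line in the post (assumption); subnets are optional.
CONN_RE = re.compile(
    r"^(?:(?P<lsub>[^=]+)===)?"
    r"(?P<lhost>[^:]+):(?P<lport>\d+)\[(?P<lid>[^\]]*)\]:(?P<lproto>\d+)/(?P<lpp>[^.]+)"
    r"\.\.\."
    r"(?P<rhost>[^:]+):(?P<rport>\d+)\[(?P<rid>[^\]]*)\]:(?P<rproto>\d+)/(?P<rpp>[^=]+)"
    r"(?:===\{(?P<rsub>[^}]+)\})?$"
)

@dataclass
class End:
    host: str              # address IKE actually exchanged packets with (post-NAT)
    port: int              # UDP port; 4500 means NAT-T encapsulation is in use
    ident: str             # ID sent in Phase 1
    proto: int             # protocol of the selector (17 = UDP)
    pport: str             # port of the selector, e.g. "1701" or "%any"
    subnet: Optional[str]  # traffic selector proposed in Quick Mode, if any

def parse_conn(desc: str) -> Tuple[End, End]:
    m = CONN_RE.match(desc.strip())
    if not m:
        raise ValueError("unrecognised connection description: " + desc)
    g = m.groupdict()
    left = End(g["lhost"], int(g["lport"]), g["lid"], int(g["lproto"]), g["lpp"], g["lsub"])
    right = End(g["rhost"], int(g["rport"]), g["rid"], int(g["rproto"]), g["rpp"], g["rsub"])
    return left, right

def nat_mismatches(desc: str) -> Dict[str, Tuple[str, str]]:
    """Ends whose /32 selector differs from the host IKE saw: (proposed, seen)."""
    left, right = parse_conn(desc)
    found = {}
    for name, end in (("left", left), ("right", right)):
        if end.subnet and end.subnet.endswith("/32"):
            proposed = end.subnet[:-3]
            if proposed != end.host:
                found[name] = (proposed, end.host)
    return found

# Constructed from the log line quoted in the post
SAMPLE = ("202.96.4.106/32===10.100.30.121:4500[10.100.30.121]:17/1701"
          "...10.100.30.1:14510[172.28.209.47]:17/%any==={172.28.209.47/32}")
```

On the quoted line it reports a mismatch on both ends: the server's public address 202.96.4.106 against its forwarded private host 10.100.30.121, and the client's 172.28.209.47 against the NAT address 10.100.30.1, matching the "both are NATed" result earlier in the log.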
