[strongSwan] NAT-T and StrongSwan conf

Alex Lucas alexander.lucas at tlscontact.com
Tue Nov 15 02:20:02 CET 2011


Thank you for your help and suggestions, guys. I got it working with OpenSwan.

On 09/11/11 10:55, Alex Lucas wrote:
> Dear all,
> No ideas? I've tried a lot of combinations of config, including
> specifying very specific IPs for "left", "leftsubnet", "right",
> "rightsubnet", "rightid" etc. The docs are not too helpful for NAT or
> especially double-NAT (which seems to be the case here) scenarios.
>
> BR,
> Alex
>
> On 02/11/11 10:07, Alex Lucas wrote:
>> Hi,
>>
>> The NAT-T stuff is very complicated. My VPN server is behind a router
>> and I have enabled port forwarding for ports 500/udp and 4500/udp.
>> Now, when I connect via the Internet, I get the following log:
>>
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541
>> #1: responding to Main Mode from unknown peer 10.100.30.1:15541
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541
>> #1: NAT-Traversal: Result using RFC 3947: both are NATed
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541
>> #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[1] 10.100.30.1:15541
>> #1: Peer ID is ID_IPV4_ADDR: '172.28.209.17'
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:15541
>> #1: deleting connection "L2TP" instance with peer 10.100.30.1
>> {isakmp=#0/ipsec=#0}
>> Nov  2 09:58:09 vpntest.local pluto[3745]: | NAT-T: new mapping
>> 10.100.30.1:15541/14510)
>> Nov  2 09:58:09 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510
>> #1: sent MR3, ISAKMP SA established
>> Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510
>> #1: cannot respond to IPsec SA request because no connection is known for
>> 202.96.4.106/32===10.100.30.121:4500[10.100.30.121]:17/1701...10.100.30.1:14510[172.28.209.47]:17/%any==={172.28.209.47/32}
>> Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510
>> #1: sending encrypted notification INVALID_ID_INFORMATION to
>> 10.100.30.1:14510
>> Nov  2 09:58:14 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510
>> #1: Quick Mode I1 message is unacceptable because it uses a previously
>> used Message ID 0xd45e9bf4 (perhaps this is a duplicated packet)
>>
>> How should I configure StrongSwan for it to be able to respond to the
>> IPsec SA request?
>>
>> Regards,
>> Alex
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
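Added example, not code from this thread or from strongSwan: a small decoder for the pluto line "cannot respond to IPsec SA request because no connection is known for ..." quoted above. It splits pluto's connection description into this host's end (the responder) and the peer's end and reports what each field implies, which is what you compare against the left*/right* settings in ipsec.conf. The sample line is the one from the mail, reassembled onto a single line; the dataclass fields and the finding tags are my own naming, and the parser assumes IPv4 addresses.

```python
"""Decoder for pluto's "cannot respond to IPsec SA request because no connection
is known for ..." log line (the IKEv1 pluto daemon in strongSwan 4.x / Openswan).

Added example for this thread, not code from strongSwan.  The layout of the
connection description is taken from the log line itself:

  [subnet===]host[:port][[id]][:proto/port]...host[:port][[id]][:proto/port][==={subnet}]

The left end is this host (the responder), the right end is the peer.  IPv4 only;
the dataclass fields and the finding tags are my own naming.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the line from the original mail, reassembled onto one line.
SAMPLE = (
    'Nov  2 09:58:11 vpntest.local pluto[3745]: "L2TP"[2] 10.100.30.1:14510 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '202.96.4.106/32===10.100.30.121:4500[10.100.30.121]:17/1701...'
    '10.100.30.1:14510[172.28.209.47]:17/%any==={172.28.209.47/32}'
)

MARKER = 'no connection is known for '

END_RE = re.compile(
    r'^(?P<host>[0-9.]+)'                       # IPv4 address of this end
    r'(?::(?P<port>\d+))?'                      # UDP port; 4500 or a rewritten port means NAT-T
    r'(?:\[(?P<ident>[^\]]*)\])?'               # identity (leftid/rightid, or what the peer sent)
    r'(?::(?P<proto>\d+)/(?P<pport>\S+))?$'     # protoport, e.g. 17/1701 or 17/%any
)


@dataclass
class End:
    host: str
    port: Optional[int]
    ident: Optional[str]
    proto: Optional[int]
    pport: Optional[str]
    subnet: Optional[str]   # traffic selector proposed for this end


def _parse_end(text: str, subnet: Optional[str]) -> End:
    m = END_RE.match(text)
    if m is None:
        raise ValueError(f'unparseable connection end: {text!r}')
    return End(
        host=m['host'],
        port=int(m['port']) if m['port'] else None,
        ident=m['ident'],
        proto=int(m['proto']) if m['proto'] else None,
        pport=m['pport'],
        subnet=subnet,
    )


def parse_no_connection_line(line: str):
    """Return (this_end, peer_end) decoded from a "no connection is known for" line."""
    pos = line.find(MARKER)
    if pos < 0:
        raise ValueError('not a "no connection is known for" line')
    desc = line[pos + len(MARKER):].strip()
    left, right = desc.split('...', 1)          # "..." separates the two ends

    left_subnet = None
    if '===' in left:                           # selector for this host comes first
        left_subnet, left = left.split('===', 1)

    right_subnet = None
    if '===' in right:                          # the peer's selector comes last, in braces
        right, right_subnet = right.split('===', 1)
        right_subnet = right_subnet.strip('{}')

    return _parse_end(left, left_subnet), _parse_end(right, right_subnet)


def diagnose(this_end: End, peer: End) -> dict:
    """Map finding tags (my own naming) to their evidence, for comparison with ipsec.conf."""
    found = {}
    # The peer's selector for this host is not this host's own address: the peer
    # addressed us through a NAT (public address) while pluto only knows the private one.
    if this_end.subnet and this_end.subnet != f'{this_end.host}/32':
        found['server_behind_nat'] = this_end.subnet
    # IKE on UDP 4500, or a NAT-rewritten peer port, means NAT-T encapsulation is in use.
    if this_end.port == 4500 or peer.port not in (None, 500):
        found['nat_traversal'] = (this_end.port, peer.port)
    # The peer identifies itself by an address other than the one its packets come from.
    if peer.ident and peer.ident != peer.host:
        found['client_behind_nat'] = (peer.host, peer.ident)
    # 17/1701 on our side with 17/%any on the peer is the L2TP/IPsec transport-mode selector.
    if (this_end.proto, this_end.pport) == (17, '1701'):
        found['l2tp_protoport'] = f'{peer.proto}/{peer.pport}'
    # The peer proposes its own (private) address as its subnet; a fixed rightsubnet
    # in ipsec.conf will not match that proposal.
    if peer.subnet and peer.ident and peer.subnet == f'{peer.ident}/32':
        found['peer_private_subnet'] = peer.subnet
    return found


if __name__ == '__main__':
    this_end, peer = parse_no_connection_line(SAMPLE)
    print('this host:', this_end)
    print('peer:     ', peer)
    for tag, evidence in diagnose(this_end, peer).items():
        print(f'{tag}: {evidence}')
```

Run as is, it decodes the sample and prints the findings. For the quoted line it reports that the peer's selector for the server is 202.96.4.106/32 while the server's own address is 10.100.30.121 (so no configured connection matches), that the exchange runs over NAT-T on UDP 4500 with a rewritten client port, and that the client identifies itself by a private address behind its own NAT and proposes that address as its subnet, so a connection with a fixed rightsubnet cannot accept it.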