[strongSwan] double nat
Pietro Vassalli
pietro.vassalli at organizesystems.ch
Tue Oct 11 14:46:34 CEST 2011
I can't get my IPsec infrastructure working. My goal is to authenticate the wifi network on the VPN server. The VPN server is protected by the firewall. The wifi network has to surf the internal network (the 10. class).

My conf is this:
192.168.1.0/24          192.168.1.4      10.10.1.254          10.10.1.213
----------------        ------------------------          ----------------
| wifi network |  ->    |       firewall       |    ->    |  vpn server  |
----------------        ------------------------          ----------------
Now, my configuration is:
config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=yes
        nat_traversal=yes
        virtual_private=%v4:192.168.1.0/24

conn L2TP
        authby=psk
        pfs=no
        rekey=no
        type=transport
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        left=10.10.1.213
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        auto=add
        forceencaps=yes

include /var/lib/strongswan/ipsec.conf.inc
When I start ipsec everything goes well, but when I try to authenticate what I get (mainly) is:

srvvpn pluto[19642]: "L2TP"[1] 192.168.1.104:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.4/32===10.10.1.213:4500:17/1701...192.168.1.104:4500:17/%any
Moreover, my ipsec statusall shows:

ipsec statusall
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.10.1.213:4500
000 interface eth0/eth0 10.10.1.213:500
000 %myid = (none)
000 debug none
000
000 "L2TP": 10.10.1.213:17/1701---10.10.1.254...%any:17/%any; unrouted; eroute owner: #0
000 "L2TP":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP":   policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32; interface: eth0;
000 "L2TP":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP":   IKE algorithms wanted: 7_128-2-2,
000 "L2TP":   IKE algorithms found:  7_128-2_160-2,
000 "L2TP":   ESP algorithms wanted: 12_128-2,
000 "L2TP":   ESP algorithms loaded: 12_128-2_160,
000
Performance:
  uptime: 8 minutes, since Oct 11 13:29:07 2011
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: curl ldap random x509 pubkey xcbc hmac openssl agent gmp kernel-netlink stroke updown
Listening IP addresses:
  10.10.1.213
Connections:
Security Associations:
  none
What should I do?

Thanks in advance,
Pietro Vassalli
--
Pietro Vassalli
Organize Systems S.A.
Via Carvina 1
6807 Taverne
Tel. +41919453322
Fax +41919453320
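The pluto message quoted in the post lists the selectors of the SA the peer asked for in the form `[leftclient===]left[:port]:proto/port...right[:port]:proto/port[===rightclient]`, and "no connection is known" means no conn's effective selectors cover them. The script below is an added diagnostic example, not code from the post or from the strongSwan project: it parses that selector string, reads the selectors a conn section implies (in pluto, a missing leftsubnet/rightsubnet means the host address itself, i.e. host/32), and prints the parts that differ. Run on the post's own log line and conn, it reports that the requested left client is 192.168.1.4/32 (the firewall-side address the wifi client addresses) while the conn only allows 10.10.1.213/32. The sample log line and conn text are constructed from the post; the ipsec.conf reader handles only the key=value syntax needed here and is IPv4 only.

```python
"""Compare a pluto 'no connection is known for' line with a conn in ipsec.conf.

Added example, not from the mailing-list post or the strongSwan project.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the pluto line quoted in the post and the settings
# of its "conn L2TP" section that determine the selectors.
PLUTO_LOG = ('srvvpn pluto[19642]: "L2TP"[1] 192.168.1.104:4500 #1: cannot respond '
             'to IPsec SA request because no connection is known for '
             '192.168.1.4/32===10.10.1.213:4500:17/1701...192.168.1.104:4500:17/%any')

IPSEC_CONF = """\
conn L2TP
    authby=psk
    type=transport
    left=10.10.1.213
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
"""


@dataclass
class End:
    host: str             # IKE endpoint address or %any
    port: Optional[int]   # UDP port pluto shows for the endpoint (500/4500), if any
    proto: Optional[str]  # protoport such as "17/1701"; None = any
    client: str           # traffic selector in CIDR form, or %any


# host[:port]:proto/port, one end of the selector string pluto prints
_END_RE = re.compile(r'^(?P<host>[^:]+?)(?::(?P<port>\d+))?:(?P<proto>\d+/(?:\d+|%any))$')


def _parse_end(text: str, left: bool) -> End:
    """Left side: [client===]host[:port]:proto/port; right side:
    host[:port]:proto/port[===client]. No explicit client means host/32."""
    client = None
    if '===' in text:
        a, b = text.split('===', 1)
        client, text = (a, b) if left else (b, a)
    m = _END_RE.match(text)
    if not m:
        raise ValueError(f'unparsable endpoint: {text!r}')
    host = m.group('host')
    if client is None:
        client = host if host == '%any' else f'{host}/32'
    port = int(m.group('port')) if m.group('port') else None
    return End(host, port, m.group('proto'), client)


def parse_pluto_request(line: str) -> tuple[End, End]:
    """Extract the (left, right) ends from a 'no connection is known for' line."""
    m = re.search(r'no connection is known for (\S+)', line)
    if not m:
        raise ValueError('not a "no connection is known for" line')
    left_text, right_text = m.group(1).split('...', 1)
    return _parse_end(left_text, True), _parse_end(right_text, False)


def parse_conn(conf: str, name: str) -> dict[str, str]:
    """Collect the key=value settings of one conn section (comments stripped)."""
    params: dict[str, str] = {}
    active = False
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():          # section header: "conn X" / "config setup"
            active = line.split() == ['conn', name]
            continue
        if active and '=' in line:
            key, value = line.strip().split('=', 1)
            params[key.strip()] = value.strip()
    return params


def conn_ends(params: dict[str, str]) -> tuple[End, End]:
    """Effective selectors of a conn: leftsubnet/rightsubnet default to host/32."""
    def one(side: str) -> End:
        host = params.get(side, '%any')
        client = params.get(side + 'subnet')
        if client is None:
            client = host if host == '%any' else f'{host}/32'
        return End(host, None, params.get(side + 'protoport'), client)
    return one('left'), one('right')


def _protoport_matches(conf: str, req: str) -> bool:
    """A configured protoport matches if the protocol is equal and the port is equal or %any."""
    cproto, cport = conf.split('/', 1)
    rproto, rport = req.split('/', 1)
    return cproto == rproto and (cport == '%any' or cport == rport)


def selector_mismatches(req: tuple[End, End], conn: tuple[End, End]) -> list[str]:
    """Parts of the requested SA that the conn cannot match, one line each."""
    problems = []
    for side, r, c in (('left', req[0], conn[0]), ('right', req[1], conn[1])):
        if c.host != '%any' and r.host != c.host:
            problems.append(f'{side} host: requested {r.host}, conn has {c.host}')
        if c.client != '%any' and not ipaddress.ip_network(r.client, strict=False).subnet_of(
                ipaddress.ip_network(c.client, strict=False)):
            problems.append(f'{side} client: requested {r.client}, conn allows {c.client}')
        if c.proto and not _protoport_matches(c.proto, r.proto):
            problems.append(f'{side} protoport: requested {r.proto}, conn has {c.proto}')
    return problems


def diagnose(log_line: str, conf: str, conn_name: str) -> list[str]:
    """Mismatch report for one log line against one named conn."""
    return selector_mismatches(parse_pluto_request(log_line),
                               conn_ends(parse_conn(conf, conn_name)))


if __name__ == '__main__':
    for problem in diagnose(PLUTO_LOG, IPSEC_CONF, 'L2TP') or ['no mismatch found']:
        print(problem)
```

The report names the selector that has to be reconciled in the conn; with a conn that declares the requested /32 as its leftsubnet the script reports nothing, which is the check, not a guarantee that the tunnel then comes up (the firewall's NAT and the L2TP side are outside what the script sees).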