[strongSwan] nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797, 50.1.1.228:1797]
SaRaVanAn
saravanan.nagarajan87 at gmail.com
Sun Apr 1 19:54:43 CEST 2012
Hi Andreas,
Any update on this question? Waiting for your reply.
Regards,
Saravanan N
On Fri, Mar 30, 2012 at 6:46 AM, SaRaVanAn <saravanan.nagarajan87 at gmail.com> wrote:
> Hi Andreas,
>
> Thanks for your prompt reply. I understand that IKEv2 will accept dynamic
> port changes.
> We are also trying to understand whether IKEv2 will accept dynamic IP
> address changes in NAT-T.
> For example:
> Let us assume the IPsec IKEv2 peer response timeout at the VPN client side is
> very high.
> After the VPN client is connected, if my NAT device (DSL modem) loses its
> connection with the ISP and comes back with a different IP address (note
> that the DSL modem would have cleared the old NAT entries), will the VPN
> connection continue without any disconnect using the new NATed IP address
> and port number?
>
> Regards,
> Saravanan N
>
>
> On Fri, Mar 30, 2012 at 6:40 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>
>> Hello,
>>
>> RFC 4306 defines IKEv2 whereas you are using the obsoleted IKEv1
>> protocol. IKEv1 does not support the update of NAT ports whereas
>> our IKEv2 charon daemon does.
>>
>> Regards
>>
>> Andreas
>>
>> On 03/30/2012 03:01 PM, SaRaVanAn wrote:
>> > Hi,
>> > It seems dynamic update of the other end's IP address in NAT
>> > traversal is not supported in strongSwan.
>> > According to RFC 4306, it should be supported as part of NAT traversal.
>> > Please find the topology and the issue I am facing below.
>> >
>> >
>> > Cisco VPN client ---------- Router1 ---------------------------------- VPN Server (strongSwan)
>> > 20.1.1.1              20.1.1.2   50.1.1.226 (eth1)                     50.1.1.227
>> >
>> > Iptables
>> > ++++++
>> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>> >
>> > I have established a VPN connection between the VPN client and the VPN server
>> > with the NATed IP 50.1.1.226 to 50.1.1.227.
>> > After some time, the eth1 interface IP address of Router1 changed to
>> > 50.1.1.228, and the tunnel gets disturbed, throwing the following error.
>> >
>> >
>> > Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
>> > Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
>> > Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
>> > Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
>> > Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
>> > Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
>> > Mar 30 14:53:09 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
>> > Mar 30 14:53:14 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
>> > Mar 30 14:53:19 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
>> >
>> > Does strongSwan plan to implement a dynamic IP address update
>> > feature in NAT-T?
>> >
>> >
>> >
>> > /etc/ipsec.conf
>> > ++++++++++++
>> > ca vpnca
>> >     cacert=caCert.pem
>> >     #crluri=crl.pem
>> >     auto=add
>> >
>> > config setup
>> >     plutostart=yes
>> >     #plutodebug=control
>> >     charonstart=no
>> >     charondebug="net 0"
>> >     nat_traversal=yes
>> >     crlcheckinterval=10m
>> >     strictcrlpolicy=no
>> >
>> > conn %default
>> >     ikelifetime=60m
>> >     keylife=20m
>> >     keyexchange=ikev1
>> >     rekeymargin=3m
>> >     keyingtries=1
>> >     #leftupdown="sudo -E ipsec _updown"
>> >
>> > # Add connections here.
>> > conn cisco-vpn
>> >     type=tunnel
>> >     ike=aes256-sha1-modp1536!
>> >     esp=aes256-sha1!
>> >     #keyexchange=ikev2
>> >     dpdaction=clear
>> >     dpddelay=300s
>> >     rekeymargin=3m
>> >     keyingtries=1
>> >     left=%defaultroute
>> >     leftsubnet=0.0.0.0/0
>> >     #leftsubnetwithin=10.3.1.1/24
>> >     leftcert=dutCert.pem
>> >     leftid="C=CH, O=strongSwan, CN=strongswan"
>> >     right=%any
>> >     #rightsourceip=%abcd
>> >     leftfirewall=yes
>> >     rightsourceip=30.1.1.1/24
>> >     #rightsubnet=30.1.1.1/24
>> >     pfs=no
>> >     authby=xauthrsasig
>> >     xauth=server
>> >
>> >
>> > ipsec.secrets
>> > +++++++++++
>> > : RSA dutKey.pem
>> > tester : XAUTH "tester"
>> >
>> >
>> > Regards,
>> > Saravanan N
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org
>> > https://lists.strongswan.org/mailman/listinfo/users
>>
>>
>> --
>> ======================================================================
>> Andreas Steffen andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution! www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>
>
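As an added example (not code from this thread or from strongSwan), the following Python script ties the symptom quoted above to the cause Andreas names: it parses the pluto log lines for the refused `nat_traversal_new_mapping` address change and the resulting "unknown (expired?) SA" packets, reads the quoted ipsec.conf, and flags any affected conn whose effective `keyexchange` (inherited from `conn %default`) is `ikev1` on a host with `charonstart=no`. The sample log and config are constructed from the quotes in the thread; the `"ike"` fallback for an unset `keyexchange` and the finding labels are assumptions made for the example.

```python
import re

# Constructed sample: the pluto log lines quoted in this thread, with the
# archive's "<http://...>" link residue removed.
SAMPLE_LOG = """\
Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
"""

# Constructed sample: the parts of the quoted ipsec.conf that matter here.
SAMPLE_CONF = """\
config setup
    plutostart=yes
    charonstart=no
    nat_traversal=yes

conn %default
    keyexchange=ikev1

conn cisco-vpn
    type=tunnel
    #keyexchange=ikev2
    left=%defaultroute
    right=%any
"""

# "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: ... [old,new]
MAPPING_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): nat_traversal_new_mapping: '
    r'address change currently not supported \[(?P<old>[^,\]]+),(?P<new>[^\]]+)\]'
)
UNKNOWN_SA_RE = re.compile(
    r'packet from (?P<src>\S+): Informational Exchange is for an unknown'
)


def split_endpoint(endpoint):
    """'50.1.1.228:1797' -> ('50.1.1.228', 1797)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_pluto_log(log_text):
    """Collect refused NAT mapping changes and unknown-SA packet sources."""
    mapping_events, unknown_sa_sources = [], []
    for line in log_text.splitlines():
        m = MAPPING_RE.search(line)
        if m:
            old, new = split_endpoint(m["old"]), split_endpoint(m["new"])
            mapping_events.append({
                "conn": m["conn"], "sa": int(m["sa"]), "old": old, "new": new,
                "address_changed": old[0] != new[0],   # IP changed (the case here)
                "port_changed": old[1] != new[1],      # only the NAT port changed
            })
            continue
        u = UNKNOWN_SA_RE.search(line)
        if u:
            unknown_sa_sources.append(split_endpoint(u["src"]))
    return mapping_events, unknown_sa_sources


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader -> {(kind, name): {key: value}}.
    Section headers start in column 0, settings are indented, '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            kind, _, name = line.partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_setting(sections, conn, key, default=None):
    """A conn inherits from 'conn %default' whatever it does not set itself."""
    return sections.get(("conn", conn), {}).get(
        key, sections.get(("conn", "%default"), {}).get(key, default))


def audit(log_text, conf_text):
    """Flag conns hit by a refused NAT address change while running IKEv1,
    and a setup section that leaves the IKEv2 daemon (charon) disabled."""
    events, _ = parse_pluto_log(log_text)
    sections = parse_ipsec_conf(conf_text)
    findings = []
    for conn in sorted({e["conn"] for e in events if e["address_changed"]}):
        # "ike" as the fallback for an unset keyexchange is an assumption here
        if effective_setting(sections, conn, "keyexchange", "ike") == "ikev1":
            findings.append({"check": "ikev1_nat_address_change", "conn": conn})
    if sections.get(("config", "setup"), {}).get("charonstart") == "no":
        findings.append({"check": "charon_disabled", "conn": None})
    return findings
```

Run `audit(SAMPLE_LOG, SAMPLE_CONF)` to get both findings for the quoted setup; the script only reads the log and the config, so it can be pointed at a real `/var/log/auth.log` and `/etc/ipsec.conf` to confirm whether a dropped tunnel after a NAT address change is the IKEv1 limitation described in the thread.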