[strongSwan] nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797, 50.1.1.228:1797]

SaRaVanAn saravanan.nagarajan87 at gmail.com
Sun Apr 1 19:54:43 CEST 2012


Hi Andreas,
   Any update on this question? Waiting for your reply.
Regards,
Saravanan N

On Fri, Mar 30, 2012 at 6:46 AM, SaRaVanAn
<saravanan.nagarajan87 at gmail.com>wrote:

> Hi Andreas,
>
> Thanks for your prompt reply. I understand that IKEv2 will accept a dynamic
> port change.
> We are also trying to understand whether IKEv2 will accept a dynamic IP
> address change in NAT-T.
> For example:
> Let us assume the IPsec IKEv2 peer response timeout at the VPN client side is
> very high.
> After the VPN client is connected, if my NAT device (DSL modem) loses its
> connection with the ISP and comes back with a different IP address (note
> that the DSL modem would have cleared the old NAT entries), will the VPN
> connection continue without any disconnect, using the new NATed IP address
> and port number?
>
> Regards,
> Saravanan N
>
>
> On Fri, Mar 30, 2012 at 6:40 PM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>
>> Hello,
>>
>> RFC 4306 defines IKEv2 whereas you are using the obsoleted IKEv1
>> protocol. IKEv1 does not support the update of NAT ports whereas
>> our IKEv2 charon daemon does.
>>
>> Regards
>>
>> Andreas
>>
>> On 03/30/2012 03:01 PM, SaRaVanAn wrote:
>> > Hi,
>> >   It seems dynamic update of the other end's IP address in NAT
>> > traversal is not supported in strongSwan.
>> > According to RFC 4306, it should be supported as part of NAT traversal.
>> > Please find below the topology and the issue I am facing with it.
>> >
>> >
>> > Cisco VPN client ------------ Router1 -------------------- VPN Server (strongSwan)
>> > 20.1.1.1              20.1.1.2     50.1.1.226 (eth1)           50.1.1.227
>> >
>> > Iptables
>> > ++++++
>> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>> >
>> > I have established a VPN connection between the VPN client and the VPN server
>> > with the NATed IP 50.1.1.226 to 50.1.1.227.
>> > After some time, the eth1 interface IP address of Router1 changed to
>> > 50.1.1.228, and the tunnel gets disturbed, throwing the following error.
>> >
>> >
>> > Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
>> > Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
>> > Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
>> > Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
>> > Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
>> > Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
>> > Mar 30 14:53:09 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
>> > Mar 30 14:53:14 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
>> > Mar 30 14:53:19 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
>> >
>> > Does strongSwan plan to implement a dynamic IP address update
>> > feature in NAT-T?
>> >
>> >
>> >
>> > /etc/ipsec.conf
>> > ++++++++++++
>> > ca vpnca
>> >           cacert=caCert.pem
>> >           #crluri=crl.pem
>> >           auto=add
>> >
>> > config setup
>> >           plutostart=yes
>> >           #plutodebug=control
>> >           charonstart=no
>> >           charondebug="net 0"
>> >           nat_traversal=yes
>> >           crlcheckinterval=10m
>> >           strictcrlpolicy=no
>> >
>> > conn %default
>> >         ikelifetime=60m
>> >         keylife=20m
>> >         keyexchange=ikev1
>> >         rekeymargin=3m
>> >         keyingtries=1
>> >         #leftupdown="sudo -E ipsec _updown"
>> >
>> > # Add connections here.
>> > conn cisco-vpn
>> >           type=tunnel
>> >           ike=aes256-sha1-modp1536!
>> >           esp=aes256-sha1!
>> >           #keyexchange=ikev2
>> >           dpdaction=clear
>> >           dpddelay=300s
>> >           rekeymargin=3m
>> >           keyingtries=1
>> >           left=%defaultroute
>> >           leftsubnet=0.0.0.0/0
>> >           #leftsubnetwithin=10.3.1.1/24
>> >           leftcert=dutCert.pem
>> >           leftid="C=CH, O=strongSwan, CN=strongswan"
>> >           right=%any
>> >           #rightsourceip=%abcd
>> >           leftfirewall=yes
>> >           rightsourceip=30.1.1.1/24
>> >           #rightsubnet=30.1.1.1/24
>> >           pfs=no
>> >           authby=xauthrsasig
>> >           xauth=server
>> >
>> >
>> > ipsec.secrets
>> > +++++++++++
>> > : RSA dutKey.pem
>> > tester : XAUTH "tester"
>> >
>> >
>> > Regards,
>> > Saravanan N
>> >
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.strongswan.org
>> > https://lists.strongswan.org/mailman/listinfo/users
>>
>>
>> --
>> ======================================================================
>> Andreas Steffen                         andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>>
>
>
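As an added illustration (written for this page, not code from the thread or from strongSwan): the pluto messages above form a recognisable sequence, and a gateway operator running IKEv1 can at least detect it rather than wait for DPD (dpddelay=300s in the posted config) to clear the SA. The script below parses pluto syslog lines, records each SA for which pluto refused a NAT mapping address change, and correlates it with the two follow-up symptoms seen in the thread: IKE packets arriving from the new address that match no SA, and ICMP unreachable reports for the stale address. The sample log is constructed after the excerpt above (the second "other-conn" SA is invented to show the non-escalated case); the class and function names are the example's own.

```python
"""Flag IKEv1/pluto SAs whose NAT mapping changed address (added example, not strongSwan code)."""
import re
from dataclasses import dataclass
from typing import Dict

# Constructed sample modelled on the thread's log excerpt; "other-conn" is invented.
SAMPLE_LOG = """\
Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:09 uxcasxxx pluto[26817]: "other-conn"[3] 10.9.9.9:4500 #22: nat_traversal_new_mapping: address change currently not supported [10.9.9.9:4500,10.9.9.10:4500]
"""

# pluto refusing to move an existing SA to a new NAT address; captures old/new ip:port.
MAPPING_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): '
    r'nat_traversal_new_mapping: address change currently not supported '
    r'\[(?P<old>[^,\]]+),(?P<new>[^\]]+)\]'
)
# IKE from the peer's new address that pluto cannot match to any SA.
ORPHAN_RE = re.compile(
    r'pluto\[\d+\]: packet from (?P<src>\S+): Informational Exchange is for an unknown \(expired\?\) SA'
)
# ICMP error for a retransmission to the stale mapping.
NETERR_RE = re.compile(
    r'asynchronous network error report on \S+ for message to (?P<dst>\S+) port (?P<port>\d+), '
    r'complainant \S+: (?P<reason>[^\[]+) \['
)


@dataclass
class StaleMapping:
    conn: str
    sa: str
    old: str          # ip:port pluto still uses
    new: str          # ip:port the peer now arrives from
    refusals: int = 0
    orphans_from_new: int = 0
    old_unreachable: bool = False

    @property
    def verdict(self) -> str:
        # Once the new address is seen sending IKE that matches no SA, or the old
        # one is unreachable, the tunnel will not recover until the client re-initiates.
        if self.orphans_from_new or self.old_unreachable:
            return "DEAD: peer now at %s; pluto cannot update the mapping, client must re-initiate" % self.new
        return "SUSPECT: mapping change refused, no follow-up symptoms yet"


def analyze(log_text: str) -> Dict[str, StaleMapping]:
    """Return one StaleMapping per IKE SA number that pluto refused to re-map."""
    findings: Dict[str, StaleMapping] = {}
    for line in log_text.splitlines():
        m = MAPPING_RE.search(line)
        if m:
            f = findings.setdefault(m["sa"], StaleMapping(m["conn"], m["sa"], m["old"], m["new"]))
            f.refusals += 1
            continue
        m = ORPHAN_RE.search(line)
        if m:
            for f in findings.values():
                if f.new == m["src"]:
                    f.orphans_from_new += 1
            continue
        m = NETERR_RE.search(line)
        if m:
            dst = "%s:%s" % (m["dst"], m["port"])
            for f in findings.values():
                if f.old == dst and m["reason"].strip() == "No route to host":
                    f.old_unreachable = True
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG).values():
        print('%s #%s %s -> %s (refused %dx, orphans %d, old unreachable %s): %s'
              % (f.conn, f.sa, f.old, f.new, f.refusals, f.orphans_from_new, f.old_unreachable, f.verdict))
```

The correlation keys on the ip:port pairs pluto prints rather than on the connection name, because with `right=%any` several roadwarrior instances share one name. A daemon that does follow the peer to a new address has to accept the move only for packets that authenticate under the existing SA; otherwise anyone who can spoof the peer's source address could redirect the gateway's traffic for that tunnel, which is why such updates are tied to integrity-protected IKE messages rather than to the first packet seen from a new address.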

