[strongSwan] nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797, 50.1.1.228:1797]
Andreas Steffen
andreas.steffen at strongswan.org
Mon Apr 2 09:07:35 CEST 2012
Hi,
I recommend using the IKEv2 MOBIKE protocol
http://tools.ietf.org/html/rfc4555
which is activated by default in the charon daemon to communicate
to the other endpoint that the IP address has changed. Have a look
at the following example scenario:
http://www.strongswan.org/uml/testresults/ikev2/mobike-nat/
Regards
Andreas
On 04/01/2012 07:54 PM, SaRaVanAn wrote:
> Hi Andreas,
> Any update on this question? Waiting for your reply.
> Regards,
> Saravanan N
>
> On Fri, Mar 30, 2012 at 6:46 AM, SaRaVanAn
> <saravanan.nagarajan87 at gmail.com> wrote:
>
> Hi Andreas,
>
> Thanks for your prompt reply. I understand that IKEv2 will accept a
> dynamic port change.
> We are also trying to understand whether IKEv2 will accept a dynamic
> IP address change in NAT-T.
> For example:
> Let us assume the IPsec IKEv2 peer response timeout at the VPN client
> side is very high.
> After the VPN client is connected, if my NAT device (DSL modem) loses
> its connection with the ISP and comes back with a different IP
> address (note that the DSL modem would have cleared the old NAT
> entries), will the VPN connection continue without any disconnect
> using the new NATted IP address and port number?
>
> Regards,
> Saravanan N
>
>
> On Fri, Mar 30, 2012 at 6:40 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
> Hello,
>
> RFC 4306 defines IKEv2 whereas you are using the obsoleted IKEv1
> protocol. IKEv1 does not support the update of NAT ports whereas
> our IKEv2 charon daemon does.
>
> Regards
>
> Andreas
>
> On 03/30/2012 03:01 PM, SaRaVanAn wrote:
> > Hi,
> > It seems dynamic update of the other end's IP address in NAT
> > traversal is not supported in strongSwan.
> > According to RFC 4306, it should be supported as part of NAT
> > traversal.
> > Please find below the topology and the issue I'm facing.
> >
> >
> > Cisco VPN client ---------- Router1 ------------------------------ VPN Server (strongSwan)
> > 20.1.1.1              20.1.1.2   50.1.1.226 (eth1)                 50.1.1.227
> >
> > Iptables
> > ++++++
> > iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> >
> > I have established a VPN connection between the VPN client and the
> > VPN server with the NATted IP 50.1.1.226 to 50.1.1.227.
> > After some time, the eth1 interface IP address of Router1 changed to
> > 50.1.1.228, and the tunnel gets disturbed, throwing the following
> > error.
> >
> >
> > Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
> > Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
> > Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
> > Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
> > Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
> > Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
> > Mar 30 14:53:09 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
> > Mar 30 14:53:14 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
> > Mar 30 14:53:19 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
> >
> > Does strongSwan plan to implement a dynamic IP address update
> > feature in NAT-T?
> >
> >
> >
> > /etc/ipsec.conf
> > ++++++++++++
> > ca vpnca
> >     cacert=caCert.pem
> >     #crluri=crl.pem
> >     auto=add
> >
> > config setup
> >     plutostart=yes
> >     #plutodebug=control
> >     charonstart=no
> >     charondebug="net 0"
> >     nat_traversal=yes
> >     crlcheckinterval=10m
> >     strictcrlpolicy=no
> >
> > conn %default
> >     ikelifetime=60m
> >     keylife=20m
> >     keyexchange=ikev1
> >     rekeymargin=3m
> >     keyingtries=1
> >     #leftupdown="sudo -E ipsec _updown"
> >
> > # Add connections here.
> > conn cisco-vpn
> >     type=tunnel
> >     ike=aes256-sha1-modp1536!
> >     esp=aes256-sha1!
> >     #keyexchange=ikev2
> >     dpdaction=clear
> >     dpddelay=300s
> >     rekeymargin=3m
> >     keyingtries=1
> >     left=%defaultroute
> >     leftsubnet=0.0.0.0/0
> >     #leftsubnetwithin=10.3.1.1/24
> >     leftcert=dutCert.pem
> >     leftid="C=CH, O=strongSwan, CN=strongswan"
> >     right=%any
> >     #rightsourceip=%abcd
> >     leftfirewall=yes
> >     rightsourceip=30.1.1.1/24
> >     #rightsubnet=30.1.1.1/24
> >     pfs=no
> >     authby=xauthrsasig
> >     xauth=server
> >
> >
> > ipsec.secrets
> > +++++++++++
> > : RSA dutKey.pem
> > tester : XAUTH "tester"
> >
> >
> > Regards,
> > Saravanan N
> >
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
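As an added example (not code from this thread or from the strongSwan project), the script below parses the pluto messages quoted in the thread, groups the refused NAT mapping change per connection and SA number, and counts the later packets from the new address that pluto drops as an unknown SA, so an operator can see from the logs that an IKEv1 tunnel is dying for exactly this reason and move it to IKEv2, where MOBIKE handles the address change. The log lines are a constructed sample modelled on the quoted ones, with the mail-client link residue stripped.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto messages quoted in the thread.
SAMPLE_LOG = """\
Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
"""

# The refused mapping change: old and new NAT-mapped endpoint of the IKEv1 SA.
MAPPING_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): nat_traversal_new_mapping: '
    r'address change currently not supported '
    r'\[(?P<old>[\d.]+:\d+),(?P<new>[\d.]+:\d+)\]')
# Packets arriving from the new mapping after the refusal, dropped by pluto.
ORPHAN_RE = re.compile(
    r'packet from (?P<src>[\d.]+:\d+): Informational Exchange is for an unknown')


def analyse(log_text):
    """Group refused NAT mapping changes per (conn, SA number) and count the
    packets from the new address that pluto then rejects as an unknown SA."""
    events = {}
    orphans = defaultdict(int)
    for line in log_text.splitlines():
        m = MAPPING_RE.search(line)
        if m:
            key = (m['conn'], int(m['sa']))
            rec = events.setdefault(key, {'old': m['old'], 'new': m['new'],
                                          'refused': 0, 'orphaned': 0})
            rec['refused'] += 1
            continue
        m = ORPHAN_RE.search(line)
        if m:
            orphans[m['src']] += 1
    for rec in events.values():
        rec['orphaned'] = orphans.get(rec['new'], 0)
        # Same UDP port behind a new address is the signature of the NAT
        # device re-addressing, the case MOBIKE (IKEv2) is designed to survive.
        rec['port_kept'] = rec['old'].rsplit(':', 1)[1] == rec['new'].rsplit(':', 1)[1]
    return events


if __name__ == '__main__':
    for (conn, sa), rec in analyse(SAMPLE_LOG).items():
        print(f"{conn} SA#{sa}: mapping {rec['old']} -> {rec['new']} refused "
              f"{rec['refused']}x, {rec['orphaned']} packets from new address dropped")
```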