[strongSwan] IPSec SA's not coming up when the device is behind a NAT
Deepika Agarwal
deepi7.agarwal at gmail.com
Wed Apr 11 09:01:35 CEST 2012
Hello All,
I'm trying to set up an IPsec session using strongSwan when the client
device is behind a NAT router.
Here are the setup details:
Client ============ NAT router ============ IPSEC server ============ Subnet1
192.168.0.100      192.168.0.1 (LAN)        192.168.1.154 (WAN)        192.168.5.2
                   192.168.1.10 (WAN)       192.168.5.1 (LAN)
Subnet1 (192.168.5.2) is pingable from the client machine (192.168.0.100).
The tunnel should automatically come up whenever there is any traffic
from the client machine to Subnet1 (192.168.5.2). The tunnel should be
established between the client (192.168.0.100) and the
server (192.168.1.154).
Here is the ipsec.conf on the client:
conn android
    left=%any
    leftid="abc"
    leftsourceip=%config
    leftsubnet=192.168.0.100/24
    leftauth=eap-mschapv2
    eap_identity=deepika
    right=192.168.1.154
    rightid=192.168.1.154
    rightsubnet=192.168.5.2/32
    rightauth=pubkey
    auto=route
ipsec.conf on the server:
conn android
    left=192.168.1.154
    leftid=192.168.1.154
    leftsubnet=192.168.5.2/32
    leftcert=moonCert.pem
    leftauth=pubkey
    rightsourceip=192.168.0.100/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
When I send some traffic from the client to 192.168.5.2 (Subnet1),
the IKE SAs are created, but the IPsec SAs are not coming up.
Nor am I getting the ping reply on the client machine.
ESP packets are, however, being sent from the client to the server as:
Encrypted: src:192.168.1.10 dest: 192.168.1.154
After decryption: src:192.168.0.100 dest:192.168.5.2
But the server is not able to send any reply to this ESP packet.
Please suggest whether I'm missing something in the server configuration file.
Thanks in advance
Deepika
--
If you think you can or if you think you can't, you are right.
-Henry Ford
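As an added example (not part of the post above), a small Python model of IKEv2 traffic-selector narrowing applied to the two conn sections in the post: it shows which inner addresses a CHILD_SA built from them would cover, and whether a packet from the client's physical address 192.168.0.100 to 192.168.5.2 falls inside. It assumes the responder narrows the remote selector to the virtual IP it assigned from the rightsourceip pool, and the assigned address 192.168.0.1 is a constructed placeholder, not a value from the post.

```python
"""Model of IKEv2 traffic-selector (TS) narrowing for the two conn sections in
the post.  Added illustration only, not strongSwan code.  The assigned virtual
IP (192.168.0.1) is a constructed assumption, not taken from the post."""
from ipaddress import ip_address, ip_network


def narrow(proposed, allowed):
    """Intersect two CIDR blocks.  CIDR blocks are either nested or disjoint,
    so the intersection is the smaller one, or None when they do not overlap.
    An IKEv2 responder narrows the initiator's proposal this way; if nothing
    is left it answers TS_UNACCEPTABLE and no CHILD_SA is created."""
    proposed = ip_network(proposed, strict=False)   # 192.168.0.100/24 -> /24
    allowed = ip_network(allowed, strict=False)
    if proposed.subnet_of(allowed):
        return proposed
    if allowed.subnet_of(proposed):
        return allowed
    return None


# Client conn, from the post: leftsubnet=192.168.0.100/24, rightsubnet=192.168.5.2/32
CLIENT_TSI, CLIENT_TSR = "192.168.0.100/24", "192.168.5.2/32"
# Server conn, from the post: leftsubnet=192.168.5.2/32 and a virtual-IP pool
# rightsourceip=192.168.0.100/24; the remote selector becomes the one address
# handed out of that pool.  Which address is an assumption (constructed value).
ASSIGNED_VIP = "192.168.0.1/32"
SERVER_TSI, SERVER_TSR = ASSIGNED_VIP, "192.168.5.2/32"


def child_sa_policy():
    """Return the narrowed (TSi, TSr) pair the CHILD_SA would be built from."""
    return narrow(CLIENT_TSI, SERVER_TSI), narrow(CLIENT_TSR, SERVER_TSR)


def check_packet(src, dst):
    """True if an inner packet src -> dst matches the narrowed policy; a reply
    that does not match it is dropped instead of being sent back in ESP."""
    tsi, tsr = child_sa_policy()
    if tsi is None or tsr is None:
        return False
    return ip_address(src) in tsi and ip_address(dst) in tsr


if __name__ == "__main__":
    print("narrowed policy:", child_sa_policy())
    print("192.168.0.100 -> 192.168.5.2 covered:", check_packet("192.168.0.100", "192.168.5.2"))
    print("192.168.0.1   -> 192.168.5.2 covered:", check_packet("192.168.0.1", "192.168.5.2"))
```

Comparing the narrowed selectors with the inner source address seen in the decrypted ESP packet (192.168.0.100 in the post) is the check to make against the actual virtual IP the server assigned.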