[strongSwan] IPSec SA's not coming up when the device is behind a NAT

Deepika Agarwal deepi7.agarwal at gmail.com
Wed Apr 11 09:01:35 CEST 2012


Hello All,

I'm trying to set up an IPsec session using strongSwan when the client
device is behind a NAT router.
Here are the setup details:


Client ============ NAT router ============ IPsec server ============ Subnet1
192.168.0.100      192.168.0.1 (inside)     192.168.1.154 (outside)   192.168.5.2
                   192.168.1.10 (outside)   192.168.5.1 (inside)

Subnet1 (192.168.5.2) is pingable from the client machine (192.168.0.100).

The tunnel should automatically come up whenever there is any traffic
from the client machine to Subnet1 (192.168.5.2). The tunnel should be
established between the client (192.168.0.100) and
server(192.168.1.154).

Here is the ipsec.conf on client:

conn android
    left=%any
    leftid="abc"
    leftsourceip=%config
    leftsubnet=192.168.0.100/24
    leftauth=eap-mschapv2
    eap_identity=deepika
    right=192.168.1.154
    rightid=192.168.1.154
    rightsubnet=192.168.5.2/32
    rightauth=pubkey
    auto=route


ipsec.conf on server:

conn android
    left=192.168.1.154
    leftid=192.168.1.154
    leftsubnet=192.168.5.2/32
    leftcert=moonCert.pem
    leftauth=pubkey
    rightsourceip=192.168.0.100/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add


When I send some traffic from the client to 192.168.5.2 (Subnet1),
the IKE SAs are created, but the IPsec SAs are not coming up,
and I'm not getting the ping reply on the client machine either.
ESP packets are, however, being sent from client to server as:
Encrypted:  src: 192.168.1.10  dest: 192.168.1.154
After decryption:  src: 192.168.0.100  dest: 192.168.5.2

But the server is not able to send any reply to this ESP packet.
Please suggest if I'm missing something in the server configuration file.

Thanks in advance
Deepika

-- 
If you think you can or if you think you can't, you are right.
-Henry Ford
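For comparison, the standard strongSwan road-warrior layout with a virtual IP behind NAT, added here as an example; it is not taken from the post above or from any reply to it. It differs from the posted configuration in two places: the client sets no leftsubnet, so the local traffic selector is the virtual IP obtained through leftsourceip=%config rather than the client's real 192.168.0.0/24 LAN, and the server's rightsourceip pool is a range that does not overlap any real subnet on either side. The pool 10.3.0.0/24, the protected subnet 192.168.5.0/24, right=%any on the server and keyexchange=ikev2 (EAP-MSCHAPv2 is only defined for IKEv2) are assumptions of this example; leftid, the certificate file and the EAP identity are taken from the post.

```ini
# Client (road warrior behind the NAT router), /etc/ipsec.conf
conn android
    keyexchange=ikev2
    left=%any
    leftid="abc"
    leftsourceip=%config        # request a virtual IP from the server's pool;
                                # with no leftsubnet the virtual IP becomes the
                                # local traffic selector (not 192.168.0.0/24)
    leftauth=eap-mschapv2
    eap_identity=deepika
    right=192.168.1.154
    rightid=192.168.1.154       # must match a subjectAltName in moonCert.pem
    rightsubnet=192.168.5.0/24  # assumed: whole subnet behind the server
    rightauth=pubkey
    auto=route

# Server (IPsec gateway), /etc/ipsec.conf
conn android
    keyexchange=ikev2
    left=192.168.1.154
    leftid=192.168.1.154
    leftsubnet=192.168.5.0/24
    leftcert=moonCert.pem
    leftauth=pubkey
    leftfirewall=yes            # let the updown script add FORWARD rules for the pool
    right=%any                  # assumed: accept any peer address, NAT-T is detected automatically
    rightsourceip=10.3.0.0/24   # assumed pool; must not overlap 192.168.0.0/24 or 192.168.5.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add
```

Once the tunnel is up, `ipsec statusall` on either side should list the CHILD_SA with selectors of the form `10.3.0.x/32 === 192.168.5.0/24`, and since the client is behind NAT the ESP traffic is carried in UDP on port 4500. Hosts on 192.168.5.0/24 also need a route back to 10.3.0.0/24 via the gateway's inside address (192.168.5.1 in the diagram above), or the gateway has to source-NAT the pool; otherwise the ping reaches 192.168.5.2 but the reply never finds its way back into the tunnel.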