[strongSwan] IPSec SA's not coming up when the device is behind a NAT

Deepika Agarwal deepi7.agarwal at gmail.com
Fri Apr 13 09:38:06 CEST 2012

Hi Tobias,

I tried the second option of setting a static virtual ip to the client
and same subnet as the rightsourceip on server.


conn android


  conn android

But still the client is not able to pick up the virtual IP address for installing the routes.

ipsec statusall on client:

Listening IP addresses:
     android:  %any...
     android:   local:  [abc] uses EAP_MSCHAPV2 authentication with
EAP identity 'deepika'
     android:   remote: [] uses public key authentication
     android:   child:  dynamic === TUNNEL
Routed Connections:
     android{1}:  ROUTED, TUNNEL
     android{1}: ===
Security Associations (1 up, 0 connecting):
     android[2]: ESTABLISHED 4 seconds ago,[abc]...[]
     android[2]: IKE SPIs: bf44a3ca69840a0a_i* af70f0ddb6d8e14a_r, EAP
reauthentication in 46 minutes
     android[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

As you can see, the installed policy is for ===. Am I missing something here?


On Thu, Apr 12, 2012 at 3:18 PM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Deepika,
>> I was wondering if
>>> auto=route with
>>> leftsourceip=%config is currently not supported
>> then how will the client get the virtual ip address in case of an
>> automatic tunnel establishment as per the established traffic
>> selectors (auto=route)
> The problem is that the client does generally not know the virtual IP
> address assigned by the gateway.  So if you wanted to actually use the
> virtual IP address inside of the IPsec tunnel you'd have to install that
> (unknown) address on your system and install a trap policy that matches
> packets sent from this (unknown) address.  Additionally, a source route
> is most likely required to force the use of this (still unknown) IP
> address otherwise the packets will be addressed with the native IP
> address of the client and the trap policy will not be matched.  Due to
> this auto=route does not work with virtual IPs in general.
>> My primary goal is to start the IPSec tunnel automatically whenever
>> there is any traffic from the RW client to the subnet behind the GW
>> (i.e
> Ok, see below for a possible workaround.
>> Following configs seems to be working, but the virtual ip from the
>> pool is not assigned to the client.
>> client:
>> conn android
>>     ...
>>     leftsubnet=
>>     ...
>> server:
>> conn android
>>     ...
>>     rightsourceip=
>>     rightsubnet=
>>     ...
> With this config you simply force the client to the following traffic
> selector
>>      android{1}: ===
> so the virtual IP (probably does not fit into this and is not
> assigned.
>> However, if I do auto=add on the client side and remove leftsubnet(on
>> the client side) and rightsubnet(on the server side), virtual ip
>> address is successfully installed and used.
> Yes that's the typical RW setup where left|rightsubnet is automatically
> derived from the assigned virtual IP address.
>> Please suggest if there is any workaround to fetch the virtual ip in
>> the case of "auto=route" option.
> There is but you have to assign fixed virtual IP addresses to each
> client (based on their leftid) and the clients have to know the IP
> beforehand.  To do that you can either add individual conn sections for
> each client with their rightid and rightsource=x.x.x.x/32 set or you use
> the attr-sql plugin which allows you to add fixed leases in the database
> (see [1], for an example see [2]).  Then you can configure the clients
> with leftsubnet=x.x.x.x/32, leftsourceip=%config and auto=route.  You
> should also be able to use leftsourceip=x.x.x.x/32 on the clients and
> the server should accept that proposal (when configured with e.g.
> rightsourceip=x.x.x.0/24) if the requested IP address is free, but it
> will break again if it is not.
> Regards,
> Tobias
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/Attrsql
> [2] http://strongswan.org/uml/testresults/sql/ip-pool-db-restart/index.html

If you think you can or if you think you can't, you are right.
-Henry Ford
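The following ipsec.conf fragments are an added example of the fixed-lease workaround Tobias describes, not configuration from this thread or from the strongSwan project. The IKE identity `abc` and EAP identity `deepika` are taken from the thread; the gateway name `gw.example.com`, the certificate file name, and all addresses (10.1.0.0/16 behind the gateway, 10.3.0.10/32 as the client's fixed virtual IP) are constructed, and the thread's `rightsource=` is assumed to mean `rightsourceip=`.

```ini
; --- gateway (server) ipsec.conf, one conn per road warrior ---
conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp2048!
    esp=aes128-sha1!

conn rw-deepika
    left=gw.example.com             ; assumed gateway name
    leftcert=gwCert.pem             ; assumed certificate file
    leftid=@gw.example.com
    leftsubnet=10.1.0.0/16          ; constructed subnet behind the gateway
    right=%any
    rightid=abc                     ; IKE identity the client presents (leftid on the client)
    rightauth=eap-mschapv2
    eap_identity=%identity          ; ask the client for its EAP identity
    rightsourceip=10.3.0.10/32      ; fixed virtual IP reserved for this client only
    auto=add

; --- client ipsec.conf ---
conn android
    left=%defaultroute
    leftid=abc
    leftauth=eap-mschapv2
    eap_identity=deepika
    leftsourceip=%config            ; request the virtual IP from the gateway
    leftsubnet=10.3.0.10/32         ; the client must know its fixed IP beforehand
    right=gw.example.com
    rightid=@gw.example.com
    rightauth=pubkey
    rightsubnet=10.1.0.0/16         ; traffic to this subnet triggers the trap policy
    auto=route
```

Because the client now knows its virtual IP before any IKE exchange, the trap policy installed by `auto=route` can match packets sourced from 10.3.0.10, and `ipsec statusall` on the client should list the routed connection with the client's /32 rather than its native address on the left of the `===`. Keeping the lease per client (a /32 bound to one `rightid`) is also what prevents the address from being handed out to another peer, which is the failure case Tobias mentions for the `leftsourceip=x.x.x.x/32` variant.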
