[strongSwan] need to find a host-host configuration for strongswan with NAT.
ramakanth varala
ramakanth.varala at gmail.com
Mon Dec 3 20:43:58 CET 2012
Hello all,
I get the below error in the log:
"host-host" #2: Quick Mode I1 message is unacceptable because it uses
a previously used Message ID 0xd964a2a1 (perhaps this is a duplicated
packet)
"
"host-host" #2: sending encrypted notification INVALID_MESSAGE_ID to
10.90.200.22:500
Any ideas why I am getting this?
Thanks
--rama kanth
On 11/30/12, ramakanth varala <ramakanth.varala at gmail.com> wrote:
> Hello all,
>
> I am having two VPN servers behind NAT as shown below.
>
>
> ______________ ___________
> ___________ _____________ __
> | 192.168.1.254 |_________| 192.168.1.1 | ___________________
> | 192.168.1.1 |=====|192.168.1.254 (B) |
> |_(PC A) _______| | 10.10.15.3 | ====> |10.10.15.1
> (router) |=====>| 10.10.15.8 | |_______________ |
> --------------------
> ---------------------------------- ---------------------
>
> The ipsec.conf I am currently using at PC A is the following:
>
>
> config setup
>     charonstart=no
>     plutodebug=all
>     plutostderrlog=/var/pluto.txt
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     nat_traversal=yes
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     auto=add
>     authby=secret
>
> conn host-host
>     right=192.168.1.254
>     left=%defaultroute
>     leftsubnet=192.168.1.0/24
>     leftnexthop=192.168.1.1
>     rightsubnet=192.168.1.0/24
>     rightnexthop=10.10.15.8
>     #rightid=@sun.strongswan.org
>     auto=add
>     authby=secret
>
> and the ipsec.conf at PC B:
>
> config setup
>     charonstart=no
>     plutodebug=all
>     plutostderrlog=/var/pluto.txt
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     nat_traversal=yes
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     auto=add
>     authby=secret
>
> conn host-host
>     right=192.168.1.254
>     left=%defaultroute
>     leftsubnet=192.168.1.0/24
>     leftnexthop=192.168.1.1
>     rightsubnet=192.168.1.0/24
>     rightnexthop=10.10.15.3
>     #rightid=@sun.strongswan.org
>     auto=add
>     authby=secret
>
>
> When I do ipsec up host-host I get the error below:
>
>
> 022 "host-host": we have no ipsecN interface for either end of this
> connection
>
>
> Where exactly am I going wrong? Can anybody help me here?
>
> thanks
> Rama Kanth
>
>
> On Sun, Aug 19, 2012 at 12:27 PM, Andreas Steffen <
> andreas.steffen at strongswan.org> wrote:
>> You need the parameter
>>
>> auto=add
>>
>> because the default is auto=ignore which doesn't load the
>> connection definition. pluto doesn't support left=%any,
>> either define an IP address or write
>>
>> left=%defaultroute
>>
>> For the initiator you have to give an IP address for right so
>> it can actively connect to the responder.
>>
>> Regards
>>
>> Andreas
>>
>> On 08/18/2012 05:07 PM, ramakanth varala wrote:
>>> Hello all,
>>>
>>> I am new to strongswan, I am trying to run strongswan on my target
>>> board and a RHEL6 machine connected to that.
>>>
>>> My aim is to run the strongswan VPN server on my target board with a
>>> host-host tunnel to my Linux machine connected to that.
>>>
>>> There are a lot of missing blocks for me.
>>>
>>> 1) Whenever I try to run ipsec (either on my target board or on
>>> my Linux machine) with some configuration like below
>>>
>>> ipsec.conf
>>> ========
>>>
>>> config setup
>>>     #charonstart=no
>>>     plutostart=yes
>>>
>>> conn %default
>>>     left=%any
>>>     right=%any
>>>     authby=psk
>>>
>>>
>>> ipsec.secrets
>>> ===========
>>> %any %any : PSK "123456"
>>>
>>>
>>> I see that it does not show anything when I type ipsec status
>>>
>>> 2) I often see my ipsec.conf getting autogenerated, which wipes out
>>> whatever configuration I kept
>>>
>>> 3) Here my aim is to establish the simplest configuration to have a VPN
>>> tunnel between my target board and my Linux machine. If anybody can
>>> suggest a simple configuration related to it, that would be really
>>> helpful.
>>>
>>> I am running strongswan 4.6.1
>>>
>>> thanks
>>
>> ======================================================================
>> Andreas Steffen andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution! www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>
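
The three points from Andreas Steffen's reply quoted above (auto=add, no left=%any with pluto, an address for right on the initiator), written as a small ipsec.conf check. This is an added example, not part of the original thread and not strongSwan code: `parse` and `lint` are hypothetical helpers, and both sample configurations are constructed from values quoted in the thread.

```python
SAMPLE = """\
conn %default
    left=%any
    right=%any
    authby=psk

conn host-host
    keyexchange=ikev1
"""  # constructed: %default from the first config in the thread, hypothetical conn

FIXED = """\
conn %default
    authby=psk

conn host-host
    left=%defaultroute
    right=192.168.1.254
    auto=add
"""  # constructed: same conn with the advice from the reply applied

def parse(text):
    """Return {(kind, name): {key: value}}; parameters are the indented lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # "config setup" / "conn NAME"
            current = sections.setdefault(tuple(line.split()), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def lint(text, initiator=True):
    """Return (conn, parameter) pairs that conflict with the reply's advice."""
    sections = parse(text)
    defaults = sections.get(("conn", "%default"), {})
    findings = []
    for header, params in sections.items():
        if len(header) != 2 or header[0] != "conn" or header[1] == "%default":
            continue
        conn = {**defaults, **params}             # %default values are inherited
        if conn.get("auto", "ignore") == "ignore":
            findings.append((header[1], "auto"))  # definition is never loaded
        if conn.get("left") == "%any":
            findings.append((header[1], "left"))  # pluto: use an IP or %defaultroute
        if initiator and conn.get("right", "%any") == "%any":
            findings.append((header[1], "right")) # initiator needs a peer address
    return findings
```

`lint(SAMPLE)` reports all three parameters for `host-host`; `lint(FIXED)` reports none.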