[strongSwan] strongswan 5.0.1, iOS4.3.5, problems when client is not behind NAT

Klaus Darilion klaus.mailinglists at pernau.at
Fri Dec 28 13:30:02 CET 2012


Hi!

I have set up strongSwan 5.0.1 with certificate authentication. The 
tunnel creation works fine, and if the iPhone is behind NAT, strongSwan 
detects the NAT, uses port 4500 and everything works fine.

But if the iPhone is not behind NAT, the tunnel creation works fine, but 
then, if I want to surf on the iPhone, it does not work. Attached is the 
output of "tail -f /var/log/syslog|grep charon" multiplexed with 
"tcpdump -i any -n port 500 or 4500 or host 192.168.102.2":

There is some traffic after the tunnel is created, but what kind of 
traffic is this? "real" traffic or some "keep alive" traffic?

Any ideas why it does not work when the client uses a public IP address?

Is it possible to force "NAT" behavior also if clients are not behind NAT?

Any hints are appreciated.

Thanks
Klaus


# ipsec.conf - strongSwan IPsec configuration file
##################################################
config setup
         charondebug=all

conn RoadWarrior-CiscoIPsec-klaus
         type=tunnel
         dpdaction=clear
         dpddelay=60
         dpdtimeout=60
         keyexchange=ikev1
         authby=xauthrsasig
         xauth=server
         left=%defaultroute
         leftsubnet=0.0.0.0/0
         leftfirewall=yes
         leftcert=serverCert.pem
         right=%any
         rightsourceip=192.168.102.2
         rightcert=clientCert.pem
         auto=add


# strongswan.conf - strongSwan configuration file
#################################################
charon {
         threads = 16
         dns1=192.168.99.1
}


### starting VPN on the iPhone

13:16:10.265524 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 1 I ident
Dec 28 13:16:10 ds3000 charon: 16[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:10 ds3000 charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V ]
Dec 28 13:16:10 ds3000 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
13:16:10.267013 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 1 R ident
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received XAuth vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received Cisco Unity vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received DPD vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] 151.217.223.75 is initiating a Main Mode IKE_SA
Dec 28 13:16:10 ds3000 charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
Dec 28 13:16:10 ds3000 charon: 16[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:10.530963 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 1 I ident
Dec 28 13:16:10 ds3000 charon: 14[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:10 ds3000 charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 28 13:16:10 ds3000 charon: 14[IKE] sending cert request for "C=CH, O=MY.DOMAIN strongSwan, CN=MY.DOMAIN strongSwan CA"
Dec 28 13:16:10 ds3000 charon: 14[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Dec 28 13:16:10 ds3000 charon: 14[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:10.557742 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 1 R ident
13:16:11.555726 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 1 I ident[E]
Dec 28 13:16:11 ds3000 charon: 11[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:11 ds3000 charon: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Dec 28 13:16:11 ds3000 charon: 11[IKE] ignoring certificate request without data
Dec 28 13:16:11 ds3000 charon: 11[IKE] received end entity cert "C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus"
Dec 28 13:16:11 ds3000 charon: 11[CFG] looking for XAuthInitRSA peer configs matching MY.IPSEC.SER.VER...151.217.223.75[C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus]
Dec 28 13:16:11 ds3000 charon: 11[CFG] selected peer config "RoadWarrior-CiscoIPsec-klaus"
Dec 28 13:16:11 ds3000 charon: 11[CFG]   using trusted ca certificate "C=CH, O=MY.DOMAIN strongSwan, CN=MY.DOMAIN strongSwan CA"
Dec 28 13:16:11 ds3000 charon: 11[CFG] checking certificate status of "C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus"
Dec 28 13:16:11 ds3000 charon: 11[CFG] certificate status is not available
Dec 28 13:16:11 ds3000 charon: 11[CFG]   reached self-signed root ca with a path length of 0
Dec 28 13:16:11 ds3000 charon: 11[CFG]   using trusted certificate "C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus"
Dec 28 13:16:11 ds3000 charon: 11[IKE] authentication of 'C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus' with RSA successful
Dec 28 13:16:11 ds3000 charon: 11[IKE] authentication of 'C=CH, O=MY.DOMAIN strongSwan VPN, CN=MY.DOMAIN' (myself) successful
Dec 28 13:16:11 ds3000 charon: 11[IKE] sending end entity cert "C=CH, O=MY.DOMAIN strongSwan VPN, CN=MY.DOMAIN"
Dec 28 13:16:11 ds3000 charon: 11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Dec 28 13:16:11 ds3000 charon: 11[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:11.566784 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 1 R ident[E]
Dec 28 13:16:11 ds3000 charon: 11[ENC] generating TRANSACTION request 1459394581 [ HASH CP ]
Dec 28 13:16:11 ds3000 charon: 11[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:11.567165 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R #6[E]
13:16:11.930631 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I #6[E]
13:16:11.930937 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R #6[E]
Dec 28 13:16:11 ds3000 charon: 15[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:11 ds3000 charon: 15[ENC] parsed TRANSACTION response 1459394581 [ HASH CP ]
Dec 28 13:16:11 ds3000 charon: 15[IKE] XAuth authentication of 'klaus' successful
Dec 28 13:16:11 ds3000 charon: 15[ENC] generating TRANSACTION request 2063302200 [ HASH CP ]
Dec 28 13:16:11 ds3000 charon: 15[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:12.062785 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I #6[E]
13:16:12.062799 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I #6[E]
Dec 28 13:16:12 ds3000 charon: 03[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
13:16:12.063686 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R #6[E]
Dec 28 13:16:12 ds3000 charon: 03[ENC] parsed TRANSACTION response 2063302200 [ HASH CP ]
Dec 28 13:16:12 ds3000 charon: 03[IKE] IKE_SA RoadWarrior-CiscoIPsec-klaus[7] established between MY.IPSEC.SER.VER[C=CH, O=MY.DOMAIN strongSwan VPN, CN=MY.DOMAIN]...151.217.223.75[C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus]
Dec 28 13:16:12 ds3000 charon: 03[IKE] scheduling reauthentication in 10229s
Dec 28 13:16:12 ds3000 charon: 03[IKE] maximum IKE_SA lifetime 10769s
Dec 28 13:16:12 ds3000 charon: 03[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:12 ds3000 charon: 03[ENC] unknown attribute type (28683)
Dec 28 13:16:12 ds3000 charon: 03[ENC] parsed TRANSACTION request 4096269604 [ HASH CP ]
Dec 28 13:16:12 ds3000 charon: 03[IKE] peer requested virtual IP %any
Dec 28 13:16:12 ds3000 charon: 03[CFG] reassigning offline lease to 'klaus'
Dec 28 13:16:12 ds3000 charon: 03[IKE] assigning virtual IP 192.168.102.2 to peer 'klaus'
Dec 28 13:16:12 ds3000 charon: 03[ENC] generating TRANSACTION response 4096269604 [ HASH CP ]
Dec 28 13:16:12 ds3000 charon: 03[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:12.230672 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I oakley-quick[E]
13:16:12.231252 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R oakley-quick[E]
Dec 28 13:16:12 ds3000 charon: 01[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:12 ds3000 charon: 01[ENC] parsed QUICK_MODE request 2753132480 [ HASH SA No ID ID ]
Dec 28 13:16:12 ds3000 charon: 01[ENC] generating QUICK_MODE response 2753132480 [ HASH SA No ID ID ]
Dec 28 13:16:12 ds3000 charon: 01[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:12.305790 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I oakley-quick[E]
Dec 28 13:16:12 ds3000 charon: 13[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:12 ds3000 charon: 13[ENC] parsed QUICK_MODE request 2753132480 [ HASH ]
Dec 28 13:16:12 ds3000 charon: 13[IKE] CHILD_SA RoadWarrior-CiscoIPsec-klaus{7} established with SPIs c2e60017_i 00857b31_o and TS 0.0.0.0/0 === 192.168.102.2/32

### tunnel was created successfully

### now doing nothing on the client, waiting for DPD

13:17:12.063615 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]
Dec 28 13:17:12 ds3000 charon: 12[IKE] sending DPD request
Dec 28 13:17:12 ds3000 charon: 12[ENC] generating INFORMATIONAL_V1 request 3313085811 [ HASH N(DPD) ]
Dec 28 13:17:12 ds3000 charon: 12[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:17:12.223312 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:17:12 ds3000 charon: 02[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:17:12 ds3000 charon: 02[ENC] parsed INFORMATIONAL_V1 request 2999607135 [ HASH N(DPD_ACK) ]

### it seems DPD works fine

### now starting the web browser on the iPhone and checking emails on the iPhone

13:17:32.289868 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
13:17:32.290474 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]
Dec 28 13:17:32 ds3000 charon: 03[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:17:32 ds3000 charon: 03[ENC] parsed INFORMATIONAL_V1 request 2805476239 [ HASH N(DPD) ]
Dec 28 13:17:32 ds3000 charon: 03[ENC] generating INFORMATIONAL_V1 request 1836150469 [ HASH N(DPD_ACK) ]
Dec 28 13:17:32 ds3000 charon: 03[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]

13:17:51.383557 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:17:51 ds3000 charon: 01[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:17:51 ds3000 charon: 01[ENC] parsed INFORMATIONAL_V1 request 2896228455 [ HASH N(DPD) ]
Dec 28 13:17:51 ds3000 charon: 01[ENC] generating INFORMATIONAL_V1 request 3272131721 [ HASH N(DPD_ACK) ]
Dec 28 13:17:51 ds3000 charon: 01[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:17:51.384221 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]

13:18:11.603111 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:18:11 ds3000 charon: 13[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:18:11 ds3000 charon: 13[ENC] parsed INFORMATIONAL_V1 request 2435256353 [ HASH N(DPD) ]
Dec 28 13:18:11 ds3000 charon: 13[ENC] generating INFORMATIONAL_V1 request 1970616359 [ HASH N(DPD_ACK) ]
Dec 28 13:18:11 ds3000 charon: 13[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:18:11.603817 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]

13:18:31.676626 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:18:31 ds3000 charon: 11[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:18:31 ds3000 charon: 11[ENC] parsed INFORMATIONAL_V1 request 3672642392 [ HASH N(DPD) ]
Dec 28 13:18:31 ds3000 charon: 11[ENC] generating INFORMATIONAL_V1 request 382103556 [ HASH N(DPD_ACK) ]
Dec 28 13:18:31 ds3000 charon: 11[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:18:31.677332 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]

13:18:51.826454 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:18:51 ds3000 charon: 15[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
13:18:51.827100 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]
Dec 28 13:18:51 ds3000 charon: 15[ENC] parsed INFORMATIONAL_V1 request 2379163917 [ HASH N(DPD) ]
Dec 28 13:18:51 ds3000 charon: 15[ENC] generating INFORMATIONAL_V1 request 3939530675 [ HASH N(DPD_ACK) ]
Dec 28 13:18:51 ds3000 charon: 15[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]

### there is some traffic, but what kind of traffic is this? "real" traffic or some "keep alive" traffic?
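As an added example (not part of Klaus's post or of strongSwan's own tooling), a small Python classifier for the multiplexed charon/tcpdump format shown above: it separates DPD keepalives (INFORMATIONAL_V1 exchanges carrying N(DPD)/N(DPD_ACK)) from data-plane ESP packets and checks whether an observed ESP SPI belongs to the CHILD_SA the server logged. The sample input is a constructed excerpt; its ESP line is constructed too, since the post's capture contains none (ESP between the two public addresses carries no UDP port and would not match the filter "port 500 or 4500 or host 192.168.102.2").

```python
import re
from collections import Counter

# Constructed excerpt modelled on the multiplexed charon/tcpdump output in the post.
# The final ESP line is constructed to show what data-plane traffic would look like.
SAMPLE_LOG = """\
Dec 28 13:16:12 ds3000 charon: 13[IKE] CHILD_SA RoadWarrior-CiscoIPsec-klaus{7} established with SPIs c2e60017_i 00857b31_o and TS 0.0.0.0/0 === 192.168.102.2/32
Dec 28 13:17:12 ds3000 charon: 12[ENC] generating INFORMATIONAL_V1 request 3313085811 [ HASH N(DPD) ]
Dec 28 13:17:12 ds3000 charon: 02[ENC] parsed INFORMATIONAL_V1 request 2999607135 [ HASH N(DPD_ACK) ]
Dec 28 13:17:32 ds3000 charon: 03[ENC] parsed INFORMATIONAL_V1 request 2805476239 [ HASH N(DPD) ]
Dec 28 13:17:32 ds3000 charon: 03[ENC] generating INFORMATIONAL_V1 request 1836150469 [ HASH N(DPD_ACK) ]
Dec 28 13:17:51 ds3000 charon: 01[ENC] parsed INFORMATIONAL_V1 request 2896228455 [ HASH N(DPD) ]
Dec 28 13:17:51 ds3000 charon: 01[ENC] generating INFORMATIONAL_V1 request 3272131721 [ HASH N(DPD_ACK) ]
13:17:40.000000 IP 151.217.223.75 > MY.IPSEC.SER.VER: ESP(spi=0xc2e60017,seq=0x1), length 116
"""

CHILD_SA_RE = re.compile(r"CHILD_SA (\S+) established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o and TS (.+)$")
DPD_RE = re.compile(r"(generating|parsed) INFORMATIONAL_V1 request \d+ \[ HASH N\((DPD|DPD_ACK)\) \]")
ESP_RE = re.compile(r"\bESP\(spi=0x([0-9a-f]+),")


def classify(log_text):
    """Split the capture into control-plane (DPD) and data-plane (ESP) events.

    Returns the negotiated CHILD_SAs, per-direction DPD counts, the number of
    ESP packets seen, and whether any ESP SPI matches a logged CHILD_SA.
    """
    child_sas, esp_spis, dpd = [], [], Counter()
    for line in log_text.splitlines():
        if m := CHILD_SA_RE.search(line):
            child_sas.append({"name": m[1], "spi_in": m[2], "spi_out": m[3], "ts": m[4]})
        elif m := DPD_RE.search(line):
            # 'generating' means this gateway sent it, 'parsed' means the peer sent it
            who = "local" if m[1] == "generating" else "peer"
            dpd[f"{who}_{m[2].lower()}"] += 1
        elif m := ESP_RE.search(line):
            esp_spis.append(m[1])
    known = {sa["spi_in"] for sa in child_sas} | {sa["spi_out"] for sa in child_sas}
    return {
        "child_sas": child_sas,
        "dpd": dict(dpd),
        "esp_packets": len(esp_spis),
        "esp_for_known_sa": any(spi in known for spi in esp_spis),
    }


if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for sa in result["child_sas"]:
        print(f"CHILD_SA {sa['name']}: in {sa['spi_in']} out {sa['spi_out']} TS {sa['ts']}")
    print("DPD keepalives:", result["dpd"])
    print("ESP packets:", result["esp_packets"], "matching a CHILD_SA" if result["esp_for_known_sa"] else "")
```

Run against the full capture from the post, every post-establishment packet on port 500 is counted as a DPD request or acknowledgement and the ESP count stays at zero, which is what the log shows rather than user traffic.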

