[strongSwan] Need help with vpn setup
Niccolò Belli
darkbasic at linuxsystems.it
Tue Feb 21 19:55:04 CET 2012
Hi,
Host A is a server with two ADSL lines attached; it has two public IPs plus
a 16-IP public subnet. It also has dozens of Xen virtual machines
(routed networking) and several gigabit Ethernet interfaces. It has ingress
shaping, egress shaping, spoofing load balancing for the virtual
machines and NAT load balancing for the NATed clients. The firewall
alone is 5000+ lines, so it's quite a nightmare trying to figure out why
the VPN does not work (especially considering I'm quite a newbie
regarding IPsec VPNs).
Host B is a roadwarrior, a laptop behind NAT.
I will try to simplify:
Host A internal interface is eth1 (192.168.1.0/24) and has IP 192.168.1.254.
Host A external interface is nas0 and has IP 1.2.3.4.
Clients from the 192.168.1.0/24 subnet are NATed behind 1.2.3.4.
Host B's (private) IP is in the 192.168.20.0/24 range.
I want the roadwarrior (host B) to be able to ping the 192.168.1.0/24
clients.
Host A ipsec.conf:
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.20.0/24
    charonstart=yes
    plutostart=yes

conn server-laptop
    authby=rsasig
    keyexchange=ikev1
    leftfirewall=no
    left=1.2.3.4
    leftsubnet=192.168.1.0/24
    leftrsasigkey=0sAQPag...
    right=%any
    rightsubnet=vhost:%no,%priv
    rightid=@laptop
    rightrsasigkey=0sAQNo...
    type=tunnel
    auto=add
Host B ipsec.conf:
config setup
    nat_traversal=yes
    virtual_private=%v4:192.168.20.0/24
    charonstart=yes
    plutostart=yes

conn server-laptop
    authby=rsasig
    keyexchange=ikev1
    leftfirewall=no
    left=%defaultroute
    leftid=@laptop
    leftrsasigkey=0sAQNoWm...
    right=1.2.3.4
    rightsubnet=192.168.1.0/24
    rightrsasigkey=0sAQPag...
    type=tunnel
    auto=start
Host A firewall:
DROP policy (INPUT, OUTPUT, FORWARD)
iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1/0xFFFF0FFF
iptables -A INPUT -m mark --mark 1/0xFFFF0FFF -j ACCEPT
iptables -A OUTPUT -m mark --mark 1/0xFFFF0FFF -j ACCEPT
iptables -A FORWARD -m mark --mark 1/0xFFFF0FFF -j ACCEPT
iptables -A INPUT -i nas0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i nas0 -p udp --sport 500 -j ACCEPT
iptables -A INPUT -i nas0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i nas0 -p udp --sport 4500 -j ACCEPT
iptables -A INPUT -i nas0 -p 50 -j ACCEPT
iptables -A OUTPUT -o nas0 -p udp --sport 500 -j ACCEPT
iptables -A OUTPUT -o nas0 -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -o nas0 -p udp --sport 4500 -j ACCEPT
iptables -A OUTPUT -o nas0 -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -o nas0 -p 50 -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o nas0 -j SNAT --to-source 1.2.3.4
Host A /var/log/auth.log:
Feb 21 18:29:27 firewall pluto[12165]: packet from 2.193.36.91:500: received Vendor ID payload [strongSwan]
Feb 21 18:29:27 firewall pluto[12165]: packet from 2.193.36.91:500: received Vendor ID payload [XAUTH]
Feb 21 18:29:27 firewall pluto[12165]: packet from 2.193.36.91:500: received Vendor ID payload [Dead Peer Detection]
Feb 21 18:29:27 firewall pluto[12165]: packet from 2.193.36.91:500: received Vendor ID payload [RFC 3947]
Feb 21 18:29:27 firewall pluto[12165]: packet from 2.193.36.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Feb 21 18:29:27 firewall pluto[12165]: packet from 2.193.36.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Feb 21 18:29:27 firewall pluto[12165]: packet from 2.193.36.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb 21 18:29:27 firewall pluto[12165]: packet from 2.193.36.91:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 21 18:29:27 firewall pluto[12165]: "server-laptop"[1] 2.193.36.91 #1: responding to Main Mode from unknown peer 2.193.36.91
Feb 21 18:29:28 firewall pluto[12165]: "server-laptop"[1] 2.193.36.91 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
Feb 21 18:29:28 firewall pluto[12165]: "server-laptop"[1] 2.193.36.91 #1: Peer ID is ID_FQDN: 'laptop'
Feb 21 18:29:28 firewall pluto[12165]: "server-laptop"[1] 2.193.36.91 #1: we don't have a cert
Feb 21 18:29:28 firewall pluto[12165]: | NAT-T: new mapping 2.193.36.91:500/4500)
Feb 21 18:29:28 firewall pluto[12165]: "server-laptop"[1] 2.193.36.91:4500 #1: sent MR3, ISAKMP SA established
Feb 21 18:29:28 firewall pluto[12165]: "server-laptop"[1] 2.193.36.91:4500 #2: responding to Quick Mode
Feb 21 18:29:29 firewall pluto[12165]: "server-laptop"[1] 2.193.36.91:4500 #2: IPsec SA established {ESP=>0xc2cf55a9 <0x096e16f9 NATOA=0.0.0.0}
Host A runs Debian Squeeze (strongSwan 4.4.1) while Host B runs Debian
Unstable (strongSwan 4.5.2).
Host B can't ping 192.168.1.0/24 hosts :(
Cheers,
Niccolò
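Added example (an editor's addition, not part of Niccolò's post or of strongSwan): a small Python linter that reads an iptables rule list like the one posted above and flags two IPsec pitfalls a reviewer would check first. In tunnel mode the still-unencrypted reply packet traverses the nat POSTROUTING chain before the kernel's xfrm layer encapsulates it, so a SNAT rule keyed on the LAN source address, with no preceding `-m policy --dir out --pol ipsec -j ACCEPT` exemption, rewrites traffic that should have entered the tunnel unchanged. And `-p esp` (or `-p 50`) never matches a NAT-traversal peer's traffic, because that peer's ESP arrives inside UDP/4500, so anything keyed on a mark set by an ESP match does not fire for NATed peers. The rule text inside the script is the posted ruleset retyped as a constructed sample, trimmed to the relevant lines; the function names and the `protected_subnets` parameter are this example's own. Whether either finding is the cause of the failure in this thread is not something the posted log excerpt settles.

```python
"""Lint an iptables rule list for two IPsec-specific pitfalls.

Added example, not code from the original post or from strongSwan.
SAMPLE_RULES is the poster's ruleset retyped as a constructed sample.
"""
import shlex
from dataclasses import dataclass

# Constructed sample: the posted Host A rules, trimmed to the ones that matter here.
SAMPLE_RULES = """\
iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1/0xFFFF0FFF
iptables -A INPUT -m mark --mark 1/0xFFFF0FFF -j ACCEPT
iptables -A FORWARD -m mark --mark 1/0xFFFF0FFF -j ACCEPT
iptables -A INPUT -i nas0 -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o nas0 -j SNAT --to-source 1.2.3.4
"""


@dataclass
class Rule:
    table: str
    chain: str
    args: list  # tokens after the chain name, in their original order


def parse_rules(text):
    """Turn 'iptables [-t table] -A CHAIN ...' lines into Rule objects, order preserved."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "iptables" or "-A" not in toks:
            continue
        table = toks[toks.index("-t") + 1] if "-t" in toks else "filter"
        at = toks.index("-A")
        rules.append(Rule(table, toks[at + 1], toks[at + 2:]))
    return rules


def _opt(args, flag):
    """Value following `flag`, or None if the rule does not use it."""
    return args[args.index(flag) + 1] if flag in args else None


def _has(args, *seq):
    """True if the tokens in `seq` appear consecutively in `args`."""
    n = len(seq)
    return any(tuple(args[i:i + n]) == seq for i in range(len(args) - n + 1))


def is_ipsec_out_exemption(rule):
    """'-m policy --dir out --pol ipsec -j ACCEPT': lets tunnel-bound plaintext skip later NAT rules."""
    return (_has(rule.args, "-m", "policy") and _opt(rule.args, "--dir") == "out"
            and _opt(rule.args, "--pol") == "ipsec" and _opt(rule.args, "-j") == "ACCEPT")


def check_snat_before_xfrm(rules, protected_subnets):
    """Pitfall 1: nat POSTROUTING runs on the plaintext before xfrm encapsulates it.

    A SNAT/MASQUERADE on a subnet that is also a tunnel endpoint needs the
    policy exemption *ahead* of it, otherwise replies to the peer get rewritten.
    """
    findings, exempted = [], False
    for r in rules:
        if (r.table, r.chain) != ("nat", "POSTROUTING"):
            continue
        if is_ipsec_out_exemption(r):
            exempted = True
            continue
        target, src = _opt(r.args, "-j"), _opt(r.args, "-s")
        if target in ("SNAT", "MASQUERADE") and src in protected_subnets and not exempted:
            findings.append(f"nat POSTROUTING: {target} on {src} has no preceding IPsec exemption")
    return findings


def check_esp_match_with_natt(rules):
    """Pitfall 2: a NATed peer's ESP is UDP/4500, so '-p esp' / '-p 50' never sees it."""
    return [f"{r.table} {r.chain}: '-p {_opt(r.args, '-p')}' mark rule does not see UDP/4500 (NAT-T) traffic"
            for r in rules
            if _opt(r.args, "-p") in ("esp", "50") and _opt(r.args, "-j") == "MARK"]


def lint(text, protected_subnets):
    """All findings for a rule list, given the subnets reached through the tunnel."""
    rules = parse_rules(text)
    return check_snat_before_xfrm(rules, protected_subnets) + check_esp_match_with_natt(rules)


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES, {"192.168.1.0/24"}):
        print(finding)
```

Prepending `iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT` to the sample makes the SNAT finding disappear, which is the quickest way to see what that check keys on; the exemption has to sit before the SNAT rule in the chain, since the linter, like the kernel, honours first match.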