[strongSwan] Header verification failed and NAT mapping changed

Kim Zeitler Kim.Zeitler at konzept-is.de
Mon Mar 19 11:59:53 CET 2012


Hello,

we are trying to have a net-2-net-2-net setup running here.
Sadly one of the two connections shows a distinct unreliability.

+------+    +------------+                   +--------+    +-------+
| moon | -- | NAT GW     | -----{ WAN }----- | NAT GW | -- | earth |
|      |    | w statc IP |         |         | dyn IP |    |       |
+------+    +------------+         |         +--------+    +-------+
                                   |
                           +---------------+
                           |  sun          |
                           | static, no NAT|
                           +---------------+

moon and earth are both connected to and via sun. no direct connection
between moon and earth exists.

On our IPSec GW moon we can see following message repeatedly in our log
files:
------------------------
Mar 19 11:02:45 moon charon: 14[NET] sending packet: from
192.168.2.17[4500] to sun[500]
Mar 19 11:02:46 moon charon: 01[KNL] NAT mappings of ESP CHILD_SA
with SPI c2aa0995 and reqid {804} changed, queuing update job
------------------------

On the GW sun:
------------------------
Mar 19 11:04:59 sun charon: 09[ENC] header verification failed
Mar 19 11:04:59 sun charon: 09[NET] received invalid IKE header from
moon - ignored
------------------------
-> searching the mailing list revealed that this shouldn't happen and
seems to be *very* bad.

The connection between sun and earth shows no errors and is reported to
be stable.


---------------------- moon-ipsec.conf ----------------------
config setup
    crlcheckinterval=600
    strictcrlpolicy=no
    cachecrls=yes
    charonstart=yes
    plutostart=no

# Add connections here.

conn %default
    ikelifetime=60m
    keylife=20m
    rekey=yes
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    mobike=no

conn moon-sun
    left=%defaultroute
    leftcert=moonCert.pem
    leftsubnet=172.17.0.0/16
    leftfirewall=yes
    lefthostaccess=yes
    right=sun
    rightid=@sun
    rightsubnet=172.16.0.0/16,172.18.0.0/16,172.30.0.0/24
    auto=start

---------------------- sun-ipsec.conf ----------------------
config setup
    charonstart=yes
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    left=sun
    leftfirewall=yes

conn moon
    rekey=yes
    keyingtries=3
    leftsubnet=172.16.0.0/16,172.18.0.0/16,172.30.0.0/24
    leftcert=sunCert.pem
    leftid=@sun
    lefthostaccess=yes
    right=moon
    rightid="...CN=moon"
    rightsubnet=172.17.0.0/16
    auto=route
    mobike=no


Moon is running: Linux strongSwan U4.5.0/K2.6.37.6-0.5-desktop
Sun is running:  Linux strongSwan U4.2.8/K2.6.27.7-9-pae


Thank you for any help and pointers.

Kim Zeitler
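
The following is an added example, not code from Kim's post and not strongSwan's own header check. It shows what a receiver has to verify in the fixed IKEv2 header (RFC 5996 layout: initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length) and how the 4-byte non-ESP marker that RFC 3948 puts in front of IKE packets on UDP port 4500 changes the picture. The moon log above shows a packet leaving port 4500 towards sun's port 500; the example demonstrates what such a marker-prefixed datagram looks like to a parser that expects a plain port-500 packet, without claiming that this is the cause of the errors in the post. The list of checks is a simplified approximation of what an IKE daemon does, and the sample packet and SPI values are constructed for the example.

```python
import struct

# RFC 3948: IKE packets sent over UDP 4500 are prefixed with four zero bytes so the
# receiver can tell them apart from UDP-encapsulated ESP (whose first word is a SPI).
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_LEN = 28                      # fixed IKEv2 header, RFC 5996 section 3.1
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 34, 35, 36, 37
FLAG_INITIATOR, FLAG_VERSION, FLAG_RESPONSE = 0x08, 0x10, 0x20
NEXT_PAYLOAD_SA = 33


class HeaderVerificationError(ValueError):
    """Raised when the fixed IKE header is not acceptable (simplified check list)."""


def parse_ikev2_header(datagram: bytes, dst_port: int) -> dict:
    """Parse and verify the fixed IKEv2 header of a UDP datagram.

    On port 4500 the datagram must start with the non-ESP marker, which is stripped
    before parsing; on port 500 no marker is expected.  The checks approximate what
    an IKE daemon verifies before it trusts the header; they are not charon's code.
    """
    if dst_port == 4500:
        if len(datagram) < len(NON_ESP_MARKER):
            raise HeaderVerificationError("datagram too short for non-ESP marker")
        if datagram[:4] != NON_ESP_MARKER:
            # A non-zero first word on port 4500 is an ESP SPI, i.e. this is not IKE at all.
            raise HeaderVerificationError("not IKE: first word is an ESP SPI")
        body = datagram[4:]
    else:
        body = datagram
    if len(body) < IKE_HEADER_LEN:
        raise HeaderVerificationError("datagram shorter than IKE header")
    spi_i, spi_r, next_payload, version, exchange, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", body[:IKE_HEADER_LEN])
    major = version >> 4
    if major != 2:
        raise HeaderVerificationError(f"unsupported major version {major}")
    if exchange not in (IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL):
        raise HeaderVerificationError(f"unknown exchange type {exchange}")
    if length != len(body):
        raise HeaderVerificationError(f"length field {length} != datagram length {len(body)}")
    if spi_i == 0:
        raise HeaderVerificationError("initiator SPI must not be zero")
    is_request = not (flags & FLAG_RESPONSE)
    if exchange == IKE_SA_INIT and is_request and spi_r != 0:
        raise HeaderVerificationError("IKE_SA_INIT request must carry a zero responder SPI")
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": next_payload,
            "major": major, "minor": version & 0x0F, "exchange_type": exchange,
            "flags": flags, "message_id": msg_id, "length": length}


def build_ike_sa_init_request(spi_i: int, payload: bytes, nat_t: bool) -> bytes:
    """Build a constructed IKE_SA_INIT request; nat_t=True adds the port-4500 marker."""
    header = struct.pack("!QQBBBBII", spi_i, 0, NEXT_PAYLOAD_SA, 0x20, IKE_SA_INIT,
                         FLAG_INITIATOR, 0, IKE_HEADER_LEN + len(payload))
    return (NON_ESP_MARKER if nat_t else b"") + header + payload


def verify(datagram: bytes, dst_port: int) -> str:
    """Return 'ok' or a 'header verification failed: <reason>' string for a datagram."""
    try:
        parse_ikev2_header(datagram, dst_port)
        return "ok"
    except HeaderVerificationError as err:
        return f"header verification failed: {err}"


if __name__ == "__main__":
    # Constructed sample: a NAT-T encapsulated IKE_SA_INIT request with a 16-byte dummy payload.
    pkt = build_ike_sa_init_request(0x1122334455667788, b"\x21" * 16, nat_t=True)
    print("port 4500:", verify(pkt, 4500))   # ok
    # The same bytes read as a plain port-500 packet: the marker shifts every field by
    # four bytes, so the version byte is read from inside the (zero) responder SPI.
    print("port 500: ", verify(pkt, 500))
```

Running the script shows the same datagram verifying cleanly when the marker is accounted for and being rejected with a version error when it is not; a receiver that logs the rejection but cannot say which port the sender believed it was using gives exactly the kind of message quoted from sun above, which is why correlating the sender's `from ...[4500] to ...[500]` line with the receiver's error is the useful first step when debugging NAT-T problems.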




More information about the Users mailing list