[strongSwan] nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797, 50.1.1.228:1797]
SaRaVanAn
saravanan.nagarajan87 at gmail.com
Fri Mar 30 15:01:17 CEST 2012
Hi,
It seems that dynamic update of the other end's IP address in NAT traversal
is not supported in strongSwan.
According to RFC 4306, it should be supported as part of NAT traversal.
Please find below the topology and the issue I am facing.
Cisco VPN client ------------ Router1 ------------------------------- VPN Server (strongSwan)
20.1.1.1                 20.1.1.2   50.1.1.226 (eth1)                  50.1.1.227
Iptables
++++++
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
I have established a VPN connection between the VPN client and the VPN server with
the NATed IP 50.1.1.226 to 50.1.1.227.
After some time, the eth1 interface IP address of router 1 changed to 50.1.1.228,
and the tunnel gets disturbed, throwing the following error.
Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:09 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:14 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:19 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Does strongSwan plan to implement the dynamic IP address update feature
in NAT-T?
/etc/ipsec.conf
++++++++++++
ca vpnca
    cacert=caCert.pem
    #crluri=crl.pem
    auto=add

config setup
    plutostart=yes
    #plutodebug=control
    charonstart=no
    charondebug="net 0"
    nat_traversal=yes
    crlcheckinterval=10m
    strictcrlpolicy=no

conn %default
    ikelifetime=60m
    keylife=20m
    keyexchange=ikev1
    rekeymargin=3m
    keyingtries=1
    #leftupdown="sudo -E ipsec _updown"

# Add connections here.
conn cisco-vpn
    type=tunnel
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1!
    #keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    rekeymargin=3m
    keyingtries=1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    #leftsubnetwithin=10.3.1.1/24
    leftcert=dutCert.pem
    leftid="C=CH, O=strongSwan, CN=strongswan"
    right=%any
    #rightsourceip=%abcd
    leftfirewall=yes
    rightsourceip=30.1.1.1/24
    #rightsubnet=30.1.1.1/24
    pfs=no
    authby=xauthrsasig
    xauth=server
ipsec.secrets
+++++++++++
: RSA dutKey.pem
tester : XAUTH "tester"
Regards,
Saravanan N
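Monitoring-side example added by the editor; it is not code from the post and not part of strongSwan. It parses pluto log lines like the ones quoted in the message (pluto being the IKEv1 daemon the config enables with plutostart=yes and keyexchange=ikev1) and correlates each rejected NAT mapping change with its follow-on symptoms: packets from the peer's new mapping being dropped as "unknown (expired?) SA", and ICMP errors for traffic the server still sends to the old mapping. The sample lines are copied from the post (rewrapped one entry per line); the regexes, field names and the correlation heuristic are the editor's assumptions, not anything strongSwan ships.

```python
import re

# Sample pluto syslog lines, copied from the original post (one entry per line).
SAMPLE_LOG = """\
Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
"""

# Regexes are the editor's assumptions about pluto's message layout,
# derived only from the lines quoted in the post.
MAPPING_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): '
    r'nat_traversal_new_mapping: address change currently not supported '
    r'\[(?P<old>[^,\]]+),(?P<new>[^\]]+)\]'
)
UNKNOWN_SA_RE = re.compile(
    r'pluto\[\d+\]: packet from (?P<src>\S+): '
    r'Informational Exchange is for an unknown \(expired\?\) SA'
)
NET_ERR_RE = re.compile(
    r'pluto\[\d+\]: ERROR: asynchronous network error report on (?P<iface>\S+) '
    r'for message to (?P<dst>\S+) port (?P<port>\d+), complainant (?P<reporter>\S+): '
    r'(?P<reason>[^\[]+)'
)


def parse_events(log_text):
    """Turn raw pluto syslog lines into a list of typed event dicts."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts = line[:15]  # syslog timestamp, e.g. "Mar 30 14:52:54"
        m = MAPPING_RE.search(line)
        if m:
            d = {k: v.strip() for k, v in m.groupdict().items()}
            events.append({"ts": ts, "type": "mapping_change", **d})
            continue
        m = UNKNOWN_SA_RE.search(line)
        if m:
            events.append({"ts": ts, "type": "unknown_sa", **m.groupdict()})
            continue
        m = NET_ERR_RE.search(line)
        if m:
            d = {k: v.strip() for k, v in m.groupdict().items()}
            events.append({"ts": ts, "type": "net_error", **d})
    return events


def correlate(events):
    """Tie each rejected NAT mapping change to the symptoms that follow it.

    After pluto refuses to move SA #n from `old` to `new`, the peer keeps
    sending from `new` (dropped as unknown SA) while the server keeps sending
    to `old` (now unreachable, hence the ICMP error reports).
    """
    findings = {}
    for ev in events:
        if ev["type"] == "mapping_change":
            key = (ev["conn"], ev["sa"], ev["old"], ev["new"])
            f = findings.setdefault(key, {
                "conn": ev["conn"], "sa": ev["sa"],
                "old": ev["old"], "new": ev["new"],
                "first_seen": ev["ts"], "rejections": 0,
                "unknown_sa_from_new": 0, "net_errors_to_old": 0,
            })
            f["rejections"] += 1
        elif ev["type"] == "unknown_sa":
            for f in findings.values():
                if ev["src"] == f["new"]:
                    f["unknown_sa_from_new"] += 1
        elif ev["type"] == "net_error":
            dst = f"{ev['dst']}:{ev['port']}"
            for f in findings.values():
                if dst == f["old"]:
                    f["net_errors_to_old"] += 1
    return list(findings.values())


def report(findings):
    """Render findings as one operator-readable line each."""
    return [
        f"{f['first_seen']} conn {f['conn']} SA #{f['sa']}: peer NAT mapping "
        f"moved {f['old']} -> {f['new']} (rejected {f['rejections']}x); "
        f"{f['unknown_sa_from_new']} unknown-SA packets from new mapping, "
        f"{f['net_errors_to_old']} ICMP errors for old mapping"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(correlate(parse_events(SAMPLE_LOG))):
        print(line)
```

Feed it `journalctl`/syslog output for the strongSwan host instead of SAMPLE_LOG to get one summary line per orphaned SA; a finding with a non-zero `unknown_sa_from_new` count is the signature of a tunnel that the peer still believes is up but the server can no longer match to its NAT mapping, which is exactly the state the quoted log shows.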