[strongSwan] nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797, 50.1.1.228:1797]

Andreas Steffen andreas.steffen at strongswan.org
Fri Mar 30 15:10:44 CEST 2012


Hello,

RFC 4306 defines IKEv2 whereas you are using the obsoleted IKEv1
protocol. IKEv1 does not support the update of NAT ports whereas
our IKEv2 charon daemon does.

Regards

Andreas

On 03/30/2012 03:01 PM, SaRaVanAn wrote:
> Hi,
> It seems dynamic update of the other end's IP address in NAT
> traversal is not supported in StrongSwan.
> According to rfc4306, it should be supported as part of NAT traversal.
> Please find the topology and the issue I'm facing below.
> 
> 
> Cisco
> VPN client -------------- Router1 -------------------------------------
> VPN Sever(Strongswan)
> 
> 20.1.1.1           20.1.1.2        50.1.1.226                    50.1.1.227
>                                             (eth1)
> Iptables
> ++++++
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> 
> I have established a VPN connection between the VPN client and the VPN server
> with the NATed IP 50.1.1.226 to 50.1.1.227.
> After some time, the eth1 interface IP address of router 1 changed to
> 50.1.1.228, and the tunnel got disturbed, throwing the following error.
> 
> 
> Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
> Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
> Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
> Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
> Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
> Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
> Mar 30 14:53:09 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
> Mar 30 14:53:14 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
> Mar 30 14:53:19 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
> 
> Does Strongswan plan to implement a dynamic IP address update
> feature in NAT-T?
> 
> 
> 
> /etc/ipsec.conf
> ++++++++++++
> ca vpnca
>           cacert=caCert.pem
>           #crluri=crl.pem
>           auto=add
> 
> config setup
>           plutostart=yes
>           #plutodebug=control
>           charonstart=no
>           charondebug="net 0"
>           nat_traversal=yes
>           crlcheckinterval=10m
>           strictcrlpolicy=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         keyexchange=ikev1
>         rekeymargin=3m
>         keyingtries=1
>         #leftupdown="sudo -E ipsec _updown"
> 
> # Add connections here.
> conn cisco-vpn
>           type=tunnel
>           ike=aes256-sha1-modp1536!
>           esp=aes256-sha1!
>           #keyexchange=ikev2
>           dpdaction=clear
>           dpddelay=300s
>           rekeymargin=3m
>           keyingtries=1
>           left=%defaultroute
>           leftsubnet=0.0.0.0/0
>           #leftsubnetwithin=10.3.1.1/24
>           leftcert=dutCert.pem
>           leftid="C=CH, O=strongSwan, CN=strongswan"
>           right=%any
>           #rightsourceip=%abcd
>           leftfirewall=yes
>           rightsourceip=30.1.1.1/24
>           #rightsubnet=30.1.1.1/24
>           pfs=no
>           authby=xauthrsasig
>           xauth=server
> 
> 
> ipsec.secrets
> +++++++++++
> : RSA dutKey.pem
> tester : XAUTH "tester"
> 
> 
> Regards,
> Saravanan N
> 
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
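The log excerpt above shows the two signatures an operator would want to alert on when an IKEv1 peer sits behind a NAT whose public address changes: pluto's `nat_traversal_new_mapping: address change currently not supported` rejection, followed by packets from the new address that match no SA. The following is an added detection example, not code from strongSwan or from either poster; it parses syslog lines in the format quoted in the thread (the sample input is constructed from those lines, with the archive's link residue removed), groups the rejections per connection and SA, and counts the orphaned packets that arrive from the new mapping afterwards.

```python
"""Detect rejected IKEv1 NAT mapping changes, and the orphaned traffic that
follows, from pluto syslog lines.  Added example, not strongSwan code."""
import re
from dataclasses import dataclass

# Constructed sample built from the pluto log lines quoted in the thread
# (archive link residue removed).  The hostname "uxcasxxx" is the poster's.
SAMPLE_LOG = """\
Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17: nat_traversal_new_mapping: address change currently not supported [50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797: Informational Exchange is for an unknown (expired?) SA
"""

# Common syslog prefix: "Mar 30 14:52:54 <host> pluto[<pid>]: "
SYSLOG_PREFIX = r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '

# Rejection of a NAT mapping change on an existing IKEv1 SA, with old/new pair.
MAPPING_RE = re.compile(
    SYSLOG_PREFIX
    + r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+): '
    + r'nat_traversal_new_mapping: address change currently not supported '
    + r'\[(?P<old>[\d.]+:\d+),(?P<new>[\d.]+:\d+)\]$'
)

# A packet that arrived but could not be matched to any SA.
UNKNOWN_SA_RE = re.compile(
    SYSLOG_PREFIX
    + r'packet from (?P<src>[\d.]+:\d+): '
    + r'Informational Exchange is for an unknown \(expired\?\) SA$'
)


@dataclass
class MappingChange:
    """One NAT mapping change that pluto rejected for a given IKEv1 SA."""
    conn: str
    sa: int
    old: str
    new: str
    first_seen: str
    count: int = 0            # how many times pluto logged the rejection
    orphan_packets: int = 0   # later packets from the new address matching no SA


def analyze(log_text: str) -> list[MappingChange]:
    """Group mapping-change rejections per (conn, SA) and attribute later
    unknown-SA packets from the new address to them."""
    changes: dict[tuple[str, int], MappingChange] = {}
    for line in log_text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            key = (m['conn'], int(m['sa']))
            change = changes.setdefault(key, MappingChange(
                conn=m['conn'], sa=int(m['sa']), old=m['old'],
                new=m['new'], first_seen=m['ts']))
            change.count += 1
            continue
        u = UNKNOWN_SA_RE.match(line)
        if u:
            # The peer keeps talking from its new mapping; pluto drops it.
            for change in changes.values():
                if change.new == u['src']:
                    change.orphan_packets += 1
    return list(changes.values())


def summarize(changes: list[MappingChange]) -> list[str]:
    """Operator-facing alert text, one line per affected SA."""
    return [
        f'{c.first_seen} conn "{c.conn}" SA #{c.sa}: peer NAT mapping moved '
        f'{c.old} -> {c.new}; rejected {c.count}x (IKEv1 cannot update the '
        f'mapping); {c.orphan_packets} packet(s) from the new address matched no SA'
        for c in changes
    ]


if __name__ == '__main__':
    for alert in summarize(analyze(SAMPLE_LOG)):
        print(alert)
```

An alert of this shape tells the operator that the tunnel will not recover on its own until it is re-established, which is the practical consequence of the IKEv1 limitation Andreas describes; the ICMP "No route to host" errors in the same excerpt are deliberately not matched, since they only report the old mapping going dead.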