[strongSwan] charon, NAT and installpolicy=no

Guru Shetty gurushettylists at gmail.com
Thu Nov 29 02:34:51 CET 2012


Hello All,
strongSwan works very well in non-NAT setups for me.

But my NAT setup does not work. The security associations get
established fine. But when I send traffic, I get "trap not found,
unable to acquire reqid 1" errors. I really appreciate any advice
here. There must be a solution here that I am missing, because if I
repeat the exact same setup with racoon, things work fine.

This is my setup:

host1----------------------------NAT---------------host2
192.168.1.1         192.168.2.2           172.16.1.2

So, the public IP of host2 (as visible by host1) is 192.168.2.2.

The config of host1:

config setup
    charonstart=yes
    plutostart=no

conn %default
        keyingtries=%forever
        type=transport
        installpolicy=no
        keyexchange=ikev2
        auto=start
        ike=aes128gcm12-aesxcbc-modp1024
        esp=aes128gcm12-modp1024

conn remote-192.168.2.2
        reqid=1
        left=%any
        authby=psk
        right=192.168.2.2
        rightsubnet=172.16.1.2/32

setkey -D shows the following output:
192.168.1.1[4500] 192.168.2.2[4500]
	esp-udp mode=tunnel spi=3279815240(0xc37e0248) reqid=1(0x00000001)
	seq=0x00000000 replay=32 flags=0x00000000 state=mature
	created: Nov 28 17:00:08 2012	current: Nov 28 17:03:58 2012
	diff: 230(s)	hard: 3600(s)	soft: 2584(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=2 pid=6330 refcnt=0
192.168.2.2[4500] 192.168.1.1[4500]
	esp-udp mode=tunnel spi=3439470266(0xcd0226ba) reqid=1(0x00000001)
	seq=0x00000000 replay=32 flags=0x00000000 state=mature
	created: Nov 28 17:00:08 2012	current: Nov 28 17:03:58 2012
	diff: 230(s)	hard: 3600(s)	soft: 2754(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=6330 refcnt=0

setkey -DP shows the following output:
192.168.2.2[7470] 0.0.0.0/0[7471] tcp
        fwd prio def ipsec
        esp/transport//require
        created: Nov 28 17:00:08 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=4850 seq=1 pid=6333
        refcnt=1
192.168.2.2[7470] 0.0.0.0/0[7471] tcp
        in prio def ipsec
        esp/transport//unique:1
        created: Nov 28 17:00:08 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=4840 seq=2 pid=6333
        refcnt=1
0.0.0.0/0[7470] 192.168.2.2[7471] tcp
        out prio def ipsec
        esp/transport//unique:1
        created: Nov 28 17:00:08 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=4833 seq=3 pid=6333
        refcnt=3

Sending traffic from host1 to host2 gives me the error:
Nov 28 17:06:27 host1 charon: 08[KNL] creating acquire job for policy
192.168.1.1/32[tcp/7470] === 192.168.2.2/32[tcp/7471] with reqid {1}
Nov 28 17:06:27 host1 charon: 15[CFG] trap not found, unable to acquire reqid 1

What should I be doing here to get it to work?

Thanks in advance,
Guru
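To make the two dumps in the post easier to compare, here is a small checker, added as an example; it is not code from the post or from strongSwan. It parses setkey -D and setkey -DP output (the copies embedded below are abbreviated from the post), pairs each policy whose level is unique:N with the SAs carrying reqid N, and flags pinned reqids that have no SA, policy/SA pairs whose modes differ (the policies above are esp/transport while both SAs show mode=tunnel), and SAs that have carried no bytes. The record layout it assumes is the one printed in the post; other setkey versions may format fields differently.

```python
"""Cross-check a setkey -D dump (SAD) against a setkey -DP dump (SPD).

Added example, not code from the post or from strongSwan. For every policy
pinned to a reqid (level unique:N) it checks that an SA with that reqid
exists and has the same mode, and lists SAs that have carried no bytes.
"""
import re

# Abbreviated copy of the setkey -D output from the post (seq/lifetime
# lines dropped; the checks below do not need them).
SAD_TEXT = """\
192.168.1.1[4500] 192.168.2.2[4500]
    esp-udp mode=tunnel spi=3279815240(0xc37e0248) reqid=1(0x00000001)
    current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
192.168.2.2[4500] 192.168.1.1[4500]
    esp-udp mode=tunnel spi=3439470266(0xcd0226ba) reqid=1(0x00000001)
    current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
"""

# Abbreviated copy of the setkey -DP output from the post.
SPD_TEXT = """\
192.168.2.2[7470] 0.0.0.0/0[7471] tcp
        fwd prio def ipsec
        esp/transport//require
        spid=4850 seq=1 pid=6333
192.168.2.2[7470] 0.0.0.0/0[7471] tcp
        in prio def ipsec
        esp/transport//unique:1
        spid=4840 seq=2 pid=6333
0.0.0.0/0[7470] 192.168.2.2[7471] tcp
        out prio def ipsec
        esp/transport//unique:1
        spid=4833 seq=3 pid=6333
"""

SA_RE = re.compile(r"(\S+) mode=(\w+) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")
SA_BYTES = re.compile(r"^\s*current:\s+(\d+)\(bytes\)", re.M)
POL_DIR = re.compile(r"^\s*(in|out|fwd)\s+prio\b", re.M)
# <proto>/<mode>/<src-dst, empty in transport mode>/<level>, e.g. esp/transport//unique:1
POL_REQ = re.compile(r"^\s*(esp|ah|ipcomp)/(transport|tunnel)/[^/\n]*/(\w+(?::\d+)?)", re.M)
POL_SPID = re.compile(r"^\s*spid=(\d+)", re.M)


def blocks(text):
    """Split a setkey dump into (header tokens, indented body) pairs."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():        # an unindented "src dst ..." line opens an entry
            out.append((line.split(), []))
        elif out:
            out[-1][1].append(line)
    return [(hdr, "\n".join(body)) for hdr, body in out]


def parse_sad(text):
    """One dict per SA: src, dst, proto, mode, spi, reqid, bytes."""
    sas = []
    for hdr, body in blocks(text):
        m = SA_RE.search(body)
        if not m:
            continue
        by = SA_BYTES.search(body)
        sas.append({"src": hdr[0], "dst": hdr[1], "proto": m.group(1), "mode": m.group(2),
                    "spi": int(m.group(3)), "reqid": int(m.group(4)),
                    "bytes": int(by.group(1)) if by else 0})
    return sas


def parse_spd(text):
    """One dict per policy: src, dst, upper, dir, proto, mode, level, reqid, spid."""
    pols = []
    for hdr, body in blocks(text):
        d, r, s = POL_DIR.search(body), POL_REQ.search(body), POL_SPID.search(body)
        if not (d and r):
            continue
        level = r.group(3)
        pols.append({"src": hdr[0], "dst": hdr[1], "upper": hdr[2] if len(hdr) > 2 else "any",
                     "dir": d.group(1), "proto": r.group(1), "mode": r.group(2), "level": level,
                     # unique:N ties the policy to reqid N; require/use accept any SA
                     "reqid": int(level.split(":", 1)[1]) if level.startswith("unique:") else None,
                     "spid": int(s.group(1)) if s else 0})
    return pols


def cross_check(sas, pols):
    """Report spids, (spid, spi) pairs and spis that fail each consistency check."""
    by_reqid = {}
    for sa in sas:
        by_reqid.setdefault(sa["reqid"], []).append(sa)
    report = {"unpinned": [], "missing_sa": [], "mode_mismatch": [], "idle_sa": []}
    for p in pols:
        if p["reqid"] is None:
            report["unpinned"].append(p["spid"])
            continue
        matches = by_reqid.get(p["reqid"], [])
        if not matches:                  # traffic hitting this policy can only raise an acquire
            report["missing_sa"].append(p["spid"])
        for sa in matches:
            if sa["mode"] != p["mode"]:  # a policy template only matches SAs of its own mode
                report["mode_mismatch"].append((p["spid"], sa["spi"]))
    for sa in sas:
        if sa["bytes"] == 0:             # installed but never used by any packet
            report["idle_sa"].append(sa["spi"])
    return report


if __name__ == "__main__":
    print(cross_check(parse_sad(SAD_TEXT), parse_spd(SPD_TEXT)))
```

Run as a script it prints the report for the embedded dumps; on a live host, pass the output of `setkey -D` and `setkey -DP` to parse_sad and parse_spd instead. An empty mode_mismatch and missing_sa list with non-zero byte counters is what a working transport-mode setup should show.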