[strongSwan] charon, NAT and installpolicy=no

Guru Shetty gurushettylists at gmail.com
Thu Nov 29 05:27:20 CET 2012


On 28 November 2012 17:34, Guru Shetty <gurushettylists at gmail.com> wrote:
> Hello All,
>  Strongswan works very well in non-NAT setups for me.
>
>  But my NAT setup does not work. The security associations get
> established fine. But when I send traffic, I get "trap not found,
> unable to acquire reqid 1" errors. I really appreciate any advice
> here. There must be a solution here that I am missing, because if I
> repeat the exact same setup with racoon, things work fine.
>
>  This is my setup:
>
> host1----------------------------NAT---------------host2
> 192.168.1.1         192.168.2.2           172.16.1.2
>
> So, the public IP of host2 (as visible by host1) is 192.168.2.2.
>
> The config of host1:
>
> config setup
>     charonstart=yes
>     plutostart=no
>
> conn %default
>         keyingtries=%forever
>         type=transport
>         installpolicy=no
>         keyexchange=ikev2
>         auto=start
>         ike=aes128gcm12-aesxcbc-modp1024
>         esp=aes128gcm12-modp1024
>
> conn remote-192.168.2.2
>         reqid=1
>         left=%any
>         authby=psk
>         right=192.168.2.2
>         rightsubnet=172.16.1.2/32
>
> setkey -D shows the following output:
> 192.168.1.1[4500] 192.168.2.2[4500]
>         esp-udp mode=tunnel spi=3279815240(0xc37e0248) reqid=1(0x00000001)
>         seq=0x00000000 replay=32 flags=0x00000000 state=mature
>         created: Nov 28 17:00:08 2012   current: Nov 28 17:03:58 2012
>         diff: 230(s)    hard: 3600(s)   soft: 2584(s)
>         last:                           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=2 pid=6330 refcnt=0
> 192.168.2.2[4500] 192.168.1.1[4500]
>         esp-udp mode=tunnel spi=3439470266(0xcd0226ba) reqid=1(0x00000001)
>         seq=0x00000000 replay=32 flags=0x00000000 state=mature
>         created: Nov 28 17:00:08 2012   current: Nov 28 17:03:58 2012
>         diff: 230(s)    hard: 3600(s)   soft: 2754(s)
>         last:                           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=0 pid=6330 refcnt=0
>
> setkey -DP shows the following output:
> 192.168.2.2[7470] 0.0.0.0/0[7471] tcp
>         fwd prio def ipsec
>         esp/transport//require
>         created: Nov 28 17:00:08 2012  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=4850 seq=1 pid=6333
>         refcnt=1
> 192.168.2.2[7470] 0.0.0.0/0[7471] tcp
>         in prio def ipsec
>         esp/transport//unique:1
>         created: Nov 28 17:00:08 2012  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=4840 seq=2 pid=6333
>         refcnt=1
> 0.0.0.0/0[7470] 192.168.2.2[7471] tcp
>         out prio def ipsec
>         esp/transport//unique:1
>         created: Nov 28 17:00:08 2012  lastused:
>         lifetime: 0(s) validtime: 0(s)
>         spid=4833 seq=3 pid=6333
>         refcnt=3
>
> Sending traffic from host1 to host2 gives me the error:
> Nov 28 17:06:27 host1 charon: 08[KNL] creating acquire job for policy
> 192.168.1.1/32[tcp/7470] === 192.168.2.2/32[tcp/7471] with reqid {1}
> Nov 28 17:06:27 host1 charon: 15[CFG] trap not found, unable to acquire reqid 1
>
> What should I be doing here to get it to work?
>
> Thanks in advance,
> Guru

It looks like if I provide the following SPD entries on host1,
I can send traffic out.
setkey -c << END
spdflush;
spdadd 0.0.0.0/0[7470] 192.168.2.2[7471] tcp -P out ipsec
           esp/tunnel/192.168.1.1[4500]-192.168.2.2[4500]/unique:1;
spdadd 192.168.2.2[7470] 0.0.0.0/0[7471] tcp -P in ipsec
           esp/tunnel/192.168.2.2[4500]-192.168.1.1[4500]/unique:1;
END

So it is probably that, in the case of racoon, when the kernel gets
traffic and sees a match in the SPD (as provided in the previous mail)
but does not see the corresponding match in the SAD, it sends a request
for the key to racoon and racoon responds back with the correct answer.
This feature is probably not implemented in strongSwan? Is my
assumption correct?

Either way, my revised SPD entry does encrypt data while going out of
the host. But it does not get decrypted when the data enters host1.

For example, the data that I receive, as seen in tcpdump, is as follows:

19:44:53.052374 IP 192.168.2.2.4500 > 192.168.1.1.4500: UDP-encap:
ESP(spi=0xc655c334,seq=0x5e), length 132

The SPD entry that I expect to be relevant is:
spdadd 192.168.2.2[7470] 0.0.0.0/0[7471] tcp -P in ipsec
           esp/tunnel/192.168.2.2[4500]-192.168.1.1[4500]/unique:1;

But it does not get decrypted. Can anyone tell me what it is that I am missing?

The corresponding SAD entry is:

192.168.2.2[4500] 192.168.1.1[4500]
	esp-udp mode=tunnel spi=3327509300(0xc655c334) reqid=1(0x00000001)
	seq=0x00000000 replay=32 flags=0x00000000 state=mature
	created: Nov 28 19:43:19 2012	current: Nov 28 19:47:48 2012
	diff: 269(s)	hard: 3600(s)	soft: 2522(s)
	last: Nov 28 19:43:20 2012	hard: 0(s)	soft: 0(s)
	current: 26900(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 269	hard: 0	soft: 0
	sadb_seq=0 pid=7550 refcnt=0

I see the same behavior if I change the SPD to act on all traffic
(instead of just tcp and specific ports).

Thanks,
Guru
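Added example (not from this post and not strongSwan code): a small Python checker that parses the `setkey -D` and `setkey -DP` output quoted above and lists the in/out policies for which no SA of matching mode, reqid and tunnel endpoints exists, which is the SPD/SAD mismatch behind the acquire and "trap not found" lines (transport-mode policies, tunnel-mode SAs). The function names parse_sad, parse_spd and unmatched are my own; the sample text is copied from the post and trimmed to the lines the parser reads.

```python
import re
# Sample setkey output copied from the post (host1), trimmed to the lines the parser reads.
SAD = """\
192.168.1.1[4500] 192.168.2.2[4500]
        esp-udp mode=tunnel spi=3279815240(0xc37e0248) reqid=1(0x00000001)
"""
SPD_ORIGINAL = """\
192.168.2.2[7470] 0.0.0.0/0[7471] tcp
        in prio def ipsec
        esp/transport//unique:1
0.0.0.0/0[7470] 192.168.2.2[7471] tcp
        out prio def ipsec
        esp/transport//unique:1
"""
SPD_REVISED = """\
0.0.0.0/0[7470] 192.168.2.2[7471] tcp
        out prio def ipsec
        esp/tunnel/192.168.1.1[4500]-192.168.2.2[4500]/unique:1
"""

def parse_sad(text):
    # One dict per SA: printed endpoints (NAT-T port included), mode and reqid.
    sas, ep = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            ep = line.split()[:2]
        elif ep and (m := re.search(r"mode=(\w+).*reqid=(\d+)", line)):
            sas.append({"src": ep[0], "dst": ep[1], "mode": m[1], "reqid": int(m[2])})
    return sas

def parse_spd(text):
    # One dict per policy: selector, direction, mode, tunnel endpoints and reqid (unique:N).
    pols = []
    for line in text.splitlines():
        if line and not line[0].isspace():
            pols.append(dict(zip(("src", "dst", "proto"), line.split()[:3])))
        elif m := re.match(r"\s*(in|out|fwd) ", line):
            pols[-1]["dir"] = m[1]
        elif "/" in line:
            _, mode, tun, level = line.strip().split("/", 3)
            rq = re.search(r"unique:(\d+)", level)
            pols[-1].update(mode=mode, tunnel=tun, reqid=int(rq[1]) if rq else None)
    return pols

def unmatched(spd_text, sad_text):
    # in/out policies with no SA of matching mode, reqid and (tunnel) endpoints: these raise acquires.
    sas = parse_sad(sad_text)
    def ok(p, s):
        return (s["mode"] == p["mode"] and p["reqid"] in (None, s["reqid"])
                and (p["mode"] != "tunnel" or p["tunnel"] == f"{s['src']}-{s['dst']}"))
    return [f"{p['dir']} {p['src']} -> {p['dst']} ({p['mode']})"
            for p in parse_spd(spd_text) if p["dir"] != "fwd" and not any(ok(p, s) for s in sas)]
```

Run against the original policies it reports both transport-mode entries; against the revised tunnel-mode out entry it reports nothing, because the SA's endpoints and reqid line up.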
