[strongSwan] charon, NAT and installpolicy=no

Guru Shetty gurushettylists at gmail.com
Fri Nov 30 22:53:06 CET 2012


After trial and error, I see that I can send traffic from host1 to
host2, if I use the private IP address of host2 for SPD entries and
also as a destination for the traffic. My ipsec.conf remains the same
as written in the first mail.

In host1, my SPD entry is changed to (I use the private IP 172.16.1.2
instead of public IP 192.168.2.2):
192.168.1.1[any] 172.16.1.2[any] 255
        fwd prio def ipsec
        esp/tunnel/192.168.1.1-172.16.1.2/require
        created: Nov 30 12:11:23 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5986 seq=1 pid=12684
        refcnt=1
192.168.1.1[any] 172.16.1.2[any] 255
        in prio def ipsec
        esp/tunnel/192.168.1.1-172.16.1.2/unique:1
        created: Nov 30 12:11:23 2012  lastused: Nov 30 13:09:31 2012
        lifetime: 0(s) validtime: 0(s)
        spid=5976 seq=2 pid=12684
        refcnt=3
172.16.1.2[any] 192.168.1.1[any] 255
        out prio def ipsec
        esp/tunnel/172.16.1.2-192.168.1.1/unique:1
        created: Nov 30 12:11:23 2012  lastused: Nov 30 13:09:18 2012
        lifetime: 0(s) validtime: 0(s)
        spid=5969 seq=3 pid=12684
        refcnt=4


And host1 can now ping host2's private IP address, i.e., 172.16.1.2.

This is confusing to me. I think I have ended up creating a
road-warrior setup with NAT involved instead of a host-host + NAT
setup. Looking through the different configuration setups in the
strongswan.org website, I see that there is no example of host-host
connection with a NAT in between. Is this not a supported
configuration?

Thanks,
Guru

On 28 November 2012 20:27, Guru Shetty <gurushettylists at gmail.com> wrote:
> On 28 November 2012 17:34, Guru Shetty <gurushettylists at gmail.com> wrote:
>> Hello All,
>>  Strongswan works very well in non-NAT setups for me.
>>
>>  But my NAT setup does not work. The security associations get
>> established fine. But when I send traffic, I get "trap not found,
>> unable to acquire reqid 1" errors. I really appreciate any advice
>> here. There must be a solution here that I am missing, because if I
>> repeat the exact same setup with racoon, things work fine.
>>
>>  This is my setup:
>>
>> host1----------------------------NAT---------------host2
>> 192.168.1.1         192.168.2.2           172.16.1.2
>>
>> So, the public IP of host2 (as visible by host1) is 192.168.2.2.
>>
>> The config of host1:
>>
>> config setup
>>     charonstart=yes
>>     plutostart=no
>>
>> conn %default
>>         keyingtries=%forever
>>         type=transport
>>         installpolicy=no
>>         keyexchange=ikev2
>>         auto=start
>>         ike=aes128gcm12-aesxcbc-modp1024
>>         esp=aes128gcm12-modp1024
>>
>> conn remote-192.168.2.2
>>         reqid=1
>>         left=%any
>>         authby=psk
>>         right=192.168.2.2
>>         rightsubnet=172.16.1.2/32
>>
>> setkey -D: Shows the following o/p:
>> 192.168.1.1[4500] 192.168.2.2[4500]
>>         esp-udp mode=tunnel spi=3279815240(0xc37e0248) reqid=1(0x00000001)
>>         seq=0x00000000 replay=32 flags=0x00000000 state=mature
>>         created: Nov 28 17:00:08 2012   current: Nov 28 17:03:58 2012
>>         diff: 230(s)    hard: 3600(s)   soft: 2584(s)
>>         last:                           hard: 0(s)      soft: 0(s)
>>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>>         allocated: 0    hard: 0 soft: 0
>>         sadb_seq=2 pid=6330 refcnt=0
>> 192.168.2.2[4500] 192.168.1.1[4500]
>>         esp-udp mode=tunnel spi=3439470266(0xcd0226ba) reqid=1(0x00000001)
>>         seq=0x00000000 replay=32 flags=0x00000000 state=mature
>>         created: Nov 28 17:00:08 2012   current: Nov 28 17:03:58 2012
>>         diff: 230(s)    hard: 3600(s)   soft: 2754(s)
>>         last:                           hard: 0(s)      soft: 0(s)
>>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>>         allocated: 0    hard: 0 soft: 0
>>         sadb_seq=0 pid=6330 refcnt=0
>>
>> setkey -DP: Shows the following o/p
>> 192.168.2.2[7470] 0.0.0.0/0[7471] tcp
>>         fwd prio def ipsec
>>         esp/transport//require
>>         created: Nov 28 17:00:08 2012  lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=4850 seq=1 pid=6333
>>         refcnt=1
>> 192.168.2.2[7470] 0.0.0.0/0[7471] tcp
>>         in prio def ipsec
>>         esp/transport//unique:1
>>         created: Nov 28 17:00:08 2012  lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=4840 seq=2 pid=6333
>>         refcnt=1
>> 0.0.0.0/0[7470] 192.168.2.2[7471] tcp
>>         out prio def ipsec
>>         esp/transport//unique:1
>>         created: Nov 28 17:00:08 2012  lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=4833 seq=3 pid=6333
>>         refcnt=3
>>
>> Sending traffic from host1 to host2 gives me the error:
>> Nov 28 17:06:27 host1 charon: 08[KNL] creating acquire job for policy
>> 192.168.1.1/32[tcp/7470] === 192.168.2.2/32[tcp/7471] with reqid {1}
>> Nov 28 17:06:27 host1 charon: 15[CFG] trap not found, unable to acquire reqid 1
>>
>> What should I be doing here to get it to work?
>>
>> Thanks in advance,
>> Guru
>
> It looks like if I provide the following spd entries in host1,
> I can send traffic out.
> setkey -c << END
> spdflush;
> spdadd 0.0.0.0/0[7470] 192.168.2.2[7471] tcp -P out ipsec
>            esp/tunnel/192.168.1.1[4500]-192.168.2.2[4500]/unique:1;
> spdadd 192.168.2.2[7470] 0.0.0.0/0[7471] tcp -P in ipsec
>            esp/tunnel/192.168.2.2[4500]-192.168.1.1[4500]/unique:1;
> END
>
> So it is probably that in case of racoon when the kernel gets
> traffic and it sees a match in SPD (as provided in previous mail) and
> does not see the corresponding match in SAD, it sends a request for
> the key to racoon and racoon responds with the correct answer. This
> feature is probably not implemented in strongswan? Is my assumption
> correct?
>
> Either way, my revised SPD entry does encrypt data while going out of
> the host. But it does not get decrypted when the data enters host1.
>
> Example, the data that I receive is as follows as seen in the tcpdump:
>
> 19:44:53.052374 IP 192.168.2.2.4500 > 192.168.1.1.4500: UDP-encap:
> ESP(spi=0xc655c334,seq=0x5e), length 132
>
> The SPD entry that I expect to be relevant is:
> spdadd 192.168.2.2[7470] 0.0.0.0/0[7471] tcp -P in ipsec
>            esp/tunnel/192.168.2.2[4500]-192.168.1.1[4500]/unique:1;
>
> But it does not get decrypted. Can anyone tell me what is it that I am missing?
>
> The corresponding SAD entry is:
>
> 192.168.2.2[4500] 192.168.1.1[4500]
>         esp-udp mode=tunnel spi=3327509300(0xc655c334) reqid=1(0x00000001)
>         seq=0x00000000 replay=32 flags=0x00000000 state=mature
>         created: Nov 28 19:43:19 2012   current: Nov 28 19:47:48 2012
>         diff: 269(s)    hard: 3600(s)   soft: 2522(s)
>         last: Nov 28 19:43:20 2012      hard: 0(s)      soft: 0(s)
>         current: 26900(bytes)   hard: 0(bytes)  soft: 0(bytes)
>         allocated: 269  hard: 0 soft: 0
>         sadb_seq=0 pid=7550 refcnt=0
>
> I see the same behavior if I change the SPD to act on all traffic
> (instead of just tcp and specific ports).
>
> Thanks,
> Guru

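The thread above turns on one mechanical point: with installpolicy=no, charon never writes SPD entries, so whatever is typed with setkey has to agree with the SAs that IKE negotiated, or the kernel raises an acquire and charon answers "trap not found". The first mail shows transport-mode policies (esp/transport//unique:1) next to tunnel-mode SAs (mode=tunnel, reqid=1); the revised spdadd lines name tunnel mode and the SA endpoints, and traffic starts flowing. The script below is an added diagnostic, not strongSwan code and not from the thread: it parses setkey -D and setkey -DP output, then applies the same matching rules the kernel does (protocol, mode, tunnel endpoints or transport addresses, and the reqid demanded by unique:N) and reports which policy has no serving SA. The function names and the sample SAD/SPD texts are my own, constructed from the outputs quoted in the mails.

```python
"""Cross-check the kernel SPD (setkey -DP) against the SAD (setkey -D).

Added diagnostic, not strongSwan code.  With installpolicy=no charon installs no
policies, so a hand-written SPD rule must name the same mode, the same endpoints
and (for unique:N) the same reqid as the negotiated SA, or the kernel raises an
acquire that the daemon has no trap policy to answer.
"""
import ipaddress
import re
from collections import namedtuple

SA_DETAIL = re.compile(r"^\s+(esp-udp|esp|ah)\s+mode=(\w+)\s+spi=(\d+)\(0x[0-9a-f]+\)\s+reqid=(\d+)")
POL_DIR = re.compile(r"^\s+(in|out|fwd)\s+prio")
POL_RULE = re.compile(r"^\s+(esp|ah)/(tunnel|transport)/(?:([^/\s-]+)-([^/\s]+))?/(\S+)$")

# proto: esp, esp-udp or ah; mode: tunnel or transport; tunnel: outer (src, dst) or None
SA = namedtuple("SA", "src dst proto mode spi reqid")
Policy = namedtuple("Policy", "src dst direction proto mode tunnel level")

def strip_port(token):
    """'192.168.2.2[4500]' -> '192.168.2.2'; '0.0.0.0/0[7470]' -> '0.0.0.0/0'."""
    return token.split("[", 1)[0]

def parse_sad(text):
    """setkey -D: an unindented 'src dst' line followed by indented detail lines."""
    sas, head = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            head = line.split()
        elif head and (m := SA_DETAIL.match(line)):
            sas.append(SA(strip_port(head[0]), strip_port(head[1]), m.group(1),
                          m.group(2), int(m.group(3)), int(m.group(4))))
    return sas

def parse_spd(text):
    """setkey -DP: 'src dst [upper]', then a direction line, then the ipsec rule."""
    policies, head, direction = [], None, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            head, direction = line.split(), None
        elif d := POL_DIR.match(line):
            direction = d.group(1)
        elif head and direction and (r := POL_RULE.match(line)):
            tunnel = (strip_port(r.group(3)), strip_port(r.group(4))) if r.group(3) else None
            policies.append(Policy(strip_port(head[0]), strip_port(head[1]), direction,
                                   r.group(1), r.group(2), tunnel, r.group(5)))
    return policies

def sa_serves(policy, sa):
    """Would the kernel's SA lookup accept this SA for this policy?"""
    if not sa.proto.startswith(policy.proto) or sa.mode != policy.mode:
        return False
    if policy.level.startswith("unique:") and sa.reqid != int(policy.level[7:]):
        return False
    if policy.mode == "tunnel":
        return (sa.src, sa.dst) == policy.tunnel
    # transport mode: the SA addresses must be the traffic endpoints themselves
    return (ipaddress.ip_address(sa.src) in ipaddress.ip_network(policy.src, strict=False)
            and ipaddress.ip_address(sa.dst) in ipaddress.ip_network(policy.dst, strict=False))

def check(policies, sas):
    """For each policy that demands IPsec: (summary, SPI of the serving SA or None)."""
    report = []
    for p in policies:
        if p.level == "none":
            continue
        match = next((sa for sa in sas if sa_serves(p, sa)), None)
        summary = f"{p.direction} {p.src} -> {p.dst} {p.proto}/{p.mode}/{p.level}"
        report.append((summary, match.spi if match else None))
    return report

# Constructed samples modelled on the outputs quoted in the thread (detail lines trimmed).
SAD = """\
192.168.1.1[4500] 192.168.2.2[4500]
        esp-udp mode=tunnel spi=3279815240(0xc37e0248) reqid=1(0x00000001)
192.168.2.2[4500] 192.168.1.1[4500]
        esp-udp mode=tunnel spi=3439470266(0xcd0226ba) reqid=1(0x00000001)
"""
# First mail: transport-mode rules while the negotiated SAs are tunnel mode.
SPD_BEFORE = """\
0.0.0.0/0[7470] 192.168.2.2[7471] tcp
        out prio def ipsec
        esp/transport//unique:1
192.168.2.2[7470] 0.0.0.0/0[7471] tcp
        in prio def ipsec
        esp/transport//unique:1
"""
# Second mail: hand-written tunnel-mode rules whose endpoints name the SAs.
SPD_AFTER = """\
0.0.0.0/0[7470] 192.168.2.2[7471] tcp
        out prio def ipsec
        esp/tunnel/192.168.1.1-192.168.2.2/unique:1
192.168.2.2[7470] 0.0.0.0/0[7471] tcp
        in prio def ipsec
        esp/tunnel/192.168.2.2-192.168.1.1/unique:1
"""

if __name__ == "__main__":
    for label, spd in (("before", SPD_BEFORE), ("after", SPD_AFTER)):
        for summary, spi in check(parse_spd(spd), parse_sad(SAD)):
            print(f"{label}: {summary}: {'spi=0x%x' % spi if spi else 'no matching SA -> acquire'}")
```

Run it against the constructed samples and both "before" policies come back with no serving SA (mode mismatch), while both "after" policies resolve to the tunnel SAs with reqid 1. On a real host, feed it the live output of `setkey -D` and `setkey -DP`; a policy that reports no SA is the one the kernel will raise an acquire for. Note that it only checks SA selection, not whether the selectors themselves match the traffic you send (the private-versus-public address question in the last mail is a selector question, not an SA one).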