[strongSwan] [strongswan] NAT-T fails for Ikev1 negotiation

SaRaVanAn saravanan.nagarajan87 at gmail.com
Thu Oct 4 16:59:18 CEST 2012


Hi,
   I tried to form a site-to-site tunnel with a NAT device in between using
IKEv1. But I am getting the below error messages. I don't know what went
wrong. Please help me to understand the problem.

strongswan ---(NAT device)----- Netgear

Logs
+++++

Oct  4 20:25:12 localhost pluto[15315]: | inserting event EVENT_SA_EXPIRE, timeout in 86400 seconds for #1
Oct  4 20:25:12 localhost pluto[15315]: "fqdn_vr"[1] 172.31.114.227:4500#1: sent MR3, ISAKMP SA established
Oct  4 20:25:12 localhost pluto[15315]: | next event EVENT_NAT_T_KEEPALIVE in 19 seconds
Oct  4 20:25:22 localhost pluto[15315]: |
Oct  4 20:25:22 localhost pluto[15315]: | *received 76 bytes from 172.31.114.227:4500 on eth0
Oct  4 20:25:22 localhost pluto[15315]: |   26 ed 6f e6  44 ce 76 36  e2 e7 9e e8  84 73 ff 5a
Oct  4 20:25:22 localhost pluto[15315]: |   05 10 02 01  00 00 00 00  00 00 00 4c  db b5 e7 60
Oct  4 20:25:22 localhost pluto[15315]: |   e4 2b 1d eb  e1 5d f8 41  64 1c d0 4a  d7 7c 89 1c
Oct  4 20:25:22 localhost pluto[15315]: |   d9 02 cb 42  ee 8f 35 4a  69 b6 00 b1  4a f7 d1 69
Oct  4 20:25:22 localhost pluto[15315]: |   9d f4 6d 74  bf 15 03 73  e2 96 fc 3a
Oct  4 20:25:22 localhost pluto[15315]: | **parse ISAKMP Message:
Oct  4 20:25:22 localhost pluto[15315]: |    initiator cookie:
Oct  4 20:25:22 localhost pluto[15315]: |   26 ed 6f e6  44 ce 76 36
Oct  4 20:25:22 localhost pluto[15315]: |    responder cookie:
Oct  4 20:25:22 localhost pluto[15315]: |   e2 e7 9e e8  84 73 ff 5a
Oct  4 20:25:22 localhost pluto[15315]: |    next payload type: ISAKMP_NEXT_ID
Oct  4 20:25:22 localhost pluto[15315]: |    ISAKMP version: ISAKMP Version 1.0
Oct  4 20:25:22 localhost pluto[15315]: |    exchange type: ISAKMP_XCHG_IDPROT
Oct  4 20:25:22 localhost pluto[15315]: |    flags: ISAKMP_FLAG_ENCRYPTION
Oct  4 20:25:22 localhost pluto[15315]: |    message ID:  00 00 00 00
Oct  4 20:25:22 localhost pluto[15315]: |    length: 76
Oct  4 20:25:22 localhost pluto[15315]: | ICOOKIE:  26 ed 6f e6  44 ce 76 36
Oct  4 20:25:22 localhost pluto[15315]: | RCOOKIE:  e2 e7 9e e8  84 73 ff 5a
Oct  4 20:25:22 localhost pluto[15315]: | peer:  ac 1f 72 e3
Oct  4 20:25:22 localhost pluto[15315]: | state hash entry 17
Oct  4 20:25:22 localhost pluto[15315]: | state object #1 found, in STATE_MAIN_R3
Oct  4 20:25:22 localhost pluto[15315]: "fqdn_vr"[1] 172.31.114.227:4500#1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Oct  4 20:25:22 localhost pluto[15315]: | sending 76 bytes for retransmit in response to duplicate through eth0 to 172.31.114.227:4500:
Oct  4 20:25:22 localhost pluto[15315]: |   26 ed 6f e6  44 ce 76 36  e2 e7 9e e8  84 73 ff 5a
Oct  4 20:25:22 localhost pluto[15315]: |   05 10 02 01  00 00 00 00  00 00 00 4c  c8 83 25 f7
Oct  4 20:25:22 localhost pluto[15315]: |   cb 77 1d 73  92 2b 0b 34  a0 93 05 ea  99 3a 06 1b
Oct  4 20:25:22 localhost pluto[15315]: |   3f d6 66 7f  6f fe 2b b2  48 e8 a7 e8  e0 4f 90 6e
Oct  4 20:25:22 localhost pluto[15315]: |   04 55 50 a4  5c 7f f1 36  41 c1 ac be
Oct  4 20:25:22 localhost pluto[15315]: | next event EVENT_NAT_T_KEEPALIVE in 9 seconds
Oct  4 20:25:31 localhost pluto[15315]: |
Oct  4 20:25:31 localhost pluto[15315]: | *time to handle event
Oct  4 20:25:31 localhost pluto[15315]: | event after this is EVENT_REINIT_SECRET in 3567 seconds
Oct  4 20:25:31 localhost pluto[15315]: | next event EVENT_REINIT_SECRET in 3567 seconds
Oct  4 20:25:32 localhost pluto[15315]: |
Oct  4 20:25:32 localhost pluto[15315]: | *received 76 bytes from 172.31.114.227:4500 on eth0
Oct  4 20:25:32 localhost pluto[15315]: |   26 ed 6f e6  44 ce 76 36  e2 e7 9e e8  84 73 ff 5a
Oct  4 20:25:32 localhost pluto[15315]: |   05 10 02 01  00 00 00 00  00 00 00 4c  db b5 e7 60
Oct  4 20:25:32 localhost pluto[15315]: |   e4 2b 1d eb  e1 5d f8 41  64 1c d0 4a  d7 7c 89 1c
Oct  4 20:25:32 localhost pluto[15315]: |   d9 02 cb 42  ee 8f 35 4a  69 b6 00 b1  4a f7 d1 69
Oct  4 20:25:32 localhost pluto[15315]: |   9d f4 6d 74  bf 15 03 73  e2 96 fc 3a
Oct  4 20:25:32 localhost pluto[15315]: | **parse ISAKMP Message:
Oct  4 20:25:32 localhost pluto[15315]: |    initiator cookie:
Oct  4 20:25:32 localhost pluto[15315]: |   26 ed 6f e6  44 ce 76 36
Oct  4 20:25:32 localhost pluto[15315]: |    responder cookie:
Oct  4 20:25:32 localhost pluto[15315]: |   e2 e7 9e e8  84 73 ff 5a
Oct  4 20:25:32 localhost pluto[15315]: |    next payload type: ISAKMP_NEXT_ID
Oct  4 20:25:32 localhost pluto[15315]: |    ISAKMP version: ISAKMP Version 1.0
Oct  4 20:25:32 localhost pluto[15315]: |    exchange type: ISAKMP_XCHG_IDPROT
Oct  4 20:25:32 localhost pluto[15315]: |    flags: ISAKMP_FLAG_ENCRYPTION
Oct  4 20:25:32 localhost pluto[15315]: |    message ID:  00 00 00 00
Oct  4 20:25:32 localhost pluto[15315]: |    length: 76
Oct  4 20:25:32 localhost pluto[15315]: | ICOOKIE:  26 ed 6f e6  44 ce 76 36
Oct  4 20:25:32 localhost pluto[15315]: | RCOOKIE:  e2 e7 9e e8  84 73 ff 5a
Oct  4 20:25:32 localhost pluto[15315]: | peer:  ac 1f 72 e3
Oct  4 20:25:32 localhost pluto[15315]: | state hash entry 17
Oct  4 20:25:32 localhost pluto[15315]: | state object #1 found, in STATE_MAIN_R3
Oct  4 20:25:32 localhost pluto[15315]: "fqdn_vr"[1] 172.31.114.227:4500#1: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Oct  4 20:25:32 localhost pluto[15315]: | sending 76 bytes for retransmit in response to duplicate through eth0 to 172.31.114.227:4500:

Configuration for your reference
ipsec.conf
_______

ca vpnca
        cacert=ikeca-sha1-2048-dn.crt
        auto=add

config setup
        plutostart=yes
        plutodebug=all
        charonstart=yes
        charondebug=all
        nat_traversal=yes
        crlcheckinterval=10m
        strictcrlpolicy=no

conn %default
        ikelifetime=8h
        lifetime=8h
        rekeyfuzz=100%
        keyingtries=1

conn fqdn_vr
        auth=esp
        type=tunnel
        keyexchange=ikev1
        left=172.31.114.246
        right=%any
        rightid=cross@cas.com
        rightsubnet=0.0.0.0/0
        authby=secret
        pfs=no
        rekey=no
        auto=add

ipsec.secrets
_____________
172.31.114.246 %any : PSK "sachinten1"

Regards,
Saravanan N
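An added example, not from the post or from strongSwan: a small Python decoder that turns the pluto hex dump above back into bytes, parses the fixed ISAKMP header (RFC 2408 layout) the same way the "**parse ISAKMP Message" lines do, and checks for the retransmit loop the log shows. The MI3_DUMP constant is copied from the first "*received 76 bytes" lines; the state name and the wording of the diagnosis are this example's own reading of the log, not pluto output.

```python
import struct

# ISAKMP header code points (RFC 2408); only the values relevant to this log are mapped.
NEXT_PAYLOAD = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID", 20: "NAT-D"}
EXCHANGE = {2: "IDPROT", 4: "AGGR", 5: "INFO", 32: "QUICK"}
FLAG_ENCRYPTION = 0x01

# Constructed input: the "*received 76 bytes" dump from the post, stripped of the syslog prefix.
MI3_DUMP = """
|   26 ed 6f e6  44 ce 76 36  e2 e7 9e e8  84 73 ff 5a
|   05 10 02 01  00 00 00 00  00 00 00 4c  db b5 e7 60
|   e4 2b 1d eb  e1 5d f8 41  64 1c d0 4a  d7 7c 89 1c
|   d9 02 cb 42  ee 8f 35 4a  69 b6 00 b1  4a f7 d1 69
|   9d f4 6d 74  bf 15 03 73  e2 96 fc 3a
"""

def dump_to_bytes(dump: str) -> bytes:
    """Turn pluto's '|   xx xx ...' hex lines back into the raw UDP payload."""
    return bytes.fromhex(" ".join(line.lstrip("| ") for line in dump.splitlines()))

def isakmp_header(raw: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header that starts every IKEv1 message."""
    if len(raw) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, npl, ver, xchg, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    return {
        "icookie": icookie.hex(),
        "rcookie": rcookie.hex(),
        "next_payload": NEXT_PAYLOAD.get(npl, npl),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE.get(xchg, xchg),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msgid,
        "length": length,
        "length_ok": length == len(raw),   # header length must match the datagram actually received
    }

def diagnose(received: list, responder_state: str) -> str:
    """Explain a responder that is already in STATE_MAIN_R3 yet keeps seeing the same packet."""
    hdrs = [isakmp_header(r) for r in received]
    phase1 = all(h["exchange"] == "IDPROT" and h["message_id"] == 0 and h["encrypted"] for h in hdrs)
    if responder_state == "STATE_MAIN_R3" and phase1 and len(received) > 1 and len(set(received)) == 1:
        # Identical ciphertext each time: the initiator is resending MI3 because it did not accept MR3.
        return ("initiator keeps retransmitting the same MI3; MR3 is not reaching it or is being rejected: "
                "check the UDP/4500 return path through the NAT and that rightid/PSK match on both sides")
    return "no retransmit loop detected"
```

Feeding both received dumps from the log to diagnose() reproduces the "retransmitting in response to duplicate packet" situation: the responder's MR3 goes out, but the same encrypted MI3 comes back ten seconds later.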