[strongSwan] GSM modem running strongSwan problems

Jacob Abel jabel at accuflow.com
Sat Oct 13 00:00:56 CEST 2012


Hello all,

 

I have a Phoenix Contact GSM modem that I've been trying to configure as a
VPN server. The device is a Linux box running strongSwan, and because of the
web interface I have very limited control over the configuration. I've been
trying to connect to it without luck. It gets through the Phase 1
authentication and then fails at Phase 2. The problem seems to be a NAT
problem (where I don't know), as here is the relevant error from the log
(IPs replaced):

 

Oct 11 11:30:12 pluto[1405]: "vpn1"[2] [office_ip]:4500 #1: cannot respond to IPsec SA request because no connection is known for 192.168.9.0/24===[modem_ip]:4500...[office_ip]:4500[192.168.0.15]===192.168.0.240/32

 

Here's what I can tell you:

 

PSK for auth, not using certs

 

On the GSM modem:
Internal IP address: 192.168.0.1
External IP address: [modem_ip]
(on the VPN settings page):
"Address Remote Network": 192.168.9.0/24
"Address Local Network": 192.168.0.0/24
Local 1:1 NAT is unchecked

 

Office's setup:
Our router address: 192.168.0.1
External IP address: [office_ip]
My computer's IP address: 192.168.0.15

 

VPN client setup (GreenBow, tried Windows' built-in functionality first):
VPN client address: 192.168.0.240
Address type: subnet address
Remote LAN address: 192.168.9.0
Subnet mask: 255.255.255.0

 

The GreenBow client told me "Wrong Remote Address", and when I try to
connect with Windows it tells me "Error 789: The L2TP connection attempt
failed because the security layer encountered a processing error during
initial negotiations with the remote computer." and the modem's log shows:

 

Feb 20 13:08:43 pluto[1162]: "vpn1"[2] [office_ip]:58385 #1: cannot respond to IPsec SA request because no connection is known for [modem_ip]:4500:17/1701...[office_ip]:58385[192.168.0.15]:17/1701===192.168.0.15/32

 

In Windows, I have the VPN connection's security set to L2TP/IPSec with the
PSK in place in the advanced settings, everything else left as default.

 

Any help would be greatly appreciated. I've tried so many different
combinations in all the fields with IP addresses without any luck. Is this a
problem with my office's router, the GSM router, or what? It's got to be
some sort of NAT problem.

 

Regards,

 

Jacob Abel
Project Engineer
Accuflow, Inc.
4801 District Blvd.
Bakersfield, CA 93313
 <http://www.accuflow.com/> www.accuflow.com
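
Added example, not part of the original post: a small parser that pulls the requested subnets out of the two pluto log lines above and compares them with the values on the modem's VPN settings page. It assumes the message layout is our_subnet===our_host...peer_host[peer_id]===peer_subnet and that "Address Local Network" and "Address Remote Network" are the connection's local and remote subnets; the function names are hypothetical.

```python
import ipaddress
import re

# Assumed layout of pluto's message (not stated in the post):
#   our_subnet===our_host...peer_host[peer_id]===peer_subnet
# A missing subnet means the request was for the host address itself.
SELECTOR_RE = re.compile(
    r"no connection is known for\s+"
    r"(?:(?P<our_net>[0-9./]+)===)?(?P<our_host>.+?)\.\.\."
    r"(?P<peer_host>.+?)(?:===(?P<peer_net>[0-9./]+))?\s*$"
)

# The two log lines from the post, with the mail wrapping undone.
IPSEC_LOG = ('Oct 11 11:30:12 pluto[1405]: "vpn1"[2] [office_ip]:4500 #1: cannot '
             "respond to IPsec SA request because no connection is known for "
             "192.168.9.0/24===[modem_ip]:4500...[office_ip]:4500[192.168.0.15]"
             "===192.168.0.240/32")
L2TP_LOG = ('Feb 20 13:08:43 pluto[1162]: "vpn1"[2] [office_ip]:58385 #1: cannot '
            "respond to IPsec SA request because no connection is known for "
            "[modem_ip]:4500:17/1701...[office_ip]:58385[192.168.0.15]:17/1701"
            "===192.168.0.15/32")

def requested_selectors(log_line):
    """Return (our_subnet, peer_subnet) the peer asked for, or None if no match."""
    m = SELECTOR_RE.search(log_line)
    return (m["our_net"], m["peer_net"]) if m else None

def mismatches(log_line, cfg_local, cfg_remote):
    """List (side, requested, configured, relation) for every requested
    selector that differs from the configured subnet on that side."""
    req = requested_selectors(log_line)
    if req is None:
        raise ValueError("not a 'no connection is known' line")
    found = []
    for side, asked, cfg in zip(("local", "remote"), req, (cfg_local, cfg_remote)):
        if asked is None:  # request named the gateway host, not a subnet
            found.append((side, None, cfg, "host-only"))
            continue
        a, c = ipaddress.ip_network(asked), ipaddress.ip_network(cfg)
        if a != c:
            found.append((side, asked, cfg, "inside" if a.subnet_of(c) else "outside"))
    return found

if __name__ == "__main__":
    # Modem settings page: local 192.168.0.0/24, remote 192.168.9.0/24
    for line in (IPSEC_LOG, L2TP_LOG):
        for finding in mismatches(line, "192.168.0.0/24", "192.168.9.0/24"):
            print(finding)
```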

 
