[strongSwan] Double NAT Transport in 5.1 rc1/dr2 config question
Dan Cook
dan.cook at illum.io
Thu Jul 25 08:25:12 CEST 2013
I am trying to get double NAT Transport (UDP Encapsulation) going on
5.1 dr2 and 5.1 rc1.
I have two servers Moon and Sun. Moon wants to talk to Sun over TCP
on port 8080.
The firewall ports 500 and 4500 are open between the two servers and
they are both 1:1 NAT.
When I try to initiate communication between the servers via iperf, the
IPsec connection does not start and the traffic flows normally over
8080 from moon to sun. Again, it is not encapsulated/encrypted. When
I force the connection "up" I receive an AUTH_FAILED, which is shown
below in the logs. I have included the connection configs, the
charon.log and the output of the statusall command.
I could really use some help getting this connection up and going.
Thanks,
Dan Cook
Configs:
conn moon
    left=%any
    leftprotoport=tcp/%any
    right=54.241.192.159
    rightsubnet=10.170.95.110/32
    rightprotoport=tcp/8080
Moon is behind a NAT with a 10.251.75.98 private ip address.
conn sun
    left=%any
    leftprotoport=tcp/8080
    right=54.214.139.16
    rightsubnet=10.251.75.98/32
    rightprotoport=tcp/%any
Sun is also behind a NAT, with a private IP address of 10.170.95.110.
The %default section on each server is:
conn %default
    authby=secret
    mobike=no
    closeaction=none
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=150s
    inactivity=30m
    ikelifetime=3h
    keyexchange=ikev2
    keyingtries=3
    lifetime=1h
    reauth=yes
    rekey=yes
    margintime=9m
    esp=aes256!
    ike=aes256-sha384-prfsha384-ecp384!
    forceencaps=yes
    type=transport
    auto=route
Moon charon.log:
2013-07-25T06:01:14+0000 16[CFG] received stroke: initiate 'moon'
2013-07-25T06:01:14+0000 02[IKE] initiating IKE_SA moon[1] to 54.241.192.159
2013-07-25T06:01:14+0000 02[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2013-07-25T06:01:14+0000 02[NET] sending packet: from 10.251.75.98[500] to 54.241.192.159[500] (272 bytes)
2013-07-25T06:01:14+0000 01[NET] received packet: from 54.241.192.159[500] to 10.251.75.98[500] (280 bytes)
2013-07-25T06:01:14+0000 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
2013-07-25T06:01:14+0000 01[IKE] local host is behind NAT, sending keep alives
2013-07-25T06:01:14+0000 01[IKE] remote host is behind NAT
2013-07-25T06:01:14+0000 01[CFG] no IDi configured, fall back on IP address
2013-07-25T06:01:14+0000 01[IKE] authentication of '10.251.75.98' (myself) with pre-shared key
2013-07-25T06:01:14+0000 01[IKE] establishing CHILD_SA moon
2013-07-25T06:01:14+0000 01[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
2013-07-25T06:01:14+0000 01[NET] sending packet: from 10.251.75.98[4500] to 54.241.192.159[4500] (280 bytes)
2013-07-25T06:01:14+0000 13[NET] received packet: from 54.241.192.159[4500] to 10.251.75.98[4500] (88 bytes)
2013-07-25T06:01:14+0000 13[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2013-07-25T06:01:14+0000 13[IKE] received AUTHENTICATION_FAILED notify error
Sun charon.log (all logging at 1):
2013-07-25T02:01:37-0400 16[NET] received packet: from 54.214.139.16[500] to 10.170.95.110[500] (272 bytes)
2013-07-25T02:01:37-0400 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2013-07-25T02:01:37-0400 16[IKE] 54.214.139.16 is initiating an IKE_SA
2013-07-25T02:01:37-0400 16[IKE] local host is behind NAT, sending keep alives
2013-07-25T02:01:37-0400 16[IKE] remote host is behind NAT
2013-07-25T02:01:37-0400 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
2013-07-25T02:01:37-0400 16[NET] sending packet: from 10.170.95.110[500] to 54.214.139.16[500] (280 bytes)
2013-07-25T02:01:37-0400 01[NET] received packet: from 54.214.139.16[4500] to 10.170.95.110[4500] (280 bytes)
2013-07-25T02:01:37-0400 01[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
2013-07-25T02:01:37-0400 01[CFG] looking for peer configs matching 10.170.95.110[54.241.192.159]...54.214.139.16[10.251.75.98]
2013-07-25T02:01:37-0400 01[CFG] no matching peer config found
2013-07-25T02:01:37-0400 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2013-07-25T02:01:37-0400 01[NET] sending packet: from 10.170.95.110[4500] to 54.214.139.16[4500] (88 bytes)
Moon statusall output:
Status of IKE charon daemon (strongSwan 5.1.0dr2, Linux 3.2.0-49-virtual, x86_64):
  uptime: 16 minutes, since Jul 25 06:01:04 2013
  malloc: sbrk 270336, mmap 0, used 221344, free 48992
  worker threads: 7 of 16 idle, 8/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes sha2 random nonce sshkey openssl gmp xcbc hmac attr kernel-netlink socket-default stroke updown error-notify
Listening IP addresses:
  10.251.75.98
Connections:
        moon:  %any...54.241.192.159  IKEv2, dpddelay=30s
        moon:   local:  uses pre-shared key authentication
        moon:   remote: [54.241.192.159] uses pre-shared key authentication
        moon:   child:  dynamic[tcp] === 10.170.95.110/32[tcp/http-alt] TRANSPORT, dpdaction=clear
Routed Connections:
     moon{1}:  ROUTED, TRANSPORT
     moon{1}:   10.251.75.98/32[tcp] === 10.170.95.110/32[tcp/http-alt]
Security Associations (0 up, 0 connecting):
  none
Sun statusall output:
Status of IKE charon daemon (strongSwan 5.1.0dr2, Linux 2.6.32-358.11.1.el6.x86_64, x86_64):
  uptime: 17 minutes, since Jul 25 02:00:34 2013
  malloc: sbrk 270336, mmap 0, used 215808, free 54528
  worker threads: 7 of 16 idle, 8/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes sha2 random nonce sshkey openssl gmp xcbc hmac attr kernel-netlink socket-default stroke updown error-notify
Listening IP addresses:
  10.170.95.110
Connections:
         sun:  %any...54.214.139.16  IKEv2, dpddelay=30s
         sun:   local:  uses pre-shared key authentication
         sun:   remote: [54.214.139.16] uses pre-shared key authentication
         sun:   child:  dynamic[tcp/webcache] === 10.251.75.98/32[tcp] TRANSPORT, dpdaction=clear
Routed Connections:
      sun{1}:  ROUTED, TRANSPORT
      sun{1}:   10.170.95.110/32[tcp/webcache] === 10.251.75.98/32[tcp]
Security Associations (0 up, 0 connecting):
  none
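The responder-side line `looking for peer configs matching 10.170.95.110[54.241.192.159]...54.214.139.16[10.251.75.98]` in the Sun log carries the four values charon used to select a peer config: local address[IDr received]...remote address[IDi received]. The script below is an added example for readers of this thread; it is not part of the post and not strongSwan code. It parses that CFG line out of a charon log and compares the received identities with the identities an ipsec.conf conn section uses by default (leftid/rightid fall back to left/right, and a `%any` left is identified by the host's actual address, which is what the Moon log's "no IDi configured, fall back on IP address" line reports). The sample log lines and conn values are copied from the post; the dictionary representation of the conn section and the function names are the example's own.

```python
import re

# Constructed sample: the two CFG lines from the responder (Sun) charon.log quoted in the post.
SUN_LOG = """\
2013-07-25T02:01:37-0400 01[CFG] looking for peer configs matching 10.170.95.110[54.241.192.159]...54.214.139.16[10.251.75.98]
2013-07-25T02:01:37-0400 01[CFG] no matching peer config found
"""

# Constructed: the responder's "conn sun" section from the post as a dict (no leftid/rightid set).
SUN_CONN = {"left": "%any", "right": "54.214.139.16"}

# charon logs the lookup as: local_host[IDr]...remote_host[IDi]
LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"([^\[\]\s]+)\[([^\[\]\s]+)\]\.\.\.([^\[\]\s]+)\[([^\[\]\s]+)\]"
)


def parse_lookup(log):
    """Return (local_host, idr, remote_host, idi) from the first lookup line, or None."""
    for line in log.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            return m.groups()
    return None


def effective_ids(conn, local_host):
    """Identities a conn section matches against when leftid/rightid are not set:
    leftid defaults to left (a %any left means the host's own address),
    rightid defaults to right."""
    leftid = conn.get("leftid") or conn["left"]
    if leftid == "%any":
        leftid = local_host
    rightid = conn.get("rightid") or conn["right"]
    return leftid, rightid


def diagnose(conn, log):
    """List (setting, configured_value, received_value) mismatches that prevent
    the conn section from matching the identities seen in the lookup line."""
    parsed = parse_lookup(log)
    if parsed is None:
        return []
    local_host, idr, remote_host, idi = parsed
    leftid, rightid = effective_ids(conn, local_host)
    problems = []
    # IDi sent by the initiator must match our rightid (unless rightid=%any).
    if rightid != "%any" and idi != rightid:
        problems.append(("rightid", rightid, idi))
    # IDr sent by the initiator must match our leftid (unless leftid=%any).
    if leftid != "%any" and idr != leftid:
        problems.append(("leftid", leftid, idr))
    return problems


if __name__ == "__main__":
    for setting, configured, received in diagnose(SUN_CONN, SUN_LOG):
        print(f"{setting}: configured/defaulted to {configured}, peer sent {received}")
```

Run against the post's values it reports two mismatches: the initiator identified itself by its private address 10.251.75.98 while Sun's rightid defaults to the public 54.214.139.16, and the initiator named the responder as 54.241.192.159 while Sun's leftid defaults to its own private 10.170.95.110. With both peers behind 1:1 NAT the address-derived default IDs will not line up on their own, so the useful check before changing anything is to read this lookup line and confirm that whatever leftid/rightid you configure on each side are exactly the strings the other side sends.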