[strongSwan] Double NAT Transport in 5.1 rc1/dr2 config question

Dan Cook dan.cook at illum.io
Thu Jul 25 08:25:12 CEST 2013


I am trying to get double NAT Transport (UDP Encapsulation) going on
5.1 dr2 and 5.1 rc1.
I have two servers Moon and Sun.  Moon wants to talk to Sun over TCP
on port 8080.

The firewall ports 500 and 4500 are open between the two servers and
they are both 1:1 NAT.

When I try to initiate communication between the servers via iperf the
IPSec connection does not start and the traffic flows normally over
8080 from moon to sun.  Again it is not encapsulated/encrypted.  When
I force the connection "up" I receive an AUTH_FAILED which is shown
below in the logs.  I have included the connection configs, the
charon.log and the output of the statusall command.

I could really use some help getting this connection up and going.

Thanks,
Dan Cook

Configs:
conn moon
  left=%any
  leftprotoport=tcp/%any
  right=54.241.192.159
  rightsubnet=10.170.95.110/32
  rightprotoport=tcp/8080

Moon is behind a NAT with a 10.251.75.98 private IP address.

conn sun
  left=%any
  leftprotoport=tcp/8080
  right=54.214.139.16
  rightsubnet=10.251.75.98/32
  rightprotoport=tcp/%any

Sun is also behind a NAT with a private IP address of 10.170.95.110.

The %default on each server is:
conn %default
  authby=secret
  mobike=no
  closeaction=none
  dpdaction=clear
  dpddelay=30s
  dpdtimeout=150s
  inactivity=30m
  ikelifetime=3h
  keyexchange=ikev2
  keyingtries=3
  lifetime=1h
  reauth=yes
  rekey=yes
  margintime=9m
  esp=aes256!
  ike=aes256-sha384-prfsha384-ecp384!
  forceencaps=yes
  type=transport
  auto=route

Moon charon.log:
2013-07-25T06:01:14+0000 16[CFG] received stroke: initiate 'moon'
2013-07-25T06:01:14+0000 02[IKE] initiating IKE_SA moon[1] to 54.241.192.159
2013-07-25T06:01:14+0000 02[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2013-07-25T06:01:14+0000 02[NET] sending packet: from 10.251.75.98[500] to 54.241.192.159[500] (272 bytes)
2013-07-25T06:01:14+0000 01[NET] received packet: from 54.241.192.159[500] to 10.251.75.98[500] (280 bytes)
2013-07-25T06:01:14+0000 01[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
2013-07-25T06:01:14+0000 01[IKE] local host is behind NAT, sending keep alives
2013-07-25T06:01:14+0000 01[IKE] remote host is behind NAT
2013-07-25T06:01:14+0000 01[CFG] no IDi configured, fall back on IP address
2013-07-25T06:01:14+0000 01[IKE] authentication of '10.251.75.98' (myself) with pre-shared key
2013-07-25T06:01:14+0000 01[IKE] establishing CHILD_SA moon
2013-07-25T06:01:14+0000 01[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
2013-07-25T06:01:14+0000 01[NET] sending packet: from 10.251.75.98[4500] to 54.241.192.159[4500] (280 bytes)
2013-07-25T06:01:14+0000 13[NET] received packet: from 54.241.192.159[4500] to 10.251.75.98[4500] (88 bytes)
2013-07-25T06:01:14+0000 13[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2013-07-25T06:01:14+0000 13[IKE] received AUTHENTICATION_FAILED notify error

Sun charon.log (all logging at 1):
2013-07-25T02:01:37-0400 16[NET] received packet: from 54.214.139.16[500] to 10.170.95.110[500] (272 bytes)
2013-07-25T02:01:37-0400 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2013-07-25T02:01:37-0400 16[IKE] 54.214.139.16 is initiating an IKE_SA
2013-07-25T02:01:37-0400 16[IKE] local host is behind NAT, sending keep alives
2013-07-25T02:01:37-0400 16[IKE] remote host is behind NAT
2013-07-25T02:01:37-0400 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
2013-07-25T02:01:37-0400 16[NET] sending packet: from 10.170.95.110[500] to 54.214.139.16[500] (280 bytes)
2013-07-25T02:01:37-0400 01[NET] received packet: from 54.214.139.16[4500] to 10.170.95.110[4500] (280 bytes)
2013-07-25T02:01:37-0400 01[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
2013-07-25T02:01:37-0400 01[CFG] looking for peer configs matching 10.170.95.110[54.241.192.159]...54.214.139.16[10.251.75.98]
2013-07-25T02:01:37-0400 01[CFG] no matching peer config found
2013-07-25T02:01:37-0400 01[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2013-07-25T02:01:37-0400 01[NET] sending packet: from 10.170.95.110[4500] to 54.214.139.16[4500] (88 bytes)

Moon statusall output:
Status of IKE charon daemon (strongSwan 5.1.0dr2, Linux 3.2.0-49-virtual, x86_64):
  uptime: 16 minutes, since Jul 25 06:01:04 2013
  malloc: sbrk 270336, mmap 0, used 221344, free 48992
  worker threads: 7 of 16 idle, 8/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes sha2 random nonce sshkey openssl gmp xcbc hmac attr kernel-netlink socket-default stroke updown error-notify
Listening IP addresses:
  10.251.75.98
Connections:
        moon:  %any...54.241.192.159  IKEv2, dpddelay=30s
        moon:   local:  uses pre-shared key authentication
        moon:   remote: [54.241.192.159] uses pre-shared key authentication
        moon:   child:  dynamic[tcp] === 10.170.95.110/32[tcp/http-alt] TRANSPORT, dpdaction=clear
Routed Connections:
        moon{1}:  ROUTED, TRANSPORT
        moon{1}:   10.251.75.98/32[tcp] === 10.170.95.110/32[tcp/http-alt]
Security Associations (0 up, 0 connecting):
  none

Sun statusall output:
Status of IKE charon daemon (strongSwan 5.1.0dr2, Linux 2.6.32-358.11.1.el6.x86_64, x86_64):
  uptime: 17 minutes, since Jul 25 02:00:34 2013
  malloc: sbrk 270336, mmap 0, used 215808, free 54528
  worker threads: 7 of 16 idle, 8/1/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes sha2 random nonce sshkey openssl gmp xcbc hmac attr kernel-netlink socket-default stroke updown error-notify
Listening IP addresses:
  10.170.95.110
Connections:
         sun:  %any...54.214.139.16  IKEv2, dpddelay=30s
         sun:   local:  uses pre-shared key authentication
         sun:   remote: [54.214.139.16] uses pre-shared key authentication
         sun:   child:  dynamic[tcp/webcache] === 10.251.75.98/32[tcp] TRANSPORT, dpdaction=clear
Routed Connections:
         sun{1}:  ROUTED, TRANSPORT
         sun{1}:   10.170.95.110/32[tcp/webcache] === 10.251.75.98/32[tcp]
Security Associations (0 up, 0 connecting):
  none
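An added diagnostic (not part of the original post and not strongSwan's own code) that parses the Sun-side "looking for peer configs matching" line and the sun conn stanza quoted above, and reports each peer identity that conn cannot match. It assumes strongSwan's documented fallback, visible in the log as "no IDi configured, fall back on IP address": an unset leftid is the local IP address and an unset rightid is the right= address; the inputs are constructed copies of the post's text.

```python
import re

# Constructed sample input, copied from the post: Sun's charon.log lookup
# line and Sun's conn stanza (ipsec.conf syntax).
SUN_LOG_LINE = ("2013-07-25T02:01:37-0400 01[CFG] looking for peer configs matching "
                "10.170.95.110[54.241.192.159]...54.214.139.16[10.251.75.98]")
SUN_CONF = """
conn sun
  left=%any
  leftprotoport=tcp/8080
  right=54.214.139.16
  rightsubnet=10.251.75.98/32
  rightprotoport=tcp/%any
"""
# charon logs: matching <local addr>[<IDr sent by peer>]...<remote addr>[<IDi>]
LOOKUP_RE = re.compile(r"looking for peer configs matching "
                       r"(?P<me>[^\[\s]+)\[(?P<my_id>[^\]]+)\]\.\.\."
                       r"(?P<other>[^\[\s]+)\[(?P<other_id>[^\]]+)\]")

def parse_lookup(line):
    """Extract addresses and identities from the lookup line, or None."""
    m = LOOKUP_RE.search(line)
    return m.groupdict() if m else None

def parse_conn(text):
    """Parse one conn stanza into a dict of key=value settings."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def effective_ids(conf, local_addr):
    """Identities the conn matches on; unset leftid/rightid fall back to the IPs."""
    return conf.get("leftid", local_addr), conf.get("rightid", conf.get("right", "%any"))

def diagnose(line, conf):
    """Report each identity the peer sent that this conn cannot match."""
    lk = parse_lookup(line)
    my_id, other_id = effective_ids(conf, lk["me"])
    problems = []
    if my_id != "%any" and lk["my_id"] != my_id:
        problems.append(f"IDr {lk['my_id']} != local id {my_id}; set leftid={lk['my_id']}")
    if other_id != "%any" and lk["other_id"] != other_id:
        problems.append(f"IDi {lk['other_id']} != remote id {other_id}; set rightid={lk['other_id']}")
    return problems
```

Run against the post's own log line and conn, it flags both identities: behind 1:1 NAT each host identifies itself by its private address while the peer's config names the public one.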
