[strongSwan] Double NAT Transport in 5.1 rc1/rd2 config question

Dan Cook dan.cook at illum.io
Thu Jul 25 22:21:39 CEST 2013


Tobias,

Thank you.
I ran into some problems getting the connection routed correctly, but
I managed to figure it out after looking at the xfrm policy in the
kernel.

My connections (that work) are:
conn moon-sun
  left=%any
  leftsubnet=10.251.75.98/32
  leftid=moon
  leftprotoport=tcp/%any
  rightid=sun
  right=54.241.192.159
  rightprotoport=tcp/8080

Discovered two things in addition to the naming requirement you
mentioned when configuring double NAT Transport:

1) If the rightsubnet is specified as the private address of the sun
server, the xform route in the kernel is pointing at both NAT'ed
addresses resulting in no packets being routed.

# ip -s xfrm policy
  src 10.170.95.110/32 dst 10.251.75.98/32 proto tcp sport 8080 uid 0
  ... snip ...
src 10.251.75.98/32 dst 10.170.95.110/32 proto tcp dport 8080 uid 0
  ... snip ...

2) If the "left" parameter is specified as the public ip address of
54.214.139.16 instead of "%any" or "%default" I receive "Invalid
argument" - writing to the socket errors.  I would have expected this
to work also since the connection is NAT'ed and the "leftsubnet"
address should have been used if it was not a network address. (32-bit
CIDR).

Here is the charon log on moon for number 2:
2013-07-25T19:11:59+0000 08[KNL] creating acquire job for policy
10.251.75.98/32[tcp] === 54.241.192.159/32[tcp/http-alt] with reqid
{1}
2013-07-25T19:11:59+0000 15[IKE] initiating IKE_SA moon-sun to 54.241.192.159
2013-07-25T19:11:59+0000 15[ENC] generating IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
2013-07-25T19:11:59+0000 15[NET] sending packet: from
54.214.139.16[500] to 54.241.192.159[500] (272 bytes)
2013-07-25T19:11:59+0000 09[NET] error writing to socket: Invalid argument
2013-07-25T19:12:03+0000 16[IKE] retransmit 1 of request with message ID 0
2013-07-25T19:12:03+0000 16[NET] sending packet: from
54.214.139.16[500] to 54.241.192.159[500] (272 bytes)
2013-07-25T19:12:03+0000 09[NET] error writing to socket: Invalid argument
2013-07-25T19:12:11+0000 02[IKE] retransmit 2 of request with message ID 0
2013-07-25T19:12:11+0000 02[NET] sending packet: from
54.214.139.16[500] to 54.241.192.159[500] (272 bytes)
2013-07-25T19:12:11+0000 09[NET] error writing to socket: Invalid argument
2013-07-25T19:12:24+0000 01[IKE] retransmit 3 of request with message ID 0
2013-07-25T19:12:24+0000 01[NET] sending packet: from
54.214.139.16[500] to 54.241.192.159[500] (272 bytes)
2013-07-25T19:12:24+0000 09[NET] error writing to socket: Invalid argument

It appears that "left" in the configuration must be "%any" or
"%default" AND "rightsubnet" must not be used in the connection config
otherwise badness happens.

Dan


On Thu, Jul 25, 2013 at 12:06 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Dan,
>
>> 2013-07-25T02:01:37-0400 01[CFG] looking for peer configs matching
>> 10.170.95.110[54.241.192.159]...54.214.139.16[10.251.75.98]
>
> You can't use the IP addresses as identities (left|rightid default to
> left|right for PSK connections) because of the NAT.  As each client will
> use its private IP address as ID and your configs have right=<public IP>
> the config lookup fails.  Try setting the ID explicitly e.g. with
> leftid=moon and rightid=sun on moon and likewise on sun.
>
> Regards,
> Tobias
>
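As an added illustration of the diagnostic step Dan describes (reading the kernel xfrm policy to see which selectors were actually installed), the following Python snippet is example code written for this page; it is not strongSwan code and not from anyone in the thread. It parses the selector and direction lines of `ip xfrm policy` output and flags any outbound policy whose destination selector does not cover the address this host actually uses to reach the peer. The sample output embedded in the block is constructed from the two policy lines quoted in the mail (the `dir`/`priority`/`tmpl` lines and their values are made up for the sample), and 54.241.192.159 is assumed to be the public address of sun, as in Dan's working config.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample modelled on the "ip -s xfrm policy" output quoted in the
# mail: the policies carry sun's private address (10.170.95.110) as the remote
# selector although moon reaches sun via its public address 54.241.192.159.
# The dir/priority/tmpl lines and their numbers are invented for this sample.
SAMPLE_XFRM_POLICY = """\
src 10.170.95.110/32 dst 10.251.75.98/32 proto tcp sport 8080 uid 0
\tdir in priority 2883 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
src 10.251.75.98/32 dst 10.170.95.110/32 proto tcp dport 8080 uid 0
\tdir out priority 2883 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
"""

# One policy starts with an unindented selector line; the direction follows
# on an indented "dir ..." line.
SELECTOR_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?"
    r"(?: sport (?P<sport>\d+))?"
    r"(?: dport (?P<dport>\d+))?"
)
DIR_RE = re.compile(r"^\s+dir (?P<dir>\w+)")


def parse_xfrm_policies(text: str) -> List[Dict[str, str]]:
    """Turn 'ip xfrm policy' text into a list of selector dicts (src, dst,
    proto, sport/dport when present, and dir)."""
    policies: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            current = {k: v for k, v in m.groupdict().items() if v is not None}
            policies.append(current)
            continue
        m = DIR_RE.match(line)
        if m and current:
            current["dir"] = m.group("dir")
    return policies


def outbound_policies_missing_peer(policies: List[Dict[str, str]],
                                   peer_addr: str) -> List[Dict[str, str]]:
    """Return the outbound policies whose dst selector does not contain the
    address this host uses to reach the peer. Traffic to the peer cannot
    match such a policy, which is the symptom described in point 1 of the
    mail (an installed policy that never routes any packets)."""
    peer = ipaddress.ip_address(peer_addr)
    return [
        p for p in policies
        if p.get("dir") == "out"
        and peer not in ipaddress.ip_network(p["dst"], strict=False)
    ]


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real host you would
    # feed it the output of "ip xfrm policy" instead.
    parsed = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    for p in parsed:
        print(p)
    for p in outbound_policies_missing_peer(parsed, "54.241.192.159"):
        print("outbound policy never matches traffic to the peer:", p["dst"])
```

Run it against the real `ip xfrm policy` output instead of the sample to confirm that the outbound selector points at the address the host actually sends to; an empty result from `outbound_policies_missing_peer` is the expected state for the working configuration.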