[strongSwan] strongswan 5.0.0 with L2TP
Kailesh Mussai
Kailesh.Mussai at cs.mcgill.ca
Wed May 1 23:03:47 CEST 2013
Hello all,
We are using strongswan with l2tp (using xl2tpd) to provide VPN services for our department. It works great with a client that has a public IP: the ipsec connection is made and then xl2tpd kicks in to provide the tunnel. Our issue here is when we have clients behind a NAT; in the logs we can see the ipsec connection getting created and then it just times out.
We tried a couple of things, disabling the firewall and a few other options, but to no avail; any help on this would be much appreciated.
Sincerely,
Kailesh Mussai
Below is our config:
config setup
        charonstart = yes

conn %default
        keyingtries = 3
        ikelifetime = 3h
        keylife = 1h

conn roadwarrior-l2tp
        rightprotoport = 17/%any
        also = roadwarrior

conn roadwarrior-l2tp-updatedwin
        rightprotoport = 17/1701
        also = roadwarrior

conn roadwarrior
        authby = secret
        auto = add
        type = transport
        left = <public IP here>
        leftprotoport = 17/1701
        right = %any
        rightsubnet = 0.0.0.0/0
Our logs show:
May 1 16:56:15 new_vpn charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
snip....
May 1 16:56:15 new_vpn charon: 12[IKE] 132.206.54.14 is initiating a Main Mode IKE_SA
May 1 16:56:15 new_vpn charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
May 1 16:56:15 new_vpn charon: 12[NET] sending packet: from <public_ip>[500] to <public_ip>[500]
May 1 16:56:15 new_vpn charon: 15[NET] received packet: from <public_ip>[500] to <public_ip>[500]
May 1 16:56:15 new_vpn charon: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
May 1 16:56:16 new_vpn charon: 15[IKE] remote host is behind NAT
May 1 16:56:16 new_vpn charon: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May 1 16:56:16 new_vpn charon: 15[NET] sending packet: from <public_ip>[500] to <public_ip>[500]
May 1 16:56:16 new_vpn charon: 03[NET] received packet: from <public_ip>[4500] to <public_ip>[4500]
May 1 16:56:16 new_vpn charon: 03[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May 1 16:56:16 new_vpn charon: 03[CFG] looking for pre-shared key peer configs matching <public_ip>...<public_ip>[10.0.14.4]
May 1 16:56:16 new_vpn charon: 03[CFG] selected peer config "roadwarrior-l2tp"
May 1 16:56:16 new_vpn charon: 03[IKE] IKE_SA roadwarrior-l2tp[9] established between [<public_ip>]...<public_ip>[10.0.14.4]
May 1 16:56:16 new_vpn charon: 03[IKE] scheduling reauthentication in 10144s
May 1 16:56:16 new_vpn charon: 03[IKE] maximum IKE_SA lifetime 10684s
May 1 16:56:16 new_vpn charon: 03[ENC] generating ID_PROT response 0 [ ID HASH ]
snip ....
May 1 16:56:17 new_vpn charon: 01[ENC] parsed QUICK_MODE request 3956378091 [ HASH SA No ID ID NAT-OA NAT-OA ]
May 1 16:56:17 new_vpn charon: 01[ENC] generating QUICK_MODE response 3956378091 [ HASH SA No ID ID NAT-OA NAT-OA ]
snip ....
May 1 16:56:17 new_vpn charon: 02[NET] received packet: from <public_ip>[4500] to <public_ip>[4500]
May 1 16:56:17 new_vpn charon: 02[ENC] parsed QUICK_MODE request 3956378091 [ HASH ]
May 1 16:56:17 new_vpn charon: 02[IKE] CHILD_SA roadwarrior{9} established with SPIs cd43abd1_i 005f3e0d_o and TS <public_ip>/32[udp/l2tp] === 10.0.14.4/32[udp/62083]
May 1 16:56:37 new_vpn charon: 11[NET] received packet: from <public_ip>[4500] to <public_ip>[4500]
May 1 16:56:37 new_vpn charon: 11[ENC] parsed INFORMATIONAL_V1 request 2915905331 [ HASH D ]
May 1 16:56:37 new_vpn charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI 005f3e0d
May 1 16:56:37 new_vpn charon: 11[IKE] closing CHILD_SA roadwarrior{9} with SPIs cd43abd1_i (553 bytes) 005f3e0d_o (0 bytes) and TS <public_ip>/32[udp/l2tp] === 10.0.14.4/32[udp/62083]
May 1 16:56:37 new_vpn charon: 16[NET] received packet: from <public_ip>[4500] to <public_ip>[4500]
May 1 16:56:37 new_vpn charon: 16[ENC] parsed INFORMATIONAL_V1 request 3137403066 [ HASH D ]
May 1 16:56:37 new_vpn charon: 16[IKE] received DELETE for IKE_SA roadwarrior-l2tp[9]
May 1 16:56:37 new_vpn charon: 16[IKE] deleting IKE_SA roadwarrior-l2tp[9] between <public_ip>[<public_ip>]...<public_ip>[10.0.14.4]
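The log excerpt above shows the pattern worth triaging on a busy L2TP/IPsec gateway: a CHILD_SA is established with NAT-OA traffic selectors (the remote side is the client's private address with an ephemeral UDP port, not 1701), and 20 seconds later the client deletes it while the gateway has sent 0 bytes back. The following script is an added example (it is not part of the post and not strongSwan's own tooling) that extracts exactly those facts from charon log lines so that short-lived CHILD_SAs with no return traffic can be spotted without reading the log by hand. The sample log is constructed from the lines quoted above with documentation placeholder addresses; the function names, the 60-second window and the dict layout are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the charon lines quoted in the post.
# Addresses are documentation placeholders; SPIs, byte counts and timestamps
# follow the quoted log.
SAMPLE_LOG = """\
May 1 16:56:16 new_vpn charon: 03[IKE] IKE_SA roadwarrior-l2tp[9] established between 198.51.100.10[198.51.100.10]...203.0.113.7[10.0.14.4]
May 1 16:56:17 new_vpn charon: 02[IKE] CHILD_SA roadwarrior{9} established with SPIs cd43abd1_i 005f3e0d_o and TS 198.51.100.10/32[udp/l2tp] === 10.0.14.4/32[udp/62083]
May 1 16:56:37 new_vpn charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI 005f3e0d
May 1 16:56:37 new_vpn charon: 11[IKE] closing CHILD_SA roadwarrior{9} with SPIs cd43abd1_i (553 bytes) 005f3e0d_o (0 bytes) and TS 198.51.100.10/32[udp/l2tp] === 10.0.14.4/32[udp/62083]
May 1 16:56:37 new_vpn charon: 16[IKE] deleting IKE_SA roadwarrior-l2tp[9] between 198.51.100.10[198.51.100.10]...203.0.113.7[10.0.14.4]
"""

# Common syslog prefix: "May 1 16:56:17 host charon: 02[IKE] "
PREFIX_RE = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] "
ESTABLISHED_RE = re.compile(
    PREFIX_RE + r"CHILD_SA (?P<name>\S+) established with SPIs "
    r"(?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o and TS (?P<local>\S+) === (?P<remote>\S+)$")
CLOSING_RE = re.compile(
    PREFIX_RE + r"closing CHILD_SA (?P<name>\S+) with SPIs "
    r"(?P<spi_i>[0-9a-f]+)_i \((?P<bytes_i>\d+) bytes\) "
    r"(?P<spi_o>[0-9a-f]+)_o \((?P<bytes_o>\d+) bytes\) and TS (?P<local>\S+) === (?P<remote>\S+)$")
# A traffic selector as charon prints it: 10.0.14.4/32[udp/62083]
SELECTOR_RE = re.compile(r"^(?P<addr>[^\[]+)\[(?P<proto>\w+)/(?P<port>\w+)\]$")


def _when(stamp):
    """Syslog timestamp without a year -> datetime (year only matters for deltas)."""
    return datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S")


def selector_port(selector):
    """Port of a traffic selector as int, or the service name charon printed
    (e.g. 'l2tp' for 1701); None if the selector does not parse."""
    m = SELECTOR_RE.match(selector)
    if not m:
        return None
    port = m.group("port")
    return int(port) if port.isdigit() else port


def parse_child_sa_events(text):
    """Return the CHILD_SA 'established' and 'closing' events found in charon log text."""
    events = []
    for line in text.splitlines():
        m = ESTABLISHED_RE.search(line)
        if m:
            events.append({"kind": "established", "time": _when(m["ts"]), "name": m["name"],
                           "spi_o": m["spi_o"], "local": m["local"], "remote": m["remote"]})
            continue
        m = CLOSING_RE.search(line)
        if m:
            events.append({"kind": "closing", "time": _when(m["ts"]), "name": m["name"],
                           "spi_o": m["spi_o"], "remote": m["remote"],
                           "bytes_in": int(m["bytes_i"]), "bytes_out": int(m["bytes_o"])})
    return events


def short_lived_child_sas(text, max_seconds=60):
    """Pair each 'established' with its 'closing' line (same conn name and outbound SPI)
    and report SAs that lived at most max_seconds. no_return_traffic is True when the
    gateway sent 0 bytes, i.e. the L2TP responder never answered inside the SA."""
    open_sas = {}
    findings = []
    for ev in parse_child_sa_events(text):
        key = (ev["name"], ev["spi_o"])
        if ev["kind"] == "established":
            open_sas[key] = ev
        elif key in open_sas:
            est = open_sas.pop(key)
            lifetime = int((ev["time"] - est["time"]).total_seconds())
            if lifetime <= max_seconds:
                findings.append({
                    "name": ev["name"], "spi_o": ev["spi_o"], "lifetime_s": lifetime,
                    "bytes_in": ev["bytes_in"], "bytes_out": ev["bytes_out"],
                    "remote_ts": ev["remote"], "remote_port": selector_port(ev["remote"]),
                    "no_return_traffic": ev["bytes_out"] == 0,
                })
    return findings


if __name__ == "__main__":
    for f in short_lived_child_sas(SAMPLE_LOG):
        print(f"{f['name']} lived {f['lifetime_s']}s, in={f['bytes_in']} out={f['bytes_out']}, "
              f"remote TS {f['remote_ts']} (port {f['remote_port']}), "
              f"no return traffic: {f['no_return_traffic']}")
```

Run against a real log with `short_lived_child_sas(open("/var/log/daemon.log").read())` (path is an assumption; use wherever charon logs on your system). A remote port other than 1701 in the traffic selector is what makes only the `rightprotoport = 17/%any` conn match for a NATed client, and a 0-byte outbound counter on the closing line tells you the problem is on the gateway's side of the SA rather than in IKE negotiation, which narrows what to look at next.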