[strongSwan] No matching peer config w/ Secret and NAT-T

Dan Cook dan.cook at illum.io
Tue May 7 23:27:10 CEST 2013


I am trying to set up a simple host-host test connection using a shared secret
through a NAT.

The client is behind the NAT and the server is on a static IP (but might be
a NAT in the future).

From the logs on the server, it looks to be trying to make an association
between the client public IP address and the client internal NAT IP address
and it can't find it.

I have looked at the sample configurations, but none seem to cover this
case.

It looks like a simple config or secrets error, but I can't see it.  I have
included the client and the server config and the server logs.

Regards,
Dan

I don't want to give out public IPs, so XXX.XXX.XXX.XXX is the public IP of
the NAT router and YYY.YYY.YYY.YYY is the public IP of the server in Rackspace.

Client ipsec.conf
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  mobike=no
  keyexchange=ikev2

conn lab-rackspace
  leftauthby=secret
  rightauthby=secret
  left=10.3.3.172
  leftprotoport=tcp
  right=YYY.YYY.YYY.YYY  <public ip of server in rackspace>
  rightprotoport=tcp
  type=transport
  auto=add

Client ipsec.secrets:
YYY.YYY.YYY.YYY 10.3.3.172 : PSK "foobar"

Server ipsec.conf

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  mobike=no
  keyexchange=ikev2

conn lab-rackspace
  leftauthby=secret
  rightauthby=secret
  left=XXX.XXX.XXX.XXX  < public ip of NAT router >
  leftprotoport=tcp
  right=YYY.YYY.YYY.YYY
  rightprotoport=tcp
  type=transport
  auto=add

Server ipsec.secrets:
YYY.YYY.YYY.YYY XXX.XXX.XXX.XXX : PSK "foobar"

Client IPSec Up command:
lab# ipsec up lab-rackspace
initiating IKE_SA lab-rackspace[18] to YYY.YYY.YYY.YYY
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.3.3.172[500] to YYY.YYY.YYY.YYY[500]
received packet: from YYY.YYY.YYY.YYY[500] to 10.3.3.172[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
authentication of '10.3.3.172' (myself) with pre-shared key
establishing CHILD_SA lab-rackspace
not using transport mode, connection NATed
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.3.3.172[4500] to YYY.YYY.YYY.YYY[4500]
received packet: from  YYY.YYY.YYY.YYY[4500] to 10.3.3.172[4500]
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error

Server Log:
May  7 20:45:39 centos-6 charon: 12[NET] received packet: from
XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]
May  7 20:45:39 centos-6 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) ]
May  7 20:45:39 centos-6 charon: 12[IKE] XXX.XXX.XXX.XXX is initiating an
IKE_SA
May  7 20:45:39 centos-6 charon: 12[IKE] remote host is behind NAT
May  7 20:45:39 centos-6 charon: 12[ENC] generating IKE_SA_INIT response 0
[ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May  7 20:45:39 centos-6 charon: 12[NET] sending packet: from
YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500]
May  7 20:45:39 centos-6 charon: 15[NET] received packet: from
XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500]
May  7 20:45:39 centos-6 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
May  7 20:45:39 centos-6 charon: 15[CFG] looking for peer configs matching
YYY.YYY.YYY.YYY[YYY.YYY.YYY.YYY]...XXX.XXX.XXX.XXX[10.3.3.172]
May  7 20:45:39 centos-6 charon: 15[CFG] no matching peer config found
May  7 20:45:39 centos-6 charon: 15[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
May  7 20:45:39 centos-6 charon: 15[NET] sending packet: from
YYY.YYY.YYY.YYY[4500] to XXX.XXX.XXX.XXX[4500]
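The server log above shows charon's peer-config lookup as local_addr[local_id]...remote_addr[remote_id], and the client's own log shows it authenticating as '10.3.3.172' (its left address). The following Python is an added example, not part of the post and not strongSwan code: it parses that [CFG] line from a constructed copy of the server log and checks it against a constructed copy of the server's conn using a simplified model of how strongSwan selects a peer config (the side whose address is local is taken as "local", leftid/rightid default to that side's address, and %any matches anything). The suggested_conn and secrets_selector functions are hypothetical helpers that encode the usual remedy for this failure mode, pinning rightid to the identity the peer actually sends; the model is an approximation of the daemon's real selection logic, not a reimplementation of it.

```python
import re

# Constructed copies of the server's conn and local address from the post
# (placeholder addresses kept exactly as the author wrote them).
SERVER_LOCAL_ADDRS = {"YYY.YYY.YYY.YYY"}
SERVER_CONN = {"left": "XXX.XXX.XXX.XXX", "right": "YYY.YYY.YYY.YYY"}

# Constructed sample of the two charon [CFG] lines from the post's server log.
SERVER_LOG = (
    "May  7 20:45:39 centos-6 charon: 15[CFG] looking for peer configs matching "
    "YYY.YYY.YYY.YYY[YYY.YYY.YYY.YYY]...XXX.XXX.XXX.XXX[10.3.3.172]\n"
    "May  7 20:45:39 centos-6 charon: 15[CFG] no matching peer config found\n"
)

# local_addr[local_id]...remote_addr[remote_id], as charon prints it.
LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local_addr>[^\[\s]+)\[(?P<local_id>[^\]]+)\]\.\.\."
    r"(?P<remote_addr>[^\[\s]+)\[(?P<remote_id>[^\]]+)\]"
)


def parse_lookup(log):
    """Return the four selectors from the first 'looking for peer configs'
    line in the log, or None if no such line is present."""
    for line in log.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            return m.groupdict()
    return None


def orient_conn(conn, local_addrs):
    """Simplified model of left/right orientation: the side whose address is
    local becomes 'local'; if only right matches, the sides swap. Identities
    default to the address of their side when leftid/rightid are unset."""
    left, right = conn["left"], conn["right"]
    if left in local_addrs or right not in local_addrs:
        local, remote = "left", "right"
    else:
        local, remote = "right", "left"
    return {
        "local_addr": conn[local],
        "local_id": conn.get(local + "id", conn[local]),
        "remote_addr": conn[remote],
        "remote_id": conn.get(remote + "id", conn[remote]),
    }


def mismatches(oriented, lookup):
    """Compare each logged selector with the conn; '%any' on the conn side
    matches anything. Returns a list of (field, conn_value, peer_value)."""
    out = []
    for field in ("local_addr", "local_id", "remote_addr", "remote_id"):
        want, got = oriented[field], lookup[field]
        if want != "%any" and want != got:
            out.append((field, want, got))
    return out


def diagnose(conn, local_addrs, log):
    """Explain a 'no matching peer config found' against one conn."""
    lookup = parse_lookup(log)
    if lookup is None:
        return None
    return mismatches(orient_conn(conn, local_addrs), lookup)


def suggested_conn(conn, local_addrs, log):
    """Hypothetical remedy: pin rightid to the identity the peer really sent
    and accept the peer from any address, since the NAT's public address is
    not the peer's identity and may change."""
    lookup = parse_lookup(log)
    o = orient_conn(conn, local_addrs)
    return {"left": o["local_addr"], "leftid": o["local_id"],
            "right": "%any", "rightid": lookup["remote_id"]}


def secrets_selector(conn, local_addrs, log):
    """ipsec.secrets selector built from the identities seen in IKE_AUTH."""
    lookup = parse_lookup(log)
    o = orient_conn(conn, local_addrs)
    return f'{o["local_id"]} {lookup["remote_id"]} : PSK "<shared-secret>"'


if __name__ == "__main__":
    for field, want, got in diagnose(SERVER_CONN, SERVER_LOCAL_ADDRS, SERVER_LOG):
        print(f"{field}: conn expects {want}, peer presented {got}")
    print(suggested_conn(SERVER_CONN, SERVER_LOCAL_ADDRS, SERVER_LOG))
    print(secrets_selector(SERVER_CONN, SERVER_LOCAL_ADDRS, SERVER_LOG))
```

Run against the post's values, the only mismatch reported is remote_id: the conn, with no rightid, expects the peer to identify as XXX.XXX.XXX.XXX (the NAT router's address), while the client authenticates as 10.3.3.172. The same identity pair is what the server's ipsec.secrets line has to be keyed on for the PSK lookup that follows a successful config match.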