[strongSwan] No matching peer config w/ Secret and NAT-T

Andreas Steffen andreas.steffen at strongswan.org
Wed May 8 05:56:07 CEST 2013


Hi Dan,

with NAT in place you must not bind PSKs to IP addresses.
Just use a static label for right|leftid:

Client ipsec.conf

conn lab-rackspace
  leftauthby=secret
  rightauthby=secret
  left=10.3.3.172
  leftid=lab
  leftprotoport=tcp
  right=YYY.YYY.YYY.YYY  <public ip of server in rackspace>
  rightid=rackspace
  rightprotoport=tcp
  type=transport
  auto=add

Client ipsec.secrets:
rackspace lab : PSK "foobar"

Server ipsec.conf

conn lab-rackspace
  leftauthby=secret
  rightauthby=secret
  left=XXX.XXX.XXX.XXX  < public ip of NAT router >
  leftid=rackspace
  leftprotoport=tcp
  right=YYY.YYY.YYY.YYY
  rightid=lab
  rightprotoport=tcp
  type=transport
  auto=add

Server ipsec.secrets:
lab rackspace : PSK "foobar"

Regards

Andreas

On 05/07/2013 11:27 PM, Dan Cook wrote:
> I am trying to set up a simple host-host test connection using
> shared-secret through a NAT.
> 
> The client is behind the NAT and the server is on a static IP (but might
> be a NAT in the future).
> 
> From the logs on the server it looks to be trying to make an association
> between the client public ip address and the client internal nat ip
> address and it can't find it.  
> 
> I have looked at the sample configurations, but none seem to cover this
> case.
> 
> It looks like a simple config or secrets error, but I can't see it.  I
> have included the client and the server config and the server logs.  
> 
> Regards, 
> Dan
> 
> I don't want to give out public IPs, so XXX.XXX.XXX.XXX is the public IP
> of the NAT router and YYY.YYY.YYY.YYY is the public IP of the server in
> rackspace.
> 
> Client ipsec.conf
> conn %default
>   ikelifetime=60m
>   keylife=20m
>   rekeymargin=3m
>   keyingtries=1
>   mobike=no
>   keyexchange=ikev2
> 
> conn lab-rackspace
>   leftauthby=secret
>   rightauthby=secret
>   left=10.3.3.172
>   leftprotoport=tcp
>   right=YYY.YYY.YYY.YYY  <public ip of server in rackspace>
>   rightprotoport=tcp
>   type=transport
>   auto=add
> 
> Client ipsec.secrets: 
> YYY.YYY.YYY.YYY 10.3.3.172 : PSK "foobar"
> 
> Server ipsec.conf
> 
> conn %default
>   ikelifetime=60m
>   keylife=20m
>   rekeymargin=3m
>   keyingtries=1
>   mobike=no
>   keyexchange=ikev2
> 
> conn lab-rackspace
>   leftauthby=secret
>   rightauthby=secret
>   left=XXX.XXX.XXX.XXX  < public ip of NAT router >
>   leftprotoport=tcp
>   right=YYY.YYY.YYY.YYY
>   rightprotoport=tcp
>   type=transport
>   auto=add
> 
> Server ipsec.secrets:
> YYY.YYY.YYY.YYY XXX.XXX.XXX.XXX : PSK "foobar"
> 
> Client IPSec Up command:
> lab# ipsec up lab-rackspace
> initiating IKE_SA lab-rackspace[18] to YYY.YYY.YYY.YYY
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.3.3.172[500] to YYY.YYY.YYY.YYY[500]
> received packet: from YYY.YYY.YYY.YYY[500] to 10.3.3.172[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> authentication of '10.3.3.172' (myself) with pre-shared key
> establishing CHILD_SA lab-rackspace
> not using transport mode, connection NATed
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
> N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 10.3.3.172[4500] to YYY.YYY.YYY.YYY[4500]
> received packet: from  YYY.YYY.YYY.YYY[4500] to 10.3.3.172[4500]
> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> received AUTHENTICATION_FAILED notify error
> 
> Server Log:
> May  7 20:45:39 centos-6 charon: 12[NET] received packet: from
> XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]
> May  7 20:45:39 centos-6 charon: 12[ENC] parsed IKE_SA_INIT request 0 [
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> May  7 20:45:39 centos-6 charon: 12[IKE] XXX.XXX.XXX.XXX is initiating
> an IKE_SA
> May  7 20:45:39 centos-6 charon: 12[IKE] remote host is behind NAT
> May  7 20:45:39 centos-6 charon: 12[ENC] generating IKE_SA_INIT response
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> May  7 20:45:39 centos-6 charon: 12[NET] sending packet: from
> YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500]
> May  7 20:45:39 centos-6 charon: 15[NET] received packet: from
> XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500]
> May  7 20:45:39 centos-6 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi
> N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> May  7 20:45:39 centos-6 charon: 15[CFG] looking for peer configs
> matching YYY.YYY.YYY.YYY[YYY.YYY.YYY.YYY]...XXX.XXX.XXX.XXX[10.3.3.172]
> May  7 20:45:39 centos-6 charon: 15[CFG] no matching peer config found
> May  7 20:45:39 centos-6 charon: 15[ENC] generating IKE_AUTH response 1
> [ N(AUTH_FAILED) ]
> May  7 20:45:39 centos-6 charon: 15[NET] sending packet: from
> YYY.YYY.YYY.YYY[4500] to XXX.XXX.XXX.XXX[4500]
> 
> 
> 
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
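To make the "no matching peer config found" line in the server log concrete, here is an added, simplified model (not strongSwan's own code) of how an IKEv2 responder matches the IDi/IDr identities against a conn and then looks up the PSK; the sample configs are constructed from the thread, with the server block written so that each id sits on the side whose address it belongs to. It omits %any wildcards and everything else the real matcher handles.

```python
# Added illustration, not strongSwan code: a simplified model of how an IKEv2
# responder picks a peer config from IDi/IDr and then the PSK. XXX/YYY are the
# thread's placeholders; all configs below are constructed for this example.
def parse_conn(text):
    """Parse a 'conn NAME' block of key=value lines; ids default to addresses."""
    conf = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("conn "):
            conf["name"] = line.split(None, 1)[1]
        elif "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip()] = val.strip()
    conf.setdefault("leftid", conf["left"])      # no leftid: the address is the id
    conf.setdefault("rightid", conf["right"])
    return conf
def parse_secrets(text):
    """'ID1 ID2 : PSK "x"' lines -> {frozenset({ID1, ID2}): "x"}."""
    secrets = {}
    for line in text.strip().splitlines():
        ids, _, rest = line.partition(":")
        secrets[frozenset(ids.split())] = rest.split('"')[1]
    return secrets
def my_and_peer_id(conf, my_addr):
    """Which side is local is decided by address, so the ids follow the address."""
    me, peer = ("left", "right") if conf["left"] == my_addr else ("right", "left")
    return conf[me + "id"], conf[peer + "id"]
def find_peer_config(conns, my_addr, idr, idi):
    """Responder: IDr must equal our own id and IDi the configured peer id."""
    for conf in conns:
        if my_and_peer_id(conf, my_addr) == (idr, idi):
            return conf["name"]
    return None
def responder_lookup(client_conf, server_conf, secrets, client_addr, server_addr):
    """Initiator sends IDi = its own id, IDr = the id it expects from the server."""
    idi, idr = my_and_peer_id(client_conf, client_addr)
    name = find_peer_config([server_conf], server_addr, idr, idi)
    return name, secrets.get(frozenset([idr, idi]))

SERVER, NAT_OUT, CLIENT_LAN = "YYY.YYY.YYY.YYY", "XXX.XXX.XXX.XXX", "10.3.3.172"
# As posted: no ids, so the NATed client announces its private address as IDi.
ORIG_CLIENT = parse_conn(f"conn lab-rackspace\n left={CLIENT_LAN}\n right={SERVER}")
ORIG_SERVER = parse_conn(f"conn lab-rackspace\n left={NAT_OUT}\n right={SERVER}")
ORIG_SECRETS = parse_secrets(f'{SERVER} {NAT_OUT} : PSK "foobar"')
# Fixed: static labels, each on the side whose address it belongs to.
FIXED_CLIENT = parse_conn(f"conn lab-rackspace\n left={CLIENT_LAN}\n leftid=lab\n"
                          f" right={SERVER}\n rightid=rackspace")
FIXED_SERVER = parse_conn(f"conn lab-rackspace\n left={NAT_OUT}\n leftid=lab\n"
                          f" right={SERVER}\n rightid=rackspace")
FIXED_SECRETS = parse_secrets('lab rackspace : PSK "foobar"')
```

With the original configs the responder looks for the pair YYY[YYY]...XXX[10.3.3.172] exactly as in the log and finds nothing; with the labels the pair is rackspace/lab on both ends and the PSK resolves.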
