[strongSwan] No matching peer config w/ Secret and NAT-T

Dan Cook dan.cook at illum.io
Wed May 8 07:00:23 CEST 2013


Andreas,

Thank you very much. I am new to strongSwan configuration.
I am using the strongswan that came with Ubuntu (4.5.2) in the lab and
CentOS (4.64) in rackspace.

I had to tweak the configs a little since 4.5/4.6 does not support
rightauthby/leftauthby. I am now able to authenticate, but I get an
"inacceptable" error.

Below the servers are:
198.101.XXX.XXX [rackspace]...
199.192.YYY.YYY [lab] public ip of the NAT router
10.3.3.172 private ip address of client behind the NAT.

Server Log:
May  8 04:46:28 dcook-centos-6 charon: 16[IKE] IKE_SA lab-rackspace[2] state change: CONNECTING => ESTABLISHED
May  8 04:46:28 dcook-centos-6 charon: 16[IKE] scheduling reauthentication in 3384s
May  8 04:46:28 dcook-centos-6 charon: 16[IKE] maximum IKE_SA lifetime 3564s
May  8 04:46:28 dcook-centos-6 charon: 16[CFG] looking for a child config for 198.101.XXX.XXX/32[tcp] === 10.3.3.172/32[tcp]
May  8 04:46:28 dcook-centos-6 charon: 16[CFG] proposing traffic selectors for us:
May  8 04:46:28 dcook-centos-6 charon: 16[CFG]  198.101.XXX.XXX/32[tcp] (derived from dynamic[tcp])
May  8 04:46:28 dcook-centos-6 charon: 16[CFG] proposing traffic selectors for other:
May  8 04:46:28 dcook-centos-6 charon: 16[CFG]  199.192.YYY.YYY/32[tcp] (derived from dynamic[tcp])
May  8 04:46:28 dcook-centos-6 charon: 16[IKE] traffic selectors 198.101.XXX.XXX/32[tcp] === 10.3.3.172/32[tcp]  inacceptable
May  8 04:46:28 dcook-centos-6 charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
May  8 04:46:28 dcook-centos-6 charon: 16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
May  8 04:46:28 dcook-centos-6 charon: 16[NET] sending packet: from 198.101.XXX.XXX[4500] to 199.192.YYY.YYY[4500]

Dan
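The "inacceptable" result in the server log above comes from traffic-selector narrowing: the client proposes its own private address 10.3.3.172/32 as TSi, while the server derives its "other" selector from the remote IKE endpoint, which after NAT is the router's public address, so the two selectors have no overlap and the responder answers with N(TS_UNACCEPT). The Python model below of that narrowing step is an added example, not strongSwan's code and not something posted in this thread. The RFC 5737 documentation addresses it uses are constructed stand-ins for the masked values in the log, and the second case only shows the same algorithm succeeding when the selectors do overlap; it is an illustration of the narrowing logic, not the resolution of this setup.

```python
"""Simplified IKEv2 traffic-selector narrowing (added illustration, not strongSwan code).

Constructed stand-ins for the masked addresses in the thread:
  198.51.100.10 -> 198.101.XXX.XXX (server's public address)
  203.0.113.5   -> 199.192.YYY.YYY (NAT router's public address)
  10.3.3.172    -> the client's private address, as in the thread
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PROTO = 0
PROTO_NUMBERS = {"": ANY_PROTO, "tcp": 6, "udp": 17}

SERVER_PUBLIC = "198.51.100.10"   # constructed stand-in
NAT_PUBLIC = "203.0.113.5"        # constructed stand-in
CLIENT_PRIVATE = "10.3.3.172"     # from the thread


@dataclass(frozen=True)
class TrafficSelector:
    """One traffic selector reduced to a single network plus an IP protocol."""
    net: ipaddress.IPv4Network
    proto: int = ANY_PROTO

    @classmethod
    def parse(cls, text: str) -> "TrafficSelector":
        # Accepts the charon log form "198.51.100.10/32[tcp]"; the "[proto]" part is optional.
        net_part, _, proto_part = text.partition("[")
        proto = PROTO_NUMBERS[proto_part.rstrip("]")]
        return cls(ipaddress.ip_network(net_part, strict=False), proto)

    def intersect(self, other: "TrafficSelector") -> Optional["TrafficSelector"]:
        # Protocols must agree, unless one side allows any protocol.
        if self.proto and other.proto and self.proto != other.proto:
            return None
        proto = self.proto or other.proto
        # With single networks, the intersection is the nested (more specific) one.
        if self.net.subnet_of(other.net):
            return TrafficSelector(self.net, proto)
        if other.net.subnet_of(self.net):
            return TrafficSelector(other.net, proto)
        return None

    def __str__(self) -> str:
        name = next((k for k, v in PROTO_NUMBERS.items() if v == self.proto), "")
        return f"{self.net}[{name}]" if name else str(self.net)


def narrow(proposed: List[TrafficSelector],
           configured: List[TrafficSelector]) -> List[TrafficSelector]:
    """Keep every non-empty intersection of a proposed and a configured selector."""
    result: List[TrafficSelector] = []
    for p in proposed:
        for c in configured:
            ts = p.intersect(c)
            if ts is not None and ts not in result:
                result.append(ts)
    return result


def select_child_sa(ts_i, ts_r, cfg_other, cfg_us) -> Tuple[str, List, List]:
    """Responder-side check: narrow the initiator's TSi against the child config's
    'other' selectors and TSr against its 'us' selectors. If either side narrows
    to nothing, the responder must reject with TS_UNACCEPTABLE."""
    narrowed_i = narrow(ts_i, cfg_other)
    narrowed_r = narrow(ts_r, cfg_us)
    if not narrowed_i or not narrowed_r:
        return ("TS_UNACCEPTABLE", narrowed_i, narrowed_r)
    return ("OK", narrowed_i, narrowed_r)


def reproduce_log_case() -> Tuple[str, List, List]:
    """The exchange in the server log: TSi is the client's private address, but the
    server's 'other' selector is derived from the remote IKE endpoint (dynamic[tcp]),
    which after NAT is the router's public address."""
    ts_i = [TrafficSelector.parse(f"{CLIENT_PRIVATE}/32[tcp]")]
    ts_r = [TrafficSelector.parse(f"{SERVER_PUBLIC}/32[tcp]")]
    cfg_us = [TrafficSelector.parse(f"{SERVER_PUBLIC}/32[tcp]")]   # derived from dynamic[tcp]
    cfg_other = [TrafficSelector.parse(f"{NAT_PUBLIC}/32[tcp]")]   # derived from dynamic[tcp]
    return select_child_sa(ts_i, ts_r, cfg_other, cfg_us)


def narrowing_within_subnet() -> Tuple[str, List, List]:
    """Same algorithm on a configured subnet that does contain the proposed host:
    narrowing keeps the more specific selector (algorithm illustration only)."""
    ts_i = [TrafficSelector.parse(f"{CLIENT_PRIVATE}/32[tcp]")]
    ts_r = [TrafficSelector.parse(f"{SERVER_PUBLIC}/32[tcp]")]
    cfg_other = [TrafficSelector.parse("10.3.3.0/24")]             # constructed subnet, any proto
    cfg_us = [TrafficSelector.parse(f"{SERVER_PUBLIC}/32[tcp]")]
    return select_child_sa(ts_i, ts_r, cfg_other, cfg_us)


if __name__ == "__main__":
    for case in (reproduce_log_case, narrowing_within_subnet):
        status, ni, nr = case()
        print(f"{case.__name__}: {status}  TSi={[str(t) for t in ni]}  TSr={[str(t) for t in nr]}")
```

Running it prints TS_UNACCEPTABLE for the log case with an empty narrowed TSi, which is exactly the shape of the "traffic selectors ... inacceptable" line: the responder's own side narrows fine, the client's side narrows to nothing.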




On Tue, May 7, 2013 at 8:56 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:

> Hi Dan,
>
> with NAT in place you must not bind PSKs to IP addresses.
> Just use a static label for right|leftid:
>
> Client ipsec.conf
>
> conn lab-rackspace
>   leftauthby=secret
>   rightauthby=secret
>   left=10.3.3.172
>   leftid=lab
>   leftprotoport=tcp
>   right=YYY.YYY.YYY.YYY  <public ip of server in rackspace>
>   rightid=rackspace
>   rightprotoport=tcp
>   type=transport
>   auto=add
>
> Client ipsec.secrets:
> rackspace lab : PSK "foobar"
>
> Server ipsec.conf
>
> conn lab-rackspace
>   leftauthby=secret
>   rightauthby=secret
>   left=XXX.XXX.XXX.XXX  < public ip of NAT router >
>   leftid=rackspace
>   leftprotoport=tcp
>   right=YYY.YYY.YYY.YYY
>   rightid=lab
>   rightprotoport=tcp
>   type=transport
>   auto=add
>
> Server ipsec.secret:
> lab rackspace : PSK "foobar"
>
> Regards
>
> Andreas
>
> On 05/07/2013 11:27 PM, Dan Cook wrote:
> > I am trying to setup a simple host-host test connection using
> > shared-secret through a NAT.
> >
> > The client is behind the NAT and the server is on a static IP (but might
> > be a NAT in the future).
> >
> > From the logs on the server it looks to be trying to make an association
> > between the client public ip address and the client internal nat ip
> > address and it can't find it.
> >
> > I have looked at the sample configurations, but none seem to cover this
> > case.
> >
> > It looks like a simple config or secrets error, but I can't see it.  I
> > have included the client and the server config and the server logs.
> >
> > Regards,
> > Dan
> >
> > I don't want to give out public IPs, so XXX.XXX.XXX.XXX is the public IP
> > of the NAT router and YYY.YYY.YYY.YYY is the public IP of the server in
> > rackspace.
> >
> > Client ipsec.conf
> > conn %default
> >   ikelifetime=60m
> >   keylife=20m
> >   rekeymargin=3m
> >   keyingtries=1
> >   mobike=no
> >   keyexchange=ikev2
> >
> > conn lab-rackspace
> >   leftauthby=secret
> >   rightauthby=secret
> >   left=10.3.3.172
> >   leftprotoport=tcp
> >   right=YYY.YYY.YYY.YYY  <public ip of server in rackspace>
> >   rightprotoport=tcp
> >   type=transport
> >   auto=add
> >
> > Client ipsec.secrets:
> > YYY.YYY.YYY.YYY 10.3.3.172 : PSK "foobar"
> >
> > Server ipsec.conf
> >
> > conn %default
> >   ikelifetime=60m
> >   keylife=20m
> >   rekeymargin=3m
> >   keyingtries=1
> >   mobike=no
> >   keyexchange=ikev2
> >
> > conn lab-rackspace
> >   leftauthby=secret
> >   rightauthby=secret
> >   left=XXX.XXX.XXX.XXX  < public ip of NAT router >
> >   leftprotoport=tcp
> >   right=YYY.YYY.YYY.YYY
> >   rightprotoport=tcp
> >   type=transport
> >   auto=add
> >
> > Server ipsec.secret:
> > YYY.YYY.YYY.YYY XXX.XXX.XXX.XXX : PSK "foobar"
> >
> > Client IPSec Up command:
> > lab# ipsec up lab-rackspace
> > initiating IKE_SA lab-rackspace[18] to YYY.YYY.YYY.YYY
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 10.3.3.172[500] to YYY.YYY.YYY.YYY[500]
> > received packet: from YYY.YYY.YYY.YYY[500] to 10.3.3.172[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > local host is behind NAT, sending keep alives
> > authentication of '10.3.3.172' (myself) with pre-shared key
> > establishing CHILD_SA lab-rackspace
> > not using transport mode, connection NATed
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> > sending packet: from 10.3.3.172[4500] to YYY.YYY.YYY.YYY[4500]
> > received packet: from  YYY.YYY.YYY.YYY[4500] to 10.3.3.172[4500]
> > parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > received AUTHENTICATION_FAILED notify error
> >
> > Server Log:
> > May  7 20:45:39 centos-6 charon: 12[NET] received packet: from XXX.XXX.XXX.XXX[500] to YYY.YYY.YYY.YYY[500]
> > May  7 20:45:39 centos-6 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > May  7 20:45:39 centos-6 charon: 12[IKE] XXX.XXX.XXX.XXX is initiating an IKE_SA
> > May  7 20:45:39 centos-6 charon: 12[IKE] remote host is behind NAT
> > May  7 20:45:39 centos-6 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > May  7 20:45:39 centos-6 charon: 12[NET] sending packet: from YYY.YYY.YYY.YYY[500] to XXX.XXX.XXX.XXX[500]
> > May  7 20:45:39 centos-6 charon: 15[NET] received packet: from XXX.XXX.XXX.XXX[4500] to YYY.YYY.YYY.YYY[4500]
> > May  7 20:45:39 centos-6 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> > May  7 20:45:39 centos-6 charon: 15[CFG] looking for peer configs matching YYY.YYY.YYY.YYY[YYY.YYY.YYY.YYY]...XXX.XXX.XXX.XXX[10.3.3.172]
> > May  7 20:45:39 centos-6 charon: 15[CFG] no matching peer config found
> > May  7 20:45:39 centos-6 charon: 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> > May  7 20:45:39 centos-6 charon: 15[NET] sending packet: from YYY.YYY.YYY.YYY[4500] to XXX.XXX.XXX.XXX[4500]
> >
>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
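The "no matching peer config found" line in the quoted server log, and Andreas's advice to stop binding the PSK to IP addresses, both come down to how the responder matches identities: without leftid/rightid, each side's identity defaults to its own address, so the client behind NAT authenticates as 10.3.3.172 while the server only ever sees the router's public address and expects that as the peer's identity. The Python model below is an added example, not strongSwan's matching code and not posted by anyone in this thread; it takes left as the server's own side, uses constructed documentation-range addresses as stand-ins for the masked values, and adds a third case (static IDs with a secrets file still keyed by address) that goes beyond the thread to show where the lookup fails next.

```python
"""Simplified responder-side peer-config and PSK lookup (added illustration, not strongSwan code).

Constructed stand-ins for the masked addresses in the thread:
  203.0.113.5   -> XXX.XXX.XXX.XXX (NAT router's public address)
  198.51.100.10 -> YYY.YYY.YYY.YYY (server's public address)
  10.3.3.172    -> the client's private address, as in the thread
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

NAT_PUBLIC = "203.0.113.5"       # constructed stand-in
SERVER_PUBLIC = "198.51.100.10"  # constructed stand-in
CLIENT_PRIVATE = "10.3.3.172"    # from the thread


@dataclass
class PeerConfig:
    """One 'conn' section as the responder sees it; left is its own side."""
    name: str
    left: str
    right: str
    leftid: Optional[str] = None
    rightid: Optional[str] = None

    @property
    def local_id(self) -> str:
        # Without leftid, the identity defaults to the configured address.
        return self.leftid or self.left

    @property
    def remote_id(self) -> str:
        return self.rightid or self.right


def find_peer_config(configs: List[PeerConfig], idr: str, idi: str) -> Optional[PeerConfig]:
    """Match the IDr the initiator asked for and the IDi it presented, mirroring the log line
    'looking for peer configs matching <host>[<IDr>]...<host>[<IDi>]'."""
    for cfg in configs:
        if cfg.local_id == idr and cfg.remote_id == idi:
            return cfg
    return None


def parse_secrets(text: str) -> Dict[FrozenSet[str], str]:
    """Parse ipsec.secrets lines of the form '<id> <id> : PSK "secret"' (order of IDs is irrelevant)."""
    secrets: Dict[FrozenSet[str], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ids, _, rest = line.partition(":")
        kind, _, value = rest.strip().partition(" ")
        if kind != "PSK":
            continue
        secrets[frozenset(ids.split())] = value.strip().strip('"')
    return secrets


def lookup_psk(secrets: Dict[FrozenSet[str], str], local_id: str, remote_id: str) -> Optional[str]:
    return secrets.get(frozenset({local_id, remote_id}))


def responder_auth(configs, secrets, idr: str, idi: str) -> Tuple[str, Optional[str]]:
    """Outcome of the IKE_AUTH lookup on the responder: which conn matched and whether a PSK exists."""
    cfg = find_peer_config(configs, idr, idi)
    if cfg is None:
        return ("AUTH_FAILED: no matching peer config", None)
    if lookup_psk(secrets, cfg.local_id, cfg.remote_id) is None:
        return ("AUTH_FAILED: no PSK for identities", None)
    return ("OK", cfg.name)


def case_ip_bound() -> Tuple[str, Optional[str]]:
    """Dan's original setup: identities default to addresses. The client authenticates as its
    private address (see 'authentication of '10.3.3.172' (myself)'), but the server expects
    the NAT router's public address as the peer identity."""
    configs = [PeerConfig("lab-rackspace", left=SERVER_PUBLIC, right=NAT_PUBLIC)]
    secrets = parse_secrets(f'{SERVER_PUBLIC} {NAT_PUBLIC} : PSK "foobar"')
    return responder_auth(configs, secrets, idr=SERVER_PUBLIC, idi=CLIENT_PRIVATE)


def case_static_ids() -> Tuple[str, Optional[str]]:
    """Andreas's advice: static labels for leftid/rightid and a secrets entry keyed by those labels."""
    configs = [PeerConfig("lab-rackspace", left=SERVER_PUBLIC, right=NAT_PUBLIC,
                          leftid="rackspace", rightid="lab")]
    secrets = parse_secrets('lab rackspace : PSK "foobar"')
    return responder_auth(configs, secrets, idr="rackspace", idi="lab")


def case_static_ids_address_secret() -> Tuple[str, Optional[str]]:
    """Constructed edge case: conn uses static IDs but ipsec.secrets is still keyed by addresses."""
    configs = [PeerConfig("lab-rackspace", left=SERVER_PUBLIC, right=NAT_PUBLIC,
                          leftid="rackspace", rightid="lab")]
    secrets = parse_secrets(f'{SERVER_PUBLIC} {NAT_PUBLIC} : PSK "foobar"')
    return responder_auth(configs, secrets, idr="rackspace", idi="lab")


if __name__ == "__main__":
    for case in (case_ip_bound, case_static_ids, case_static_ids_address_secret):
        print(f"{case.__name__}: {case()}")
```

The first case reproduces the failure in the quoted log (peer identity 10.3.3.172 never matches a conn whose remote identity is the router's address), the second succeeds once both the conn and the secrets file agree on the labels, and the third shows that changing only the conn is not enough: the PSK selector has to use the same identities.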