[strongSwan] Cisco to Strongswan NAT-T Issue
Tony De Keizer
tony at verticalconnect.net
Fri May 24 01:18:42 CEST 2013
Hello,
I have been trying to establish a reliable IPsec tunnel between a Cisco
SRP527W appliance and a hosted Ubuntu 10.04 LTS server running strongSwan
4.3.2-1.1ubuntu1.
The Ubuntu server is behind a NATed static IP provided by the hosting
provider. I have provided the necessary port 500 and 4500 port forwards.
The ipsec.conf configuration is as follows (with relevant IPs disguised):
config setup
    plutodebug="control controlmore"
    charondebug="ike 2, knl 3, cfg 0"
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    charonstart=yes
    plutostart=yes

# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=psk
    rekey=no

conn net-net
    # local
    left=10.12.89.248
    leftsubnet=10.12.89.0/24
    leftsourceip=10.12.89.0/24
    leftid=openvpms
    leftfirewall=no
    #
    # Remote
    right=XXX.YYYY.ZZZZ.AAAA
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.0/24
    rightid=%any
    auto=add
    #
    # IPsec
    pfs=no
    auth=esp
    esp=aes-sha
    ike=aes256-sha-modp1024
    type=tunnel
I am able to initiate a working IPsec tunnel between the Cisco device and
the hosted server and have two-way access across the tunnel. This works
for a period of time (approx. 1 hour) until, I believe, a rekeying event is
initiated; then the tunnel disconnects and will not reconnect until I
restart ipsec on the Ubuntu host.
On the Cisco device (limited debug information, unfortunately) I see a Main
Mode IKE failure. In /var/log/authlog I see:
May 19 06:39:30 openvpms pluto[28833]: | next event EVENT_NAT_T_KEEPALIVE in 18 seconds
May 19 06:39:30 openvpms pluto[28833]: |
May 19 06:39:30 openvpms pluto[28833]: | *received 224 bytes from 149.135.31.64:500 on eth0
May 19 06:39:30 openvpms pluto[28833]: packet from XXX.YYYY.ZZZZ.AAAA:500: ignoring Vendor ID payload [4f4543714271574c644b7a41]
May 19 06:39:30 openvpms pluto[28833]: packet from XXX.YYYY.ZZZZ.AAAA:500: received Vendor ID payload [Dead Peer Detection]
May 19 06:39:30 openvpms pluto[28833]: packet from XXX.YYYY.ZZZZ.AAAA:500: received Vendor ID payload [RFC 3947]
May 19 06:39:30 openvpms pluto[28833]: packet from XXX.YYYY.ZZZZ.AAAA:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
May 19 06:39:30 openvpms pluto[28833]: packet from XXX.YYYY.ZZZZ.AAAA:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 19 06:39:30 openvpms pluto[28833]: packet from XXX.YYYY.ZZZZ.AAAA:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
May 19 06:39:30 openvpms pluto[28833]: packet from XXX.YYYY.ZZZZ.AAAA:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 19 06:39:30 openvpms pluto[28833]: | preparse_isakmp_policy: peer requests PSK authentication
May 19 06:39:30 openvpms pluto[28833]: packet from XXX.YYYY.ZZZZ.AAAA:500: initial Main Mode message received on 10.12.89.248:500 but no connection has been authorized with policy=PSK
If I turn off NAT-T on the Cisco device the tunnel remains up, I can access
the remote network from the Ubuntu server but I am unable to access the
Ubuntu server from the remote network.
I am sure I have something amiss in my configuration, but the logs and my
diagnostics have not provided me with any insights into what.
I would greatly appreciate some guidance from anyone on the list who has
experienced this issue before.
Kind Regards
Tony De Keizer
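As an added example, and not code from the original post or from the strongSwan project, the following Python script checks the combination the post describes: it parses an ipsec.conf of the same shape (merging `conn %default` into each conn the way strongSwan does), flags the settings that matter for a PSK Main Mode responder behind NAT-T (`rightid=%any` with `authby=psk` in Main Mode, `rekey=no`, `keyingtries=1`), and pulls the peer address, local port and refused policy out of pluto `packet from` lines. SAMPLE_CONF and SAMPLE_LOG are constructed to resemble the post (203.0.113.10 stands in for the disguised Cisco address); every function name is my own.

```python
"""Added example: lint an ipsec.conf conn and pluto log lines for the
IKEv1 + PSK + NAT-T combination described in the post. Not code from the
strongSwan project or the poster. SAMPLE_CONF and SAMPLE_LOG are constructed
to resemble the post (203.0.113.10 stands in for the disguised Cisco address);
all function names are my own."""
import re

SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    plutostart=yes

conn %default
    ikelifetime=60m
    keyingtries=1
    keyexchange=ikev1
    authby=psk
    rekey=no

conn net-net
    left=10.12.89.248
    leftsubnet=10.12.89.0/24
    leftid=openvpms
    right=203.0.113.10          # constructed stand-in for the Cisco's address
    rightsubnet=192.168.1.0/24
    rightid=%any
    auto=add
"""

SAMPLE_LOG = """\
May 19 06:39:30 openvpms pluto[28833]: packet from 203.0.113.10:500: received Vendor ID payload [Dead Peer Detection]
May 19 06:39:30 openvpms pluto[28833]: packet from 203.0.113.10:500: received Vendor ID payload [RFC 3947]
May 19 06:39:30 openvpms pluto[28833]: packet from 203.0.113.10:500: initial Main Mode message received on 10.12.89.248:500 but no connection has been authorized with policy=PSK
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}, merging 'conn %default' into every
    other conn as strongSwan does. Headers start in column 0, entries are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **vals} for (kind, name), vals in sections.items()
            if kind == "conn" and name != "%default"}


def lifetime_seconds(value):
    """Convert an ipsec.conf time value such as '60m' or '3h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def lint_conn(conn):
    """Return finding codes for a conn; each check is a documented IKEv1/strongSwan fact."""
    findings = []
    main_mode_psk = (conn.get("keyexchange") == "ikev1" and "psk" in conn.get("authby", "")
                     and conn.get("aggressive", "no") != "yes")
    if main_mode_psk and conn.get("rightid", "") == "%any":
        # RFC 2409 Main Mode sends the peer's ID only in the encrypted 5th/6th messages,
        # under keys derived from the PSK, so the responder must pick the PSK (and the
        # conn) by the peer's source address alone; rightid=%any offers nothing else.
        findings.append("PSK_MAIN_MODE_ANY_ID")
    if conn.get("rekey", "yes") == "no":
        # This side never initiates renegotiation; after ikelifetime only the peer can.
        findings.append("LOCAL_REKEY_DISABLED")
    if conn.get("keyingtries", "3") == "1":
        # One attempt to negotiate (or replace) the SA, then pluto gives up.
        findings.append("SINGLE_KEYING_ATTEMPT")
    return findings


PLUTO_PACKET = re.compile(r"pluto\[\d+\]: packet from (?P<src>[\d.]+):(?P<port>\d+): (?P<msg>.*)$")


def scan_pluto_log(text):
    """Return (refused exchanges, vendor IDs the peer advertised) from 'packet from' lines."""
    refused, vendor_ids = [], set()
    for line in text.splitlines():
        m = PLUTO_PACKET.search(line)
        if not m:
            continue
        msg = m.group("msg")
        vid = re.search(r"Vendor ID payload \[(.+?)\]", msg)
        if vid:
            vendor_ids.add(vid.group(1))
        if "no connection has been authorized" in msg:
            local = re.search(r"received on ([\d.]+):(\d+)", msg)
            refused.append({"src": m.group("src"), "src_port": int(m.group("port")),
                            "local": local.group(1), "local_port": int(local.group(2)),
                            "policy": msg.rsplit("policy=", 1)[1].strip()})
    return refused, vendor_ids


def report(conf_text=SAMPLE_CONF, log_text=SAMPLE_LOG):
    """Combine both checks into one dict; NAT-T is in play if the peer sent RFC 3947."""
    out = {name: {"findings": lint_conn(conn),
                  "ikelifetime_s": lifetime_seconds(conn.get("ikelifetime", "3h"))}
           for name, conn in parse_ipsec_conf(conf_text).items()}
    refused, vendor_ids = scan_pluto_log(log_text)
    out["refused"] = refused
    out["nat_t_offered"] = "RFC 3947" in vendor_ids
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

Run it against a real ipsec.conf and the matching auth log by passing their contents to `report()`; the finding codes point at which side is expected to renegotiate after `ikelifetime` and how the responder can select the PSK for an incoming Main Mode exchange, which is the question the log line about `policy=PSK` raises.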