[strongSwan] connecting openswan - strongswan host-host

Farid Farid farid21657 at yahoo.com
Tue Oct 22 20:42:20 CEST 2013


Hi Everyone,

I need help connecting my strongSwan-based machine to an openswan-based machine behind NAT (host-host).


On my remote machine, which runs strongSwan, here is the output of >> ipsec up 1, which tries to connect to the other end.
It seems it never connects.

root@LMU5k:~# ipsec up 1
initiating Main Mode IKE_SA 1[2] to 216.177.93.234
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 10.133.32.81[500] to 216.177.93.234[500] (224 bytes)
received packet: from 216.177.93.234[500] to 10.133.32.81[500] (140 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.133.32.81[500] to 216.177.93.234[500] (372 bytes)
received packet: from 216.177.93.234[500] to 10.133.32.81[500] (356 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.133.32.81[4500] to 216.177.93.234[4500] (76 bytes)
received packet: from 216.177.93.234[4500] to 10.133.32.81[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
IKE_SA 1[2] established between 10.133.32.81[lmu55]...216.177.93.234[lmudiag]
scheduling reauthentication in 9721s
maximum IKE_SA lifetime 10261s
generating QUICK_MODE request 1783046561 [ HASH SA No ]
sending packet: from 10.133.32.81[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 1 of request message ID 1783046561, seq 4
sending packet: from 10.133.32.81[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 2 of request message ID 1783046561, seq 4
sending packet: from 10.133.32.81[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 3 of request message ID 1783046561, seq 4
sending packet: from 10.133.32.81[4500] to 216.177.93.234[4500] (204 bytes)



Here is the ipsec.conf:

# generated by /etc/init.d/lmu_ipsec
version 2
config setup
   charondebug="ike 2,knl 2"
conn 1
   keylife=60m
   rekeymargin=9m
   keyingtries=1
   keyexchange=ikev1
   left=10.133.32.81
   right=216.177.93.234
   authby=secret
   auto=add
   leftid="@lmu55"
   rightid="@lmudiag"
   type=tunnel





Here is the ipsec.conf on the other end, which runs openswan:

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

conn  lmu
        left=10.0.12.34
        leftid=@lmudiag
        right=%any
        rightid=@lmu55
        type=tunnel
        authby=secret
        auto=add



And here is the output of >> ipsec auto --status from the openswan side:


000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000 
000 "lmu": 10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...%any[@lmu55,+S=C]; unrouted; eroute owner: #0
000 "lmu":     myip=unset; hisip=unset;
000 "lmu":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lmu":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "lmu":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "lmu"[1]: 10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...166.137.187.250[@lmu55,+S=C]; unrouted; eroute owner: #0
000 "lmu"[1]:     myip=unset; hisip=unset;
000 "lmu"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lmu"[1]:   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "lmu"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "lmu"[1]:   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 
000 #1: "lmu"[1] 166.137.187.250:45911 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2454s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set


As you can see, I added %any for the right address since it changes all the time. Also, left=10.0.12.34 is the address behind the NAT.

I would appreciate it if someone could give me some hints on this setup.


Best Regards,
Farid
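When reading a transcript like the one above, the first thing to settle is which phase stalled: here Phase 1 completes (IKE_SA established, both sides detected behind NAT, traffic moved to UDP 4500), and it is the Phase 2 QUICK_MODE request that is retransmitted three times with no reply, which matches the openswan side reporting an ISAKMP SA but "newest IPsec SA: #0". The script below is an added example written for this page, not part of Farid's post or of strongSwan; it parses charon's "ipsec up" output line by line and turns it into a coarse verdict. The message formats it matches are the ones visible in the post; the CHILD_SA success line follows charon's usual wording and is an assumption here, and the sample transcripts, addresses and IDs are constructed.

```python
import re
from collections import Counter

# Constructed sample transcript in the shape of charon's "ipsec up" output.
# Addresses and IDs are made up for this example; the message formats match
# the ones visible in the post (Main Mode, NAT-D, Quick Mode retransmits).
SAMPLE_STALLED = """\
initiating Main Mode IKE_SA 1[2] to 192.0.2.10
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 10.0.0.5[500] to 192.0.2.10[500] (224 bytes)
received packet: from 192.0.2.10[500] to 10.0.0.5[500] (140 bytes)
parsed ID_PROT response 0 [ SA V V V ]
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.0.0.5[4500] to 192.0.2.10[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
IKE_SA 1[2] established between 10.0.0.5[left]...192.0.2.10[right]
generating QUICK_MODE request 1783046561 [ HASH SA No ]
sending packet: from 10.0.0.5[4500] to 192.0.2.10[4500] (204 bytes)
sending retransmit 1 of request message ID 1783046561, seq 4
sending packet: from 10.0.0.5[4500] to 192.0.2.10[4500] (204 bytes)
sending retransmit 2 of request message ID 1783046561, seq 4
sending packet: from 10.0.0.5[4500] to 192.0.2.10[4500] (204 bytes)
sending retransmit 3 of request message ID 1783046561, seq 4
sending packet: from 10.0.0.5[4500] to 192.0.2.10[4500] (204 bytes)
"""

# Constructed contrast case: same Phase 1, but Quick Mode is answered.
# The CHILD_SA line follows charon's usual success wording (assumed here).
SAMPLE_OK = """\
IKE_SA 1[1] established between 10.0.0.5[left]...192.0.2.10[right]
generating QUICK_MODE request 42 [ HASH SA No ]
sending packet: from 10.0.0.5[4500] to 192.0.2.10[4500] (204 bytes)
received packet: from 192.0.2.10[4500] to 10.0.0.5[4500] (188 bytes)
parsed QUICK_MODE response 42 [ HASH SA No ]
CHILD_SA 1{1} established with SPIs c0a8c0a8_i c0a8c0a9_o
"""

ESTABLISHED_RE = re.compile(r"^IKE_SA \S+ established between (\S+)\.\.\.(\S+)$")
CHILD_RE = re.compile(r"^CHILD_SA \S+ established")
QUICK_REQ_RE = re.compile(r"^generating QUICK_MODE request (\d+)")
QUICK_RESP_RE = re.compile(r"^parsed QUICK_MODE response (\d+)")
RETRANSMIT_RE = re.compile(r"^sending retransmit \d+ of request message ID (\d+)")
SEND_RE = re.compile(r"^sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")


def analyse(log_text):
    """Walk the transcript once and collect the facts a diagnosis needs."""
    f = {
        "ike_sa_established": False,   # Phase 1 (Main Mode) completed
        "child_sa_established": False, # Phase 2 (Quick Mode) completed
        "peers": None,                 # (local id, remote id) from the IKE_SA line
        "local_behind_nat": False,
        "remote_behind_nat": False,
        "udp_4500_used": False,        # NAT-T port switch happened
        "quick_requests": [],          # message IDs of QUICK_MODE requests sent
        "quick_answered": set(),       # message IDs for which a response was parsed
        "retransmits": Counter(),      # message ID -> number of retransmits
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := ESTABLISHED_RE.match(line):
            f["ike_sa_established"] = True
            f["peers"] = (m.group(1), m.group(2))
        elif CHILD_RE.match(line):
            f["child_sa_established"] = True
        elif line.startswith("local host is behind NAT"):
            f["local_behind_nat"] = True
        elif line.startswith("remote host is behind NAT"):
            f["remote_behind_nat"] = True
        elif m := SEND_RE.match(line):
            if m.group(1) == "4500" and m.group(2) == "4500":
                f["udp_4500_used"] = True
        elif m := QUICK_REQ_RE.match(line):
            f["quick_requests"].append(m.group(1))
        elif m := QUICK_RESP_RE.match(line):
            f["quick_answered"].add(m.group(1))
        elif m := RETRANSMIT_RE.match(line):
            f["retransmits"][m.group(1)] += 1
    return f


def diagnose(f, max_retransmits=3):
    """Map the collected facts to one of a few coarse verdicts."""
    if not f["ike_sa_established"]:
        return "phase1_failed"
    if f["child_sa_established"]:
        return "established"
    # A Quick Mode request that was retransmitted to the limit and never
    # answered means the peer dropped or could not process Phase 2.
    stalled = [mid for mid in f["quick_requests"]
               if mid not in f["quick_answered"]
               and f["retransmits"][mid] >= max_retransmits]
    if stalled:
        return "phase2_no_response"
    return "inconclusive"


if __name__ == "__main__":
    for name, text in (("stalled", SAMPLE_STALLED), ("ok", SAMPLE_OK)):
        facts = analyse(text)
        print(name, diagnose(facts), "NAT-T:", facts["udp_4500_used"],
              "local NAT:", facts["local_behind_nat"],
              "remote NAT:", facts["remote_behind_nat"])
```

Feeding the post's own transcript to analyse() gives the "phase2_no_response" verdict: the PSK and IDs were accepted in Phase 1, so the place to look next is whatever the responder checks in Quick Mode (its IPsec proposal and selectors for that conn), not the shared secret.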