[strongSwan] question about how to connect from a mobile station
Farid Farid
farid21657 at yahoo.com
Wed Oct 23 21:26:56 CEST 2013
Hi Everyone,
I would appreciate it if someone could help me with a configuration issue that I am facing.
I have a Linux machine running strongSwan 5.0.4-1. That machine connects to the internet via a modem (3G GSM, AT&T) and it gets a different IP address every time it connects (like 10.227.110.112). Of course this is not the public address; it is behind the AT&T firewall/NAT.
I want to connect my machine to my remote server, which has a public IP address (host-to-host).
Since my left IP address keeps changing, can I use %any for left?
I used the following ipsec.conf (ipsec start ran without error):
version 2

config setup
        charondebug = "ike 2,knl 2"

conn 1
        keylife=60m
        rekeymargin=9m
        keyingtries=1
        keyexchange=ikev1
        left=%any
        right=216.177.93.234
        authby=secret
        auto=add
        leftid="@lmu55"
        rightid="@lmudiag"
        leftfirewall=yes
        type=tunnel
When I try to connect I can see IKE_SA 1 established between the two machines:
IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
but after that it keeps retransmitting keepalive packets to the remote machine's port 4500, and after 5 retries it fails with the following error:
sending keep alive to 216.177.93.234[4500]
giving up after 5 retransmits
unable to delete SAD entry with SPI c027d68a: No such process (3)
establishing connection '1' failed
At the end I have put all the data captured from my machine for your review.
I would truly appreciate it if someone could help me with this.
The other end runs Openswan on a CentOS 5.8 machine. Is there any strongSwan package available for CentOS?
The other end is also behind a firewall/NAT and its eth0 address is 10.0.12.34, which never changes.
Just to mention: in ipsec.conf on the strongSwan machine, if I put the current IP address in left= instead of %any, I get the same result.
Thanks,
Farid
root at LMU5k:~# ipsec up 1
initiating Main Mode IKE_SA 1[1] to 216.177.93.234
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 10.227.110.112[500] to 216.177.93.234[500] (224 bytes)
received packet: from 216.177.93.234[500] to 10.227.110.112[500] (140 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.227.110.112[500] to 216.177.93.234[500] (372 bytes)
received packet: from 216.177.93.234[500] to 10.227.110.112[500] (356 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (76 bytes)
received packet: from 216.177.93.234[4500] to 10.227.110.112[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
scheduling reauthentication in 10233s
maximum IKE_SA lifetime 10773s
generating QUICK_MODE request 1438687057 [ HASH SA No ]
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 1 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 2 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 3 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending keep alive to 216.177.93.234[4500]
sending retransmit 4 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending keep alive to 216.177.93.234[4500]
sending keep alive to 216.177.93.234[4500]
sending retransmit 5 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending keep alive to 216.177.93.234[4500]
sending keep alive to 216.177.93.234[4500]
sending keep alive to 216.177.93.234[4500]
giving up after 5 retransmits
unable to delete SAD entry with SPI c027d68a: No such process (3)
establishing connection '1' failed
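The charon output above shows the usual shape of an IKEv1 failure behind NAT: Main Mode completes, both sides detect NAT and float to UDP/4500, the IKE_SA is established, and then the Quick Mode request is retransmitted five times with no reply. The following Python script is an added example (not part of the original post or of strongSwan) that parses log lines of this form and reports which stage the negotiation reached; the SAMPLE_LOG is constructed from the lines quoted in the message, and the verdict codes and the `IkeReport` fields are names chosen for this example.

```python
"""Triage a strongSwan charon log of a failed IKEv1 connection attempt.

Added example, not code from the original post or from strongSwan.
It parses the `ipsec up <conn>` output format quoted in the thread and
reports where the negotiation stopped. SAMPLE_LOG is constructed from
the lines in the post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
initiating Main Mode IKE_SA 1[1] to 216.177.93.234
sending packet: from 10.227.110.112[500] to 216.177.93.234[500] (224 bytes)
received packet: from 216.177.93.234[500] to 10.227.110.112[500] (140 bytes)
received NAT-T (RFC 3947) vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (76 bytes)
received packet: from 216.177.93.234[4500] to 10.227.110.112[4500] (76 bytes)
IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
generating QUICK_MODE request 1438687057 [ HASH SA No ]
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 1 of request message ID 1438687057, seq 4
sending keep alive to 216.177.93.234[4500]
sending retransmit 5 of request message ID 1438687057, seq 4
giving up after 5 retransmits
establishing connection '1' failed
"""

PACKET_RE = re.compile(r"^(sending|received) packet: from (\S+?)\[(\d+)\] to (\S+?)\[(\d+)\]")
RETRANSMIT_RE = re.compile(r"^sending retransmit (\d+) of request message ID (\d+)")
QUICK_RE = re.compile(r"^generating QUICK_MODE request (\d+)")
GIVEUP_RE = re.compile(r"^giving up after (\d+) retransmits")
FAILED_RE = re.compile(r"^establishing connection '([^']+)' failed")


@dataclass
class IkeReport:
    """Facts extracted from one connection attempt (hypothetical field names)."""
    local_nat: bool = False
    remote_nat: bool = False
    ike_sa_established: bool = False          # Main Mode (Phase 1) done
    quick_mode_msgid: Optional[str] = None    # Phase 2 request message ID
    retransmits: int = 0                      # highest retransmit counter seen
    gave_up: bool = False
    failed_conn: Optional[str] = None
    # packet counters keyed by the *local* UDP port (500 before NAT-T float, 4500 after)
    sent_by_port: Dict[str, int] = field(default_factory=dict)
    received_by_port: Dict[str, int] = field(default_factory=dict)
    received_after_quick_mode: int = 0        # replies seen once Quick Mode started


def parse_charon_log(text: str) -> IkeReport:
    r = IkeReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = PACKET_RE.match(line)
        if m:
            direction, _src, sport, _dst, dport = m.groups()
            if direction == "sending":
                r.sent_by_port[sport] = r.sent_by_port.get(sport, 0) + 1
            else:
                # for a received packet the local port is the destination port
                r.received_by_port[dport] = r.received_by_port.get(dport, 0) + 1
                if r.quick_mode_msgid is not None:
                    r.received_after_quick_mode += 1
            continue
        if line.startswith("local host is behind NAT"):
            r.local_nat = True
        elif line.startswith("remote host is behind NAT"):
            r.remote_nat = True
        elif line.startswith("IKE_SA") and "established between" in line:
            r.ike_sa_established = True
        elif (m := QUICK_RE.match(line)):
            r.quick_mode_msgid = m.group(1)
        elif (m := RETRANSMIT_RE.match(line)):
            r.retransmits = max(r.retransmits, int(m.group(1)))
        elif GIVEUP_RE.match(line):
            r.gave_up = True
        elif (m := FAILED_RE.match(line)):
            r.failed_conn = m.group(1)
    return r


def diagnose(r: IkeReport) -> str:
    """Verdict codes are this example's own vocabulary, not strongSwan's."""
    if not r.ike_sa_established:
        return "phase1-failed"           # Main Mode never completed
    if r.quick_mode_msgid is None:
        return "no-quick-mode"           # IKE_SA up but no Phase 2 attempted
    if r.gave_up and r.received_after_quick_mode == 0:
        return "quick-mode-unanswered"   # peer never replied to Quick Mode
    if r.failed_conn is not None:
        return "quick-mode-rejected"     # a reply came back but the CHILD_SA failed
    return "established"


def summarize(r: IkeReport) -> List[str]:
    verdict = diagnose(r)
    lines = [
        f"NAT detected: local={r.local_nat} remote={r.remote_nat}",
        f"packets sent per local port: {r.sent_by_port}",
        f"packets received per local port: {r.received_by_port}",
        f"IKE_SA (Phase 1) established: {r.ike_sa_established}",
        f"Quick Mode message ID: {r.quick_mode_msgid}, retransmits: {r.retransmits}",
        f"verdict: {verdict}",
    ]
    if verdict == "quick-mode-unanswered":
        lines.append("Phase 1 already completed over UDP/4500 after the NAT-T float, so the "
                     "path carries IKE in both directions; the Quick Mode reply never arrived. "
                     "Look at the responder's own log for why it stayed silent "
                     "(proposal or traffic-selector mismatch are the usual causes).")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_charon_log(SAMPLE_LOG))))
```

Feed it `ipsec up <conn>` output (or the relevant charon lines from syslog) on stdin or as a string; the per-port counters make the NAT-T float visible at a glance, and a non-zero `received_after_quick_mode` separates "peer silent" from "peer answered but rejected the CHILD_SA", which is the first thing to establish before comparing the two ipsec.conf files.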