[strongSwan] connectivity between two machines behind NAT / Virtual IP
Farid Farid
farid21657 at yahoo.com
Wed Oct 30 23:34:29 CET 2013
Hi everyone,
I have two machines, one running strongSwan 5.0.4-1 (Left) and the other running Openswan on CentOS 2.6.35 (Right).
They are both behind NAT. The Right server is reachable via a public IP address (but eth0 is behind NAT) and the Left one gets a mobile IP from the carrier.
I am able to establish a successful connection between these two using the following ipsec.conf files, but I can't ping between them.
LEFT ipsec.conf:
version 2
config setup
charondebug = "ike 2,knl 2"
conn 1
keylife=60m
rekeymargin=9m
keyingtries=2
keyexchange=ikev1
left=%any
right=216.177.93.234
authby=secret
auto=add
leftid="@lmu55"
#leftsourceip=10.4.3.1
#rightsourceip=10.4.3.2
rightid="@lmudiag"
leftfirewall=yes
compress=no
#mobike=no
type=tunnel
RIGHT ipsec.conf:
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
plutostderrlog="/var/log/ipsec7.log"
plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=auto
nat_traversal=yes
#virtual_private=
oe=off
# Enable this if you see "failed to find any available worker"
nhelpers=0
conn lmu
#left=xx.xx.xx.xx
left=10.0.12.34
leftid=@lmudiag
#ikev2=insist
#ikev2=yes
keyexchange=ike
right=%any
rightid=@lmu55
type=tunnel
authby=secret
auth=esp
pfs=no
#aggrmode=no
#leftsourceip=10.4.3.2
#rightsourceip=10.4.3.1
#rightsubnet=vhost:%no,%priv
compress=no
auto=add
Here is the tcpdump output from the mobile device on the WAN interface:
22:02:30.574491 IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap: ESP(spi=0xf9535901,seq=0x1), length 132
22:02:31.588682 IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap: ESP(spi=0xf9535901,seq=0x2), length 132
22:02:32.608384 IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap: ESP(spi=0xf9535901,seq=0x3), length 132
22:02:33.618381 IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap: ESP(spi=0xf9535901,seq=0x4), length 132
22:02:34.628406 IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap: ESP(spi=0xf9535901,seq=0x5), length 132
22:02:35.638375 IP 10.114.177.50.4500 > 216.177.93.234.4500: UDP-encap: ESP(spi=0xf9535901,seq=0x6), length 132
Here is the tcpdump output on the Right machine (why are the source and destination addresses the same as on the other end, and why is it not ESP?):
15:02:28.955252 IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 4, length 64
15:02:29.952576 IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 5, length 64
15:02:30.992655 IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 6, length 64
15:02:31.991295 IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 7, length 64
15:02:32.997846 IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 8, length 64
15:02:33.975175 IP 10.114.177.50 > 216.177.93.234: ICMP echo request, id 38918, seq 9, length 64
Then I tried to use a Virtual IP on both sides, hoping that would help me connect the two machines, but I am not able to even establish a connection. As you can see above, I added the lines with rightsourceip and leftsourceip on both sides.
From the Left side I see the following log data (it gives up after 5 retransmits):
root at LMU5k:~# ipsec up 1
initiating Main Mode IKE_SA 1[1] to 216.177.93.234
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 10.114.177.50[500] to 216.177.93.234[500] (224 bytes)
received packet: from 216.177.93.234[500] to 10.114.177.50[500] (140 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.114.177.50[500] to 216.177.93.234[500] (372 bytes)
received packet: from 216.177.93.234[500] to 10.114.177.50[500] (356 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.114.177.50[4500] to 216.177.93.234[4500] (76 bytes)
received packet: from 216.177.93.234[4500] to 10.114.177.50[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
IKE_SA 1[1] established between 10.114.177.50[lmu55]...216.177.93.234[lmudiag]
scheduling reauthentication in 10009s
maximum IKE_SA lifetime 10549s
generating TRANSACTION request 3067406310 [ HASH CP ]
sending packet: from 10.114.177.50[4500] to 216.177.93.234[4500] (76 bytes)
sending retransmit 1 of request message ID 3067406310, seq 4
sending packet: from 10.114.177.50[4500] to 216.177.93.234[4500] (76 bytes)
On the RIGHT side (Openswan) I captured the log data that you can see in the attachment. I looked at the data and I can see the RIGHT side drops the following messages:
*received 76 bytes from 198.228.223.179:46799 on eth0 (port=4500)
| **parse ISAKMP Message:
| initiator cookie:
| 56 a1 96 a2 b3 d2 61 8d
| responder cookie:
| 7a 26 90 f7 c2 1a 2d d4
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_MODE_CFG
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: b6 d4 e7 e6
| length: 76
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6)
| ICOOKIE: 56 a1 96 a2 b3 d2 61 8d
| RCOOKIE: 7a 26 90 f7 c2 1a 2d d4
| state hash entry 12
| peer and cookies match on #1, provided msgid b6d4e7e6 vs 00000000/00000000
| p15 state object not found
| ICOOKIE: 56 a1 96 a2 b3 d2 61 8d
| RCOOKIE: 7a 26 90 f7 c2 1a 2d d4
| state hash entry 12
| peer and cookies match on #1, provided msgid 00000000 vs 00000000/00000000
| p15 state object #1 found, in STATE_MAIN_R3
| processing connection lmu[1] 198.228.223.179
"lmu"[1] 198.228.223.179 #1: received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
| * processed 0 messages from cryptographic helpers
| next event EVENT_NAT_T_KEEPALIVE in 19 seconds
| next event EVENT_NAT_T_KEEPALIVE in 19 seconds
What would be the proper way to establish Virtual IP interfaces between two hosts? And is there any way, without a Virtual IP, that I can make the ping work?
I appreciate your help.
Thanks and Regards,
Farid
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec6.log
Type: application/octet-stream
Size: 29690 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20131030/a2a7e1e4/attachment.obj>
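Editor's added example (not part of the original post, and not the poster's or the strongSwan project's own configuration). With the ipsec.conf shown above, the only traffic selectors the left host can negotiate are its NAT-private address 10.114.177.50 and the right side's NAT public address 216.177.93.234, which is what the left-side capture shows being encapsulated (UDP-encap ESP on port 4500). The right-side capture shows the decrypted echo requests addressed to 216.177.93.234, which is not the right host's own eth0 address (left=10.0.12.34 in its config), and no echo replies. A virtual IP assigned through IKEv1 ModeCfg, which is what the commented-out leftsourceip/rightsourceip lines and the "TRANSACTION request [ HASH CP ]" in the charon log are attempting, gives the tunnel inner addresses that do not depend on either NAT. The fragment below is the strongSwan 5 form of that setup for both ends; the right end is written as a strongSwan responder because the Openswan options for serving ModeCfg differ and are not shown on this page. The pool 10.4.3.0/24 and the use of the right host's real address 10.0.12.34 as the remote subnet are assumptions taken from the values in the post.

```conf
# ---- Left (strongSwan 5, mobile host behind carrier NAT) ----
# Assumed: strongSwan 5 on both ends; pool and addresses taken from the post.
conn lmu
    keyexchange=ikev1
    authby=secret
    left=%any
    leftid=@lmu55
    leftsourceip=%config        # request a virtual IP from the responder via ModeCfg
    leftfirewall=yes
    right=216.177.93.234        # responder's NAT public address (IKE endpoint only)
    rightid=@lmudiag
    rightsubnet=10.0.12.34/32   # responder's real eth0 address becomes the remote selector
    type=tunnel
    auto=add

# ---- Right (strongSwan 5 responder; the Openswan equivalent is not shown) ----
conn lmu
    keyexchange=ikev1
    authby=secret
    left=10.0.12.34             # real eth0 address; leftsubnet defaults to this /32
    leftid=@lmudiag
    right=%any
    rightid=@lmu55
    rightsourceip=10.4.3.0/24   # in-memory pool that answers the client's ModeCfg request
    type=tunnel
    auto=add
```

After `ipsec up lmu` on the left, charon installs the assigned 10.4.3.x address and a route for the remote selector, so `ping 10.0.12.34` leaves the left host with the virtual IP as its source. The right host's reply to 10.4.3.x matches the policy it installed from the pool assignment and is encrypted back through the tunnel, which is the step that cannot happen when the inner addresses are the NAT-private 10.114.177.50 and the NAT-public 216.177.93.234.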