[strongSwan] about strongswan nat error updown: iptables x.x.x.x: host/network `PH_IP_ALICE' not found

我爱臭豆腐 hao.wangbj at gmail.com
Mon Sep 9 08:03:53 CEST 2013


Hi list,
I'm using
http://www2.strongswan.org/uml/testresults5/ikev2/nat-virtual-ip/index.html
as a reference to make a NAT IPsec VPN.
Can I create a VPN tunnel to the VPS server.
LAN must have a computer system through the 192.168.5.0/24. GW: 192.168.5.1
NAT to this VPN server VPS server.
But when the VPN link is established, the 192.168.5.0/24 computers and the
gateway (192.168.5.1, Ubuntu 12.04.3 LTS \n \l) cannot communicate.
I checked the log files and found there is an error in charon.log:
/var/log/charon.log

Sep  9 13:42:48 14[CHD] updown: iptables v1.4.12: host/network `PH_IP_ALICE' not found
Sep  9 13:42:48 14[CHD] updown: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 13:42:48 14[CHD] updown: iptables v1.4.12: host/network `PH_IP_ALICE' not found
Sep  9 13:42:48 14[CHD] updown: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 13:42:48 14[CHD] updown: iptables v1.4.12: host/network `PH_IP_ALICE' not found
Sep  9 13:42:48 14[CHD] updown: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 13:42:48 14[CHD] updown: inserted NAT rule mapping PH_IP_ALICE to virtual IP 10.4.0.1

Thank you for your help.

root@ubuntu:/var/log# cat /usr/local/etc/ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        mobike=no

conn net-net
        left=192.168.2.132
        leftsourceip=%config
        leftupdown=/usr/local/etc/nat_updown
        lefthostaccess=yes
        right=aaaa
        rightsubnet=0.0.0.0/0
        auto=add
root@ubuntu:/var/log#


root@ubuntu:/var/log# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.0, Linux 3.8.0-29-generic, i686):
  uptime: 6 minutes, since Sep 09 13:42:26 2013
  malloc: sbrk 135168, mmap 0, used 109544, free 25624
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  192.168.5.1
  192.168.2.132
  10.4.0.1
  192.168.122.1
Connections:
     net-net:  192.168.2.132...aaaaa  IKEv2
     net-net:   local:  [192.168.2.132] uses pre-shared key authentication
     net-net:   remote: [aaaaa] uses pre-shared key authentication
     net-net:   child:  dynamic === 0.0.0.0/0 TUNNEL
Security Associations (1 up, 0 connecting):
     net-net[1]: ESTABLISHED 6 minutes ago, 192.168.2.132[192.168.2.132]...aaaa[aaaa]
     net-net[1]: IKEv2 SPIs: 173601cd7dbaf308_i* f5252d462b165af1_r, pre-shared key reauthentication in 45 minutes
     net-net[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     net-net{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c88b5515_i c573f88b_o
     net-net{1}:  AES_CBC_128/HMAC_SHA1_96, 3110 bytes_i (37 pkts, 43s ago), 3759 bytes_o (53 pkts, 43s ago), rekeying in 8 minutes
     net-net{1}:   10.4.0.1/32 === 0.0.0.0/0


root@ubuntu:/var/log# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 5c:63:bf:8b:f4:93
          inet addr:192.168.2.132  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::5e63:bfff:fe8b:f493/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77245 errors:0 dropped:810 overruns:0 frame:0
          TX packets:21770 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8837448 (8.8 MB)  TX bytes:2952018 (2.9 MB)

eth1      Link encap:Ethernet  HWaddr 00:0b:2f:57:58:24
          inet addr:192.168.5.1  Bcast:192.168.5.255  Mask:255.255.255.0
          inet6 addr: fe80::20b:2fff:fe57:5824/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18596 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6622 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1230544 (1.2 MB)  TX bytes:544986 (544.9

-- 
我爱臭豆腐
Be an honest person; do things conscientiously
email:hao.wangbj at gmail.com
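
The charon.log excerpt in the message above shows iptables being handed the literal token PH_IP_ALICE where it expects a host or network address. As an added example (not part of the original post and not strongSwan's own code), the shell functions below scan an updown script for unreplaced PH_* tokens and extract the names iptables rejected from a charon log. The function names, the sample script and the sample log excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample files are constructed.

# Print "LINE:TOKEN" for every PH_* token on a non-comment line of script $1.
find_placeholders() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            rest = $0
            while (match(rest, /PH_[A-Z0-9_]+/)) {
                print NR ":" substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
            }
        }' "$1"
}

# Print each distinct name that iptables rejected in updown output in log $1.
rejected_hosts() {
    sed -n "s|.*updown: iptables .*host/network .\([^']*\)' not found.*|\1|p" "$1" | sort -u
}

# Return 0 only if script $1 has no unreplaced placeholder; report hits on stderr.
check_updown() {
    hits=$(find_placeholders "$1")
    [ -z "$hits" ] && return 0
    printf 'unreplaced placeholders in %s:\n%s\n' "$1" "$hits" >&2
    return 1
}

# Write constructed sample inputs into directory $1.
write_samples() {
    cat > "$1/sample_updown" <<'EOF'
#!/bin/sh
# PH_IP_BOB in a comment is ignored
case "$PLUTO_VERB" in
up-client)
    iptables -t nat -A POSTROUTING -s PH_IP_ALICE -j SNAT --to-source "$PLUTO_MY_SOURCEIP"
    ;;
esac
EOF
    cat > "$1/sample_charon.log" <<'EOF'
Sep  9 13:42:48 14[CHD] updown: iptables v1.4.12: host/network `PH_IP_ALICE' not found
Sep  9 13:42:48 14[CHD] updown: Try `iptables -h' or 'iptables --help' for more information.
Sep  9 13:42:48 14[CHD] updown: iptables v1.4.12: host/network `PH_IP_ALICE' not found
EOF
}

# Stand-alone use: pass the path of an updown script to check it.
if [ -n "${1:-}" ]; then check_updown "$1"; fi
```

Run against the file named in leftupdown, a non-zero exit status means the script still contains a token that iptables will treat as a host name.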