[strongSwan] strongswan-5.1.x, NATed routing pb
s s
y52 at europe.com
Tue Mar 18 23:15:26 CET 2014
Hello Volker,
I revert back to our persistent problem with the NATed channel routing while migrating from Strongswan 4.3xx to 5.1.1.
I had a chance to obtain the public IP on the server behind the NAT and to correct the ipsec.conf settings.
These are the CN=academ server settings (aka MSC site 192.168.3.0/24):
conn %default
left=%defaultroute
leftcert=academ2034.hostCert.pem
mobike=yes
auto=add
conn msc-hmnet
leftid=msc at ucp
leftsendcert = never
right=xx.xxx.221.28
rightcert=peercerts/karmaY2034.hostCert.pem
rightid=@karma.ucp
rightsubnet=192.168.4.0/24
leftsubnet=192.168.3.0/24
keyexchange=ikev2
compress=no
auto=start
Everything works like a charm while the server is assigned a public IP.
[root at academ ipsec.d]# strongswan up msc-hmnet
initiating IKE_SA msc-hmnet[2] to xx.xxx.221.28
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from xx.xxx.195.57[500] to xx.xxx.221.28[500] (708 bytes)
received packet: from xx.xxx.221.28[500] to xx.xxx.195.57[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "OU=CA, CN=certauth"
sending cert request for "OU=CA, CN=certauth"
authentication of 'msc at ucp' (myself) with RSA signature successful
establishing CHILD_SA msc-hmnet
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from xx.xxx.195.57[4500] to xx.xxx.221.28[4500] (556 bytes)
received packet: from xx.xxx.221.28[4500] to xx.xxx.195.57[4500] (524 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
using trusted ca certificate "OU=CA, CN=certauth"
checking certificate status of "OU=hmnet, CN=karma.ucp"
certificate status is not available
reached self-signed root ca with a path length of 0
using trusted certificate "OU=hmnet, CN=karma.ucp"
authentication of 'karma.ucp' with RSA signature successful
IKE_SA msc-hmnet[2] established between xx.xxx.195.57[msc at ucp]...xx.xxx.221.28[karma.ucp]
scheduling reauthentication in 9919s
maximum IKE_SA lifetime 10459s
connection 'msc-hmnet' established successfully
Feb 1 01:39:05 academ charon: 01[KNL] adding policy 192.168.3.0/24 === 192.168.4.0/24 out (mark 0/0x00000000)
Feb 1 01:39:05 academ charon: 01[KNL] adding policy 192.168.4.0/24 === 192.168.3.0/24 in (mark 0/0x00000000)
Feb 1 01:39:05 academ charon: 01[KNL] adding policy 192.168.4.0/24 === 192.168.3.0/24 fwd (mark 0/0x00000000)
[root at academ ipsec.d]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.
64 bytes from 192.168.4.10: icmp_seq=1 ttl=64 time=112 ms
--- 192.168.4.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 112.362/112.362/112.362/0.000 ms
[root at karma ~]# ping 192.168.3.56
PING 192.168.3.56 (192.168.3.56) 56(84) bytes of data.
64 bytes from 192.168.3.56: icmp_seq=1 ttl=64 time=101 ms
64 bytes from 192.168.3.56: icmp_seq=2 ttl=64 time=97.9 ms
[root at academ ipsec.d]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.1.1, Linux 2.6.18-92.1.10.el5, i686):
uptime: 4 minutes, since Feb 01 01:37:34 2014
malloc: sbrk 270336, mmap 0, used 211160, free 59176
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap dhcp
Listening IP addresses:
xx.xxx.195.57
192.168.3.56
Connections:
academ.certs.locally.stored: %any...xx.xx.230.112 IKEv2
academ.certs.locally.stored: local: [msc at ucp] uses public key authentication
academ.certs.locally.stored: cert: "OU=repr.msc, CN=academ.msc"
academ.certs.locally.stored: remote: [vpn.ucp] uses public key authentication
academ.certs.locally.stored: cert: "OU=frqx, CN=vpn.ucp"
academ.certs.locally.stored: child: 192.168.3.0/24 === 192.168.169.0/24 TUNNEL
msc-hmnet: %any...xx.xxx.221.28 IKEv2
msc-hmnet: local: [msc at ucp] uses public key authentication
msc-hmnet: cert: "OU=repr.msc, CN=academ.msc"
msc-hmnet: remote: [karma.ucp] uses public key authentication
msc-hmnet: cert: "OU=hmnet, CN=karma.ucp"
msc-hmnet: child: 192.168.3.0/24 === 192.168.4.0/24 TUNNEL
Security Associations (2 up, 0 connecting):
msc-hmnet[2]: ESTABLISHED 2 minutes ago, xx.xxx.195.57[msc at ucp]...xx.xxx.221.28[karma.ucp]
msc-hmnet[2]: IKEv2 SPIs: 82d4b4cd14528280_i* 1828eba2706adde0_r, public key reauthentication in 2 hours
msc-hmnet[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
msc-hmnet{2}: INSTALLED, TUNNEL, ESP SPIs: c7898787_i c30972d5_o
msc-hmnet{2}: AES_CBC_128/HMAC_SHA1_96, 420 bytes_i (5 pkts, 33s ago), 760 bytes_o (5 pkts, 33s ago), rekeying in 41 minutes
msc-hmnet{2}: 192.168.3.0/24 === 192.168.4.0/24
academ.certs.locally.stored[1]: ESTABLISHED 4 minutes ago, xx.xxx.195.57[msc at ucp]...xx.xx.230.112[vpn.ucp]
academ.certs.locally.stored[1]: IKEv2 SPIs: bf1c502052f227ae_i* 05fe3261f979239b_r, public key reauthentication in 2 hours
academ.certs.locally.stored[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
academ.certs.locally.stored{1}: INSTALLED, TUNNEL, ESP SPIs: cdd198f4_i cfc5d5ff_o
academ.certs.locally.stored{1}: AES_CBC_128/HMAC_SHA1_96, 336 bytes_i (4 pkts, 226s ago), 608 bytes_o (4 pkts, 226s ago), rekeying in 40 minutes
academ.certs.locally.stored{1}: 192.168.3.0/24 === 192.168.169.0/24
Jan 31 22:39:00 karma charon: 06[NET] received packet: from xx.xxx.195.57[500] to xx.xxx.221.28[500] (708 bytes)
Jan 31 22:39:00 karma charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 31 22:39:00 karma charon: 06[IKE] xx.xxx.195.57 is initiating an IKE_SA
Jan 31 22:39:00 karma charon: 06[IKE] sending cert request for "OU=CA, CN=certauth"
Jan 31 22:39:00 karma charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jan 31 22:39:00 karma charon: 06[NET] sending packet: from xx.xxx.221.28[500] to xx.xxx.195.57[500] (465 bytes)
Jan 31 22:39:01 karma charon: 09[NET] received packet: from xx.xxx.195.57[4500] to xx.xxx.221.28[4500] (556 bytes)
Jan 31 22:39:01 karma charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 31 22:39:01 karma charon: 09[IKE] received cert request for "OU=CA, CN=certauth"
Jan 31 22:39:01 karma charon: 09[CFG] looking for peer configs matching xx.xxx.221.28[karma.ucp]...xx.xxx.195.57[msc at ucp]
Jan 31 22:39:01 karma charon: 09[CFG] selected peer config 'msc-hmnet'
Jan 31 22:39:01 karma charon: 09[CFG] using trusted ca certificate "OU=CA, CN=certauth"
Jan 31 22:39:01 karma charon: 09[CFG] checking certificate status of "OU=repr.msc, CN=academ.msc"
Jan 31 22:39:01 karma charon: 09[CFG] certificate status is not available
Jan 31 22:39:01 karma charon: 09[CFG] reached self-signed root ca with a path length of 0
Jan 31 22:39:01 karma charon: 09[CFG] using trusted certificate "OU=repr.msc, CN=academ.msc"
Jan 31 22:39:01 karma charon: 09[IKE] authentication of 'msc at ucp' with RSA signature successful
Jan 31 22:39:01 karma charon: 09[IKE] peer supports MOBIKE
Jan 31 22:39:01 karma charon: 09[IKE] authentication of 'karma.ucp' (myself) with RSA signature successful
Jan 31 22:39:01 karma charon: 09[IKE] IKE_SA msc-hmnet[4] established between xx.xxx.221.28[karma.ucp]...xx.xxx.195.57[msc at ucp]
Jan 31 22:39:01 karma charon: 09[IKE] scheduling reauthentication in 9928s
Jan 31 22:39:01 karma charon: 09[IKE] maximum IKE_SA lifetime 10468s
Jan 31 22:39:01 karma charon: 09[IKE] CHILD_SA msc-hmnet{3} established with SPIs c30972d5_i c7898787_o and TS 192.168.4.0/24 === 192.168.3.0/24
Jan 31 22:39:01 karma charon: 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Jan 31 22:39:01 karma charon: 09[NET] sending packet: from xx.xxx.221.28[4500] to xx.xxx.195.57[4500] (524 bytes)
Feb 1 01:21:46 academ charon: 08[NET] sending packet: from xx.xxx.195.57[4500] to xx.xx.230.112[4500] (1484 bytes)
Feb 1 01:21:47 academ charon: 11[NET] received packet: from xx.xx.230.112[4500] to xx.xxx.195.57[4500] (380 bytes)
Feb 1 01:21:47 academ charon: 11[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Feb 1 01:21:47 academ charon: 11[CFG] using trusted ca certificate "OU=CA, CN=certauth"
Feb 1 01:21:47 academ charon: 11[CFG] checking certificate status of "OU=frqx, CN=vpn.ucp"
Feb 1 01:21:47 academ charon: 11[CFG] certificate status is not available
Feb 1 01:21:47 academ charon: 11[CFG] reached self-signed root ca with a path length of 0
Feb 1 01:21:47 academ charon: 11[CFG] using trusted certificate "OU=frqx, CN=vpn.ucp"
Feb 1 01:21:47 academ charon: 11[IKE] authentication of 'vpn.ucp' with RSA signature successful
Feb 1 01:21:47 academ charon: 11[IKE] IKE_SA academ.certs.locally.stored[1] established between xx.xxx.195.57[msc at ucp]...xx.xx.230.112[vpn.ucp]
Feb 1 01:21:47 academ charon: 11[IKE] IKE_SA academ.certs.locally.stored[1] state change: CONNECTING => ESTABLISHED
Feb 1 01:21:47 academ charon: 11[IKE] scheduling reauthentication in 9990s
Feb 1 01:21:47 academ charon: 11[IKE] maximum IKE_SA lifetime 10530s
Feb 1 01:21:47 academ charon: 11[KNL] adding SAD entry with SPI c39ad460 and reqid {1} (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] using encryption algorithm AES_CBC with key size 128
Feb 1 01:21:47 academ charon: 11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Feb 1 01:21:47 academ charon: 11[KNL] using replay window of 32 packets
Feb 1 01:21:47 academ charon: 11[KNL] adding SAD entry with SPI ce4ab82c and reqid {1} (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] using encryption algorithm AES_CBC with key size 128
Feb 1 01:21:47 academ charon: 11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Feb 1 01:21:47 academ charon: 11[KNL] using replay window of 32 packets
Feb 1 01:21:47 academ charon: 11[KNL] adding policy 192.168.3.0/24 === 192.168.169.0/24 out (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] adding policy 192.168.169.0/24 === 192.168.3.0/24 in (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] adding policy 192.168.169.0/24 === 192.168.3.0/24 fwd (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] getting a local address in traffic selector 192.168.3.0/24
Feb 1 01:21:47 academ charon: 11[KNL] using host 192.168.3.56
Feb 1 01:21:47 academ charon: 11[KNL] using xxx.xx.195.33 as nexthop to reach xx.xx.230.112
Feb 1 01:21:47 academ charon: 11[KNL] xx.xxx.195.57 is on interface eth1
Feb 1 01:21:47 academ charon: 11[KNL] installing route: 192.168.169.0/24 via 195.91.195.33 src 192.168.3.56 dev eth1
Feb 1 01:21:47 academ charon: 11[KNL] getting iface index for eth1
Feb 1 01:21:47 academ charon: 11[KNL] policy 192.168.3.0/24 === 192.168.169.0/24 out (mark 0/0x00000000) already exists, increasing refcount
Feb 1 01:21:47 academ charon: 11[KNL] updating policy 192.168.3.0/24 === 192.168.169.0/24 out (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] policy 192.168.169.0/24 === 192.168.3.0/24 in (mark 0/0x00000000) already exists, increasing refcount
Feb 1 01:21:47 academ charon: 11[KNL] updating policy 192.168.169.0/24 === 192.168.3.0/24 in (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] policy 192.168.169.0/24 === 192.168.3.0/24 fwd (mark 0/0x00000000) already exists, increasing refcount
Feb 1 01:21:47 academ charon: 11[KNL] updating policy 192.168.169.0/24 === 192.168.3.0/24 fwd (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] getting a local address in traffic selector 192.168.3.0/24
Feb 1 01:21:47 academ charon: 11[KNL] using host 192.168.3.56
Feb 1 01:21:47 academ charon: 11[KNL] using xxx.xx.195.33 as nexthop to reach xx.xx.230.112
Feb 1 01:21:47 academ charon: 11[KNL] xx.xxx.195.57 is on interface eth1
Feb 1 01:21:47 academ charon: 11[IKE] CHILD_SA academ.certs.locally.stored{1} established with SPIs c39ad460_i ce4ab82c_o and TS 192.168.3.0/24 === 192.168.169.0/24
Feb 1 01:21:47 academ charon: 11[IKE] received AUTH_LIFETIME of 9835s, scheduling reauthentication in 9295s
Feb 1 01:21:47 academ charon: 11[IKE] peer supports MOBIKE
Feb 1 01:21:47 academ charon: 11[IKE] got additional MOBIKE peer address: 192.168.169.110
Feb 1 01:21:47 academ charon: 11[IKE] got additional MOBIKE peer address: 2a01:e35:8aee:6700:2d0:b7ff:fe8f:4fd8
Feb 1 01:21:47 academ charon: 11[IKE] activating new tasks
Feb 1 01:21:47 academ charon: 11[IKE] nothing to initiate
But once the "academ" server is placed behind the NAT (the provider's IP xxx.xx.210.3), the routing fails, even though the tunnel looks to be up:
Feb 3 09:00:16 karma charon: 09[NET] received packet: from xxx.xx.210.3[500] to xx.xxx.221.28[500] (708 bytes)
Feb 3 09:00:16 karma charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 3 09:00:16 karma charon: 09[IKE] xxx.xx.210.3 is initiating an IKE_SA
Feb 3 09:00:16 karma charon: 09[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Feb 3 09:00:16 karma charon: 09[IKE] remote host is behind NAT
Feb 3 09:00:16 karma charon: 09[IKE] sending cert request for "OU=CA, CN=certauth"
Feb 3 09:00:16 karma charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 3 09:00:16 karma charon: 09[NET] sending packet: from xx.xxx.221.28[500] to xxx.xx.210.3[500] (465 bytes)
Feb 3 09:00:17 karma charon: 06[NET] received packet: from xxx.xx.210.3[4500] to xx.xxx.221.28[4500] (556 bytes)
Feb 3 09:00:17 karma charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 3 09:00:17 karma charon: 06[IKE] received cert request for "OU=CA, CN=certauth"
Feb 3 09:00:17 karma charon: 06[CFG] looking for peer configs matching xx.xxx.221.28[karma.ucp]...xxx.xx.210.3[msc at ucp]
Feb 3 09:00:17 karma charon: 06[CFG] selected peer config 'msc-hmnet'
Feb 3 09:00:17 karma charon: 06[CFG] using trusted ca certificate "OU=CA, CN=certauth"
Feb 3 09:00:17 karma charon: 06[CFG] checking certificate status of "OU=repr.msc, CN=academ.msc"
Feb 3 09:00:17 karma charon: 06[CFG] certificate status is not available
Feb 3 09:00:17 karma charon: 06[CFG] reached self-signed root ca with a path length of 0
Feb 3 09:00:17 karma charon: 06[CFG] using trusted certificate "OU=repr.msc, CN=academ.msc"
Feb 3 09:00:17 karma charon: 06[IKE] authentication of 'msc at ucp' with RSA signature successful
Feb 3 09:00:17 karma charon: 06[IKE] peer supports MOBIKE
Feb 3 09:00:17 karma charon: 06[IKE] got additional MOBIKE peer address: 192.168.3.56
Feb 3 09:00:17 karma charon: 06[IKE] authentication of 'karma.ucp' (myself) with RSA signature successful
Feb 3 09:00:17 karma charon: 06[IKE] IKE_SA msc-hmnet[5] established between xx.xxx.221.28[karma.ucp]...xxx.xx.210.3[msc at ucp]
Feb 3 09:00:17 karma charon: 06[IKE] IKE_SA msc-hmnet[5] state change: CONNECTING => ESTABLISHED
Feb 3 09:00:17 karma charon: 06[IKE] scheduling reauthentication in 10161s
Feb 3 09:00:17 karma charon: 06[IKE] maximum IKE_SA lifetime 10701s
Feb 3 09:00:17 karma charon: 06[KNL] getting SPI for reqid {3}
Feb 3 09:00:17 karma charon: 06[KNL] got SPI ce7ffe2c for reqid {3}
Feb 3 09:00:17 karma charon: 06[KNL] adding SAD entry with SPI ce7ffe2c and reqid {3} (mark 0/0x00000000)
Feb 3 09:00:17 karma charon: 06[KNL] using encryption algorithm AES_CBC with key size 128
Feb 3 09:00:18 karma charon: 06[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Feb 3 09:00:18 karma charon: 06[KNL] using replay window of 32 packets
Feb 3 09:00:18 karma charon: 06[KNL] adding SAD entry with SPI cbd1af5e and reqid {3} (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] using encryption algorithm AES_CBC with key size 128
Feb 3 09:00:18 karma charon: 06[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Feb 3 09:00:18 karma charon: 06[KNL] using replay window of 32 packets
Feb 3 09:00:18 karma charon: 06[KNL] adding policy 192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] adding policy 192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] adding policy 192.168.3.0/24 === 192.168.4.0/24 fwd (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] getting a local address in traffic selector 192.168.4.0/24
Feb 3 09:00:18 karma charon: 06[KNL] using host 192.168.4.10
Feb 3 09:00:18 karma charon: 06[KNL] using xx.xxx.221.254 as nexthop to reach xxx.xx.210.3
Feb 3 09:00:18 karma charon: 06[KNL] xx.xxx.221.28 is on interface eth1
Feb 3 09:00:18 karma charon: 06[KNL] installing route: 192.168.3.0/24 via 82.239.221.254 src 192.168.4.10 dev eth1
Feb 3 09:00:18 karma charon: 06[KNL] getting iface index for eth1
Feb 3 09:00:18 karma charon: 06[KNL] policy 192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000) already exists, increasing refcount
Feb 3 09:00:18 karma charon: 06[KNL] updating policy 192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] policy 192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000) already exists, increasing refcount
Feb 3 09:00:18 karma charon: 06[KNL] updating policy 192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] policy 192.168.3.0/24 === 192.168.4.0/24 fwd (mark 0/0x00000000) already exists, increasing refcount
Feb 3 09:00:18 karma charon: 06[KNL] updating policy 192.168.3.0/24 === 192.168.4.0/24 fwd (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] getting a local address in traffic selector 192.168.4.0/24
Feb 3 09:00:18 karma charon: 06[KNL] using host 192.168.4.10
Feb 3 09:00:18 karma charon: 06[KNL] using xx.xxx.221.254 as nexthop to reach xxx.xx.210.3
Feb 3 09:00:18 karma charon: 06[KNL] xx.xxx.221.28 is on interface eth1
Feb 3 09:00:18 karma charon: 06[IKE] CHILD_SA msc-hmnet{3} established with SPIs ce7ffe2c_i cbd1af5e_o and TS 192.168.4.0/24 === 192.168.3.0/24
Feb 3 09:00:18 karma charon: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Feb 3 09:00:18 karma charon: 06[NET] sending packet: from xx.xxx.221.28[4500] to xxx.xx.210.3[4500] (524 bytes)
msc-hmnet: %any...%any IKEv2
msc-hmnet: local: [karma.ucp] uses public key authentication
msc-hmnet: cert: "OU=hmnet, CN=karma.ucp"
msc-hmnet: remote: [msc at ucp] uses public key authentication
msc-hmnet: cert: "OU=repr.msc, CN=academ.msc"
msc-hmnet: child: 192.168.4.0/24 === 192.168.3.0/24 TUNNEL
Security Associations (3 up, 0 connecting):
msc-hmnet[5]: ESTABLISHED 28 minutes ago, xx.xxx.221.28[karma.ucp]...xxx.xx.210.3[msc at ucp]
msc-hmnet[5]: IKEv2 SPIs: 9e00679214ba46c9_i 2fe19cad88f0f615_r*, public key reauthentication in 2 hours
msc-hmnet[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
msc-hmnet{3}: INSTALLED, TUNNEL, ESP in UDP SPIs: ce7ffe2c_i cbd1af5e_o
msc-hmnet{3}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 480 bytes_o (3 pkts, 477s ago), rekeying in 15 minutes
msc-hmnet{3}: 192.168.4.0/24 === 192.168.3.0/24
[root at karma ~]# ip xfrm state
src xx.xxx.221.28 dst xxx.xx.210.3
proto esp spi 0xcbd1af5e reqid 3 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x01a716f997bc81250792d1a171c7b9bac38b1cc5
enc cbc(aes) 0xf907745f6ff8e256cdd64ec242529f69
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src xxx.xx.210.3 dst xx.xxx.221.28
proto esp spi 0xce7ffe2c reqid 3 mode tunnel
replay-window 32 flag 20
auth hmac(sha1) 0x8a08c9776fccabd345ab5f26697d5bcea5fa08e5
enc cbc(aes) 0x5bd565f6d9064718e489ec66ad0917a1
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
I can't ping the 192.168.3.56 server, nor access it in any way.
The statusall counter shows 0 bytes_i.
I am running out of ideas about what could be checked further and how to fix it.
The setup was working perfectly under strongswan 4.3 and works well for other connections, and even with the Win8 roadwarrior (behind the NAT).
Could you go through the logs once again and maybe suggest something else to check?
Thanks again,
Serge
> ----- Original Message -----
> From: Volker Rümelin
> Sent: 01/21/14 10:55 PM
> To: s s
> Subject: Re: [strongSwan] strongswan-5.1.x, NATed routing pb
>
> Hello Serge,
>
> please look again at the three policies.
>
> > [root at frqx ~]# ip xfrm policy
> > src 192.168.3.0/24 dst 192.168.169.0/24
> > dir in priority 1859
> > tmpl src xx.xx.210.3 dst xx.xx.230.112
> > proto esp reqid 78 mode tunnel
> >
> > src 192.168.169.0/24 dst 192.168.3.0/24
> > dir out priority 1859
> > tmpl src xx.xx.230.112 dst xx.xx.210.3
> > proto esp reqid 78 mode tunnel
> >
> > src 192.168.3.0/24 dst 192.168.169.0/24
> > dir fwd priority 1859
> > tmpl src xx.xx.210.3 dst xx.xx.230.112
> > proto esp reqid 78 mode tunnel
> >
> >
>
> These are three different policies (in, out, fwd). For tunnel mode you
> need all three.
>
> > The two outputs are inconsistent with each other (duplicated policy, doesn't match the academ's peer).
> > Any ideas of what could be checked and tweaked more?
>
> There is nothing wrong here. Because of NAT the host address of academ
> is different for frqx. I guess you just forgot to copy/paste the out
> policy on academ. The issue is something different.
>
> >
> > I don't see how to push the name resolution to the remote site.
> > Although the dns entry exists:
> > [root at wave ~]# cat /etc/strongswan/strongswan.conf
> > charon {
> > # ...
> > dns1 = 192.168.0.100
> > nbns1 = 192.168.0.100
> > }
> >
>
> With strongswan 5 add rightdns=192.168.0.100 to connection karma-wave in
> ipsec.conf on wave. This works if karma is initiator.
>
> Regards,
> Volker
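The one-way symptom Serge describes (charon reports "ESP in UDP", 480 bytes_o against 0 bytes_i, while the kernel holds both espinudp states) can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from strongSwan: it parses "strongswan statusall" and "ip xfrm state" output (sample lines taken from the post's karma outputs, addresses masked as there; the function names are my own) and reports child SAs whose SPIs are unknown to the kernel or that only ever send.

```python
"""Cross-check strongSwan CHILD_SAs against the kernel XFRM state: flag SPIs missing
from the kernel, or a child SA that sent bytes but received none (msc-hmnet{3} in the post)."""
import re

# Sample input constructed from the post's karma outputs (addresses masked as
# in the post; the auth/enc key lines of "ip xfrm state" are left out).
STATUSALL = """\
msc-hmnet{3}: INSTALLED, TUNNEL, ESP in UDP SPIs: ce7ffe2c_i cbd1af5e_o
msc-hmnet{3}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 480 bytes_o (3 pkts, 477s ago), rekeying in 15 minutes
"""
XFRM_STATE = """\
src xx.xxx.221.28 dst xxx.xx.210.3
    proto esp spi 0xcbd1af5e reqid 3 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src xxx.xx.210.3 dst xx.xxx.221.28
    proto esp spi 0xce7ffe2c reqid 3 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""

# statusall lines of a CHILD_SA: mode, optional NAT-T marker and SPIs, then byte counters.
SA_LINE = re.compile(r"^(\S+\{\d+\}): INSTALLED, (\w+), ESP( in UDP)? SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")
CTR_LINE = re.compile(r"^(\S+\{\d+\}): \S+, (\d+) bytes_i.*?, (\d+) bytes_o")

def parse_statusall(text):
    """Return {child-SA name: fields} for every INSTALLED CHILD_SA."""
    sas = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            name, mode, udp, spi_i, spi_o = m.groups()
            sas[name] = {"mode": mode, "nat_t": udp is not None, "spi_in": spi_i,
                         "spi_out": spi_o, "bytes_in": 0, "bytes_out": 0}
            continue
        m = CTR_LINE.match(line)
        if m and m.group(1) in sas:
            sas[m.group(1)]["bytes_in"] = int(m.group(2))
            sas[m.group(1)]["bytes_out"] = int(m.group(3))
    return sas

def parse_xfrm_state(text):
    """Return {spi: fields} for every ESP state in "ip xfrm state" output."""
    states = {}
    for block in re.split(r"^(?=src )", text, flags=re.M):  # one block per kernel SA
        hdr = re.match(r"src (\S+) dst (\S+)", block)
        sa = re.search(r"proto esp spi 0x([0-9a-f]+) reqid (\d+)", block)
        if not (hdr and sa):
            continue
        encap = re.search(r"encap type (\w+)", block)  # espinudp when NAT-T is active
        states[sa.group(1)] = {"src": hdr.group(1), "dst": hdr.group(2),
                               "reqid": int(sa.group(2)), "encap": encap.group(1) if encap else None}
    return states

def diagnose(statusall, xfrm):
    """Return findings as strings; an empty list means nothing looks wrong."""
    kernel = parse_xfrm_state(xfrm)
    findings = []
    for name, sa in parse_statusall(statusall).items():
        for key in ("spi_in", "spi_out"):  # charon and the kernel must agree on both SPIs
            if sa[key] not in kernel:
                findings.append(f"{name}: SPI {sa[key]} known to charon but absent from kernel")
        if sa["bytes_out"] > 0 and sa["bytes_in"] == 0:  # we send, the peer's ESP never arrives
            path = "ESP-in-UDP (NAT-T, UDP/4500)" if sa["nat_t"] else "plain ESP"
            findings.append(f"{name}: one-way traffic, {sa['bytes_out']} bytes out, 0 in, over {path}")
    return findings
```

A one-way finding over ESP-in-UDP points at the UDP/4500 return path (the NAT mapping or a filter in front of the NATed host) rather than at the policies, which is the distinction the two pasted outputs leave open.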