[strongSwan] Can strongswan work with ip port forwarding and not NAT

christopher kamutumwa chriskamutumwa at gmail.com
Fri Jul 8 13:57:14 CEST 2016


Hello,
I have a router which only allows port forwarding, hence I've implemented
strongSwan on a machine behind this router and configured port forwarding.
I am failing to get an establishment to a host which is connected to a public IP
directly, using the same configuration which works when both machines are
directly connected to the public. Below is the error. Is there a solution or a way
round this?

Jul  8 11:36:33 localhost charon: 05[ENC] generating INFORMATIONAL_V1 request 416838970 [ N(NO_PROP) ]
Jul  8 11:36:33 localhost charon: 05[NET] sending packet: from 192.168.100.2[500] to 185.3.95.94[500] (40 bytes)
Jul  8 11:36:33 localhost charon: 05[IKE] IKE_SA (unnamed)[1] state change: CREATED => DESTROYING
Jul  8 11:36:33 localhost charon: 03[NET] sending packet: from 192.168.100.2[500] to 185.3.95.94[500]
Jul  8 11:47:04 localhost charon: 00[DMN] signal of type SIGINT received. Shutting down
Jul  8 11:47:06 localhost charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-642.1.1.el6.x86_64, x86_64)
Jul  8 11:47:06 localhost charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul  8 11:47:06 localhost charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul  8 11:47:06 localhost charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul  8 11:47:06 localhost charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul  8 11:47:06 localhost charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul  8 11:47:06 localhost charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul  8 11:47:06 localhost charon: 00[CFG]   loaded IKE secret for 41.60.182.160 185.3.95.94
Jul  8 11:47:06 localhost charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Jul  8 11:47:06 localhost charon: 00[JOB] spawning 16 worker threads
Jul  8 11:47:06 localhost charon: 01[NET] waiting for data on sockets
Jul  8 11:47:06 localhost charon: 04[CFG] received stroke: add connection 'CRYSTALINE-gateway1'
Jul  8 11:47:06 localhost charon: 04[CFG] conn CRYSTALINE-gateway1
Jul  8 11:47:06 localhost charon: 04[CFG]   left=41.60.182.160
Jul  8 11:47:06 localhost charon: 04[CFG]   leftsubnet=192.168.1.5/32
Jul  8 11:47:06 localhost charon: 04[CFG]   leftauth=psk
Jul  8 11:47:06 localhost charon: 04[CFG]   leftid=41.60.182.160
Jul  8 11:47:06 localhost charon: 04[CFG]   right=185.3.95.94
Jul  8 11:47:06 localhost charon: 04[CFG]   rightsubnet=172.30.200.177/32
Jul  8 11:47:06 localhost charon: 04[CFG]   rightauth=psk
Jul  8 11:47:06 localhost charon: 04[CFG]   rightid=185.3.95.94
Jul  8 11:47:06 localhost charon: 04[CFG]   ike=3des-sha1-modp1024!
Jul  8 11:47:06 localhost charon: 04[CFG]   esp=3des-sha1!
Jul  8 11:47:06 localhost charon: 04[CFG]   dpddelay=30
Jul  8 11:47:06 localhost charon: 04[CFG]   dpdtimeout=150
Jul  8 11:47:06 localhost charon: 04[CFG]   mediation=no
Jul  8 11:47:06 localhost charon: 04[CFG]   keyexchange=ikev1
Jul  8 11:47:06 localhost charon: 04[CFG] left nor right host is our side, assuming left=local
Jul  8 11:47:06 localhost charon: 04[CFG] added configuration 'CRYSTALINE-gateway1'
Jul  8 11:47:06 localhost charon: 05[CFG] received stroke: route 'CRYSTALINE-gateway1'
Jul  8 11:47:06 localhost charon: 05[CFG] proposing traffic selectors for us:
Jul  8 11:47:06 localhost charon: 05[CFG]  192.168.1.5/32
Jul  8 11:47:06 localhost charon: 05[CFG] proposing traffic selectors for other:
Jul  8 11:47:06 localhost charon: 05[CFG]  172.30.200.177/32
Jul  8 11:47:06 localhost charon: 05[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Jul  8 11:47:11 localhost charon: 08[CFG] received stroke: initiate 'CRYSTALINE-gateway1'
Jul  8 11:47:11 localhost charon: 11[IKE] queueing ISAKMP_VENDOR task
Jul  8 11:47:11 localhost charon: 11[IKE] queueing ISAKMP_CERT_PRE task
Jul  8 11:47:11 localhost charon: 11[IKE] queueing MAIN_MODE task
Jul  8 11:47:11 localhost charon: 11[IKE] queueing ISAKMP_CERT_POST task
Jul  8 11:47:11 localhost charon: 11[IKE] queueing ISAKMP_NATD task
Jul  8 11:47:11 localhost charon: 11[IKE] queueing QUICK_MODE task
Jul  8 11:47:11 localhost charon: 11[IKE] activating new tasks
Jul  8 11:47:11 localhost charon: 11[IKE]   activating ISAKMP_VENDOR task
Jul  8 11:47:11 localhost charon: 11[IKE]   activating ISAKMP_CERT_PRE task
Jul  8 11:47:11 localhost charon: 11[IKE]   activating MAIN_MODE task
Jul  8 11:47:11 localhost charon: 11[IKE]   activating ISAKMP_CERT_POST task
Jul  8 11:47:11 localhost charon: 11[IKE]   activating ISAKMP_NATD task
Jul  8 11:47:11 localhost charon: 11[IKE] sending XAuth vendor ID
Jul  8 11:47:11 localhost charon: 11[IKE] sending DPD vendor ID
Jul  8 11:47:11 localhost charon: 11[IKE] sending NAT-T (RFC 3947) vendor ID
Jul  8 11:47:11 localhost charon: 11[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jul  8 11:47:11 localhost charon: 11[IKE] initiating Main Mode IKE_SA CRYSTALINE-gateway1[1] to 185.3.95.94
Jul  8 11:47:11 localhost charon: 11[IKE] IKE_SA CRYSTALINE-gateway1[1] state change: CREATED => CONNECTING
Jul  8 11:47:11 localhost charon: 11[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul  8 11:47:11 localhost charon: 11[ENC] generating ID_PROT request 0 [ SA V V V V ]
Jul  8 11:47:11 localhost charon: 11[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500] (152 bytes)
Jul  8 11:47:11 localhost charon: 03[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500]
Jul  8 11:47:11 localhost charon: 03[NET] error writing to socket: Invalid argument
Jul  8 11:47:15 localhost charon: 10[IKE] sending retransmit 1 of request message ID 0, seq 1
Jul  8 11:47:15 localhost charon: 10[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500] (152 bytes)
Jul  8 11:47:15 localhost charon: 03[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500]
Jul  8 11:47:15 localhost charon: 03[NET] error writing to socket: Invalid argument
Jul  8 11:47:22 localhost charon: 14[IKE] sending retransmit 2 of request message ID 0, seq 1
Jul  8 11:47:22 localhost charon: 14[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500] (152 bytes)
Jul  8 11:47:22 localhost charon: 03[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500]
Jul  8 11:47:22 localhost charon: 03[NET] error writing to socket: Invalid argument
Jul  8 11:47:35 localhost charon: 12[IKE] sending retransmit 3 of request message ID 0, seq 1
Jul  8 11:47:35 localhost charon: 12[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500] (152 bytes)
Jul  8 11:47:35 localhost charon: 03[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500]
Jul  8 11:47:35 localhost charon: 03[NET] error writing to socket: Invalid argument
Jul  8 11:47:58 localhost charon: 15[IKE] sending retransmit 4 of request message ID 0, seq 1
Jul  8 11:47:58 localhost charon: 15[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500] (152 bytes)
Jul  8 11:47:58 localhost charon: 03[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500]
Jul  8 11:47:58 localhost charon: 03[NET] error writing to socket: Invalid argument
Jul  8 11:48:16 localhost charon: 01[NET] received packet: from 185.3.95.94[500] to 192.168.100.2[500]
Jul  8 11:48:16 localhost charon: 01[NET] waiting for data on sockets
Jul  8 11:48:16 localhost charon: 13[NET] received packet: from 185.3.95.94[500] to 192.168.100.2[500] (152 bytes)
Jul  8 11:48:16 localhost charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Jul  8 11:48:16 localhost charon: 13[CFG] looking for an ike config for 192.168.100.2...185.3.95.94
Jul  8 11:48:16 localhost charon: 13[IKE] no IKE config found for 192.168.100.2...185.3.95.94, sending NO_PROPOSAL_CHOSEN
Jul  8 11:48:16 localhost charon: 13[ENC] generating INFORMATIONAL_V1 request 409253792 [ N(NO_PROP) ]
Jul  8 11:48:16 localhost charon: 13[NET] sending packet: from 192.168.100.2[500] to 185.3.95.94[500] (40 bytes)
Jul  8 11:48:16 localhost charon: 13[IKE] IKE_SA (unnamed)[2] state change: CREATED => DESTROYING
Jul  8 11:48:16 localhost charon: 03[NET] sending packet: from 192.168.100.2[500] to 185.3.95.94[500]
Jul  8 11:48:38 localhost charon: 06[CFG] received stroke: initiate 'CRYSTALINE-gateway1'
Jul  8 11:48:38 localhost charon: 07[IKE] queueing QUICK_MODE task
Jul  8 11:48:38 localhost charon: 07[IKE] delaying task initiation, ID_PROT exchange in progress
Jul  8 11:48:40 localhost charon: 05[IKE] sending retransmit 5 of request message ID 0, seq 1
Jul  8 11:48:40 localhost charon: 05[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500] (152 bytes)
Jul  8 11:48:40 localhost charon: 03[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500]
Jul  8 11:48:40 localhost charon: 03[NET] error writing to socket: Invalid argument
Jul  8 11:49:56 localhost charon: 09[IKE] giving up after 5 retransmits
Jul  8 11:49:56 localhost charon: 09[IKE] establishing IKE_SA failed, peer not responding
Jul  8 11:49:56 localhost charon: 09[IKE] IKE_SA CRYSTALINE-gateway1[1] state change: CONNECTING => DESTROYING
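Added example, not part of the post above and not strongSwan's own code. The log shows one mistake producing two symptoms: charon itself warns "left nor right host is our side, assuming left=local", every send "from 41.60.182.160[500]" fails with "error writing to socket: Invalid argument" because the kernel on 192.168.100.2 does not own the router's public address and refuses to send from it, and the peer's reply that the router forwards arrives at 192.168.100.2, where "no IKE config found for 192.168.100.2...185.3.95.94" matches no conn, so charon answers NO_PROPOSAL_CHOSEN. The script parses a condensed copy of those log lines (constructed from the post, unwrapped to one message per line as charon writes them), pairs each socket error with the send attempt on the same thread, and prints the conn block rewritten with left= set to the address the host really has and leftid= kept at the public address, so the peer's rightid=41.60.182.160 and the ipsec.secrets selector for that address stay valid. That port forwarding on the router is destination NAT, so charon's NAT-D check will move the exchange to UDP/4500 and the router must forward both UDP/500 and UDP/4500 to 192.168.100.2, is my reading of the setup rather than anything the post states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the post's log condensed to one line per message, which is
# how charon writes it (the list archive wrapped each message over two lines).
SAMPLE_LOG = """\
Jul  8 11:47:06 localhost charon: 04[CFG] conn CRYSTALINE-gateway1
Jul  8 11:47:06 localhost charon: 04[CFG]   left=41.60.182.160
Jul  8 11:47:06 localhost charon: 04[CFG]   leftid=41.60.182.160
Jul  8 11:47:06 localhost charon: 04[CFG]   right=185.3.95.94
Jul  8 11:47:06 localhost charon: 04[CFG]   rightid=185.3.95.94
Jul  8 11:47:06 localhost charon: 04[CFG]   keyexchange=ikev1
Jul  8 11:47:06 localhost charon: 04[CFG] left nor right host is our side, assuming left=local
Jul  8 11:47:11 localhost charon: 11[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500] (152 bytes)
Jul  8 11:47:11 localhost charon: 03[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500]
Jul  8 11:47:11 localhost charon: 03[NET] error writing to socket: Invalid argument
Jul  8 11:47:15 localhost charon: 03[NET] sending packet: from 41.60.182.160[500] to 185.3.95.94[500]
Jul  8 11:47:15 localhost charon: 03[NET] error writing to socket: Invalid argument
Jul  8 11:48:16 localhost charon: 13[NET] received packet: from 185.3.95.94[500] to 192.168.100.2[500] (152 bytes)
Jul  8 11:48:16 localhost charon: 13[IKE] no IKE config found for 192.168.100.2...185.3.95.94, sending NO_PROPOSAL_CHOSEN
"""

MSG_RE = re.compile(r"charon: (\d+)\[(\w+)\] (.*)$")  # thread, subsystem, message
SETTING_RE = re.compile(r"^\s+(\w+)=(\S+)$")          # "  left=41.60.182.160"
SEND_RE = re.compile(r"^sending packet: from (\S+)\[\d+\] to \S+\[\d+\]")
RECV_RE = re.compile(r"^received packet: from \S+\[\d+\] to (\S+)\[\d+\]")
NO_CONFIG_RE = re.compile(r"^no IKE config found for (\S+)\.\.\.\S+,")

# UDP ports the router must forward to the host. ESP (IP protocol 50) is not
# needed: port forwarding is destination NAT, NAT-D detects it, and charon then
# carries ESP inside UDP/4500 (assumption about the setup, not stated in the post).
REQUIRED_UDP_FORWARDS = (500, 4500)


@dataclass
class LogFacts:
    conn: str = None
    settings: dict = field(default_factory=dict)      # conn as charon echoed it
    failed_sends: dict = field(default_factory=dict)  # source addr -> EINVAL count
    local_addrs: set = field(default_factory=set)     # addrs the kernel delivered IKE to


@dataclass
class Diagnosis:
    configured_left: str  # what ipsec.conf says
    observed_local: str   # where the peer's packets actually arrived
    einval_sends: int


def parse_charon_log(lines):
    facts = LogFacts()
    last_send_src = {}  # thread id -> source address of that thread's last send attempt
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        thread, subsys, msg = m.groups()
        if subsys == "CFG":
            s = SETTING_RE.match(msg)
            if msg.startswith("conn "):
                facts.conn = msg[5:]
            elif s:
                facts.settings[s.group(1)] = s.group(2)
        elif subsys == "NET":
            s, r = SEND_RE.match(msg), RECV_RE.match(msg)
            if s:
                last_send_src[thread] = s.group(1)
            elif r:
                facts.local_addrs.add(r.group(1))
            elif msg.startswith("error writing to socket:") and thread in last_send_src:
                src = last_send_src[thread]
                facts.failed_sends[src] = facts.failed_sends.get(src, 0) + 1
        elif subsys == "IKE":
            n = NO_CONFIG_RE.match(msg)
            if n:
                facts.local_addrs.add(n.group(1))
    return facts


def diagnose(facts):
    """None unless left= is an address this host cannot send from (EINVAL on
    every attempt) while inbound IKE reached some other local address."""
    left = facts.settings.get("left")
    if left is None or left not in facts.failed_sends:
        return None
    others = sorted(facts.local_addrs - {left})
    if not others:
        return None
    return Diagnosis(left, others[0], facts.failed_sends[left])


def suggested_conn(facts, diag):
    """Bind to the real local address; keep the public address as the IKE
    identity so the peer's rightid and the ipsec.secrets selector still match."""
    settings = dict(facts.settings)
    settings["left"] = diag.observed_local
    settings.setdefault("leftid", diag.configured_left)
    return "\n".join([f"conn {facts.conn}"] + [f"    {k}={v}" for k, v in settings.items()])


if __name__ == "__main__":
    facts = parse_charon_log(SAMPLE_LOG.splitlines())
    diag = diagnose(facts)
    if diag is None:
        print("no left-address mismatch in this log")
    else:
        print(f"left={diag.configured_left} is not local: {diag.einval_sends} sends failed "
              f"with EINVAL, inbound IKE arrived at {diag.observed_local}\n")
        print(suggested_conn(facts, diag))
        print(f"\nrouter must forward UDP {REQUIRED_UDP_FORWARDS} to {diag.observed_local}")
```

Feed a real /var/log/messages excerpt to parse_charon_log() instead of the embedded sample to check a live box. left=%defaultroute does the same job as the literal LAN address if the host's address may change; the important half is leftid=41.60.182.160, without which charon would send 192.168.100.2 as its identity and the peer's rightid check would fail.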