[strongSwan] Win7 and Window10Mobile: IKE authentication credentials are unacceptable

Tobias Brunner tobias at strongswan.org
Fri May 6 15:16:05 CEST 2016


Hi Arne,

> My router has ports 500/4500 fwd to 192.168.0.3 (both TCP/UDP)

Only UDP is required.

> and the ESP protocol is bound to 192.168.0.3

Not needed as ESP will be UDP encapsulated and sent to port 4500 due to
the NAT.

> I added following nat POSTROUTING according to [1] (tried with -s 172.10.1.0/24 and now omitted the -s completely)

To avoid conflicts you should probably add -s.  If you capture traffic
on the server do you see packets getting natted properly?

> $ iptables -L -t nat

You can check the counters with -v to see if any of the rules matched.

> These are the FORWARD policies applied due to leftfirewall=yes (leftfirewall=no doesn't work, as well)

Since the policy of the FORWARD chain is set to ACCEPT the rules added
via leftfirewall serve no purpose, so disabling it is fine as well (but
you should see the counters increase if they are installed).

Can you reach the VPN server itself from the client (i.e. 192.168.0.3)?
What about the router (192.168.0.1)?  If not, what exactly happens with
the packets (try tcpdump/wireshark, or [1])?

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
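The checks Tobias suggests (restrict the POSTROUTING rule with -s, read the counters with -v, confirm the FORWARD policy, capture IKE and NAT-T on the VPN host) as a small shell script. This is an added example, not part of the reply above nor strongSwan's own code: the pool 172.10.1.0/24 is the one Arne mentions, the interface name eth0 and the iptables output it parses are constructed for this example, and the ACCEPT rule with `-m policy --pol ipsec` ahead of MASQUERADE is the pairing strongSwan's forwarding wiki page documents, so a second IPsec tunnel's traffic is not NATed.

```shell
#!/bin/sh
# Added example (not from the mailing-list reply or strongSwan): the checks
# from the mail as functions that run against captured iptables output.
# 172.10.1.0/24 comes from the thread; eth0 and the sample output below are
# assumptions / constructed for this example.

VPN_POOL="172.10.1.0/24"   # client pool Arne uses for -s
WAN_IF="eth0"              # assumed outbound interface of the VPN host

# POSTROUTING rules limited to the pool (the -s Tobias recommends). The first
# rule leaves alone traffic that is itself about to be IPsec-protected, the
# second masquerades everything else from the pool.
nat_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -m policy --dir out --pol ipsec -j ACCEPT\n' "$VPN_POOL" "$WAN_IF"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$VPN_POOL" "$WAN_IF"
}

# Packet counter of the MASQUERADE rule for a source network, read from
# `iptables -t nat -L POSTROUTING -v -n` on stdin
# (columns: pkts bytes target prot opt in out source destination ...).
masq_pkts() {
    awk -v src="$1" '$3 == "MASQUERADE" && $8 == src { print $1; found = 1 }
                     END { if (!found) print 0 }'
}

# Default policy of a chain, from its "Chain NAME (policy X ...)" header.
chain_policy() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain { print $4 }'
}

# Capture filter for the VPN host: IKE (500), NAT-T / UDP-encapsulated ESP
# (4500) and plain ESP, which should not show up behind the NAT.
vpn_capture_filter() {
    echo "udp port 500 or udp port 4500 or ip proto esp"
}

# Constructed sample of `iptables -t nat -L POSTROUTING -v -n`.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    172.10.1.0/24        0.0.0.0/0            policy match dir out pol ipsec
   42  3360 MASQUERADE  all  --  *      eth0    172.10.1.0/24        0.0.0.0/0'

# Constructed sample of `iptables -L FORWARD -v -n` with leftfirewall=yes.
SAMPLE_FWD='Chain FORWARD (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       172.10.1.0/24        0.0.0.0/0            policy match dir in pol ipsec reqid 1 proto esp'

# Read the counters the way Tobias suggests and say what they mean.
nat_report() {
    n=$(printf '%s\n' "$SAMPLE_NAT" | masq_pkts "$VPN_POOL")
    if [ "$n" -gt 0 ]; then
        echo "MASQUERADE for $VPN_POOL matched $n packets: NAT is applied"
    else
        echo "MASQUERADE for $VPN_POOL never matched: client traffic is not reaching POSTROUTING"
    fi
    if [ "$(printf '%s\n' "$SAMPLE_FWD" | chain_policy FORWARD)" = "ACCEPT" ]; then
        echo "FORWARD policy is ACCEPT: leftfirewall rules are redundant here"
    fi
}

nat_rules
nat_report
echo "tcpdump -ni $WAN_IF '$(vpn_capture_filter)'"
```

Run it on the real host by replacing the constructed samples with `iptables -t nat -L POSTROUTING -v -n` and `iptables -L FORWARD -v -n`; a zero counter on the MASQUERADE rule while the client can ping 192.168.0.3 points at routing or the FORWARD path rather than at NAT.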
