[strongSwan] No CHILD_SA tunnel{2} established with nat public IP
Sujoy
sujoy.b at mindlogicx.com
Tue Mar 13 14:09:34 CET 2018
Hi All,
I am facing an issue while establishing a tunnel through the NATed public
IP. When I connect to the same strongSwan server from the LAN I get
"CHILD_SA tunnel{2} established with SPIs cb7bd615_i c3fb87d7_o and TS
172.25.12.38/32 == 172.25.1.23/32". But from the public network "IKE_SA
tunnel is established but CHILD_SA tunnel" is not displayed. Even during
the public IP tunneling, "ip route list table 220" gives no output on the
server. Due to that, traffic is also not passing.
The configuration file is the same for both clients. It will be a big help
if someone can provide any solution.
root@Device_BD2009:~# ipsec up tunnel
no files found matching '/etc/strongswan.d/*.conf'
initiating IKE_SA tunnel[1] to X.X.X.X
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
sending packet: from 192.168.1.100[500] to X.X.X.X[500] (1080 bytes)
received packet: from X.X.X.X[500] to 192.168.1.100[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '192.168.1.100' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.100[4500] to X.X.X.X[4500] (332 bytes)
received packet: from X.X.X.X[4500] to 192.168.1.100[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of 'X.X.X.X' with pre-shared key successful
IKE_SA tunnel[1] established between 192.168.1.100[192.168.1.100]...X.X.X.X[X.X.X.X]
scheduling reauthentication in 10015s
maximum IKE_SA lifetime 10555s
connection 'tunnel' established successfully
config setup
    charondebug="all"
    uniqueids=no
    strictcrlpolicy=no

conn %default

conn tunnel #
    left=192.168.1.100
    leftsubnet=192.168.1.100/32
    right=X.X.X.X
    rightsubnet=X.X.X.X/32
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    keyingtries=1
    keylife=60m
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=clear
    authby=psk
    auto=route
    keyexchange=ikev2
    type=tunnel
    mobike=no
    fragmentation=yes
--
Thanks in advance.
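
The symptom described in the message above (IKE_SA up, no CHILD_SA line) can be checked mechanically; the following is an added example, not part of the original post. The helper name `summarize` and the two sample outputs are assumptions: the samples are constructed from lines quoted in the post, with the LAN IKE_SA line made up using placeholder endpoints.

```python
import re

# Patterns for charon messages as they appear in the outputs quoted in the post.
IKE_RE = re.compile(r"IKE_SA (\S+)\[\d+\] established between")
CHILD_RE = re.compile(r"CHILD_SA (\S+)\{\d+\} established with SPIs "
                      r"(\w+)_i (\w+)_o and TS (\S+) ={2,3} (\S+)")
# charon's message when the peer rejects the CHILD_SA part of IKE_AUTH.
NOTIFY_RE = re.compile(r"received (\w+) notify, no CHILD_SA built")


def summarize(output):
    """Classify `ipsec up <conn>` output (hypothetical helper)."""
    flat = " ".join(output.split())  # undo e-mail/terminal line wrapping
    children = [
        {"name": m[1], "spi_in": m[2], "spi_out": m[3], "ts": (m[4], m[5])}
        for m in CHILD_RE.finditer(flat)
    ]
    if IKE_RE.search(flat) is None:
        verdict = "ike_failed"
    elif children:
        verdict = "ok"
    else:
        verdict = "ike_only"  # the symptom reported from the public network
    return {
        "verdict": verdict,
        "child_sas": children,
        "local_nat": "local host is behind NAT" in flat,
        "remote_nat": "remote host is behind NAT" in flat,
        "reject_notifies": NOTIFY_RE.findall(flat),
    }


# Constructed sample: lines taken from the public-network output in the post.
WAN_OUTPUT = """\
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA tunnel
IKE_SA tunnel[1] established between
192.168.1.100[192.168.1.100]...X.X.X.X[X.X.X.X]
connection 'tunnel' established successfully
"""
# Constructed sample: IKE_SA line is a placeholder, CHILD_SA line is from the post.
LAN_OUTPUT = """\
IKE_SA tunnel[1] established between A[A]...B[B]
CHILD_SA tunnel{2} established with SPIs cb7bd615_i c3fb87d7_o and TS
172.25.12.38/32 == 172.25.1.23/32
"""
```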