[strongSwan] No CHILD_SA tunnel{2} established with nat public IP

Info infosec at quantum-equities.com
Tue Mar 13 16:43:32 CET 2018


No one is using swanctl yet?


On 03/13/2018 06:09 AM, Sujoy wrote:
> Hi All,
>  
>   I am facing an issue while establishing a tunnel through the NATed public
> IP. When I connect to the same strongSwan server from the LAN I get
> "CHILD_SA tunnel{2} established with SPIs cb7bd615_i c3fb87d7_o and
> TS 172.25.12.38/32 == 172.25.1.23/32". But from the public network,
> "IKE_SA tunnel" is established but "CHILD_SA tunnel" is not displayed.
> Even during the public-IP tunneling, "ip route list table 220" gives no
> output on the server. Because of that, traffic is not passing either.
> The configuration file is the same for both clients. It would be a big
> help if someone could provide a solution.
>
>
> root at Device_BD2009:~# ipsec up tunnel
> no files found matching '/etc/strongswan.d/*.conf'
> initiating IKE_SA tunnel[1] to X.X.X.X
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) ]
> sending packet: from 192.168.1.100[500] to X.X.X.X[500] (1080 bytes)
> received packet: from X.X.X.X[500] to 192.168.1.100[500] (464 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> remote host is behind NAT
> authentication of '192.168.1.100' (myself) with pre-shared key
> establishing CHILD_SA tunnel
> generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH)
> N(EAP_ONLY) ]
> sending packet: from 192.168.1.100[4500] to X.X.X.X[4500] (332 bytes)
> received packet: from X.X.X.X[4500] to 192.168.1.100[4500] (220 bytes)
> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
> authentication of 'X.X.X.X' with pre-shared key successful
> IKE_SA tunnel[1] established between
> 192.168.1.100[192.168.1.100]...X.X.X.X[X.X.X.X]
> scheduling reauthentication in 10015s
> maximum IKE_SA lifetime 10555s
> connection 'tunnel' established successfully
>
>
> config setup
>         charondebug="all"
>         uniqueids=no
>         strictcrlpolicy=no
>
> conn %default
>
> conn tunnel
>         left=192.168.1.100
>         leftsubnet=192.168.1.100/32
>         right=X.X.X.X
>         rightsubnet=X.X.X.X/32
>         ike=aes256-sha1-modp2048
>         esp=aes256-sha1
>         keyingtries=1
>         keylife=60m
>         dpddelay=30s
>         dpdtimeout=150s
>         dpdaction=clear
>         authby=psk
>         auto=route
>         keyexchange=ikev2
>         type=tunnel
>         mobike=no
>         fragmentation=yes
>
> -- 
> Thanks in advance.

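An added diagnostic for the symptom in the quoted post (not code from the post or from strongSwan): it parses `ipsec up` / charon output of the kind shown above and separates a working tunnel (IKE_SA plus CHILD_SA) from the "IKE_SA up, no CHILD_SA" case, which charon still closes with "connection established successfully". The two sample transcripts are constructed from the lines quoted in the post.

```python
import re

# Constructed from the failing public-IP run quoted in the post (abridged, X.X.X.X kept).
PUBLIC_LOG = """\
initiating IKE_SA tunnel[1] to X.X.X.X
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA tunnel
sending packet: from 192.168.1.100[4500] to X.X.X.X[4500] (332 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
IKE_SA tunnel[1] established between 192.168.1.100[192.168.1.100]...X.X.X.X[X.X.X.X]
connection 'tunnel' established successfully
"""

# Constructed from the working LAN run: the CHILD_SA line the post quotes, plus the usual IKE_SA lines.
LAN_LOG = """\
IKE_SA tunnel[1] established between 172.25.12.38[172.25.12.38]...172.25.1.23[172.25.1.23]
CHILD_SA tunnel{2} established with SPIs cb7bd615_i c3fb87d7_o and TS 172.25.12.38/32 === 172.25.1.23/32
connection 'tunnel' established successfully
"""

CHILD_RE = re.compile(
    r"CHILD_SA (?P<name>\S+)\{(?P<reqid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<ts_local>\S+) ={2,3} (?P<ts_remote>\S+)")
IKE_RE = re.compile(r"IKE_SA (\S+)\[\d+\] established between")
NOTIFY_RE = re.compile(r"N\(([A-Z_0-9]+)\)")  # notify payloads listed in a parsed message


def parse_charon_log(text):
    """Summarise a charon transcript: SA state, NAT detection, UDP/4500 use, IKE_AUTH notifies."""
    result = {"ike_sa": False, "child_sas": [], "local_nat": False, "remote_nat": False,
              "nat_t_port": False, "auth_notifies": []}
    for line in text.splitlines():
        if IKE_RE.search(line):
            result["ike_sa"] = True
        m = CHILD_RE.search(line)
        if m:  # one entry per CHILD_SA, with SPIs and the negotiated traffic selectors
            result["child_sas"].append(m.groupdict())
        if "local host is behind NAT" in line:
            result["local_nat"] = True
        if "remote host is behind NAT" in line:
            result["remote_nat"] = True
        if re.search(r"\[4500\]", line):  # traffic moved to the NAT-T port
            result["nat_t_port"] = True
        if line.startswith("parsed IKE_AUTH response"):
            result["auth_notifies"] = NOTIFY_RE.findall(line)
    return result


def diagnose(text):
    """'up' = IKE_SA and CHILD_SA; 'ike-only' = the post's symptom; 'down' = no IKE_SA."""
    r = parse_charon_log(text)
    if not r["ike_sa"]:
        return "down"
    return "up" if r["child_sas"] else "ike-only"
```

When the result is `ike-only`, the `auth_notifies` list shows which notify payloads the responder returned in IKE_AUTH, and the absence of any CHILD_SA entry matches the empty `ip route list table 220` the post reports.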

