[strongSwan] No CHILD_SA tunnel{2} established with nat public IP

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Mar 22 23:37:13 CET 2018


Hello,

Some old versions of strongSwan didn't verify the existence of the tunnel when success or failure was reported. That only pertained to the stroke interface. The provided output only shows the IKE SAs going up. Configure logging and provide logs as shown on the HelpRequests page.

Kind regards

Noel

On 13.03.2018 14:09, Sujoy wrote:
> Hi All,
>  
>   I am facing an issue while establishing a tunnel through the NATed public IP. When I connect to the same strongSwan server from the LAN I get "CHILD_SA tunnel{2} established with SPIs cb7bd615_i c3fb87d7_o and TS 172.25.12.38/32 == 172.25.1.23/32". But from the public network "IKE_SA tunnel is established" is shown but "CHILD_SA tunnel" is not displayed. Even during the public IP tunneling, "ip route list table 220" gives no output on the server. Due to that, traffic is also not passing.
> The configuration file is the same for both clients. It will be a big help if someone can provide any solution.
>
>
> root at Device_BD2009:~# ipsec up tunnel
> no files found matching '/etc/strongswan.d/*.conf'
> initiating IKE_SA tunnel[1] to X.X.X.X
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
> sending packet: from 192.168.1.100[500] to X.X.X.X[500] (1080 bytes)
> received packet: from X.X.X.X[500] to 192.168.1.100[500] (464 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> local host is behind NAT, sending keep alives
> remote host is behind NAT
> authentication of '192.168.1.100' (myself) with pre-shared key
> establishing CHILD_SA tunnel
> generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.1.100[4500] to X.X.X.X[4500] (332 bytes)
> received packet: from X.X.X.X[4500] to 192.168.1.100[4500] (220 bytes)
> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
> authentication of 'X.X.X.X' with pre-shared key successful
> IKE_SA tunnel[1] established between 192.168.1.100[192.168.1.100]...X.X.X.X[X.X.X.X]
> scheduling reauthentication in 10015s
> maximum IKE_SA lifetime 10555s
> connection 'tunnel' established successfully
>
>
> config setup
>
>         charondebug="all"
>         uniqueids=no
>         strictcrlpolicy=no
> conn %default
> conn tunnel #
>        left=192.168.1.100
>        leftsubnet=192.168.1.100/32
>        right=X.X.X.X
>        rightsubnet=X.X.X.X/32
>        ike=aes256-sha1-modp2048
>        esp=aes256-sha1
>        keyingtries=1
>        keylife=60m
>        dpddelay=30s
>        dpdtimeout=150s
>        dpdaction=clear
>        authby=psk
>        auto=route
>        keyexchange=ikev2
>        type=tunnel
>        mobike=no
>        fragmentation=yes
>
> -- 
> Thanks in advance.
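The quoted `ipsec up` output ends in "connection 'tunnel' established successfully" even though no CHILD_SA line appears, which is exactly the case Noel describes. As an added example (not from this thread or from the strongSwan project), this small Python checker parses such client-side output, records the NAT detection, and flags an IKE_SA that came up without a CHILD_SA; the two samples inside it are constructed from the lines quoted in this thread.

```python
import re

# Constructed sample modelled on the "ipsec up" output quoted in the thread:
# the IKE_SA comes up and success is reported, but no CHILD_SA line appears.
NO_CHILD = """\
initiating IKE_SA tunnel[1] to X.X.X.X
local host is behind NAT, sending keep alives
remote host is behind NAT
establishing CHILD_SA tunnel
IKE_SA tunnel[1] established between 192.168.1.100[192.168.1.100]...X.X.X.X[X.X.X.X]
connection 'tunnel' established successfully
"""

# Constructed sample of the working LAN case from the same thread.
WITH_CHILD = """\
IKE_SA tunnel[1] established between 172.25.12.38[172.25.12.38]...172.25.1.23[172.25.1.23]
CHILD_SA tunnel{2} established with SPIs cb7bd615_i c3fb87d7_o and TS 172.25.12.38/32 == 172.25.1.23/32
connection 'tunnel' established successfully
"""

IKE_RE = re.compile(r"^IKE_SA (\S+)\[(\d+)\] established between")
# The TS separator is matched as one or more '=' so both "==" and "===" parse.
CHILD_RE = re.compile(r"^CHILD_SA (\S+)\{(\d+)\} established with SPIs (\w+_i) (\w+_o)"
                      r" and TS (.+?) =+ (.+)$")

def analyze(output):
    """Return what actually came up in one 'ipsec up' run."""
    r = {"ike_sa": None, "child_sa": None, "local_nat": False,
         "remote_nat": False, "reported_success": False}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("local host is behind NAT"):
            r["local_nat"] = True
        elif line.startswith("remote host is behind NAT"):
            r["remote_nat"] = True
        elif line.endswith("established successfully"):
            r["reported_success"] = True
        m = IKE_RE.match(line)
        if m:
            r["ike_sa"] = {"conn": m.group(1), "id": int(m.group(2))}
        m = CHILD_RE.match(line)
        if m:
            r["child_sa"] = {"conn": m.group(1), "id": int(m.group(2)),
                             "spi_in": m.group(3), "spi_out": m.group(4),
                             "ts_local": m.group(5), "ts_remote": m.group(6)}
    # "established successfully" alone proves nothing; require a CHILD_SA.
    r["tunnel_up"] = r["child_sa"] is not None
    return r
```

Calling `analyze()` on the NAT sample reports `reported_success` but `tunnel_up` False, so the script distinguishes the misleading success message from a tunnel that actually carries traffic.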
