[strongSwan] local host is behind NAT, sending keep alives

Stephen Feyrer stephen.feyrer at greensill.com
Wed Aug 14 16:16:52 CEST 2019


Hi Team,

An update.

ipsec.conf:
conn officeVPN
        aggressive=yes
        type=transport
        authby=secret
        keyexchange=ikev1
        ike=aes128-sha1-modp2048,aes256-sha1-modp2048!
        left=%defaultroute
        leftsourceip=%config
        modeconfig=push
        leftprotoport=udp/l2tp
        right=50.45.0.51
        rightprotoport=udp/l2tp
        rightid=10.0.0.254
        auto=add

ipsec.secrets:
50.45.0.51 %any : PSK "StrongKey-Honest!"

strongswan.conf:
charon {
        keep_alive = 0
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}

$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet:    from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 00:00:00:00:00:00:00:00:00:08:00:00:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]... 50.54.0.51[10.0.0.254]
scheduling reauthentication in 9761s
maximum IKE_SA lifetime 10301s
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (140 bytes)
received packet:    from 50.54.0.51[4500] to 1.0.0.127[4500] (92 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 2109876543 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 3210987654 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 6543210987 [ HASH N(DPD_ACK) ]

Please help, thanks.


--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.feyrer at greensill.com
http://www.greensill.com

From: Stephen Feyrer
Sent: 13 August 2019 13:11
To: users at lists.strongswan.org
Subject: local host is behind NAT, sending keep alives

Hey everyone,

I have a laptop tethered via my phone, Ubuntu 18.4.  I am unable to establish a connection and none of my research has thus far revealed anything helpful.  Please review the below and advise.  Other proprietary clients are able to connect without issue.

I have an ipsec.conf file which looks like:

conn officeVPN
        aggressive=yes
        type=tunnel
        authby=secret
        keyexchange=ikev1
        ike=aes128-sha1-modp2048
        esp=aes256-sha256-modp2048
        mobike=no
        left=%defaultroute
        leftsourceip=%config
        modeconfig=push
        leftprotoport=udp/l2tp
        right=50.45.0.51
        rightprotoport=udp/l2tp
        rightid=10.0.0.254
        auto=add
        xauth_identity=user

An ipsec.secrets that looks like:

50.45.0.51 %any : PSK "StrongKey-Honest!"
user %any : XAUTH "password"

An /etc/strongswan.conf that has the following line:

charon {
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}


Then the ipsec up officeVPN command is run:

$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet:    from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 00:00:00:00:00:00:00:00:00:08:00:00:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]... 50.54.0.51[10.0.0.254]
scheduling reauthentication in 9761s
maximum IKE_SA lifetime 10301s
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:    from 50.54.0.51[4500] to 1.0.0.127[4500] (76 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (76 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 2109876543 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 3210987654 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 6543210987 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
deleting IKE_SA officeVPN[1] between 1.0.0.127[1.0.0.127]... 50.54.0.51[10.0.0.254]
sending DELETE for IKE_SA officeVPN[1]
parsed INFORMATIONAL_V1 request 5432109876 [ HASH D ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
establishing connection 'officeVPN' failed

Thank you.


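A small log analyser, added here as an example and not code from the thread or from strongSwan, that runs over a constructed excerpt of the charon output quoted above. It reports the two things a reader of these logs would check first: whether Quick Mode (Phase 2) was ever started after the IKE_SA came up, and whether the peer kept answering from UDP 500 after both sides had floated to UDP 4500. The names SAMPLE_LOG, analyse and findings are assumptions of this example.

```python
import re
from collections import Counter

# Constructed excerpt of the charon output quoted in the thread (addresses as posted there).
SAMPLE_LOG = """\
sending packet:    from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]... 50.54.0.51[10.0.0.254]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
sending keep alive to 50.54.0.51[4500]
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
sending keep alive to 50.54.0.51[4500]
establishing connection 'officeVPN' failed
"""

PKT = re.compile(r"^(sending|received) packet:\s+from \S+\[(\d+)\] to \S+\[(\d+)\]")

def analyse(log):
    s = Counter()
    floated = False  # set once we have sent anything on UDP 4500 (NAT-T float)
    for line in log.splitlines():
        m = PKT.match(line)
        if m:
            direction, src, dst = m.group(1), int(m.group(2)), int(m.group(3))
            if direction == "sending" and dst == 4500:
                floated = True
            elif direction == "received" and floated and src == 500:
                s["peer_on_500_after_float"] += 1  # peer ignored the port float
        elif line.startswith("sending keep alive"):
            s["keepalives"] += 1
        elif "N(DPD)" in line:
            s["dpd_requests"] += 1  # N(DPD_ACK) lines do not match this substring
        elif "established between" in line:
            s["ike_sa_established"] += 1
        elif "QUICK_MODE" in line:
            s["quick_mode"] += 1
        elif line.startswith("establishing connection") and line.endswith("failed"):
            s["failed"] += 1
    return s

def findings(s):
    out = []
    if s["ike_sa_established"] and not s["quick_mode"]:
        out.append("IKE_SA established but no Quick Mode (Phase 2) was ever started")
    if s["peer_on_500_after_float"]:
        out.append("peer answered from UDP 500 after we floated to 4500")
    return out
```

Run it against the full log of the original post (not just the excerpt) by reading the file into analyse; both findings fire there as well, since no QUICK_MODE line ever appears and every DPD arrives from port 500.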


