[strongSwan] local host is behind NAT, sending keep alives
Stephen Feyrer
stephen.feyrer at greensill.com
Wed Aug 14 16:16:52 CEST 2019
Hi Team,
An update.
ipsec.conf:
conn officeVPN
    aggressive=yes
    type=transport
    authby=secret
    keyexchange=ikev1
    ike=aes128-sha1-modp2048,aes256-sha1-modp2048!
    left=%defaultroute
    leftsourceip=%config
    modeconfig=push
    leftprotoport=udp/l2tp
    right=50.45.0.51
    rightprotoport=udp/l2tp
    rightid=10.0.0.254
    auto=add
ipsec.secrets:
50.45.0.51 %any : PSK "StrongKey-Honest!"
strongswan.conf:
keep_alive=0
i_dont_care_about_security_and_use_aggressive_mode_psk=yes
$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 00:00:00:00:00:00:00:00:00:08:00:00:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]... 50.54.0.51[10.0.0.254]
scheduling reauthentication in 9761s
maximum IKE_SA lifetime 10301s
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (140 bytes)
received packet: from 50.54.0.51[4500] to 1.0.0.127[4500] (92 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 2109876543 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 3210987654 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 6543210987 [ HASH N(DPD_ACK) ]
Please help, thanks.
--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.feyrer at greensill.com<mailto:stephen.feyrer at greensill.com>
http://www.greensill.com
From: Stephen Feyrer
Sent: 13 August 2019 13:11
To: users at lists.strongswan.org
Subject: local host is behind NAT, sending keep alives
Hey everyone,
I have a laptop tethered via my phone, Ubuntu 18.4. I am unable to establish a connection and none of my research has thus far revealed anything helpful. Please review the below and advise. Other proprietary clients are able to connect without issue.
I have an ipsec.conf file which looks like:
conn officeVPN
    aggressive=yes
    type=tunnel
    authby=secret
    keyexchange=ikev1
    ike=aes128-sha1-modp2048
    esp=aes256-sha256-modp2048
    mobike=no
    left=%defaultroute
    leftsourceip=%config
    modeconfig=push
    leftprotoport=udp/l2tp
    right=50.45.0.51
    rightprotoport=udp/l2tp
    rightid=10.0.0.254
    auto=add
    xauth_identity=user
An ipsec.secrets that looks like:
50.45.0.51 %any : PSK "StrongKey-Honest!"
user %any : XAUTH "password"
An /etc/strongswan.conf that has the following line:
i_dont_care_about_security_and_use_aggressive_mode_psk=yes
Then the ipsec up officeVPN command is run:
$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 00:00:00:00:00:00:00:00:00:08:00:00:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]... 50.54.0.51[10.0.0.254]
scheduling reauthentication in 9761s
maximum IKE_SA lifetime 10301s
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet: from 50.54.0.51[4500] to 1.0.0.127[4500] (76 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (76 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 2109876543 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 3210987654 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 6543210987 [ HASH N(DPD_ACK) ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
deleting IKE_SA officeVPN[1] between 1.0.0.127[1.0.0.127]... 50.54.0.51[10.0.0.254]
sending DELETE for IKE_SA officeVPN[1]
parsed INFORMATIONAL_V1 request 5432109876 [ HASH D ]
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
establishing connection 'officeVPN' failed
Thank you.
--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.feyrer at greensill.com<mailto:stephen.feyrer at greensill.com>
http://www.greensill.com
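An added example, not from this thread or from the strongSwan project: a small Python pass over charon output like the logs above that records the NAT detection, the float to UDP/4500, and how many packets the peer still sends from UDP/500 after that float (as the DPD requests in the log above do), which is the first thing to check on the NAT or peer side. Function and field names are my own; the sample log is a trimmed copy of the lines quoted in the thread.

```python
# Added example (not strongSwan code): summarise charon "ipsec up" output for the NAT-T
# symptoms in this thread: NAT detection, the float to UDP/4500, peer still on UDP/500.
import re

PKT_RE = re.compile(r"^(sending|received) packet: from \S+\[(\d+)\] to \S+\[(\d+)\] \(\d+ bytes\)$")


def analyse_charon_log(lines):
    """Return NAT-T related findings for a sequence of charon log lines."""
    r = {"aggressive_mode": False, "local_nat": False, "remote_nat": False,
         "floated_to_4500": False, "peer_on_500_after_float": 0,
         "keepalives_sent": 0, "dpd_requests": 0, "failed": False}
    for raw in lines:
        line = raw.strip()
        if line.startswith("initiating Aggressive Mode"):
            r["aggressive_mode"] = True
        elif line.startswith("local host is behind NAT"):
            r["local_nat"] = True
        elif line.startswith("remote host is behind NAT"):
            r["remote_nat"] = True
        elif line.startswith("sending keep alive"):
            r["keepalives_sent"] += 1
        elif line.endswith("[ HASH N(DPD) ]"):
            r["dpd_requests"] += 1
        elif line.startswith("establishing connection") and line.endswith("failed"):
            r["failed"] = True
        m = PKT_RE.match(line)
        if not m:
            continue
        direction, sport, dport = m.group(1), int(m.group(2)), int(m.group(3))
        if direction == "sending" and sport == 4500:
            r["floated_to_4500"] = True  # NAT-T port float happened on our side
        elif direction == "received" and r["floated_to_4500"] and sport == 500 and dport == 500:
            r["peer_on_500_after_float"] += 1  # peer (or its NAT) did not follow the float
    return r


# Constructed sample: a trimmed copy of the log lines quoted in this thread.
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
sending packet: from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
local host is behind NAT, sending keep alives
remote host is behind NAT
sending packet: from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet: from 50.54.0.51[4500] to 1.0.0.127[4500] (76 bytes)
sending keep alive to 50.54.0.51[4500]
received packet: from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
establishing connection 'officeVPN' failed
""".splitlines()
```

Feed it the full `ipsec up` output (one line per element) and a non-zero `peer_on_500_after_float` next to `floated_to_4500` points at the remote side or its NAT rather than at the client config.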