[strongSwan] Net to net double nat problem
anickname
anickname at gmail.com
Mon May 25 16:03:31 CEST 2020
Hello,
I am trying to implement an IPsec tunnel between two networks (A, B). Network
A should access hosts on network B:
+---------------+     +---------------------------------+      +------------------------+
| network A     |     | router mikrotik (ipsec client)  |      | router isp             |
+---------------+     +---------------------------------+  nat +------------------------+
| 172.20.0.0/24 | --> | 172.20.0.1          192.168.0.2 | ---> | 192.168.0.1   37.1.1.1 |
+---------------+     +---------------------------------+      +------------------------+
                                                                                   |
                                                                                  nat
  /------------------------------------- inet -------------------------------------/
  |
 nat
  |   +-------------------------+      +-------------------------------+     +----------------+
  |   | router isp              |      | router linux (ipsec server)   |     | notebook B     |
  |   +-------------------------+  nat +-------------------------------+     +----------------+
  \---| 5.2.2.2   192.168.100.1 | <--- | 192.168.100.11    172.28.10.1 | <-- | 172.28.10.0/24 |
      +-------------------------+      +-------------------------------+     +----------------+
My config on server is:
connections {
    rw {
        local_addrs = 192.168.100.11
        local {
            auth = psk
            id = 192.168.0.2
        }
        remote {
            auth = psk
        }
        children {
            net {
                local_ts = 172.28.10.0/24
                if_id_out = 42
                if_id_in = 42
            }
        }
        version = 2
    }
}
secrets {
    ike-mir {
        id = 192.168.0.2
        secret = XXXXXXXXXXXXXX
    }
}
The log:
charon-systemd[134046]: received packet: from 37.1.1.1[39248] to 192.168.100.11[4500] (424 bytes)
charon-systemd[134046]: parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
charon-systemd[134046]: 37.1.1.1 is initiating an IKE_SA
charon-systemd[134046]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon-systemd[134046]: local host is behind NAT, sending keep alives
charon-systemd[134046]: remote host is behind NAT
charon-systemd[134046]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) N(MULT_AUTH) ]
charon-systemd[134046]: sending packet: from 192.168.100.11[4500] to 37.1.1.1[39248] (448 bytes)
charon-systemd[134046]: received packet: from 37.1.1.1[39248] to 192.168.100.11[4500] (460 bytes)
charon-systemd[134046]: parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
charon-systemd[134046]: looking for peer configs matching 192.168.100.11[%any]...37.1.1.1[192.168.0.2]
charon-systemd[134046]: selected peer config 'rw'
charon-systemd[134046]: authentication of '192.168.0.2' with pre-shared key successful
charon-systemd[134046]: authentication of '192.168.0.2' (myself) with pre-shared key
charon-systemd[134046]: IKE_SA rw[2] established between 192.168.100.11[192.168.0.2]...37.1.1.1[192.168.0.2]
charon-systemd[134046]: scheduling rekeying in 14163s
charon-systemd[134046]: maximum IKE_SA lifetime 15603s
charon-systemd[134046]: traffic selectors 5.2.2.2.2/32 === 192.168.0.2/32 unacceptable
charon-systemd[134046]: failed to establish CHILD_SA, keeping IKE_SA
charon-systemd[134046]: generating IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
charon-systemd[134046]: sending packet: from 192.168.100.11[4500] to 37.1.1.1[39248] (124 bytes)
Thank you.
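As an added diagnostic aid (not part of this post and not strongSwan's own code), a small Python checker that reads the two charon lines that matter here, the notify list of the parsed IKE_AUTH request and the rejected selector pair, and reports whether either proposed selector falls inside the child's configured local_ts. The sample log lines are constructed from the post, and the order of the two selectors in the charon line is deliberately not assumed.

```python
"""Checker for a rejected CHILD_SA in a charon log: which selectors the peer
proposed, whether it asked for transport mode, and whether any proposed
selector fits the child's configured local_ts."""
import ipaddress
import re

# Constructed sample lines, modelled on the charon-systemd log in the post.
SAMPLE_LOG = """\
charon-systemd[134046]: parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
charon-systemd[134046]: selected peer config 'rw'
charon-systemd[134046]: traffic selectors 5.2.2.2/32 === 192.168.0.2/32 unacceptable
charon-systemd[134046]: failed to establish CHILD_SA, keeping IKE_SA
"""

# "traffic selectors A === B unacceptable": the pair charon could not narrow.
TS_LINE = re.compile(r"traffic selectors (\S+) === (\S+) unacceptable")
# Payload list between the brackets of the parsed IKE_AUTH request.
AUTH_LINE = re.compile(r"parsed IKE_AUTH request \d+ \[([^\]]*)\]")


def parse_ts_lines(log):
    """Return every (left, right) selector pair charon logged as unacceptable."""
    return [(ipaddress.ip_network(a, strict=False), ipaddress.ip_network(b, strict=False))
            for a, b in TS_LINE.findall(log)]


def request_notifies(log):
    """Return the notify names (the N(...) entries) carried by the IKE_AUTH request."""
    m = AUTH_LINE.search(log)
    return re.findall(r"N\((\w+)\)", m.group(1)) if m else []


def check_child(log, local_ts):
    """Summarise the CHILD_SA failure against the configured child local_ts."""
    local = ipaddress.ip_network(local_ts)
    pairs = parse_ts_lines(log)
    return {
        # USE_TRANSP is charon's short name for the USE_TRANSPORT_MODE notify.
        "transport_mode_requested": "USE_TRANSP" in request_notifies(log),
        "rejected_pairs": [(str(a), str(b)) for a, b in pairs],
        # True only if at least one proposed selector lies inside local_ts.
        "any_selector_in_local_ts": any(a.subnet_of(local) or b.subnet_of(local)
                                        for a, b in pairs),
    }


if __name__ == "__main__":
    print(check_child(SAMPLE_LOG, "172.28.10.0/24"))
```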