[strongSwan] Net to net double nat problem

anickname anickname at gmail.com
Mon May 25 16:03:31 CEST 2020


Hello,

I am trying to implement an IPsec tunnel between two networks (A, B). Network
A should access hosts on network B:

+---------------+     +---------------------------------+     +------------------------+
| network A     |     | router mikrotik (ipsec client)  |     | router isp             |
+---------------+     +---------------------------------+ nat +------------------------+
| 172.20.0.0/24 | --> | 172.20.0.1          192.168.0.2 | --> | 192.168.0.1   37.1.1.1 |
+---------------+     +---------------------------------+     +------------------------+
                                                                          |
                                                                         nat
    /----------------------------------- inet ---------------------------------------/
    |
   nat
    |   +-------------------------+     +-------------------------------+     +----------------+
    |   | router isp              |     | router linux (ipsec server)   |     | notebook B     |
    |   +-------------------------+ nat +-------------------------------+     +----------------+
    \---| 5.2.2.2   192.168.100.1 | <-- | 192.168.100.11    172.28.10.1 | <-- | 172.28.10.0/24 |
        +-------------------------+     +-------------------------------+     +----------------+

My config on server is:
connections {
 
   rw {
      local_addrs = 192.168.100.11
     
      local {
         auth = psk
         id = 192.168.0.2
      }
      remote {
         auth = psk
      }
      children {
         net {
            local_ts = 172.28.10.0/24
           
            if_id_out = 42
            if_id_in = 42
         }
      }
      version = 2
   }
}

secrets {
   ike-mir {
      id = 192.168.0.2
      secret = XXXXXXXXXXXXXX
   }
}

The log:
charon-systemd[134046]: received packet: from 37.1.1.1[39248] to 192.168.100.11[4500] (424 bytes)
charon-systemd[134046]: parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
charon-systemd[134046]: 37.1.1.1 is initiating an IKE_SA
charon-systemd[134046]: selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon-systemd[134046]: local host is behind NAT, sending keep alives
charon-systemd[134046]: remote host is behind NAT
charon-systemd[134046]: generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) N(MULT_AUTH) ]
charon-systemd[134046]: sending packet: from 192.168.100.11[4500] to 37.1.1.1[39248] (448 bytes)
charon-systemd[134046]: received packet: from 37.1.1.1[39248] to 192.168.100.11[4500] (460 bytes)
charon-systemd[134046]: parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
charon-systemd[134046]: looking for peer configs matching 192.168.100.11[%any]...37.1.1.1[192.168.0.2]
charon-systemd[134046]: selected peer config 'rw'
charon-systemd[134046]: authentication of '192.168.0.2' with pre-shared key successful
charon-systemd[134046]: authentication of '192.168.0.2' (myself) with pre-shared key
charon-systemd[134046]: IKE_SA rw[2] established between 192.168.100.11[192.168.0.2]...37.1.1.1[192.168.0.2]
charon-systemd[134046]: scheduling rekeying in 14163s
charon-systemd[134046]: maximum IKE_SA lifetime 15603s
charon-systemd[134046]: traffic selectors 5.2.2.2.2/32 === 192.168.0.2/32 unacceptable
charon-systemd[134046]: failed to establish CHILD_SA, keeping IKE_SA
charon-systemd[134046]: generating IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
charon-systemd[134046]: sending packet: from 192.168.100.11[4500] to 37.1.1.1[39248] (124 bytes)

Thank you.
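The failure in this log is a traffic-selector mismatch under double NAT: both ends detect NAT, the client asks for transport mode, and the responder finds no overlap between the proposed selectors and its configured ones, so it answers TS_UNACCEPTABLE. As an added example that is not part of the post and not strongSwan code, here is a small Python triage script: it parses a constructed subset of the posted charon lines (with the server's public address written as 5.2.2.2, as in the diagram), records the NAT detections and the USE_TRANSP request, and runs the IKEv2 narrowing check (selector overlap) of the peer's proposed selectors against the local_ts from the posted config. The remote_ts value it uses is an assumption: the config leaves it unset, and the script takes that to mean the peer address seen in the log (37.1.1.1).

```python
"""Added triage helper for a strongSwan IKEv2 responder log that ends in
TS_UNACCEPTABLE.  Example code, not strongSwan's.  Assumption: an unset
remote_ts resolves to the peer address seen on the wire."""
import ipaddress
import re

# Constructed sample: a subset of the posted charon lines.  The server's
# public address is written as in the diagram (5.2.2.2); the post's own
# log line carries an extra octet, which parse_log() tolerates below.
SAMPLE_LOG = """\
charon-systemd[134046]: 37.1.1.1 is initiating an IKE_SA
charon-systemd[134046]: local host is behind NAT, sending keep alives
charon-systemd[134046]: remote host is behind NAT
charon-systemd[134046]: parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr N(USE_TRANSP) ]
charon-systemd[134046]: traffic selectors 5.2.2.2/32 === 192.168.0.2/32 unacceptable
charon-systemd[134046]: failed to establish CHILD_SA, keeping IKE_SA
"""

# Responder selectors from the posted swanctl.conf.  remote_ts is not set
# there; assumption: it defaults to the peer address (37.1.1.1 in the log).
SERVER_CONF = {"local_ts": ["172.28.10.0/24"], "remote_ts": ["37.1.1.1/32"]}

INIT_RE = re.compile(r"(\S+) is initiating an IKE_SA")
# First selector is the responder's (local) side, second the initiator's,
# matching the order in the posted log (server public IP first).
TS_RE = re.compile(r"traffic selectors (\S+) === (\S+) unacceptable")


def parse_net(token):
    """ip_network for a prefix token, or None if it does not parse
    (hand-edited logs often contain mangled addresses)."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def parse_log(log):
    """Collect the facts that matter for a TS_UNACCEPTABLE failure."""
    facts = {
        "peer": None,
        "local_behind_nat": False,
        "remote_behind_nat": False,
        "transport_mode_requested": False,
        "proposed_local_ts": None,
        "proposed_remote_ts": None,
        "ts_rejected": False,
        "unparsed": [],
    }
    for line in log.splitlines():
        if m := INIT_RE.search(line):
            facts["peer"] = m.group(1)
        if "local host is behind NAT" in line:
            facts["local_behind_nat"] = True
        if "remote host is behind NAT" in line:
            facts["remote_behind_nat"] = True
        if "N(USE_TRANSP)" in line:
            facts["transport_mode_requested"] = True
        if m := TS_RE.search(line):
            facts["ts_rejected"] = True
            for key, tok in (("proposed_local_ts", m.group(1)),
                             ("proposed_remote_ts", m.group(2))):
                net = parse_net(tok)
                if net is None:
                    facts["unparsed"].append(tok)
                facts[key] = net
    return facts


def narrow(configured, proposed):
    """IKEv2 narrowing: the configured selectors that share at least one
    address with the proposed one.  An empty list means no usable CHILD_SA."""
    if proposed is None:
        return []
    return [c for c in configured
            if ipaddress.ip_network(c).overlaps(proposed)]


def diagnose(log, conf):
    """Return the parsed facts, the narrowing result and plain findings."""
    facts = parse_log(log)
    local_ok = narrow(conf["local_ts"], facts["proposed_local_ts"])
    remote_ok = narrow(conf["remote_ts"], facts["proposed_remote_ts"])
    findings = []
    if facts["local_behind_nat"] and facts["remote_behind_nat"]:
        findings.append("double NAT: both ends detected NAT, UDP/4500 encapsulation in use")
    if facts["transport_mode_requested"]:
        findings.append("peer asked for transport mode (USE_TRANSP); "
                        "net-to-net needs tunnel mode on both sides")
    if facts["ts_rejected"] and not local_ok:
        findings.append("proposed local TS %s overlaps none of local_ts=%s"
                        % (facts["proposed_local_ts"], conf["local_ts"]))
    if facts["ts_rejected"] and not remote_ok:
        findings.append("proposed remote TS %s overlaps none of remote_ts=%s"
                        % (facts["proposed_remote_ts"], conf["remote_ts"]))
    for tok in facts["unparsed"]:
        findings.append("selector %r is not a valid prefix; check the log text" % tok)
    return {"facts": facts, "local_overlap": local_ok,
            "remote_overlap": remote_ok, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SERVER_CONF)["findings"]:
        print("-", finding)
```

Run against the sample it reports four findings: double NAT, transport mode requested, and no overlap on either selector side. Pointing the script at a real journal extract is a quick way to see whether a CHILD_SA failure is a selector problem at all before touching the config.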
