Hi all

I am trying to set up an IPsec tunnel with iked in a double NAT scenario:

Client --> NAT GW 1 --> Inet --> NAT GW 2 --> VPN GW

Client has 192.168.1.x, User is j...@doe.com
VPN GW has 10.x.y.z, hostname vpn.doe.com
NAT GW 1 does hide NAT to A.B.C.D
NAT GW 2 does static NAT for public GW IP, forwards to VPN GW

The client runs Strongswan on Linux.
VPN GW is running 5.5 GENERIC#271 on amd64.

I'm trying to set up RSA authentication with X.509 certificates, so I've
configured Strongswan to use Key and Cert with
subjectAltname=email:j...@doe.com, and to ask for IP address. Copied the
client cert and the issuing CA cert to /etc/iked/certs on the VPN GW.
PF is disabled. Configured iked on the VPN GW in iked.conf:

# config name-server 10.x.y.B: valid IP of the DNS server at the VPN site
ikev2 johndoevpn \
        quick esp inet \
        from any to 10.x.y.z \
        peer any local any \
        srcid vpn.doe.com dstid j...@doe.com \
        config address 10.x.y.A \
        config netmask 255.255.255.0 \
        config name-server 10.x.y.B \
        tag johndoevpn

VPNGW# sysctl -a | grep esp
net.inet.esp.enable=1
net.inet.esp.udpencap=1
net.inet.esp.udpencap_port=4500

But the client is unable to connect to the VPN GW, and I just can't find
out what's going wrong. Unfortunately there are two ways it is failing:

1) Client sends IKEv2 msg IKE_SA_INIT on port 500, VPN GW replies with
IKE_SA_INIT and CertReq, then client sends IKE_AUTH. But to this packet
the VPN GW never replies, and the client resends until it times out. I
see in the client log that it is selecting and sending the j...@doe.com
certificate. In the VPN GW logs I get:

Aug  9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_SA_INIT from
initiator A.B.C.D:34276 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
Aug  9 08:40:35 tunnel iked[18255]: ikev2_msg_send: IKE_SA_INIT from
10.x.y.z:500 to A.B.C.D:34276, 457 bytes
Aug  9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 08:40:39 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 08:40:46 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 08:40:59 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes

2) Client sends IKEv2 msg IKE_SA_INIT on port 500, and iked terminates
immediately. If this happens, only a reboot will ever again get it to at
least answer the IKE_SA_INIT. If iked is simply restarted, it will only
crash again when the next packet arrives.

Aug  9 14:31:56 tunnel iked[32658]: ikev2_recv: IKE_SA_INIT from
initiator A.B.C.D:36858 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
Aug  9 14:31:56 tunnel iked[4493]: lost child: ikev2 terminated; signal 11
Aug  9 14:31:56 tunnel iked[27717]: ikev1 exiting
Aug  9 14:31:56 tunnel iked[20802]: ca exiting
Aug  9 14:31:56 tunnel iked[4493]: parent terminating

In both cases, there are no other logs anywhere on the VPN GW. I've
started iked with "-DA=99 -v" and sent an "ikectl log verbose", but no
change. ikectl monitor shows nothing.

So I was wondering if anybody saw what I am doing wrong - probably I
got the config wrong. In particular, I'm not quite sure whether the files
containing the certs need to have special names.
If not, how does one debug iked? Why is it not answering, and, above
all, why is it crashing? Are there really no logs?

I've also tried the following, with identical results:

- 5.6 current-amd64 from Aug 8
- creating a new RSA keypair and X.509 cert for VPN GW (extracted pubkey
from cert to /etc/iked/local.pub, privkey to
/etc/iked/private/local.key, and copied the cert (with
subjectAltname=DNS:vpn.doe.com) to /etc/iked/certs)

Would be very glad if anyone could share a pointer ...

Thx /markus
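Added example, not part of the post above: a small log triage helper for the two failure patterns described (IKE_AUTH retransmitted by the peer with no reply from the same iked process, and the parent reporting a lost child). The sample log is constructed from the excerpts quoted in the post and kept in their mail-wrapped form, so the helper first rejoins wrapped syslog lines.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the iked log excerpts quoted in the post,
# kept in the mail-wrapped form so unwrap() has to rejoin the lines.
SAMPLE_LOG = """\
Aug  9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_SA_INIT from
initiator A.B.C.D:34276 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
Aug  9 08:40:35 tunnel iked[18255]: ikev2_msg_send: IKE_SA_INIT from
10.x.y.z:500 to A.B.C.D:34276, 457 bytes
Aug  9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 08:40:39 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator
A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
Aug  9 14:31:56 tunnel iked[32658]: ikev2_recv: IKE_SA_INIT from
initiator A.B.C.D:36858 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
Aug  9 14:31:56 tunnel iked[4493]: lost child: ikev2 terminated; signal 11
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
RECV_RE = re.compile(r"iked\[(\d+)\]: ikev2_recv: (\w+) from initiator (\S+) to \S+ ")
SEND_RE = re.compile(r"iked\[(\d+)\]: ikev2_msg_send: (\w+) from \S+ to ([^\s,]+)")
CRASH_RE = re.compile(r"iked\[(\d+)\]: lost child: (\w+) terminated; signal (\d+)")

def unwrap(text):
    """Rejoin wrapped syslog lines: a line without a leading timestamp continues the previous one."""
    lines = []
    for line in text.splitlines():
        if TS_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line.strip()
    return lines

def find_problems(text, min_repeats=2):
    """Flag (a) exchanges received >= min_repeats times from one peer with no reply of
    the same type from the same iked process, and (b) children the parent reports lost."""
    recvs, sends, crashes = defaultdict(int), defaultdict(int), []
    for line in unwrap(text):
        if m := RECV_RE.search(line):
            recvs[m.groups()] += 1          # key: (pid, exchange, peer addr:port)
        elif m := SEND_RE.search(line):
            sends[m.groups()] += 1          # same key shape, peer taken from "to"
        elif m := CRASH_RE.search(line):
            pid, proc, sig = m.groups()
            crashes.append({"pid": pid, "process": proc, "signal": int(sig)})
    unanswered = [{"pid": k[0], "exchange": k[1], "peer": k[2], "received": n}
                  for k, n in recvs.items() if n >= min_repeats and not sends.get(k)]
    return {"unanswered": unanswered, "crashes": crashes}
```

On the sample this reports the repeated, unanswered IKE_AUTH from A.B.C.D:4500 and the ikev2 child lost with signal 11, which is the pair of symptoms to pull out of a longer syslog before asking for help.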