Hi all, I am trying to set up an IPsec tunnel with iked in a double NAT scenario:

    Client --> NAT GW 1 --> Inet --> NAT GW 2 --> VPN GW

- Client has 192.168.1.x, user is j...@doe.com
- VPN GW has 10.x.y.z, hostname vpn.doe.com
- NAT GW 1 does hide NAT to A.B.C.D
- NAT GW 2 does static NAT for the public GW IP, forwards to VPN GW

The client runs strongSwan on Linux. VPN GW is running 5.5 GENERIC#271 on amd64.

I'm trying to set up RSA authentication with X.509 certificates, so I've configured strongSwan to use key and cert with subjectAltName=email:j...@doe.com, and to ask for an IP address. Copied the client cert and the issuing CA cert to /etc/iked/certs on the VPN GW. PF is disabled.

Configured iked on the VPN GW in iked.conf:

    ikev2 johndoevpn \
        quick esp inet \
        from any to 10.x.y.z \
        peer any local any \
        srcid vpn.doe.com dstid j...@doe.com \
        config address 10.x.y.A \
        config netmask 255.255.255.0 \
        config name-server 10.x.y.B \
        tag johndoevpn

(10.x.y.B: valid IP of DNS at VPN site)

    VPNGW# sysctl -a | grep esp
    net.inet.esp.enable=1
    net.inet.esp.udpencap=1
    net.inet.esp.udpencap_port=4500

But the client is unable to connect to the VPN GW, and I just can't find out what's going wrong. Unfortunately there are two ways it is failing:

1) Client sends IKEv2 msg IKE_SA_INIT on port 500, VPN GW replies with IKE_SA_INIT and CertReq, then client sends IKE_AUTH. But to this packet the VPN GW never replies, and the client resends until it times out. I see in the client log that it is selecting and sending the j...@doe.com certificate.
In the VPN GW logs I get:

    Aug 9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_SA_INIT from initiator A.B.C.D:34276 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
    Aug 9 08:40:35 tunnel iked[18255]: ikev2_msg_send: IKE_SA_INIT from 10.x.y.z:500 to A.B.C.D:34276, 457 bytes
    Aug 9 08:40:35 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
    Aug 9 08:40:39 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
    Aug 9 08:40:46 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes
    Aug 9 08:40:59 tunnel iked[18255]: ikev2_recv: IKE_AUTH from initiator A.B.C.D:4500 to 10.x.y.z:4500 policy 'johndoevpn' id 1, 2320 bytes

2) Client sends IKEv2 msg IKE_SA_INIT on port 500, and iked terminates immediately. If this happens, only a reboot will ever again get it to at least answer the SA_INIT. If iked is simply restarted, it will only crash again when the next packet arrives.

    Aug 9 14:31:56 tunnel iked[32658]: ikev2_recv: IKE_SA_INIT from initiator A.B.C.D:36858 to 10.x.y.z:500 policy 'johndoevpn' id 0, 1048 bytes
    Aug 9 14:31:56 tunnel iked[4493]: lost child: ikev2 terminated; signal 11
    Aug 9 14:31:56 tunnel iked[27717]: ikev1 exiting
    Aug 9 14:31:56 tunnel iked[20802]: ca exiting
    Aug 9 14:31:56 tunnel iked[4493]: parent terminating

In both cases, there are no other logs anywhere on the VPN GW. I've started iked with "-DA=99 -v" and sent an "ikectl log verbose", but no change. ikectl monitor shows nothing.

So I was wondering if anybody saw what I am doing wrong - probably I got the config wrong. In particular I'm not quite sure whether the files containing the certs need to have special names. If not: how does one debug iked? Why is it not answering, and, above all, why is it crashing? Are there really no logs?
I've also tried the following, with identical results:

- 5.6 current-amd64 from Aug 8
- create a new RSA keypair and X.509 cert for VPN GW (extracted pubkey from cert to /etc/iked/local.pub, privkey to /etc/iked/private/local.key, and copied the cert (with subjectAltName=DNS:vpn.doe.com) to /etc/iked/certs)

Would be very glad if anyone could share a pointer ...

Thx
/markus
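A way to sanity-check the certificate directory layout the post is asking about, added here as an example; it is not part of the original post and not code from iked. It relies on the layout documented in iked(8): trusted issuer (CA) certificates go in /etc/iked/ca/, peer and local certificates in /etc/iked/certs/, the gateway's private key in /etc/iked/private/local.key and its public key in /etc/iked/local.pub. The script builds two constructed sample trees with openssl (one with the issuer placed in ca/, one with the issuer copied into certs/ alongside the client certificate, which is where the post puts it) and reports what iked could not use for X.509 peer authentication. The identity jdoe@example.com, all file names and the function names are the example's own constructed placeholders; on a real gateway the identity to check is the dstid from iked.conf.

```shell
#!/bin/sh
# Added example, not from the post or from iked: sanity-check an iked(8) PKI tree.
# Per iked(8): ca/ holds trusted issuer certs, certs/ holds peer and local
# certs, private/local.key and local.pub hold the gateway's own key pair.
set -eu

# make_sample_tree DIR ISSUER_IN_CA_DIR(yes|no)
# Builds a CONSTRUCTED tree: a throwaway CA, a client cert whose SAN is
# email:jdoe@example.com (placeholder identity), and a gateway key pair.
make_sample_tree() {
    dir=$1; issuer_in_ca=$2
    mkdir -p "$dir/ca" "$dir/certs" "$dir/private"
    work=$(mktemp -d)
    cat > "$work/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
subjectAltName = email:jdoe@example.com
EOF
    # self-signed issuer certificate (CA:TRUE)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/pki.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Test CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1
    # client (peer) certificate signed by that issuer, SAN carries the e-mail identity
    openssl req -new -newkey rsa:2048 -nodes -config "$work/pki.cnf" \
        -subj "/CN=John Doe" -keyout "$work/client.key" -out "$work/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$work/client.csr" -CA "$work/ca.crt" \
        -CAkey "$work/ca.key" -CAcreateserial -extfile "$work/pki.cnf" \
        -extensions v3_client -out "$dir/certs/client.crt" >/dev/null 2>&1
    # gateway key pair in the places iked(8) reads them from
    openssl genrsa -out "$dir/private/local.key" 2048 >/dev/null 2>&1
    openssl rsa -in "$dir/private/local.key" -pubout -out "$dir/local.pub" >/dev/null 2>&1
    chmod 600 "$dir/private/local.key"
    if [ "$issuer_in_ca" = yes ]; then
        cp "$work/ca.crt" "$dir/ca/issuer.crt"
    else
        cp "$work/ca.crt" "$dir/certs/issuer.crt"   # issuer misplaced next to the peer cert
    fi
    rm -rf "$work"
}

# is_ca_cert FILE: true if the certificate carries basicConstraints CA:TRUE
is_ca_cert() { openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; }

# check_layout DIR DSTID
# Exit status 0 if the tree can authenticate a peer identified by DSTID,
# 1 otherwise; each finding is printed as one line.
check_layout() {
    dir=$1; dstid=$2; rc=0; found=0
    for f in private/local.key local.pub; do
        [ -f "$dir/$f" ] || { echo "MISSING $dir/$f"; rc=1; }
    done
    bundle=$(mktemp)
    cat "$dir"/ca/* > "$bundle" 2>/dev/null \
        || { echo "EMPTY $dir/ca: no trusted issuer for peer certificates"; rc=1; }
    for c in "$dir"/certs/*; do
        [ -f "$c" ] || continue
        if is_ca_cert "$c"; then
            echo "MISPLACED $c is an issuer certificate; iked trusts issuers only from ca/"
            rc=1; continue
        fi
        if [ -s "$bundle" ] && ! openssl verify -CAfile "$bundle" "$c" >/dev/null 2>&1; then
            echo "UNVERIFIED $c does not chain to any certificate in ca/"; rc=1
        fi
        if openssl x509 -in "$c" -noout -text 2>/dev/null | grep -qF "email:$dstid"; then
            found=1
        fi
    done
    rm -f "$bundle"
    [ "$found" -eq 1 ] || { echo "NOMATCH no certificate in certs/ has subjectAltName email:$dstid"; rc=1; }
    return $rc
}

# Build both constructed trees and check them; $ROOT is left in place for inspection.
ROOT=$(mktemp -d)
GOOD="$ROOT/good"; BAD="$ROOT/bad"
DSTID=jdoe@example.com   # constructed; on a real gateway use the dstid from iked.conf
make_sample_tree "$GOOD" yes
make_sample_tree "$BAD" no
for t in "$GOOD" "$BAD"; do
    echo "== $t"
    if check_layout "$t" "$DSTID"; then echo "layout usable"; else echo "layout NOT usable"; fi
done
```

Run against a live gateway with `check_layout /etc/iked <dstid>` after sourcing the functions; the three findings it can raise (an empty ca/, an issuer certificate sitting in certs/, and no peer certificate whose subjectAltName matches the dstid) are the ones that leave iked with nothing to validate the peer's IKE_AUTH certificate against.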