Hi all,
I have a problem in conjunction with NAT-Traversal.
Following scenario:
<vpn1> -- INTERNET -- <router> -- <vpn2>
where on <vpn1> there is strongSwan V4.3.4 and on <vpn2> there is
strongSwan V2.5.7. <vpn1> and <router> both have an internet connection over
DSL (PPPoE) and a reconnect after 24 hours. On the <router> we have a port
forward of port 500/udp and 4500/udp to <vpn2>.
The problem arises on the reconnect of <router>. Both <vpn1> and <vpn2> are
trying to reestablish the VPN connection; <vpn1> tries this directly on port
4500/udp and <vpn2> says:
Nov 9 04:06:03 tux-bo2 pluto[3677]: packet from 80.153.140.246:4500: initial Main Mode message received on 192.1.1.10:4500 but no connection has been authorized
and <vpn2> tries to connect on port 500/udp and <vpn1> says:
Nov 9 04:07:30 pluto[19098]: packet from 82.141.19.123:500: initial Main Mode message received on 80.153.140.246:500 but no connection has been authorized with policy=PUBKEY
so they are both not able to establish the connection. In the past I used
strongSwan V2.5.7 on both sites and it worked without any problem.
I found no way on the command line to bring <vpn1> to use port 500/udp except
an ipsec reload or an ipsec restart. But this also brings down other
VPN connections. After an ipsec reload or restart everything works as
expected until the next reconnect of <router>.
The only solution is to disable NAT-Traversal on <vpn1> (no nat_traversal=yes
line in ipsec.conf); then it works, as <vpn1> now tries to set up the connection on
port 500/udp.
So, I have 2 questions:
- Do I only have to enable NAT-Traversal on a machine that is behind a
NAT router, in my case only on <vpn2>? In the past I enabled NAT-Traversal
on both sides.
- What can I do to bring pluto into the same state as after an ipsec reload or
restart, but only relative to one VPN connection? ipsec down and up is not
enough.
I am currently using Linux V2.6.27.34 and strongSwan V4.3.4 on <vpn1>, and
Linux V2.4.37 and strongSwan V2.5.7 on <vpn2>.
Best regards,
Michael
--
Michael Niehren
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
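The two pluto notices quoted in the post both say that an initial Main Mode message arrived but no connection was authorized for it; what differs is the port each peer chose to initiate on (4500/udp from <vpn1>, 500/udp from <vpn2>). The following script is an added example, not code from the post or from the strongSwan project: it parses such log lines on the responder side and reports which peer started Main Mode on the NAT-T port, so an operator can confirm after a router reconnect which side is stuck on 4500/udp without restarting the daemon. The regular expression is an assumption derived from the two log lines above, not from pluto's source, and the third sample line is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern assumed from the two notices quoted in the post (not pluto's source).
# The syslog prefix is skipped by searching for "pluto[" anywhere in the line,
# so lines with and without a hostname field both match.
PLUTO_UNAUTH_RE = re.compile(
    r"pluto\[(?P<pid>\d+)\]: packet from (?P<src_ip>[\d.]+):(?P<src_port>\d+): "
    r"initial Main Mode message received on (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"but no connection has been authorized"
    r"(?: with policy=(?P<policy>\S+))?"
)

ISAKMP_PORT = 500   # plain IKE
NAT_T_PORT = 4500   # IKE/ESP encapsulated for NAT traversal


@dataclass
class UnauthorizedInitiation:
    """One rejected initial Main Mode message as seen by the responder."""
    pid: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    policy: Optional[str]


def parse_pluto_log(text: str) -> List[UnauthorizedInitiation]:
    """Extract every 'no connection has been authorized' notice from a log blob."""
    events = []
    for line in text.splitlines():
        m = PLUTO_UNAUTH_RE.search(line)
        if m:
            events.append(UnauthorizedInitiation(
                pid=int(m["pid"]),
                src_ip=m["src_ip"], src_port=int(m["src_port"]),
                dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
                policy=m["policy"],
            ))
    return events


def classify(ev: UnauthorizedInitiation) -> str:
    """Which IKE port the rejected initial Main Mode message arrived on."""
    if ev.dst_port == NAT_T_PORT:
        return "nat-t-port"      # peer began Main Mode on 4500/udp
    if ev.dst_port == ISAKMP_PORT:
        return "isakmp-port"     # peer began Main Mode on 500/udp
    return "other-port"


def stale_nat_t_initiators(events: List[UnauthorizedInitiation]) -> List[str]:
    """Peers whose *initial* Main Mode message was sent to 4500/udp.
    In the post this is <vpn1>, which keeps initiating on the NAT-T port
    after <router> has reconnected."""
    return sorted({ev.src_ip for ev in events if ev.dst_port == NAT_T_PORT})


# Constructed sample: the two notices from the post plus one unrelated line.
SAMPLE_LOG = """\
Nov 9 04:06:03 tux-bo2 pluto[3677]: packet from 80.153.140.246:4500: initial Main Mode message received on 192.1.1.10:4500 but no connection has been authorized
Nov 9 04:07:30 pluto[19098]: packet from 82.141.19.123:500: initial Main Mode message received on 80.153.140.246:500 but no connection has been authorized with policy=PUBKEY
Nov 9 04:07:31 pluto[19098]: "vpn2" #12: initiating Main Mode
"""

if __name__ == "__main__":
    for ev in parse_pluto_log(SAMPLE_LOG):
        print(f"{ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port} "
              f"[{classify(ev)}] policy={ev.policy}")
    print("initiators stuck on 4500/udp:", stale_nat_t_initiators(SAMPLE_LOG and parse_pluto_log(SAMPLE_LOG)))
```

Run it against `/var/log/auth.log` (or wherever pluto logs on the box) from both gateways after the nightly reconnect; a peer listed by `stale_nat_t_initiators` on one side while the same peer appears under `isakmp-port` on the other is exactly the mismatch the post describes.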