Hi all,
I'm trying to set up a strongswan gateway behind a NAT router for 
roadwarrior use.
I can initiate the connection from another debian machine also using 
strongswan (also behind NAT), virtual ip is assigned correctly and I'm 
able to ping/ssh to the gateway machine on its private ip address but 
nothing else behind it.

Routes get added on both machines but I'm not convinced the next hop on 
the initiator machine is correct.

My network:

192.168.0.0/24===192.168.0.18 (SS gw)--- 192.168.0.1 (router) ....... 
%any (vpn client) === 192.168.0.19/32 (virtual ip)

I've added rules to IP tables on the router to forward traffic on udp 
ports 500 and 4500 as well as esp traffic, coming in to a particular 
public ip address, to the SS gw - with matching SNAT rules for outbound 
traffic. I've tested all this using netcat.

Any help would be most appreciated - I can provide any more info if 
required.

Thanks in advance!

Russ

(I've changed the public ip of my router for security to XX.XX.XX.XX and 
the router of the roadwarrior machine to YY.YY.YY.YY)

Ipsec.conf on the gateway is:

config setup
    # plutodebug=all
    crlcheckinterval=180
    strictcrlpolicy=no
    # cachecrls=yes
    nat_traversal=yes
    charonstart=yes
    plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn edba-nat
        left=%defaultroute
        leftcert=lister.e-dba.net-cert.pem
        [email protected]
        leftsubnet=192.168.0.0/24
        right=%any
        rightsourceip=192.168.0.19
        keyexchange=ikev2
        auto=add



On the rw machine:

ted:~# cat /etc/ipsec.conf

config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
       
conn edba-nat
    left=%defaultroute
    leftsourceip=%config
    leftcert=russ.e-dba.net-cert.pem
    [email protected]
    right=XX.XX.XX.XX
    [email protected]
    rightsubnet=192.168.0.0/24
    auto=add





When I initiate the connection from the test roadwarrior machine I get:

ted:~# ipsec up edba-nat
initiating IKE_SA edba-nat[1] to XX.XX.XX.XX
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.61.90[500] to XX.XX.XX.XX[500]
received packet: from XX.XX.XX.XX[500] to 192.168.61.90[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
CERTREQ N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
received cert request for "C=UK, ST=East Sussex, O=eDBA Ltd, CN=vpngw, 
[email protected]"
sending cert request for "C=UK, ST=East Sussex, O=eDBA Ltd, CN=vpngw, 
[email protected]"
authentication of '[email protected]' (myself) with RSA signature 
successful
sending end entity cert "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, 
CN=russ, [email protected]"
establishing CHILD_SA edba-nat
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr 
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
sending packet: from 192.168.61.90[4500] to XX.XX.XX.XX[4500]
received packet: from XX.XX.XX.XX[4500] to 192.168.61.90[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) 
N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
received end entity cert "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, 
CN=lister, [email protected]"
  using certificate "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, 
CN=lister, [email protected]"
  using trusted ca certificate "C=UK, ST=East Sussex, O=eDBA Ltd, 
CN=vpngw, [email protected]"
checking certificate status of "C=UK, ST=East Sussex, L=Brighton, O=eDBA 
Ltd, CN=lister, [email protected]"
certificate status is not available
authentication of 'lister.e-dba.net' with RSA signature successful
scheduling reauthentication in 3254s
maximum IKE_SA lifetime 3434s
IKE_SA edba-nat[1] established between 
192.168.61.90[[email protected]]...xx.xx.xx.xx[lister.e-dba.net]
installing new virtual IP 192.168.0.19
ted:~#


Route on rw machine;

ted:~# ip r show table 220
192.168.0.0/24 via 192.168.61.1 dev eth0  proto static  src 192.168.0.19

Ping gateway on private ip;

ted:~# ping -c 1 192.168.0.18
PING 192.168.0.18 (192.168.0.18) 56(84) bytes of data.
64 bytes from 192.168.0.18: icmp_seq=1 ttl=64 time=75.7 ms

Ping DNS server on private network;

ted:~# ping -c 1 192.168.0.15
PING 192.168.0.15 (192.168.0.15) 56(84) bytes of data.

--- 192.168.0.15 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


excerpt of the daemon.log in case this is significant;

Jan 14 10:14:15 ted charon: 14[NET] sending packet: from 
192.168.61.90[4500] to 217.154.55.251[4500]
Jan 14 10:14:22 ted charon: 03[KNL] creating rekey job for ESP CHILD_SA 
with SPI cf8ef4a6 and reqid {1}
Jan 14 10:14:22 ted charon: 09[IKE] establishing CHILD_SA edba-nat{1}
Jan 14 10:14:22 ted charon: 09[ENC] generating CREATE_CHILD_SA request 2 
[ N(REKEY_SA) SA No TSi TSr ]
Jan 14 10:14:22 ted charon: 09[NET] sending packet: from 
192.168.61.90[4500] to 217.154.55.251[4500]
Jan 14 10:14:22 ted charon: 15[NET] received packet: from 
217.154.55.251[4500] to 192.168.61.90[4500]
Jan 14 10:14:22 ted charon: 15[ENC] parsed CREATE_CHILD_SA response 2 [ 
SA No TSi TSr ]
Jan 14 10:14:22 ted charon: 15[IKE] CHILD_SA edba-nat{1} established 
with SPIs c2c5f5e9_i cb2579f8_o and TS 192.168.0.19/32 === 192.168.0.0/24 
Jan 14 10:14:22 ted charon: 15[IKE] closing CHILD_SA edba-nat{1} with 
SPIs cf8ef4a6_i c72aadd3_o and TS 192.168.0.19/32 === 192.168.0.0/24 
Jan 14 10:14:22 ted charon: 15[IKE] sending DELETE for ESP CHILD_SA with 
SPI cf8ef4a6
Jan 14 10:14:22 ted charon: 15[ENC] generating INFORMATIONAL request 3 [ 
D ]
Jan 14 10:14:22 ted charon: 15[NET] sending packet: from 
192.168.61.90[4500] to 217.154.55.251[4500]
Jan 14 10:14:22 ted charon: 16[NET] received packet: from 
217.154.55.251[4500] to 192.168.61.90[4500]
Jan 14 10:14:22 ted charon: 16[ENC] parsed INFORMATIONAL response 3 [ D ]
Jan 14 10:14:22 ted charon: 16[IKE] received DELETE for ESP CHILD_SA 
with SPI c72aadd3
Jan 14 10:14:22 ted charon: 16[IKE] CHILD_SA closed
Jan 14 10:14:46 ted charon: 10[IKE] sending keep alive
Jan 14 10:14:46 ted charon: 10[NET] sending packet: from 
192.168.61.90[4500] to 217.154.55.251[4500]
Jan 14 10:15:06 ted charon: 12[IKE] sending keep alive
Jan 14 10:15:06 ted charon: 12[NET] sending packet: from 
192.168.61.90[4500] to 217.154.55.251[4500]
Jan 14 10:15:26 ted charon: 13[IKE] sending keep alive
Jan 14 10:15:26 ted charon: 13[NET] sending packet: from 
192.168.61.90[4500] to 217.154.55.251[4500]


Ipsec statusall on rw machine;

ted:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.2):
  uptime: 31 minutes, since Jan 14 09:58:41 2010
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 4
  loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac agent 
gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka 
eapmschapv2
Listening IP addresses:
  192.168.61.90
Connections:
    edba-nat:  %any...XX.XX.XX.XX
    edba-nat:   local:  [[email protected]] uses public key authentication
    edba-nat:    cert:  "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, 
CN=russ, [email protected]"
    edba-nat:   remote: [lister.e-dba.net] uses any authentication
    edba-nat:   child:  dynamic === 192.168.0.0/24
Security Associations:
    edba-nat[1]: ESTABLISHED 31 minutes ago, 
192.168.61.90[[email protected]]...xx.xx.xx.xx[lister.e-dba.net]
    edba-nat[1]: IKE SPIs: 8f74877205e6e94a_i* ec51a88ef2fc6eb4_r, 
public key reauthentication in 21 minutes
    edba-nat[1]: IKE proposal: 
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    edba-nat{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c79a6ff9_i cb98be4d_o
    edba-nat{1}:  AES_CBC_128/HMAC_SHA1_96, rekeying in 15 minutes, last 
use: no_i no_o
    edba-nat{1}:   192.168.0.19/32 === 192.168.0.0/24

======================

On SS gateway machine;
Remote public ip masked for security to YY.YY.YY.YY

lister:/var/cache/apt/archives# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.3.2):
  uptime: 33 minutes, since Jan 14 09:58:52 2010
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
  loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac agent 
gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka 
eapmschapv2
Virtual IP pools (size/online/offline):
  edba-nat: 1/1/0
Listening IP addresses:
  192.168.0.18
Connections:
    edba-nat:  192.168.0.18...%any
    edba-nat:   local:  [lister.e-dba.net] uses public key authentication
    edba-nat:    cert:  "C=UK, ST=East Sussex, L=Brighton, O=eDBA Ltd, 
CN=lister, [email protected]"
    edba-nat:   remote: [%any] uses any authentication
    edba-nat:   child:  192.168.0.0/24 === dynamic
Security Associations:
    edba-nat[1]: ESTABLISHED 33 minutes ago, 
192.168.0.18[lister.e-dba.net]...yy.yy.yy.yy[[email protected]]
    edba-nat[1]: IKE SPIs: 8f74877205e6e94a_i ec51a88ef2fc6eb4_r*, 
public key reauthentication in 22 minutes
    edba-nat[1]: IKE proposal: 
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    edba-nat{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cb98be4d_i c79a6ff9_o
    edba-nat{1}:  AES_CBC_128/HMAC_SHA1_96, rekeying in 11 minutes, last 
use: no_i no_o
    edba-nat{1}:   192.168.0.0/24 === 192.168.0.19/32


lister:/var/cache/apt/archives# ip r show table 220
192.168.0.19 via 192.168.0.1 dev eth0  proto static  src 192.168.0.18


 

-- 

Russ Cox
Systems Engineer

e-DBA Ltd. 
48A Old Steine,
Brighton, East Sussex,
BN1 1NH

Main:      +44 (0) 870 366 7800
Direct:    +44 (0) 127 322 4704
email:     [email protected]
Msn:       [email protected]
Skype:     russc0x

Company No: 365969

Oracle Partner of the Year
General Business Technology

UKOUG Partner of the year
(4 categories)

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
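The two things a reader would want to check in the post above are the table-220 route on the roadwarrior (is the next hop really wrong?) and the relationship between the virtual-IP pool and the gateway's leftsubnet (the virtual IP 192.168.0.19 is carved out of 192.168.0.0/24, which explains why the gateway itself answers but nothing else on the LAN does). The following script is an added example, not part of the post or of strongSwan; it parses the gateway's ipsec.conf and the client's `ip r show table 220` line as quoted above and reports both findings. The function names `parse_ipsec_conf`, `parse_route`, `pool_inside_lan` and `diagnose` are hypothetical, the sample inputs are copied from the post, and the client's default gateway `192.168.61.1` is an assumption (the post shows it only as the route's `via`).

```python
import ipaddress
import re

# Constructed sample inputs, copied from the post (the gateway's ipsec.conf
# and the client's 'ip r show table 220' line); comments and certificate
# settings are omitted because they play no part in the routing question.
GATEWAY_IPSEC_CONF = """\
config setup
    nat_traversal=yes
    charonstart=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

conn edba-nat
        left=%defaultroute
        leftsubnet=192.168.0.0/24
        right=%any
        rightsourceip=192.168.0.19
        keyexchange=ikev2
        auto=add
"""
RW_TABLE_220 = "192.168.0.0/24 via 192.168.61.1 dev eth0  proto static  src 192.168.0.19"
RW_VIRTUAL_IP = "192.168.0.19"   # from 'installing new virtual IP' in the ipsec up output
RW_DEFAULT_GW = "192.168.61.1"   # assumption: the client's ordinary default gateway


def parse_ipsec_conf(text):
    """Minimal ipsec.conf parser: returns {conn_name: {key: value}} with the
    'conn %default' settings folded into every named conn section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header such as 'conn edba-nat' or 'config setup'.
            current = sections.setdefault(line.strip(), {})
            continue
        key, _, value = line.strip().partition("=")
        if current is not None:
            current[key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    conns = {}
    for header, values in sections.items():
        if header.startswith("conn ") and header != "conn %default":
            merged = dict(default)
            merged.update(values)
            conns[header[len("conn "):]] = merged
    return conns


ROUTE_RE = re.compile(r"^(?P<dst>\S+) via (?P<via>\S+) dev (?P<dev>\S+).*?\bsrc (?P<src>\S+)")


def parse_route(line):
    """Parse one 'ip route show' line of the form 'DST via GW dev DEV ... src SRC'."""
    match = ROUTE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised route line: {line!r}")
    route = match.groupdict()
    route["dst"] = ipaddress.ip_network(route["dst"], strict=False)
    return route


def pool_inside_lan(conn):
    """True when the rightsourceip pool lies inside leftsubnet, i.e. the
    virtual IP is taken from the gateway's own LAN."""
    pool = ipaddress.ip_network(conn["rightsourceip"], strict=False)
    lan = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    return pool.subnet_of(lan)


def diagnose(gw_conn, rw_route_line, virtual_ip, rw_default_gw):
    """Check the client's table-220 route and the pool/LAN overlap; returns a
    dict with two booleans and human-readable findings."""
    route = parse_route(rw_route_line)
    lan = ipaddress.ip_network(gw_conn["leftsubnet"], strict=False)
    vip = ipaddress.ip_address(virtual_ip)
    findings = []

    # strongSwan installs 'remote-subnet via <normal next hop> src <virtual IP>'
    # in table 220: the next hop is deliberately the client's ordinary gateway,
    # because ESP encapsulation is applied by the kernel's XFRM policy, not by
    # the routing decision.  So this route is expected, not the fault.
    route_ok = (route["dst"] == lan and route["src"] == str(vip)
                and route["via"] == rw_default_gw)
    findings.append(
        "table 220 route is what strongSwan installs (next hop = local gateway, "
        "src = virtual IP); routing on the client is not the problem"
        if route_ok else
        f"table 220 route {rw_route_line!r} does not match the expected "
        f"'{lan} via {rw_default_gw} ... src {vip}'")

    # When the virtual IP is carved out of leftsubnet, LAN hosts treat it as a
    # directly attached neighbour and ARP for it.  The gateway replies to its
    # own traffic (so ping to 192.168.0.18 works) but nobody answers ARP for the
    # virtual IP, so replies from other LAN hosts never reach the tunnel.
    vip_inside_lan = vip in lan
    if vip_inside_lan:
        findings.append(
            f"virtual IP {vip} lies inside leftsubnet {lan}: the gateway must "
            "answer ARP for it (strongSwan's farp plugin) or the pool must move "
            "to a separate subnet that the LAN routes to the gateway")
    return {"route_ok": route_ok, "vip_inside_lan": vip_inside_lan,
            "findings": findings}


if __name__ == "__main__":
    conns = parse_ipsec_conf(GATEWAY_IPSEC_CONF)
    result = diagnose(conns["edba-nat"], RW_TABLE_220, RW_VIRTUAL_IP, RW_DEFAULT_GW)
    for finding in result["findings"]:
        print("-", finding)
```

Run as-is it reports that the client's route is the one strongSwan is supposed to install and that the virtual IP overlaps the LAN; the same parser can be pointed at the gateway's own `ip r show table 220` line (`192.168.0.19 via 192.168.0.1 ...`), which is likewise the normal host route for a `%defaultroute` gateway behind NAT.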