Hi all,

I tested this configuration successfully many times without the NAT. This time I connected one of the GWs behind a NAT/firewall device and, although the tunnel comes up, I get an error message regarding routes (you can see it almost at the bottom of the log). Have you seen this before? Thanks in advance for your help.

Cheers,
Alexis
My setup:

172.22.0.0/28--GW1--Internet--(24.207.4.81)NAT_DEVICE--(192.168.21.100)GW2--10.0.0.0/24--OTHER_ROUTERS

My configuration (full tunnel):

GW1 (Linux strongSwan U4.3.5/K2.6.30-310):

config setup
    cachecrls=no
    charonstart=yes
    crlcheckinterval=0
    plutostart=yes
    strictcrlpolicy=no
    nat_traversal=yes
    plutodebug=none
    charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 0, net 0, enc 0, lib 0"

conn net-to-net
    left=%defaultroute
    left...@gw1
    leftsubnet=172.22.0.0/28
    leftfirewall=yes
    right=24.207.4.81
    right...@gw2
    rightsubnet=0.0.0.0/0
    keyexchange=ikev2
    mobike=yes
    ikelifetime=60m
    keylife=20m
    compress=no
    authby=secret
    dpdaction=restart
    dpddelay=10
    dpdtimeout=30
    auto=add
    keyingtries=1
    rekeymargin=3m
    forceencaps=no

GW2 (Linux strongSwan U4.3.2/K2.6.31-1):

config setup
    charonstart=yes
    nat_traversal=yes
    charondebug="dmn 0, mgr 0, ike 0, chd 0, job 0, cfg 0, knl 2, net 0, enc 0, lib 0"

conn net2net
    left=192.168.21.100
    left...@gw2
    right=%any
    right...@gw1
    rekey=no
    leftsubnet=0.0.0.0/0
    rightsubnet=172.22.0.0/28
    ike=aes128-md5-modp1536!
    ikelifetime=3600s
    keyexchange=ikev2
    mobike=yes
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=clear
    esp=aes128-md5!
    keylife=1200s
    rekeymargin=540s
    type=tunnel
    pfs=yes
    compress=no
    authby=secret
    auto=add

GW2 logs (I removed some parts for brevity, let me know if you need the whole thing):

Nov 9 10:56:46 GW2 charon: 09[IKE] 174.90.242.85 is initiating an IKE_SA
Nov 9 10:56:46 GW2 charon: 09[IKE] 174.90.242.85 is initiating an IKE_SA
Nov 9 10:56:46 GW2 charon: 09[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Nov 9 10:56:46 GW2 charon: 09[IKE] local host is behind NAT, sending keep alives
Nov 9 10:56:46 GW2 charon: 08[IKE] authentication of 'GW1' with pre-shared key successful
Nov 9 10:56:46 GW2 charon: 08[IKE] peer supports MOBIKE
Nov 9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.0.1
Nov 9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.1.1
Nov 9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.2.1
Nov 9 10:56:46 GW2 charon: 08[IKE] authentication of 'GW2' (myself) with pre-shared key
Nov 9 10:56:46 GW2 charon: 08[IKE] successfully created shared key MAC
Nov 9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] state change: CONNECTING => ESTABLISHED
Nov 9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 192.168.21.100[GW2]...174.90.242.85[GW1]
Nov 9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 192.168.21.100[GW2]...174.90.242.85[GW1]
Nov 9 10:56:46 GW2 charon: 08[KNL] getting SPI for reqid {1}
Nov 9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_ALLOCSPI: => 244 bytes @ 0xb38adc68
Nov 9 10:56:46 GW2 charon: 08[KNL] 0: F4 00 00 00 16 00 01 00 C9 00 00 00 14 42 00 00 .............B..
Nov 9 10:56:46 GW2 charon: 08[KNL] 240: FF FF FF CF ....
Nov 9 10:56:46 GW2 charon: 08[KNL] got SPI ccbe182c for reqid {1}
Nov 9 10:56:46 GW2 charon: 08[KNL] adding SAD entry with SPI ccbe182c and reqid {1}
Nov 9 10:56:46 GW2 charon: 08[KNL] using encryption algorithm AES_CBC with key size 128
Nov 9 10:56:46 GW2 charon: 08[KNL] using integrity algorithm HMAC_MD5_96 with key size 128
Nov 9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_UPDSA: => 440 bytes @ 0xb38adbc4
Nov 9 10:56:46 GW2 charon: 08[KNL] 0: B8 01 00 00 1A 00 05 00 CA 00 00 00 14 42 00 00 .............B..
Nov 9 10:56:46 GW2 charon: 08[KNL] 432: 00 00 00 00 00 00 00 00 ........
Nov 9 10:56:46 GW2 charon: 08[KNL] adding SAD entry with SPI c94ea202 and reqid {1}
Nov 9 10:56:46 GW2 charon: 08[KNL] using encryption algorithm AES_CBC with key size 128
Nov 9 10:56:46 GW2 charon: 08[KNL] using integrity algorithm HMAC_MD5_96 with key size 128
Nov 9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_NEWSA: => 440 bytes @ 0xb38adbc4
Nov 9 10:56:46 GW2 charon: 08[KNL] 0: B8 01 00 00 10 00 05 00 CB 00 00 00 14 42 00 00 .............B..
Nov 9 10:56:46 GW2 charon: 08[KNL] 432: 00 00 00 00 00 00 00 00 ........
Nov 9 10:56:46 GW2 charon: 08[KNL] adding policy 0.0.0.0/0 === 172.22.0.0/28 out
Nov 9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_NEWPOLICY: => 248 bytes @ 0xb38adc3c
Nov 9 10:56:46 GW2 charon: 08[KNL] 0: F8 00 00 00 13 00 05 00 CC 00 00 00 14 42 00 00 .............B..
Nov 9 10:56:46 GW2 charon: 08[KNL] 240: FF FF FF FF FF FF FF FF ........
Nov 9 10:56:46 GW2 charon: 08[KNL] adding policy 172.22.0.0/28 === 0.0.0.0/0 in
Nov 9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_NEWPOLICY: => 248 bytes @ 0xb38adc3c
Nov 9 10:56:46 GW2 charon: 08[KNL] 0: F8 00 00 00 13 00 05 00 CD 00 00 00 14 42 00 00 .............B..
Nov 9 10:56:46 GW2 charon: 08[KNL] 240: FF FF FF FF FF FF FF FF ........
Nov 9 10:56:46 GW2 charon: 08[KNL] adding policy 172.22.0.0/28 === 0.0.0.0/0 fwd
Nov 9 10:56:46 GW2 charon: 08[KNL] sending XFRM_MSG_NEWPOLICY: => 248 bytes @ 0xb38adc3c
Nov 9 10:56:46 GW2 charon: 08[KNL] 0: F8 00 00 00 13 00 05 00 CE 00 00 00 14 42 00 00 .............B..
Nov 9 10:56:46 GW2 charon: 08[KNL] 240: FF FF FF FF FF FF FF FF ........
Nov 9 10:56:46 GW2 charon: 08[KNL] getting a local address in traffic selector 0.0.0.0/0
Nov 9 10:56:46 GW2 charon: 08[KNL] using host %any
Nov 9 10:56:46 GW2 charon: 08[KNL] getting address to reach 174.90.242.85
Nov 9 10:56:46 GW2 charon: 08[KNL] getting interface name for 192.168.21.100
Nov 9 10:56:46 GW2 charon: 08[KNL] 192.168.21.100 is on interface eth0
Nov 9 10:56:46 GW2 charon: 08[KNL] getting iface index for eth0
Nov 9 10:56:46 GW2 charon: 08[KNL] received netlink error: No such process (3)
Nov 9 10:56:46 GW2 charon: 08[KNL] unable to install source route for %any
Nov 9 10:56:46 GW2 charon: 08[IKE] CHILD_SA net2net{1} established with SPIs ccbe182c_i c94ea202_o and TS 0.0.0.0/0 === 172.22.0.0/28
Nov 9 10:56:46 GW2 charon: 08[IKE] CHILD_SA net2net{1} established with SPIs ccbe182c_i c94ea202_o and TS 0.0.0.0/0 === 172.22.0.0/28
Nov 9 10:57:06 GW2 charon: 10[KNL] querying policy 0.0.0.0/0 === 172.22.0.0/28 out
Nov 9 10:57:06 GW2 charon: 10[KNL] sending XFRM_MSG_GETPOLICY: => 80 bytes @ 0xb28ade2c
Nov 9 10:57:06 GW2 charon: 10[KNL] 0: 50 00 00 00 15 00 01 00 CF 00 00 00 14 42 00 00 P............B..

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
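A log excerpt like the one above is long and noisy (duplicated lines, netlink hex dumps), and the interesting facts are spread over a few lines: NAT detection, the MOBIKE peer addresses, the IKE_SA and CHILD_SA endpoints and SPIs, the XFRM policies that were installed, and the netlink error that made the source route fail. The script below is an added example (not code from the poster and not strongSwan tooling) that pulls those facts out of charon syslog lines and produces a one-line verdict. The regexes are keyed to the message texts visible in the post; `SAMPLE_LOG` is constructed test input copied from the poster's log, so the hosts and addresses are theirs, and the summary layout, function names and verdict wording are this example's own choices.

```python
"""Summarise a strongSwan charon log excerpt (IKEv2 tunnel setup).

Added example, not code from the original post or from strongSwan itself.
SAMPLE_LOG is constructed test input: the lines are copied from the post,
so the host names and addresses are the poster's, not a live deployment.
"""
import re
from typing import Optional

# One charon syslog line: "<syslog ts> <host> charon: <thread>[<GROUP>] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]{3})\] (?P<msg>.*)$"
)
IKE_SA_RE = re.compile(
    r"IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] established between "
    r"(?P<local>[\d.]+)\[(?P<local_id>[^\]]+)\]\.\.\."
    r"(?P<remote>[\d.]+)\[(?P<remote_id>[^\]]+)\]"
)
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<name>\S+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o "
    r"and TS (?P<ts_local>\S+) === (?P<ts_remote>\S+)"
)
POLICY_RE = re.compile(r"adding policy (?P<src>\S+) === (?P<dst>\S+) (?P<dir>out|in|fwd)$")
MOBIKE_RE = re.compile(r"got additional MOBIKE peer address: (?P<addr>[\d.]+)")
NETLINK_RE = re.compile(r"received netlink error: (?P<err>.+) \((?P<code>\d+)\)")
ROUTE_RE = re.compile(r"unable to install source route for (?P<src>\S+)")

# Constructed input: a subset of the poster's GW2 log, plus one non-charon line.
SAMPLE_LOG = [
    "Nov 9 10:56:46 GW2 charon: 09[IKE] local host is behind NAT, sending keep alives",
    "Nov 9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.0.1",
    "Nov 9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.1.1",
    "Nov 9 10:56:46 GW2 charon: 08[IKE] got additional MOBIKE peer address: 172.22.2.1",
    "Nov 9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 192.168.21.100[GW2]...174.90.242.85[GW1]",
    "Nov 9 10:56:46 GW2 charon: 08[IKE] IKE_SA net2net[1] established between 192.168.21.100[GW2]...174.90.242.85[GW1]",
    "Nov 9 10:56:46 GW2 charon: 08[KNL] 0: F4 00 00 00 16 00 01 00 C9 00 00 00 14 42 00 00 .............B..",
    "Nov 9 10:56:46 GW2 charon: 08[KNL] adding policy 0.0.0.0/0 === 172.22.0.0/28 out",
    "Nov 9 10:56:46 GW2 charon: 08[KNL] adding policy 172.22.0.0/28 === 0.0.0.0/0 in",
    "Nov 9 10:56:46 GW2 charon: 08[KNL] adding policy 172.22.0.0/28 === 0.0.0.0/0 fwd",
    "Nov 9 10:56:46 GW2 charon: 08[KNL] using host %any",
    "Nov 9 10:56:46 GW2 charon: 08[KNL] received netlink error: No such process (3)",
    "Nov 9 10:56:46 GW2 charon: 08[KNL] unable to install source route for %any",
    "Nov 9 10:56:46 GW2 charon: 08[IKE] CHILD_SA net2net{1} established with SPIs ccbe182c_i c94ea202_o and TS 0.0.0.0/0 === 172.22.0.0/28",
    "Nov 9 10:56:46 GW2 kernel: not a charon line, must be ignored",
]


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into its charon fields; None for non-charon lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines) -> dict:
    """Walk the log once and collect the facts that matter for a NAT-ed tunnel."""
    s = {"behind_nat": False, "mobike_peer_addrs": [], "ike_sa": None,
         "child_sa": None, "policies": [], "netlink_errors": [],
         "route_failures": [], "ignored": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            s["ignored"] += 1
            continue
        msg = rec["msg"]
        if "local host is behind NAT" in msg:
            s["behind_nat"] = True
            continue
        m = MOBIKE_RE.search(msg)
        if m:
            if m["addr"] not in s["mobike_peer_addrs"]:
                s["mobike_peer_addrs"].append(m["addr"])
            continue
        m = IKE_SA_RE.search(msg)
        if m:
            s["ike_sa"] = m.groupdict()  # charon logs this twice; same data, last wins
            continue
        m = CHILD_SA_RE.search(msg)
        if m:
            s["child_sa"] = m.groupdict()
            continue
        m = POLICY_RE.search(msg)
        if m:
            s["policies"].append((m["src"], m["dst"], m["dir"]))
            continue
        m = NETLINK_RE.search(msg)
        if m:
            s["netlink_errors"].append((m["err"], int(m["code"])))
            continue
        m = ROUTE_RE.search(msg)
        if m:
            s["route_failures"].append(m["src"])
    return s


def verdict(s: dict) -> str:
    """One-line reading of the summary, stating only what the log itself says."""
    if s["child_sa"] is None:
        return "no CHILD_SA established"
    c = s["child_sa"]
    if s["route_failures"]:
        errs = "; ".join("%s (%d)" % e for e in s["netlink_errors"]) or "no netlink error logged"
        return ("CHILD_SA %s up (TS %s === %s) but source route install failed for %s; netlink: %s"
                % (c["name"], c["ts_local"], c["ts_remote"], ", ".join(s["route_failures"]), errs))
    return "CHILD_SA %s up, routes installed" % c["name"]


if __name__ == "__main__":
    print(verdict(summarize(SAMPLE_LOG)))
```

Run it against a full `charondebug` capture (`knl 2` or higher, as in the GW2 config) to get the endpoints, SPIs, installed policies and any route failure in one place; `summarize()` deliberately records only what the log states and leaves the interpretation of why strongSwan chose `%any` as the source for the `0.0.0.0/0` selector to the reader.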