Hello,

because of the NAT situation you must define

  rightsubnet=10.10.124.14/32

on the VPN hub, or, if you have several clients with addresses in the
10.10.0.0/16 network,

  rightsubnetwithin=10.10.0.0/16

The third and best alternative would be for the VPN hub to assign a
virtual IP address to each RA client:

On the VPN hub

  rightsourceip=10.0.3.0/24   # choose any pool you like

and on the RA client

  leftsourceip=%config

Regards

Andreas

On 02/13/2011 08:28 AM, Richard Chan wrote:
> Hello,
>
> I am testing out the Remote access (RA) +PSK configuration. It is
> working if the two devices are routed. But if RA is behind NAT, IKE
> Phase I succeeds, Phase II fails.
>
> From auth.log below, I can see that IKE Phase I succeeds, but then I
> cannot create the Phase II SA. Any suggestions?
>
> moon (the VPN hub)
>
> ipsec.secrets
>
> 192.168.123.12 %any : PSK "secret"
>
> ipsec.conf
>
> conn hub
>     left=192.168.123.12
>     leftsubnet=172.25.12.0/24
>     right=%any
>     authby=secret
>     auto=add
>
> carol (the RA client, behind NAT)
>
> ipsec.secrets
>
> 10.10.124.14 192.168.123.12 : PSK "secret"
>
> ipsec.conf
>
> conn rw
>     left=%defaultroute
>     right=192.168.123.12
>     rightsubnet=172.25.12.0/24
>     authby=secret
>     auto=add
>
>
> auth.log on moon:
>
> Feb 13 15:18:33 vm01 pluto[6774]: | *received 268 bytes from 192.168.123.1:1031 on eth0
> Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [strongSwan]
> Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [XAUTH]
> Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [Dead Peer Detection]
> Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: received Vendor ID payload [RFC 3947]
> Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
> Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> Feb 13 15:18:33 vm01 pluto[6774]: packet from 192.168.123.1:1031: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Feb 13 15:18:33 vm01 pluto[6774]: | preparse_isakmp_policy: peer requests PSK authentication
> Feb 13 15:18:33 vm01 pluto[6774]: | instantiated "hub" for 192.168.123.1
> Feb 13 15:18:33 vm01 pluto[6774]: | creating state object #1 at 0x7fe4f2b2db20
> Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE: 41 51 f8 ff 2a 0a 4a 34
> Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE: 5f 41 53 47 1b fa 54 d7
> Feb 13 15:18:33 vm01 pluto[6774]: | peer: c0 a8 7b 01
> Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
> Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
> Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: responding to Main Mode from unknown peer 192.168.123.1:1031
> Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> Feb 13 15:18:33 vm01 pluto[6774]: |
> Feb 13 15:18:33 vm01 pluto[6774]: | *received 356 bytes from 192.168.123.1:1031 on eth0
> Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE: 41 51 f8 ff 2a 0a 4a 34
> Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE: 5f 41 53 47 1b fa 54 d7
> Feb 13 15:18:33 vm01 pluto[6774]: | peer: c0 a8 7b 01
> Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
> Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R1
> Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: NAT-Traversal: Result using RFC 3947: peer is NATed
> Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
> Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> Feb 13 15:18:33 vm01 pluto[6774]: |
> Feb 13 15:18:33 vm01 pluto[6774]: | *received 76 bytes from 192.168.123.1:4500 on eth0
> Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE: 41 51 f8 ff 2a 0a 4a 34
> Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE: 5f 41 53 47 1b fa 54 d7
> Feb 13 15:18:33 vm01 pluto[6774]: | peer: c0 a8 7b 01
> Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
> Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R2
> Feb 13 15:18:33 vm01 pluto[6774]: "hub"[1] 192.168.123.1:1031 #1: Peer ID is ID_IPV4_ADDR: '10.10.124.14'
> Feb 13 15:18:33 vm01 pluto[6774]: | peer CA: %none
> Feb 13 15:18:33 vm01 pluto[6774]: | offered CA: %none
> Feb 13 15:18:33 vm01 pluto[6774]: | switched from "hub" to "hub"
> Feb 13 15:18:33 vm01 pluto[6774]: | instantiated "hub" for 192.168.123.1
> Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:1031 #1: deleting connection "hub" instance with peer 192.168.123.1 {isakmp=#0/ipsec=#0}
> Feb 13 15:18:33 vm01 pluto[6774]: | NAT-T: new mapping 192.168.123.1:1031/4500)
> Feb 13 15:18:33 vm01 pluto[6774]: | inserting event EVENT_SA_REPLACE, timeout in 10530 seconds for #1
> Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:4500 #1: sent MR3, ISAKMP SA established
> Feb 13 15:18:33 vm01 pluto[6774]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
> Feb 13 15:18:33 vm01 pluto[6774]: |
> Feb 13 15:18:33 vm01 pluto[6774]: | *received 444 bytes from 192.168.123.1:4500 on eth0
> Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE: 41 51 f8 ff 2a 0a 4a 34
> Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE: 5f 41 53 47 1b fa 54 d7
> Feb 13 15:18:33 vm01 pluto[6774]: | peer: c0 a8 7b 01
> Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
> Feb 13 15:18:33 vm01 pluto[6774]: | state object not found
> Feb 13 15:18:33 vm01 pluto[6774]: | ICOOKIE: 41 51 f8 ff 2a 0a 4a 34
> Feb 13 15:18:33 vm01 pluto[6774]: | RCOOKIE: 5f 41 53 47 1b fa 54 d7
> Feb 13 15:18:33 vm01 pluto[6774]: | peer: c0 a8 7b 01
> Feb 13 15:18:33 vm01 pluto[6774]: | state hash entry 25
> Feb 13 15:18:33 vm01 pluto[6774]: | state object #1 found, in STATE_MAIN_R3
> Feb 13 15:18:33 vm01 pluto[6774]: | peer client is 10.10.124.14
> Feb 13 15:18:33 vm01 pluto[6774]: | peer client protocol/port is 0/0
> Feb 13 15:18:33 vm01 pluto[6774]: | our client is subnet 172.25.12.0/24
> Feb 13 15:18:33 vm01 pluto[6774]: | our client protocol/port is 0/0
> Feb 13 15:18:33 vm01 pluto[6774]: "hub"[2] 192.168.123.1:4500 #1: cannot respond to IPsec SA request because no connection is known for 172.25.12.0/24===192.168.123.12:4500[192.168.123.12]...192.168.123.1:4500[10.10.124.14]===10.10.124.14/32
>
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

-- 
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
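The three fixes Andreas lists, written out as complete conn blocks for both peers, as an added example (editor's illustration, not configuration posted in this thread). The addresses are the ones from Richard's post and the 10.0.3.0/24 pool is the one Andreas suggests; everything else is an assumption. The last log line above shows why the original config fails: the NATed client proposes its own pre-NAT address 10.10.124.14/32 as its traffic selector, while the hub's conn, having no rightsubnet, only knows the post-NAT address 192.168.123.1, so no connection matches the Phase II request. Each alternative gives the hub a traffic selector that covers what the client proposes.

```ini
# moon (VPN hub) -- /etc/ipsec.conf
# ipsec.secrets on moon (unchanged from the post):
#   192.168.123.12 %any : PSK "secret"
conn hub
    left=192.168.123.12
    leftsubnet=172.25.12.0/24
    right=%any
    # Alternative 1: exactly one NATed client; name its inner (pre-NAT)
    # address, which is what it proposes as its traffic selector.
    #rightsubnet=10.10.124.14/32
    # Alternative 2 (pluto-only keyword): accept any client whose inner
    # address falls inside 10.10.0.0/16.
    #rightsubnetwithin=10.10.0.0/16
    # Alternative 3 (preferred): assign each client a virtual IP from a pool.
    # Assumption: the pool overlaps neither leftsubnet nor any client LAN.
    rightsourceip=10.0.3.0/24
    authby=secret
    auto=add

# carol (RA client behind NAT) -- /etc/ipsec.conf
# ipsec.secrets on carol (unchanged from the post):
#   10.10.124.14 192.168.123.12 : PSK "secret"
conn rw
    left=%defaultroute
    # Request a virtual IP via IKEv1 ModeConfig; pairs with rightsourceip
    # on the hub. Only needed for alternative 3; leave leftsubnet unset so
    # the assigned virtual address becomes the client's traffic selector.
    leftsourceip=%config
    right=192.168.123.12
    rightsubnet=172.25.12.0/24
    authby=secret
    auto=add
```

Two caveats for anyone applying this today. rightsubnetwithin belongs to the old pluto IKEv1 daemon used in this 2011 thread; with strongSwan 5.x (charon only) use rightsubnet=10.10.0.0/16 instead, which charon narrows to what the client proposes. And with right=%any plus authby=secret in IKEv1 Main Mode, the hub cannot identify the client before the PSK is needed, so every roaming client necessarily shares the same secret; per-client credentials require certificates or an authentication method that identifies the peer first.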
