Hello Andreas,

yes, you are right, but this still doesn't solve the problem. I am still stuck...

Reading some current posts on Apple's discussion forum (for example: http://discussions.apple.com/thread.jspa?threadID=2778039), maybe this is a general problem with iOS > 4.3? So I'm very interested whether anyone has managed to get the iPad 2 (iOS 4.3.1) to connect to strongSwan with one or both sides being NATed. Or maybe someone has managed to connect to Openswan/FreeS/WAN? (The server is on Debian 6.)

Any help is really appreciated!

Thank you
Martin

On 30.03.2011 12:37, Andreas Steffen wrote:
> Hello Martin,
>
> because the responder is NAT-ed you don't have to set
> rightsubnetwithin but
>
> leftsubnetwithin=0.0.0.0/0
>
> Regards
>
> Andreas
>
> On 30.03.2011 09:57, Martin Kellermann wrote:
>> hi,
>>
>> is there still no solution for this?
>>
>> I ran into the same situation as Uli, getting the
>> "cannot respond to IPsec SA request because no connection is known"
>> error.
>>
>> I want the following setup:
>>
>> iPad <-- NOT NATed --> internet <-- DSL router --> strongSwan (NATed)
>>
>> so just the strongSwan server's side is NATed.
>>
>> I recompiled strongSwan (on Debian) with the NAT-T patch enabled and auth.log
>> tells: "including NAT-Traversal patch (Version 0.6c)"
>>
>> ipsec.conf:
>>
>>   config setup
>>       nat_traversal=yes
>>       charonstart=yes
>>       plutostart=yes
>>
>>   conn ipads
>>       authby=psk
>>       pfs=no
>>       rekey=no
>>       type=tunnel
>>       forceencaps=yes
>>       esp=aes128-sha1
>>       ike=aes128-sha-modp1024
>>       left=%defaultroute
>>       leftprotoport=17/1701
>>       right=%any
>>       rightprotoport=17/%any
>>       rightsubnetwithin=0.0.0.0/0
>>       auto=add
>>
>> ipsec.secrets:
>>
>>   192.168.0.251 %any : PSK "xxxxxxxxxx"
>>
>> auth.log:
>>
>> Mar 29 16:39:45 vpn pluto[28437]: loaded PSK secret for 192.168.0.251 %any
>> Mar 29 16:39:45 vpn ipsec_starter[28436]: charon (28444) started after 40 ms
>> Mar 29 16:39:45 vpn pluto[28437]: added connection description "ipads"
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: received Vendor ID payload [RFC 3947]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>> Mar 29 16:39:51 vpn pluto[28437]: packet from 2.206.202.168:500: received Vendor ID payload [Dead Peer Detection]
>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: responding to Main Mode from unknown peer 2.206.202.168
>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: NAT-Traversal: Result using RFC 3947: i am NATed
>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168 #1: Peer ID is ID_IPV4_ADDR: '2.206.202.168'
>> Mar 29 16:39:51 vpn pluto[28437]: | NAT-T: new mapping 2.206.202.168:500/4500)
>> Mar 29 16:39:51 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sent MR3, ISAKMP SA established
>> Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: cannot respond to IPsec SA request because no connection is known for 188.101.67.77/32===192.168.0.251:4500[192.168.0.251]:17/1701...2.206.202.168:4500[2.206.202.168]:17/%any
>> Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_ID_INFORMATION to 2.206.202.168:4500
>> Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:39:55 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:39:58 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:01 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:01 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:04 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:04 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:07 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:07 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:10 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:10 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:13 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:13 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:16 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:16 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xcf9299e3 (perhaps this is a duplicated packet)
>> Mar 29 16:40:19 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: sending encrypted notification INVALID_MESSAGE_ID to 2.206.202.168:4500
>> Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: received Delete SA payload: deleting ISAKMP State #1
>> Mar 29 16:40:23 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500: deleting connection "ipads" instance with peer 2.206.202.168 {isakmp=#0/ipsec=#0}
>> Mar 29 16:40:23 vpn pluto[28437]: ERROR: asynchronous network error report on eth0 for message to 2.206.202.168 port 4500, complainant 2.206.202.168: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
>>
>> any ideas?
>>
>> regards
>>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
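The "no connection is known for ..." line in the quoted auth.log carries the whole diagnosis: the client side the iPad proposes for the responder is 188.101.67.77/32 (the router's public address, because the responder is NATed), while the conn's left host resolves to 192.168.0.251. Since the conn only widens the right side (rightsubnetwithin) and not the left, pluto finds no conn whose left side covers 188.101.67.77/32, which is exactly why Andreas points at leftsubnetwithin=0.0.0.0/0. The script below is an added example, not code from this thread or from the strongSwan project: it parses that pluto log line and a minimal ipsec.conf and checks each side of the rejected proposal against the conn, once as posted and once with Andreas' change. The matching rule it applies is a deliberate simplification of pluto's real instantiation logic (an assumption, documented in the docstring), and it takes the left host from the log line itself, which is what pluto resolved left=%defaultroute to.

```python
"""Added example (not code from the thread or from strongSwan): explain why pluto
logs "cannot respond to IPsec SA request because no connection is known", by
checking the Quick Mode proposal in that line against the conn in ipsec.conf.

Assumption: pluto's matching is modelled here in simplified form. For each side
the requested client subnet must equal the configured *subnet, or be the host
itself when no *subnet is set, or fall inside *subnetwithin.
"""
import ipaddress
import re

# Log line quoted in the thread: the left client 188.101.67.77/32 is the
# responder's public (NAT) address, while the left host itself is 192.168.0.251.
SAMPLE_LINE = (
    'Mar 29 16:39:53 vpn pluto[28437]: "ipads"[1] 2.206.202.168:4500 #1: '
    "cannot respond to IPsec SA request because no connection is known for "
    "188.101.67.77/32===192.168.0.251:4500[192.168.0.251]:17/1701"
    "...2.206.202.168:4500[2.206.202.168]:17/%any"
)

# The conn as posted in the thread (trimmed to the keys that matter here)
# and the same conn with Andreas' change applied.
BROKEN_CONF = """
conn ipads
    authby=psk
    type=tunnel
    forceencaps=yes
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    rightsubnetwithin=0.0.0.0/0
    auto=add
"""
FIXED_CONF = BROKEN_CONF.replace("rightsubnetwithin=0.0.0.0/0",
                                 "leftsubnetwithin=0.0.0.0/0")

# pluto prints the rejected proposal as
#   [lnet===]lhost:port[id]:proto/port...[rnet===]rhost:port[id]:proto/port
NO_CONN_RE = re.compile(
    r"no connection is known for "
    r"(?:(?P<lnet>[\d.]+/\d+)===)?(?P<lhost>[\d.]+):(?P<lport>\d+)\[[^\]]*\]"
    r":(?P<lproto>\d+)/(?P<lpp>[^.\s]+)\.\.\."
    r"(?:(?P<rnet>[\d.]+/\d+)===)?(?P<rhost>[\d.]+):(?P<rport>\d+)\[[^\]]*\]"
    r":(?P<rproto>\d+)/(?P<rpp>\S+)"
)


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} from the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_no_connection(line):
    """Extract both sides of the rejected proposal; None if the line is not that error."""
    m = NO_CONN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for side in ("l", "r"):
        # No "net===" prefix means the endpoint's client is the host itself.
        if d[side + "net"] is None:
            d[side + "net"] = d[side + "host"] + "/32"
    return d


def side_matches(conn, side, requested_net, host_ip):
    """Simplified pluto match for one side ('left'/'right'); returns (ok, reason)."""
    req = ipaddress.ip_network(requested_net, strict=False)
    subnet = conn.get(side + "subnet")
    within = conn.get(side + "subnetwithin")
    if subnet:
        if req == ipaddress.ip_network(subnet, strict=False):
            return True, f"{side}subnet={subnet} matches"
    elif req == ipaddress.ip_network(host_ip + "/32"):
        return True, f"requested {side} client is the {side} host {host_ip}"
    if within and req.subnet_of(ipaddress.ip_network(within, strict=False)):
        return True, f"{requested_net} lies within {side}subnetwithin={within}"
    return False, (f"requested {side} client {requested_net} is neither the {side} host "
                   f"{host_ip} nor covered by {side}subnet/{side}subnetwithin")


def diagnose(conn, line):
    """Return {'left': (ok, reason), 'right': (ok, reason)} for a no-connection line."""
    d = parse_no_connection(line)
    if d is None:
        return None
    return {
        "left": side_matches(conn, "left", d["lnet"], d["lhost"]),
        "right": side_matches(conn, "right", d["rnet"], d["rhost"]),
    }


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_CONF),
                        ("with leftsubnetwithin=0.0.0.0/0", FIXED_CONF)):
        conn = parse_ipsec_conf(text)["ipads"]
        for side, (ok, why) in diagnose(conn, SAMPLE_LINE).items():
            print(f"{label}: {side}: {'OK' if ok else 'NO MATCH'} - {why}")
```

Run as posted, the left side reports no match (188.101.67.77/32 is neither the left host 192.168.0.251 nor inside any leftsubnet/leftsubnetwithin) while the right side matches, and with leftsubnetwithin=0.0.0.0/0 both sides match. The same check can be pointed at any "no connection is known for" line from pluto to see which side of the proposal the configuration fails to cover before touching ipsec.conf.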
