Hi!

I have set up strongSwan 5.0.1 with certificate authentication. The tunnel creation works fine, and if the iPhone is behind NAT, strongSwan detects the NAT, uses port 4500 and everything works fine.

But if the iPhone is not behind NAT, the tunnel creation works fine, but then, if I want to surf on the iPhone, it does not work. Attached is the output of "tail -f /var/log/syslog|grep charon" multiplexed with "tcpdump -i any -n port 500 or 4500 or host 192.168.102.2":

There is some traffic after the tunnel is created, but what kind of traffic is this? "real" traffic or some "keep alive" traffic?

Any ideas why it does not work when the client uses a public IP address?

Is it possible to force "NAT" behavior also if clients are not behind NAT?

Any hints are appreciated.

Thanks
Klaus


# ipsec.conf - strongSwan IPsec configuration file
##################################################
config setup
        charondebug=all

conn RoadWarrior-CiscoIPsec-klaus
        type=tunnel
        dpdaction=clear
        dpddelay=60
        dpdtimeout=60
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsourceip=192.168.102.2
        rightcert=clientCert.pem
        auto=add


# strongswan.conf - strongSwan configuration file
#################################################
charon {
        threads = 16
        dns1=192.168.99.1
}


### starting VPN on the iPhone

13:16:10.265524 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 1 I ident
Dec 28 13:16:10 ds3000 charon: 16[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:10 ds3000 charon: 16[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V ]
Dec 28 13:16:10 ds3000 charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
13:16:10.267013 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 1 R ident
Dec 28 13:16:10 ds3000 charon: 16[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received XAuth vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received Cisco Unity vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] received DPD vendor ID
Dec 28 13:16:10 ds3000 charon: 16[IKE] 151.217.223.75 is initiating a Main Mode IKE_SA
Dec 28 13:16:10 ds3000 charon: 16[ENC] generating ID_PROT response 0 [ SA V V V ]
Dec 28 13:16:10 ds3000 charon: 16[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:10.530963 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 1 I ident
Dec 28 13:16:10 ds3000 charon: 14[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:10 ds3000 charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 28 13:16:10 ds3000 charon: 14[IKE] sending cert request for "C=CH, O=MY.DOMAIN strongSwan, CN=MY.DOMAIN strongSwan CA"
Dec 28 13:16:10 ds3000 charon: 14[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Dec 28 13:16:10 ds3000 charon: 14[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:10.557742 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 1 R ident
13:16:11.555726 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 1 I ident[E]
Dec 28 13:16:11 ds3000 charon: 11[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:11 ds3000 charon: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
Dec 28 13:16:11 ds3000 charon: 11[IKE] ignoring certificate request without data
Dec 28 13:16:11 ds3000 charon: 11[IKE] received end entity cert "C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus"
Dec 28 13:16:11 ds3000 charon: 11[CFG] looking for XAuthInitRSA peer configs matching MY.IPSEC.SER.VER...151.217.223.75[C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus]
Dec 28 13:16:11 ds3000 charon: 11[CFG] selected peer config "RoadWarrior-CiscoIPsec-klaus"
Dec 28 13:16:11 ds3000 charon: 11[CFG]   using trusted ca certificate "C=CH, O=MY.DOMAIN strongSwan, CN=MY.DOMAIN strongSwan CA"
Dec 28 13:16:11 ds3000 charon: 11[CFG] checking certificate status of "C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus"
Dec 28 13:16:11 ds3000 charon: 11[CFG] certificate status is not available
Dec 28 13:16:11 ds3000 charon: 11[CFG]   reached self-signed root ca with a path length of 0
Dec 28 13:16:11 ds3000 charon: 11[CFG]   using trusted certificate "C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus"
Dec 28 13:16:11 ds3000 charon: 11[IKE] authentication of 'C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus' with RSA successful
Dec 28 13:16:11 ds3000 charon: 11[IKE] authentication of 'C=CH, O=MY.DOMAIN strongSwan VPN, CN=MY.DOMAIN' (myself) successful
Dec 28 13:16:11 ds3000 charon: 11[IKE] sending end entity cert "C=CH, O=MY.DOMAIN strongSwan VPN, CN=MY.DOMAIN"
Dec 28 13:16:11 ds3000 charon: 11[ENC] generating ID_PROT response 0 [ ID CERT SIG ]
Dec 28 13:16:11 ds3000 charon: 11[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:11.566784 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 1 R ident[E]
Dec 28 13:16:11 ds3000 charon: 11[ENC] generating TRANSACTION request 1459394581 [ HASH CP ]
Dec 28 13:16:11 ds3000 charon: 11[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:11.567165 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R #6[E]
13:16:11.930631 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I #6[E]
13:16:11.930937 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R #6[E]
Dec 28 13:16:11 ds3000 charon: 15[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:11 ds3000 charon: 15[ENC] parsed TRANSACTION response 1459394581 [ HASH CP ]
Dec 28 13:16:11 ds3000 charon: 15[IKE] XAuth authentication of 'klaus' successful
Dec 28 13:16:11 ds3000 charon: 15[ENC] generating TRANSACTION request 2063302200 [ HASH CP ]
Dec 28 13:16:11 ds3000 charon: 15[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:12.062785 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I #6[E]
13:16:12.062799 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I #6[E]
Dec 28 13:16:12 ds3000 charon: 03[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
13:16:12.063686 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R #6[E]
Dec 28 13:16:12 ds3000 charon: 03[ENC] parsed TRANSACTION response 2063302200 [ HASH CP ]
Dec 28 13:16:12 ds3000 charon: 03[IKE] IKE_SA RoadWarrior-CiscoIPsec-klaus[7] established between MY.IPSEC.SER.VER[C=CH, O=MY.DOMAIN strongSwan VPN, CN=MY.DOMAIN]...151.217.223.75[C=US, O=MY.DOMAIN strongSwan VPN, CN=client klaus]
Dec 28 13:16:12 ds3000 charon: 03[IKE] scheduling reauthentication in 10229s
Dec 28 13:16:12 ds3000 charon: 03[IKE] maximum IKE_SA lifetime 10769s
Dec 28 13:16:12 ds3000 charon: 03[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:12 ds3000 charon: 03[ENC] unknown attribute type (28683)
Dec 28 13:16:12 ds3000 charon: 03[ENC] parsed TRANSACTION request 4096269604 [ HASH CP ]
Dec 28 13:16:12 ds3000 charon: 03[IKE] peer requested virtual IP %any
Dec 28 13:16:12 ds3000 charon: 03[CFG] reassigning offline lease to 'klaus'
Dec 28 13:16:12 ds3000 charon: 03[IKE] assigning virtual IP 192.168.102.2 to peer 'klaus'
Dec 28 13:16:12 ds3000 charon: 03[ENC] generating TRANSACTION response 4096269604 [ HASH CP ]
Dec 28 13:16:12 ds3000 charon: 03[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:12.230672 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I oakley-quick[E]
13:16:12.231252 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R oakley-quick[E]
Dec 28 13:16:12 ds3000 charon: 01[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:12 ds3000 charon: 01[ENC] parsed QUICK_MODE request 2753132480 [ HASH SA No ID ID ]
Dec 28 13:16:12 ds3000 charon: 01[ENC] generating QUICK_MODE response 2753132480 [ HASH SA No ID ID ]
Dec 28 13:16:12 ds3000 charon: 01[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:16:12.305790 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I oakley-quick[E]
Dec 28 13:16:12 ds3000 charon: 13[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:16:12 ds3000 charon: 13[ENC] parsed QUICK_MODE request 2753132480 [ HASH ]
Dec 28 13:16:12 ds3000 charon: 13[IKE] CHILD_SA RoadWarrior-CiscoIPsec-klaus{7} established with SPIs c2e60017_i 00857b31_o and TS 0.0.0.0/0 === 192.168.102.2/32

### tunnel was created successfully

### now doing nothing on the client, waiting for DPD

13:17:12.063615 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]
Dec 28 13:17:12 ds3000 charon: 12[IKE] sending DPD request
Dec 28 13:17:12 ds3000 charon: 12[ENC] generating INFORMATIONAL_V1 request 3313085811 [ HASH N(DPD) ]
Dec 28 13:17:12 ds3000 charon: 12[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:17:12.223312 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:17:12 ds3000 charon: 02[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:17:12 ds3000 charon: 02[ENC] parsed INFORMATIONAL_V1 request 2999607135 [ HASH N(DPD_ACK) ]

### it seems DPD works fine

### now starting the web browser on the iPhone and checking emails on the iPhone

13:17:32.289868 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
13:17:32.290474 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]
Dec 28 13:17:32 ds3000 charon: 03[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:17:32 ds3000 charon: 03[ENC] parsed INFORMATIONAL_V1 request 2805476239 [ HASH N(DPD) ]
Dec 28 13:17:32 ds3000 charon: 03[ENC] generating INFORMATIONAL_V1 request 1836150469 [ HASH N(DPD_ACK) ]
Dec 28 13:17:32 ds3000 charon: 03[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]

13:17:51.383557 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:17:51 ds3000 charon: 01[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:17:51 ds3000 charon: 01[ENC] parsed INFORMATIONAL_V1 request 2896228455 [ HASH N(DPD) ]
Dec 28 13:17:51 ds3000 charon: 01[ENC] generating INFORMATIONAL_V1 request 3272131721 [ HASH N(DPD_ACK) ]
Dec 28 13:17:51 ds3000 charon: 01[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:17:51.384221 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]

13:18:11.603111 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:18:11 ds3000 charon: 13[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:18:11 ds3000 charon: 13[ENC] parsed INFORMATIONAL_V1 request 2435256353 [ HASH N(DPD) ]
Dec 28 13:18:11 ds3000 charon: 13[ENC] generating INFORMATIONAL_V1 request 1970616359 [ HASH N(DPD_ACK) ]
Dec 28 13:18:11 ds3000 charon: 13[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:18:11.603817 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]

13:18:31.676626 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:18:31 ds3000 charon: 11[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
Dec 28 13:18:31 ds3000 charon: 11[ENC] parsed INFORMATIONAL_V1 request 3672642392 [ HASH N(DPD) ]
Dec 28 13:18:31 ds3000 charon: 11[ENC] generating INFORMATIONAL_V1 request 382103556 [ HASH N(DPD_ACK) ]
Dec 28 13:18:31 ds3000 charon: 11[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]
13:18:31.677332 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]

13:18:51.826454 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:18:51 ds3000 charon: 15[NET] received packet: from 151.217.223.75[500] to MY.IPSEC.SER.VER[500]
13:18:51.827100 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]
Dec 28 13:18:51 ds3000 charon: 15[ENC] parsed INFORMATIONAL_V1 request 2379163917 [ HASH N(DPD) ]
Dec 28 13:18:51 ds3000 charon: 15[ENC] generating INFORMATIONAL_V1 request 3939530675 [ HASH N(DPD_ACK) ]
Dec 28 13:18:51 ds3000 charon: 15[NET] sending packet: from MY.IPSEC.SER.VER[500] to 151.217.223.75[500]

### there is some traffic, but what kind of traffic is this? "real" traffic or some "keep alive" traffic?
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
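Added worked example (editor's code, not part of the post above and not strongSwan's own tooling): a small classifier that runs over charon/tcpdump lines of the shape shown in the post and answers the question the post asks about the traffic after the CHILD_SA is established. The lines it recognises (`INFORMATIONAL_V1 ... [ HASH N(DPD) ]`, `N(DPD_ACK)`, `CHILD_SA ... established with SPIs`, `isakmp: phase ...`) are exactly the ones visible in the post; the two ESP lines in the second sample are constructed by the editor to show what tcpdump prints for raw ESP (`ESP(spi=...)`) and UDP-encapsulated ESP (`UDP-encap: ESP(spi=...)`) and are not from the post's capture. The security-relevant caveat the script encodes: a BPF filter such as `port 500 or 4500 or host 192.168.102.2` matches UDP/TCP ports and the outer IP addresses only, so raw ESP (IP protocol 50) between the two public addresses, which is what a non-NAT client sends, can never appear in that capture; seeing only IKE on the wire therefore does not by itself prove the client sends no data.

```python
"""Classify post-establishment IKEv1 traffic: DPD keepalives versus ESP data.

Added example, not from the original mailing-list post. The sample log lines
below are constructed from the shape of the post's charon/tcpdump output.
"""
import re
from collections import Counter

# Constructed sample: a short excerpt in the format of the post's log (charon
# syslog lines interleaved with tcpdump lines). Only IKE is visible here.
SAMPLE_LOG = """\
Dec 28 13:16:12 ds3000 charon: 13[IKE] CHILD_SA RoadWarrior-CiscoIPsec-klaus{7} established with SPIs c2e60017_i 00857b31_o and TS 0.0.0.0/0 === 192.168.102.2/32
13:17:12.063615 IP MY.IPSEC.SER.VER.500 > 151.217.223.75.500: isakmp: phase 2/others R inf[E]
Dec 28 13:17:12 ds3000 charon: 12[ENC] generating INFORMATIONAL_V1 request 3313085811 [ HASH N(DPD) ]
Dec 28 13:17:12 ds3000 charon: 02[ENC] parsed INFORMATIONAL_V1 request 2999607135 [ HASH N(DPD_ACK) ]
13:17:32.289868 IP 151.217.223.75.500 > MY.IPSEC.SER.VER.500: isakmp: phase 2/others I inf[E]
Dec 28 13:17:32 ds3000 charon: 03[ENC] parsed INFORMATIONAL_V1 request 2805476239 [ HASH N(DPD) ]
Dec 28 13:17:32 ds3000 charon: 03[ENC] generating INFORMATIONAL_V1 request 1836150469 [ HASH N(DPD_ACK) ]
"""

# Constructed: the same excerpt plus two tcpdump lines of the form tcpdump
# prints for raw ESP (IP proto 50) and for UDP-encapsulated ESP on port 4500.
# Neither line is in the post; they show what data traffic would look like.
SAMPLE_WITH_DATA = SAMPLE_LOG + """\
13:17:40.000001 IP 151.217.223.75 > MY.IPSEC.SER.VER: ESP(spi=0xc2e60017,seq=0x1), length 116
13:17:40.000002 IP 151.217.223.75.4500 > MY.IPSEC.SER.VER.4500: UDP-encap: ESP(spi=0xc2e60017,seq=0x2), length 116
"""

# Ordered patterns; the first match wins.
LINE_CLASSES = [
    ("child_sa_established", re.compile(r"CHILD_SA \S+ established with SPIs")),
    ("dpd_request", re.compile(r"INFORMATIONAL_V1 request \d+ \[ HASH N\(DPD\) \]")),
    ("dpd_ack", re.compile(r"INFORMATIONAL_V1 request \d+ \[ HASH N\(DPD_ACK\) \]")),
    ("esp_udp_encap", re.compile(r"UDP-encap: ESP\(spi=")),
    ("esp_raw", re.compile(r"> [\w.]+: ESP\(spi=")),
    ("ike_on_wire", re.compile(r"isakmp: phase")),
]

# A capture filter that also sees raw ESP: "port N" in BPF matches only
# TCP/UDP ports, so non-encapsulated ESP needs "ip proto 50" explicitly.
CAPTURE_FILTER = "udp port 500 or udp port 4500 or ip proto 50"


def classify_line(line):
    """Return the class name for one log/capture line, or None if unrecognised."""
    for name, pattern in LINE_CLASSES:
        if pattern.search(line):
            return name
    return None


def summarize(text):
    """Count line classes and give a verdict on what the post-tunnel traffic is.

    'keepalive_only' means every recognised packet after the CHILD_SA was an
    IKE exchange (DPD R_U_THERE / R_U_THERE_ACK); 'data' means ESP was seen.
    """
    counts = Counter()
    for line in text.splitlines():
        cls = classify_line(line)
        if cls:
            counts[cls] += 1
    esp_seen = counts["esp_raw"] + counts["esp_udp_encap"]
    if esp_seen:
        verdict = "data"
    elif counts["dpd_request"] or counts["dpd_ack"]:
        verdict = "keepalive_only"
    else:
        verdict = "no_traffic"
    return {"counts": dict(counts), "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("post excerpt", SAMPLE_LOG), ("with ESP", SAMPLE_WITH_DATA)):
        result = summarize(sample)
        print(f"{label}: verdict={result['verdict']} counts={result['counts']}")
    print("suggested capture filter:", CAPTURE_FILTER)
```

On the post's own excerpt the verdict is `keepalive_only`: every exchange after `CHILD_SA ... established` is an `INFORMATIONAL_V1` with `N(DPD)` answered by `N(DPD_ACK)`, i.e. the DPD probes configured by `dpddelay=60` on the server and the iPhone's own 20-second probes, not user data. To tell whether the client actually sends ESP when it is not behind NAT, re-run tcpdump with `CAPTURE_FILTER` (or `esp`/`ip proto 50` added to the original filter) and check the kernel SA counters with `ip -s xfrm state`, which show bytes per SPI regardless of encapsulation. (strongSwan's ipsec.conf also has a per-conn `forceencaps=yes` option that requests UDP encapsulation even when no NAT is detected; whether the iOS client honours it is not something the post's log shows.)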
