Hello all,

We are using strongswan with l2tp (using xl2tpd) to provide VPN services for 
our department.  It works great with a client that has a public IP: the ipsec 
connection is made and then xl2tpd kicks in to provide the tunnel.  Our issue 
here is when we have clients behind a NAT; in the logs we can see the ipsec 
connection getting created, and then it just times out.

We tried a couple of things, disabling the firewall and a few other options, but to 
no avail; any help on this would be much appreciated.

Sincerely, 
Kailesh Mussai

Below is our config:

config setup
    charonstart = yes

conn %default
    keyingtries = 3
    ikelifetime = 3h
    keylife = 1h

conn roadwarrior-l2tp
    rightprotoport = 17/%any
    also = roadwarrior

conn roadwarrior-l2tp-updatedwin
    rightprotoport = 17/1701
    also = roadwarrior

conn roadwarrior
    authby = secret
    auto = add
    type = transport
    left = <public IP here>
    leftprotoport = 17/1701
    right = %any
    rightsubnet = 0.0.0.0/0


Our logs show:

May  1 16:56:15 new_vpn charon: 12[IKE] received NAT-T (RFC 3947) vendor ID
    snip ....
May  1 16:56:15 new_vpn charon: 12[IKE] 132.206.54.14 is initiating a Main Mode IKE_SA
May  1 16:56:15 new_vpn charon: 12[ENC] generating ID_PROT response 0 [ SA V V V ]
May  1 16:56:15 new_vpn charon: 12[NET] sending packet: from <public_ip>[500] to <public_ip>[500]
May  1 16:56:15 new_vpn charon: 15[NET] received packet: from <public_ip>[500] to <public_ip>[500]
May  1 16:56:15 new_vpn charon: 15[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
May  1 16:56:16 new_vpn charon: 15[IKE] remote host is behind NAT
May  1 16:56:16 new_vpn charon: 15[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May  1 16:56:16 new_vpn charon: 15[NET] sending packet: from <public_ip>[500] to <public_ip>[500]
May  1 16:56:16 new_vpn charon: 03[NET] received packet: from <public_ip>[4500] to <public_ip>[4500]
May  1 16:56:16 new_vpn charon: 03[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
May  1 16:56:16 new_vpn charon: 03[CFG] looking for pre-shared key peer configs matching <public_ip>...<public_ip>[10.0.14.4]
May  1 16:56:16 new_vpn charon: 03[CFG] selected peer config "roadwarrior-l2tp"
May  1 16:56:16 new_vpn charon: 03[IKE] IKE_SA roadwarrior-l2tp[9] established between [<public_ip>]...<public_ip>[10.0.14.4]
May  1 16:56:16 new_vpn charon: 03[IKE] scheduling reauthentication in 10144s
May  1 16:56:16 new_vpn charon: 03[IKE] maximum IKE_SA lifetime 10684s
May  1 16:56:16 new_vpn charon: 03[ENC] generating ID_PROT response 0 [ ID HASH ]
    snip ....
May  1 16:56:17 new_vpn charon: 01[ENC] parsed QUICK_MODE request 3956378091 [ HASH SA No ID ID NAT-OA NAT-OA ]
May  1 16:56:17 new_vpn charon: 01[ENC] generating QUICK_MODE response 3956378091 [ HASH SA No ID ID NAT-OA NAT-OA ]
    snip ....
May  1 16:56:17 new_vpn charon: 02[NET] received packet: from <public_ip>[4500] to <public_ip>[4500]
May  1 16:56:17 new_vpn charon: 02[ENC] parsed QUICK_MODE request 3956378091 [ HASH ]
May  1 16:56:17 new_vpn charon: 02[IKE] CHILD_SA roadwarrior{9} established with SPIs cd43abd1_i 005f3e0d_o and TS <public_ip>/32[udp/l2tp] === 10.0.14.4/32[udp/62083]
May  1 16:56:37 new_vpn charon: 11[NET] received packet: from <public_ip>[4500] to <public_ip>[4500]
May  1 16:56:37 new_vpn charon: 11[ENC] parsed INFORMATIONAL_V1 request 2915905331 [ HASH D ]
May  1 16:56:37 new_vpn charon: 11[IKE] received DELETE for ESP CHILD_SA with SPI 005f3e0d
May  1 16:56:37 new_vpn charon: 11[IKE] closing CHILD_SA roadwarrior{9} with SPIs cd43abd1_i (553 bytes) 005f3e0d_o (0 bytes) and TS <public_ip>/32[udp/l2tp] === 10.0.14.4/32[udp/62083]
May  1 16:56:37 new_vpn charon: 16[NET] received packet: from <public_ip>[4500] to <public_ip>[4500]
May  1 16:56:37 new_vpn charon: 16[ENC] parsed INFORMATIONAL_V1 request 3137403066 [ HASH D ]
May  1 16:56:37 new_vpn charon: 16[IKE] received DELETE for IKE_SA roadwarrior-l2tp[9]
May  1 16:56:37 new_vpn charon: 16[IKE] deleting IKE_SA roadwarrior-l2tp[9] between <public_ip>[<public_ip>]...<public_ip>[10.0.14.4]
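One way to pull the decisive fact out of charon logs like the ones above, added here as example code (not strongSwan's and not the poster's): the "closing CHILD_SA" line reports 553 bytes inbound and 0 bytes outbound, so the NATed client's L2TP packets were received through the tunnel but nothing was ever sent back before the peer deleted the SA 20 seconds later. The script below parses the establish/close pair and flags SAs with that profile; the sample lines are copied from the post (placeholders kept) and the 60-second window is an assumed threshold.

```python
import re
from datetime import datetime

# Constructed sample: three charon lines copied from the post above (placeholders kept).
SAMPLE_LOG = """\
May  1 16:56:16 new_vpn charon: 15[IKE] remote host is behind NAT
May  1 16:56:17 new_vpn charon: 02[IKE] CHILD_SA roadwarrior{9} established with SPIs cd43abd1_i 005f3e0d_o and TS <public_ip>/32[udp/l2tp] === 10.0.14.4/32[udp/62083]
May  1 16:56:37 new_vpn charon: 11[IKE] closing CHILD_SA roadwarrior{9} with SPIs cd43abd1_i (553 bytes) 005f3e0d_o (0 bytes) and TS <public_ip>/32[udp/l2tp] === 10.0.14.4/32[udp/62083]
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (.*)$")
EST_RE = re.compile(r"CHILD_SA (\S+\{\d+\}) established with SPIs \w+_i \w+_o and TS (.*)")
CLOSE_RE = re.compile(r"closing CHILD_SA (\S+\{\d+\}) with SPIs \w+_i \((\d+) bytes\) \w+_o \((\d+) bytes\)")

def parse_stamp(stamp):
    # syslog stamps carry no year; a fixed one is enough for differences within a day
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def triage(log_text, max_life=60):
    """Flag CHILD_SAs torn down within max_life seconds that carried traffic in
    but none out: the peer's L2TP packets were decrypted, yet nothing was sent back."""
    behind_nat = False
    opened = {}      # SA name -> (established time, traffic selectors)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, msg = m.groups()
        if "remote host is behind NAT" in msg:
            behind_nat = True
        est = EST_RE.search(msg)
        if est:
            opened[est.group(1)] = (parse_stamp(stamp), est.group(2))
            continue
        closed = CLOSE_RE.search(msg)
        if closed and closed.group(1) in opened:
            t0, ts = opened.pop(closed.group(1))
            life = (parse_stamp(stamp) - t0).total_seconds()
            bytes_in, bytes_out = int(closed.group(2)), int(closed.group(3))
            if life <= max_life and bytes_in > 0 and bytes_out == 0:
                findings.append({
                    "sa": closed.group(1), "lifetime_s": life,
                    "bytes_in": bytes_in, "bytes_out": bytes_out,
                    "behind_nat": behind_nat,
                    # right-hand selector: the client's private address and NATed source port
                    "client_ts": ts.split(" === ")[1],
                })
    return findings
```

Run `triage(SAMPLE_LOG)` (or feed it the full charon log) to get one finding per SA that matches this pattern; a non-empty result points at what happens to the decrypted L2TP traffic on the server rather than at the IKE exchange itself.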


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
