Hi Everyone,
I would appreciate it if someone could help me with a configuration issue that I am
facing.
I have a Linux machine running strongSwan 5.0.4-1. That machine gets
connected to the internet via a modem (3G GSM, AT&T) and it gets a different IP
address every time it connects (like 10.227.110.112). Of course this is not the
public address; it is behind the AT&T firewall/NAT.
I want to connect my machine to my remote server, which has a public IP address
(host-to-host).
Since my left IP address keeps changing, can I use %any for left?
I used the following ipsec.conf (ipsec start ran without error):
version 2

config setup
    charondebug="ike 2,knl 2"

conn 1
    keylife=60m
    rekeymargin=9m
    keyingtries=1
    keyexchange=ikev1
    left=%any
    right=216.177.93.234
    authby=secret
    auto=add
    leftid="@lmu55"
    rightid="@lmudiag"
    leftfirewall=yes
    type=tunnel
When I try to connect I can see IKE_SA 1 established between the two machines:
IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
but after that it keeps retransmitting keepalive packets to the remote machine on
port 4500, and after 5 retries it fails with the following error:
sending keep alive to 216.177.93.234[4500]
giving up after 5 retransmits
unable to delete SAD entry with SPI c027d68a: No such process (3)
establishing connection '1' failed
At the end I put the whole data captured from my machine for your review.
I would truly appreciate it if someone could help me with this.
The other end runs Openswan on a CentOS 5.8 machine. Is there any strongSwan
package available for CentOS?
The other end is also behind a firewall/NAT and its eth0 address is 10.0.12.34,
which never changes.
Just to mention, in ipsec.conf on the strongSwan machine, if I put the current IP
address in left= instead of %any I get the same result.
Thanks,
Farid
root@LMU5k:~# ipsec up 1
initiating Main Mode IKE_SA 1[1] to 216.177.93.234
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 10.227.110.112[500] to 216.177.93.234[500] (224 bytes)
received packet: from 216.177.93.234[500] to 10.227.110.112[500] (140 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.227.110.112[500] to 216.177.93.234[500] (372 bytes)
received packet: from 216.177.93.234[500] to 10.227.110.112[500] (356 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (76 bytes)
received packet: from 216.177.93.234[4500] to 10.227.110.112[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
scheduling reauthentication in 10233s
maximum IKE_SA lifetime 10773s
generating QUICK_MODE request 1438687057 [ HASH SA No ]
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 1 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 2 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 3 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending keep alive to 216.177.93.234[4500]
sending retransmit 4 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending keep alive to 216.177.93.234[4500]
sending keep alive to 216.177.93.234[4500]
sending retransmit 5 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending keep alive to 216.177.93.234[4500]
sending keep alive to 216.177.93.234[4500]
sending keep alive to 216.177.93.234[4500]
giving up after 5 retransmits
unable to delete SAD entry with SPI c027d68a: No such process (3)
establishing connection '1' failed
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
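As an added example (not part of the original post, and not strongSwan's own tooling), the script below walks charon output of the kind quoted above and reports which IKEv1 phase stalled: whether the NAT-T vendor ID was seen, whether NAT-D detected NAT on either side, whether the exchange floated to UDP 4500, whether the IKE_SA (Phase 1) was established, and how many Quick Mode (Phase 2) requests went out versus how many answers came back. The sample log is a constructed, abbreviated copy of the output in the post; the regexes and the field names in the summary are this example's own choices.

```python
import re

# Constructed sample: an abbreviated copy of the charon output quoted in the post.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA 1[1] to 216.177.93.234
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 10.227.110.112[500] to 216.177.93.234[500] (224 bytes)
received packet: from 216.177.93.234[500] to 10.227.110.112[500] (140 bytes)
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.227.110.112[500] to 216.177.93.234[500] (372 bytes)
received packet: from 216.177.93.234[500] to 10.227.110.112[500] (356 bytes)
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (76 bytes)
received packet: from 216.177.93.234[4500] to 10.227.110.112[4500] (76 bytes)
IKE_SA 1[1] established between 10.227.110.112[lmu55]...216.177.93.234[lmudiag]
generating QUICK_MODE request 1438687057 [ HASH SA No ]
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending retransmit 1 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
sending keep alive to 216.177.93.234[4500]
sending retransmit 5 of request message ID 1438687057, seq 4
sending packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)
giving up after 5 retransmits
establishing connection '1' failed
"""

# Patterns for the charon lines the analysis cares about (this example's own regexes).
SEND_RE = re.compile(r"^sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\] \(\d+ bytes\)")
RECV_RE = re.compile(r"^received packet: from \S+\[(\d+)\] to \S+\[(\d+)\] \(\d+ bytes\)")
RETRANSMIT_RE = re.compile(r"^sending retransmit (\d+) of request message ID (\d+)")
GIVE_UP_RE = re.compile(r"^giving up after (\d+) retransmits")


def diagnose(s):
    """Map the counters to a coarse verdict; the log alone cannot say *why* a peer is silent."""
    if not s["phase1_established"]:
        return "phase1_failed"
    if s["quick_mode_sent"] and s["quick_mode_received"] == 0:
        return "phase2_no_response"
    if s["failed"]:
        return "phase2_failed_with_response"
    return "ok"


def analyse_ikev1_log(text):
    """Walk charon output in order and summarise where the IKEv1 handshake stalled.
    Only two phases are tracked: Main Mode (ID_PROT) and Quick Mode."""
    phase = "main_mode"
    s = {
        "nat_t_vendor_id": False, "local_behind_nat": False, "remote_behind_nat": False,
        "floated_to_4500": False, "phase1_established": False,
        "quick_mode_sent": 0, "quick_mode_received": 0, "keepalives": 0,
        "retransmits": 0, "gave_up_after": None, "failed": False,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if "NAT-T" in line and "vendor ID" in line:
            s["nat_t_vendor_id"] = True
        elif line.startswith("local host is behind NAT"):
            s["local_behind_nat"] = True
        elif line.startswith("remote host is behind NAT"):
            s["remote_behind_nat"] = True
        elif "IKE_SA" in line and "established" in line:
            s["phase1_established"] = True
        elif line.startswith("generating QUICK_MODE request"):
            phase = "quick_mode"          # everything sent from here on is Phase 2
        elif line.startswith("sending keep alive"):
            s["keepalives"] += 1
        elif line.startswith("establishing connection") and line.endswith("failed"):
            s["failed"] = True
        else:
            m = SEND_RE.match(line)
            if m:
                if m.group(1) == "4500":
                    s["floated_to_4500"] = True   # NAT-T moved us off UDP 500
                if phase == "quick_mode":
                    s["quick_mode_sent"] += 1     # original request plus each retransmit
                continue
            if RECV_RE.match(line) and phase == "quick_mode":
                s["quick_mode_received"] += 1
                continue
            m = RETRANSMIT_RE.match(line)
            if m:
                s["retransmits"] = max(s["retransmits"], int(m.group(1)))
                continue
            m = GIVE_UP_RE.match(line)
            if m:
                s["gave_up_after"] = int(m.group(1))
    s["diagnosis"] = diagnose(s)
    return s


if __name__ == "__main__":
    for key, value in analyse_ikev1_log(SAMPLE_LOG).items():
        print(f"{key:22} {value}")
```

Run against the posted output this yields phase1_established True, floated_to_4500 True, both NAT flags True, quick_mode_received 0 and diagnosis "phase2_no_response": the PSK, the Main Mode proposal and the float to UDP 4500 all worked, and the initiator then sent its Quick Mode proposal repeatedly without a single reply. The initiator's log cannot distinguish a responder that silently rejects the Phase 2 proposal from one whose reply never makes it back through the NAT, so the responder's log is the next thing to read.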