Hello Volker,

I am coming back to our persistent problem with routing over the NATed channel while migrating from strongSwan 4.3.x to 5.1.1. I had a chance to obtain a public IP for the server behind the NAT and to correct the ipsec.conf settings.
These are the settings of the CN=academ server (aka MSC site 192.168.3.0/24):

conn %default
    left=%defaultroute
    leftcert=academ2034.hostCert.pem
    mobike=yes
    auto=add

conn msc-hmnet
    leftid=msc@ucp
    leftsendcert = never
    right=xx.xxx.221.28
    rightcert=peercerts/karmaY2034.hostCert.pem
    rightid=@karma.ucp
    rightsubnet=192.168.4.0/24
    leftsubnet=192.168.3.0/24
    keyexchange=ikev2
    compress=no
    auto=start

Everything works like a charm while the server is assigned a public IP.

[root@academ ipsec.d]# strongswan up msc-hmnet
initiating IKE_SA msc-hmnet[2] to xx.xxx.221.28
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from xx.xxx.195.57[500] to xx.xxx.221.28[500] (708 bytes)
received packet: from xx.xxx.221.28[500] to xx.xxx.195.57[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "OU=CA, CN=certauth"
sending cert request for "OU=CA, CN=certauth"
authentication of 'msc@ucp' (myself) with RSA signature successful
establishing CHILD_SA msc-hmnet
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from xx.xxx.195.57[4500] to xx.xxx.221.28[4500] (556 bytes)
received packet: from xx.xxx.221.28[4500] to xx.xxx.195.57[4500] (524 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
using trusted ca certificate "OU=CA, CN=certauth"
checking certificate status of "OU=hmnet, CN=karma.ucp"
certificate status is not available
reached self-signed root ca with a path length of 0
using trusted certificate "OU=hmnet, CN=karma.ucp"
authentication of 'karma.ucp' with RSA signature successful
IKE_SA msc-hmnet[2] established between xx.xxx.195.57[msc@ucp]...xx.xxx.221.28[karma.ucp]
scheduling reauthentication in 9919s
maximum IKE_SA lifetime 10459s
connection 'msc-hmnet' established successfully

Feb 1 01:39:05 academ charon: 01[KNL] adding policy 192.168.3.0/24 === 192.168.4.0/24 out (mark 0/0x00000000)
Feb 1 01:39:05 academ charon: 01[KNL] adding policy 192.168.4.0/24 === 192.168.3.0/24 in (mark 0/0x00000000)
Feb 1 01:39:05 academ charon: 01[KNL] adding policy 192.168.4.0/24 === 192.168.3.0/24 fwd (mark 0/0x00000000)

[root@academ ipsec.d]# ping 192.168.4.10
PING 192.168.4.10 (192.168.4.10) 56(84) bytes of data.
64 bytes from 192.168.4.10: icmp_seq=1 ttl=64 time=112 ms
--- 192.168.4.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 112.362/112.362/112.362/0.000 ms

[root@karma ~]# ping 192.168.3.56
PING 192.168.3.56 (192.168.3.56) 56(84) bytes of data.
64 bytes from 192.168.3.56: icmp_seq=1 ttl=64 time=101 ms
64 bytes from 192.168.3.56: icmp_seq=2 ttl=64 time=97.9 ms

[root@academ ipsec.d]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.1.1, Linux 2.6.18-92.1.10.el5, i686):
  uptime: 4 minutes, since Feb 01 01:37:34 2014
  malloc: sbrk 270336, mmap 0, used 211160, free 59176
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap dhcp
Listening IP addresses:
  xx.xxx.195.57
  192.168.3.56
Connections:
academ.certs.locally.stored:  %any...xx.xx.230.112  IKEv2
academ.certs.locally.stored:   local:  [msc@ucp] uses public key authentication
academ.certs.locally.stored:    cert:  "OU=repr.msc, CN=academ.msc"
academ.certs.locally.stored:   remote: [vpn.ucp] uses public key authentication
academ.certs.locally.stored:    cert:  "OU=frqx, CN=vpn.ucp"
academ.certs.locally.stored:   child:  192.168.3.0/24 === 192.168.169.0/24 TUNNEL
   msc-hmnet:  %any...xx.xxx.221.28  IKEv2
   msc-hmnet:   local:  [msc@ucp] uses public key authentication
   msc-hmnet:    cert:  "OU=repr.msc, CN=academ.msc"
   msc-hmnet:   remote: [karma.ucp] uses public key authentication
   msc-hmnet:    cert:  "OU=hmnet, CN=karma.ucp"
   msc-hmnet:   child:  192.168.3.0/24 === 192.168.4.0/24 TUNNEL
Security Associations (2 up, 0 connecting):
   msc-hmnet[2]: ESTABLISHED 2 minutes ago, xx.xxx.195.57[msc@ucp]...xx.xxx.221.28[karma.ucp]
   msc-hmnet[2]: IKEv2 SPIs: 82d4b4cd14528280_i* 1828eba2706adde0_r, public key reauthentication in 2 hours
   msc-hmnet[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   msc-hmnet{2}:  INSTALLED, TUNNEL, ESP SPIs: c7898787_i c30972d5_o
   msc-hmnet{2}:  AES_CBC_128/HMAC_SHA1_96, 420 bytes_i (5 pkts, 33s ago), 760 bytes_o (5 pkts, 33s ago), rekeying in 41 minutes
   msc-hmnet{2}:   192.168.3.0/24 === 192.168.4.0/24
academ.certs.locally.stored[1]: ESTABLISHED 4 minutes ago, xx.xxx.195.57[msc@ucp]...xx.xx.230.112[vpn.ucp]
academ.certs.locally.stored[1]: IKEv2 SPIs: bf1c502052f227ae_i* 05fe3261f979239b_r, public key reauthentication in 2 hours
academ.certs.locally.stored[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
academ.certs.locally.stored{1}:  INSTALLED, TUNNEL, ESP SPIs: cdd198f4_i cfc5d5ff_o
academ.certs.locally.stored{1}:  AES_CBC_128/HMAC_SHA1_96, 336 bytes_i (4 pkts, 226s ago), 608 bytes_o (4 pkts, 226s ago), rekeying in 40 minutes
academ.certs.locally.stored{1}:   192.168.3.0/24 === 192.168.169.0/24

Jan 31 22:39:00 karma charon: 06[NET] received packet: from xx.xxx.195.57[500] to xx.xxx.221.28[500] (708 bytes)
Jan 31 22:39:00 karma charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jan 31 22:39:00 karma charon: 06[IKE] xx.xxx.195.57 is initiating an IKE_SA
Jan 31 22:39:00 karma charon: 06[IKE] sending cert request for "OU=CA, CN=certauth"
Jan 31 22:39:00 karma charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jan 31 22:39:00 karma charon: 06[NET] sending packet: from xx.xxx.221.28[500] to xx.xxx.195.57[500] (465 bytes)
Jan 31 22:39:01 karma charon: 09[NET] received packet: from xx.xxx.195.57[4500] to xx.xxx.221.28[4500] (556 bytes)
Jan 31 22:39:01 karma charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Jan 31 22:39:01 karma charon: 09[IKE] received cert request for "OU=CA, CN=certauth"
Jan 31 22:39:01 karma charon: 09[CFG] looking for peer configs matching xx.xxx.221.28[karma.ucp]...xx.xxx.195.57[msc@ucp]
Jan 31 22:39:01 karma charon: 09[CFG] selected peer config 'msc-hmnet'
Jan 31 22:39:01 karma charon: 09[CFG] using trusted ca certificate "OU=CA, CN=certauth"
Jan 31 22:39:01 karma charon: 09[CFG] checking certificate status of "OU=repr.msc, CN=academ.msc"
Jan 31 22:39:01 karma charon: 09[CFG] certificate status is not available
Jan 31 22:39:01 karma charon: 09[CFG] reached self-signed root ca with a path length of 0
Jan 31 22:39:01 karma charon: 09[CFG] using trusted certificate "OU=repr.msc, CN=academ.msc"
Jan 31 22:39:01 karma charon: 09[IKE] authentication of 'msc@ucp' with RSA signature successful
Jan 31 22:39:01 karma charon: 09[IKE] peer supports MOBIKE
Jan 31 22:39:01 karma charon: 09[IKE] authentication of 'karma.ucp' (myself) with RSA signature successful
Jan 31 22:39:01 karma charon: 09[IKE] IKE_SA msc-hmnet[4] established between xx.xxx.221.28[karma.ucp]...xx.xxx.195.57[msc@ucp]
Jan 31 22:39:01 karma charon: 09[IKE] scheduling reauthentication in 9928s
Jan 31 22:39:01 karma charon: 09[IKE] maximum IKE_SA lifetime 10468s
Jan 31 22:39:01 karma charon: 09[IKE] CHILD_SA msc-hmnet{3} established with SPIs c30972d5_i c7898787_o and TS 192.168.4.0/24 === 192.168.3.0/24
Jan 31 22:39:01 karma charon: 09[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Jan 31 22:39:01 karma charon: 09[NET] sending packet: from xx.xxx.221.28[4500] to xx.xxx.195.57[4500] (524 bytes)

Feb 1 01:21:46 academ charon: 08[NET] sending packet: from xx.xxx.195.57[4500] to xx.xx.230.112[4500] (1484 bytes)
Feb 1 01:21:47 academ charon: 11[NET] received packet: from xx.xx.230.112[4500] to xx.xxx.195.57[4500] (380 bytes)
Feb 1 01:21:47 academ charon: 11[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Feb 1 01:21:47 academ charon: 11[CFG] using trusted ca certificate "OU=CA, CN=certauth"
Feb 1 01:21:47 academ charon: 11[CFG] checking certificate status of "OU=frqx, CN=vpn.ucp"
Feb 1 01:21:47 academ charon: 11[CFG] certificate status is not available
Feb 1 01:21:47 academ charon: 11[CFG] reached self-signed root ca with a path length of 0
Feb 1 01:21:47 academ charon: 11[CFG] using trusted certificate "OU=frqx, CN=vpn.ucp"
Feb 1 01:21:47 academ charon: 11[IKE] authentication of 'vpn.ucp' with RSA signature successful
Feb 1 01:21:47 academ charon: 11[IKE] IKE_SA academ.certs.locally.stored[1] established between xx.xxx.195.57[msc@ucp]...xx.xx.230.112[vpn.ucp]
Feb 1 01:21:47 academ charon: 11[IKE] IKE_SA academ.certs.locally.stored[1] state change: CONNECTING => ESTABLISHED
Feb 1 01:21:47 academ charon: 11[IKE] scheduling reauthentication in 9990s
Feb 1 01:21:47 academ charon: 11[IKE] maximum IKE_SA lifetime 10530s
Feb 1 01:21:47 academ charon: 11[KNL] adding SAD entry with SPI c39ad460 and reqid {1} (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] using encryption algorithm AES_CBC with key size 128
Feb 1 01:21:47 academ charon: 11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Feb 1 01:21:47 academ charon: 11[KNL] using replay window of 32 packets
Feb 1 01:21:47 academ charon: 11[KNL] adding SAD entry with SPI ce4ab82c and reqid {1} (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] using encryption algorithm AES_CBC with key size 128
Feb 1 01:21:47 academ charon: 11[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Feb 1 01:21:47 academ charon: 11[KNL] using replay window of 32 packets
Feb 1 01:21:47 academ charon: 11[KNL] adding policy 192.168.3.0/24 === 192.168.169.0/24 out (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] adding policy 192.168.169.0/24 === 192.168.3.0/24 in (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] adding policy 192.168.169.0/24 === 192.168.3.0/24 fwd (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] getting a local address in traffic selector 192.168.3.0/24
Feb 1 01:21:47 academ charon: 11[KNL] using host 192.168.3.56
Feb 1 01:21:47 academ charon: 11[KNL] using xxx.xx.195.33 as nexthop to reach xx.xx.230.112
Feb 1 01:21:47 academ charon: 11[KNL] xx.xxx.195.57 is on interface eth1
Feb 1 01:21:47 academ charon: 11[KNL] installing route: 192.168.169.0/24 via 195.91.195.33 src 192.168.3.56 dev eth1
Feb 1 01:21:47 academ charon: 11[KNL] getting iface index for eth1
Feb 1 01:21:47 academ charon: 11[KNL] policy 192.168.3.0/24 === 192.168.169.0/24 out (mark 0/0x00000000) already exists, increasing refcount
Feb 1 01:21:47 academ charon: 11[KNL] updating policy 192.168.3.0/24 === 192.168.169.0/24 out (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] policy 192.168.169.0/24 === 192.168.3.0/24 in (mark 0/0x00000000) already exists, increasing refcount
Feb 1 01:21:47 academ charon: 11[KNL] updating policy 192.168.169.0/24 === 192.168.3.0/24 in (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] policy 192.168.169.0/24 === 192.168.3.0/24 fwd (mark 0/0x00000000) already exists, increasing refcount
Feb 1 01:21:47 academ charon: 11[KNL] updating policy 192.168.169.0/24 === 192.168.3.0/24 fwd (mark 0/0x00000000)
Feb 1 01:21:47 academ charon: 11[KNL] getting a local address in traffic selector 192.168.3.0/24
Feb 1 01:21:47 academ charon: 11[KNL] using host 192.168.3.56
Feb 1 01:21:47 academ charon: 11[KNL] using xxx.xx.195.33 as nexthop to reach xx.xx.230.112
Feb 1 01:21:47 academ charon: 11[KNL] xx.xxx.195.57 is on interface eth1
Feb 1 01:21:47 academ charon: 11[IKE] CHILD_SA academ.certs.locally.stored{1} established with SPIs c39ad460_i ce4ab82c_o and TS 192.168.3.0/24 === 192.168.169.0/24
Feb 1 01:21:47 academ charon: 11[IKE] received AUTH_LIFETIME of 9835s, scheduling reauthentication in 9295s
Feb 1 01:21:47 academ charon: 11[IKE] peer supports MOBIKE
Feb 1 01:21:47 academ charon: 11[IKE] got additional MOBIKE peer address: 192.168.169.110
Feb 1 01:21:47 academ charon: 11[IKE] got additional MOBIKE peer address: 2a01:e35:8aee:6700:2d0:b7ff:fe8f:4fd8
Feb 1 01:21:47 academ charon: 11[IKE] activating new tasks
Feb 1 01:21:47 academ charon: 11[IKE] nothing to initiate

But once the "academ" server is put behind the NAT (the provider's IP xxx.xx.210.3), the routing fails, even though the tunnel appears to be up:

Feb 3 09:00:16 karma charon: 09[NET] received packet: from xxx.xx.210.3[500] to xx.xxx.221.28[500] (708 bytes)
Feb 3 09:00:16 karma charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 3 09:00:16 karma charon: 09[IKE] xxx.xx.210.3 is initiating an IKE_SA
Feb 3 09:00:16 karma charon: 09[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Feb 3 09:00:16 karma charon: 09[IKE] remote host is behind NAT
Feb 3 09:00:16 karma charon: 09[IKE] sending cert request for "OU=CA, CN=certauth"
Feb 3 09:00:16 karma charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 3 09:00:16 karma charon: 09[NET] sending packet: from xx.xxx.221.28[500] to xxx.xx.210.3[500] (465 bytes)
Feb 3 09:00:17 karma charon: 06[NET] received packet: from xxx.xx.210.3[4500] to xx.xxx.221.28[4500] (556 bytes)
Feb 3 09:00:17 karma charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 3 09:00:17 karma charon: 06[IKE] received cert request for "OU=CA, CN=certauth"
Feb 3 09:00:17 karma charon: 06[CFG] looking for peer configs matching xx.xxx.221.28[karma.ucp]...xxx.xx.210.3[msc@ucp]
Feb 3 09:00:17 karma charon: 06[CFG] selected peer config 'msc-hmnet'
Feb 3 09:00:17 karma charon: 06[CFG] using trusted ca certificate "OU=CA, CN=certauth"
Feb 3 09:00:17 karma charon: 06[CFG] checking certificate status of "OU=repr.msc, CN=academ.msc"
Feb 3 09:00:17 karma charon: 06[CFG] certificate status is not available
Feb 3 09:00:17 karma charon: 06[CFG] reached self-signed root ca with a path length of 0
Feb 3 09:00:17 karma charon: 06[CFG] using trusted certificate "OU=repr.msc, CN=academ.msc"
Feb 3 09:00:17 karma charon: 06[IKE] authentication of 'msc@ucp' with RSA signature successful
Feb 3 09:00:17 karma charon: 06[IKE] peer supports MOBIKE
Feb 3 09:00:17 karma charon: 06[IKE] got additional MOBIKE peer address: 192.168.3.56
Feb 3 09:00:17 karma charon: 06[IKE] authentication of 'karma.ucp' (myself) with RSA signature successful
Feb 3 09:00:17 karma charon: 06[IKE] IKE_SA msc-hmnet[5] established between xx.xxx.221.28[karma.ucp]...xxx.xx.210.3[msc@ucp]
Feb 3 09:00:17 karma charon: 06[IKE] IKE_SA msc-hmnet[5] state change: CONNECTING => ESTABLISHED
Feb 3 09:00:17 karma charon: 06[IKE] scheduling reauthentication in 10161s
Feb 3 09:00:17 karma charon: 06[IKE] maximum IKE_SA lifetime 10701s
Feb 3 09:00:17 karma charon: 06[KNL] getting SPI for reqid {3}
Feb 3 09:00:17 karma charon: 06[KNL] got SPI ce7ffe2c for reqid {3}
Feb 3 09:00:17 karma charon: 06[KNL] adding SAD entry with SPI ce7ffe2c and reqid {3} (mark 0/0x00000000)
Feb 3 09:00:17 karma charon: 06[KNL] using encryption algorithm AES_CBC with key size 128
Feb 3 09:00:18 karma charon: 06[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Feb 3 09:00:18 karma charon: 06[KNL] using replay window of 32 packets
Feb 3 09:00:18 karma charon: 06[KNL] adding SAD entry with SPI cbd1af5e and reqid {3} (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] using encryption algorithm AES_CBC with key size 128
Feb 3 09:00:18 karma charon: 06[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Feb 3 09:00:18 karma charon: 06[KNL] using replay window of 32 packets
Feb 3 09:00:18 karma charon: 06[KNL] adding policy 192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] adding policy 192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] adding policy 192.168.3.0/24 === 192.168.4.0/24 fwd (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] getting a local address in traffic selector 192.168.4.0/24
Feb 3 09:00:18 karma charon: 06[KNL] using host 192.168.4.10
Feb 3 09:00:18 karma charon: 06[KNL] using xx.xxx.221.254 as nexthop to reach xxx.xx.210.3
Feb 3 09:00:18 karma charon: 06[KNL] xx.xxx.221.28 is on interface eth1
Feb 3 09:00:18 karma charon: 06[KNL] installing route: 192.168.3.0/24 via 82.239.221.254 src 192.168.4.10 dev eth1
Feb 3 09:00:18 karma charon: 06[KNL] getting iface index for eth1
Feb 3 09:00:18 karma charon: 06[KNL] policy 192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000) already exists, increasing refcount
Feb 3 09:00:18 karma charon: 06[KNL] updating policy 192.168.4.0/24 === 192.168.3.0/24 out (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] policy 192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000) already exists, increasing refcount
Feb 3 09:00:18 karma charon: 06[KNL] updating policy 192.168.3.0/24 === 192.168.4.0/24 in (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] policy 192.168.3.0/24 === 192.168.4.0/24 fwd (mark 0/0x00000000) already exists, increasing refcount
Feb 3 09:00:18 karma charon: 06[KNL] updating policy 192.168.3.0/24 === 192.168.4.0/24 fwd (mark 0/0x00000000)
Feb 3 09:00:18 karma charon: 06[KNL] getting a local address in traffic selector 192.168.4.0/24
Feb 3 09:00:18 karma charon: 06[KNL] using host 192.168.4.10
Feb 3 09:00:18 karma charon: 06[KNL] using xx.xxx.221.254 as nexthop to reach xxx.xx.210.3
Feb 3 09:00:18 karma charon: 06[KNL] xx.xxx.221.28 is on interface eth1
Feb 3 09:00:18 karma charon: 06[IKE] CHILD_SA msc-hmnet{3} established with SPIs ce7ffe2c_i cbd1af5e_o and TS 192.168.4.0/24 === 192.168.3.0/24
Feb 3 09:00:18 karma charon: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Feb 3 09:00:18 karma charon: 06[NET] sending packet: from xx.xxx.221.28[4500] to xxx.xx.210.3[4500] (524 bytes)

   msc-hmnet:  %any...%any  IKEv2
   msc-hmnet:   local:  [karma.ucp] uses public key authentication
   msc-hmnet:    cert:  "OU=hmnet, CN=karma.ucp"
   msc-hmnet:   remote: [msc@ucp] uses public key authentication
   msc-hmnet:    cert:  "OU=repr.msc, CN=academ.msc"
   msc-hmnet:   child:  192.168.4.0/24 === 192.168.3.0/24 TUNNEL
Security Associations (3 up, 0 connecting):
   msc-hmnet[5]: ESTABLISHED 28 minutes ago, xx.xxx.221.28[karma.ucp]...xxx.xx.210.3[msc@ucp]
   msc-hmnet[5]: IKEv2 SPIs: 9e00679214ba46c9_i 2fe19cad88f0f615_r*, public key reauthentication in 2 hours
   msc-hmnet[5]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   msc-hmnet{3}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ce7ffe2c_i cbd1af5e_o
   msc-hmnet{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 480 bytes_o (3 pkts, 477s ago), rekeying in 15 minutes
   msc-hmnet{3}:   192.168.4.0/24 === 192.168.3.0/24

[root@karma ~]# ip xfrm state
src xx.xxx.221.28 dst xxx.xx.210.3
        proto esp spi 0xcbd1af5e reqid 3 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x01a716f997bc81250792d1a171c7b9bac38b1cc5
        enc cbc(aes) 0xf907745f6ff8e256cdd64ec242529f69
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src xxx.xx.210.3 dst xx.xxx.221.28
        proto esp spi 0xce7ffe2c reqid 3 mode tunnel
        replay-window 32 flag 20
        auth hmac(sha1) 0x8a08c9776fccabd345ab5f26697d5bcea5fa08e5
        enc cbc(aes) 0x5bd565f6d9064718e489ec66ad0917a1
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

I can't ping the 192.168.3.56 server, nor reach it in any other way. The statusall counter shows 0 bytes_i.
I am running out of ideas of what could be checked further and how to fix it. The setup was working perfectly under strongSwan 4.3 and works well for other connections, even with the Win8 roadwarrior (behind the NAT). Could you go through the logs once again and perhaps suggest something else to check?

Thanks again,
Serge

> ----- Original Message -----
> From: Volker Rümelin
> Sent: 01/21/14 10:55 PM
> To: s s
> Subject: Re: [strongSwan] strongswan-5.1.x, NATed routing pb
>
> Hello Serge,
>
> please look again at the three policies.
>
> > [root@frqx ~]# ip xfrm policy
> > src 192.168.3.0/24 dst 192.168.169.0/24
> >         dir in priority 1859
> >         tmpl src xx.xx.210.3 dst xx.xx.230.112
> >                 proto esp reqid 78 mode tunnel
> >
> > src 192.168.169.0/24 dst 192.168.3.0/24
> >         dir out priority 1859
> >         tmpl src xx.xx.230.112 dst xx.xx.210.3
> >                 proto esp reqid 78 mode tunnel
> >
> > src 192.168.3.0/24 dst 192.168.169.0/24
> >         dir fwd priority 1859
> >         tmpl src xx.xx.210.3 dst xx.xx.230.112
> >                 proto esp reqid 78 mode tunnel
> >
>
> These are three different policies (in, out, fwd). For tunnel mode you
> need all three.
>
> > The two outputs are inconsistent between each other (duplicated policy,
> > doesn't match the academ's peer).
> > Any ideas of what could be checked and tweaked more?
>
> There is nothing wrong here. Because of NAT the host address of academ
> is different for frqx. I guess you just forgot to copy/paste the out
> policy on academ. The issue is something different.
>
> > I don't see how to push the name resolution to the remote site.
> > Although the dns entry exists:
> > [root@wave ~]# cat /etc/strongswan/strongswan.conf
> > charon {
> >     # ...
> >     dns1 = 192.168.0.100
> >     nbns1 = 192.168.0.100
> > }
> >
>
> With strongswan 5 add rightdns=192.168.0.100 to connection karma-wave in
> ipsec.conf on wave. This works if karma is initiator.
>
> Regards,
> Volker

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
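The thread turns on reading three outputs together: `ip xfrm policy` (Volker's point that tunnel mode needs the in, out and fwd policy for each reqid), `ip xfrm state` (is the kernel SA ESP-in-UDP, i.e. NAT-T, and for which reqid) and `statusall` (a CHILD_SA with 0 bytes_i but non-zero bytes_o). The script below is an added example, written for this page; it is not strongSwan code and was not posted by anyone in the thread. It parses the three outputs, flags CHILD_SAs that send but never receive, and ties each one through its inbound SPI to the kernel SA and to the policy set for that SA's reqid. The sample texts are constructed with RFC 5737 addresses in the strongSwan 5.1 and iproute2 formats shown above; the reqid 78 entry is deliberately incomplete to show the policy check firing. Assumptions: the statusall and xfrm line layouts match the ones in this thread, and the inbound SPI printed by statusall is the `spi` of the SA whose `dst` is the local host.

```python
"""Cross-check an IKEv2 tunnel from `ip xfrm policy`, `ip xfrm state` and
`strongswan statusall` text. Added example, not strongSwan code; samples are
constructed (RFC 5737 addresses) in the 5.1 / iproute2 formats seen in the
thread. Real `ip xfrm` output indents with tabs; the regexes accept tabs or spaces."""
import re

# Constructed: reqid 3 has all three policies, reqid 78 only the "out" one.
XFRM_POLICY = """\
src 192.168.3.0/24 dst 192.168.4.0/24
    dir in priority 1859
    tmpl src 203.0.113.3 dst 198.51.100.28
        proto esp reqid 3 mode tunnel
src 192.168.4.0/24 dst 192.168.3.0/24
    dir out priority 1859
    tmpl src 198.51.100.28 dst 203.0.113.3
        proto esp reqid 3 mode tunnel
src 192.168.3.0/24 dst 192.168.4.0/24
    dir fwd priority 1859
    tmpl src 203.0.113.3 dst 198.51.100.28
        proto esp reqid 3 mode tunnel
src 192.168.169.0/24 dst 192.168.3.0/24
    dir out priority 1859
    tmpl src 198.51.100.28 dst 203.0.113.3
        proto esp reqid 78 mode tunnel
"""
# Constructed: both kernel SAs of reqid 3 use ESP-in-UDP (NAT-T); key lines omitted.
XFRM_STATE = """\
src 198.51.100.28 dst 203.0.113.3
    proto esp spi 0xcbd1af5e reqid 3 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 203.0.113.3 dst 198.51.100.28
    proto esp spi 0xce7ffe2c reqid 3 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""
# Constructed: one healthy CHILD_SA and one that only ever sends.
STATUSALL = """\
   msc-hmnet{3}:  INSTALLED, TUNNEL, ESP in UDP SPIs: ce7ffe2c_i cbd1af5e_o
   msc-hmnet{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 480 bytes_o (3 pkts, 477s ago), rekeying in 15 minutes
academ.certs.locally.stored{1}:  INSTALLED, TUNNEL, ESP SPIs: cdd198f4_i cfc5d5ff_o
academ.certs.locally.stored{1}:  AES_CBC_128/HMAC_SHA1_96, 336 bytes_i (4 pkts, 226s ago), 608 bytes_o (4 pkts, 226s ago), rekeying in 40 minutes
"""

POLICY_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)\n[ \t]+dir (?P<dir>\w+)[^\n]*\n"
    r"[ \t]+tmpl src \S+ dst \S+\n[ \t]+proto esp reqid (?P<reqid>\d+) mode (?P<mode>\w+)", re.M)
STATE_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)\n[ \t]+proto esp spi (?P<spi>0x[0-9a-f]+) "
    r"reqid (?P<reqid>\d+) mode \w+(?P<body>(?:\n[ \t]+[^\n]*)*)", re.M)
SPI_RE = re.compile(
    r"^[ \t]*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+INSTALLED, \w+, ESP(?P<udp> in UDP)? SPIs: "
    r"(?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o", re.M)
COUNTER_RE = re.compile(
    r"^[ \t]*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+\S+, (?P<bytes_i>\d+) bytes_i(?: \([^)]*\))?, "
    r"(?P<bytes_o>\d+) bytes_o", re.M)

def check_policies(text):
    """Tunnel mode needs in, out and fwd policies per reqid; return {reqid: missing dirs}."""
    seen = {}
    for m in POLICY_RE.finditer(text):
        if m["mode"] == "tunnel":
            seen.setdefault(m["reqid"], set()).add(m["dir"])
    return {r: sorted({"in", "out", "fwd"} - d) for r, d in seen.items() if len(d) < 3}

def parse_states(text):
    """Kernel SAs from `ip xfrm state`, noting whether each is ESP-in-UDP (NAT-T)."""
    return [{"src": m["src"], "dst": m["dst"], "spi": m["spi"], "reqid": m["reqid"],
             "udp_encap": "encap type espinudp" in m["body"]} for m in STATE_RE.finditer(text)]

def parse_children(text):
    """Merge the SPI line and the byte-counter line of each CHILD_SA in statusall."""
    kids = {}
    for m in SPI_RE.finditer(text):
        kids[f'{m["conn"]}{{{m["id"]}}}'] = {"spi_i": m["spi_i"], "spi_o": m["spi_o"],
                                            "udp": m["udp"] is not None}
    for m in COUNTER_RE.finditer(text):
        kids.setdefault(f'{m["conn"]}{{{m["id"]}}}', {}).update(
            bytes_i=int(m["bytes_i"]), bytes_o=int(m["bytes_o"]))
    return kids

def one_way_children(text):
    """CHILD_SAs that send but never receive: the 0 bytes_i symptom on karma."""
    return sorted(n for n, k in parse_children(text).items()
                  if k.get("bytes_o", 0) > 0 and k.get("bytes_i") == 0)

def diagnose(policy_text, state_text, status_text):
    """Tie each one-way CHILD_SA to its inbound kernel SA (by SPI) and that SA's policies."""
    states = {s["spi"]: s for s in parse_states(state_text)}
    missing, kids, findings = check_policies(policy_text), parse_children(status_text), []
    for name in one_way_children(status_text):
        sa = states.get("0x" + kids[name]["spi_i"])
        if sa is None:
            findings.append(f"{name}: 0 bytes_i and inbound SPI {kids[name]['spi_i']} not in SAD")
        else:
            findings.append(f"{name}: 0 bytes_i; inbound SA {sa['spi']} reqid {sa['reqid']} "
                            f"udp_encap={sa['udp_encap']} missing_policies={missing.get(sa['reqid'], [])}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(XFRM_POLICY, XFRM_STATE, STATUSALL)))
    print("policies missing directions:", check_policies(XFRM_POLICY))
```

Run on the real hosts by feeding it the saved output of the three commands instead of the constructed strings. A finding with `udp_encap=True` and `missing_policies=[]`, as for the sample `msc-hmnet{3}`, means the responder's kernel state is internally consistent, so the question moves to whether encapsulated ESP arrives at all (a capture on UDP 4500 on the responder, and on the initiator's side of the NAT) rather than to the policy table; a non-empty `missing_policies` list is the situation Volker describes in the quoted reply.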