Hi All,

I am facing an issue while establishing a tunnel through the NATed public IP. When I connect to the same strongSwan server from the LAN, I get "CHILD_SA tunnel{2} established with SPIs cb7bd615_i c3fb87d7_o and TS 172.25.12.38/32 == 172.25.1.23/32". But from the public network, the IKE_SA tunnel is established but "CHILD_SA tunnel" is not displayed. Also, during the public IP tunneling, "ip route list table 220" gives no output on the server. Because of that, traffic is also not passing. The configuration file is the same for both clients. It would be a big help if someone could provide a solution.


root@Device_BD2009:~# ipsec up tunnel
no files found matching '/etc/strongswan.d/*.conf'
initiating IKE_SA tunnel[1] to X.X.X.X
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
sending packet: from 192.168.1.100[500] to X.X.X.X[500] (1080 bytes)
received packet: from X.X.X.X[500] to 192.168.1.100[500] (464 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '192.168.1.100' (myself) with pre-shared key
establishing CHILD_SA tunnel
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.100[4500] to X.X.X.X[4500] (332 bytes)
received packet: from X.X.X.X[4500] to 192.168.1.100[4500] (220 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
authentication of 'X.X.X.X' with pre-shared key successful
IKE_SA tunnel[1] established between 192.168.1.100[192.168.1.100]...X.X.X.X[X.X.X.X]
scheduling reauthentication in 10015s
maximum IKE_SA lifetime 10555s
connection 'tunnel' established successfully


config setup

        charondebug="all"
        uniqueids=no
        strictcrlpolicy=no
conn %default
conn tunnel #
       left=192.168.1.100
       leftsubnet=192.168.1.100/32
       right=X.X.X.X
       rightsubnet=X.X.X.X/32
       ike=aes256-sha1-modp2048
       esp=aes256-sha1
       keyingtries=1
       keylife=60m
       dpddelay=30s
       dpdtimeout=150s
       dpdaction=clear
       authby=psk
       auto=route
       keyexchange=ikev2
       type=tunnel
       mobike=no
       fragmentation=yes

--
Thanks in advance.
