Hello everyone. I've set up strongSwan and want to use it for site-to-site VPN and for road warriors.

Almost everything works really great, but I'm always running into the issue that my VPN initiators lose connection when reauthentication happens. My VPN gateway then tells me that it has sent a packet to the initiators, but this packet never seems to arrive there. All my initiators are behind NAT without a port forwarding, so this would make sense. However, as I understand it, there should be a way to set up the gateway so that it never tries to contact the initiators (as they aren't reachable because of NAT).

Here's the log entry that's generated on the gateway when reauthenticating:

Aug 29 19:52:53 03[NET] received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Aug 29 19:52:53 03[ENC] parsed INFORMATIONAL request 26 [ D ]
Aug 29 19:52:53 03[IKE] received DELETE for IKE_SA vpn-initiator-vpn-responder[1]
Aug 29 19:52:53 03[IKE] deleting IKE_SA vpn-initiator-vpn-responder[1] between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 03[IKE] IKE_SA deleted
Aug 29 19:52:53 03[ENC] generating INFORMATIONAL response 26 [ ]
Aug 29 19:52:53 03[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Aug 29 19:52:53 01[NET] received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (304 bytes)
Aug 29 19:52:53 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 29 19:52:53 01[IKE] yy.yy.yy.yy is initiating an IKE_SA
Aug 29 19:52:53 01[IKE] remote host is behind NAT
Aug 29 19:52:53 01[IKE] sending cert request for "DC=local, DC=vpn-responder, CN=vpn-responder-CA"
Aug 29 19:52:53 01[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 29 19:52:53 01[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (337 bytes)
Aug 29 19:52:53 11[NET] received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (300 bytes)
Aug 29 19:52:53 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Aug 29 19:52:53 11[CFG] looking for peer configs matching xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 11[CFG] selected peer config 'vpn-initiator-vpn-responder'
Aug 29 19:52:53 11[IKE] authentication of 'vpn-initiator' with pre-shared key successful
Aug 29 19:52:53 11[IKE] peer supports MOBIKE
Aug 29 19:52:53 11[IKE] authentication of 'vpn-responder' (myself) with pre-shared key
Aug 29 19:52:53 11[IKE] IKE_SA vpn-initiator-vpn-responder[2] established between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 11[IKE] CHILD_SA vpn-initiator-vpn-responder{2} established with SPIs c49c3457_i cbea0c57_o and TS 192.168.255.0/24 === 192.168.245.0/24
Aug 29 19:52:53 11[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
Aug 29 19:52:53 11[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (220 bytes)

The gateway is a Debian Wheezy (7.1) with strongswan 5.1.0-1 compiled from source. Here's the config:

conn %default
        ikelifetime=4h
        keylife=2h
        rekeymargin=3m
        keyingtries=10
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        authby=secret
        dpdaction=none
        dpddelay=30s
        dpdtimeout=150s
        inactivity=86400
        rekey=no

conn vpn-initiator-vpn-responder
        left=%defaultroute
        leftsubnet=192.168.255.0/24
        leftid=@vpn-responder
        right=%any
        rightsubnet=192.168.245.0/24
        rightid=@vpn-initiator
        auto=add

My VPN initiator is an OpenWRT ATTITUDE ADJUSTMENT (12.09, r36088) with strongswan 5.0.0-1 installed as a package. Here's the config:

conn %default
        ikelifetime=3h
        keylife=20m
        rekeymargin=3m
        keyingtries=10
        keyexchange=ikev2
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        authby=secret
        dpdaction=restart
        dpddelay=30s
        dpdtimeout=150s
        inactivity=86400
        rekey=yes

conn vpn-initiator-vpn-responder
        left=@defaultroute
        leftsubnet=192.168.245.0/24
        leftid=@vpn-initiator
        leftfirewall=yes
        right=xx.xx.xx.xx
        rightsubnet=192.168.255.0/24
        rightid=@vpn-responder
        auto=start

I also have several Windows 8 IKEv2 clients which show exactly the same behaviour; I'll leave them out for the moment for the sake of simplicity.

I'd highly appreciate any help on that issue.

Kind regards

Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
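When chasing the problem described in the post (the gateway sends something to a NATed peer and nothing comes back), it helps to reduce the charon log to its IKE_SA lifecycle events and to list every exchange the gateway itself started that never got a "parsed ... response" line. The script below is an added example written for this page, not part of the original post or of strongSwan; it reads standard charon log lines (the real ones quoted above plus a constructed tail, marked as such, in which the gateway sends a DPD and only sees retransmits). The regexes, the `Summary` type and `analyze()` are assumptions of this example.

```python
"""Summarise strongSwan charon log lines: IKE_SA lifecycle events and
gateway-initiated exchanges that never received a response.
Hypothetical helper written for this page, not a strongSwan tool."""
import re
from dataclasses import dataclass, field

# One charon line, e.g. "Aug 29 19:52:53 03[NET] received packet: ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$"
)
ESTABLISHED_RE = re.compile(
    r"^IKE_SA (?P<name>\S+) established between (?P<local>\S+)\.\.\.(?P<remote>\S+)$"
)
DELETE_RE = re.compile(r"^received DELETE for IKE_SA (?P<name>\S+)$")
INITIATING_RE = re.compile(r"^(?P<peer>\S+) is initiating an IKE_SA$")
# Exchanges this host starts ("generating ... request") and the replies it parses.
GEN_REQ_RE = re.compile(r"^generating (?P<ex>[A-Z_]+) request (?P<mid>\d+)")
PARSE_RESP_RE = re.compile(r"^parsed (?P<ex>[A-Z_]+) response (?P<mid>\d+)")
RETRANSMIT_RE = re.compile(r"^retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)$")


@dataclass
class Summary:
    established: list = field(default_factory=list)  # (name, local, remote)
    deleted: list = field(default_factory=list)      # IKE_SA names the peer deleted
    nat_peers: list = field(default_factory=list)    # peers charon flagged as behind NAT
    unanswered: list = field(default_factory=list)   # (exchange, message id, retransmits)
    unparsed: int = 0                                # non-empty lines that were not charon format


def analyze(lines):
    """Walk charon log lines and return a Summary.

    Message IDs are per IKE_SA, so on a long log covering several SAs the
    pending table should be keyed per SA as well; for a short excerpt like
    the one in the post the message ID alone is enough."""
    s = Summary()
    pending = {}          # message id -> [exchange type, retransmit count]
    last_initiator = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            if raw.strip():
                s.unparsed += 1
            continue
        msg = m.group("msg")
        if (e := ESTABLISHED_RE.match(msg)):
            s.established.append((e["name"], e["local"], e["remote"]))
        elif (d := DELETE_RE.match(msg)):
            s.deleted.append(d["name"])
        elif (i := INITIATING_RE.match(msg)):
            last_initiator = i["peer"]
        elif msg == "remote host is behind NAT" and last_initiator:
            # charon logs the NAT-D result right after "<peer> is initiating an IKE_SA"
            if last_initiator not in s.nat_peers:
                s.nat_peers.append(last_initiator)
        elif (g := GEN_REQ_RE.match(msg)):
            pending[g["mid"]] = [g["ex"], 0]
        elif (r := RETRANSMIT_RE.match(msg)) and r["mid"] in pending:
            pending[r["mid"]][1] = int(r["n"])
        elif (p := PARSE_RESP_RE.match(msg)):
            pending.pop(p["mid"], None)   # a response arrived: exchange completed
    s.unanswered = [(ex, mid, n) for mid, (ex, n) in pending.items()]
    return s


# Gateway lines quoted in the post (subset).
SAMPLE_LOG = """\
Aug 29 19:52:53 03[NET] received packet: from yy.yy.yy.yy[4500] to xx.xx.xx.xx[4500] (76 bytes)
Aug 29 19:52:53 03[ENC] parsed INFORMATIONAL request 26 [ D ]
Aug 29 19:52:53 03[IKE] received DELETE for IKE_SA vpn-initiator-vpn-responder[1]
Aug 29 19:52:53 03[IKE] deleting IKE_SA vpn-initiator-vpn-responder[1] between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
Aug 29 19:52:53 03[IKE] IKE_SA deleted
Aug 29 19:52:53 03[ENC] generating INFORMATIONAL response 26 [ ]
Aug 29 19:52:53 03[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Aug 29 19:52:53 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 29 19:52:53 01[IKE] yy.yy.yy.yy is initiating an IKE_SA
Aug 29 19:52:53 01[IKE] remote host is behind NAT
Aug 29 19:52:53 11[IKE] IKE_SA vpn-initiator-vpn-responder[2] established between xx.xx.xx.xx[vpn-responder]...yy.yy.yy.yy[vpn-initiator]
"""

# Constructed continuation (NOT from the post): the gateway later starts a DPD
# exchange towards the NATed peer and only ever sees its own retransmits,
# then starts a second exchange that is answered normally.
CONSTRUCTED_TAIL = """\
Aug 29 21:52:53 07[IKE] sending DPD request
Aug 29 21:52:53 07[ENC] generating INFORMATIONAL request 0 [ ]
Aug 29 21:52:53 07[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Aug 29 21:52:57 09[IKE] retransmit 1 of request with message ID 0
Aug 29 21:52:57 09[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Aug 29 21:53:04 12[IKE] retransmit 2 of request with message ID 0
Aug 29 21:53:04 12[NET] sending packet: from xx.xx.xx.xx[4500] to yy.yy.yy.yy[4500] (76 bytes)
Aug 29 22:10:00 04[ENC] generating INFORMATIONAL request 1 [ ]
Aug 29 22:10:00 04[NET] sending packet: from xx.xx.xx.xx[4500] to zz.zz.zz.zz[4500] (76 bytes)
Aug 29 22:10:00 04[NET] received packet: from zz.zz.zz.zz[4500] to xx.xx.xx.xx[4500] (76 bytes)
Aug 29 22:10:00 04[ENC] parsed INFORMATIONAL response 1 [ ]
"""


def summarize_sample():
    return analyze(SAMPLE_LOG.splitlines() + CONSTRUCTED_TAIL.splitlines())


if __name__ == "__main__":
    s = summarize_sample()
    for name, local, remote in s.established:
        print(f"established {name}: {local} <-> {remote}")
    print("peer-deleted:", s.deleted)
    print("behind NAT:", s.nat_peers)
    for ex, mid, n in s.unanswered:
        print(f"unanswered {ex} request (message ID {mid}, {n} retransmits)")
```

Run it against `journalctl -u strongswan` or `/var/log/syslog` output piped through `analyze()`; an entry in `unanswered` for a peer listed in `nat_peers` is exactly the "sent a packet that never arrived" symptom from the post, and it tells you which exchange type (DPD INFORMATIONAL, CREATE_CHILD_SA, and so on) the gateway was trying to start.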