
List:       strongswan-users
Subject:    Re: [strongSwan] local host is behind NAT, sending keep alives
From:       Stephen Feyrer <stephen.feyrer () greensill ! com>
Date:       2019-08-14 14:16:52
Message-ID: VI1PR0501MB23361AE25B0225F65F03177394AD0 () VI1PR0501MB2336 ! eurprd05 ! prod ! outlook ! com

Hi Team,

An update.

ipsec.conf
conn officeVPN
        aggressive=yes
        type=transport
        authby=secret
        keyexchange=ikev1
        ike=aes128-sha1-modp2048,aes256-sha1-modp2048!
        left=%defaultroute
        leftsourceip=%config
        modeconfig=push
        leftprotoport=udp/l2tp
        right=50.45.0.51
        rightprotoport=udp/l2tp
        rightid=10.0.0.254
        auto=add

ipsec.secrets:
50.45.0.51 %any : PSK "StrongKey-Honest!"

strongswan.conf
# both options are read from the charon section
charon {
        keep_alive = 0
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}

$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet:    from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 00:00:00:00:00:00:00:00:00:08:00:00:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
scheduling reauthentication in 9761s
maximum IKE_SA lifetime 10301s
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (140 bytes)
received packet:    from 50.54.0.51[4500] to 1.0.0.127[4500] (92 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 2109876543 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (108 bytes)
parsed INFORMATIONAL_V1 request 3210987654 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 6543210987 [ HASH N(DPD_ACK) ]

Please help, thanks.


--
Stephen Feyrer
DevOps Engineer
Greensill Capital
stephen.feyrer@greensill.com
http://www.greensill.com

From: Stephen Feyrer
Sent: 13 August 2019 13:11
To: users@lists.strongswan.org
Subject: local host is behind NAT, sending keep alives

Hey everyone,

I have a laptop tethered via my phone, Ubuntu 18.4.  I am unable to establish a connection and none of my research has thus far revealed anything helpful.  Please review the below and advise.  Other proprietary clients are able to connect without issue.

I have an ipsec.conf file which looks like:

conn officeVPN
        aggressive=yes
        type=tunnel
        authby=secret
        keyexchange=ikev1
        ike=aes128-sha1-modp2048
        esp=aes256-sha256-modp2048
        mobike=no
        left=%defaultroute
        leftsourceip=%config
        modeconfig=push
        leftprotoport=udp/l2tp
        right=50.45.0.51
        rightprotoport=udp/l2tp
        rightid=10.0.0.254
        auto=add
        xauth_identity=user

An ipsec.secrets that looks like:

50.45.0.51 %any : PSK "StrongKey-Honest!"
user %any : XAUTH "password"

An /etc/strongswan.conf that has the following line:

charon {
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes
}


Then the ipsec up officeVPN command is run:

$ sudo ipsec up officeVPN
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
generating AGGRESSIVE request 0  [ SA KE No ID V V V V V ]
sending packet:    from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 00:00:00:00:00:00:00:00:00:08:00:00:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
scheduling reauthentication in 9761s
maximum IKE_SA lifetime 10301s
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:    from 50.54.0.51[4500] to 1.0.0.127[4500] (76 bytes)
generating TRANSACTION response 890044400 [ HASH CP ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (76 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 2109876543 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 3210987654 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 6543210987 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
sending keep alive to 50.54.0.51[4500]
deleting IKE_SA officeVPN[1] between 1.0.0.127[1.0.0.127]... 50.54.0.51[10.0.0.254]
sending DELETE for IKE_SA officeVPN[1]
parsed INFORMATIONAL_V1 request 5432109876 [ HASH D ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
establishing connection 'officeVPN' failed

Thank you.


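As an added example (not code from the mail or from the strongSwan project), the script below walks an `ipsec up` transcript like the two above and reports the NAT-T state it shows: whether both sides were detected behind NAT, whether the local side floated to UDP 4500, how many keep alives and DPD requests went by, and whether the peer kept sending from UDP 500 after the float. The sample transcript is a constructed, trimmed copy of the second log in the mail; `Findings`, `analyze` and `problems` are my own names.

```python
"""Triage a strongSwan `ipsec up` transcript for the NAT-T symptoms in the
thread: NAT detection, the float from UDP 500 to 4500, keep alives, DPD, and
a peer that keeps sending from the old port after the float."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the second transcript in the mail.
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA officeVPN[1] to 50.54.0.51
sending packet:    from 1.0.0.127[500] to 50.54.0.51[500] (548 bytes)
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (564 bytes)
local host is behind NAT, sending keep alives
remote host is behind NAT
IKE_SA officeVPN[1] established between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
generating AGGRESSIVE request 0 [ HASH NAT-D ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (108 bytes)
received packet:    from 50.54.0.51[4500] to 1.0.0.127[4500] (76 bytes)
sending keep alive to 50.54.0.51[4500]
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 4321098765 [ HASH N(DPD) ]
generating INFORMATIONAL_V1 request 0987654321 [ HASH N(DPD_ACK) ]
sending packet:    from 1.0.0.127[4500] to 50.54.0.51[4500] (92 bytes)
sending keep alive to 50.54.0.51[4500]
received packet:    from 50.54.0.51[500] to 1.0.0.127[500] (92 bytes)
parsed INFORMATIONAL_V1 request 7654321098 [ HASH N(DPD) ]
deleting IKE_SA officeVPN[1] between 1.0.0.127[1.0.0.127]...50.54.0.51[10.0.0.254]
establishing connection 'officeVPN' failed
"""

PACKET_RE = re.compile(
    r"^(?P<dir>sending|received) packet:\s+from (?P<src>\S+)\[(?P<sport>\d+)\]"
    r" to (?P<dst>\S+)\[(?P<dport>\d+)\]"
)


@dataclass
class Findings:
    local_behind_nat: bool = False
    remote_behind_nat: bool = False
    floated_to_4500: bool = False      # we started sending from UDP 4500
    quick_mode_seen: bool = False      # any QUICK_MODE exchange logged
    established: bool = False
    failed: bool = False
    keepalives_sent: int = 0
    dpd_requests_received: int = 0
    peer_ports_after_float: set = field(default_factory=set)
    stale_port_packets: int = 0        # peer packets from UDP 500 after our float


def analyze(log_text: str) -> Findings:
    """Walk the transcript line by line and collect the NAT-T state."""
    f = Findings()
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("local host is behind NAT"):
            f.local_behind_nat = True
        elif line.startswith("remote host is behind NAT"):
            f.remote_behind_nat = True
        elif line.startswith("IKE_SA") and " established " in line:
            f.established = True
        elif line.startswith("sending keep alive"):
            f.keepalives_sent += 1
        elif line.startswith("parsed") and "N(DPD) ]" in line:
            f.dpd_requests_received += 1
        elif "QUICK_MODE" in line:
            f.quick_mode_seen = True
        elif line.startswith("establishing connection") and line.endswith("failed"):
            f.failed = True
        m = PACKET_RE.match(line)
        if m is None:
            continue
        if m["dir"] == "sending" and m["sport"] == "4500":
            f.floated_to_4500 = True
        elif m["dir"] == "received" and f.floated_to_4500:
            f.peer_ports_after_float.add(int(m["sport"]))
            if m["sport"] == "500":
                f.stale_port_packets += 1
    return f


def problems(f: Findings) -> list:
    """Turn the collected state into human-readable findings."""
    out = []
    if f.floated_to_4500 and f.stale_port_packets:
        out.append(f"peer sent {f.stale_port_packets} IKE packet(s) from UDP 500 "
                   "after the float to 4500, so the 4500 NAT mapping is not used "
                   "in both directions")
    if f.local_behind_nat and f.keepalives_sent == 0:
        out.append("behind NAT but no keep alives were sent (keep_alive = 0?)")
    if f.established and f.failed and not f.quick_mode_seen:
        out.append("IKE_SA came up but no QUICK_MODE exchange appears before the "
                   "connection failed")
    return out
```

Run it on the first transcript in the mail (the one captured with `keep_alive = 0`) and the second finding fires instead of being silent, which is the difference between the two logs that is easy to miss by eye.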



