IPsec with NAT traversal
-
Hello everyone.
I am trying to set up an IPsec tunnel with a special feature: the other end of the tunnel tells me that they have to have NAT Traversal activated, and it is something that has not been worked on here before.
The tunnel does not connect, not even phase 1. I have reviewed the log records; these are some of them. Any ideas? How have you worked on this before?
Aug 19 07:19:13 FWHPMNZ001 charon[51242]: 06[IKE] <123118> activating INFORMATIONAL task
Aug 19 07:19:13 FWHPMNZ001 charon[51242]: 06[ENC] <123118> generating INFORMATIONAL_V1 request 3692828106 [ HASH N(AUTH_FAILED) ]
Aug 19 07:19:13 FWHPMNZ001 charon[51242]: 06[NET] <123118> sending packet: from 181.57.172.238[4500] to 190.248.53.153[64917] (92 bytes)
Aug 19 07:19:13 FWHPMNZ001 charon[51242]: 06[IKE] <123118> IKE_SA (unnamed)[123118] state change: CONNECTING => DESTROYING
Aug 19 07:19:39 FWHPMNZ001 charon[51242]: 03[CFG] vici client 156895 connected
Aug 19 07:19:39 FWHPMNZ001 charon[51242]: 03[CFG] vici client 156895 registered for: list-sa
Aug 19 07:19:39 FWHPMNZ001 charon[51242]: 06[CFG] vici client 156895 requests: list-sas
Aug 19 07:19:39 FWHPMNZ001 charon[51242]: 13[CFG] vici client 156895 disconnected
Aug 19 07:19:39 FWHPMNZ001 charon[51242]: 06[CFG] vici client 156896 connected
Aug 19 07:19:39 FWHPMNZ001 charon[51242]: 09[CFG] vici client 156896 registered for: list-sa
Aug 19 07:19:39 FWHPMNZ001 charon[51242]: 09[CFG] vici client 156896 requests: list-sas
Aug 19 07:19:39 FWHPMNZ001 charon[51242]: 06[CFG] vici client 156896 disconnected
Aug 19 07:19:41 FWHPMNZ001 charon[51242]: 13[CFG] vici client 156897 connected
Aug 19 07:19:41 FWHPMNZ001 charon[51242]: 09[CFG] vici client 156897 registered for: list-sa
Aug 19 07:19:41 FWHPMNZ001 charon[51242]: 13[CFG] vici client 156897 requests: list-sas
Aug 19 07:19:41 FWHPMNZ001 charon[51242]: 13[CFG] vici client 156897 disconnected
Aug 19 07:19:42 FWHPMNZ001 charon[51242]: 13[CFG] vici client 156898 connected
Aug 19 07:19:42 FWHPMNZ001 charon[51242]: 13[CFG] vici client 156898 registered for: list-sa
Aug 19 07:19:42 FWHPMNZ001 charon[51242]: 09[CFG] vici client 156898 requests: list-sas
Aug 19 07:19:42 FWHPMNZ001 charon[51242]: 09[CFG] vici client 156898 disconnected
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[NET] <123119> received packet: from 190.248.53.153[736] to 181.57.172.238[500] (288 bytes)
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[ENC] <123119> parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> looking for an IKEv1 config for 181.57.172.238...190.248.53.153
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> candidate: 181.57.172.238...190.248.53.153, prio 3100
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> found matching ike config: 181.57.172.238...190.248.53.153 with prio 3100
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> local endpoint changed from 0.0.0.0[500] to 181.57.172.238[500]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> remote endpoint changed from 0.0.0.0 to 190.248.53.153[736]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> received NAT-T (RFC 3947) vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[ENC] <123119> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> received DPD vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> received FRAGMENTATION vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> received FRAGMENTATION vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[ENC] <123119> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:2100:00:00:00
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> 190.248.53.153 is initiating a Main Mode IKE_SA
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> IKE_SA (unnamed)[123119] state change: CREATED => CONNECTING
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> selecting proposal:
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> proposal matches
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> sending XAuth vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> sending DPD vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> sending FRAGMENTATION vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> sending NAT-T (RFC 3947) vendor ID
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[ENC] <123119> generating ID_PROT response 0 [ SA V V V V ]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[NET] <123119> sending packet: from 181.57.172.238[500] to 190.248.53.153[736] (160 bytes)
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[NET] <123119> received packet: from 190.248.53.153[736] to 181.57.172.238[500] (228 bytes)
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[ENC] <123119> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> remote host is behind NAT
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> candidate "con3", match: 1/1/3100 (me/other/ike)
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[ENC] <123119> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[NET] <123119> sending packet: from 181.57.172.238[500] to 190.248.53.153[736] (244 bytes)
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[NET] <123119> received packet: from 190.248.53.153[64917] to 181.57.172.238[4500] (108 bytes)
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[ENC] <123119> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> local endpoint changed from 181.57.172.238[500] to 181.57.172.238[4500]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> remote endpoint changed from 190.248.53.153[736] to 190.248.53.153[64917]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> looking for pre-shared key peer configs matching 181.57.172.238...190.248.53.153[10.206.0.14]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> no peer config found
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> queueing INFORMATIONAL task
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> activating new tasks
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> activating INFORMATIONAL task
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[ENC] <123119> generating INFORMATIONAL_V1 request 1937486309 [ HASH N(AUTH_FAILED) ]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[NET] <123119> sending packet: from 181.57.172.238[4500] to 190.248.53.153[64917] (92 bytes)
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> IKE_SA (unnamed)[123119] state change: CONNECTING => DESTROYING
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 07[CFG] vici client 156899 connected
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] vici client 156899 registered for: list-sa
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 11[CFG] vici client 156899 requests: list-sas
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 07[CFG] vici client 156899 disconnected
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 11[CFG] vici client 156900 connected
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 07[CFG] vici client 156900 registered for: list-sa
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 07[CFG] vici client 156900 requests: list-sas
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 07[CFG] vici client 156900 disconnected
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[NET] <123120> received packet: from 190.248.53.153[736] to 181.57.172.238[500] (288 bytes)
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[ENC] <123120> parsed ID_PROT request 0 [ SA V V V V V V V V V V ]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[CFG] <123120> looking for an IKEv1 config for 181.57.172.238...190.248.53.153
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[CFG] <123120> candidate: 181.57.172.238...190.248.53.153, prio 3100
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[CFG] <123120> found matching ike config: 181.57.172.238...190.248.53.153 with prio 3100
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> local endpoint changed from 0.0.0.0[500] to 181.57.172.238[500]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> remote endpoint changed from 0.0.0.0 to 190.248.53.153[736]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> received NAT-T (RFC 3947) vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[ENC] <123120> received unknown vendor ID: 16:f6:ca:16:e4:a4:06:6d:83:82:1a:0f:0a:ea:a8:62
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> received DPD vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> received FRAGMENTATION vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> received FRAGMENTATION vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[ENC] <123120> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:2100:00:00:00
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> 190.248.53.153 is initiating a Main Mode IKE_SA
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> IKE_SA (unnamed)[123120] state change: CREATED => CONNECTING
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[CFG] <123120> selecting proposal:
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[CFG] <123120> proposal matches
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[CFG] <123120> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[CFG] <123120> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[CFG] <123120> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> sending XAuth vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> sending DPD vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> sending FRAGMENTATION vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> sending NAT-T (RFC 3947) vendor ID
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[ENC] <123120> generating ID_PROT response 0 [ SA V V V V ]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[NET] <123120> sending packet: from 181.57.172.238[500] to 190.248.53.153[736] (160 bytes)
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[NET] <123120> received packet: from 190.248.53.153[736] to 181.57.172.238[500] (228 bytes)
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[ENC] <123120> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> remote host is behind NAT
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[CFG] <123120> candidate "con3", match: 1/1/3100 (me/other/ike)
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[ENC] <123120> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[NET] <123120> sending packet: from 181.57.172.238[500] to 190.248.53.153[736] (244 bytes)
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[NET] <123120> received packet: from 190.248.53.153[64917] to 181.57.172.238[4500] (108 bytes)
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[ENC] <123120> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> local endpoint changed from 181.57.172.238[500] to 181.57.172.238[4500]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> remote endpoint changed from 190.248.53.153[736] to 190.248.53.153[64917]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[CFG] <123120> looking for pre-shared key peer configs matching 181.57.172.238...190.248.53.153[10.206.0.14]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> no peer config found
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> queueing INFORMATIONAL task
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> activating new tasks
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> activating INFORMATIONAL task
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[ENC] <123120> generating INFORMATIONAL_V1 request 3221687514 [ HASH N(AUTH_FAILED) ]
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[NET] <123120> sending packet: from 181.57.172.238[4500] to 190.248.53.153[64917] (92 bytes)
Aug 19 07:20:13 FWHPMNZ001 charon[51242]: 05[IKE] <123120> IKE_SA (unnamed)[123120] state change: CONNECTING => DESTROYING
Aug 19 07:20:14 FWHPMNZ001 charon[51242]: 12[CFG] vici client 156901 connected
Aug 19 07:20:14 FWHPMNZ001 charon[51242]: 08[CFG] vici client 156901 registered for: list-sa
Aug 19 07:20:14 FWHPMNZ001 charon[51242]: 05[CFG] vici client 156901 requests: list-sas
Aug 19 07:20:14 FWHPMNZ001 charon[51242]: 12[CFG] vici client 156901 disconnected
Aug 19 07:20:20 FWHPMNZ001 charon[51242]: 13[CFG] vici client 156902 connected
Aug 19 07:20:20 FWHPMNZ001 charon[51242]: 09[CFG] vici client 156902 registered for: list-sa
Aug 19 07:20:20 FWHPMNZ001 charon[51242]: 09[CFG] vici client 156902 requests: list-sas
Aug 19 07:20:20 FWHPMNZ001 charon[51242]: 06[CFG] vici client 156902 disconnected
Aug 19 07:20:25 FWHPMNZ001 charon[51242]: 15[CFG] vici client 156903 connected
Aug 19 07:20:25 FWHPMNZ001 charon[51242]: 10[CFG] vici client 156903 registered for: list-sa
Aug 19 07:20:25 FWHPMNZ001 charon[51242]: 10[CFG] vici client 156903 requests: list-sas
Aug 19 07:20:25 FWHPMNZ001 charon[51242]: 10[CFG] vici client 156903 disconnected
Aug 19 07:20:31 FWHPMNZ001 charon[51242]: 14[CFG] vici client 156904 connected
Aug 19 07:20:31 FWHPMNZ001 charon[51242]: 10[CFG] vici client 156904 registered for: list-sa
Aug 19 07:20:31 FWHPMNZ001 charon[51242]: 10[CFG] vici client 156904 requests: list-sas
Aug 19 07:20:31 FWHPMNZ001 charon[51242]: 07[CFG] vici client 156904 disconnected
Aug 19 07:20:37 FWHPMNZ001 charon[51242]: 03[CFG] vici client 156905 connected
Aug 19 07:20:37 FWHPMNZ001 charon[51242]: 03[CFG] vici client 156905 registered for: list-sa
Aug 19 07:20:37 FWHPMNZ001 charon[51242]: 03[CFG] vici client 156905 requests: list-sas
Aug 19 07:20:37 FWHPMNZ001 charon[51242]: 03[CFG] vici client 156905 disconnected
-
@oscar-pulgarin
Did you state a Peer identifier?
If so does it have the correct value?
Maybe try "any".
-
@viragomann Wow, leaving it with "any" worked immediately. Can you give me clarity on what this means, and whether it has a lower level of security in communication?
-
@oscar-pulgarin
"Any" just accepts any identifier, so it isn't verified. By default IPsec uses the interface address it is connecting through as identifier, and for incoming connections it expects to see the remote gateway IP.
However, since the endpoint gateway is behind a router, IPsec uses the internal IP 10.206.0.14, which your site doesn't expect, and drops the connection. But IPsec allows you to state a certain identifier IP. Also there are different identifier types.
So if the remote site is behind a NAT router, its public IP should be stated as its identifier. Anyway, if you have stated a certain remote gateway, IPsec only allows connections from this IP. So I don't think "any" for the remote identifier is a security risk here.
But you can request that they configure their IPsec properly to use the public IP as identifier, or just enter 10.206.0.14.
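As an added diagnostic example (not code from the thread, pfSense or strongSwan): a small Python parser that groups charon log lines by IKE_SA and flags exactly the failure discussed above, a peer behind NAT presenting its private address as identity so that no peer config matches. The log sample is constructed from the lines quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed sample: a handful of lines adapted from the charon log quoted above.
SAMPLE_LOG = """\
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> remote host is behind NAT
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[CFG] <123119> looking for pre-shared key peer configs matching 181.57.172.238...190.248.53.153[10.206.0.14]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[IKE] <123119> no peer config found
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 09[ENC] <123119> generating INFORMATIONAL_V1 request 1937486309 [ HASH N(AUTH_FAILED) ]
Aug 19 07:19:43 FWHPMNZ001 charon[51242]: 07[CFG] vici client 156899 connected
"""
SA_RE = re.compile(r"<(\d+)>\s+(.*)$")  # IKE_SA number + message text
ID_RE = re.compile(r"peer configs matching (\S+?)\.\.\.([^\[\s]+)\[([^\]]+)\]")

@dataclass
class SaState:
    remote_gw: Optional[str] = None   # address the IKE packets really come from
    peer_id: Optional[str] = None     # identity the peer sent in its ID payload
    behind_nat: bool = False
    no_peer_config: bool = False
    auth_failed: bool = False

def parse_charon_log(text: str) -> Dict[str, SaState]:
    """Group charon lines by IKE_SA and keep only the fields relevant to ID matching."""
    sas: Dict[str, SaState] = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue  # vici chatter and other lines carry no <SA> tag
        sa, msg = sas.setdefault(m.group(1), SaState()), m.group(2)
        if "remote host is behind NAT" in msg:
            sa.behind_nat = True
        elif "no peer config found" in msg:
            sa.no_peer_config = True
        elif "N(AUTH_FAILED)" in msg:
            sa.auth_failed = True
        elif (g := ID_RE.search(msg)):
            sa.remote_gw, sa.peer_id = g.group(2), g.group(3)
    return sas

def diagnose(sa: SaState) -> str:
    """Verdict for one IKE_SA; 'id-mismatch' is the NAT case explained in the thread."""
    if not sa.no_peer_config:
        return "auth-failed" if sa.auth_failed else "ok"
    if sa.behind_nat and sa.peer_id and sa.peer_id != sa.remote_gw:
        return (f"id-mismatch: {sa.remote_gw} is behind NAT and identifies as {sa.peer_id}; "
                f"set the remote identifier to {sa.peer_id} or have the peer send {sa.remote_gw}")
    return "no-peer-config"
```

Run it over a full charon log to see, per IKE_SA, whether phase 1 died on an identifier mismatch rather than on a wrong pre-shared key.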