IPSec with both devices behind NAT
Hi all,
I was just wondering if there was a way to get 2 XG7100s to do IPSec when both devices are behind NAT?
I am looking at a scenario where you have one device where you can port forward on one side but not the other side
It currently looks like this:
Site A = External IP - Internal IP - XG7100 WAN (192.168.40.59) - LAN (172.16.2.1)
Site B = External IP - Internal IP - XG7100 WAN (10.60.0.) - LAN (172.16.1.1).
I've got the following settings set up on Site A -
Phase 1
Key Exchange Version : IKEv2
Internet Protocol: IPv4
Interface: Wan
Remote Gateway: (DynDNS address set on unit XG7100 at Site B)
Auth Method: PSK
My Identifier: Distinguished name - (DynDNS address of site A XG7100)
Peer Identifier: Peer IP Address
PSK: (shared)
Encryption Algorithm: AES 128bit SHA1 DH Group 2
NAT Traversal: Auto
Phase 2
Mode: Tunnel IPv4
Local Network: Lan Subnet
NAT/BINAT Translation: None
Remote Network: Network - 172.16.1.0/24
Protocol: ESP
Encryption Algorithms: AES 128Bit, AES128-GCM
Hash Algorithms: SHA1
PFS Key Group: 2
Auto Ping Host: 172.16.1.1
Settings on Site B
Phase 1
Key Exchange Version : IKEv2
Internet Protocol: IPv4
Interface: Wan
Remote Gateway: (DynDNS address set on unit XG7100 at Site A)
Auth Method: PSK
My Identifier: Distinguished name - (DynDNS address of site B XG7100)
Peer Identifier: Peer IP Address
PSK: (shared)
Encryption Algorithm: AES 128bit SHA1 DH Group 2
NAT Traversal: Auto
Phase 2
Mode: Tunnel IPv4
Local Network: Lan Subnet
NAT/BINAT Translation: None
Remote Network: Network - 172.16.2.0/24
Protocol: ESP
Encryption Algorithms: AES 128Bit, AES128-GCM
Hash Algorithms: SHA1
PFS Key Group: 2
Auto Ping Host: 172.16.2.1
These are the Log Entries
Feb 6 20:20:14 charon 10[KNL] <con1000|35> unable to delete SAD entry with SPI c00a8df1: No such process (3)
Feb 6 20:20:14 charon 10[CHD] <con1000|35> CHILD_SA con1000{32} state change: CREATED => DESTROYING
Feb 6 20:20:14 charon 10[IKE] <con1000|35> IKE_SA con1000[35] state change: CONNECTING => DESTROYING
Feb 6 20:20:14 charon 10[IKE] <con1000|35> establishing IKE_SA failed, peer not responding
Feb 6 20:20:14 charon 10[IKE] <con1000|35> giving up after 5 retransmits
Feb 6 20:19:09 charon 14[IKE] <38> IKE_SA (unnamed)[38] state change: CONNECTING => DESTROYING
Feb 6 20:19:09 charon 14[JOB] <38> deleting half open IKE_SA with 86.3.128.58 after timeout
Feb 6 20:18:59 charon 14[IKE] <38> sending keep alive to 86.3.128.58[500]
Feb 6 20:18:59 charon 14[NET] <con1000|35> sending packet: from 192.168.40.59[4500] to 86.3.128.58[4500] (412 bytes)
Feb 6 20:18:59 charon 14[IKE] <con1000|35> retransmit 5 of request with message ID 1
Feb 6 20:18:39 charon 14[NET] <38> sending packet: from 192.168.40.59[500] to 86.3.128.58[500] (344 bytes)
Feb 6 20:18:39 charon 14[ENC] <38> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Feb 6 20:18:39 charon 14[CFG] <38> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Feb 6 20:18:39 charon 14[IKE] <38> remote host is behind NAT
Feb 6 20:18:39 charon 14[IKE] <38> local host is behind NAT, sending keep alives
Feb 6 20:18:39 charon 14[CFG] <38> received supported signature hash algorithms: sha256 sha384 sha512 identity
Feb 6 20:18:39 charon 14[CFG] <38> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 6 20:18:39 charon 14[CFG] <38> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 6 20:18:39 charon 14[CFG] <38> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 6 20:18:39 charon 14[CFG] <38> proposal matches
Feb 6 20:18:39 charon 14[CFG] <38> selecting proposal:
Feb 6 20:18:39 charon 14[IKE] <38> IKE_SA (unnamed)[38] state change: CREATED => CONNECTING
Feb 6 20:18:39 charon 14[IKE] <38> 86.3.128.58 is initiating an IKE_SA
Feb 6 20:18:39 charon 14[CFG] <38> found matching ike config: 192.168.40.59...basudevtechserver1.ddns.net with prio 3096
Feb 6 20:18:39 charon 14[CFG] <38> candidate: 192.168.40.59...basudevtechserver1.ddns.net, prio 3096
Feb 6 20:18:39 charon 14[CFG] <38> candidate: %any...%any, prio 24
Feb 6 20:18:39 charon 14[CFG] <38> looking for an IKEv2 config for 192.168.40.59...86.3.128.58
Feb 6 20:18:39 charon 14[ENC] <38> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 6 20:18:39 charon 14[NET] <38> received packet: from 86.3.128.58[500] to 192.168.40.59[500] (336 bytes)
Feb 6 20:18:17 charon 14[NET] <con1000|35> sending packet: from 192.168.40.59[4500] to 86.3.128.58[4500] (412 bytes)
Feb 6 20:18:17 charon 14[IKE] <con1000|35> retransmit 4 of request with message ID 1
Feb 6 20:17:53 charon 14[NET] <con1000|35> sending packet: from 192.168.40.59[4500] to 86.3.128.58[4500] (412 bytes)
Feb 6 20:17:53 charon 14[IKE] <con1000|35> retransmit 3 of request with message ID 1
Feb 6 20:17:40 charon 14[NET] <con1000|35> sending packet: from 192.168.40.59[4500] to 86.3.128.58[4500] (412 bytes)
Feb 6 20:17:40 charon 14[IKE] <con1000|35> retransmit 2 of request with message ID 1
Feb 6 20:17:33 charon 09[NET] <con1000|35> sending packet: from 192.168.40.59[4500] to 86.3.128.58[4500] (412 bytes)
Feb 6 20:17:33 charon 09[IKE] <con1000|35> retransmit 1 of request with message ID 1
Feb 6 20:17:29 charon 09[NET] <con1000|35> sending packet: from 192.168.40.59[4500] to 86.3.128.58[4500] (412 bytes)
Feb 6 20:17:29 charon 09[ENC] <con1000|35> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 6 20:17:29 charon 09[IKE] <con1000|35> establishing CHILD_SA con1000{32}
Feb 6 20:17:29 charon 09[CFG] <con1000|35> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ
Feb 6 20:17:29 charon 09[CFG] <con1000|35> 172.16.1.0/24|/0
Feb 6 20:17:29 charon 09[CFG] <con1000|35> proposing traffic selectors for other:
Feb 6 20:17:29 charon 09[CFG] <con1000|35> 172.16.2.0/24|/0
Feb 6 20:17:29 charon 09[CFG] <con1000|35> proposing traffic selectors for us:
Feb 6 20:17:29 charon 09[IKE] <con1000|35> successfully created shared key MAC
Feb 6 20:17:29 charon 09[IKE] <con1000|35> authentication of 'basudevtechclient1.ddns.net' (myself) with pre-shared key
Feb 6 20:17:29 charon 09[IKE] <con1000|35> IKE_AUTH task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> IKE_CERT_PRE task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> reinitiating already active tasks
Feb 6 20:17:29 charon 09[CFG] <con1000|35> received supported signature hash algorithms: sha256 sha384 sha512 identity
Feb 6 20:17:29 charon 09[CFG] <con1000|35> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 6 20:17:29 charon 09[CFG] <con1000|35> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 6 20:17:29 charon 09[CFG] <con1000|35> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 6 20:17:29 charon 09[CFG] <con1000|35> proposal matches
Feb 6 20:17:29 charon 09[CFG] <con1000|35> selecting proposal:
Feb 6 20:17:29 charon 09[IKE] <con1000|35> received CHILDLESS_IKEV2_SUPPORTED notify
Feb 6 20:17:29 charon 09[IKE] <con1000|35> received SIGNATURE_HASH_ALGORITHMS notify
Feb 6 20:17:29 charon 09[IKE] <con1000|35> received FRAGMENTATION_SUPPORTED notify
Feb 6 20:17:29 charon 09[ENC] <con1000|35> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Feb 6 20:17:29 charon 09[NET] <con1000|35> received packet: from 86.3.128.58[500] to 192.168.40.59[500] (344 bytes)
Feb 6 20:17:29 charon 09[NET] <con1000|35> sending packet: from 192.168.40.59[500] to 86.3.128.58[500] (336 bytes)
Feb 6 20:17:29 charon 09[ENC] <con1000|35> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 6 20:17:29 charon 09[CFG] <con1000|35> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Feb 6 20:17:29 charon 09[CFG] <con1000|35> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 6 20:17:29 charon 09[IKE] <con1000|35> IKE_SA con1000[35] state change: CREATED => CONNECTING
Feb 6 20:17:29 charon 09[IKE] <con1000|35> initiating IKE_SA con1000[35] to 86.3.128.58
Feb 6 20:17:29 charon 09[IKE] <con1000|35> activating IKE_AUTH_LIFETIME task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> activating CHILD_CREATE task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> activating IKE_CONFIG task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> activating IKE_CERT_POST task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> activating IKE_AUTH task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> activating IKE_CERT_PRE task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> activating IKE_NATD task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> activating IKE_INIT task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> activating IKE_VENDOR task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> activating new tasks
Feb 6 20:17:29 charon 09[IKE] <con1000|35> queueing IKE_CONFIG task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> queueing IKE_NATD task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> queueing IKE_INIT task
Feb 6 20:17:29 charon 09[IKE] <con1000|35> queueing IKE_VENDOR task
Feb 6 20:17:29 charon 09[KNL] <con1000|35> unable to delete SAD entry with SPI cb229957: No such process (3)
Feb 6 20:17:29 charon 09[CHD] <con1000|35> CHILD_SA con1000{31} state change: CREATED => DESTROYING
Feb 6 20:17:29 charon 09[IKE] <con1000|35> IKE_SA con1000[35] state change: CONNECTING => CREATED
Feb 6 20:17:29 charon 09[IKE] <con1000|35> peer not responding, trying again (3/3)
Feb 6 20:17:29 charon 09[IKE] <con1000|35> giving up after 5 retransmits
Feb 6 20:16:23 charon 09[IKE] <con1000|35> delaying task initiation, IKE_AUTH exchange in progress
Feb 6 20:16:23 charon 09[IKE] <con1000|35> queueing CHILD_CREATE task
Feb 6 20:16:23 charon 14[KNL] creating acquire job for policy 192.168.40.59/32|/0 === 86.3.128.58/32|/0 with reqid {1}
Feb 6 20:16:13 charon 14[NET] <con1000|35> sending packet: from 192.168.40.59[4500] to 86.3.128.58[4500] (412 bytes)
Feb 6 20:16:13 charon 14[IKE] <con1000|35> retransmit 5 of request with message ID 1
Feb 6 20:15:50 charon 14[IKE] <37> IKE_SA (unnamed)[37] state change: CONNECTING => DESTROYING
Feb 6 20:15:50 charon 14[JOB] <37> deleting half open IKE_SA with 86.3.128.58 after timeout
Feb 6 20:15:40 charon 14[IKE] <37> sending keep alive to 86.3.128.58[500]
Feb 6 20:15:31 charon 14[NET] <con1000|35> sending packet: from 192.168.40.59[4500] to 86.3.128.58[4500] (412 bytes)
Feb 6 20:15:31 charon 14[IKE] <con1000|35> retransmit 4 of request with message ID 1
Feb 6 20:15:20 charon 14[NET] <37> sending packet: from 192.168.40.59[500] to 86.3.128.58[500] (344 bytes)
Feb 6 20:15:20 charon 14[ENC] <37> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Feb 6 20:15:20 charon 14[CFG] <37> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Feb 6 20:15:20 charon 14[IKE] <37> remote host is behind NAT
Any idea?
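The log above shows a pattern worth recognising mechanically when troubleshooting IKEv2 through NAT: the IKE_SA_INIT exchange on UDP/500 completes ("parsed IKE_SA_INIT response"), NAT is detected on both ends, the initiator floats to UDP/4500 for IKE_AUTH, and then "retransmit 1..5 of request with message ID 1" runs out with "giving up after 5 retransmits" and no packet ever received on 4500. The script below is an added example, not code from the poster, Netgate or strongSwan; it parses charon log lines in the format shown in the post and flags SAs that exhibit exactly that symptom, so the next check (does UDP/4500 actually reach the responder through its NAT, as UDP/500 evidently does) is pointed out rather than guessed. The sample log is constructed with RFC 5737 addresses and the SA tag `con1000|7`/`con1000|8`; the analysis is order-independent, so it works whether the viewer lists newest entries first (as in the post) or oldest first.

```python
"""Triage strongSwan (charon) IKEv2 logs for the NAT-T symptom where IKE_SA_INIT
on UDP/500 is answered but the IKE_AUTH request on UDP/4500 is never replied to."""
import re
from collections import defaultdict

# Generic charon line: "<Mon> <d> <hh:mm:ss> charon <thread>[<SUBSYS>] <tag> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+charon\s+\d+\[(?P<sub>[A-Z]+)\]\s+"
    r"(?:<(?P<sa>[^>]*)>\s+)?(?P<msg>.*)$"
)
PKT_RE = re.compile(r"^(?P<dir>sending|received) packet: from \S+\[(?P<sport>\d+)\] to \S+\[(?P<dport>\d+)\]")
RETRANS_RE = re.compile(r"^retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")
GIVEUP_RE = re.compile(r"^giving up after (?P<n>\d+) retransmits")

# Constructed sample (not the poster's log): SA 7 fails the way the post's log does,
# SA 8 is a healthy counter-example where the 4500 reply arrives.
SAMPLE_LOG = """\
Feb 6 20:17:29 charon 09[IKE] <con1000|7> initiating IKE_SA con1000[7] to 198.51.100.10
Feb 6 20:17:29 charon 09[NET] <con1000|7> sending packet: from 10.0.0.2[500] to 198.51.100.10[500] (336 bytes)
Feb 6 20:17:29 charon 09[NET] <con1000|7> received packet: from 198.51.100.10[500] to 10.0.0.2[500] (344 bytes)
Feb 6 20:17:29 charon 09[ENC] <con1000|7> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 6 20:17:29 charon 09[IKE] <con1000|7> local host is behind NAT, sending keep alives
Feb 6 20:17:29 charon 09[IKE] <con1000|7> remote host is behind NAT
Feb 6 20:17:29 charon 09[ENC] <con1000|7> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr ]
Feb 6 20:17:29 charon 09[NET] <con1000|7> sending packet: from 10.0.0.2[4500] to 198.51.100.10[4500] (412 bytes)
Feb 6 20:17:33 charon 09[IKE] <con1000|7> retransmit 1 of request with message ID 1
Feb 6 20:17:33 charon 09[NET] <con1000|7> sending packet: from 10.0.0.2[4500] to 198.51.100.10[4500] (412 bytes)
Feb 6 20:18:59 charon 14[IKE] <con1000|7> retransmit 5 of request with message ID 1
Feb 6 20:18:59 charon 14[NET] <con1000|7> sending packet: from 10.0.0.2[4500] to 198.51.100.10[4500] (412 bytes)
Feb 6 20:20:14 charon 10[IKE] <con1000|7> giving up after 5 retransmits
Feb 6 20:20:14 charon 10[IKE] <con1000|7> establishing IKE_SA failed, peer not responding
Feb 6 20:20:30 charon 14[KNL] creating acquire job for policy 10.0.0.2/32|/0 === 198.51.100.10/32|/0 with reqid {1}
Feb 6 20:25:00 charon 11[NET] <con1000|8> sending packet: from 10.0.0.2[500] to 198.51.100.10[500] (336 bytes)
Feb 6 20:25:00 charon 11[NET] <con1000|8> received packet: from 198.51.100.10[500] to 10.0.0.2[500] (344 bytes)
Feb 6 20:25:00 charon 11[ENC] <con1000|8> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 6 20:25:00 charon 11[ENC] <con1000|8> generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Feb 6 20:25:00 charon 11[NET] <con1000|8> sending packet: from 10.0.0.2[4500] to 198.51.100.10[4500] (412 bytes)
Feb 6 20:25:00 charon 11[NET] <con1000|8> received packet: from 198.51.100.10[4500] to 10.0.0.2[4500] (268 bytes)
"""


def parse_charon_log(text):
    """Collect per-IKE_SA facts keyed by the <name|id> tag; untagged lines are skipped."""
    sas = defaultdict(lambda: {
        "sent_ports": set(), "recv_ports": set(), "retransmits": 0, "gave_up": False,
        "ike_auth_sent": False, "ike_init_answered": False,
        "local_nat": False, "remote_nat": False, "peer_not_responding": False,
    })
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("sa"):
            continue
        sa, msg = sas[m.group("sa")], m.group("msg")
        pkt = PKT_RE.match(msg)
        if pkt:
            # The local port is the source on sends and the destination on receives.
            sending = pkt.group("dir") == "sending"
            port = int(pkt.group("sport") if sending else pkt.group("dport"))
            (sa["sent_ports"] if sending else sa["recv_ports"]).add(port)
            continue
        r = RETRANS_RE.match(msg)
        if r:
            sa["retransmits"] = max(sa["retransmits"], int(r.group("n")))
        elif GIVEUP_RE.match(msg):
            sa["gave_up"] = True
        elif msg.startswith("generating IKE_AUTH request"):
            sa["ike_auth_sent"] = True
        elif msg.startswith("parsed IKE_SA_INIT response"):
            sa["ike_init_answered"] = True
        elif msg.startswith("local host is behind NAT"):
            sa["local_nat"] = True
        elif msg.startswith("remote host is behind NAT"):
            sa["remote_nat"] = True
        elif "peer not responding" in msg:
            sa["peer_not_responding"] = True
    return dict(sas)


def diagnose(sas):
    """Return {sa_tag: finding} for SAs whose IKE_AUTH on UDP/4500 never got a reply."""
    findings = {}
    for tag, sa in sas.items():
        if (sa["ike_init_answered"] and sa["ike_auth_sent"] and sa["retransmits"] >= 1
                and 4500 in sa["sent_ports"] and 4500 not in sa["recv_ports"]):
            findings[tag] = {
                "symptom": "IKE_SA_INIT answered on UDP/500, no reply to IKE_AUTH on UDP/4500",
                "retransmits": sa["retransmits"],
                "gave_up": sa["gave_up"],
                "nat_both_sides": sa["local_nat"] and sa["remote_nat"],
                "check": "confirm UDP/4500 (not only UDP/500) is forwarded/allowed to the responder through its NAT",
            }
    return findings


def main(text=SAMPLE_LOG):
    findings = diagnose(parse_charon_log(text))
    for tag, f in findings.items():
        print(f"{tag}: {f['symptom']} (retransmits={f['retransmits']}, gave_up={f['gave_up']})")
        print(f"  next check: {f['check']}")
    return findings


if __name__ == "__main__":
    main()
```

Run it against a copy of the IPsec log (`python3 ike_natt_triage.py` with `main(open(path).read())`, or pipe the text in); an SA that is flagged with `nat_both_sides` set is the case where the responder's NAT device needs UDP/4500 reaching the firewall, since the 500 exchange alone proves nothing about 4500.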