I have StrongSwan running on a ubuntu server and I'm trying to create an ipsec encrypted VPN tunnel with a Cisco 2821 router . The connection is not working and I cannot figure out why. It appears to complete phase 1, but fails at phase 2. Can anyone provide suggestions? I'm stumped. BTW, my server is in the amazon cloud.
Here is my config:
conn my-conn
type=tunnel
authby=secret
auth=esp
ikelifetime=86400s
keylife=3600s
esp=3des-sha1
ike=3des-sha1-modp1024
keyexchange=ike
pfs=no
forceencaps=yes
# Left security gateway, subnet behind it, nexthop toward right.
left=10.0.0.4
leftsubnet=10.0.0.4/32
leftnexthop=%defaultroute
# Right security gateway, subnet behind it, nexthop toward left.
right=1.2.3.4
rightsubnet=1.2.3.5/32
rightnexthop=%defaultroute
# To authorize this connection, but not actually start it,
# at startup, uncomment this.
auto=start
Here is the output from the logs:
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: initiating Main Mode
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Dec 28 18:02:19 myserver pluto[15753]: "my-conn" #330: enabling possible NAT-traversal with method RFC 3947
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring Vendor ID payload [Cisco-Unity]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [Dead Peer Detection]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring Vendor ID payload [883f3a4fb4782a3ae88bf05cdfe38ae0]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: received Vendor ID payload [XAUTH]
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Dec 28 18:02:20 myserver pluto[15753]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: Peer ID is ID_IPV4_ADDR: '1.2.3.4'
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ISAKMP SA established
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #331: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#330}
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 28 18:02:20 myserver pluto[15753]: "my-conn" #330: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
The config given to me to connect to the cisco router was:
Key Management: IKE
Diffie-Hellman Group: Group 2
Encryption Algorithm: 3DES (rec)
Hash Algorithm: SHA-1 (rec.)
Authentication Method: Preshared
Pre-Shared Secret Key: TBC
Life Time: 86400s (24h)
Encryption Phase 2 (IPSec):
Encapsulation: ESP
Encryption Algorithm used: 3DES (rec)
Hash Algorithm: SHA-1 (rec.)
Perfect Forward Secrecy: Groupe 2
Aggressive Mode: NO
Life Time: 3600s (1h)
Best Answer
If I remember correctly, Amazon EC2 uses some NAT to make your instance reachable from the Internet.
While NAT-friendly applications will work seamlessly (think http or ssh), some protocols were designed at a time where end-to-end comunication was the rule, and NAT will break these protocols.
FTP, or SIP (rtp actually) use dynamically-chosen ports, but helpers were designed. STUN for VoIP for example.
In the case of IPSec, phase 1 is successful. This is NAT detection. So your server says in the logs
i am NATed.However, phase 2, which is NAT traversal decision, fails. You may have to enable what Cisco calls 'IPSec NAT Transparency' on both sides. The ipsec payload is thereby not at a layer 3 level (IP), but at layer 4, in UDP.
This is somewhat similar to what openvpn does, but with ssl instead of IPSec.
Have a look at Cisco's site regarding NAT traversal. While cisco-centric, it will help you set up your tunnel.