Issue #3413
Problems with Checkpoint R77.30 end2end VPN with NAT
Description
Hi,
We are having some problems establishing an end2end IPsec tunnel (with NAT: 10.0.2.2 is an internal IP on our network interface, the external IP Google connects using NAT) from our strongSwan swanctl 5.6.2 running in a Google Cloud VM on Ubuntu 18.04.4 to a Checkpoint R77.30.
Here the current config on the strongSwan:
    # ipsec.conf - strongSwan IPsec configuration file

    # basic configuration

    config setup
        # charondebug="ike 2, knl 3, cfg 0"
        uniqueids=no
        strictcrlpolicy=no

    conn %default
        authby=psk
        type=tunnel
        keyexchange=ikev2
        # pfs=yes
        # Misc timeouts settings
        dpdaction=restart
        dpddelay=300s
        dpdtimeout=60s
        auto=start
        # reauth=no
        # rekey=no
        # modeconfig = push
        # Phase 1
        # ike=aes256-sha256-modp4096!
        # ikelifetime=24h
        # Phase 2
        # esp=aes256-sha256-modp4096!
        # lifetime=1h
        ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
        esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!

    # NOTE %defaultroute, don't put public ip here
    conn c1
        left=%defaultroute
        leftid=45.142.214.54
        leftsourceip=%config
        right=35.227.30.42
        rightsubnet=10.1.0.5/32
        rightid=35.227.30.42
We are expecting a virtual IP from the Checkpoint R77.30, hence leftsourceip=%config (it requests a virtual IP).
With this configuration we see:
    ESTABLISHED, IKEv2, 21f840b238cab8b5_i 94aebda5e9928bbd_r*
      local '[left public IP address]' @ 10.0.2.2[4500]
      remote '200.7.90.6' @ 200.7.90.6[4500]
      AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
The logs show:
    11[IKE] 200.7.90.6 is initiating an IKE_SA
    11[IKE] local host is behind NAT, sending keep alives
    11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
    11[NET] sending packet: from 10.0.2.2[500] to 200.7.90.6[500] (440 bytes)
    15[NET] received packet: from 200.7.90.6[4500] to 10.0.2.2[4500] (300 bytes)
    15[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(CRASH_DET) SA TSi TSr N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
    15[CFG] looking for peer configs matching 10.0.2.2[%any]...200.7.90.6[200.7.90.6]
    15[CFG] selected peer config 'c1'
    15[IKE] authentication of '200.7.90.6' with pre-shared key successful
    15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    15[IKE] authentication of '[right public IP address]' (myself) with pre-shared key
    15[IKE] IKE_SA c1[3] established between 10.0.2.2[right side public IP address]...200.7.90.6[200.7.90.6]
    15[IKE] scheduling reauthentication in 9992s
    15[IKE] maximum IKE_SA lifetime 10532s
    15[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
    15[IKE] configuration payload negotiation failed, no CHILD_SA built
    15[IKE] failed to establish CHILD_SA, keeping IKE_SA
On the Checkpoint R77.30 we are not seeing the SA proposal nor TSi or TSr.
Is there something we need to consider in the strongSwan configuration or the Checkpoint R77.30 configuration in order to make sure we can pass phase 2?
The other side (Checkpoint R77.30) is claiming they don't have an option to enable virtual IP. Is there something we are missing? Any help we can get is welcome.
Thanks!
History
#1 Updated by Tobias Brunner over 5 years ago
- Description updated (diff)
- Status changed from New to Feedback
leftsourceip is a client option; it makes no sense as responder (see VirtualIP for details).
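As an added illustration of this point (not part of the issue or of strongSwan itself): a small Python checker that parses charon log lines in the `NN[SUBSYS] message` form, finds the conn charon selected, and, when the responder sends FAILED_CP_REQUIRED, reports the leftsourceip setting of that conn from ipsec.conf. The log and config samples are constructed from the issue above; the parser handles only the conn/%default structure, not includes or ca sections.

```python
import re

# Constructed samples: a few log lines and the conn from the issue above.
LOG = """\
15[CFG] selected peer config 'c1'
15[IKE] IKE_SA c1[3] established between 10.0.2.2[45.142.214.54]...200.7.90.6[200.7.90.6]
15[IKE] expected a virtual IP request, sending FAILED_CP_REQUIRED
15[IKE] configuration payload negotiation failed, no CHILD_SA built
"""
IPSEC_CONF = """\
conn %default
    authby=psk
conn c1
    left=%defaultroute
    leftsourceip=%config
    right=35.227.30.42
    rightsubnet=10.1.0.5/32
"""
LINE_RE = re.compile(r"^\d+\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")

def parse_conf(text):
    """Return {conn_name: {key: value}} with %default merged into every conn."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            conns[cur][k] = v
    default = conns.pop("%default", {})
    return {n: {**default, **c} for n, c in conns.items()}

def diagnose(log, conf_text):
    """Return (selected conn, findings) explaining why no CHILD_SA was built."""
    conns, selected, findings = parse_conf(conf_text), None, []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sel = re.match(r"selected peer config '([^']+)'", m.group("msg"))
        if sel:
            selected = sel.group(1)
        elif "sending FAILED_CP_REQUIRED" in m.group("msg") and selected:
            src = conns.get(selected, {}).get("leftsourceip", "<unset>")
            findings.append(f"{selected}: leftsourceip={src} makes the responder demand "
                            "a CP request; leftsourceip is a client option, remove it")
    return selected, findings
```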
#2 Updated by Jorge Rovira over 5 years ago
Tobias Brunner wrote:
leftsourceip is a client option; it makes no sense as responder (see VirtualIP for details).
Thanks!
#3 Updated by Tobias Brunner over 5 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required