
I've been trying to get this up and running, and I got further than I expected, but I'm getting stuck at a "received INVALID_ID_INFORMATION error notify" error, and there's a very peculiar local IP that shows in strongswan's logs, which isn't on the router's LAN (but which is the router's!).

My router, a TP-Link MR200, is using a mobile 4G connection, and the ISP/mobile operator uses NAT (the router's WAN IP is a 10.*.*.* address), and the remote IP visible from the internet is also dynamic. I'm trying to create an IPsec VPN to one of my Ubuntu 16.04 servers on the Internet, which has a static IP and runs strongswan. The TP-Link only knows IPsec (...).

TP-Link local subnet is 192.168.10.0/24
TP-Link's local IP is 192.168.10.1
Server's IP is 1.2.3.4/24 (internet accessible)

The link is created, goes up, then I get the above error and then it goes down.

NOTE: The logs also show an odd local IP address that I didn't recognize: 192.168.225.100 ... this IP actually seems to also be the TP-Link's, because I can access it from its local LAN and it opens the same web GUI!

I then also tried rightsubnet=0.0.0.0/0 ... same error :(

Logs and conf below. Can any kind soul help me get this up please?

Strongswan logs:

Sep  1 21:46:51 ubuntu charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity
Sep  1 21:46:51 ubuntu charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep  1 21:46:51 ubuntu charon: 00[JOB] spawning 16 worker threads
Sep  1 21:46:51 ubuntu charon: 06[CFG] received stroke: add connection 'nat-t'
Sep  1 21:46:51 ubuntu charon: 06[CFG] added configuration 'nat-t'
Sep  1 21:47:05 ubuntu charon: 16[NET] received packet: from <REMOTE_IP>[37861] to 1.2.3.4[500] (104 bytes)
Sep  1 21:47:05 ubuntu charon: 16[ENC] parsed ID_PROT request 0 [ SA V ]
Sep  1 21:47:05 ubuntu charon: 16[IKE] received DPD vendor ID
Sep  1 21:47:05 ubuntu charon: 16[IKE] <REMOTE_IP> is initiating a Main Mode IKE_SA
Sep  1 21:47:05 ubuntu charon: 16[ENC] generating ID_PROT response 0 [ SA V V ]
Sep  1 21:47:05 ubuntu charon: 16[NET] sending packet: from 1.2.3.4[500] to <REMOTE_IP>[37861] (116 bytes)
Sep  1 21:47:05 ubuntu charon: 14[NET] received packet: from <REMOTE_IP>[37861] to 1.2.3.4[500] (180 bytes)
Sep  1 21:47:05 ubuntu charon: 14[ENC] parsed ID_PROT request 0 [ KE No ]
Sep  1 21:47:05 ubuntu charon: 14[ENC] generating ID_PROT response 0 [ KE No ]
Sep  1 21:47:05 ubuntu charon: 14[NET] sending packet: from 1.2.3.4[500] to <REMOTE_IP>[37861] (196 bytes)
Sep  1 21:47:05 ubuntu charon: 08[NET] received packet: from <REMOTE_IP>[37861] to 1.2.3.4[500] (76 bytes)
Sep  1 21:47:05 ubuntu charon: 08[ENC] parsed ID_PROT request 0 [ ID HASH ]
Sep  1 21:47:05 ubuntu charon: 08[CFG] looking for pre-shared key peer configs matching 1.2.3.4...<REMOTE_IP>[192.168.225.100]
Sep  1 21:47:05 ubuntu charon: 08[CFG] selected peer config "nat-t"
Sep  1 21:47:05 ubuntu charon: 08[IKE] IKE_SA nat-t[1] established between 1.2.3.4[1.2.3.4]...<REMOTE_IP>[192.168.225.100]
Sep  1 21:47:05 ubuntu charon: 08[IKE] scheduling reauthentication in 3370s
Sep  1 21:47:05 ubuntu charon: 08[IKE] maximum IKE_SA lifetime 3550s
Sep  1 21:47:05 ubuntu charon: 08[ENC] generating ID_PROT response 0 [ ID HASH ]
Sep  1 21:47:05 ubuntu charon: 08[NET] sending packet: from 1.2.3.4[500] to <REMOTE_IP>[37861] (76 bytes)
Sep  1 21:47:06 ubuntu charon: 07[NET] received packet: from <REMOTE_IP>[37861] to 1.2.3.4[500] (300 bytes)
Sep  1 21:47:06 ubuntu charon: 07[ENC] parsed QUICK_MODE request 3165384805 [ HASH SA No KE ID ID ]
Sep  1 21:47:06 ubuntu charon: 07[IKE] received 3600s lifetime, configured 1200s
Sep  1 21:47:06 ubuntu charon: 07[ENC] generating QUICK_MODE response 3165384805 [ HASH SA No KE ID ID ]
Sep  1 21:47:06 ubuntu charon: 07[NET] sending packet: from 1.2.3.4[500] to <REMOTE_IP>[37861] (316 bytes)
Sep  1 21:47:06 ubuntu charon: 06[NET] received packet: from <REMOTE_IP>[37861] to 1.2.3.4[500] (76 bytes)
Sep  1 21:47:06 ubuntu charon: 06[ENC] parsed INFORMATIONAL_V1 request 3226534685 [ HASH N(INVAL_ID) ]
Sep  1 21:47:06 ubuntu charon: 06[IKE] received INVALID_ID_INFORMATION error notify

Strongswan ipsec.conf:

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ike
        authby=secret

conn nat-t
        left=1.2.3.4
        leftsubnet=1.2.3.0/24
        leftfirewall=yes
        lefthostaccess=yes
        right=%any
        rightsubnet=192.168.10.0/24
        auto=add
        esp=aes128-sha1-modp1024

Strongswan's ipsec.secrets

1.2.3.4 : PSK "Abracadabra"

TP-Link IPSEC config (screenshot):


Normadize
  • If `rightsubnet=192.168.10.0/24` then why 192.168.10.1 at the Local Address for VPN? It's supposed to be 192.168.10.0, isn't it? Maybe you should also change the Key Exchange Method to IKEv2 (and set it explicitly on the TP-Link). It makes sense to use the latest protocol if it's supported by both ends, right? Are you sure you got a 10.*.*.* address on the WAN interface? During connection your router identifies itself with 192.168.225.100 as "Local WAN Address", and it's definitely configured on one of the interfaces because you said it responded to your connection. – bcs78 Sep 02 '18 at 21:57
  • @bcs78 Yes, it should be 192.168.10.0, I'll change it, but that shouldn't matter given the mask is 0 for that group. I'll check again if it supports IKEv2, but that shouldn't matter either (the error isn't about that). Yes, I'm sure about the 10.* IP. The router seems to use 192.168.225.100 as the *local* address for the 4G modem. The WAN address is indeed 10.* as assigned by the ISP on 4G mobile (verified with my Android phone as well). – Normadize Sep 04 '18 at 00:06
  • Further screenshot showing 10.* as the WAN Ip seen by the router: https://i.gyazo.com/7cd653f4ced8d63f981012703ea76eef.png – Normadize Sep 04 '18 at 07:52
  • What other kind of "Local Identifier Type" does your TP-Link have? Maybe you could try to change it to "Local LAN IP" (if possible) and explicitly add the `rightid=192.168.10.1` to your strongswan config. – bcs78 Sep 04 '18 at 11:28
  • I'll try next time I'm on site (otherwise it locks me out when failing to establish the IPsec connection). If anyone has other ideas, by all means. – Normadize Sep 17 '18 at 21:59
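The log above shows phase 1 (Main Mode, PSK) completing and the peer answering the Quick Mode response with INVALID_ID_INFORMATION, which in IKEv1 means the selectors (IDci/IDcr) the responder sent back are not the ones the initiator proposed; IKEv1 has no selector narrowing, so they must match exactly. The following script is an added example, not code from the post or from strongSwan: it normalizes both sides' selectors and says which of the two IDs differs, and it picks the phase-1/phase-2 milestones out of the charon lines quoted above. The server values are copied from the ipsec.conf in the question; the TP-Link "local/remote address" values in PEER_CFG are constructed guesses (the screenshot is not on the page), and any mismatch they produce is an illustration of the check, not a diagnosis of this router.

```python
"""Added example (not from the original post): compare IKEv1 Quick Mode
traffic selectors for an exact match and spot the INVALID_ID_INFORMATION
pattern in a charon log excerpt.

PEER_CFG is a constructed assumption; SERVER_CFG and SAMPLE_LOG are copied
from the question.
"""
import ipaddress
import re

# Server side, copied from the ipsec.conf in the question.
SERVER_CFG = {"leftsubnet": "1.2.3.0/24", "rightsubnet": "192.168.10.0/24"}

# Peer (initiator) side. CONSTRUCTED: local address 192.168.10.1 with a /24
# mask as discussed in the comments, and the server entered as a single host.
PEER_CFG = {"local": "192.168.10.1/24", "remote": "1.2.3.4/32"}

# Excerpt of the charon log from the question: phase 1 success, the Quick
# Mode request/response, and the peer's INVALID_ID_INFORMATION notify.
SAMPLE_LOG = [
    "Sep  1 21:47:05 ubuntu charon: 08[IKE] IKE_SA nat-t[1] established between 1.2.3.4[1.2.3.4]...<REMOTE_IP>[192.168.225.100]",
    "Sep  1 21:47:06 ubuntu charon: 07[ENC] parsed QUICK_MODE request 3165384805 [ HASH SA No KE ID ID ]",
    "Sep  1 21:47:06 ubuntu charon: 07[ENC] generating QUICK_MODE response 3165384805 [ HASH SA No KE ID ID ]",
    "Sep  1 21:47:06 ubuntu charon: 06[ENC] parsed INFORMATIONAL_V1 request 3226534685 [ HASH N(INVAL_ID) ]",
    "Sep  1 21:47:06 ubuntu charon: 06[IKE] received INVALID_ID_INFORMATION error notify",
]


def normalize(selector: str) -> ipaddress.IPv4Network:
    """Map 'address/prefix' to the network it denotes, host bits cleared.

    An IKEv1 ID_IPV4_ADDR_SUBNET payload carries address + mask, so
    192.168.10.1/24 and 192.168.10.0/24 name the same subnet, while a bare
    host (1.2.3.4/32) is a different selector from 1.2.3.0/24.
    """
    return ipaddress.ip_network(selector, strict=False)


def quick_mode_ids_match(server: dict, peer: dict) -> dict:
    """Compare the selector pair strongSwan sends back as responder
    (rightsubnet as IDci, leftsubnet as IDcr) with what the initiator sent.

    IKEv1 has no narrowing: if either ID differs from the initiator's
    proposal, it answers INVALID_ID_INFORMATION and tears the SA down.
    """
    return {
        "initiator_id": normalize(peer["local"]) == normalize(server["rightsubnet"]),
        "responder_id": normalize(peer["remote"]) == normalize(server["leftsubnet"]),
    }


LINE_RE = re.compile(r"charon: \d+\[(?P<group>\w+)\] (?P<msg>.*)$")
PHASE1_RE = re.compile(r"established between .*\.\.\.(?P<peer>[^\[]+)\[(?P<id>[^\]]+)\]")


def explain_charon_log(lines) -> dict:
    """Extract the IKEv1 milestones: the phase-1 peer identity, whether Quick
    Mode was requested and answered, and whether INVAL_ID came back after
    the response (i.e. the peer rejected our IDs, not our authentication)."""
    state = {"phase1_peer_id": None, "quick_mode_requested": False,
             "quick_mode_answered": False, "invalid_id_after_quick_mode": False}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        p1 = PHASE1_RE.search(msg)
        if p1:
            state["phase1_peer_id"] = p1.group("id")
        elif "parsed QUICK_MODE request" in msg:
            state["quick_mode_requested"] = True
        elif "generating QUICK_MODE response" in msg:
            state["quick_mode_answered"] = True
        elif "N(INVAL_ID)" in msg and state["quick_mode_answered"]:
            state["invalid_id_after_quick_mode"] = True
    if state["phase1_peer_id"] and state["invalid_id_after_quick_mode"]:
        state["diagnosis"] = ("phase 1 (PSK, peer identity %s) succeeded; the peer rejected "
                              "the Quick Mode IDs, so compare leftsubnet/rightsubnet with the "
                              "peer's local/remote address settings" % state["phase1_peer_id"])
    else:
        state["diagnosis"] = "no INVALID_ID_INFORMATION after a Quick Mode response"
    return state


if __name__ == "__main__":
    print(quick_mode_ids_match(SERVER_CFG, PEER_CFG))
    print(explain_charon_log(SAMPLE_LOG))
```

Under the constructed PEER_CFG the local-side selectors agree once the mask is applied (so 192.168.10.1 vs 192.168.10.0 is not by itself a problem, as the asker's reply says), while 1.2.3.4/32 against leftsubnet=1.2.3.0/24 does not; changing rightsubnet to 0.0.0.0/0 also fails the initiator-side comparison, consistent with the asker seeing the same error after that change. The real TP-Link values have to be read off the router before drawing a conclusion.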
