IPSec IKEv2 with certificate (client to site) with StrongSwan under NAT (LOCAL IP MISMATCH)

QuiteSmart
QuiteSmart Posts: 48  Freshman Member
Zyxel Certified Network Administrator - Nebula Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - WLAN

Hello,

i'm trying to configure an IPSEC IKEv2 VPN with certificate (client to site, without L2TP).

The server is an ATP the client in an android device with StrongSwan.

The firewall is under a router (and i feel that this is the problem since the same configuration works in other places where the firewall is directly responsible of the internet connection), the router is set to forward anything to the firewall (DMZ).

The error is LOCAL IP MISMATCH:

in the strongswan log the most relevant entries are:

invalid notify data lenght for NO__PROPOSAL_CHOSEN (48)

notify verification failed

could not decrypt payloads

message verification failed

IKE_AUTH response with message ID 1 processing failed"

PHASE 1:

PHASE 2:

Any hint?

@PeterUK i fell you have the solution, is it?

All Replies

  • PeterUK
    PeterUK Posts: 3,460  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    You seem to of used a subnet 0.0.0.0/0 try host 0.0.0.0 for local policy

Security Highlight