IPSec IKEv2 with certificate (client to site) with StrongSwan under NAT (LOCAL IP MISMATCH)

QuiteSmart
QuiteSmart Posts: 51  Ally Member

Hello,

I'm trying to configure an IPsec IKEv2 VPN with certificate (client to site, without L2TP).

The server is an ATP; the client is an Android device with strongSwan.

The firewall is behind a router (and I feel that this is the problem, since the same configuration works in other places where the firewall is directly responsible for the internet connection); the router is set to forward everything to the firewall (DMZ).

The error is LOCAL IP MISMATCH:

In the strongSwan log the most relevant entries are:

invalid notify data length for NO_PROPOSAL_CHOSEN (48)

notify verification failed

could not decrypt payloads

message verification failed

IKE_AUTH response with message ID 1 processing failed

PHASE 1:

PHASE 2:

Any hint?

@PeterUK I feel you have the solution, don't you?

All Replies

  • PeterUK
    PeterUK Posts: 3,693  Guru Member

    You seem to have used a subnet 0.0.0.0/0; try host 0.0.0.0 for the local policy.

  • ENGA
    ENGA Posts: 4  Freshman Member

    Hi everyone,

    I have the same issue, same error, and no resolution.

    With the same settings on a firewall with direct internet access (and a public IP on the WAN interface), everything works perfectly: the VPN in Windows 11 connects to the firewall without warnings or errors.

    However, with the same firewall version and firmware, if the firewall is behind a router with a DMZ from the router to the WAN of the firewall, and the certificate is correctly configured with the name of the public connection (using an A record), the VPN doesn’t connect to the firewall.

    I’ve attached screenshots.

    Thank you all in advance.

    Andrea

  • ENGA
    ENGA Posts: 4  Freshman Member

    The date of the comment is February 2025, not 2024.

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,085  Zyxel Employee

    Hi @ENGA,

    Since you changed to a behind-NAT scenario, please change your "My address" setting from the "domain name/IPv4" option to the "Interface" option.

    The certificate setting doesn't need to change. Hope it helps.

    Zyxel Melen
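Two protocol details the thread turns on, shown as an added example (this is not code from the thread, from Zyxel, or from the strongSwan project): how an IKEv2 peer decides it is behind NAT from the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies of RFC 7296 section 2.23, which is exactly what changes when the firewall's WAN address is a private DMZ address while the client resolved the public IP, and the Notify-payload length rule that produces the client's "invalid notify data length for NO_PROPOSAL_CHOSEN (48)" line (NO_PROPOSAL_CHOSEN carries no notification data). The SPIs, the addresses (documentation ranges) and the 48-byte bogus payload are constructed here; the length table covers only the three notify types used.

```python
"""IKEv2 NAT detection and Notify-payload length checks (RFC 7296)."""
import hashlib
import ipaddress
import struct

# Notify message types, RFC 7296 section 3.10.1
NO_PROPOSAL_CHOSEN = 14
NAT_DETECTION_SOURCE_IP = 16388
NAT_DETECTION_DESTINATION_IP = 16389

NOTIFY_NAMES = {
    NO_PROPOSAL_CHOSEN: "NO_PROPOSAL_CHOSEN",
    NAT_DETECTION_SOURCE_IP: "NAT_DETECTION_SOURCE_IP",
    NAT_DETECTION_DESTINATION_IP: "NAT_DETECTION_DESTINATION_IP",
}

# Fixed notification-data length per type (only the three types used here).
EXPECTED_DATA_LEN = {
    NO_PROPOSAL_CHOSEN: 0,            # error notify, no data
    NAT_DETECTION_SOURCE_IP: 20,      # SHA-1 digest
    NAT_DETECTION_DESTINATION_IP: 20,
}


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 s2.23: SHA-1 over SPIi || SPIr || IP address || UDP port."""
    packed = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()


def build_notify(notify_type: int, data: bytes = b"", next_payload: int = 0,
                 protocol_id: int = 0, spi: bytes = b"") -> bytes:
    """Encode a Notify payload (RFC 7296 s3.10), critical bit clear."""
    length = 8 + len(spi) + len(data)
    header = struct.pack("!BBHBBH", next_payload, 0, length,
                         protocol_id, len(spi), notify_type)
    return header + spi + data


def parse_notify(buf: bytes) -> dict:
    """Decode a Notify payload; raises on a truncated buffer."""
    next_payload, _flags, length, protocol_id, spi_size, ntype = struct.unpack("!BBHBBH", buf[:8])
    if length > len(buf) or length < 8 + spi_size:
        raise ValueError("truncated notify payload")
    return {
        "next_payload": next_payload,
        "protocol_id": protocol_id,
        "type": ntype,
        "spi": buf[8:8 + spi_size],
        "data": buf[8 + spi_size:length],
    }


def notify_length_problem(notify: dict):
    """Return a strongSwan-style complaint if the data length is wrong, else None."""
    expected = EXPECTED_DATA_LEN.get(notify["type"])
    actual = len(notify["data"])
    if expected is not None and actual != expected:
        name = NOTIFY_NAMES.get(notify["type"], str(notify["type"]))
        return "invalid notify data length for %s (%d)" % (name, actual)
    return None


def classify_nat(spi_i, spi_r, received_src_hash, received_dst_hash, observed_peer, own_addr):
    """Recipient-side check from RFC 7296 s2.23.

    received_src_hash mismatching the hash of the address we actually saw the
    packet come from means the peer is behind NAT; received_dst_hash mismatching
    the hash of our own address means we are behind NAT.
    """
    peer_behind_nat = received_src_hash != nat_detection_hash(spi_i, spi_r, *observed_peer)
    self_behind_nat = received_dst_hash != nat_detection_hash(spi_i, spi_r, *own_addr)
    return peer_behind_nat, self_behind_nat


def demo_dmz_scenario():
    """Gateway behind a router DMZ, as in the thread; all values constructed."""
    spi_i = bytes.fromhex("0102030405060708")
    spi_r = bytes(8)                     # responder SPI is zero in the first IKE_SA_INIT
    client = ("203.0.113.10", 500)       # client with a public address
    gw_public = ("198.51.100.7", 500)    # what the client's A record resolves to
    gw_wan = ("192.168.1.2", 500)        # firewall's real WAN address behind the router
    # Hashes the client puts into its IKE_SA_INIT request
    src_hash = nat_detection_hash(spi_i, spi_r, *client)
    dst_hash = nat_detection_hash(spi_i, spi_r, *gw_public)
    # The gateway evaluates them against what it sees on the wire and its own interface
    return classify_nat(spi_i, spi_r, src_hash, dst_hash, client, gw_wan)


if __name__ == "__main__":
    print("peer_behind_nat, self_behind_nat =", demo_dmz_scenario())
    bogus = parse_notify(build_notify(NO_PROPOSAL_CHOSEN, b"\x00" * 48))
    print(notify_length_problem(bogus))
```

In the DMZ scenario the gateway finds that the client hashed the public address while its own interface holds the private one, so the gateway concludes it is behind NAT and the exchange moves to UDP 4500 with UDP encapsulation; a gateway configured with its public domain name or IP as "My address" is working from an identity that does not match the interface address the packet actually arrived on, which is why the interface-based setting is the one to use behind NAT. The length check shows that a NO_PROPOSAL_CHOSEN notify with 48 bytes of data is rejected before its content is looked at, which is consistent with the client having decrypted something that was not a well-formed IKE_AUTH response.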