Hi,<div> I am trying to establish an IKEv1 transport mode tunnel that traverses a NAT, but the quick mode negotiation is failing because StrongSwan is not sending the expected number of NAT-OA payloads. My understanding of RFC 3947 is that two NAT-OA payloads should be sent in each direction of the quick mode exchange in transport mode:</div>
<div><br></div><div><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: medium; "><pre style="word-wrap: break-word; white-space: pre-wrap; "> In the case of transport mode, both ends MUST send both original
Initiator and Responder addresses to the other end. For tunnel mode,
both ends SHOULD NOT send original addresses to the other end.</pre></span></div><div><br></div><div> StrongSwan includes a vendor ID payload for RFC 3947, but it only sends one NAT-OA payload, so the tunnel negotiation is failing with an indication that the responder received a malformed payload. Am I misunderstanding something here? It appears StrongSwan isn't conforming to RFC3947 for IKEv1 transport mode.</div>
<div><br></div><div> Thank you for your help! </div><div> </div><div> FYI: Here are the trace excerpts for the vendor id and the sending of the NAT-OA payloads.</div><div><br></div><div><div><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:28:31 linux125 pluto[7549]: | emitting length of ISAKMP Vendor ID Payload: 20</font></div>
<div><font class="Apple-style-span" face="'courier new', monospace"></font><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">Oct 13 12:28:31 linux125 pluto[7549]: | out_vendorid(): sending [RFC 3947]</span></div>
<div><span class="Apple-style-span" style="font-family: 'courier new', monospace; "></span><span class="Apple-style-span" style="font-family: 'courier new', monospace; ">Oct 13 12:28:31 linux125 pluto[7549]: | ***emit ISAKMP Vendor ID Payload:</span></div>
<div><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:28:31 linux125 pluto[7549]: | next payload type: ISAKMP_NEXT_VID</font></div></div><div> </div><div><span class="Apple-style-span" style="font-family: 'Times New Roman'; font-size: medium; "><pre style="word-wrap: break-word; white-space: pre-wrap; ">
<span class="Apple-style-span" style="font-family: arial; white-space: normal; font-size: small; "><br></span></pre><pre style="word-wrap: break-word; white-space: pre-wrap; "><span class="Apple-style-span" style="font-family: arial; white-space: normal; font-size: small; "><pre style="word-wrap: break-word; ">
<span class="Apple-style-span" style="white-space: normal;"><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | client network c0 a8 32 08<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | emitting length of ISAKMP Identification Payload (IPsec DOI): 12<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | ***emit ISAKMP Identification Payload (IPsec DOI):<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | next payload type: ISAKMP_NEXT_NAT-OA<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | ID type: ID_IPV4_ADDR<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | Protocol ID: 0<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | port: 0<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | client network c0 a8 31 04<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | emitting length of ISAKMP Identification Payload (IPsec DOI): 12<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | ***emit ISAKMP NAT-OA Payload:<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | next payload type: ISAKMP_NEXT_NONE<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | ID type: ID_IPV4_ADDR<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | emitting 4 raw bytes of NAT-OA into ISAKMP NAT-OA Payload<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | NAT-OA c0 a8 32 08<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | NAT-OA (S): c0 a8 32 08<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | emitting length of ISAKMP NAT-OA Payload: 12<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | HASH(1) computed:<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | 22 e0 e0 27 ea 47 04 cf 43 8b f9 12 16 1e d1 98<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | last Phase 1 IV: 44 7b 00 db a9 aa ba 2a<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | computed Phase 2 IV:<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | c9 6a 22 8d 5e 2b e6 95 f6 5f 8d 17 cd dc 37 a8<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | encrypting:<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | 01 00 00 14 22 e0 e0 27 ea 47 04 cf 43 8b f9 12<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | 16 1e d1 98 0a 00 00 30 00 00 00 01 00 00 00 01<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | 00 00 00 24 00 03 04 01 0b d6 c6 cb 00 00 00 18<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | 00 03 00 00 80 04 00 04 80 01 00 01 80 02 0e 10<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | 80 05 00 01 05 00 00 14 c1 59 f6 83 e9 2e 00 08<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | 4a fe be 06 80 3e f8 0a 05 00 00 0c 01 00 00 00<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | c0 a8 32 08 15 00 00 0c 01 00 00 00 c0 a8 31 04<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | 00 00 00 0c 01 00 00 00 c0 a8 32 08<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | emitting 4 zero bytes of encryption padding into ISAKMP Message<br>
</font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | encrypting using 3DES_CBC<br></font></span><span class="Apple-style-span" style="white-space: normal; "><font class="Apple-style-span" face="'courier new', monospace">Oct 13 12:30:51 linux125 pluto[7549]: | next IV: ac 0e f4 48 75 9f 06 42</font></span></pre>
<div><br></div></span></pre><pre style="word-wrap: break-word; white-space: pre-wrap; "><span class="Apple-style-span" style="font-family: arial; white-space: normal; font-size: small; "><br></span></pre><pre style="word-wrap: break-word; white-space: pre-wrap; ">
<span class="Apple-style-span" style="font-family: arial; white-space: normal; font-size: small; "><br></span></pre><pre style="word-wrap: break-word; white-space: pre-wrap; "><span class="Apple-style-span" style="font-family: arial; white-space: normal; font-size: small; "><br>
</span></pre></span></div>