Klaus,<div><br></div><div>The firewall on either end could be blocking ESP traffic (IP Protocol = 50) and that's where forcing NAT-T would help. <span></span>Have you tried setting this in ipsec.conf?<div> forceencaps=true</div>
<div><br></div><div>The traffic in the log file seems to be for Dead Peer Detection.</div><div><br></div><div>Thanks,</div><div>Bharath Kumar<br><br>On Friday, December 28, 2012, Klaus Darilion wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi!<br>
<br>
I have setup strongSwan 5.0.1 with certificate authentication. The tunnel creation works fine, and if the iPhone is behind NAT, strongSwan detects the NAT, uses port 4500 and everything works fine.<br>
<br>
But if the iPhone is not behind NAT, the tunnel creation works fine, but then, if I want to surf on the iPhone it does not work. Attached is the output of "tail -f /var/log/syslog|grep charon" multiplexed with "tcpdump -i any -n port 500 or 4500 or host 192.168.102.2":<br>
<br>
There is some traffic after the tunnel is created, but what kind of traffic is this? "real" traffic or some "keep alive" traffic?<br>
<br>
Any ideas why it does not work when the client uses a public IP address?<br>
<br>
Is it possible to force "NAT" behavior also if clients are not behind NAT?<br>
<br>
Any hints are appreciated.<br>
<br>
Thanks<br>
Klaus<br>
<br>
<br>
# ipsec.conf - strongSwan IPsec configuration file<br>
##############################<u></u>####################<br>
config setup<br>
charondebug=all<br>
<br>
conn RoadWarrior-CiscoIPsec-klaus<br>
type=tunnel<br>
dpdaction=clear<br>
dpddelay=60<br>
dpdtimeout=60<br>
keyexchange=ikev1<br>
authby=xauthrsasig<br>
xauth=server<br>
left=%defaultroute<br>
leftsubnet=<a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
leftfirewall=yes<br>
leftcert=serverCert.pem<br>
right=%any<br>
rightsourceip=192.168.102.2<br>
rightcert=clientCert.pem<br>
auto=add<br>
<br>
<br>
# strongswan.conf - strongSwan configuration file<br>
##############################<u></u>###################<br>
charon {<br>
threads = 16<br>
dns1=192.168.99.1<br>
}<br>
<br>
<br>
</blockquote></div></div>