<div dir="ltr"><div><font face="courier new, monospace">After you were all so helpful last time, I have another query. As a variant on the previous system, I have a fairly simple NAT based network setup I'm trying to get working:</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace"> +------+ +--------+ +----+</font></div>
<div><font face="courier new, monospace"> | | | | + ..... + | |</font></div><div><font face="courier new, monospace"> | A +----------------------+ B +----+ +--+ C |</font></div>
<div><font face="courier new, monospace"> | | | | | |</font></div><div><font face="courier new, monospace"> +------+ +--------+ +----+</font></div>
<div><font face="courier new, monospace"> 10.65.112.69 10.65.112.70 10.1.20.14 10.1.40.1</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">A - VPN client (connection initiator). On a private network with B. Linux machine under my control.</font></div>
<div><font face="courier new, monospace">B - Routing box. Has an interface on the private network, and a 3G (PPP) interface to the outside world. Performs NAT for private connections (-j MASQUERADE). Linux machine under my control.</font></div>
<div><font face="courier new, monospace">C - Remote gateway. VPN connection responder. A Cisco 2900 (not under my direct control but configuration changes can be made on request).</font></div><div><font face="courier new, monospace"><br>
</font></div><div><font face="courier new, monospace">The configuration I have on A is:</font></div><div><font face="courier new, monospace"><span class="" style="white-space:pre"> </span>left=%any</font></div><div><font face="courier new, monospace"><span class="" style="white-space:pre"> </span>leftfirewall=yes</font></div>
<div><font face="courier new, monospace"><span class="" style="white-space:pre"> </span>right=10.1.40.1</font></div><div><font face="courier new, monospace"><span class="" style="white-space:pre"> </span>rightsubnet=<a href="http://10.31.21.0/24">10.31.21.0/24</a></font></div>
<div><font face="courier new, monospace"><span class="" style="white-space:pre"> </span>auto=add</font></div><div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">Authentication is with Pre-shared keys.</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">When I attempt the connection I see the ikev2_init[I] going out and coming back [R], all Port 500.</font></div><div><font face="courier new, monospace">It detects the NAT and then sends the ikev2_auth[I] on Port 4500, that makes it out, and on B I see the ikev2_auth[R] coming back. This has a destination Port of 4500, but a source port of 500. The MASQUERADE rule seems to not like this, and so drops the packet. I added an extra DNAT rule to make sure it got through, and I can then see it arriving at A. Strongswan on A appears to completely ignore this packet and resends the ikev2_auth[I].</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">Is that source port of 500 actually something strange or is it one of those things that happens? Is that the reason that strongswan is ignoring the response or is something else going on that I haven't found yet.</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">I've attached a TCP dump from B of that process happening. It shows data on both interfaces so you can see the NAT in effect.</font></div>
<div><font face="courier new, monospace"><br></font></div><div><font face="courier new, monospace">Thanks in advance,</font></div><div><font face="courier new, monospace">Will</font></div></div>