<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<br>
<div class="moz-cite-prefix">On 03/23/2018 12:18 AM, Tobias Brunner
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:14523617-a5b3-8fcb-f3ad-15a8346f3682@strongswan.org">
<pre wrap="">Hi,
</pre>
<blockquote type="cite">
<pre wrap="">No port 4500 packet hitting its own interface. Only a keep-alive.
</pre>
</blockquote>
<pre wrap="">
That's the only packet that's sent from port 4500 (as also stated in the
log, where it clearly states that keep-alive is being sent, nothing
else). Since no request to port 4500 ever makes it to the daemon (the
log tells you that too) it naturally won't send any response and so you
also don't see any other packets in tcpdump.
Seems like your DNAT to port 4500 is not working.
Regards,
Tobias
</pre>
</blockquote>
<p>But it seems clear that 4500 is getting DNATted. There are four
attempts coming in via ipsec-nat-t (this is CentOS7.4), all the
way to the daemon. So 4500 attempts are getting through the IPSec
gateway's interface, but are not being noticed by the daemon?</p>
<p>In the LAN gateway my Shorewall directive is:</p>
<pre wrap="">#ACTION  SOURCE  DEST                PROTO  DEST                SOURCE   ORIGINAL
#                                           PORT                PORT(S)  DEST
DNAT     net     local:192.168.1.16  udp    isakmp,ipsec-nat-t  -        ð0
</pre>
<p>And in the IPSec gateway:</p>
<pre wrap=""><font color="#000099"># lsof -i -n -P
COMMAND   PID   USER FD  TYPE DEVICE   SIZE/OFF NODE NAME
charon-sy 41025 root 12u IPv6 12226082 0t0      UDP  *:500
charon-sy 41025 root 13u IPv6 12226083 0t0      UDP  *:4500
charon-sy 41025 root 14u IPv4 12226084 0t0      UDP  *:500
charon-sy 41025 root 15u IPv4 12226085 0t0      UDP  *:4500</font>
</pre>
<p>On an attempt:</p>
<pre wrap=""><font color="#000099"># tcpdump -i eth0 'port 4500'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:01:20.504204 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.509230 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.516809 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.540911 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.541310 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.550701 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.553566 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.559687 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.502784 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.508218 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.512584 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.516938 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.521233 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.527491 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.542394 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.545907 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.301584 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.304550 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.307755 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.311453 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.315206 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.319197 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.323527 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.325219 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.255913 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.259435 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.263905 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.266785 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.270899 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.290882 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.291507 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.292809 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:38.823739 IP cygnus.darkmatter.org.ipsec-nat-t > 172.56.42.164.31453: isakmp-nat-keep-alive</font>
</pre>
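<p>An added triage helper, not part of this thread or of strongSwan: it reads tcpdump lines in the one-line format quoted above, counts inbound IKE requests, outbound IKE replies and NAT-T keep-alives relative to the gateway host name tcpdump printed, and states which side of the path is at fault. The sample capture embedded below is constructed from a few of the lines in the thread.</p>

```python
import re
from collections import Counter

# Constructed sample in the shape of the tcpdump output quoted in the thread:
# three inbound IKE_AUTH requests to UDP 4500 and one outgoing NAT keep-alive.
SAMPLE_CAPTURE = """\
10:01:20.504204 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.509230 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.502784 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:38.823739 IP cygnus.darkmatter.org.ipsec-nat-t > 172.56.42.164.31453: isakmp-nat-keep-alive
"""

# tcpdump's default UDP summary line: "<time> IP <host.port> > <host.port>: <decode>"
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def classify(line, gateway):
    """Label one line as 'inbound_ike', 'outbound_ike', 'keepalive', or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
    if "isakmp-nat-keep-alive" in rest:
        return "keepalive"            # one-byte NAT-T keep-alive, not an IKE message
    if "isakmp" not in rest:
        return None                   # ESP-in-UDP or unrelated traffic on the port
    if dst.startswith(gateway + "."):  # tcpdump appends ".<port>" to the host name
        return "inbound_ike"
    if src.startswith(gateway + "."):
        return "outbound_ike"
    return None

def triage(capture, gateway):
    """Count packet kinds and say which side of the path to look at next."""
    counts = Counter()
    for line in capture.splitlines():
        kind = classify(line, gateway)
        if kind:
            counts[kind] += 1
    if not counts["inbound_ike"]:
        verdict = "no IKE request reaches this interface: the DNAT in front of it is not delivering port 4500"
    elif not counts["outbound_ike"]:
        verdict = "IKE requests arrive but no IKE reply leaves: the daemon is not processing them, check its log and local input filtering"
    else:
        verdict = "IKE exchange is two-way on this interface"
    return dict(counts), verdict

if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURE, "cygnus.darkmatter.org"))
```

Feed it the raw output of `tcpdump -i eth0 'port 4500'` (name resolution on, as in the thread, or off with `-n` and the gateway given as its address) and it separates "DNAT not delivering" from "packets arrive, daemon silent".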
</body>
</html>