[strongSwan] IKEv2 NAT issue

Dennis Frett frett at us.ibm.com
Mon Apr 4 22:48:59 CEST 2011


I'm running an IKEv2 NAT-T test with Strongswan 4.5.0 behind a NAT


Linux  -------    NAT|  --------  initiator



The IKE_SA_INIT and IKE_AUTH are sent and received from the Linux just fine.
strongSwan detects the NAT in front of itself and also returns the IKE_AUTH on src port 4500; dst port 4500 just fine.

However, after that everything that's sent from strongSwan is w/ srcport 4500; dstport 500.
That includes:
- delete child_sa informational
- any ESP packets that are sent in UDP encap
- any create_child_sa requests.


If I take the same configuration and initiate from strongSwan, the entire NAT exchange works, including whatever is sent after the IKE_AUTH exchange.


I'm not seeing where this is a configuration issue, but might be missing something.



Traces from strongSwan:
Apr  4 01:55:59 blackthumb charon: 16[NET] received packet: from 10.10.110.204[500] to 9.5.149.53[500]
Apr  4 01:55:59 blackthumb charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr  4 01:55:59 blackthumb charon: 16[IKE] 10.10.110.204 is initiating an IKE_SA
Apr  4 01:55:59 blackthumb charon: 16[IKE] local host is behind NAT, sending keep alives
Apr  4 01:55:59 blackthumb charon: 16[IKE] sending cert request for "C=US, O=IBM, CN=BlackthumbCA"
Apr  4 01:55:59 blackthumb charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr  4 01:55:59 blackthumb charon: 16[NET] sending packet: from 9.5.149.53[500] to 10.10.110.204[500]
Apr  4 01:56:01 blackthumb charon: 01[NET] received packet: from 10.10.110.204[4500] to 9.5.149.53[4500]
Apr  4 01:56:01 blackthumb charon: 01[ENC] parsed IKE_AUTH request 1 [ IDi AUTH SA TSi TSr ]
Apr  4 01:56:01 blackthumb charon: 01[CFG] looking for peer configs matching 9.5.149.53[%any]...10.10.110.204[10.10.110.204]
Apr  4 01:56:01 blackthumb charon: 01[CFG] selected peer config 'strongswan-remotehost'
Apr  4 01:56:01 blackthumb charon: 01[IKE] authentication of '10.10.110.204' with pre-shared key successful
Apr  4 01:56:01 blackthumb charon: 01[IKE] authentication of '9.5.149.53' (myself) with pre-shared key
Apr  4 01:56:01 blackthumb charon: 01[IKE] IKE_SA strongswan-remotehost[1] established between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
Apr  4 01:56:01 blackthumb charon: 01[IKE] scheduling reauthentication in 10181s
Apr  4 01:56:01 blackthumb charon: 01[IKE] maximum IKE_SA lifetime 10721s
Apr  4 01:56:01 blackthumb charon: 01[IKE] CHILD_SA strongswan-remotehost{1} established with SPIs ce28fab5_i 58db4f08_o and TS 9.5.149.53/32 === 10.10.110.204/32
Apr  4 01:56:01 blackthumb charon: 01[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Apr  4 01:56:01 blackthumb charon: 01[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]
Apr  4 01:56:12 blackthumb charon: 00[DMN] signal of type SIGINT received. Shutting down
Apr  4 01:56:12 blackthumb charon: 00[IKE] deleting IKE_SA strongswan-remotehost[1] between 9.5.149.53[9.5.149.53]...10.10.110.204[10.10.110.204]
Apr  4 01:56:12 blackthumb charon: 00[IKE] sending DELETE for IKE_SA strongswan-remotehost[1]
Apr  4 01:56:12 blackthumb charon: 00[ENC] generating INFORMATIONAL request 0 [ D ]
Apr  4 01:56:12 blackthumb charon: 00[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[500]



Dennis Frett
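As an added example (not part of the original post or of strongSwan), a small Python check that scans charon NET log lines for exactly the symptom described above: a packet sent to a peer on UDP 500 after that peer has already floated to 4500 during NAT-T. The sample log lines are constructed to mirror the trace in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: charon [NET] lines mirroring the trace in this post,
# with the e-mail line wrapping undone so each packet is on one line.
SAMPLE_LOG = """\
Apr  4 01:55:59 blackthumb charon: 16[NET] received packet: from 10.10.110.204[500] to 9.5.149.53[500]
Apr  4 01:55:59 blackthumb charon: 16[NET] sending packet: from 9.5.149.53[500] to 10.10.110.204[500]
Apr  4 01:56:01 blackthumb charon: 01[NET] received packet: from 10.10.110.204[4500] to 9.5.149.53[4500]
Apr  4 01:56:01 blackthumb charon: 01[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[4500]
Apr  4 01:56:12 blackthumb charon: 00[NET] sending packet: from 9.5.149.53[4500] to 10.10.110.204[500]
"""

# Matches charon's "received packet" / "sending packet" log format.
PKT_RE = re.compile(
    r"charon: \d+\[NET\] (?P<dir>received|sending) packet: "
    r"from (?P<src>[\d.]+)\[(?P<sport>\d+)\] to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]"
)


def find_port_regressions(log: str) -> List[Tuple[int, str, int]]:
    """Return (line_no, peer, dst_port) for every packet sent to a peer on a
    port other than 4500 after that peer has already been seen on UDP 4500.

    Once both sides have floated to 4500 (IKEv2 NAT traversal, RFC 7296
    section 2.23) all further IKE and UDP-encapsulated ESP traffic must keep
    using the floated ports; falling back to 500 is the bug this post reports.
    """
    floated: Dict[str, bool] = {}  # peer address -> seen on 4500 yet?
    hits: List[Tuple[int, str, int]] = []
    for line_no, line in enumerate(log.splitlines(), 1):
        m = PKT_RE.search(line)
        if not m:
            continue
        if m["dir"] == "received":
            peer, port = m["src"], int(m["sport"])
        else:
            peer, port = m["dst"], int(m["dport"])
        if port == 4500:
            floated[peer] = True
        elif floated.get(peer) and m["dir"] == "sending":
            hits.append((line_no, peer, port))
    return hits


if __name__ == "__main__":
    for line_no, peer, port in find_port_regressions(SAMPLE_LOG):
        print(f"line {line_no}: sent to {peer} on port {port} after NAT-T float to 4500")
```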