[strongSwan] strongswan 5.0.1, iOS4.3.5, problems when client is not behind NAT
Bharath Kumar
cbkumar at gmail.com
Fri Dec 28 16:34:24 CET 2012
Klaus,
The firewall on either end could be blocking ESP traffic (IP Protocol = 50)
and that's where forcing NAT-T would help. Have you tried setting this in
ipsec.conf?
forceencaps=true
The traffic in the log file seems to be for Dead Peer Detection.
Thanks,
Bharath Kumar
On Friday, December 28, 2012, Klaus Darilion wrote:
> Hi!
>
> I have setup strongSwan 5.0.1 with certificate authentication. The tunnel
> creation works fine, and if the iPhone is behind NAT, strongSwan detects
> the NAT, uses port 4500 and everything works fine.
>
> But if the iPhone is not behind NAT, the tunnel creation works fine, but
> then, if I want to surf on the iPhone it does not work. Attached is the
> output of "tail -f /var/log/syslog|grep charon" multiplexed with "tcpdump
> -i any -n port 500 or 4500 or host 192.168.102.2":
>
> There is some traffic after the tunnel is created, but what kind of
> traffic is this? "real" traffic or some "keep alive" traffic?
>
> Any ideas why it does not work when the client uses a public IP address?
>
> Is it possible to force "NAT" behavior also if clients are not behind NAT?
>
> Any hints are appreciated.
>
> Thanks
> Klaus
>
>
> # ipsec.conf - strongSwan IPsec configuration file
> ##################################################
> config setup
> charondebug=all
>
> conn RoadWarrior-CiscoIPsec-klaus
> type=tunnel
> dpdaction=clear
> dpddelay=60
> dpdtimeout=60
> keyexchange=ikev1
> authby=xauthrsasig
> xauth=server
> left=%defaultroute
> leftsubnet=0.0.0.0/0
> leftfirewall=yes
> leftcert=serverCert.pem
> right=%any
> rightsourceip=192.168.102.2
> rightcert=clientCert.pem
> auto=add
>
>
> # strongswan.conf - strongSwan configuration file
> #################################################
> charon {
> threads = 16
> dns1=192.168.99.1
> }
>
>
>
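A way to check the two points raised in this thread from the command line, added here as an example and not taken from the thread or from the strongSwan project: the first helper tells you whether a given `conn` in an ipsec.conf text forces UDP encapsulation (the documented spelling in the ipsec.conf man page is `forceencaps=yes`), and the second classifies tcpdump output into IKE, NAT-T (UDP port 4500) ESP and raw ESP (IP protocol 50) packets, so you can see whether the post-tunnel traffic in a capture is really ESP that a firewall could be dropping or just IKE informational exchanges such as DPD. The helper names, the sample ipsec.conf and the capture lines are constructed for this example; the capture format follows tcpdump's `UDP-encap:`/`NONESP-encap:` labels.

```shell
#!/bin/sh
# Added example helpers; not part of the original mailing-list thread.

# Constructed sample modelled on the conn quoted in the thread (no forceencaps yet).
SAMPLE_CONF='config setup
charondebug=all

conn RoadWarrior-CiscoIPsec-klaus
type=tunnel
keyexchange=ikev1
left=%defaultroute
right=%any
auto=add
'

# Constructed tcpdump lines: IKE on 500, IKE on 4500, raw ESP, UDP-encapsulated ESP.
SAMPLE_CAPTURE='12:00:01.000000 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
12:00:02.000000 IP 203.0.113.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
12:00:03.000000 IP 203.0.113.10 > 198.51.100.5: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:04.000000 IP 203.0.113.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x2), length 148'

# has_forceencaps CONN_NAME < ipsec.conf
# Prints "forceencaps" if the named conn (or conn %default) sets forceencaps=yes|true,
# otherwise "no-forceencaps". Settings in "config setup" are ignored.
has_forceencaps() {
    awk -v want="$1" '
        /^[[:space:]]*conn[[:space:]]/   { cur = $2; next }
        /^[[:space:]]*config[[:space:]]/ { cur = "";  next }
        /^[[:space:]]*forceencaps[[:space:]]*=[[:space:]]*(yes|true)[[:space:]]*$/ {
            if (cur == want || cur == "%default") found = 1
        }
        END { print (found ? "forceencaps" : "no-forceencaps") }'
}

# classify_capture < tcpdump-output
# Counts IKE packets (port 500 or NONESP-encap on 4500), NAT-T encapsulated ESP
# and raw ESP (IP protocol 50). If raw ESP leaves one side and never arrives on
# the other, a filter on protocol 50 is the usual cause; forceencaps moves that
# traffic onto UDP 4500, which already passes for the IKE exchange.
classify_capture() {
    awk '
        /UDP-encap: ESP/           { natt++; next }
        /NONESP-encap: isakmp/     { ike++;  next }
        /\.500 > .*\.500: isakmp/  { ike++;  next }
        / ESP\(spi=/               { esp++;  next }
        END { printf "ike=%d natt-esp=%d raw-esp=%d\n", ike, natt, esp }'
}

# Stand-alone usage on the constructed samples.
printf '%s' "$SAMPLE_CONF" | has_forceencaps RoadWarrior-CiscoIPsec-klaus
printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture
```

On a live system the second helper would be fed by the same capture command the thread uses, for example `tcpdump -i any -n 'esp or udp port 500 or udp port 4500' | classify_capture`. Whichever path the traffic takes, the host firewall on the gateway has to allow UDP 500 and 4500 in both directions, and IP protocol 50 as well if you do not force encapsulation.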