[strongSwan] strongswan 5.0.1, iOS4.3.5, problems when client is not behind NAT
Klaus Darilion
klaus.mailinglists at pernau.at
Fri Dec 28 20:11:49 CET 2012
On 28.12.2012 16:34, Bharath Kumar wrote:
> Klaus,
>
> The firewall on either end could be blocking ESP traffic (IP Protocol =
> 50) and that's where forcing NAT-T would help.
Indeed, I was blocking ESP on the server side. I have now allowed ESP and it
works fine.
Btw: do I also have to allow AH (ip proto 51)? If I understand
correctly, IPsec tunnel mode only requires ESP.
> Have you tried setting
> this in ipsec.conf?
> forceencaps=true
This also helped.
I think I will stay with "force NAT traversal" to avoid problems with
ESP blocking firewalls on the client side.
Thanks for the fast response,
Klaus
>
> The traffic in the log file seems to be for Dead Peer Detection.
>
> Thanks,
> Bharath Kumar
>
> On Friday, December 28, 2012, Klaus Darilion wrote:
>
> Hi!
>
> I have setup strongSwan 5.0.1 with certificate authentication. The
> tunnel creation works fine, and if the iPhone is behind NAT,
> strongSwan detects the NAT, uses port 4500 and everything works fine.
>
> But if the iPhone is not behind NAT, the tunnel creation works fine,
> but then, if I want to surf on the iPhone it does not work. Attached
> is the output of "tail -f /var/log/syslog|grep charon" multiplexed
> with "tcpdump -i any -n port 500 or 4500 or host 192.168.102.2":
>
> There is some traffic after the tunnel is created, but what kind of
> traffic is this? "real" traffic or some "keep alive" traffic?
>
> Any ideas why it does not work when the client uses a public IP address?
>
> Is it possible to force "NAT" behavior also if clients are not
> behind NAT?
>
> Any hints are appreciated.
>
> Thanks
> Klaus
>
>
> # ipsec.conf - strongSwan IPsec configuration file
> ###################################################
> config setup
>     charondebug=all
>
> conn RoadWarrior-CiscoIPsec-klaus
>     type=tunnel
>     dpdaction=clear
>     dpddelay=60
>     dpdtimeout=60
>     keyexchange=ikev1
>     authby=xauthrsasig
>     xauth=server
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftfirewall=yes
>     leftcert=serverCert.pem
>     right=%any
>     rightsourceip=192.168.102.2
>     rightcert=clientCert.pem
>     auto=add
>
>
> # strongswan.conf - strongSwan configuration file
> ##################################################
> charon {
>     threads = 16
>     dns1=192.168.99.1
> }
>
>
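The two fixes discussed in this thread are: open the server firewall for plain ESP (IP protocol 50) next to IKE on UDP/500 and NAT-T on UDP/4500, or set forceencaps so all ESP travels UDP-encapsulated on 4500. The following POSIX shell script is an added example, not code from the thread or from the strongSwan project: it reads a conn section out of an ipsec.conf and prints the iptables INPUT rules that conn needs, omitting the plain-ESP rule when forceencaps is set. The config text is constructed from the quoted one with forceencaps=yes added; the use of iptables and the INPUT chain is an assumption. AH (protocol 51) is not opened because this conn uses ESP, which is strongSwan's default.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): derive the
# server-side firewall rules a strongSwan conn needs from its ipsec.conf
# settings. Assumes iptables and the INPUT chain.

# Constructed ipsec.conf: the quoted config with forceencaps=yes added.
IPSEC_CONF='config setup
    charondebug=all

conn RoadWarrior-CiscoIPsec-klaus
    type=tunnel
    dpdaction=clear
    dpddelay=60
    dpdtimeout=60
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    forceencaps=yes
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftcert=serverCert.pem
    right=%any
    rightsourceip=192.168.102.2
    rightcert=clientCert.pem
    auto=add
'

# conn_setting CONN KEY: read an ipsec.conf from stdin and print the value
# of KEY inside the "conn CONN" section (prints nothing if it is unset).
conn_setting() {
    awk -v conn="$1" -v key="$2" '
        # Unindented "config setup" / "conn NAME" lines open a section.
        /^[a-z]+ / { insec = ($1 == "conn" && $2 == conn) }
        # Indented key=value lines inside the wanted section.
        insec && /=/ {
            sub(/^[ \t]+/, "")
            i = index($0, "=")
            if (substr($0, 1, i - 1) == key) { print substr($0, i + 1); exit }
        }
    '
}

# fw_rules CONN: read an ipsec.conf from stdin and print the iptables rules
# the server needs for CONN. IKE (UDP/500) and NAT-T (UDP/4500) are always
# required; plain ESP (IP protocol 50) only when the conn does not force
# UDP encapsulation. AH (protocol 51) is not needed: the conn uses ESP.
fw_rules() {
    conf=$(cat)
    fe=$(printf '%s\n' "$conf" | conn_setting "$1" forceencaps)
    echo "iptables -A INPUT -p udp --dport 500 -j ACCEPT   # IKE"
    echo "iptables -A INPUT -p udp --dport 4500 -j ACCEPT  # IKE and ESP over NAT-T"
    case "$fe" in
        yes|true) ;;  # every ESP packet arrives UDP-encapsulated on 4500
        *) echo "iptables -A INPUT -p esp -j ACCEPT             # plain ESP (proto 50)" ;;
    esac
}

# Usage: print the rules for the conn with forceencaps set, then without it.
printf '%s' "$IPSEC_CONF" | fw_rules RoadWarrior-CiscoIPsec-klaus
printf '%s' "$IPSEC_CONF" | grep -v forceencaps | fw_rules RoadWarrior-CiscoIPsec-klaus
```

With forceencaps=yes the ESP rule disappears, which is why forcing NAT-T sidesteps ESP-blocking firewalls on either side; the trade-off is that every peer must support NAT-T and the per-packet UDP overhead applies even to clients with public addresses.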