[strongSwan] strongswan 5.0.1, iOS4.3.5, problems when client is not behind NAT
Bharath Kumar
cbkumar at gmail.com
Fri Dec 28 22:19:20 CET 2012
Klaus,
You're welcome.
I think AH is only needed if you intend to support that mode. ESP should be
good enough for the case you described.
As to NAT-T, yes, if both sides play well -- which seems to be the case in
your case -- using it alleviates the firewall issues you might otherwise face.
Thanks,
Bharath Kumar
On Fri, Dec 28, 2012 at 11:11 AM, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>
>
> On 28.12.2012 16:34, Bharath Kumar wrote:
>
>> Klaus,
>>
>> The firewall on either end could be blocking ESP traffic (IP Protocol =
>> 50) and that's where forcing NAT-T would help.
>>
>
> Indeed, I was blocking ESP on the server side. I allowed now ESP and it
> works fine now.
>
> Btw: do I also have to allow AH (ip proto 51)? If I understand correctly,
> IPsec tunnel mode only requires ESP.
>
>
>> Have you tried setting
>
>> this in ipsec.conf?
>> forceencaps=true
>>
>
> This also helped.
>
> I think I will stay with "force NAT traversal" to avoid problems with ESP
> blocking firewalls on the client side.
>
>
> Thanks for the fast response,
> Klaus
>
>
>
>> The traffic in the log file seems to be for Dead Peer Detection.
>>
>> Thanks,
>> Bharath Kumar
>>
>> On Friday, December 28, 2012, Klaus Darilion wrote:
>>
>> Hi!
>>
>> I have setup strongSwan 5.0.1 with certificate authentication. The
>> tunnel creation works fine, and if the iPhone is behind NAT,
>> strongSwan detects the NAT, uses port 4500 and everything works fine.
>>
>> But if the iPhone is not behind NAT, the tunnel creation works fine,
>> but then, if I want to surf on the iPhone it does not work. Attached
>> is the output of "tail -f /var/log/syslog|grep charon" multiplexed
>> with "tcpdump -i any -n port 500 or 4500 or host 192.168.102.2":
>>
>> There is some traffic after the tunnel is created, but what kind of
>> traffic is this? "real" traffic or some "keep alive" traffic?
>>
>> Any ideas why it does not work when the client uses a public IP
>> address?
>>
>> Is it possible to force "NAT" behavior also if clients are not
>> behind NAT?
>>
>> Any hints are appreciated.
>>
>> Thanks
>> Klaus
>>
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>> ##################################################
>>
>> config setup
>>         charondebug=all
>>
>> conn RoadWarrior-CiscoIPsec-klaus
>>         type=tunnel
>>         dpdaction=clear
>>         dpddelay=60
>>         dpdtimeout=60
>>         keyexchange=ikev1
>>         authby=xauthrsasig
>>         xauth=server
>>         left=%defaultroute
>>         leftsubnet=0.0.0.0/0
>>         leftfirewall=yes
>>         leftcert=serverCert.pem
>>         right=%any
>>         rightsourceip=192.168.102.2
>>         rightcert=clientCert.pem
>>         auto=add
>>
>>
>> # strongswan.conf - strongSwan configuration file
>> #################################################
>>
>> charon {
>>         threads = 16
>>         dns1=192.168.99.1
>> }
>>
>>
>>
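Added illustration, not part of this thread: Klaus asks whether the post-tunnel packets are "real" traffic or keep-alives, and the answer hinges on the NAT-T framing that forceencaps=yes turns on. The script below classifies captured datagrams by the RFC 3948 rules (UDP 4500: one 0xff byte is a NAT keepalive, a four-zero-byte non-ESP marker precedes IKE, anything else is ESP-in-UDP; UDP 500 is plain IKE; IP protocol 50 is raw ESP, the thing the server firewall was dropping) and labels IKEv1 Informational exchanges, which is where DPD probes travel. The ISAKMP header builder and the SAMPLE list are constructed test data, not Klaus's log.

```python
import struct
from collections import Counter

ESP_PROTO, UDP_PROTO = 50, 17
IKE_PORT, NATT_PORT = 500, 4500
# ISAKMP header: iSPI, rSPI, next payload, version, exchange type, flags, message id, length
ISAKMP_HDR = struct.Struct("!QQBBBBII")
EXCH_INFORMATIONAL = 5   # IKEv1 Informational exchange; DPD R-U-THERE/ACK (RFC 3706) ride in it

def classify_ike(data):
    """Label an ISAKMP message by exchange type; the header stays cleartext even when payloads are encrypted."""
    if len(data) < ISAKMP_HDR.size:
        return "ike-malformed"
    _i, _r, _np, _ver, exch, flags, _mid, _len = ISAKMP_HDR.unpack_from(data)
    if exch == EXCH_INFORMATIONAL:
        # flags bit 0 = encrypted payloads, the normal state of post-Phase-1 DPD probes
        return "ike-informational-encrypted" if flags & 0x01 else "ike-informational"
    return "ike-exchange-%d" % exch

def classify_udp(dst_port, payload):
    """Apply the RFC 3948 NAT-T framing rules to one UDP datagram."""
    if dst_port == NATT_PORT:
        if payload == b"\xff":
            return "nat-keepalive"            # one-byte keepalive, carries no IPsec data
        if payload[:4] == b"\x00\x00\x00\x00":
            return classify_ike(payload[4:])  # non-ESP marker, then an IKE message
        return "esp-in-udp"                   # else the first 4 bytes are a non-zero ESP SPI
    return classify_ike(payload) if dst_port == IKE_PORT else "udp-other"

def classify_packet(proto, dst_port, payload):
    if proto == ESP_PROTO:
        return "esp-raw"   # IP protocol 50, the traffic Klaus's server firewall was dropping
    return classify_udp(dst_port, payload) if proto == UDP_PROTO else "other"

def summarize(packets):
    """Count traffic classes over (ip_proto, udp_dst_port, payload) tuples."""
    return dict(Counter(classify_packet(*p) for p in packets))

def _ike(exchange, flags=0):
    # constructed ISAKMP header with dummy SPIs (test data, not a real capture)
    return ISAKMP_HDR.pack(0x1122334455667788, 0x99AABBCCDDEEFF00, 11, 0x10, exchange, flags, 0x4242, 28)

SAMPLE = [  # constructed sample capture, not Klaus's attached log
    (17, 500, _ike(2)),                                  # Main Mode (exchange type 2)
    (17, 4500, b"\x00\x00\x00\x00" + _ike(5, 0x01)),     # encrypted Informational: a DPD probe
    (17, 4500, b"\xff"),                                 # NAT keepalive
    (17, 4500, b"\x00\x00\x12\x34\x00\x00\x00\x01" + b"\xaa" * 32),  # ESP-in-UDP, SPI 0x1234
    (50, None, b"\x00\x00\x12\x34\x00\x00\x00\x02" + b"\xbb" * 32),  # raw ESP, same SPI
]
```

With forceencaps=yes the "esp-raw" class should disappear from a capture of the client's traffic and show up as "esp-in-udp" on port 4500 instead.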