[strongSwan] NAT mappings of ESP CHILD_SA changed !!!
Tobias Brunner
tobias at strongswan.org
Thu Aug 15 09:04:48 CEST 2013
Hi,

> Does that mean, Target Router's strongswan not handling this Changed
> packet correctly ?

No, the daemon correctly updates the two SAs:

> Aug 14 18:55:23 01[KNL] NAT mappings of ESP CHILD_SA with SPI c22c81c5 and reqid {1} changed, queuing update job
> ...
> Aug 14 18:55:23 10[KNL] updating SAD entry with SPI c22c81c5 from 192.168.3.128[4500]..10.10.0.130[4500] to 192.168.3.128[1003]..10.10.0.130[4500]
> ...
> Aug 14 18:55:23 10[KNL] updating SAD entry with SPI c41a180e from 10.10.0.130[4500]..192.168.3.128[4500] to 10.10.0.130[4500]..192.168.3.128[1003]

But the problem is that after the update an IKE packet is actually
received from port 4500, not 1003, which reverts those updates:

> Aug 14 18:55:32 11[NET] received packet: from 192.168.3.128[4500] to 10.10.0.130[4500] (76 bytes)
> ...
> Aug 14 18:55:32 11[KNL] updating SAD entry with SPI c22c81c5 from 192.168.3.128[1003]..10.10.0.130[4500] to 192.168.3.128[4500]..10.10.0.130[4500]
> ...
> Aug 14 18:55:32 11[KNL] updating SAD entry with SPI c41a180e from 10.10.0.130[4500]..192.168.3.128[1003] to 10.10.0.130[4500]..192.168.3.128[4500]

And such packets continue to arrive from port 4500:

> Aug 14 18:55:42 12[NET] received packet: from 192.168.3.128[4500] to 10.10.0.130[4500] (76 bytes)

So how exactly did you force the change of the NAT mapping? It seems it
doesn't apply to all the traffic.

Regards,
Tobias
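
Added example (not part of the message above and not strongSwan code): a small log check that finds the update-then-revert pattern described in the reply, using the charon log lines quoted there as input. The function name and the record fields are assumptions made for this illustration.

```python
import re

# Log lines copied from the message quoted above.
SAMPLE_LOG = """\
Aug 14 18:55:23 01[KNL] NAT mappings of ESP CHILD_SA with SPI c22c81c5 and reqid {1} changed, queuing update job
Aug 14 18:55:23 10[KNL] updating SAD entry with SPI c22c81c5 from 192.168.3.128[4500]..10.10.0.130[4500] to 192.168.3.128[1003]..10.10.0.130[4500]
Aug 14 18:55:23 10[KNL] updating SAD entry with SPI c41a180e from 10.10.0.130[4500]..192.168.3.128[4500] to 10.10.0.130[4500]..192.168.3.128[1003]
Aug 14 18:55:32 11[NET] received packet: from 192.168.3.128[4500] to 10.10.0.130[4500] (76 bytes)
Aug 14 18:55:32 11[KNL] updating SAD entry with SPI c22c81c5 from 192.168.3.128[1003]..10.10.0.130[4500] to 192.168.3.128[4500]..10.10.0.130[4500]
Aug 14 18:55:32 11[KNL] updating SAD entry with SPI c41a180e from 10.10.0.130[4500]..192.168.3.128[1003] to 10.10.0.130[4500]..192.168.3.128[4500]
Aug 14 18:55:42 12[NET] received packet: from 192.168.3.128[4500] to 10.10.0.130[4500] (76 bytes)
"""

TS = r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) \d+"
UPDATE_RE = re.compile(
    TS + r"\[KNL\] updating SAD entry with SPI (?P<spi>[0-9a-f]{8}) "
    r"from (?P<old>\S+) to (?P<new>\S+)$")
PACKET_RE = re.compile(TS + r"\[NET\] received packet: from (?P<src>\S+) to \S+")


def find_reverts(log_text):
    """Report SAD updates that undo the previous update of the same SPI."""
    last_update = {}    # spi -> (old endpoints, new endpoints)
    last_packet = None  # source of the most recent received packet
    reverts = []
    for line in log_text.splitlines():
        pkt = PACKET_RE.match(line)
        if pkt:
            last_packet = pkt["src"]
            continue
        upd = UPDATE_RE.match(line)
        if not upd:
            continue
        prev = last_update.get(upd["spi"])
        # A revert swaps the endpoints straight back to what they were.
        if prev == (upd["new"], upd["old"]):
            reverts.append({"time": upd["ts"], "spi": upd["spi"],
                            "restored": upd["new"],
                            "after_packet_from": last_packet})
        last_update[upd["spi"]] = (upd["old"], upd["new"])
    return reverts


if __name__ == "__main__":
    for r in find_reverts(SAMPLE_LOG):
        print(r)
```
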