[strongSwan] NAT-T UDP-encap ESP received, but no decrypted packets out
hongwei tseng
hw.tseng at hotmail.com
Mon Jan 14 08:50:14 CET 2013
I setup a scenarion [A] - - -> [NAT] - - -> [B][A] fedora 17, strongswan 5.0.1, is behind a NAT router (ip 192.168.0.2)[NAT] is a linux NAT router (ip 172.16.118.119)[B] fedora 17, strongswan 5.0.1, offer virtual ip pool 192.168.56.2/24 (ip 172.16.118.124) 1. ikev2 and ipsec tunnel were established successfully2. ping 192.168.56.1 [B] from 192.168.56.3[A]3. tcpdump on [B] can sniffered UDP-encap ESP from [A] -> [B], then disappeared ? Anything misconfigured or missed ? Thanks,HW This is the config on [B]:Loading conn 'tun1'
keyexchange=ikev2
rekeymargin=3m
authby=pubkey
keyingtries=1
mobike=no
leftsourceip=192.168.56.2/24
right=172.16.118.124
rightsubnet=192.168.56.1/24
leftid=C=te, CN=test
rightcert=segw.crt
ikelifetime=86400s
keylife=86400s
ike=aes-sha-modp2048
esp=aes-sha
auto=add tcpdump on [B] :14:30:10.930598 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65c), length 132
14:30:11.933938 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65d), length 132
14:30:12.934316 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65e), length 132
14:30:13.936215 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65f), length 132
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130114/1998949f/attachment.html>
More information about the Users
mailing list