[strongSwan] NAT-T UDP-encap ESP received, but no decrypted packets out

hongwei tseng hw.tseng at hotmail.com
Mon Jan 14 08:50:14 CET 2013





I set up a scenario:

  [A]  - - -> [NAT] - - -> [B]

[A] fedora 17, strongswan 5.0.1, is behind a NAT router (ip 192.168.0.2)
[NAT] is a linux NAT router (ip 172.16.118.119)
[B] fedora 17, strongswan 5.0.1, offers virtual ip pool 192.168.56.2/24 (ip 172.16.118.124)

1. ikev2 and ipsec tunnel were established successfully
2. ping 192.168.56.1 [B] from 192.168.56.3 [A]
3. tcpdump on [B] can sniff UDP-encap ESP from [A] -> [B], then disappeared?

Anything misconfigured or missed?

Thanks,
HW

This is the config on [B]:

Loading conn 'tun1'
  keyexchange=ikev2
  rekeymargin=3m
  authby=pubkey
  keyingtries=1
  mobike=no
  leftsourceip=192.168.56.2/24
  right=172.16.118.124
  rightsubnet=192.168.56.1/24
  leftid=C=te, CN=test
  rightcert=segw.crt
  ikelifetime=86400s
  keylife=86400s
  ike=aes-sha-modp2048
  esp=aes-sha
  auto=add

tcpdump on [B]:

14:30:10.930598 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65c), length 132
14:30:11.933938 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65d), length 132
14:30:12.934316 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65e), length 132
14:30:13.936215 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65f), length 132