[strongSwan] NAT-T UDP-encap ESP received, but no decrypted packets out
Andreas Steffen
andreas.steffen at strongswan.org
Mon Jan 14 10:17:58 CET 2013
Hi,

Your virtual IP pool range must either be distinct from
the leftsubnet 192.168.56.0/24, e.g.

  rightsourceip=192.168.57.0/24

or you can choose the virtual address pool as a subset
of leftsubnet, e.g.

  rightsourceip=192.168.56.128/25

but then you must add the farp plugin to [B] which handles
the ARP requests as a proxy for the virtual host [A].

Regards

Andreas

On 14.01.2013 08:50, hongwei tseng wrote:
> I set up a scenario [A] - - -> [NAT] - - -> [B]
> [A] fedora 17, strongswan 5.0.1, is behind a NAT router (ip 192.168.0.2)
> [NAT] is a linux NAT router (ip 172.16.118.119)
> [B] fedora 17, strongswan 5.0.1, offer virtual ip pool
> 192.168.56.2/24 (ip 172.16.118.124)
>
> 1. ikev2 and ipsec tunnel were established successfully
> 2. ping 192.168.56.1 [B] from 192.168.56.3[A]
> 3. tcpdump on [B] can sniff UDP-encap ESP from [A] -> [B], then
> it disappeared?
>
> Anything misconfigured or missed ?
>
> Thanks,
> HW
>
> This is the config on [B]:
> Loading conn 'tun1'
> keyexchange=ikev2
> rekeymargin=3m
> authby=pubkey
> keyingtries=1
> mobike=no
> leftsourceip=192.168.56.2/24
> right=172.16.118.124
> rightsubnet=192.168.56.1/24
> leftid=C=te, CN=test
> rightcert=segw.crt
> ikelifetime=86400s
> keylife=86400s
> ike=aes-sha-modp2048
> esp=aes-sha
> auto=add
>
> tcpdump on [B] :
> 14:30:10.930598 IP 172.16.118.119.ipsec-nat-t >
> 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65c),
> length 132
> 14:30:11.933938 IP 172.16.118.119.ipsec-nat-t >
> 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65d),
> length 132
> 14:30:12.934316 IP 172.16.118.119.ipsec-nat-t >
> 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65e),
> length 132
> 14:30:13.936215 IP 172.16.118.119.ipsec-nat-t >
> 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65f),
> length 132
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
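
The rule in the reply above can be checked mechanically before a tunnel is brought up. The following is an added example, not part of the original mail or of strongSwan: `parse_conn` and `check_pool` are hypothetical helpers, the conn blocks are constructed from the addresses in the thread, `rightsourceip` is assumed to be a single CIDR range, and the set of loaded plugins is assumed to be supplied by the caller.

```python
import ipaddress

# Constructed conn blocks for gateway [B], using the addresses from the thread.
REPORTED = "conn tun1\n  leftsubnet=192.168.56.0/24\n  rightsourceip=192.168.56.2/24\n"
DISTINCT = "conn tun1\n  leftsubnet=192.168.56.0/24\n  rightsourceip=192.168.57.0/24\n"
SUBSET = "conn tun1\n  leftsubnet=192.168.56.0/24\n  rightsourceip=192.168.56.128/25\n"


def parse_conn(text):
    """Collect key=value options from one ipsec.conf conn block."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def check_pool(conn_text, loaded_plugins=()):
    """Classify rightsourceip against leftsubnet; returns (relation, ok, advice)."""
    opts = parse_conn(conn_text)
    # strict=False accepts host-style values such as 192.168.56.2/24
    subnet = ipaddress.ip_network(opts["leftsubnet"], strict=False)
    pool = ipaddress.ip_network(opts["rightsourceip"], strict=False)

    if not pool.overlaps(subnet):
        return ("distinct", True, "pool lies outside leftsubnet")
    # Assumption of this example: an identical range counts as a subset.
    if pool.subnet_of(subnet):
        if "farp" in loaded_plugins:
            return ("subset", True, "farp proxies ARP for the virtual IPs")
        return ("subset", False,
                "load the farp plugin or move the pool out of leftsubnet")
    return ("overlap", False,
            "pool must be distinct from leftsubnet or lie inside it")


if __name__ == "__main__":
    print("reported:", check_pool(REPORTED))
    print("distinct:", check_pool(DISTINCT))
    print("subset + farp:", check_pool(SUBSET, {"farp"}))
```
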