[strongSwan] NAT-T UDP-encap ESP received, but no decrypted packets out

hongwei tseng hw.tseng at hotmail.com
Mon Jan 14 11:15:20 CET 2013



Hi Andreas,

Thanks for your quick reply. Actually, I tested the same config without NAT, and it works well. I dumped some info on my Linux [B]. I am not sure if it is caused by the "00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed" message while starting charon. (For a quick reproduction, I use psk auth.)

ip xfrm policy
src 192.168.56.3/32 dst 192.168.56.0/24 
 dir fwd priority 1827 ptype main 
 tmpl src 172.16.118.119 dst 172.16.118.124
  proto esp reqid 1 mode tunnel
src 192.168.56.3/32 dst 192.168.56.0/24 
 dir in priority 1827 ptype main 
 tmpl src 172.16.118.119 dst 172.16.118.124
  proto esp reqid 1 mode tunnel
src 192.168.56.0/24 dst 192.168.56.3/32 
 dir out priority 1827 ptype main 
 tmpl src 172.16.118.124 dst 172.16.118.119
  proto esp reqid 1 mode tunnel
[root at localhost ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.1, Linux 3.3.4-5.fc17.i686, i686):
  uptime: 108 seconds, since Jan 14 18:01:26 2013
  malloc: sbrk 135168, mmap 0, used 71600, free 63568
  worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des sha1 sha2 md5 x509 pem random nonce hmac stroke socket-default updown kernel-netlink kernel-pfkey openssl
Virtual IP pools (size/online/offline):
  192.168.56.2/24: 254/1/0
Listening IP addresses:
  172.16.118.124
Connections:
        tun1:  172.16.118.124...%any  IKEv2
        tun1:   local:  [172.16.118.124] uses pre-shared key authentication
        tun1:   remote: uses pre-shared key authentication
        tun1:   child:  192.168.56.0/24 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
        tun1[1]: ESTABLISHED 78 seconds ago, 172.16.118.124[172.16.118.124]...172.16.118.119[192.168.0.2]
        tun1[1]: IKEv2 SPIs: 4f8da8d36fc953b3_i 3ea89b4569e84f30_r*, pre-shared key reauthentication in 23 hours
        tun1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
        tun1{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c44fa932_i cca368ae_o
        tun1{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
        tun1{1}:   192.168.56.0/24 === 192.168.56.3/32
ipsec restart --nofork --debug-all
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.0.1 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
Loading config setup
Loading conn 'tun1'
  keyexchange=ikev2
  rekeymargin=3m
  authby=psk
  keyingtries=1
  mobike=no
  leftsourceip=192.168.56.2/24
  right=172.16.118.124
  rightsubnet=192.168.56.1/24
  ikelifetime=86400s
  keylife=86400s
  ike=aes128-sha1_160-modp2048
  esp=aes-sha1_160
  auto=add
found netkey IPsec stack
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.0.1, Linux 3.3.4-5.fc17.i686, i686)
00[LIB] plugin 'farp' failed to load: /usr/local/lib/ipsec/plugins/libstrongswan-farp.so: cannot open shared object file: No such file or directory
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
00[LIB] plugin 'farp' failed to load: /usr/local/lib/ipsec/plugins/libstrongswan-farp.so: cannot open shared object file: No such file or directory
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[LIB]   opening '/etc/ipsec.d/private/segw.key' failed: No such file or directory
00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 3 builders
00[CFG]   loading private key from '/etc/ipsec.d/private/segw.key' failed
00[CFG]   loaded IKE secret for 172.16.118.124 %any
00[DMN] loaded plugins: charon aes des sha1 sha2 md5 x509 pem random nonce hmac stroke socket-default updown kernel-netlink kernel-pfkey openssl
00[JOB] spawning 16 worker threads
charon (2148) started after 20 ms
12[CFG] received stroke: add connection 'tun1'
12[CFG] adding virtual IP address pool 192.168.56.2/24
12[CFG] added configuration 'tun1'
14[NET] received packet: from 172.16.118.119[500] to 172.16.118.124[500]
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14[IKE] 172.16.118.119 is initiating an IKE_SA
14[IKE] remote host is behind NAT
14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
14[NET] sending packet: from 172.16.118.124[500] to 172.16.118.119[500]
15[NET] received packet: from 172.16.118.119[4500] to 172.16.118.124[4500]
15[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH CP(ADDR) SA TSi TSr N(EAP_ONLY) ]
15[IKE] received 1 cert requests for an unknown ca
15[CFG] looking for peer configs matching 172.16.118.124[172.16.118.124]...172.16.118.119[192.168.0.2]
15[CFG] selected peer config 'tun1'
15[IKE] authentication of '192.168.0.2' with pre-shared key successful
15[IKE] authentication of '172.16.118.124' (myself) with pre-shared key
15[IKE] IKE_SA tun1[1] established between 172.16.118.124[172.16.118.124]...172.16.118.119[192.168.0.2]
15[IKE] scheduling reauthentication in 86111s
15[IKE] maximum IKE_SA lifetime 86291s
15[IKE] peer requested virtual IP %any
15[CFG] assigning new lease to '192.168.0.2'
15[IKE] assigning virtual IP 192.168.56.3 to peer '192.168.0.2'
15[IKE] CHILD_SA tun1{1} established with SPIs c44fa932_i cca368ae_o and TS 192.168.56.0/24 === 192.168.56.3/32 
15[ENC] generating IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) ]
15[NET] sending packet: from 172.16.118.124[4500] to 172.16.118.119[4500]
16[NET] received packet: from 172.16.118.119[4500] to 172.16.118.124[4500]
16[ENC] parsed INFORMATIONAL request 2 [ ]
16[ENC] generating INFORMATIONAL response 2 [ ]
16[NET] sending packet: from 172.16.118.124[4500] to 172.16.118.119[4500]
 > Date: Mon, 14 Jan 2013 10:17:58 +0100
> From: andreas.steffen at strongswan.org
> To: hw.tseng at hotmail.com
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan]  NAT-T UDP-encap ESP received, but no decrypted packets out
> 
> Hi,
> 
> Your virtual IP pool range must either be distinct from
> the leftsubnet 192.168.56.0/24, e.g.
> 
>    rightsourceip=192.168.57.0/24
> 
> or you can choose the virtual address pool as a subset
> of leftsubnet, e.g.
> 
>    rightsourceip=192.168.56.128/25
> 
> but then you must add the farp plugin to [B] which handles
> the ARP requests as a proxy for the virtual host [A].
> 
> Regards
> 
> Andreas
> 
> On 14.01.2013 08:50, hongwei tseng wrote:
> > I set up a scenario  [A]  - - -> [NAT] - - -> [B]
> > [A] fedora 17, strongswan 5.0.1, is behind a NAT router (ip 192.168.0.2)
> > [NAT] is a linux NAT router (ip 172.16.118.119)
> > [B] fedora 17, strongswan 5.0.1, offer virtual ip pool
> > 192.168.56.2/24 (ip 172.16.118.124)
> >
> > 1. ikev2 and ipsec tunnel were established successfully
> > 2. ping 192.168.56.1 [B] from 192.168.56.3[A]
> > 3. tcpdump on [B] can sniff UDP-encap ESP from [A] -> [B], then it
> > disappeared?
> >
> > Anything misconfigured or missed ?
> >
> > Thanks,
> > HW
> >
> > This is the config on [B]:
> > Loading conn 'tun1'
> >    keyexchange=ikev2
> >    rekeymargin=3m
> >    authby=pubkey
> >    keyingtries=1
> >    mobike=no
> >    leftsourceip=192.168.56.2/24
> >    right=172.16.118.124
> >    rightsubnet=192.168.56.1/24
> >    leftid=C=te, CN=test
> >    rightcert=segw.crt
> >    ikelifetime=86400s
> >    keylife=86400s
> >    ike=aes-sha-modp2048
> >    esp=aes-sha
> >    auto=add
> >
> > tcpdump on [B] :
> > 14:30:10.930598 IP 172.16.118.119.ipsec-nat-t >
> > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65c),
> > length 132
> > 14:30:11.933938 IP 172.16.118.119.ipsec-nat-t >
> > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65d),
> > length 132
> > 14:30:12.934316 IP 172.16.118.119.ipsec-nat-t >
> > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65e),
> > length 132
> > 14:30:13.936215 IP 172.16.118.119.ipsec-nat-t >
> > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65f),
> > length 132
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 
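The rule Andreas gives above (the virtual-IP pool must be either distinct from the protected subnet or a strict subset of it, the latter only with the farp plugin loaded) is easy to check before charon is started. The following script is an added example and is not part of this thread nor of strongSwan itself: it parses a `Loading conn` block as the starter prints it, pairs the pool option on one side with the subnet option on the other, and classifies the pair with the standard `ipaddress` module. The function names `classify_pool`, `parse_conn` and `check_conn` are my own, and the sample conn block is constructed from the report's configuration.

```python
import ipaddress
from typing import Dict, List, Tuple

# A pool on one side is handed out to peers that must reach the subnet on
# the other side, so these are the option pairs worth comparing.
POOL_SUBNET_PAIRS = (("leftsourceip", "rightsubnet"),
                     ("rightsourceip", "leftsubnet"))

# Verdicts follow the advice given in the thread.
ADVICE = {
    "distinct": "ok: pool lies outside the subnet, plain routing suffices",
    "subset": "pool lies inside the subnet: load the farp plugin on the gateway "
              "so it answers ARP for the virtual hosts",
    "identical": "invalid: pool equals the subnet; use a distinct range or a "
                 "strict subset of it",
    "overlap": "invalid: pool partially overlaps the subnet; use a distinct "
               "range or a strict subset of it",
}


def classify_pool(pool: str, subnet: str) -> str:
    """Compare a virtual-IP pool (CIDR) with the protected subnet (CIDR).

    Host bits are ignored, as strongSwan does, so 192.168.56.2/24 denotes
    the same pool as 192.168.56.0/24.
    """
    pool_net = ipaddress.ip_network(pool, strict=False)
    sub_net = ipaddress.ip_network(subnet, strict=False)
    if pool_net == sub_net:
        return "identical"
    if pool_net.subnet_of(sub_net):
        return "subset"
    if pool_net.overlaps(sub_net):
        return "overlap"
    return "distinct"


def parse_conn(lines: List[str]) -> Dict[str, str]:
    """Collect key=value options from a 'Loading conn' block as starter prints it."""
    opts: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if "=" not in line or line.startswith("Loading"):
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def check_conn(lines: List[str]) -> List[Tuple[str, str, str, str, str]]:
    """Return (pool_key, pool, subnet_key, subnet, verdict) for every pair present."""
    opts = parse_conn(lines)
    findings = []
    for pool_key, subnet_key in POOL_SUBNET_PAIRS:
        if pool_key not in opts or subnet_key not in opts:
            continue
        pool, subnet = opts[pool_key], opts[subnet_key]
        try:
            verdict = classify_pool(pool, subnet)
        except (ValueError, TypeError):
            # %config, a single address, an address range or a named pool
            # (or an IPv4/IPv6 mismatch): nothing to compare as CIDR.
            verdict = "not-a-cidr-pool"
        findings.append((pool_key, pool, subnet_key, subnet, verdict))
    return findings


# Constructed sample: the relevant lines of the conn block from the report.
SAMPLE_CONN = """\
Loading conn 'tun1'
  keyexchange=ikev2
  leftsourceip=192.168.56.2/24
  right=172.16.118.124
  rightsubnet=192.168.56.1/24
  auto=add
""".splitlines()

if __name__ == "__main__":
    for pool_key, pool, subnet_key, subnet, verdict in check_conn(SAMPLE_CONN):
        print(f"{pool_key}={pool} vs {subnet_key}={subnet}: {verdict}")
        print("  " + ADVICE.get(verdict, "no CIDR pool to compare"))
```

Run against the reported configuration it flags the pool as identical to the subnet, which is the invalid case; Andreas's two alternatives, 192.168.57.0/24 and 192.168.56.128/25, come back as "distinct" and "subset" respectively, the second one reminding you to load farp on the gateway.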
 		 	   		  