[strongSwan] More NAT troubles

Will Wykeham will at wykeham.net
Fri Mar 14 16:35:58 CET 2014


After you were all so helpful last time, I have another query. As a variant
on the previous system, I have a fairly simple NAT based network setup I'm
trying to get working:


      +------+                      +--------+               +----+
      |      |                      |        |    + ..... +  |    |
      |  A   +----------------------+   B    +----+       +--+  C |
      |      |                      |        |               |    |
      +------+                      +--------+               +----+
          10.65.112.69      10.65.112.70   10.1.20.14      10.1.40.1

A - VPN client (connection initiator). On a private network with B. Linux
machine under my control.
B - Routing box. Has an interface on the private network, and a 3G (PPP)
interface to the outside world. Performs NAT for private connections (-j
MASQUERADE). Linux machine under my control.
C - Remote gateway. VPN connection responder. A Cisco 2900 (not under my
direct control but configuration changes can be made on request).

The configuration I have on A is:
left=%any
leftfirewall=yes
right=10.1.40.1
rightsubnet=10.31.21.0/24
auto=add

Authentication is with Pre-shared keys.

When I attempt the connection I see the ikev2_init[I] going out and coming
back [R], all Port 500.
It detects the NAT and then sends the ikev2_auth[I] on Port 4500, that
makes it out, and on B I see the ikev2_auth[R] coming back. This has a
destination Port of 4500, but a source port of 500. The MASQUERADE rule
seems to not like this, and so drops the packet. I added an extra DNAT rule
to make sure it got through, and I can then see it arriving at A.
Strongswan on A appears to completely ignore this packet and resends the
ikev2_auth[I].

Is that source port of 500 actually something strange, or is it one of those
things that happens? Is that the reason that strongSwan is ignoring the
response, or is something else going on that I haven't found yet?

I've attached a TCP dump from B of that process happening. It shows data on
both interfaces so you can see the NAT in effect.

Thanks in advance,
Will
-------------- next part --------------
15:14:25.860947 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 660)
    10.1.20.14.500 > 10.1.40.1.500: [udp sum ok] isakmp 2.0 msgid 00000000 cookie b2362d68fbe42f37->0000000000000000: parent_sa ikev2_init[I]:
    (sa: len=404
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0100))
            (t: #2 type=integ id=hmac-sha )
            (t: #3 type=prf id=hmac-sha )
            (t: #4 type=dh id=#20 ))
        (p: #2 protoid=isakmp transform=38 len=360
            (t: #1 type=encr id=aes (type=keylen value=0080))
            (t: #2 type=encr id=aes (type=keylen value=00c0))
            (t: #3 type=encr id=aes (type=keylen value=0100))
            (t: #4 type=encr id=3des )
            (t: #5 type=encr id=#23 (type=keylen value=0080))
            (t: #6 type=encr id=#23 (type=keylen value=00c0))
            (t: #7 type=encr id=#23 (type=keylen value=0100))
            (t: #8 type=encr id=#13 (type=keylen value=0080))
            (t: #9 type=encr id=#13 (type=keylen value=00c0))
            (t: #10 type=encr id=#13 (type=keylen value=0100))
            (t: #11 type=encr id=#24 (type=keylen value=0080))
            (t: #12 type=encr id=#24 (type=keylen value=00c0))
            (t: #13 type=encr id=#24 (type=keylen value=0100))
            (t: #14 type=integ id=aes-xcbc )
            (t: #15 type=integ id=hmac-sha )
            (t: #16 type=integ id=#12 )
            (t: #17 type=integ id=hmac-md5 )
            (t: #18 type=integ id=#13 )
            (t: #19 type=integ id=#14 )
            (t: #20 type=prf id=aes128_xcbc )
            (t: #21 type=prf id=hmac-sha )
            (t: #22 type=prf id=#5 )
            (t: #23 type=prf id=hmac-md5 )
            (t: #24 type=prf id=#6 )
            (t: #25 type=prf id=#7 )
            (t: #26 type=dh id=modp2048 )
            (t: #27 type=dh id=#23 )
            (t: #28 type=dh id=#24 )
            (t: #29 type=dh id=modp1536 )
            (t: #30 type=dh id=#19 )
            (t: #31 type=dh id=#20 )
            (t: #32 type=dh id=#21 )
            (t: #33 type=dh id=#26 )
            (t: #34 type=dh id=#25 )
            (t: #35 type=dh id=modp4096 )
            (t: #36 type=dh id=modp8192 )
            (t: #37 type=dh id=modp1024 )
            (t: #38 type=dh id=#22 )))
    (v2ke: len=96 group=#20)
    (nonce: len=32 nonce=(5d8eab2dbe298603cae04fe1d1b8affc8c44e10dedab97f6f068b48e6299d2fd) )
    (n: prot_id=#0 type=16388(nat_detection_source_ip))
    (n: prot_id=#0 type=16389(nat_detection_destination_ip))
15:14:26.870687 IP (tos 0xc0, ttl 254, id 50917, offset 0, flags [none], proto UDP (17), length 445)
    10.1.40.1.500 > 10.1.20.14.500: [udp sum ok] isakmp 2.0 msgid 00000000 cookie b2362d68fbe42f37->26271e9c71101ddf: parent_sa ikev2_init[R]:
    (sa: len=44
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0100))
            (t: #2 type=prf id=hmac-sha )
            (t: #3 type=integ id=hmac-sha )
            (t: #4 type=dh id=#20 )))
    (v2ke: len=96 group=#20)
    (nonce: len=20 nonce=(8cc80ee3612ce277ce44e01cc67a54834c0dd987) )
    (v2vid: len=19 vid=CISCO-DELETE-REASON)
    (v2vid: len=17 vid=FLEXVPN-SUPPORTED)
    (n: prot_id=isakmp type=16388(nat_detection_source_ip))
    (n: prot_id=isakmp type=16389(nat_detection_destination_ip))
    (v2cr: len=101)
    (n: prot_id=isakmp type=16392(http_cert_lookup_supported))
15:14:26.870763 IP (tos 0xc0, ttl 253, id 50917, offset 0, flags [none], proto UDP (17), length 445)
    10.1.40.1.500 > 10.65.112.69.500: [udp sum ok] isakmp 2.0 msgid 00000000 cookie b2362d68fbe42f37->26271e9c71101ddf: parent_sa ikev2_init[R]:
    (sa: len=44
        (p: #1 protoid=isakmp transform=4 len=44
            (t: #1 type=encr id=aes (type=keylen value=0100))
            (t: #2 type=prf id=hmac-sha )
            (t: #3 type=integ id=hmac-sha )
            (t: #4 type=dh id=#20 )))
    (v2ke: len=96 group=#20)
    (nonce: len=20 nonce=(8cc80ee3612ce277ce44e01cc67a54834c0dd987) )
    (v2vid: len=19 vid=CISCO-DELETE-REASON)
    (v2vid: len=17 vid=FLEXVPN-SUPPORTED)
    (n: prot_id=isakmp type=16388(nat_detection_source_ip))
    (n: prot_id=isakmp type=16389(nat_detection_destination_ip))
    (v2cr: len=101)
    (n: prot_id=isakmp type=16392(http_cert_lookup_supported))
15:14:26.948693 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    10.65.112.69.4500 > 10.1.40.1.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000001 cookie b2362d68fbe42f37->26271e9c71101ddf: child_sa  ikev2_auth[I]:
    (v2e: len=316)
15:14:26.948754 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    10.1.20.14.4500 > 10.1.40.1.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000001 cookie b2362d68fbe42f37->26271e9c71101ddf: child_sa  ikev2_auth[I]:
    (v2e: len=316)
15:14:27.110406 IP (tos 0xc0, ttl 254, id 50919, offset 0, flags [none], proto UDP (17), length 104)
    10.1.40.1.500 > 10.1.20.14.4500: [udp sum ok] isakmp 2.0 msgid 00000001 cookie b2362d68fbe42f37->26271e9c71101ddf: child_sa  ikev2_auth[R]:
    (v2e: len=44)
15:14:27.110486 IP (tos 0xc0, ttl 253, id 50919, offset 0, flags [none], proto UDP (17), length 104)
    10.1.40.1.500 > 10.65.112.69.4500: [udp sum ok] isakmp 2.0 msgid 00000001 cookie b2362d68fbe42f37->26271e9c71101ddf: child_sa  ikev2_auth[R]:
    (v2e: len=44)
15:14:27.690978 IP (tos 0x0, ttl 128, id 7862, offset 0, flags [none], proto UDP (17), length 78)
    10.65.121.4.137 > 10.65.123.255.137: [udp sum ok]
15:14:30.950195 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    10.65.112.69.4500 > 10.1.40.1.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000001 cookie b2362d68fbe42f37->26271e9c71101ddf: child_sa  ikev2_auth[I]:
    (v2e: len=316)
15:14:30.950260 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    10.1.20.14.4500 > 10.1.40.1.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000001 cookie b2362d68fbe42f37->26271e9c71101ddf: child_sa  ikev2_auth[I]:
    (v2e: len=316)
15:14:31.130160 IP (tos 0xc0, ttl 254, id 50950, offset 0, flags [none], proto UDP (17), length 104)
    10.1.40.1.500 > 10.1.20.14.4500: [udp sum ok] isakmp 2.0 msgid 00000001 cookie b2362d68fbe42f37->26271e9c71101ddf: child_sa  ikev2_auth[R]:
    (v2e: len=44)
15:14:31.130221 IP (tos 0xc0, ttl 253, id 50950, offset 0, flags [none], proto UDP (17), length 104)
    10.1.40.1.500 > 10.65.112.69.4500: [udp sum ok] isakmp 2.0 msgid 00000001 cookie b2362d68fbe42f37->26271e9c71101ddf: child_sa  ikev2_auth[R]:
    (v2e: len=44)
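As an added diagnostic example (not part of the original post, and not strongSwan or Cisco code), the following Python script replays the outer-interface lines of the trace above through two checks a practitioner would want when a NAT-T handshake stalls. The first is a minimal model of the NAT box's UDP connection-tracking table, on the assumption (true for Linux conntrack, which MASQUERADE relies on) that an inbound packet is treated as a reply only when its 4-tuple is the exact inverse of an existing outbound entry. The second checks the IKEv2 NAT traversal rules: once an exchange has moved to UDP 4500, both peers are expected to send from and to port 4500 (RFC 7296 section 2.23), and IKE packets on 4500 carry a 4-byte zero "non-ESP marker" so the receiver can tell them apart from UDP-encapsulated ESP (RFC 3948 section 2.2); tcpdump prints that marker as NONESP-encap. The sample input is copied from the trace in the post (the lines seen on B's 3G side, plus the NetBIOS broadcast to show that non-IKE lines are skipped); the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Lines copied from the tcpdump -v output in the post (B's outer interface view).
SAMPLE_TRACE = """\
15:14:25.860947 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 660)
    10.1.20.14.500 > 10.1.40.1.500: [udp sum ok] isakmp 2.0 msgid 00000000 cookie b2362d68fbe42f37->0000000000000000: parent_sa ikev2_init[I]:
15:14:26.870687 IP (tos 0xc0, ttl 254, id 50917, offset 0, flags [none], proto UDP (17), length 445)
    10.1.40.1.500 > 10.1.20.14.500: [udp sum ok] isakmp 2.0 msgid 00000000 cookie b2362d68fbe42f37->26271e9c71101ddf: parent_sa ikev2_init[R]:
15:14:26.948754 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 380)
    10.1.20.14.4500 > 10.1.40.1.4500: [udp sum ok] NONESP-encap: isakmp 2.0 msgid 00000001 cookie b2362d68fbe42f37->26271e9c71101ddf: child_sa  ikev2_auth[I]:
15:14:27.110406 IP (tos 0xc0, ttl 254, id 50919, offset 0, flags [none], proto UDP (17), length 104)
    10.1.40.1.500 > 10.1.20.14.4500: [udp sum ok] isakmp 2.0 msgid 00000001 cookie b2362d68fbe42f37->26271e9c71101ddf: child_sa  ikev2_auth[R]:
15:14:27.690978 IP (tos 0x0, ttl 128, id 7862, offset 0, flags [none], proto UDP (17), length 78)
    10.65.121.4.137 > 10.65.123.255.137: [udp sum ok]
"""

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)")
ADDR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")
EXCH_RE = re.compile(r"(ikev2_\w+)\[([IR])\]")


@dataclass
class IkePacket:          # hypothetical helper type, not a strongSwan structure
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    exchange: str         # e.g. "ikev2_init" or "ikev2_auth"
    role: str             # "I" (request) or "R" (response)
    nonesp_marker: bool   # tcpdump printed "NONESP-encap"


def parse_trace(text):
    """Parse tcpdump -v output (timestamp line followed by an indented
    address line, or both on one line) into IkePacket records; non-IKE
    packets such as the NetBIOS broadcast are skipped."""
    packets, ts = [], "?"
    for line in text.splitlines():
        m_ts = TS_RE.match(line)
        if m_ts:
            ts = m_ts.group(1)
        m = ADDR_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        ex = EXCH_RE.search(rest)
        if not ex:
            continue
        packets.append(IkePacket(ts, src, int(sport), dst, int(dport),
                                 ex.group(1), ex.group(2), "NONESP-encap" in rest))
    return packets


def unmatched_replies(packets, local_addrs):
    """Model the NAT box's UDP conntrack table: outbound packets (source is
    one of the NAT box's own outer addresses) create an entry; an inbound
    packet is a reply only if it inverts an existing entry exactly."""
    table, unmatched = set(), []
    for p in packets:
        if p.src in local_addrs:
            table.add((p.src, p.sport, p.dst, p.dport))
        elif (p.dst, p.dport, p.src, p.sport) not in table:
            unmatched.append(p)
    return unmatched


def natt_violations(packets):
    """Flag packets that break the IKEv2 NAT-T port and marker rules."""
    issues = []
    for p in packets:
        if 4500 not in (p.sport, p.dport):
            continue
        if p.sport != p.dport:
            issues.append((p.ts, f"{p.exchange}[{p.role}] sent {p.sport} -> {p.dport}: "
                                 "after moving to 4500 both peers must use 4500 (RFC 7296 2.23)"))
        if not p.nonesp_marker:
            issues.append((p.ts, f"{p.exchange}[{p.role}] on port 4500 has no non-ESP marker "
                                 "(RFC 3948 2.2)"))
    return issues


if __name__ == "__main__":
    pkts = parse_trace(SAMPLE_TRACE)
    for p in unmatched_replies(pkts, {"10.1.20.14"}):
        print(f"{p.ts} no conntrack entry for reply {p.src}:{p.sport} -> {p.dst}:{p.dport}")
    for ts, why in natt_violations(pkts):
        print(f"{ts} {why}")
```

Run against the trace, both checks single out the same packet, the ikev2_auth[R] at 15:14:27.110406 from 10.1.40.1:500 to port 4500: it inverts no outbound entry (which is why MASQUERADE cannot un-NAT it and a hand-written DNAT rule was needed), it uses port 500 after the exchange moved to 4500, and it lacks the non-ESP marker. All three point at the responder's handling of the port switch rather than at the NAT box or the initiator, so the responder side of the configuration is where to look first.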

