[strongSwan] No udp encapsulation behind a NAT device?
Michael Schwartzkopff
ms at sys4.de
Tue Aug 4 10:25:35 CEST 2015
Hi,
I am trying to establish a VPN tunnel to the amazon VNC network. My VPN server
is behind a NAT device.
My config is:
config setup

conn default
    authby=secret
    mobike=no
    ike=aes128-sha1-modp1024!

conn kd1
    authby=secret
    right=54.239.63.A
    rightsubnet=172.29.X.0/26
    left=10.6.2.175
    leftsubnet=192.168.Y.0/24
    auto=start
    leftfirewall=yes

conn kd2
    authby=secret
    right=54.239.63.B
    rightsubnet=172.29.X.0/26
    left=10.6.2.175
    leftsubnet=192.168.Y.0/24
    auto=start
    leftfirewall=yes
VPN connection is established:
Connections:
         kd1:  10.6.2.175...54.239.63.A  IKEv1/2
         kd1:   local:  [10.6.2.175] uses pre-shared key authentication
         kd1:   remote: [54.239.63.A] uses pre-shared key authentication
         kd1:   child:  192.168.Y.0/24 === 172.29.X.0/26 TUNNEL
         kd2:  10.6.2.175...54.239.63.B  IKEv1/2
         kd2:   local:  [10.6.2.175] uses pre-shared key authentication
         kd2:   remote: [54.239.63.B] uses pre-shared key authentication
         kd2:   child:  192.168.Y.0/24 === 172.29.X.0/26 TUNNEL
Security Associations (2 up, 0 connecting):
         kd2[2]: ESTABLISHED 3 seconds ago, 10.6.2.175[10.6.2.175]...54.239.63.B[54.239.63.B]
         kd2[2]: IKEv2 SPIs: 5562844ae3a92a97_i* c32bcb77d7c624c0_r, pre-shared key reauthentication in 2 hours
         kd2[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
         kd1[1]: ESTABLISHED 3 seconds ago, 10.6.2.175[10.6.2.175]...54.239.63.A[54.239.63.A]
         kd1[1]: IKEv2 SPIs: 8f7ac1254782bba1_i* 77dabaf1fda87a2d_r, pre-shared key reauthentication in 2 hours
         kd1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
But when I ping a server on the other side, tcpdump shows my ESP packets
leaving my external interface. No UDP encapsulation happens. So NAT at the
next hop fails and no packets are sent over the internet.
If I configure forceencaps then the xfrm policy is not set up and the packets
are leaving in clear text.
Any ideas what might be wrong?
Kind regards,
Michael Schwartzkopff
--
sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
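A small diagnostic for the symptom described above, added here and not part of the original post or of strongSwan: it classifies outbound ESP traffic seen by tcpdump per peer as raw ESP (IP protocol 50, which a NAT on the path cannot translate) or UDP-encapsulated ESP on port 4500 (NAT-T). The sample tcpdump lines are constructed; the peer addresses keep the post's A/B placeholders and the SPIs are made up.

```python
import re
from collections import defaultdict

# Constructed sample of "tcpdump -n -i <ext-if>" output (not from the post).
# Peer A only shows raw ESP; peer B shows UDP-encapsulated ESP on port 4500.
SAMPLE_TCPDUMP = """\
10:30:01.000001 IP 10.6.2.175 > 54.239.63.A: ESP(spi=0x0c1d2e3f,seq=0x1), length 116
10:30:02.000002 IP 10.6.2.175 > 54.239.63.A: ESP(spi=0x0c1d2e3f,seq=0x2), length 116
10:30:03.000003 IP 10.6.2.175.4500 > 54.239.63.B.4500: UDP-encap: ESP(spi=0x4a5b6c7d,seq=0x1), length 116
10:30:04.000004 IP 10.6.2.175.500 > 54.239.63.B.500: isakmp: parent_sa ikev2_init[I]
"""

# Raw ESP: no ports on the addresses, "ESP(" directly after the destination.
RAW_ESP = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+)")
# NAT-T: both sides on UDP 4500 and tcpdump's "UDP-encap:" marker.
ENCAP_ESP = re.compile(
    r"IP (\S+)\.4500 > (\S+)\.4500: UDP-encap: ESP\(spi=0x([0-9a-f]+)")


def classify_esp(tcpdump_text):
    """Count outbound ESP per destination peer, split into raw and udp-encap."""
    counts = defaultdict(lambda: {"raw": 0, "udp-encap": 0})
    for line in tcpdump_text.splitlines():
        m = ENCAP_ESP.search(line)
        if m:
            counts[m.group(2)]["udp-encap"] += 1
            continue
        m = RAW_ESP.search(line)
        if m:
            counts[m.group(2)]["raw"] += 1
    # IKE (isakmp) and other traffic is ignored: only ESP tells us about NAT-T.
    return dict(counts)


def peers_without_nat_t(tcpdump_text):
    """Peers that only ever receive raw ESP; these tunnels will break behind a NAT."""
    return sorted(peer for peer, c in classify_esp(tcpdump_text).items()
                  if c["raw"] and not c["udp-encap"])


if __name__ == "__main__":
    for peer, c in classify_esp(SAMPLE_TCPDUMP).items():
        print(f"{peer}: raw={c['raw']} udp-encap={c['udp-encap']}")
    print("peers without NAT-T:", peers_without_nat_t(SAMPLE_TCPDUMP))
```

In practice feed it the output of tcpdump on the external interface while pinging across the tunnel; a peer listed by peers_without_nat_t() is exactly the case the post describes.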