[strongSwan] No udp encapsulation behind a NAT device?

Michael Schwartzkopff ms at sys4.de
Tue Aug 4 15:28:19 CEST 2015


On Tuesday, 4 August 2015, 10:36:21, Tobias Brunner wrote:
> Hi Michael,
> 
> > VPN connection is established:
> There are no CHILD_SAs listed there.  Only IKE_SAs.  Could you send the
> logs of when the SAs are established (including the initial messages
> where the NAT is detected).  What strongSwan version(s) are you using?

Yes. You are right. Now a child SA is established:

Security Associations (1 up, 0 connecting):
         kd1[1]: ESTABLISHED 2 seconds ago, 10.6.X.175[10.6.2.175]...54.239.X.154[54.239.X.154]
         kd1[1]: IKEv2 SPIs: 6f060978fe1fac20_i* 2e96922093bddd64_r, pre-shared key reauthentication in 2 hours
         kd1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
         kd1{1}:  INSTALLED, TUNNEL, ESP SPIs: ce25f62c_i e5046162_o
         kd1{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 46 minutes
         kd1{1}:   192.168.X.0/24 === 172.29.X.0/26

I am using 5.1.2-0ubuntu2.3.

The output during the Tunnel establishment is:

initiating IKE_SA kd1[1] to 54.239.x.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.6.x.175[500] to 54.239.x.154[500] (1084 bytes)
received packet: from 54.239.x.154[500] to 10.6.x.175[500] (248 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No ]
no IDi configured, fall back on IP address
authentication of '10.6.x.175' (myself) with pre-shared key
establishing CHILD_SA kd1
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 10.6.x.175[500] to 54.239.x.154[500] (364 bytes)
received packet: from 54.239.x.154[500] to 10.6.x.175[500] (204 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of '54.239.x.154' with pre-shared key successful
IKE_SA kd1[1] established between 10.6.x.175[10.6.x.175]...54.239.x.154[54.239.x.154]
scheduling reauthentication in 9771s
maximum IKE_SA lifetime 10311s
CHILD_SA kd1{1} established with SPIs cec2fc9e_i 67a2c2fc_o and TS 192.168.x.0/24 === 172.29.x.0/26
connection 'kd1' established successfully

Besides the N(NATD_S_IP) and N(NATD_D_IP) in the first packet, I do not see anything about NAT.

So it seems the other VPN endpoint does not support NATed connections?

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München (Munich district court): HRB 199263
Board of directors: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
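The log above is diagnostic because of what is missing: the initiator advertises NAT detection with N(NATD_S_IP)/N(NATD_D_IP) in the IKE_SA_INIT request, the responder returns neither, and every subsequent packet stays on UDP 500 instead of floating to 4500. The following is an added example (not code from the post or from strongSwan) that reads charon log lines of this shape and states which of three situations they show: the peer ignored NAT detection, NAT detection completed and a NAT was found (exchange moved to 4500, ESP will be UDP-encapsulated), or NAT detection completed with no NAT in the path. It also computes the digest carried in the NAT_DETECTION_*_IP notifies per RFC 7296 section 2.23, so the payload contents are concrete. The two log samples are constructed; the masked octets from the post are replaced with made-up addresses, and the second sample is an invented contrasting run.

```python
"""Classify strongSwan charon logs by what they show about IKEv2 NAT detection
and compute the RFC 7296 section 2.23 NAT_DETECTION_*_IP digest.
Added example; not part of strongSwan or of the original mailing-list post."""
import hashlib
import ipaddress
import re
import struct

# Constructed sample modelled on the post's log. Masked octets replaced with
# made-up values (10.6.0.175 / 54.239.0.154). Peer answers without NAT-D notifies.
LOG_PEER_IGNORES_NATD = """\
initiating IKE_SA kd1[1] to 54.239.0.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.6.0.175[500] to 54.239.0.154[500] (1084 bytes)
received packet: from 54.239.0.154[500] to 10.6.0.175[500] (248 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No ]
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 10.6.0.175[500] to 54.239.0.154[500] (364 bytes)
"""

# Constructed contrast (invented addresses): the peer returns the NAT-D notifies,
# a NAT is detected, and the initiator floats the exchange to UDP 4500.
LOG_NAT_DETECTED = """\
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.20[500] to 203.0.113.5[500] (1084 bytes)
received packet: from 203.0.113.5[500] to 192.168.1.20[500] (300 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr ]
sending packet: from 192.168.1.20[4500] to 203.0.113.5[4500] (364 bytes)
"""

# "generating ... request" is what we sent, "parsed ... response" what the peer sent.
INIT_RE = re.compile(r"(?:generating|parsed) IKE_SA_INIT (request|response) \d+ \[ (.*?) \]")
SEND_RE = re.compile(r"sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")
NATD_NOTIFIES = ("N(NATD_S_IP)", "N(NATD_D_IP)")  # charon's short names for NAT_DETECTION_SOURCE/DESTINATION_IP


def analyze_nat_traversal(log_text):
    """Return what the IKE_SA_INIT exchange and later port usage say about NAT-T."""
    natd_seen = {}   # "request" / "response" -> both NAT-D notifies present?
    sent_ports = []  # (src_port, dst_port) of every packet we sent, in order
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            payloads = m.group(2).split()
            natd_seen[m.group(1)] = all(n in payloads for n in NATD_NOTIFIES)
        m = SEND_RE.search(line)
        if m:
            sent_ports.append((int(m.group(1)), int(m.group(2))))

    initiator_natd = natd_seen.get("request", False)
    responder_natd = natd_seen.get("response", False)
    floated = (4500, 4500) in sent_ports  # RFC 7296: after NAT is detected, both move to 4500

    if not initiator_natd:
        verdict = "initiator did not send NAT detection payloads"
    elif not responder_natd:
        # Exactly the situation in the post: detection cannot complete without the
        # peer's hashes, so NAT traversal / UDP encapsulation is never negotiated.
        verdict = "responder ignored NAT detection; NAT-T/UDP encapsulation not negotiated"
    elif floated:
        verdict = "NAT detected; IKE floated to UDP 4500, ESP will be UDP-encapsulated"
    else:
        verdict = "NAT detection completed, no NAT in the path; plain ESP, IKE on UDP 500"
    return {"initiator_natd": initiator_natd, "responder_natd": responder_natd,
            "floated_to_4500": floated, "verdict": verdict}


def nat_detection_digest(spi_i, spi_r, ip, port):
    """SHA-1(SPIi || SPIr || IP || port), the data of a NAT_DETECTION_*_IP notify.
    In the IKE_SA_INIT request SPIr is still zero. IP is 4 or 16 bytes, port 2."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(struct.pack(">QQ", spi_i, spi_r) + addr + struct.pack(">H", port)).digest()


def nat_in_path(claimed_digest, observed_src_ip, observed_src_port, spi_i, spi_r):
    """A responder recomputes the digest over the source address/port it actually saw;
    a mismatch with the initiator's NATD_S_IP means a NAT rewrote the packet."""
    return claimed_digest != nat_detection_digest(spi_i, spi_r, observed_src_ip, observed_src_port)


if __name__ == "__main__":
    for name, log in (("post", LOG_PEER_IGNORES_NATD), ("contrast", LOG_NAT_DETECTED)):
        print(name, analyze_nat_traversal(log)["verdict"])
    spi_i = 0x6F060978FE1FAC20  # initiator SPI from the post; SPIr is 0 in the first message
    claim = nat_detection_digest(spi_i, 0, "10.6.0.175", 500)
    # Address the peer would see if a NAT rewrote the packet (made-up public address).
    print("NAT in path:", nat_in_path(claim, "198.51.100.7", 500, spi_i, 0))
```

The usable check on a real box is the same as the function's: look at the parsed IKE_SA_INIT response for N(NATD_S_IP)/N(NATD_D_IP) and at whether "sending packet" lines move to port 4500 afterwards. If the response lacks the notifies, the remote end has not enabled or does not support NAT traversal, and no setting on the initiator can make it UDP-encapsulate ESP. The "no NAT" branch assumes default settings; forceencaps=yes on the initiator would also float to 4500 without a NAT in the path.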