[strongSwan] UDP encapsulated ESP detection and firewalling

David Nillesen dnillese at une.edu.au
Fri Apr 1 07:52:10 CEST 2016

I'm trying to create an iptables firewall rule to allow UDP encapsulated ESP packets to enter my server.

In my config, client is NAT'd and server has a real IP.

During the session setup, both sides detect that there is NAT and move to a conversation between port 4500 at both ends.

The session establishes correctly, but then it looks like the actual UDP encapsulated payload (ESP? checking I have this correctly) moves to a UDP stream between two random ports, which gets blocked by my iptables firewall.

The DPD continues to be on port 4500 and keeps working.

I do have leftfirewall=yes on the server side, but it doesn't seem to set up a rule to deal with this.

We also run a Palo Alto firewall, and the packets just show up as unidentified UDP to it as well, which causes them to get dropped.

I'd like to avoid allowing all UDP into the server if possible.

Any suggestions?

For what it's worth, a normal IPsec session works perfectly provided neither end uses NAT.
