[strongSwan] UDP encapsulated ESP detection and firewalling

Andreas Steffen andreas.steffen at strongswan.org
Fri Apr 1 09:03:47 CEST 2016 

Hi David,

ESP-in-UDP encapsulation *always* uses the IKE connection with
port 4500 or its NAT-ed equivalent for transmission. If you still
see DPD on the IKE port but an additional UDP stream with random
ports is used for ESP then something extremely weird is happening.
Do both endpoints run a Linux IPsec stack?

Best regards

Andreas

On 01.04.2016 07:52, David Nillesen wrote:
> I'm trying to create an iptables firewall rule to allow UDP encapsulated
> ESP packets to enter my server.
>
>
> In my config, client is NAT'd and server has a real IP.
>
>
> During the session setup, both sides detect that there is NAT and move
> to a conversation between port 4500 at both ends.
>
>
> The session establishes correctly, but then it looks like the actual UDP
> encapsulated payload (ESP? checking I have this correctly) moves to  a
> UDP stream between two random ports which gets blocked by my iptables
> firewall.
>
>
> The DPD continues to be on port 4500 and keeps working.
>
>
> I do have leftfirewall=yes on the server side, but it doesn't seem to
> set up a rule to deal with this.
>
>
> We also run a PaloAlto firewall and the packets just show up as
> unidentified UDP to it as well which cause it to get dropped.
>
>
> I'd like to avoid allowing all UDP into the server if possible.
>
>
> Any suggestions?
>
> For what it's worth, a normal IPSEC session works perfectly provided
> neither end uses NAT.
>
> Thanks,
> Dave
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4275 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160401/14096c6b/attachment.bin>

More information about the Users mailing list