[strongSwan] S2S vpn between strongswan and openbsd with NAT-T doesn't work

Mews, Flavius Flavius.Mews at voith.com
Wed Nov 8 15:25:58 CET 2017


Hello,

I have an issue with strongswan and an openbsd S2S VPN with NAT between the two endpoints. I have this
issue in the live environment, so I installed a test environment under VirtualBox. I was able to reproduce this issue.
The VPN connection is shown as established but the tunnel is not installed as "ESP in UDP", although the negotiation
goes over port 4500 and NAT was detected. If I disable NAT in the gateway the VPN works well.
The OpenBSD box sends out UDP encap packets (if I do a ping from OpenBSD to the ubuntu-server like: ping -I 192.168.222.254 192.168.1.16). The packets reach
the ubuntu-server but then I see no reply. I think this is because the tunnel isn't established in UDP encap mode. I attached tcpdump captures from both machines.
Does anyone know where the failure is? Is it a config failure?
Thanks in advance.
Flavius

Here is my setup:
192.168.1.0/24===ubuntu-server 16.04.3 LTS [VPN Endpoint: IP 10.0.0.16] ======= [NAT-Address to ubuntu server 10.0.0.100] NAT-GW-(OpenBSD 6.1) ===== [VPN Endpoint: IP 10.0.0.16] OpenBSD 6.1===192.168.222.0/24

===============<===============================<=============================< VPN is initiated from OpenBSD Box to ubuntu server<=======================================================<



**********************************************************************************************************
ubuntu-server:
runs with 
root at ubuntu-vpn-gw:~# ipsec version
Linux strongSwan U5.3.5/K4.4.0-87-generic

ipsec.conf:
root at ubuntu-vpn-gw:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # strictcrlpolicy=yes
        uniqueids = yes
        charondebug = "ike 3, esp 3, cfg 3, enc 1, lib 2, mgr 3, net 3"

		include /etc/ipsec.d/connections/

connection voith-openbsdapu:
root at ubuntu-vpn-gw:~# cat /etc/ipsec.d/connections/voith-openbsdapu.conf
conn voith-openbsdapu
        type=tunnel
        authby=secret
        auto=add
        aggressive=no
        left=10.0.0.16
        leftsendcert=never
        leftsubnet=192.168.1.0/24
        keyexchange=ikev1
        ikelifetime=8h
        keylife=1h
        right=%any
        rightsubnet=192.168.222.0/24
        ike=aes256-sha2_256-modp1536!
        esp=aes256-sha2_256!
root at ubuntu-vpn-gw:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic, x86_64):
  uptime: 29 minutes, since Nov 08 13:42:12 2017
  malloc: sbrk 1486848, mmap 0, used 344048, free 1142800
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  192.168.1.16
  10.0.0.16
  192.168.56.100
Connections:
voith-openbsdapu:  10.0.0.16...%any  IKEv1
voith-openbsdapu:   local:  [10.0.0.16] uses pre-shared key authentication
voith-openbsdapu:   remote: uses pre-shared key authentication
voith-openbsdapu:   child:  192.168.1.0/24 === 192.168.222.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
voith-openbsdapu[1]: ESTABLISHED 29 minutes ago, 10.0.0.16[10.0.0.16]...10.0.0.100[OpenBSD61-VM-4.my.domain]
voith-openbsdapu[1]: IKEv1 SPIs: 39ffa08de8e70bf9_i 1e9d80f29e97d882_r*, pre-shared key reauthentication in 7 hours
voith-openbsdapu[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
voith-openbsdapu{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2742000_i bd0678b6_o
voith-openbsdapu{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 34 minutes
voith-openbsdapu{2}:   192.168.1.0/24 === 192.168.222.0/24

**********************************************************************************************************
openbsd 6.1
isakmpd and ipsecctl

root at OpenBSD61-VM-4:/root # cat /etc/ipsec.conf

local_network           = "192.168.222.0/24"
local_vpn_endpoint      = "em1"
remote_vpn_endpoint     = "10.0.0.16"
remote_networks         = "192.168.1.0/24"
phase_one               = "hmac-sha2-256 enc aes-256 group modp1536"
phase_two               = "hmac-sha2-256 enc aes-256 group none"

ike dynamic esp from $local_network to $remote_networks \
        local $local_vpn_endpoint peer $remote_vpn_endpoint \
        main auth $phase_one \
        quick auth $phase_two \
        psk "MYSECRET"
root at OpenBSD61-VM-4:/root # ipsecctl -sa
FLOWS:
flow esp in from 192.168.1.0/24 to 192.168.222.0/24 peer 10.0.0.16 srcid OpenBSD61-VM-4.my.domain dstid 10.0.0.16/32 type use
flow esp out from 192.168.222.0/24 to 192.168.1.0/24 peer 10.0.0.16 srcid OpenBSD61-VM-4.my.domain dstid 10.0.0.16/32 type require

SAD:
esp tunnel from 10.0.0.16 to 172.16.0.3 spi 0xb244137a auth hmac-sha2-256 enc aes-256
esp tunnel from 172.16.0.3 to 10.0.0.16 spi 0xcc60d6ed auth hmac-sha2-256 enc aes-256

root at OpenBSD61-VM-4:/root # isakmpd -dKvvvv
143012.343842 Default isakmpd: starting [priv]
143024.253407 Default isakmpd: phase 1 done: initiator id OpenBSD61-VM-4.my.domain, responder id 10.0.0.16, src: 172.16.0.3 dst: 10.0.0.16
143024.256211 Default isakmpd: quick mode done: src: 172.16.0.3 dst: 10.0.0.16

Best regards 

Flavius Mews
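A diagnostic check, added here and not part of the original mail, that parses Linux `ip xfrm state` output and reports ESP SAs to a NAT-detected peer that were installed without UDP encapsulation, which is what the symptom above (one-way traffic although NAT-T was negotiated) points to. The sample output is constructed; it assumes the mail's NAT peer address 10.0.0.100 and the `encap type espinudp` line that `ip xfrm state` prints for NAT-T SAs.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed `ip xfrm state` sample (not taken from the mail). The first two SAs
# reproduce the reported case: peer 10.0.0.100 is behind NAT, yet no "encap" line.
# The third SA (placeholder SPI) shows a correctly installed NAT-T SA for contrast.
SAMPLE_XFRM_STATE = """\
src 10.0.0.16 dst 10.0.0.100
\tproto esp spi 0xbd0678b6 reqid 1 mode tunnel
\tauth-trunc hmac(sha256) 0xKEYPLACEHOLDER 128
\tenc cbc(aes) 0xKEYPLACEHOLDER
src 10.0.0.100 dst 10.0.0.16
\tproto esp spi 0xc2742000 reqid 1 mode tunnel
\tauth-trunc hmac(sha256) 0xKEYPLACEHOLDER 128
\tenc cbc(aes) 0xKEYPLACEHOLDER
src 10.0.0.100 dst 10.0.0.16
\tproto esp spi 0x00000bad reqid 2 mode tunnel
\tauth-trunc hmac(sha256) 0xKEYPLACEHOLDER 128
\tenc cbc(aes) 0xKEYPLACEHOLDER
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""


def parse_xfrm_state(text: str) -> List[Dict[str, Optional[str]]]:
    """Split `ip xfrm state` output into one record per SA (src, dst, spi, encap)."""
    records = []
    for block in re.split(r"(?m)^(?=src )", text):
        head = re.match(r"src (\S+) dst (\S+)", block)
        if not head:
            continue  # leading empty chunk produced by the zero-width split
        spi = re.search(r"\bspi (0x[0-9a-fA-F]+)", block)
        encap = re.search(r"encap type (\S+) sport (\d+) dport (\d+)", block)
        records.append({
            "src": head.group(1),
            "dst": head.group(2),
            "spi": spi.group(1) if spi else None,
            "encap": encap.group(1) if encap else None,  # "espinudp" when NAT-T applied
        })
    return records


def unencapsulated_nat_sas(text: str, nat_peers: Set[str]) -> List[str]:
    """SPIs of SAs to/from a NAT-detected peer that carry raw ESP instead of ESP-in-UDP."""
    return [sa["spi"] for sa in parse_xfrm_state(text)
            if (sa["src"] in nat_peers or sa["dst"] in nat_peers)
            and sa["encap"] != "espinudp"]
```

Run it against live output with `ip xfrm state` piped into `parse_xfrm_state`; any SPI it lists for the NAT peer is a kernel SA that will never be translated back by the NAT gateway.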
