[strongSwan] S2S vpn between strongswan and openbsd with NAT-T doesn't work

Tobias Brunner tobias at strongswan.org
Thu Nov 9 09:49:55 CET 2017


Hi Flavius,

As IKEv1 responder the trigger to use UDP encapsulation is the
encapsulation mode sent in the proposals received from the client during
Quick Mode.  If it proposes tunnel mode without encapsulation then the
server won't use UDP encapsulation (there is currently no check if a NAT
was found and we just use the first encap mode attribute from any
proposal).  That's mainly based on what RFC 3947 says about this:

  It is not normally useful to propose both normal tunnel or transport
  mode and UDP-Encapsulated modes.
  ...
  Also, the initiator SHOULD NOT include both normal tunnel or
  transport mode and UDP-Encapsulated-Tunnel or UDP-Encapsulated-
  Transport in its proposals.

Could you send me a log with the log level for enc increased to 3 [1]?
That should show what the client actually proposes (i.e. whether it has
proposals with plain tunnel mode but perhaps also some with UDP
encapsulation).

I think OpenBSD also supports IKEv2; I'd recommend you switch to that if
you can.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
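To make the responder rule described in the message concrete, here is an added example (my own code, not strongSwan's and not something the poster wrote). It constructs a small IKEv1 Quick Mode SA payload in the RFC 2408/2407 wire format, containing one proposal in plain tunnel mode and one in UDP-Encapsulated-Tunnel mode (the exact mix the message asks the client not to send), parses the Encapsulation Mode attributes back out, and compares the "first encapsulation mode attribute from any proposal wins" selection with a NAT-aware one. The attribute and mode numbers come from RFC 2407 and RFC 3947; the draft values 61443/61444 are an assumption about what older NAT-T peers send, and the sample SPI and key length are constructed.

```python
import struct

# IKEv1/ISAKMP constants (RFC 2407/2408; encapsulation modes from RFC 3947 s. 5.2)
PAYLOAD_PROPOSAL, PAYLOAD_TRANSFORM = 2, 3
PROTO_ESP, ESP_AES_CBC = 3, 12
ATTR_ENCAP_MODE, ATTR_KEY_LENGTH = 4, 6
ENCAP_TUNNEL, ENCAP_TRANSPORT = 1, 2
ENCAP_UDP_TUNNEL, ENCAP_UDP_TRANSPORT = 3, 4
# Assumption: pre-RFC draft values (private range) that older NAT-T peers still use.
ENCAP_UDP_TUNNEL_DRAFT, ENCAP_UDP_TRANSPORT_DRAFT = 61443, 61444
UDP_ENCAP_MODES = {ENCAP_UDP_TUNNEL, ENCAP_UDP_TRANSPORT,
                   ENCAP_UDP_TUNNEL_DRAFT, ENCAP_UDP_TRANSPORT_DRAFT}


# --- encoder: builds the constructed sample payloads ---------------------------
def tv_attr(atype, value):
    """Basic (TV) data attribute: AF bit set, 16-bit type, 16-bit value."""
    return struct.pack("!HH", 0x8000 | atype, value)


def transform(number, transform_id, attrs, last):
    body = b"".join(attrs)
    next_payload = 0 if last else PAYLOAD_TRANSFORM
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(body),
                       number, transform_id, 0) + body


def proposal(number, spi, transforms, last):
    body = b"".join(transforms)
    next_payload = 0 if last else PAYLOAD_PROPOSAL
    return struct.pack("!BBHBBBB", next_payload, 0, 8 + len(spi) + len(body),
                       number, PROTO_ESP, len(spi), len(transforms)) + spi + body


def sa_payload(proposals):
    body = b"".join(proposals)
    # DOI 1 (IPsec), situation 1 (SIT_IDENTITY_ONLY)
    return struct.pack("!BBHII", 0, 0, 12 + len(body), 1, 1) + body


# --- parser: what a responder sees ---------------------------------------------
def parse_attributes(data):
    """Yield (type, value) for the TV/TLV data attributes of one transform."""
    off = 0
    while off < len(data):
        head, = struct.unpack_from("!H", data, off)
        atype = head & 0x7FFF
        if head & 0x8000:                      # TV: 2-byte value follows
            value, = struct.unpack_from("!H", data, off + 2)
            off += 4
        else:                                  # TLV: 2-byte length, then value
            length, = struct.unpack_from("!H", data, off + 2)
            value = data[off + 4:off + 4 + length]
            off += 4 + length
        yield atype, value


def parse_sa(data):
    """Return [(proposal_no, protocol, [(transform_id, {attr: value}), ...]), ...]."""
    _, _, sa_len, _doi, _sit = struct.unpack_from("!BBHII", data, 0)
    off, proposals = 12, []
    while off < sa_len:
        _, _, plen, pno, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, _tno, tid, _ = struct.unpack_from("!BBHBBH", data, toff)
            transforms.append((tid, dict(parse_attributes(data[toff + 8:toff + tlen]))))
            toff += tlen
        proposals.append((pno, proto, transforms))
        off += plen
    return proposals


def encap_modes(proposals):
    """Encapsulation Mode attributes in the order they appear in the SA payload."""
    return [attrs[ATTR_ENCAP_MODE] for _, _, ts in proposals
            for _, attrs in ts if ATTR_ENCAP_MODE in attrs]


# --- the two selection rules being compared -------------------------------------
def first_encap_mode(proposals):
    """Rule described in the post: first Encapsulation Mode attribute from any
    proposal wins; whether a NAT was detected is not consulted."""
    modes = encap_modes(proposals)
    return modes[0] if modes else None


def nat_aware_encap_mode(proposals, nat_detected):
    """Prefer a UDP-encapsulated mode when a NAT was detected, else a plain one."""
    modes = encap_modes(proposals)
    wanted = [m for m in modes if (m in UDP_ENCAP_MODES) == nat_detected]
    return (wanted or modes or [None])[0]


# Constructed sample: the mix RFC 3947 says not to send (plain tunnel first),
# and a well-behaved client that proposes only UDP-Encapsulated-Tunnel.
SPI = bytes.fromhex("0badcafe")
AES_128 = tv_attr(ATTR_KEY_LENGTH, 128)
MIXED_SA = sa_payload([
    proposal(1, SPI, [transform(1, ESP_AES_CBC, [tv_attr(ATTR_ENCAP_MODE, ENCAP_TUNNEL), AES_128], True)], False),
    proposal(2, SPI, [transform(1, ESP_AES_CBC, [tv_attr(ATTR_ENCAP_MODE, ENCAP_UDP_TUNNEL), AES_128], True)], True),
])
UDP_ONLY_SA = sa_payload([
    proposal(1, SPI, [transform(1, ESP_AES_CBC, [tv_attr(ATTR_ENCAP_MODE, ENCAP_UDP_TUNNEL), AES_128], True)], True),
])
```

With the mixed payload, `first_encap_mode` returns 1 (plain tunnel) even though a NAT is present, which is the symptom in the thread: the responder installs the SA without UDP encapsulation. With the UDP-only payload both rules return 3, which is why the fix belongs on the initiator side, as the RFC text quoted above says.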
