[strongSwan] S2S vpn between strongswan and openbsd with NAT-T doesn't work

Mews, Flavius Flavius.Mews at voith.com
Thu Nov 9 23:16:50 CET 2017


Hi Tobias,

thanks for your quick response and the detailed information. I haven't found any further options in OpenBSD yet for how the NAT-T behaviour works.

I changed the log level for enc to 3 and attached the strongSwan log. I also attached a tcpdump from isakmpd, which gives detailed information
about the proposals (isakmpd makes packet captures for debugging purposes). It is not entirely clear to me where I can find the NAT proposals.
Maybe you have a better view of this capture.

root at ubuntu-vpn-gw:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        uniqueids = yes
        charondebug = "ike 3, esp 3, cfg 3, enc 3, lib 2, mgr 3, net 3, chd 3, knl 2"



> I think OpenBSD also supports IKEv2, I'd recommend you switch to that if you can.

Yes, it does. But with IKEv2 I have another issue: when I configure the tunnel in IKEv2 mode, OpenBSD sends no NAT keepalives to the Ubuntu server and the session times out on the NAT gateway. I don't know why.
Probably also a proposal negotiation issue.
So my first step was to try the connection with IKEv1, because there I have no NAT keepalive problem.

Thanks for your help.


Best regards 

Flavius

-----Original Message-----
From: Tobias Brunner [mailto:tobias at strongswan.org] 
Sent: Thursday, November 09, 2017 9:50 AM
To: Mews, Flavius; Users at lists.strongswan.org
Subject: Re: [strongSwan] S2S vpn between strongswan and openbsd with NAT-T doesn't work

Hi Flavius,

As IKEv1 responder the trigger to use UDP encapsulation is the encapsulation mode sent in the proposals received from the client during Quick Mode.  If it proposes tunnel mode without encapsulation then the server won't use UDP encapsulation (there is currently no check if a NAT was found and we just use the first encap mode attribute from any proposal).  That's mainly based on what RFC 3947 says about this:

  It is not normally useful to propose both normal tunnel or transport
  mode and UDP-Encapsulated modes.
  ...
  Also, the initiator SHOULD NOT include both normal tunnel or
  transport mode and UDP-Encapsulated-Tunnel or UDP-Encapsulated-
  Transport in its proposals.

Could you send me a log with the log level for enc increased to 3 [1]?
That should show what the client actually proposes (i.e. if it has proposals with plain tunnel mode but perhaps also some with UDP encapsulation).

I think OpenBSD also supports IKEv2, I'd recommend you switch to that if you can.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
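To make the responder behaviour Tobias describes concrete, the following is an added example (it is not strongSwan or isakmpd code, and it is not taken from the attached capture). It decodes one IKEv1 Quick Mode Proposal payload, pulls the Encapsulation Mode attribute out of every Transform, and reports whether the client proposed plain tunnel/transport mode, UDP encapsulation, or a mix of both (the case RFC 3947 says an initiator SHOULD NOT send). Payload layouts follow RFC 2408, attribute types RFC 2407, and the Encapsulation Mode values RFC 2407/RFC 3947 plus the pre-standard draft values 61443/61444 that many implementations still accept. The `first_encap_mode` function mirrors the "first encap mode attribute from any proposal" rule quoted in the thread; the two sample proposals are constructed inline.

```python
"""Decode Encapsulation Mode attributes from an IKEv1 Quick Mode proposal.
Constructed example, not strongSwan or isakmpd code."""
import struct
from typing import List, Optional, Tuple

ATTR_ENCAP_MODE = 4   # IPsec DOI attribute types, RFC 2407 section 4.5
ATTR_AUTH_ALG = 5
ATTR_KEY_LENGTH = 6
ESP_AES = 12          # ESP transform id (RFC 3602); AUTH_HMAC_SHA1 from RFC 2407
AUTH_HMAC_SHA1 = 2

# Encapsulation Mode values: RFC 2407, RFC 3947 section 5.1, and draft NAT-T values.
ENCAP_NAMES = {1: "Tunnel", 2: "Transport",
               3: "UDP-Encapsulated-Tunnel", 4: "UDP-Encapsulated-Transport",
               61443: "UDP-Encapsulated-Tunnel (draft)",
               61444: "UDP-Encapsulated-Transport (draft)"}
UDP_ENCAP_MODES = {3, 4, 61443, 61444}
PLAIN_MODES = {1, 2}

# A parsed transform: (transform number, transform id, {attribute type: value})
Transform = Tuple[int, int, dict]

def parse_attributes(data: bytes) -> dict:
    """ISAKMP data attributes (RFC 2408 section 3.3). High bit of the type set
    means a 2-byte value follows (TV); clear means a 2-byte length + data (TLV)."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        atype, aval = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:
            attrs[atype & 0x7FFF] = aval
        else:
            attrs[atype] = data[off:off + aval]
            off += aval
    if off != len(data):
        raise ValueError("truncated attribute list")
    return attrs

def parse_transforms(data: bytes) -> List[Transform]:
    """A chain of Transform payloads (RFC 2408 section 3.6), ended by Next Payload 0."""
    transforms, off = [], 0
    while off < len(data):
        nxt, _rsv, length, tnum, tid, _rsv2 = struct.unpack_from("!BBHBBH", data, off)
        if length < 8 or off + length > len(data):
            raise ValueError("bad transform length")
        transforms.append((tnum, tid, parse_attributes(data[off + 8:off + length])))
        off += length
        if nxt == 0:
            break
    return transforms

def parse_proposal(data: bytes) -> List[Transform]:
    """One Proposal payload (RFC 2408 section 3.5): header, SPI, then transforms."""
    _np, _rsv, length, _pnum, _proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, 0)
    transforms = parse_transforms(data[8 + spi_size:length])
    if len(transforms) != ntrans:
        raise ValueError(f"proposal announces {ntrans} transforms, found {len(transforms)}")
    return transforms

def encap_modes(transforms: List[Transform]) -> List[int]:
    return [a[ATTR_ENCAP_MODE] for _, _, a in transforms if ATTR_ENCAP_MODE in a]

def classify(transforms: List[Transform]) -> str:
    """'plain', 'udp', 'mixed' (what RFC 3947 says an initiator SHOULD NOT send), or 'none'."""
    modes = set(encap_modes(transforms))
    has_udp, has_plain = bool(modes & UDP_ENCAP_MODES), bool(modes & PLAIN_MODES)
    return "mixed" if has_udp and has_plain else "udp" if has_udp else "plain" if has_plain else "none"

def first_encap_mode(transforms: List[Transform]) -> Optional[int]:
    """Assumed responder rule from the thread: first encap attribute wins, NAT or not."""
    modes = encap_modes(transforms)
    return modes[0] if modes else None

# --- constructed sample proposals (builders only exist to make test data) ---
def tv(atype: int, value: int) -> bytes:
    return struct.pack("!HH", 0x8000 | atype, value)

def transform(num: int, tid: int, attrs: bytes, last: bool) -> bytes:
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), num, tid, 0) + attrs

def proposal(transforms: List[bytes], spi: bytes = b"\x12\x34\x56\x78") -> bytes:
    body = b"".join(transforms)
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(spi) + len(body), 1, 3, len(spi), len(transforms)) + spi + body

AES_SHA1 = tv(ATTR_AUTH_ALG, AUTH_HMAC_SHA1) + tv(ATTR_KEY_LENGTH, 128)
MIXED_PROPOSAL = proposal([transform(1, ESP_AES, tv(ATTR_ENCAP_MODE, 1) + AES_SHA1, last=False),
                           transform(2, ESP_AES, tv(ATTR_ENCAP_MODE, 3) + AES_SHA1, last=True)])
UDP_ONLY_PROPOSAL = proposal([transform(1, ESP_AES, tv(ATTR_ENCAP_MODE, 3) + AES_SHA1, last=True)])

def report(data: bytes) -> dict:
    ts = parse_proposal(data)
    return {"modes": [ENCAP_NAMES.get(m, str(m)) for m in encap_modes(ts)],
            "class": classify(ts), "responder_picks": ENCAP_NAMES.get(first_encap_mode(ts))}

if __name__ == "__main__":
    for name, p in (("mixed", MIXED_PROPOSAL), ("udp-only", UDP_ONLY_PROPOSAL)):
        print(name, report(p))
```

Run against the mixed proposal, the report shows both Tunnel and UDP-Encapsulated-Tunnel with "responder_picks" Tunnel, which is exactly the outcome to look for in the enc-level-3 log: if plain tunnel mode appears first, the responder installs an ESP SA without UDP encapsulation even though a NAT sits in the path. To use it on a real capture, feed the bytes of the Proposal payload from the Quick Mode SA payload into `report`.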

Attachments:
  strongswanlog.txt: <http://lists.strongswan.org/pipermail/users/attachments/20171109/8a326d15/attachment-0002.txt>
  tcpdump-isakmpd-log.txt: <http://lists.strongswan.org/pipermail/users/attachments/20171109/8a326d15/attachment-0003.txt>

