[strongSwan] IKE2 4500 Reply Not Making it Out
Info
infosec at quantum-equities.com
Fri Mar 23 18:22:29 CET 2018
On 03/23/2018 12:18 AM, Tobias Brunner wrote:
> Hi,
>
>> No port 4500 packet hitting its own interface. Only a keep-alive.
> That's the only packet that's sent from port 4500 (as also stated in the
> log, where it clearly states that keep-alive is being sent, nothing
> else). Since no request to port 4500 ever makes it to the daemon (the
> log tells you that too) it naturally won't send any response and so you
> also don't see any other packets in tcpdump.
>
> Seems like your DNAT to port 4500 is not working.
>
> Regards,
> Tobias
But it seems clear that 4500 is getting DNATted. There are four attempts
coming in via ipsec-nat-t (this is CentOS 7.4), all the way to the
daemon. So 4500 attempts are getting through the IPSec gateway's
interface, but are not being noticed by the daemon?
In the LAN gateway my Shorewall directive is:
#ACTION  SOURCE  DEST                PROTO  DEST                 SOURCE   ORIGINAL
#                                           PORT                 PORT(S)  DEST
DNAT     net     local:192.168.1.16  udp    isakmp,ipsec-nat-t   -        &eth0
And in the IPSec gateway:
# lsof -i -n -P
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
charon-sy 41025 root 12u IPv6 12226082 0t0 UDP *:500
charon-sy 41025 root 13u IPv6 12226083 0t0 UDP *:4500
charon-sy 41025 root 14u IPv4 12226084 0t0 UDP *:500
charon-sy 41025 root 15u IPv4 12226085 0t0 UDP *:4500
On an attempt:
# tcpdump -i eth0 'port 4500'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:01:20.504204 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.509230 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.516809 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.540911 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.541310 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.550701 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.553566 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.559687 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.502784 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.508218 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.512584 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.516938 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.521233 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.527491 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.542394 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.545907 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.301584 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.304550 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.307755 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.311453 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.315206 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.319197 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.323527 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.325219 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.255913 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.259435 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.263905 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.266785 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.270899 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.290882 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.291507 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.292809 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:38.823739 IP cygnus.darkmatter.org.ipsec-nat-t > 172.56.42.164.31453: isakmp-nat-keep-alive
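As an added example (not part of this thread or of strongSwan), a small Python analyser that reads tcpdump lines of the shape quoted above, groups the inbound port-4500 packets into retransmission bursts, and reports whether anything other than a NAT keep-alive ever left the gateway, which is the check Tobias's reply makes by eye. The sample lines are constructed from the trace above, trimmed to a few packets per burst; `cygnus.darkmatter.org` is assumed to be the gateway name tcpdump resolved.

```python
import re

# Constructed sample in the shape of the tcpdump output quoted in the thread
# (one line per packet, a few packets per retransmission burst).
SAMPLE = """\
10:01:20.504204 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:20.509230 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:22.502784 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:25.301584 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:29.255913 IP 172.56.42.164.31453 > cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
10:01:38.823739 IP cygnus.darkmatter.org.ipsec-nat-t > 172.56.42.164.31453: isakmp-nat-keep-alive
"""

# tcpdump prints "<time> IP <src>.<port> > <dst>.<port>: <decode>"
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<info>.*)$")


def parse(text):
    """Yield one dict per packet line; banner lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        yield {"ts": int(h) * 3600 + int(mi) * 60 + float(s),
               "src": m["src"], "dst": m["dst"], "info": m["info"]}


def analyse(text, gateway, gap=1.0):
    """Count inbound IKE packets, retransmission bursts (a new burst starts when
    consecutive packets are more than `gap` seconds apart) and any reply that is
    not a NAT keep-alive. `gateway` is the host name/address as tcpdump prints it."""
    pkts = list(parse(text))
    inbound = [p for p in pkts if p["dst"].startswith(gateway + ".")]
    outbound = [p for p in pkts if p["src"].startswith(gateway + ".")]
    bursts, last = 0, None
    for p in inbound:
        if last is None or p["ts"] - last > gap:
            bursts += 1
        last = p["ts"]
    replies = [p for p in outbound if "keep-alive" not in p["info"]]
    return {"inbound": len(inbound), "attempts": bursts,
            "replies": len(replies), "keepalives": len(outbound) - len(replies),
            "daemon_answered": bool(replies)}


if __name__ == "__main__":
    # Requests arrive on 4500 in four bursts, but only a keep-alive ever goes out.
    print(analyse(SAMPLE, "cygnus.darkmatter.org"))
```

A result with inbound packets, several attempts and `daemon_answered: False` matches the symptom in this thread: the packets reach the interface, but no IKE reply is generated, so the place to look is between the interface and the daemon (DNAT, firewall, or socket binding), not the peer.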