[strongSwan] Ping does not come back / but it's visible in tcpdump
Tobias Brunner
tobias at strongswan.org
Mon Nov 25 13:31:18 CET 2019
Hi Valeri,
> Here is tcpdump from what I think is the ping and its response (pinging
> 10.166.47.12 which is assigned to Lancom on ethernet port 1):
> 22:03:20.304824 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF],
> proto ESP (50), length 140)
> A.A.A.A > B.B.B.B: ESP(spi=0xbf3e0bb5,seq=0x224), length 120
> 22:03:20.320540 IP (tos 0x0, ttl 57, id 34530, offset 0, flags [none],
> proto UDP (17), length 148)
> B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [no cksum] UDP-encap:
> ESP(spi=0xc9012da8,seq=0x223), length 120
>
> I am just clueless now and any help is appreciated. Let me know if any
> further information is required.
As you can see, the other peer somehow decides to use UDP-encapsulation
for ESP, even though there apparently is no NAT between the two. Since
the Linux kernel can't process UDP-encapsulated packets for SAs that
aren't configured for it (a known limitation) the inbound packets will
be dropped. I guess by disabling MOBIKE you prevent the other
implementation from enabling UDP-encapsulation.
Regards,
Tobias
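The diagnosis above can be automated: walk a `tcpdump -v` capture, pick out the ESP packets, and flag any peer pair where one direction is plain ESP (protocol 50) while the reverse direction is UDP-encapsulated ESP on port 4500 (`ipsec-nat-t`). That asymmetry is exactly the pattern that makes a reply visible on the wire but never delivered, because the kernel drops encapsulated packets arriving on an SA that was not set up for encapsulation. The script below is an added example, not code from the thread or from the strongSwan project; the sample input is constructed from the two packets quoted above (with the thread's `A.A.A.A` / `B.B.B.B` placeholders), and the `tcpdump -v` line layout it parses is an assumption about the capture format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the two packets quoted in the thread, in the
# two-line "tcpdump -v" layout (header line, then an indented payload line).
SAMPLE_TCPDUMP = """\
22:03:20.304824 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF], proto ESP (50), length 140)
    A.A.A.A > B.B.B.B: ESP(spi=0xbf3e0bb5,seq=0x224), length 120
22:03:20.320540 IP (tos 0x0, ttl 57, id 34530, offset 0, flags [none], proto UDP (17), length 148)
    B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=0xc9012da8,seq=0x223), length 120
"""

# Matches "src > dst: [no cksum] UDP-encap: ESP(spi=0x..,seq=0x..)"; the
# "[no cksum]" and "UDP-encap:" parts only appear for UDP-encapsulated ESP.
_ESP_RE = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): (?:\[no cksum\] )?(?P<encap>UDP-encap: )?"
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)"
)
# For UDP, tcpdump appends the port to the address; 4500 resolves to "ipsec-nat-t".
_PORT_SUFFIX_RE = re.compile(r"\.(?:ipsec-nat-t|4500)$")


@dataclass(frozen=True)
class EspPacket:
    src: str
    dst: str
    spi: int
    seq: int
    udp_encap: bool


def _join_packet_lines(text: str) -> List[str]:
    """Merge each packet's header line with its indented continuation line(s)."""
    packets: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and packets:
            packets[-1] += " " + line.strip()
        else:
            packets.append(line.strip())
    return packets


def parse_esp_packets(text: str) -> List[EspPacket]:
    """Extract plain and UDP-encapsulated ESP packets from tcpdump -v output."""
    result: List[EspPacket] = []
    for pkt in _join_packet_lines(text):
        m = _ESP_RE.search(pkt)
        if not m:
            continue  # IKE, ICMP, etc. are not of interest here
        result.append(EspPacket(
            src=_PORT_SUFFIX_RE.sub("", m.group("src")),
            dst=_PORT_SUFFIX_RE.sub("", m.group("dst")),
            spi=int(m.group("spi"), 16),
            seq=int(m.group("seq"), 16),
            udp_encap=m.group("encap") is not None,
        ))
    return result


def find_encap_asymmetry(packets: List[EspPacket]) -> List[Tuple[str, str, int, int]]:
    """Return (plain_sender, encap_sender, plain_spi, encap_spi) for every peer
    pair where traffic one way is plain ESP but the reply direction is
    UDP-encapsulated. Such a pair explains "reply in tcpdump, ping never answered":
    the receiving kernel drops encapsulated ESP on an SA not configured for it."""
    seen: Dict[Tuple[str, str], Dict[int, bool]] = {}
    for p in packets:
        seen.setdefault((p.src, p.dst), {})[p.spi] = p.udp_encap
    findings: List[Tuple[str, str, int, int]] = []
    for (a, b), spis_ab in seen.items():
        spis_ba = seen.get((b, a))
        if not spis_ba:
            continue
        for spi_ab, enc_ab in spis_ab.items():
            for spi_ba, enc_ba in spis_ba.items():
                if not enc_ab and enc_ba:
                    findings.append((a, b, spi_ab, spi_ba))
    return findings


if __name__ == "__main__":
    for plain, encap, spi_plain, spi_encap in find_encap_asymmetry(parse_esp_packets(SAMPLE_TCPDUMP)):
        print(f"{plain} sends plain ESP (spi={spi_plain:#x}) but {encap} replies "
              f"UDP-encapsulated (spi={spi_encap:#x}): replies will be dropped on {plain}")
```

Run it against `tcpdump -n -v 'esp or udp port 4500'` output from the initiating host; a finding points at the encapsulation mismatch rather than at routing or firewalling. The thread's own workaround is to turn off MOBIKE on the strongSwan side (`mobike=no` in ipsec.conf, or `mobike = no` on the connection in swanctl.conf), which stops the remote implementation from switching to UDP encapsulation mid-connection.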