[strongSwan] Ping does not come back / but it's visible in tcpdump

Valeri Geiser valeri.geiser at km-logistik-service.de
Mon Nov 25 13:56:10 CET 2019


Hi Tobias,

thank you for the explanation. I was not sure what the issue was, but I 
figured that the port 4500 was incorrect. NAT-Traversal was already 
disabled on the Lancom; however, with MOBIKE now also disabled I only 
see port 500, and from your explanation I now understand a little better 
what the issue was.

Best regards,
Valeri

On 25.11.19 at 13:31, Tobias Brunner wrote:
> Hi Valeri,
>
>> Here is tcpdump from what I think is the ping and its response (pinging
>> 10.166.47.12 which is assigned to Lancom on ethernet port 1):
>> 22:03:20.304824 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF],
>> proto ESP (50), length 140)
>>      A.A.A.A > B.B.B.B: ESP(spi=0xbf3e0bb5,seq=0x224), length 120
>> 22:03:20.320540 IP (tos 0x0, ttl 57, id 34530, offset 0, flags [none],
>> proto UDP (17), length 148)
>>      B.B.B.B.ipsec-nat-t > A.A.A.A.ipsec-nat-t: [no cksum] UDP-encap:
>> ESP(spi=0xc9012da8,seq=0x223), length 120
>>
>> I am just clueless now and any help is appreciated. Let me know if any
>> further information is required.
> As you can see, the other peer somehow decides to use UDP-encapsulation
> for ESP, even though there apparently is no NAT between the two.  Since
> the Linux kernel can't process UDP-encapsulated packets for SAs that
> aren't configured for it (a known limitation) the inbound packets will
> be dropped.  I guess by disabling MOBIKE you prevent the other
> implementation from enabling UDP-encapsulation.
>
> Regards,
> Tobias
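The asymmetry pointed out in the quoted capture (native ESP in one direction, UDP-encapsulated ESP on the ipsec-nat-t port in the other) can be checked mechanically over tcpdump output. This is an added example, not part of the original thread or of strongSwan; the capture is constructed with documentation addresses, and `classify` and `mismatches` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed capture in `tcpdump -v` layout, modelled on the thread's output.
# Addresses are documentation ranges; 192.0.2.1 plays the Linux/strongSwan side.
SAMPLE = """\
22:03:20.304824 IP (tos 0x0, ttl 64, id 1894, offset 0, flags [DF], proto ESP (50), length 140)
    192.0.2.1 > 198.51.100.2: ESP(spi=0xbf3e0bb5,seq=0x224), length 120
22:03:20.320540 IP (tos 0x0, ttl 57, id 34530, offset 0, flags [none], proto UDP (17), length 148)
    198.51.100.2.ipsec-nat-t > 192.0.2.1.ipsec-nat-t: [no cksum] UDP-encap: ESP(spi=0xc9012da8,seq=0x223), length 120
22:03:21.100000 IP 192.0.2.1 > 203.0.113.7: ESP(spi=0x0a0b0c0d,seq=0x10), length 120
22:03:21.110000 IP 203.0.113.7 > 192.0.2.1: ESP(spi=0x0d0c0b0a,seq=0x0f), length 120
"""

# Matches the address line of a packet, with or without a leading timestamp.
PKT = re.compile(
    r"^(?:\S+ IP6? )?\s*(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<mid>.*?)ESP\(spi=0x[0-9a-fA-F]+,seq="
)

def _host(endpoint, has_port):
    # UDP endpoints carry a ".4500" / ".ipsec-nat-t" suffix; native ESP has none.
    return endpoint.rsplit(".", 1)[0] if has_port else endpoint

def classify(capture):
    """Map each (src, dst) direction to the set of ESP transports seen on it."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue  # header lines and non-ESP traffic
        encap = "UDP-encap:" in m["mid"]
        key = (_host(m["src"], encap), _host(m["dst"], encap))
        seen[key].add("udp-encap" if encap else "esp")
    return dict(seen)

def mismatches(capture):
    """Peer pairs whose two directions disagree on ESP transport."""
    flows = classify(capture)
    return [
        (a, b, sorted(fwd), sorted(flows[(b, a)]))
        for (a, b), fwd in sorted(flows.items())
        if a < b and (b, a) in flows and fwd != flows[(b, a)]
    ]

if __name__ == "__main__":
    for a, b, fwd, back in mismatches(SAMPLE):
        print(f"{a} -> {b}: {fwd}; {b} -> {a}: {back}")
```

A pair reported here matches the situation in the thread: one peer sends plain ESP while the other replies with UDP-encapsulated ESP, which the receiving Linux kernel drops when the SA is not configured for encapsulation.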