[strongSwan] strongswan vs Fritzbox

Harald Dunkel harri at afaics.de
Wed Aug 3 06:31:14 CEST 2022


Hi folks,

environment:
	VPN gateway running Debian 11 and strongswan 5.9.6
	approx. 140 road-warrior devices (Linux, Windows, macOS/iOS)

According to

https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/169_Using-VPN-software-from-another-manufacturer-in-the-home-network/

the Fritzbox (a very popular DSL/cable consumer modem in Germany) supports
just a single ESP connection per remote VPN gateway to pass through. If you
have (let's say) a phone and a laptop to connect to the same VPN gateway in
the office, you are out of luck.

I am not sure if this restriction is reasonable, but actually it seems to be
implemented this way. The VPN connection is established successfully, but ESP
from the VPN gateway to the road-warrior seems to be blocked. After a few
minutes the road-warrior deletes the connection and tries again.

Of course I enabled encap = yes on the VPN gateway to enforce ESP-in-UDP
encapsulation as a workaround, but I wouldn't like to keep it, affecting all
road warriors, even if they do not own a Fritzbox. It might create new problems.

Do you think charon running on the VPN gateway would be able to detect the
lost ESP traffic and switch over to ESP encapsulation automatically?


Regards

Harri
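
One way to spot the one-way ESP situation described above from the gateway side, as an added example that is not part of the original post: parse `swanctl --list-sas` output and flag CHILD_SAs that keep sending ESP but have received nothing back. The sample listing below is constructed, and the line layout the regexes expect (IKE_SA header, `remote '<id>' @ <addr>`, CHILD_SA header with the encapsulation mode, `in`/`out` counter lines) is assumed from strongSwan 5.9.x; adjust the patterns if your build prints differently.

```python
import re

# Constructed sample of `swanctl --list-sas` output, trimmed to the lines the
# parser reads (algorithm, local, and traffic-selector lines are ignored).
# "alice" is behind a NAT box that drops the reverse ESP; "bob" uses UDP encap.
SAMPLE_LIST_SAS = """\
rw: #7, ESTABLISHED, IKEv2, 4e1c2b0f3a9d8c7e_i 9f8e7d6c5b4a3f2e_r*
  remote 'alice' @ 198.51.100.23[500]
  rw: #7, reqid 7, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  c3a1f0e2,      0 bytes,     0 packets
    out c9b7d5e1,  41120 bytes,   310 packets,     2 seconds ago
rw: #8, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7081_i 8102f6e5d4c3b2a1_r*
  remote 'bob' @ 203.0.113.44[4500]
  rw: #8, reqid 8, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    in  c5d4c3b2,  22010 bytes,   180 packets,     1 seconds ago
    out c2b3c4d5,  30990 bytes,   205 packets,     1 seconds ago
"""

# Assumed line formats (unindented IKE_SA header, indented CHILD_SA lines).
IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv[12]")
REMOTE_RE = re.compile(r"^\s+remote '([^']*)' @ (\S+)")
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), (\w+), ([\w-]+), ESP")
COUNTER_RE = re.compile(r"^\s+(in|out)\s+c[0-9a-f]+,\s*(\d+) bytes,\s*(\d+) packets")

def parse_child_sas(listing):
    """Return one dict per CHILD_SA found in `swanctl --list-sas` text."""
    sas, peer, current = [], None, None
    for line in listing.splitlines():
        if IKE_RE.match(line):            # new IKE_SA block: reset context
            peer, current = None, None
            continue
        m = REMOTE_RE.match(line)
        if m:
            peer = (m.group(1), m.group(2))
            continue
        m = CHILD_RE.match(line)
        if m:                             # CHILD_SA header carries the mode
            current = {"peer": peer[0] if peer else None,
                       "addr": peer[1] if peer else None, "reqid": int(m.group(3)),
                       "mode": m.group(5), "udp_encap": "UDP" in m.group(5),
                       "in_pkts": 0, "out_pkts": 0}
            sas.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:     # fill in/out packet counters
            current[m.group(1) + "_pkts"] = int(m.group(3))
    return sas

def one_way_child_sas(listing, min_out_pkts=50):
    """CHILD_SAs where the gateway keeps sending ESP but has received none back."""
    return [sa for sa in parse_child_sas(listing)
            if sa["out_pkts"] >= min_out_pkts and sa["in_pkts"] == 0]
```

Run it periodically (e.g. from cron with `swanctl --list-sas` piped in) and alert on the flagged peers; the `udp_encap` field tells you whether the stuck SA was plain ESP, which is the case the Fritzbox restriction would produce.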

