[strongSwan] strongswan vs Fritzbox
Michael Schwartzkopff
ms at sys4.de
Wed Aug 3 08:23:50 CEST 2022
On 03.08.22 06:31, Harald Dunkel wrote:
> Hi folks,
>
> environment:
> VPN gateway running Debian 11 and strongswan 5.9.6
> approx. 140 road-warrior devices (Linux, Windows, MacOS/ios)
>
> According to
>
> https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/169_Using-VPN-software-from-another-manufacturer-in-the-home-network/
>
> the Fritzbox (a very popular DSL/cable consumer modem in Germany) supports
> just a single ESP connection per remote VPN gateway to pass through. If you
> have (let's say) a phone and a laptop to connect to the same VPN gateway in
> the office, you are out of luck.
>
> I am not sure if this restriction is reasonable, but actually it seems to be
> implemented this way. The VPN connection is established successfully, but ESP
> from the VPN gateway to the road-warrior seems to be blocked. After a few
> minutes the road-warrior deletes the connection and tries again.
>
> Of course I enabled the encap = yes on the VPN gateway to enforce ESP-in-UDP
> encapsulation as a workaround, but I wouldn't like to keep it, affecting all
> road warriors, even if they do not own a Fritzbox. It might create new
> problems.
>
> Do you think charon running on the VPN gateway would be able to detect the
> lost ESP traffic and switch over to ESP encapsulation automatically?
>
> Regards
>
> Harri
What about UDP encap of the ESP packet (forceencaps = yes)?
Kind regards,
--
sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
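An added check, not from the thread or from strongSwan itself, for the situation Harald describes: it parses `swanctl --list-sas` output on the gateway and lists remote public addresses behind which two or more IKE SAs run plain ESP (mode shown as `TUNNEL` rather than `TUNNEL-in-UDP`), i.e. exactly the clients a one-ESP-session-per-gateway router would break, so an operator can decide where `encap = yes` is actually needed. The output shape is assumed from memory of swanctl, and the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of 'swanctl --list-sas' (assumed from memory, not from the thread):
# two road warriors behind one public address with plain ESP, one with ESP-in-UDP.
SAMPLE = """\
rw: #1, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i 8b7a6f5e4d3c2b1a_r*
  remote 'alice' @ 203.0.113.7[500] [10.10.0.1]
  rw: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
rw: #2, ESTABLISHED, IKEv2, 2b3c4d5e6f7a8b9c_i 9c8b7a6f5e4d3c2b_r*
  remote 'alice-phone' @ 203.0.113.7[500] [10.10.0.2]
  rw: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
rw: #3, ESTABLISHED, IKEv2, 3c4d5e6f7a8b9cad_i ad9c8b7a6f5e4d3c_r*
  remote 'bob' @ 192.0.2.9[4500] [10.10.0.3]
  rw: #3, reqid 3, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
"""

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv[12],")           # IKE_SA header, column 0
REMOTE_RE = re.compile(r"^\s+remote '([^']*)' @ ([\d.:a-fA-F]+)\[(\d+)\]")
CHILD_RE = re.compile(r"^\s+\S+: #\d+, reqid \d+, (\w+), (TUNNEL|TRANSPORT)(-in-UDP)?, ESP")

def parse_list_sas(text):
    """Return one record per CHILD_SA: (ike_id, peer_id, remote_ip, remote_port, encap)."""
    records, ike_id, peer, ip, port = [], None, None, None, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:  # new IKE_SA: reset the remote-endpoint state
            ike_id, peer, ip, port = int(m.group(2)), None, None, None
            continue
        m = REMOTE_RE.match(line)
        if m:
            peer, ip, port = m.group(1), m.group(2), int(m.group(3))
            continue
        m = CHILD_RE.match(line)
        if m and ike_id is not None:  # '-in-UDP' suffix means ESP is UDP-encapsulated
            records.append((ike_id, peer, ip, port, m.group(3) is not None))
    return records

def find_collisions(records):
    """Map remote_ip -> sorted peer ids where >=2 IKE_SAs share that address with plain ESP."""
    by_ip = defaultdict(dict)
    for ike_id, peer, ip, _port, encap in records:
        if not encap:
            by_ip[ip][ike_id] = peer
    return {ip: sorted(peers.values()) for ip, peers in by_ip.items() if len(peers) > 1}

if __name__ == "__main__":
    for ip, peers in find_collisions(parse_list_sas(SAMPLE)).items():
        print(f"{ip}: {', '.join(peers)} share one public address with plain ESP")
```

On a live gateway, feed it `swanctl --list-sas` output instead of `SAMPLE`; only the addresses it reports need the encapsulation workaround.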