[strongSwan] strongswan vs Fritzbox

Michael Schwartzkopff ms at sys4.de
Wed Aug 3 08:26:30 CEST 2022


On 03.08.22 06:31, Harald Dunkel wrote:
> Hi folks,
>
> environment:
>     VPN gateway running Debian 11 and strongswan 5.9.6
>     appr 140 road-warrior devices (Linux, Windows, MacOS/ios)
>
> According to
>
> https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/169_Using-VPN-software-from-another-manufacturer-in-the-home-network/ 
>
>
> the Fritzbox (a very popular DSL/cable consumer modem in Germany) supports
> just a single ESP connection per remote VPN gateway to pass through. If you
> have (let's say) a phone and a laptop to connect to the same VPN gateway in
> the office, you are out of luck.
>
> I am not sure if this restriction is reasonable, but actually it seems to be
> implemented this way. The VPN connection is established successfully, but ESP
> from the VPN gateway to the road-warrior seems to be blocked. After a few
> minutes the road-warrior deletes the connection and tries again.
>
> Of course I enabled the encap = yes on the VPN gateway to enforce ESP-in-UDP
> encapsulation as a workaround, but I wouldn't like to keep it, affecting all
> road warriors, even if they do not own a Fritzbox. It might create new
> problems.
>
> Do you think charon running on the VPN gateway would be able to detect the
> lost ESP traffic and switch over to ESP encapsulation automatically?
>
>
> Regards
>
> Harri


Sorry, did not read all. I think encap is not bad, even for all users. 
There might be another scenario, when multiple users are behind the 
same NAT device and encap is needed. Just think about carrier-grade NAT, 
which is being implemented.



Kind regards,

-- 

sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
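The thread turns on two things a road warrior can observe locally: whether a CHILD_SA is carrying raw ESP or ESP-in-UDP, and whether the return path is silently dropping ESP (the Fritzbox symptom Harald describes: the tunnel comes up, the client sends, nothing comes back). The following is an added example, not code from this thread or from the strongSwan project. It is a hypothetical audit helper that parses the text `swanctl --list-sas` prints and flags both conditions. The sample output embedded in it is constructed, and its layout (the `TUNNEL-in-UDP` mode suffix and the `in`/`out` counter lines) is assumed from memory of swanctl's format rather than captured from a real gateway; the connection names, identities and addresses are made up.

```python
"""Audit `swanctl --list-sas` output for raw ESP vs. ESP-in-UDP CHILD_SAs.

Hypothetical helper, not part of strongSwan. It parses the text that
`swanctl --list-sas` prints and reports, per CHILD_SA, whether ESP is
UDP-encapsulated ("TUNNEL-in-UDP") or sent as raw ESP ("TUNNEL"), plus
the in/out packet counters, so a client behind a NAT that passes only one
ESP flow per remote gateway can spot a one-way ESP black hole.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout swanctl --list-sas uses (layout assumed
# from memory, not captured from a real host). Two clients behind the same
# NAT talking to one gateway: one forced to ESP-in-UDP, one sending raw ESP
# and receiving nothing back.
SAMPLE = """\
office-udp: #1, ESTABLISHED, IKEv2, 1b2c3d4e5f607182_i* 8a9b0c1d2e3f4051_r
  local  'laptop' @ 192.168.178.20[4500] [10.10.0.2]
  remote 'gw.example.org' @ 203.0.113.10[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 120s ago, rekeying in 13500s
  office-udp: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256
    installed 120s ago, rekeying in 3000s, expires in 3540s
    in  c0a8011a,   9920 bytes,    80 packets,     1s ago
    out c0a8011b,  11200 bytes,    84 packets,     1s ago
    local  10.10.0.2/32
    remote 0.0.0.0/0
office-esp: #2, ESTABLISHED, IKEv2, 5f607182a1b2c3d4_i* 0c1d2e3f40518a9b_r
  local  'phone' @ 192.168.178.21[500] [10.10.0.3]
  remote 'gw.example.org' @ 203.0.113.10[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 150s ago, rekeying in 13470s
  office-esp: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 150s ago, rekeying in 2970s, expires in 3510s
    in  c0a8012a,      0 bytes,     0 packets
    out c0a8012b,   5100 bytes,    41 packets,     2s ago
    local  10.10.0.3/32
    remote 0.0.0.0/0
"""

# CHILD_SA header: two-space indent, "name: #id, reqid N, STATE, MODE[-in-UDP], ESP:..."
CHILD_RE = re.compile(
    r"^ {2}(?P<name>[^:]+): #(?P<uid>\d+), reqid \d+, (?P<state>\w+), "
    r"(?P<mode>TUNNEL|TRANSPORT|BEET)(?P<udp>-in-UDP)?, (?P<proto>ESP|AH):"
)
# Per-direction counters: four-space indent, "in  <spi>, N bytes, N packets"
COUNTER_RE = re.compile(
    r"^ {4}(?P<dir>in|out)\s+(?P<spi>[0-9a-f]{8}),\s*(?P<bytes>\d+) bytes,"
    r"\s*(?P<pkts>\d+) packets"
)


@dataclass
class ChildSa:
    name: str
    uid: int
    state: str
    mode: str
    udp_encap: bool
    pkts_in: int = 0
    pkts_out: int = 0


def parse_list_sas(text: str) -> list[ChildSa]:
    """Extract every CHILD_SA with its encapsulation mode and packet counters."""
    sas: list[ChildSa] = []
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            sas.append(ChildSa(m["name"], int(m["uid"]), m["state"],
                               m["mode"], m["udp"] is not None))
            continue
        m = COUNTER_RE.match(line)
        if m and sas:  # counters always follow their CHILD_SA header
            if m["dir"] == "in":
                sas[-1].pkts_in = int(m["pkts"])
            else:
                sas[-1].pkts_out = int(m["pkts"])
    return sas


def audit(sas: list[ChildSa]) -> list[tuple[str, str]]:
    """Return (connection, finding) pairs for SAs worth a second look."""
    findings: list[tuple[str, str]] = []
    for sa in sas:
        if not sa.udp_encap:
            findings.append((sa.name, "raw ESP: a NAT that passes a single ESP "
                                      "flow per gateway will drop a second client"))
        if sa.pkts_out > 0 and sa.pkts_in == 0:
            findings.append((sa.name, "sending but receiving nothing: return-path "
                                      "ESP is probably being dropped"))
    return findings


if __name__ == "__main__":
    for conn, msg in audit(parse_list_sas(SAMPLE)):
        print(f"{conn}: {msg}")
```

On a live client the text would come from `subprocess.run(["swanctl", "--list-sas"], capture_output=True, text=True).stdout` instead of `SAMPLE`. The gateway-side knob Harald refers to is `encap = yes` in the connection section of swanctl.conf, which makes strongSwan use UDP encapsulation even when IKE's NAT detection sees no NAT; set on the gateway it applies to every road warrior, which is exactly the trade-off the thread discusses.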


