[strongSwan] strongswan vs Fritzbox
Michael Schwartzkopff
ms at sys4.de
Wed Aug 3 08:26:30 CEST 2022
On 03.08.22 06:31, Harald Dunkel wrote:
> Hi folks,
>
> environment:
> VPN gateway running Debian 11 and strongswan 5.9.6
> appr 140 road-warrior devices (Linux, Windows, MacOS/ios)
>
> According to
>
> https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/169_Using-VPN-software-from-another-manufacturer-in-the-home-network/
>
>
> the Fritzbox (a very popular DSL/cable consumer modem in Germany)
> supports just a single ESP connection per remote VPN gateway to pass
> through. If you have (let's say) a phone and a laptop to connect to the
> same VPN gateway in the office, you are out of luck.
>
> I am not sure if this restriction is reasonable, but actually it seems
> to be implemented this way. The VPN connection is established
> successfully, but ESP from the VPN gateway to the road-warrior seems to
> be blocked. After a few minutes the road-warrior deletes the connection
> and tries again.
>
> Of course I enabled encap = yes on the VPN gateway to enforce
> ESP-in-UDP encapsulation as a workaround, but I wouldn't like to keep
> it, affecting all road warriors, even if they do not own a Fritzbox. It
> might create new problems.
>
> Do you think charon running on the VPN gateway would be able to detect
> the lost ESP traffic and switch over to ESP encapsulation automatically?
>
>
> Regards
>
> Harri
Sorry, I did not read all of it. I think encap is not bad, even for all
users. There might be another scenario where multiple users are behind
the same NAT device and encap is needed. Just think about carrier-grade
NAT, which is being implemented.
Kind regards,
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
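For reference, here is what the workaround discussed in the thread looks like in a strongSwan 5.9 swanctl.conf road-warrior profile. This is an added example, not a configuration posted by either participant: the connection name, certificate file name, gateway identity, address pool and proposals are placeholders. The one line that matters for the Fritzbox case is `encap = yes`, which makes charon fake the NAT-D payloads so that every peer encapsulates ESP in UDP (port 4500) even when no NAT is detected on the path.

```conf
# Added example (not from the thread): swanctl.conf remote-access profile
# on the Debian gateway with UDP encapsulation enforced for all clients.
# All names, files, addresses and proposals below are assumptions.
connections {
    rw {
        local_addrs = 0.0.0.0/0
        pools = rw-pool
        # Fake NAT-D payloads so peers always send ESP inside UDP/4500.
        # Without this, a client behind a Fritzbox that already has one ESP
        # flow to this gateway may get its return ESP traffic dropped.
        encap = yes
        local {
            auth = pubkey
            certs = gateway.pem
            id = vpn.example.org
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            rw {
                local_ts = 0.0.0.0/0
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}
pools {
    rw-pool {
        addrs = 10.10.0.0/16
    }
}
```

Load it with `swanctl --load-all` and check `swanctl --list-sas`: every child SA should show `ESP in UDP` rather than plain ESP. The legacy ipsec.conf equivalent is `forceencaps=yes` in the conn section. Enforcing encapsulation only costs the 8-byte UDP header per packet and a keepalive every `charon.keep_alive` interval, which is why the reply above argues it is acceptable for all users, including those behind carrier-grade NAT.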