[strongSwan] how to tell charon-nm to use 500/udp and 4500/udp

[Harald Dunkel]

Hi Tobias,

On 2022-07-14 16:15:29, Tobias Brunner wrote:
> Hi Harald,
> 
>> is there some way to tell charon-nm to use 4500/udp for the outgoing
>> connection, instead of an arbitrary port, if available? Same for
>> 500/udp.
> 
> You can explicitly configure the ports via strongswan.conf
> (charon-nm.port and charon-nm.port_nat_t).  Just make sure you don't use
> charon or charon-systemd on the same host to avoid conflicts.
> 

Of course I will look into this, but how comes using 500/udp and 4500/udp
isn't the default? Thats how I read https://wiki.strongswan.org/projects/\
strongswan/wiki/ConnSection, left|rightikeport.

>> I assume a problem on the AVM Fritzbox in this context. 500/udp and
>> 4500/udp at both ends appears to be more reliable.
> 
> That doesn't really make sense as there could always be a NAT in between
> that changes the source ports.
> 

I am aware of that. It is not working, i.e. we cannot assume a reasonable
implementation. Fact is, the traffic returned by my VPN gateway (4500/udp
to lets say 32480/udp) at the end of phase 2 (IKE2) doesn't reach the home
office laptop of my colleague (both strongswan). I just cannot say if this
is sabotaged by his IP provider or if this is a broken stateful package
filter or some other bug in the Fritzbox. What would be your guess here?

> Also, has AVM finally released a version of their system that supports
> IKEv2?  Took them long enough.  But considering their track record
> regarding IKEv1, I guess we have to expect interoperability issues for
> the next 20 years.
> 
This is a misunderstanding. Both peers are running a recent Debian and
strongswan 5.9.6. The Fritzbox is just the modem/gateway/firewall in
my colleagues home network. I understand that the Fritzbox runs its own
IPsec connections. Yet another reason to assume a bug in the Fritzbox
in this context.


Regards

Harri