[strongSwan] how to tell charon-nm to use 500/udp and 4500/udp

Tobias Brunner tobias at strongswan.org
Thu Jul 14 17:35:51 CEST 2022


Hi Harald,

>>> is there some way to tell charon-nm to use 4500/udp for the outgoing
>>> connection, instead of an arbitrary port, if available? Same for
>>> 500/udp.
>>
>> You can explicitly configure the ports via strongswan.conf
>> (charon-nm.port and charon-nm.port_nat_t).  Just make sure you don't use
>> charon or charon-systemd on the same host to avoid conflicts.
>>
> 
> Of course I will look into this, but how come using 500/udp and 4500/udp
> isn't the default?

Primarily, to avoid conflicts with regular (i.e. non-NM) versions of the 
daemon that might be running concurrently on the same system.  Using 
ephemeral source ports also makes using custom server ports easy 
(configurable in the NM plugin) as that would otherwise require changing 
the source port away from 500 anyway.

> That's how I read https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection, left|rightikeport.

Which has absolutely nothing to do with charon-nm (uses a completely 
different configuration interface).

>>> I assume a problem on the AVM Fritzbox in this context. 500/udp and
>>> 4500/udp at both ends appears to be more reliable.
>>
>> That doesn't really make sense as there could always be a NAT in between
>> that changes the source ports.
>>
> 
> I am aware of that. It is not working, i.e. we cannot assume a reasonable
> implementation. Fact is, the traffic returned by my VPN gateway (4500/udp
> to let's say 32480/udp) at the end of phase 2 (IKE2) doesn't reach the home
> office laptop of my colleague (both strongswan). I just cannot say if this
> is sabotaged by his IP provider or if this is a broken stateful packet
> filter or some other bug in the Fritzbox. What would be your guess here?

How large is that message?  Although you use 5.9.6 on both ends (i.e. 
IKE fragmentation should generally be enabled), it could still be a 
fragmentation issue if the default fragment size of 1280 bytes is too 
much (you could try reducing charon.fragment_size).

>> Also, has AVM finally released a version of their system that supports
>> IKEv2?  Took them long enough.  But considering their track record
>> regarding IKEv1, I guess we have to expect interoperability issues for
>> the next 20 years.
>>
> This is a misunderstanding. Both peers are running a recent Debian and
> strongswan 5.9.6. The Fritzbox is just the modem/gateway/firewall in
> my colleagues home network. I understand that the Fritzbox runs its own
> IPsec connections. Yet another reason to assume a bug in the Fritzbox
> in this context.

I see.  Can you capture traffic on that box?

Regards,
Tobias
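
The conflict check Tobias warns about, as an added example (not from this thread or the strongSwan project): it scans `ss -lunp`-style output for anything already bound to UDP 500/4500 before pinning charon-nm to those ports, and prints the strongswan.conf fragment with the two settings named above. The sample `ss` output and the /etc/strongswan.conf path are constructed assumptions.

```shell
#!/bin/sh
# Added example: check for another IKE daemon on UDP 500/4500 before
# giving charon-nm fixed ports (charon-nm.port / charon-nm.port_nat_t).
# Assumes iproute2 `ss -lunp` line format; the sample below is constructed
# and shows charon-systemd already holding both ports.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:500  0.0.0.0:* users:(("charon-systemd",pid=1234,fd=12))
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon-systemd",pid=1234,fd=13))
UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("systemd-resolve",pid=400,fd=5))'

# ike_port_conflicts <ss-output>: prints "<port> <process>" for every UDP
# socket on 500 or 4500; returns 1 if any was found, 0 if the ports are free.
ike_port_conflicts() {
    printf '%s\n' "$1" | awk '
        $1 == "UNCONN" {
            n = split($4, a, ":"); port = a[n] + 0
            if (port == 500 || port == 4500) {
                proc = $0
                sub(/.*users:\(\("/, "", proc); sub(/".*/, "", proc)
                print port, proc; found = 1
            }
        }
        END { if (found) exit 1; exit 0 }'
}

# charon_nm_fixed_ports_conf: strongswan.conf fragment that moves charon-nm
# from ephemeral source ports to the standard IKE ports.
charon_nm_fixed_ports_conf() {
    cat <<'EOF'
charon-nm {
    port = 500
    port_nat_t = 4500
}
EOF
}

# Real use: replace "$SAMPLE_SS" with "$(ss -lunp)" (needs root to see pids).
if conflicts=$(ike_port_conflicts "$SAMPLE_SS"); then
    echo "UDP 500/4500 are free; fragment for /etc/strongswan.conf (assumed path):"
    charon_nm_fixed_ports_conf
else
    echo "fixed ports for charon-nm would collide with:"
    echo "$conflicts"
fi
```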

