Issue #3070

strongswan cannot receive IKE_AUTH message on udp 4500 in nat environment

Added by zhonghai li over 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.3.5
Resolution:
No feedback

Description

Hi,

I set up strongswan as an IKEv2 client behind a NAT device, and another strongswan as the IKEv2 SecGW:

strongswan client(192.168.51.43) <=====> (192.168.51.1) NAT device (192.168.104.3) <=====> strongswan SecGW(192.168.104.15)

The IPsec tunnel can be set up successfully, but when reauth occurs, the strongswan client cannot get the IKE_AUTH message on UDP 4500.
However, I can see the IKE_AUTH packets with Wireshark on the client side.

Could you help me check the reason?
I have uploaded the strongswan log and Wireshark packets.

zhonghai li

History

#1 Updated by zhonghai li over 1 year ago

Hi,

I mean the strongswan client cannot get the IKE_AUTH response message from the SecGW.

zhonghai li

#2 Updated by Tobias Brunner over 1 year ago

  • Status changed from New to Feedback

Check the log/capture on the responder. Does it receive the requests? Does it respond? Then check what the NAT boxes/firewall do etc. Also, you might want to enable IKEv2 fragmentation (there are IKE_AUTH IP fragments, which might be a problem for some middleboxes).

#3 Updated by zhonghai li over 1 year ago

Hi,

Yes, the responder receives the request and sends the response to the initiator.

And the IKE_AUTH response has arrived at the initiator side. You can see the IKE_AUTH messages in the Wireshark log.
I ran Wireshark on the Linux host of the initiator.

I have no idea why the initiator strongswan does not get the IKE_AUTH response.

If I remove the NAT device, the IKE_AUTH request/response messages work well on UDP 500.

zhonghai li

#4 Updated by Tobias Brunner over 1 year ago

> I have no idea why the initiator strongswan does not get the IKE_AUTH response.

No idea either. Maybe a local firewall issue (Wireshark works on a different layer and might see messages the daemon does not).
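A practical way to narrow down the "Wireshark sees it, charon does not" situation is to read the daemon's own log for the exchange in question: after NAT detection charon moves to UDP 4500, and an IKE_AUTH request that is only ever retransmitted, with no "parsed IKE_AUTH response" line, points at something between the wire and the daemon (host firewall, dropped IP fragments). The checker below is an added example, not code from the issue or from the strongSwan project; the log lines it reads are constructed in charon's message style rather than taken from the attached log, and the 1400-byte threshold for flagging likely IP fragmentation is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in strongSwan charon's log style (not the issue's attached log).
# NAT is detected during IKE_SA_INIT, the daemon switches to UDP 4500, and the
# IKE_AUTH request is retransmitted without any response being parsed.
SAMPLE_LOG = """\
08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
08[NET] sending packet: from 192.168.51.43[500] to 192.168.104.15[500] (464 bytes)
10[NET] received packet: from 192.168.104.15[500] to 192.168.51.43[500] (472 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[IKE] local host is behind NAT, sending keep alives
10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr ]
10[NET] sending packet: from 192.168.51.43[4500] to 192.168.104.15[4500] (1632 bytes)
12[IKE] retransmit 1 of request with message ID 1
12[NET] sending packet: from 192.168.51.43[4500] to 192.168.104.15[4500] (1632 bytes)
14[IKE] retransmit 2 of request with message ID 1
14[NET] sending packet: from 192.168.51.43[4500] to 192.168.104.15[4500] (1632 bytes)
"""

GEN_RE = re.compile(r"\[ENC\] generating (\w+) request (\d+)")
PARSED_RE = re.compile(r"\[ENC\] parsed (\w+) response (\d+)")
SEND_RE = re.compile(r"\[NET\] sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\] \((\d+) bytes\)")
RETRANS_RE = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")
NAT_RE = re.compile(r"\[IKE\] (local|remote) host is behind NAT")


@dataclass
class Exchange:
    """One request/response exchange, keyed by IKEv2 message ID."""
    kind: str                       # IKE_SA_INIT, IKE_AUTH, ...
    mid: int
    local_port: Optional[int] = None
    size: Optional[int] = None      # bytes of the last request packet sent
    sends: int = 0                  # initial send plus retransmits
    retransmits: int = 0
    answered: bool = False          # a response with this message ID was parsed


def analyse(log_text: str) -> Tuple[bool, Dict[int, Exchange]]:
    """Correlate generating/sending/retransmit/parsed lines per message ID."""
    exchanges: Dict[int, Exchange] = {}
    nat_detected = False
    last_mid: Optional[int] = None   # exchange the next "sending packet" belongs to
    for line in log_text.splitlines():
        m = GEN_RE.search(line)
        if m:
            mid = int(m.group(2))
            exchanges[mid] = Exchange(kind=m.group(1), mid=mid)
            last_mid = mid
            continue
        m = RETRANS_RE.search(line)
        if m:
            mid = int(m.group(2))
            if mid in exchanges:
                exchanges[mid].retransmits = int(m.group(1))
                last_mid = mid
            continue
        m = SEND_RE.search(line)
        if m and last_mid is not None and last_mid in exchanges:
            ex = exchanges[last_mid]
            ex.local_port = int(m.group(2))
            ex.size = int(m.group(5))
            ex.sends += 1
            continue
        m = PARSED_RE.search(line)
        if m:
            mid = int(m.group(2))
            if mid in exchanges:
                exchanges[mid].answered = True
            continue
        if NAT_RE.search(line):
            nat_detected = True
    return nat_detected, exchanges


def unanswered(log_text: str) -> List[Exchange]:
    """Exchanges for which a request went out but no response was parsed."""
    _, exchanges = analyse(log_text)
    return [ex for ex in exchanges.values() if not ex.answered]


def findings(log_text: str, mtu_hint: int = 1400) -> List[str]:
    """Human-readable hints; mtu_hint is an assumed size above which IP fragmentation is likely."""
    nat, exchanges = analyse(log_text)
    out: List[str] = []
    if nat:
        out.append("NAT detected: daemon switched to UDP 4500, so the local firewall "
                   "must accept UDP 4500 and not only UDP 500")
    for ex in exchanges.values():
        if ex.answered:
            continue
        out.append(f"{ex.kind} request {ex.mid}: {ex.sends} sends, {ex.retransmits} retransmits, "
                   f"no response parsed on local port {ex.local_port}")
        if ex.size is not None and ex.size > mtu_hint:
            out.append(f"  request is {ex.size} bytes (> {mtu_hint}): likely IP-fragmented on the wire; "
                       f"consider enabling IKEv2 fragmentation")
    return out


if __name__ == "__main__":
    for hint in findings(SAMPLE_LOG):
        print(hint)
```

Run it against the initiator's charon log (`findings(open("charon.log").read())`); if the capture shows the IKE_AUTH response arriving on UDP 4500 while the daemon log shows only retransmits of the request, the next thing to check is what the host's own packet filter does with UDP 4500 and with IP fragments.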

#5 Updated by Tobias Brunner about 1 year ago

  • Category set to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
