strongSwan cannot receive IKE_AUTH message on UDP 4500 in NAT environment
I set up strongSwan as an IKEv2 client behind a NAT device, and another strongSwan as the IKEv2 SecGW:
strongswan client(192.168.51.43) <=====> (192.168.51.1) NAT device (192.168.104.3) <=====> strongswan SecGW(192.168.104.15)
The IPsec tunnel can be set up successfully, but when reauth occurs, the strongSwan client cannot get the IKE_AUTH message on UDP 4500.
However, I can see the IKE_AUTH packets with Wireshark on the client side.
Could you help me check the reason?
I have uploaded the strongSwan log and the Wireshark packets.
#2 Updated by Tobias Brunner over 1 year ago
- Status changed from New to Feedback
Check the log/capture on the responder. Does it receive the requests? Does it respond? Then check what the NAT boxes/firewall do etc. Also, you might want to enable IKEv2 fragmentation (there are IKE_AUTH IP fragments, which might be a problem for some middleboxes).
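One way to check what the client's capture actually carries on UDP 4500, added here as an example and not code from this thread or from strongSwan: it decodes the NAT-T encapsulation (the zero non-ESP marker of RFC 3948, ESP-in-UDP, the one-byte keepalive) and the 28-byte IKEv2 header of RFC 7296, and flags a datagram whose declared IKE length exceeds the bytes present, which is what an IKE_AUTH message with a lost IP fragment looks like when only the first fragment reaches the socket. The SPIs, lengths and payloads below are constructed for the demonstration.

```python
import struct

# IKEv2 header (RFC 7296 s.3.1) is 28 bytes; on UDP 4500 it is preceded by a
# 4-byte zero "non-ESP marker" (RFC 3948 s.2.2) so it can be told apart from
# UDP-encapsulated ESP, whose first 4 bytes are a non-zero SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HEADER_FMT = "!QQBBBBII"
IKE_HEADER_LEN = struct.calcsize(IKE_HEADER_FMT)  # 28
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
PAYLOAD_SK = 46  # Encrypted and Authenticated payload, which IKE_AUTH carries


def classify_udp_payload(payload: bytes, dst_port: int) -> dict:
    """Classify one UDP datagram payload seen on port 500 or 4500 and decode its IKE header."""
    if dst_port == 4500:
        if payload == b"\xff":
            return {"kind": "NAT-keepalive"}
        if payload[:4] != NON_ESP_MARKER:
            return {"kind": "ESP-in-UDP", "spi": struct.unpack("!I", payload[:4])[0]}
        ike = payload[4:]
    elif dst_port == 500:
        ike = payload
    else:
        raise ValueError(f"not an IKE/NAT-T port: {dst_port}")
    if len(ike) < IKE_HEADER_LEN:
        raise ValueError("datagram shorter than an IKEv2 header")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        IKE_HEADER_FMT, ike[:IKE_HEADER_LEN])
    return {
        "kind": "IKE",
        "spi_i": f"{spi_i:016x}",
        "spi_r": f"{spi_r:016x}",
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "next_payload": next_payload,
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id,
        "declared_length": length,
        "captured_length": len(ike),
        # The header's Length field covers the whole message; if fewer bytes are
        # on the wire the datagram is incomplete (e.g. an IP fragment was lost)
        # and the IKE daemon never sees a usable message.
        "incomplete": length > len(ike),
    }


def build_ike_header(spi_i, spi_r, exchange, flags, message_id, length, next_payload=PAYLOAD_SK):
    """Build a constructed IKEv2 header (version 2.0) for the samples below."""
    return struct.pack(IKE_HEADER_FMT, spi_i, spi_r, next_payload, 0x20, exchange, flags, message_id, length)


# Constructed samples: SPIs, lengths and bodies are made up.
SPI_I, SPI_R = 0x1122334455667788, 0x99AABBCCDDEEFF00
# IKE_AUTH response on 4500 whose header claims 1324 bytes but only the first fragment arrived.
SAMPLE_AUTH_RESP_PARTIAL = NON_ESP_MARKER + build_ike_header(SPI_I, SPI_R, 35, FLAG_RESPONSE, 1, 1324) + b"\x00" * 600
# The same response with every byte present.
SAMPLE_AUTH_RESP_FULL = NON_ESP_MARKER + build_ike_header(SPI_I, SPI_R, 35, FLAG_RESPONSE, 1, 1324) + b"\x00" * (1324 - IKE_HEADER_LEN)
# An ESP-in-UDP data packet (SPI, sequence number, ciphertext) and a NAT keepalive.
SAMPLE_ESP = struct.pack("!I", 0xC1A2B3C4) + struct.pack("!I", 7) + b"\x55" * 40
SAMPLE_KEEPALIVE = b"\xff"


def report(samples):
    """Return one summary line per datagram, the way you'd eyeball a capture."""
    lines = []
    for port, payload in samples:
        info = classify_udp_payload(payload, port)
        if info["kind"] != "IKE":
            lines.append(f"udp/{port} {info['kind']}")
            continue
        role = "response" if info["response"] else "request"
        status = "INCOMPLETE" if info["incomplete"] else "ok"
        lines.append(f"udp/{port} {info['exchange']} {role} id={info['message_id']} "
                     f"len={info['captured_length']}/{info['declared_length']} {status}")
    return lines


if __name__ == "__main__":
    for line in report([(4500, SAMPLE_AUTH_RESP_PARTIAL), (4500, SAMPLE_AUTH_RESP_FULL),
                        (4500, SAMPLE_ESP), (4500, SAMPLE_KEEPALIVE)]):
        print(line)
```

Feed it the UDP payloads from the initiator-side capture (tshark or a pcap library can hand them over) and compare against the responder's capture: an IKE_AUTH response that is "ok" on the responder but "INCOMPLETE" or absent on the initiator points at a middlebox dropping fragments, which is the case IKEv2 fragmentation is meant to avoid.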
#3 Updated by zhonghai li over 1 year ago
Yes, the responder receives the request and sends the response to the initiator.
And the IKE_AUTH response has arrived at the initiator side; you can see the IKE_AUTH messages in the Wireshark log.
I ran Wireshark on the Linux host of the initiator.
I have no idea why the initiator strongSwan does not get the IKE_AUTH response.
If I remove the NAT device, the IKE_AUTH request/response messages work well on UDP 500.