On 28.12.2012 16:34, Bharath Kumar wrote:
> Klaus,
>
> The firewall on either end could be blocking ESP traffic (IP Protocol = 50) and that's where forcing NAT-T would help.

Indeed, I was blocking ESP on the server side. I have now allowed ESP and it works fine. Btw: do I also have to allow AH (IP proto 51)? If I understand correctly, IPsec tunnel mode only requires ESP.

> Have you tried setting this in ipsec.conf?
> forceencaps=true

This also helped. I think I will stay with "force NAT traversal" to avoid problems with ESP-blocking firewalls on the client side.

Thanks for the fast response,
Klaus

> The traffic in the log file seems to be for Dead Peer Detection.
>
> Thanks,
> Bharath Kumar
>
> On Friday, December 28, 2012, Klaus Darilion wrote:
>
> Hi!
>
> I have set up strongSwan 5.0.1 with certificate authentication. The tunnel creation works fine, and if the iPhone is behind NAT, strongSwan detects the NAT, uses port 4500 and everything works fine.
>
> But if the iPhone is not behind NAT, the tunnel creation works fine, but then, if I want to surf on the iPhone, it does not work. Attached is the output of "tail -f /var/log/syslog|grep charon" multiplexed with "tcpdump -i any -n port 500 or 4500 or host 192.168.102.2":
>
> There is some traffic after the tunnel is created, but what kind of traffic is this? "real" traffic or some "keep alive" traffic?
>
> Any ideas why it does not work when the client uses a public IP address?
>
> Is it possible to force "NAT" behavior also if clients are not behind NAT?
>
> Any hints are appreciated.
>
> Thanks
> Klaus
>
> # ipsec.conf - strongSwan IPsec configuration file
> ##################################################
> config setup
>     charondebug=all
>
> conn RoadWarrior-CiscoIPsec-klaus
>     type=tunnel
>     dpdaction=clear
>     dpddelay=60
>     dpdtimeout=60
>     keyexchange=ikev1
>     authby=xauthrsasig
>     xauth=server
>     left=%defaultroute
>     leftsubnet=0.0.0.0/0
>     leftfirewall=yes
>     leftcert=serverCert.pem
>     right=%any
>     rightsourceip=192.168.102.2
>     rightcert=clientCert.pem
>     auto=add
>
> # strongswan.conf - strongSwan configuration file
> #################################################
> charon {
>     threads = 16
>     dns1=192.168.99.1
> }

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
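Added example (not part of the thread, and not strongSwan's own code): a small classifier for the kind of tcpdump output Klaus multiplexed with the charon log. It sorts each captured line into IKE, IKE informational (IKEv1 Dead Peer Detection per RFC 3706 travels in informational exchanges), NAT-T keepalives (the 1-byte UDP/4500 packets), UDP-encapsulated ESP, raw ESP (IP protocol 50) and AH (IP protocol 51), and then derives which firewall openings the observed traffic actually needs. That makes the two situations in the thread visible side by side: a client with a public IP and no forceencaps sends raw ESP, so protocol 50 must be allowed on the server; with forceencaps everything after the first IKE exchange rides on UDP/4500. The capture lines, addresses and SPIs below are constructed for the example, modelled on tcpdump -n output; ESP-only SAs (strongSwan's default) generate no AH packets, so the code only calls for protocol 51 if AH really shows up.

```python
import re
from collections import Counter

# tcpdump -n prints "<time> IP <src> > <dst>: <payload>"; for UDP the last
# dotted component of <src>/<dst> is the port (IPv4 addresses only here).
LINE_RE = re.compile(r"^\S+ IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$")

# Constructed capture: iPhone on a public IP, server firewall drops proto 50.
# IKE on UDP/500 succeeds, data goes out as raw ESP, DPD keeps the SA alive.
NO_NAT_CAPTURE = """\
12:00:01.000000 IP 203.0.113.5.500 > 198.51.100.10.500: isakmp: phase 1 I agg
12:00:01.050000 IP 198.51.100.10.500 > 203.0.113.5.500: isakmp: phase 1 R agg
12:00:01.900000 IP 203.0.113.5.500 > 198.51.100.10.500: isakmp: phase 2/others I oakley-quick[E]
12:00:02.100000 IP 203.0.113.5 > 198.51.100.10: ESP(spi=0xc1b2a3d4,seq=0x1), length 132
12:00:02.200000 IP 203.0.113.5 > 198.51.100.10: ESP(spi=0xc1b2a3d4,seq=0x2), length 132
12:01:01.000000 IP 203.0.113.5.500 > 198.51.100.10.500: isakmp: phase 2/others I inf[E]
12:01:01.050000 IP 198.51.100.10.500 > 203.0.113.5.500: isakmp: phase 2/others R inf[E]
"""

# Constructed capture: same client, but the server forces UDP encapsulation.
# After the first exchange both IKE and ESP float to UDP/4500.
FORCEENCAPS_CAPTURE = """\
12:00:01.000000 IP 203.0.113.5.500 > 198.51.100.10.500: isakmp: phase 1 I agg
12:00:01.050000 IP 198.51.100.10.500 > 203.0.113.5.500: isakmp: phase 1 R agg
12:00:01.900000 IP 203.0.113.5.4500 > 198.51.100.10.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:00:02.100000 IP 203.0.113.5.4500 > 198.51.100.10.4500: UDP-encap: ESP(spi=0x9a8b7c6d,seq=0x1), length 132
12:00:02.200000 IP 198.51.100.10.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x1f2e3d4c,seq=0x1), length 132
12:00:21.000000 IP 203.0.113.5.4500 > 198.51.100.10.4500: isakmp-nat-keep-alive
12:01:01.000000 IP 203.0.113.5.4500 > 198.51.100.10.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
"""


def _port(addr):
    """Trailing UDP port of a tcpdump IPv4 address ('10.0.0.1.4500' -> 4500), else None."""
    host, sep, port = addr.rpartition(".")
    return int(port) if sep and host.count(".") == 3 and port.isdigit() else None


def classify(line):
    """Map one tcpdump line to the kind of IPsec traffic it carries."""
    m = LINE_RE.match(line)
    if not m:
        return "other"
    payload = m.group("payload")
    if payload.startswith("isakmp-nat-keep-alive"):
        return "nat-t-keepalive"      # 1-byte UDP/4500 packets, never user data
    if payload.startswith("UDP-encap: ESP"):
        return "esp-udp-encap"        # ESP inside UDP/4500 (NAT-T or forceencaps)
    if payload.startswith("ESP("):
        return "esp"                  # raw ESP, IP protocol 50
    if payload.startswith("AH("):
        return "ah"                   # raw AH, IP protocol 51
    if payload.startswith(("isakmp", "NONESP-encap: isakmp")):
        # IKEv1 DPD (R-U-THERE / ACK) is an informational exchange: "inf" in tcpdump.
        return "ike-informational" if " inf" in payload else "ike"
    return "other"


def summarize(capture):
    """Count traffic kinds in a capture; answers 'real traffic or keep-alive?'."""
    return Counter(classify(l) for l in capture.splitlines() if l.strip())


def required_firewall_rules(capture):
    """Firewall openings the observed traffic needs on the responder."""
    counts = summarize(capture)
    uses_4500 = any(
        4500 in (_port(m.group("src")), _port(m.group("dst")))
        for m in map(LINE_RE.match, capture.splitlines()) if m
    )
    rules = {"udp/500"}               # IKE always starts on UDP/500
    if uses_4500:
        rules.add("udp/4500")         # NAT-T: IKE float, UDP-encap ESP, keepalives
    if counts["esp"]:
        rules.add("ip-proto/50")      # raw ESP must pass, or data traffic dies silently
    if counts["ah"]:
        rules.add("ip-proto/51")      # only if AH is actually negotiated
    return sorted(rules)


if __name__ == "__main__":
    for name, cap in (("no NAT", NO_NAT_CAPTURE), ("forceencaps", FORCEENCAPS_CAPTURE)):
        print(name, dict(summarize(cap)), "->", required_firewall_rules(cap))
```

Run it on a real capture by feeding the tcpdump output to summarize() and required_firewall_rules(); a capture that contains raw ESP lines in only one direction while IKE informational exchanges keep succeeding is exactly the symptom from the thread (IKE passes, protocol 50 is dropped), and the forceencaps capture shows why forcing encapsulation sidesteps it.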
