Klaus,

You're welcome.

I think AH is only needed if you intend to support that mode. ESP should be good enough for the case you described. As to NAT-T, yes, if both sides play well -- which seems to be the case in your case -- using it alleviates the firewall issues you might otherwise face.

Thanks,
Bharath Kumar

On Fri, Dec 28, 2012 at 11:11 AM, Klaus Darilion <[email protected]> wrote:

> On 28.12.2012 16:34, Bharath Kumar wrote:
>
>> Klaus,
>>
>> The firewall on either end could be blocking ESP traffic (IP Protocol =
>> 50) and that's where forcing NAT-T would help.
>
> Indeed, I was blocking ESP on the server side. I allowed now ESP and it
> works fine now.
>
> Btw: do I also have to allow AH (ip proto 51)? If I understand correctly,
> IPsec tunnel mode only requires ESP.
>
>> Have you tried setting this in ipsec.conf?
>> forceencaps=true
>
> This also helped.
>
> I think I will stay with "force NAT traversal" to avoid problems with ESP
> blocking firewalls on the client side.
>
> Thanks for the fast response,
> Klaus
>
>> The traffic in the log file seems to be for Dead Peer Detection.
>>
>> Thanks,
>> Bharath Kumar
>>
>> On Friday, December 28, 2012, Klaus Darilion wrote:
>>
>> Hi!
>>
>> I have set up strongSwan 5.0.1 with certificate authentication. The
>> tunnel creation works fine, and if the iPhone is behind NAT,
>> strongSwan detects the NAT, uses port 4500 and everything works fine.
>>
>> But if the iPhone is not behind NAT, the tunnel creation works fine,
>> but then, if I want to surf on the iPhone it does not work. Attached
>> is the output of "tail -f /var/log/syslog|grep charon" multiplexed
>> with "tcpdump -i any -n port 500 or 4500 or host 192.168.102.2":
>>
>> There is some traffic after the tunnel is created, but what kind of
>> traffic is this? "real" traffic or some "keep alive" traffic?
>>
>> Any ideas why it does not work when the client uses a public IP
>> address?
>>
>> Is it possible to force "NAT" behavior also if clients are not
>> behind NAT?
>>
>> Any hints are appreciated.
>>
>> Thanks
>> Klaus
>>
>> # ipsec.conf - strongSwan IPsec configuration file
>> ##################################################
>>
>> config setup
>>     charondebug=all
>>
>> conn RoadWarrior-CiscoIPsec-klaus
>>     type=tunnel
>>     dpdaction=clear
>>     dpddelay=60
>>     dpdtimeout=60
>>     keyexchange=ikev1
>>     authby=xauthrsasig
>>     xauth=server
>>     left=%defaultroute
>>     leftsubnet=0.0.0.0/0
>>     leftfirewall=yes
>>     leftcert=serverCert.pem
>>     right=%any
>>     rightsourceip=192.168.102.2
>>     rightcert=clientCert.pem
>>     auto=add
>>
>>
>> # strongswan.conf - strongSwan configuration file
>> #################################################
>>
>> charon {
>>     threads = 16
>>     dns1=192.168.99.1
>> }
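The thread turns on telling apart the traffic seen after the tunnel comes up: IKE on udp/500, encrypted IKEv1 informational exchanges (DPD), raw ESP (IP protocol 50, what a client with a public address sends when forceencaps is off) and UDP-encapsulated ESP on udp/4500 (NAT-T). The following is an added example, not code from either poster: it classifies lines of "tcpdump -n" output and derives which firewall openings the tunnel relies on. The capture lines, addresses and SPIs are constructed, and the tcpdump line formats are assumed to match what tcpdump prints for these packet types.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n" output; not the original poster's capture.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: phase 1 I ident
12:00:01.000003 IP 203.0.113.5 > 198.51.100.7: ESP(spi=0xc0ffee01,seq=0x1), length 132
12:00:02.000004 IP 203.0.113.5 > 198.51.100.7: ESP(spi=0xc0ffee01,seq=0x2), length 132
12:01:00.000005 IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: phase 2/others ? inf[E]
12:01:00.100006 IP 203.0.113.5.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0xc0ffee02,seq=0x1), length 140
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)

def classify(line):
    """Return (kind, udp_port) for one tcpdump line, or None if not IPsec."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest, port = m.group("rest"), m.group("dport")
    if rest.startswith("UDP-encap: ESP"):
        return "esp_udp_encap", int(port)      # NAT-T: ESP carried in UDP/4500
    if rest.startswith("ESP("):
        return "esp_raw", None                 # plain ESP, IP protocol 50
    if "isakmp" in rest:
        # "inf[E]" is an encrypted IKEv1 informational exchange (DPD, delete)
        kind = "ike_informational" if "inf[E]" in rest else "ike"
        return kind, int(port)
    return None

def diagnose(capture):
    """Count traffic kinds and list the firewall openings the tunnel relies on."""
    hits = [h for h in map(classify, capture.splitlines()) if h]
    counts = Counter(kind for kind, _ in hits)
    needs = sorted({f"udp/{port}" for _, port in hits if port})
    if counts["esp_raw"]:
        needs.append("ip-proto/50")            # AH (proto 51) is not needed
    return {
        "counts": dict(counts),
        "needs": needs,
        # Raw ESP appears only when no NAT was detected and forceencaps is off;
        # a firewall that passes just udp/500 and udp/4500 drops exactly this.
        "breaks_behind_udp_only_firewall": counts["esp_raw"] > 0,
    }
```

With forceencaps=true on the responder, the raw ESP lines disappear from such a capture and only udp/500 and udp/4500 remain in "needs".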
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
