Hi,

Your virtual IP pool range must either be distinct from
the leftsubnet 192.168.56.0/24, e.g.

  rightsourceip=192.168.57.0/24

or you can choose the virtual address pool as a subset
of leftsubnet, e.g.

  rightsourceip=192.168.56.128/25

but then you must add the farp plugin to [B] which handles
the ARP requests as a proxy for the virtual host [A].

Regards

Andreas

On 14.01.2013 08:50, hongwei tseng wrote:
I set up a scenario  [A]  - - -> [NAT] - - -> [B]
[A] fedora 17, strongswan 5.0.1, is behind a NAT router (ip 192.168.0.2)
[NAT] is a linux NAT router (ip 172.16.118.119)
[B] fedora 17, strongswan 5.0.1, offer virtual ip pool
192.168.56.2/24 (ip 172.16.118.124)

1. ikev2 and ipsec tunnel were established successfully
2. ping 192.168.56.1 [B] from 192.168.56.3[A]
3. tcpdump on [B] can sniff the UDP-encap ESP from [A] -> [B], but then
it disappears?

Anything misconfigured or missed ?

Thanks,
HW

This is the config on [B]:
Loading conn 'tun1'
   keyexchange=ikev2
   rekeymargin=3m
   authby=pubkey
   keyingtries=1
   mobike=no
   leftsourceip=192.168.56.2/24
   right=172.16.118.124
   rightsubnet=192.168.56.1/24
   leftid=C=te, CN=test
   rightcert=segw.crt
   ikelifetime=86400s
   keylife=86400s
   ike=aes-sha-modp2048
   esp=aes-sha
   auto=add

tcpdump on [B] :
14:30:10.930598 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65c), length 132
14:30:11.933938 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65d), length 132
14:30:12.934316 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65e), length 132
14:30:13.936215 IP 172.16.118.119.ipsec-nat-t > 172.16.118.124.ipsec-nat-t: UDP-encap: ESP(spi=0xc70472da,seq=0x65f), length 132

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
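
The rule from the reply above (the pool is either distinct from leftsubnet, or a subset of it with farp loaded) can be checked before a connection is deployed. The following is an added example, not part of the original mail and not strongSwan code; the function names, the result labels and the `farp_loaded` flag are assumptions, and the conn text is constructed from the addresses in the reply.

```python
import ipaddress

def parse_conn(text):
    """Collect key=value options from an ipsec.conf-style conn body."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def check_pool(conn_text, farp_loaded):
    """Classify rightsourceip against leftsubnet.

    Returns one of the labels (hypothetical, chosen for this example):
      distinct          - pool lies outside leftsubnet, nothing else needed
      subset-farp       - pool lies inside leftsubnet and farp proxies ARP
      subset-needs-farp - pool lies inside leftsubnet but farp is not loaded
      overlap           - pool is neither distinct from nor inside leftsubnet
      not-inline        - rightsourceip is a % keyword, not an address range
    """
    opts = parse_conn(conn_text)
    pool_text = opts["rightsourceip"]
    if pool_text.startswith("%"):
        return "not-inline"
    # strict=False accepts values with host bits set, e.g. 192.168.56.2/24
    subnet = ipaddress.ip_network(opts["leftsubnet"], strict=False)
    pool = ipaddress.ip_network(pool_text, strict=False)
    if not pool.overlaps(subnet):
        return "distinct"
    if pool.subnet_of(subnet):
        return "subset-farp" if farp_loaded else "subset-needs-farp"
    return "overlap"

def sample_conn(pool):
    """Constructed gateway conn using the leftsubnet from the reply."""
    return f"""
        keyexchange=ikev2
        leftsubnet=192.168.56.0/24
        rightsourceip={pool}   # virtual IP pool under test
        auto=add
    """

if __name__ == "__main__":
    for pool in ("192.168.57.0/24", "192.168.56.128/25", "192.168.0.0/16"):
        print(pool, "->", check_pool(sample_conn(pool), farp_loaded=False))
```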
