Hi Eric,

> Sorry. Here is the complete log. This time, I recompiled Strongswan
> with socket-dynamic plugin.

You don't need the socket-dynamic plugin. That's only needed if you want to use multiple different source ports (leftikeport).

As you can see in the log the client does not send the packet with a non-ESP marker:

> Jul 13 18:44:44 ikev2 charon: 03[NET] received packet => 184 bytes @ 0xafaa49f0
> Jul 13 18:44:44 ikev2 charon: 03[NET] 0: 46 F9 B2 43 68 DA 95 DA 00 00 00 00 00 00 00 00 F..Ch...........

Instead it starts directly with the initiator SPI and the zeroed responder SPI. Because neither source nor destination port is 500 and the marker is not found, charon drops the packet.

The problem is that if neither port is 500 there won't be any port floating to port 4500 if a NAT is detected between the two peers. So if UDP encapsulation is enabled on this connection due to a NAT (with MOBIKE this could happen suddenly if the client is mobile and moves behind a NAT router), IKE messages couldn't be distinguished from UDP-encapsulated ESP packets on the same ports. So the daemon always assumes that if neither port is 500 a non-ESP marker is prepended to the IKE message. That's how it sends its own messages anyway.

I guess as receiver we could be a bit more lenient and just try to process the packet, but unless the client starts adding the marker if a NAT is detected the connection might be broken later.

Regards,
Tobias

_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
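To make the receive-side rule in the mail concrete, here is an added example (not strongSwan code) that classifies a UDP payload the way the reply describes: raw IKE on port 500, a mandatory 4-byte non-ESP marker on any other port, plus the "more lenient" variant Tobias mentions. The sample packet extends the 16 bytes shown in the log with constructed header fields and filler; the port pair 4500/4500 is an assumption.

```python
import struct
from dataclasses import dataclass

IKE_PORT = 500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: 4 zero bytes, an ESP SPI is never 0
IKE_HEADER_LEN = 28                     # RFC 7296 section 3.1
IKEV2_VERSION = 0x20

@dataclass
class Verdict:
    accepted: bool
    reason: str
    initiator_spi: str = ""

def parse_ike_header(data: bytes):
    """Return the initiator SPI (hex) if data looks like a complete IKEv2 message, else None."""
    if len(data) < IKE_HEADER_LEN:
        return None
    ispi, _rspi, _np, version, _xchg, _flags, _msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:IKE_HEADER_LEN])
    if version != IKEV2_VERSION or length != len(data):
        return None
    return ispi.hex()

def classify(src_port: int, dst_port: int, payload: bytes, lenient: bool = False) -> Verdict:
    # Port 500 only ever carries raw IKE, so no marker is expected there.
    if src_port == IKE_PORT or dst_port == IKE_PORT:
        spi = parse_ike_header(payload)
        return Verdict(spi is not None, "raw IKE expected on port 500", spi or "")
    # Any other port pair may also carry UDP-encapsulated ESP, so charon requires
    # the marker to tell the two apart; without it the packet is dropped.
    if payload.startswith(NON_ESP_MARKER):
        spi = parse_ike_header(payload[len(NON_ESP_MARKER):])
        return Verdict(spi is not None, "non-ESP marker found", spi or "")
    if lenient:  # the "just try to process the packet" idea from the mail
        spi = parse_ike_header(payload)
        if spi is not None:
            return Verdict(True, "no marker, but parses as IKE (lenient)", spi)
    return Verdict(False, "no non-ESP marker on non-500 port")

# Constructed sample: initiator SPI and zeroed responder SPI are the bytes from the
# log; next payload SA, version 2.0, IKE_SA_INIT, initiator flag, message id 0 and
# 156 filler bytes are made up so the total is the 184 bytes charon reported.
LOG_IKE_SA_INIT = (bytes.fromhex("46F9B24368DA95DA") + bytes(8)
                   + bytes([0x21, IKEV2_VERSION, 34, 0x08])
                   + struct.pack("!II", 0, 184) + bytes(156))

if __name__ == "__main__":
    print(classify(4500, 4500, LOG_IKE_SA_INIT))                    # dropped, as in the log
    print(classify(4500, 4500, NON_ESP_MARKER + LOG_IKE_SA_INIT))   # accepted
```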
