Hello, I have an issue with strongSwan and an OpenBSD S2S VPN with NAT between the two endpoints. I have this issue in the live environment, so I installed a test environment under VirtualBox and was able to reproduce it. The VPN connection is shown as established, but the tunnel is not installed as "ESP in UDP" although the negotiation goes over port 4500 and NAT was detected. If I disable NAT in the gateway, the VPN works well. The OpenBSD box sends out UDP-encapsulated packets (if I do a ping from OpenBSD to the ubuntu-server like: ping -I 192.168.222.254 192.168.1.16). The packets reach the ubuntu-server, but then I see no reply. I think this is because the tunnel isn't established in UDP encap mode. I attached tcpdump captures from both machines. Does anyone know where the failure is? Is it a config failure? Thanks in advance. Flavius
Here is my setup:
192.168.1.0/24 === ubuntu-server 16.04.3 LTS [VPN Endpoint: IP 10.0.0.16] ======= [NAT-Address to ubuntu server 10.0.0.100] NAT-GW (OpenBSD 6.1) ===== [VPN Endpoint: IP 10.0.0.16] OpenBSD 6.1 === 192.168.222.0/24
<==============================================================================<
VPN is initiated from the OpenBSD box to the ubuntu server
**********************************************************************************************************
ubuntu-server:
runs with
root@ubuntu-vpn-gw:~# ipsec version
Linux strongSwan U5.3.5/K4.4.0-87-generic
ipsec.conf:
root@ubuntu-vpn-gw:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    uniqueids = yes
    charondebug = "ike 3, esp 3, cfg 3, enc 1, lib 2, mgr 3, net 3"
include /etc/ipsec.d/connections/
connection voith-opnbsdapu
root@ubuntu-vpn-gw:~# cat /etc/ipsec.d/connections/voith-openbsdapu.conf
conn voith-openbsdapu
    type=tunnel
    authby=secret
    auto=add
    aggressive=no
    left=10.0.0.16
    leftsendcert=never
    leftsubnet=192.168.1.0/24
    keyexchange=ikev1
    ikelifetime=8h
    keylife=1h
    right=%any
    rightsubnet=192.168.222.0/24
    ike=aes256-sha2_256-modp1536!
    esp=aes256-sha2_256!
root@ubuntu-vpn-gw:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-87-generic, x86_64):
uptime: 29 minutes, since Nov 08 13:42:12 2017
malloc: sbrk 1486848, mmap 0, used 344048, free 1142800
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
192.168.1.16
10.0.0.16
192.168.56.100
Connections:
voith-openbsdapu: 10.0.0.16...%any IKEv1
voith-openbsdapu: local: [10.0.0.16] uses pre-shared key authentication
voith-openbsdapu: remote: uses pre-shared key authentication
voith-openbsdapu: child: 192.168.1.0/24 === 192.168.222.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
voith-openbsdapu[1]: ESTABLISHED 29 minutes ago, 10.0.0.16[10.0.0.16]...10.0.0.100[OpenBSD61-VM-4.my.domain]
voith-openbsdapu[1]: IKEv1 SPIs: 39ffa08de8e70bf9_i 1e9d80f29e97d882_r*, pre-shared key reauthentication in 7 hours
voith-openbsdapu[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
voith-openbsdapu{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2742000_i bd0678b6_o
voith-openbsdapu{2}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 34 minutes
voith-openbsdapu{2}: 192.168.1.0/24 === 192.168.222.0/24
**********************************************************************************************************
openbsd 6.1
isakmpd and ipsecctl
root@OpenBSD61-VM-4:/root # cat /etc/ipsec.conf
local_network = "192.168.222.0/24"
local_vpn_endpoint = "em1"
remote_vpn_endpoint = "10.0.0.16"
remote_networks = "192.168.1.0/24"
phase_one = "hmac-sha2-256 enc aes-256 group modp1536"
phase_two = "hmac-sha2-256 enc aes-256 group none"
ike dynamic esp from $local_network to $remote_networks \
    local $local_vpn_endpoint peer $remote_vpn_endpoint \
    main auth $phase_one \
    quick auth $phase_two \
    psk "MYSECRET"
root@OpenBSD61-VM-4:/root # ipsecctl -sa
FLOWS:
flow esp in from 192.168.1.0/24 to 192.168.222.0/24 peer 10.0.0.16 srcid OpenBSD61-VM-4.my.domain dstid 10.0.0.16/32 type use
flow esp out from 192.168.222.0/24 to 192.168.1.0/24 peer 10.0.0.16 srcid OpenBSD61-VM-4.my.domain dstid 10.0.0.16/32 type require
SAD:
esp tunnel from 10.0.0.16 to 172.16.0.3 spi 0xb244137a auth hmac-sha2-256 enc aes-256
esp tunnel from 172.16.0.3 to 10.0.0.16 spi 0xcc60d6ed auth hmac-sha2-256 enc aes-256
root@OpenBSD61-VM-4:/root # isakmpd -dKvvvv
143012.343842 Default isakmpd: starting [priv]
143024.253407 Default isakmpd: phase 1 done: initiator id OpenBSD61-VM-4.my.domain, responder id 10.0.0.16, src: 172.16.0.3 dst: 10.0.0.16
143024.256211 Default isakmpd: quick mode done: src: 172.16.0.3 dst: 10.0.0.16
Best regards
Flavius Mews
Attachment: strongswan_syslog.log
####openbsd box#####
root@OpenBSD61-VM-4:/root # tcpdump -ni em1 host 10.0.0.16
tcpdump: listening on em1, link-type EN10MB
14:41:43.726474 172.16.0.3.4500 > 10.0.0.16.4500:udpencap: esp 172.16.0.3 > 10.0.0.16 spi 0xcc60d6ed seq 22 len 136
14:41:44.696051 172.16.0.3.4500 > 10.0.0.16.4500:NAT-T Keepalive
14:41:44.735783 172.16.0.3.4500 > 10.0.0.16.4500:udpencap: esp 172.16.0.3 > 10.0.0.16 spi 0xcc60d6ed seq 23 len 136
14:41:45.726112 172.16.0.3.4500 > 10.0.0.16.4500:udpencap: esp 172.16.0.3 > 10.0.0.16 spi 0xcc60d6ed seq 24 len 136
14:41:46.676652 172.16.0.3.4500 > 10.0.0.16.4500:udpencap: isakmp v1.0 exchange INFO encrypted
cookie: b0e168cb769497e7->dc1178bf96080c15 msgid: 02790051 len: 108
14:41:46.687415 10.0.0.16.4500 > 172.16.0.3.4500:udpencap: isakmp v1.0 exchange INFO encrypted
cookie: b0e168cb769497e7->dc1178bf96080c15 msgid: 0a476c8d len: 108 (DF)
14:41:46.725127 172.16.0.3.4500 > 10.0.0.16.4500:udpencap: esp 172.16.0.3 > 10.0.0.16 spi 0xcc60d6ed seq 25 len 136
14:41:47.725354 172.16.0.3.4500 > 10.0.0.16.4500:udpencap: esp 172.16.0.3 > 10.0.0.16 spi 0xcc60d6ed seq 26 len 136
14:41:48.724472 172.16.0.3.4500 > 10.0.0.16.4500:udpencap: esp 172.16.0.3 > 10.0.0.16 spi 0xcc60d6ed seq 27 len 136
####ubuntu-server######
root@ubuntu-vpn-gw:~# tcpdump -ni enp0s8 host 10.0.0.100
14:42:42.789559 IP 10.0.0.100.4500 > 10.0.0.16.4500: isakmp-nat-keep-alive
14:42:42.830415 IP 10.0.0.100.4500 > 10.0.0.16.4500: UDP-encap: ESP(spi=0xcc60d6ed,seq=0x17), length 136
14:42:43.821356 IP 10.0.0.100.4500 > 10.0.0.16.4500: UDP-encap: ESP(spi=0xcc60d6ed,seq=0x18), length 136
14:42:44.771309 IP 10.0.0.100.4500 > 10.0.0.16.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
14:42:44.777256 IP 10.0.0.16.4500 > 10.0.0.100.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
14:42:44.819234 IP 10.0.0.100.4500 > 10.0.0.16.4500: UDP-encap: ESP(spi=0xcc60d6ed,seq=0x19), length 136
14:42:45.821803 IP 10.0.0.100.4500 > 10.0.0.16.4500: UDP-encap: ESP(spi=0xcc60d6ed,seq=0x1a), length 136
14:42:46.822675 IP 10.0.0.100.4500 > 10.0.0.16.4500: UDP-encap: ESP(spi=0xcc60d6ed,seq=0x1b), length 136
14:42:49.795317 IP 10.0.0.100.4500 > 10.0.0.16.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
14:42:49.796441 IP 10.0.0.16.4500 > 10.0.0.100.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
14:42:54.818747 IP 10.0.0.100.4500 > 10.0.0.16.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
14:42:54.823096 IP 10.0.0.16.4500 > 10.0.0.100.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
14:42:59.842896 IP 10.0.0.100.4500 > 10.0.0.16.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
14:42:59.844659 IP 10.0.0.16.4500 > 10.0.0.100.4500: NONESP-encap: isakmp: phase 2/others ? inf[E]
14:43:02.813497 IP 10.0.0.100.4500 > 10.0.0.16.4500: isakmp-nat-keep-alive
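An added diagnostic for the two symptoms the post describes (my own example code, not from the post, strongSwan or OpenBSD): it parses the `ipsec statusall` CHILD_SA lines and the `ipsecctl -sa` SAD lines quoted above, flags a CHILD_SA that strongSwan installed without "ESP in UDP", and reports ESP SPIs that one end has installed but the peer does not. The two listings must be captured at the same moment for the SPI comparison to mean anything; the ones in the post were taken at different times, so a mismatch there may only reflect a rekey.

```python
import re

# Constructed sample input: the SA listings quoted in the post, one line per SA.
STRONGSWAN_STATUS = """\
voith-openbsdapu{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2742000_i bd0678b6_o
voith-openbsdapu{2}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 34 minutes
voith-openbsdapu{2}: 192.168.1.0/24 === 192.168.222.0/24
"""
OPENBSD_SAD = """\
SAD:
esp tunnel from 10.0.0.16 to 172.16.0.3 spi 0xb244137a auth hmac-sha2-256 enc aes-256
esp tunnel from 172.16.0.3 to 10.0.0.16 spi 0xcc60d6ed auth hmac-sha2-256 enc aes-256
"""

# strongSwan prints "ESP in UDP SPIs:" when the CHILD_SA uses NAT-T encapsulation,
# and plain "ESP SPIs:" when it does not; the optional group captures that difference.
CHILD_RE = re.compile(
    r"^(?P<conn>\S+)\{\d+\}:\s+INSTALLED,\s+TUNNEL,.*?ESP(?P<udp> in UDP)? SPIs:\s+"
    r"(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o", re.M)
# ipsecctl -sa SAD entry: "esp tunnel from <src> to <dst> spi 0x<hex> ..."
SAD_RE = re.compile(r"^esp tunnel from (\S+) to (\S+) spi 0x([0-9a-f]+)", re.M)

def parse_strongswan(status):
    """One dict per INSTALLED CHILD_SA: connection name, UDP-encap flag, SPIs."""
    return [{"conn": m["conn"], "udp_encap": m["udp"] is not None,
             "spi_in": int(m["spi_in"], 16), "spi_out": int(m["spi_out"], 16)}
            for m in CHILD_RE.finditer(status)]

def parse_openbsd_sad(sad):
    """One dict per SAD entry with endpoints and SPI."""
    return [{"src": s, "dst": d, "spi": int(spi, 16)} for s, d, spi in SAD_RE.findall(sad)]

def diagnose(status, sad):
    """Return a list of human-readable findings; an empty list means no mismatch found."""
    findings = []
    children = parse_strongswan(status)
    if not children:
        findings.append("no INSTALLED CHILD_SA in strongSwan status")
    peer_spis = {e["spi"] for e in parse_openbsd_sad(sad)}
    for c in children:
        if not c["udp_encap"]:
            findings.append(f"{c['conn']}: CHILD_SA installed without UDP encapsulation "
                            "(no 'ESP in UDP'); ESP-in-UDP from the peer will not be decapsulated")
        for direction in ("spi_in", "spi_out"):
            if c[direction] not in peer_spis:
                findings.append(f"{c['conn']}: SPI 0x{c[direction]:08x} ({direction}) "
                                "is not present in the peer's SAD")
    return findings

if __name__ == "__main__":
    for line in diagnose(STRONGSWAN_STATUS, OPENBSD_SAD):
        print(line)
```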
