
How to negotiate a transport-udp-esp-natt SA with a strongSwan server

cn flag

I have written an IKE client to negotiate IPsec SAs with some IKE servers, such as racoon and strongSwan.

When the negotiation finished, I sent IPsec packets (UDP-ESP packets) from the client machine; the strongSwan server machine receives the packets but does not handle them.

My transport-udp-natt network scenario:

machine A (CentOS 7), 172.23.25.10: IKE client, UDP client
machine B (Win7), 172.23.25.99 / 192.168.163.1
VMware machine inside machine B (CentOS 7), 192.168.163.130: IKE server, UDP server

When the negotiation finished, the SA info differed between the client and the strongSwan server. On machine A, the SA is:

172.23.25.10[4500] 172.23.25.99[4500] 
        esp-udp mode=transport spi=3409495451(0xcb38c59b) reqid=0(0x00000000)
        E: aes-cbc  bacca0d7 19fa120b 25202473 99704304 0e826139 f898be77 01b28606 b09ea092
        A: hmac-sha256  b4ded3b3 58214e27 c63d0f91 e4e66912 add797a0 67755537 9003b5b0 0c04338b
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Dec 10 15:35:59 2021   current: Dec 10 15:36:19 2021
        diff: 20(s)     hard: 120(s)    soft: 96(s)
        last: Dec 10 15:36:01 2021      hard: 120(s)    soft: 96(s)
        current: 55(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 120       soft: 96
        sadb_seq=1 pid=349 refcnt=0
172.23.25.99[4500] 172.23.25.10[4500] 
        esp-udp mode=transport spi=244675610(0x0e95741a) reqid=0(0x00000000)
        E: aes-cbc  eb74d7ad 50dd0adf 2e93a40a aada69f6 cb4d2d26 73b76d3b 1ac8c4c1 8534c6cc
        A: hmac-sha256  5029b994 d005f5b6 8b39172a 0b86dc7c 00551e2a 1ef57a13 603e2ee6 bac29afa
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Dec 10 15:35:59 2021   current: Dec 10 15:36:19 2021
        diff: 20(s)     hard: 120(s)    soft: 96(s)
        last:                           hard: 120(s)    soft: 96(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 120       soft: 96
        sadb_seq=0 pid=349 refcnt=0

On the VMware machine, the SAs added by strongSwan are:

192.168.163.130 172.23.25.10 
        esp mode=transport spi=244675610(0x0e95741a) reqid=1(0x00000001)
        E: aes-cbc  eb74d7ad 50dd0adf 2e93a40a aada69f6 cb4d2d26 73b76d3b 1ac8c4c1 8534c6cc
        A: hmac-sha256  5029b994 d005f5b6 8b39172a 0b86dc7c 00551e2a 1ef57a13 603e2ee6 bac29afa
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Dec 10 02:35:29 2021   current: Dec 10 02:35:45 2021
        diff: 16(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=10114 refcnt=0
172.23.25.10 192.168.163.130 
        esp mode=transport spi=3409495451(0xcb38c59b) reqid=1(0x00000001)
        E: aes-cbc  bacca0d7 19fa120b 25202473 99704304 0e826139 f898be77 01b28606 b09ea092
        A: hmac-sha256  b4ded3b3 58214e27 c63d0f91 e4e66912 add797a0 67755537 9003b5b0 0c04338b
        seq=0x00000000 replay=32 flags=0x00000000 state=mature 
        created: Dec 10 02:35:29 2021   current: Dec 10 02:35:45 2021
        diff: 16(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=10114 refcnt=0

I suspect the SAs on the VMware machine lack the port [4500] and esp-udp info, because when I use racoon, the VMware machine can handle the UDP packets from machine A. The SAs added by racoon look like:

192.168.163.130[4500] 172.23.25.10[4500] 
        esp-udp mode=transport spi=217431274(0x0cf5bcea) reqid=0(0x00000000)
        E: des-cbc  7744c128 a553d81a
        A: hmac-md5  af32028d 098ebf1b e0be8a42 84122992
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Dec 10 02:23:59 2021   current: Dec 10 02:24:18 2021
        diff: 19(s)     hard: 120(s)    soft: 96(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=9396 refcnt=0
172.23.25.10[4500] 192.168.163.130[4500] 
        esp-udp mode=transport spi=62789244(0x03be167c) reqid=0(0x00000000)
        E: des-cbc  b2a72540 98f4bfb2
        A: hmac-md5  c745f6b7 f79f5c52 e9f3cafc 38a717d3
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Dec 10 02:23:59 2021   current: Dec 10 02:24:18 2021
        diff: 19(s)     hard: 120(s)    soft: 96(s)
        last: Dec 10 02:24:01 2021      hard: 0(s)      soft: 0(s)
        current: 33(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=0 pid=9396 refcnt=0

I have tried modifying the config, but failed to generate these SAs. These are my configs. ipsec.conf:

conn %default
    ikelifetime=6m
    keylife=5m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    ike=aes256-sha256-modp1024
    esp=aes256-sha256-modp1024
    authby=psk
    type=transport
    auto=route
    aggressive=no
    fragmentation=no
    rekey=no
    forceencaps=yes

conn trap-b
    left=192.168.163.130
    leftsubnet=192.168.163.0/24
    right=172.23.25.10
    rightsubnet=172.23.25.0/24
    auto=add

conn nat-t
    left=172.23.25.99
    leftsubnet=192.168.163.0/24
    right=172.23.25.10
    rightsubnet=172.23.25.0/24
    auto=add

strongswan.conf:

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        install_routes = no
        filelog {
                charon {
                        path = /etc/strongswan/logs/strongswan.log
                        time_format = %b %e %T
                        ike_name = yes
                        append = yes
                        default = 2
                        flush_line = yes
                }
                stderr {
                        ike = 2
                        kml = 3
                }
        }
}
include strongswan.d/*.conf

Is there any problem with my config? Thank you!

cn flag
Does your client support NAT traversal (RFC 3947 for IKEv1)? strongSwan only uses UDP encap when a NAT is detected (`forceencaps` simply forces the detection of a NAT by producing a random NAT-D payload for the source address).
cn flag
Yes, the client supports NAT traversal by default. It sends the NAT-T vendor ID in the first message of phase 1 of the negotiation.
cn flag
Read the logs to see what happens during the negotiation in regards to the NAT detection.
cn flag
strongSwan printed "Jan 3 21:39:27 14[IKE] <1> faking NAT situation to enforce UDP encapsulation" when processing the second message received in main mode. Is this normal?
cn flag
Yes, that's due to `forceencaps=yes`. But that should cause UDP-encap to get enabled on the SAs. Unless the initiator does not propose transport mode with encap, or it proposes both and the version without encap first (which it shouldn't according to [RFC 3947](https://datatracker.ietf.org/doc/html/rfc3947#section-5.1)). By the way, using transport mode with actual subnets in `left|rightsubnet` is not valid.
cn flag
From your reply, I re-checked the description in RFC 3947 and the implementation of the client. I found that the client did not use UDP-Encapsulated-Transport (value 4) in the phase 2 negotiation when NAT-T was detected in phase 1, but always used Transport (value 2) to complete phase 2. Will this cause strongSwan not to carry NAT-T when generating the SAs?
cn flag
Yep, there will be no UDP-encap if the peer does not propose it. Maybe it works with tunnel mode?
cn flag
The client currently only supports transport mode; tunnel mode is not yet supported. I will optimize the client code so that, when NAT-T is detected in phase 1, the client proposes UDP-encap in phase 2, to see if that solves the current problem. Thank you.
cn flag
Thank you for your help, the problem is solved now!
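The point the thread settles, as an added example that is not part of the question, of the client described in it, or of strongSwan: selecting and encoding the IKEv1 phase 2 Encapsulation Mode attribute (IPsec DOI attribute class 4, RFC 2407 / RFC 3947) so that an initiator which detected a NAT in phase 1 proposes UDP-Encapsulated-Transport (4) instead of plain Transport (2), plus a decoder that checks a received transform for that. The attribute blobs in the main block are constructed; all function names are this example's own.

```python
import hashlib
import struct

# IPsec DOI attribute class "Encapsulation Mode" (RFC 2407 sec. 4.5) and its
# values; 3 and 4 were added by RFC 3947 sec. 5.1 for NAT traversal.
ENCAP_MODE = 4
TUNNEL, TRANSPORT, UDP_TUNNEL, UDP_TRANSPORT = 1, 2, 3, 4
MODE_NAMES = {TUNNEL: "Tunnel", TRANSPORT: "Transport",
              UDP_TUNNEL: "UDP-Encapsulated-Tunnel",
              UDP_TRANSPORT: "UDP-Encapsulated-Transport"}

def natt_vendor_id() -> bytes:
    """RFC 3947 sec. 3.2: the NAT-T vendor ID payload is MD5 of the string 'RFC 3947'."""
    return hashlib.md5(b"RFC 3947").digest()

def choose_encap_mode(transport: bool, nat_detected: bool) -> int:
    """Pick the phase 2 mode. Once NAT-D in phase 1 detected a NAT, the UDP-encapsulated
    variant must be proposed, or the responder installs plain ESP SAs without UDP encap."""
    if nat_detected:
        return UDP_TRANSPORT if transport else UDP_TUNNEL
    return TRANSPORT if transport else TUNNEL

def encode_tv_attribute(attr_type: int, value: int) -> bytes:
    """ISAKMP data attribute in TV form (RFC 2408 sec. 3.3): AF bit set, 16-bit value."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

def decode_attributes(data: bytes) -> dict:
    """Parse a run of ISAKMP data attributes (TV or TLV form) into {type: value}."""
    attrs, off = {}, 0
    while off + 4 <= len(data):
        type_af, val_or_len = struct.unpack_from("!HH", data, off)
        off += 4
        if type_af & 0x8000:                      # TV: the value sits in the header
            attrs[type_af & 0x7FFF] = val_or_len
        else:                                     # TLV: the header carries a length
            attrs[type_af] = data[off:off + val_or_len]
            off += val_or_len
    return attrs

def proposal_matches_nat(attr_bytes: bytes, nat_detected: bool) -> bool:
    """True when the transform's encapsulation mode agrees with the NAT situation."""
    mode = decode_attributes(attr_bytes).get(ENCAP_MODE)
    if mode is None:
        return False
    return (mode in (UDP_TUNNEL, UDP_TRANSPORT)) == nat_detected

if __name__ == "__main__":
    # Constructed: what the client in the question sent vs. what it should send.
    before = encode_tv_attribute(ENCAP_MODE, TRANSPORT)
    after = encode_tv_attribute(ENCAP_MODE, choose_encap_mode(True, nat_detected=True))
    for label, blob in (("before", before), ("after", after)):
        print(f"{label}: {blob.hex()} -> {MODE_NAMES[decode_attributes(blob)[ENCAP_MODE]]}, "
              f"consistent with detected NAT: {proposal_matches_nat(blob, True)}")
```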