Hello Marc,

Marc Giger wrote:
> Hi Andreas
> 
> Finally I've solved the problem. It works again now.
> I've found out, that I have to set nat_traversal to no
> to let it communicate over port 500. Port 4500 is
> blocked on a firewall in front of the ipsec gw.
> 
> Is this change in the behavior for IKEv1 intentional?
>
The IKE NAT-Traversal RFC 3947 mandates floating to
UDP port 4500 if a NAT situation is detected:

   In Main Mode, the initiator MUST change ports when sending the ID
   payload if there is NAT between the hosts.  The initiator MUST set
   both UDP source and destination ports to 4500.  All subsequent
   packets sent to this peer (including informational notifications)
   MUST be sent on port 4500.  In addition, the IKE data MUST be
   prepended with a non-ESP marker allowing for demultiplexing of
   traffic, as defined in [RFC3948].

see http://tools.ietf.org/html/rfc3947#section-4 .

The only alternative is IPsec passthrough using IKE port
and IPsec protocol forwarding where the IKE stays on port 500
and ESP is not encapsulated in UDP. This is achieved with the
strongSwan IKEv1 setting

  nat_traversal = no

Best regards

Andreas

> Thank you very much for your help!
> 
> Greets
> 
> Marc
> 
> 
> On Tue, 22 Dec 2009 11:30:59 +0100
> Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> 
>> Having a closer look at the strongSwan log I detect:
>>
>> Dec 21 17:41:17 mgi pluto[11806]:
>>    "roadwarrior" #1: ignoring CERT_NONE certificate request payload
>>
>> a certificate request type I have never seen before but I've already
>> become used to Juniper's various quirks ;-)
>>
>> Try to suppress the certificate by setting
>>
>>   leftsendcert=never
>>
>> Regards
>>
>> Andreas
>>
>> Marc Giger wrote:
>>> Hello Andreas,
>>>
>>> Hmmm...
>>>
>>> It works perfectly with strongswan 2.8.0...
>>> I looked into the logfile of the juniper fw
>>> and it just says that it reached the # retries...
>>>
>>>
>>> On Mon, 21 Dec 2009 18:59:51 +0100
>>> Andreas Steffen <andreas.stef...@strongswan.org> wrote:
>>>
>>>> Hello Marc,
>>>>
>>>> probably your Juniper box never receives message MI3 because the
>>>> rather large certificate causes IP fragmentation of the IKE
>>>> UDP datagram and the fragments get discarded either by a router
>>>> or a firewall. Or your Juniper box has some other problems and
>>>> does not send a corresponding notification. Please check the
>>>> log on your Juniper box.
>>>>
>>>> Regards
>>>>
>>>> Andreas

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
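To make the RFC 3947/3948 point concrete, here is an added example (not code from this thread or from strongSwan) that demultiplexes datagrams arriving on UDP/4500 exactly as the text above describes: a four-zero-byte non-ESP marker means IKE, a single 0xff byte is a NAT keepalive, and anything else is UDP-encapsulated ESP whose first four bytes are the SPI. The sample packets are constructed; the last helper shows why a large certificate in a Main Mode message can push the datagram over the path MTU.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: 4 zero bytes precede IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-byte NAT keepalive
IKE_HEADER = struct.Struct("!8s8sBBBBII")  # fixed 28-byte ISAKMP header
IKEV1_MAIN_MODE = 2                   # exchange type "Identity Protection"


def classify_udp4500(payload: bytes):
    """Classify one UDP/4500 datagram and strip the non-ESP marker from IKE."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive", b""
    if len(payload) < 4:
        return "invalid", payload
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    # A valid ESP SPI is never zero, so everything else is UDP-encapsulated ESP.
    return "esp", payload


def parse_ike_header(ike: bytes) -> dict:
    """Decode the ISAKMP header so a trace shows what floated to port 4500."""
    if len(ike) < IKE_HEADER.size:
        raise ValueError("truncated IKE header")
    ispi, rspi, nxt, ver, xchg, flags, msgid, length = IKE_HEADER.unpack_from(ike)
    return {"initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
            "major": ver >> 4, "exchange": xchg, "length": length,
            "main_mode": xchg == IKEV1_MAIN_MODE and ver >> 4 == 1}


def fragments_on_path(ike_len: int, mtu: int = 1500, nat_t: bool = True) -> bool:
    """True if IPv4 + UDP (+ marker with NAT-T) plus the IKE message exceeds the MTU."""
    overhead = 20 + 8 + (4 if nat_t else 0)
    return ike_len + overhead > mtu


# Constructed sample datagrams (hypothetical, not captures from the thread).
ike_msg = IKE_HEADER.pack(bytes.fromhex("0102030405060708"), bytes(8),
                          5, 0x10, IKEV1_MAIN_MODE, 0, 0, 28 + 200) + b"\x00" * 200
SAMPLE_IKE_ON_4500 = NON_ESP_MARKER + ike_msg
SAMPLE_ESP_ON_4500 = struct.pack("!II", 0x12345678, 1) + b"\xaa" * 32
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for pkt in (SAMPLE_IKE_ON_4500, SAMPLE_ESP_ON_4500, SAMPLE_KEEPALIVE):
        kind, inner = classify_udp4500(pkt)
        print(kind, parse_ike_header(inner) if kind == "ike" else len(inner))
```

A firewall that drops UDP/4500 therefore silently breaks both the floated IKE exchange and the encapsulated ESP, which is the failure seen in this thread once NAT was detected.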
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users