Hi Harald,

> is there some way to tell charon-nm to use 4500/udp for the outgoing
> connection, instead of an arbitrary port, if available? Same for
> 500/udp.

You can explicitly configure the ports via strongswan.conf
(charon-nm.port and charon-nm.port_nat_t).  Just make sure you don't use
charon or charon-systemd on the same host to avoid conflicts.


> Of course I will look into this, but how come using 500/udp and 4500/udp
> isn't the default?

Primarily, to avoid conflicts with regular (i.e. non-NM) versions of the daemon that might be running concurrently on the same system. Using ephemeral source ports also makes using custom server ports easy (configurable in the NM plugin) as that would otherwise require changing the source port away from 500 anyway.

> That's how I read https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection,
> left|rightikeport.

Which has absolutely nothing to do with charon-nm (uses a completely different configuration interface).

> I assume a problem on the AVM Fritzbox in this context. 500/udp and
> 4500/udp at both ends appears to be more reliable.

That doesn't really make sense as there could always be a NAT in between
that changes the source ports.


> I am aware of that. It is not working, i.e. we cannot assume a reasonable
> implementation. Fact is, the traffic returned by my VPN gateway (4500/udp
> to let's say 32480/udp) at the end of phase 2 (IKE2) doesn't reach the home
> office laptop of my colleague (both strongswan). I just cannot say if this
> is sabotaged by his IP provider or if this is a broken stateful packet
> filter or some other bug in the Fritzbox. What would be your guess here?

How large is that message? Although you use 5.9.6 on both ends (i.e. IKE fragmentation should generally be enabled), it could still be a fragmentation issue if the default fragment size of 1280 bytes is too much (you could try reducing charon.fragment_size).

Also, has AVM finally released a version of their system that supports
IKEv2?  Took them long enough.  But considering their track record
regarding IKEv1, I guess we have to expect interoperability issues for
the next 20 years.

> This is a misunderstanding. Both peers are running a recent Debian and
> strongswan 5.9.6. The Fritzbox is just the modem/gateway/firewall in
> my colleague's home network. I understand that the Fritzbox runs its own
> IPsec connections. Yet another reason to assume a bug in the Fritzbox
> in this context.

I see.  Can you capture traffic on that box?

Regards,
Tobias
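For reference, the two settings discussed above (pinning charon-nm's source ports, and lowering the IKE fragment size) as a strongswan.conf fragment. This is an added example, not taken from the thread or from the strongSwan project's own documentation; the option names charon-nm.port, charon-nm.port_nat_t and charon.fragment_size are the ones named in the replies, the value 1200 for fragment_size is an arbitrary assumption for illustration, and it assumes no other charon or charon-systemd instance on the host is already bound to 500/udp and 4500/udp.

```conf
# strongswan.conf fragment (added example, not from the thread or the project).
# Pins charon-nm to the standard IKE ports instead of ephemeral source ports.
# Caveat from the thread: only do this if no regular charon / charon-systemd
# daemon runs on the same host, otherwise both will fight over 500/4500.
charon-nm {
    # Source port for plain IKE traffic (default 0 = random ephemeral port).
    port = 500
    # Source port for NAT-T (UDP-encapsulated) traffic (default 0 = random).
    port_nat_t = 4500
}

charon {
    # Maximum IKE fragment size in bytes; the default is 1280. Lowering it is
    # the knob suggested in the thread if a middlebox drops the larger
    # fragments of the final IKE exchange. 1200 is an assumed example value,
    # not a recommendation from the thread.
    fragment_size = 1200
}
```

Note that with a NAT between the peers the source port seen by the gateway can still be rewritten, so pinning the ports only guarantees the port on the client side, not what the gateway replies to.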
