I have written an IKE client to negotiate IPsec SAs with some IKE servers, such as racoon and strongSwan.
When the negotiation has finished, I send IPsec packets (UDP-encapsulated ESP packets) from the client machine; the strongSwan server machine receives the packets but does not handle them.
My transport-mode UDP NAT-T network scenario:

machine A (CentOS 7)     machine B (Win7)                  VMware machine in machine B (CentOS 7)
172.23.25.10             172.23.25.99 | 192.168.163.1      192.168.163.130
IKE client                                                 IKE server
udp client                                                 udp server
When the negotiation has finished, the SA info differs between the client and the strongSwan server.
On machine A, the SAs are:
172.23.25.10[4500] 172.23.25.99[4500] 
        esp-udp mode=transport spi=3409495451(0xcb38c59b) reqid=0(0x00000000)
        E: aes-cbc  bacca0d7 19fa120b 25202473 99704304 0e826139 f898be77 01b28606 b09ea092
        A: hmac-sha256  b4ded3b3 58214e27 c63d0f91 e4e66912 add797a0 67755537 9003b5b0 0c04338b
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Dec 10 15:35:59 2021   current: Dec 10 15:36:19 2021
        diff: 20(s)     hard: 120(s)    soft: 96(s)
        last: Dec 10 15:36:01 2021      hard: 120(s)    soft: 96(s)
        current: 55(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 120       soft: 96
        sadb_seq=1 pid=349 refcnt=0
172.23.25.99[4500] 172.23.25.10[4500] 
        esp-udp mode=transport spi=244675610(0x0e95741a) reqid=0(0x00000000)
        E: aes-cbc  eb74d7ad 50dd0adf 2e93a40a aada69f6 cb4d2d26 73b76d3b 1ac8c4c1 8534c6cc
        A: hmac-sha256  5029b994 d005f5b6 8b39172a 0b86dc7c 00551e2a 1ef57a13 603e2ee6 bac29afa
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Dec 10 15:35:59 2021   current: Dec 10 15:36:19 2021
        diff: 20(s)     hard: 120(s)    soft: 96(s)
        last:                           hard: 120(s)    soft: 96(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 120       soft: 96
        sadb_seq=0 pid=349 refcnt=0
On the VMware machine, the SAs added by strongSwan are:
192.168.163.130 172.23.25.10 
        esp mode=transport spi=244675610(0x0e95741a) reqid=1(0x00000001)
        E: aes-cbc  eb74d7ad 50dd0adf 2e93a40a aada69f6 cb4d2d26 73b76d3b 1ac8c4c1 8534c6cc
        A: hmac-sha256  5029b994 d005f5b6 8b39172a 0b86dc7c 00551e2a 1ef57a13 603e2ee6 bac29afa
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Dec 10 02:35:29 2021   current: Dec 10 02:35:45 2021
        diff: 16(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=10114 refcnt=0
172.23.25.10 192.168.163.130 
        esp mode=transport spi=3409495451(0xcb38c59b) reqid=1(0x00000001)
        E: aes-cbc  bacca0d7 19fa120b 25202473 99704304 0e826139 f898be77 01b28606 b09ea092
        A: hmac-sha256  b4ded3b3 58214e27 c63d0f91 e4e66912 add797a0 67755537 9003b5b0 0c04338b
        seq=0x00000000 replay=32 flags=0x00000000 state=mature 
        created: Dec 10 02:35:29 2021   current: Dec 10 02:35:45 2021
        diff: 16(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=10114 refcnt=0
I suspect the SAs on the VMware machine lack the port **[4500]** and esp-udp info, because when I use racoon, the VMware machine can handle the UDP packet from machine A.
The SAs added by racoon look like this:
192.168.163.130[4500] 172.23.25.10[4500] 
        esp-udp mode=transport spi=217431274(0x0cf5bcea) reqid=0(0x00000000)
        E: des-cbc  7744c128 a553d81a
        A: hmac-md5  af32028d 098ebf1b e0be8a42 84122992
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Dec 10 02:23:59 2021   current: Dec 10 02:24:18 2021
        diff: 19(s)     hard: 120(s)    soft: 96(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=9396 refcnt=0
172.23.25.10[4500] 192.168.163.130[4500] 
        esp-udp mode=transport spi=62789244(0x03be167c) reqid=0(0x00000000)
        E: des-cbc  b2a72540 98f4bfb2
        A: hmac-md5  c745f6b7 f79f5c52 e9f3cafc 38a717d3
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Dec 10 02:23:59 2021   current: Dec 10 02:24:18 2021
        diff: 19(s)     hard: 120(s)    soft: 96(s)
        last: Dec 10 02:24:01 2021      hard: 0(s)      soft: 0(s)
        current: 33(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=0 pid=9396 refcnt=0
I have tried modifying the config, but failed to generate these SAs.
These are my configs:
ipsec.conf:
conn %default
    ikelifetime=6m
    keylife=5m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    ike=aes256-sha256-modp1024
    esp=aes256-sha256-modp1024
    authby=psk
    type=transport
    auto=route
    aggressive=no
    fragmentation=no
    rekey=no
    forceencaps=yes
conn trap-b
    left=192.168.163.130
    leftsubnet=192.168.163.0/24
    right=172.23.25.10
    rightsubnet=172.23.25.0/24
    auto=add
conn nat-t
    left=172.23.25.99
    leftsubnet=192.168.163.0/24
    right=172.23.25.10
    rightsubnet=172.23.25.0/24
    auto=add
strongswan.conf:
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        install_routes = no
        filelog {
                charon {
                        path = /etc/strongswan/logs/strongswan.log
                        time_format = %b %e %T
                        ike_name = yes
                        append = yes
                        default = 2
                        flush_line = yes
                }
                stderr {
                        ike = 2
                        # "knl" is the kernel-interface log group (there is no "kml" group)
                        knl = 3
                }
        }
}
include strongswan.d/*.conf
Is there any problem with my config? Thank you!
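As an added check (example code written for this page, not code from the original post, from racoon or from strongSwan), the script below parses `setkey -D` style dumps from both peers, pairs the SAs by SPI (the SPI is the one identifier that survives the NAT unchanged, whereas the addresses do not) and reports every SA that one side installed as `esp-udp` with `[4500]` ports while the other side installed it as plain `esp`. That is exactly the asymmetry visible in the post: with such a mismatch the server's kernel has no UDP-encapsulated SA to match the incoming UDP/4500 payload against, so the packet is never decapsulated. The sample dumps are trimmed copies of the ones in the post with the key material omitted; the function and variable names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# "setkey -D" prints an unindented "src[port] dst[port]" header (ports only
# for UDP-encapsulated SAs) followed by indented attribute lines.
ENDPOINT_RE = re.compile(r"^(.+?)(?:\[(\d+)\])?$")
SA_LINE_RE = re.compile(
    r"^(?P<proto>esp-udp|esp|ah|ipcomp)\s+mode=(?P<mode>\w+)\s+"
    r"spi=(?P<spi>\d+)\(0x[0-9a-f]+\)\s+reqid=(?P<reqid>\d+)"
)


@dataclass
class SA:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    mode: str
    spi: int
    reqid: int

    @property
    def udp_encap(self) -> bool:
        # setkey shows "esp-udp" only for SAs carrying RFC 3948 UDP encapsulation.
        return self.proto == "esp-udp"


def _endpoint(token: str):
    m = ENDPOINT_RE.match(token)
    addr, port = m.group(1), m.group(2)
    return addr, (int(port) if port else None)


def parse_setkey_dump(text: str) -> List[SA]:
    """Parse a setkey -D dump into SA records (keys and counters are ignored)."""
    sas: List[SA] = []
    header = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # header line: "src[port] dst[port]"
            parts = raw.split()
            if len(parts) == 2:
                header = (_endpoint(parts[0]), _endpoint(parts[1]))
            continue
        m = SA_LINE_RE.match(raw.strip())   # first indented line: proto/mode/spi
        if m and header:
            (src, sport), (dst, dport) = header
            sas.append(SA(src, sport, dst, dport, m["proto"], m["mode"],
                          int(m["spi"]), int(m["reqid"])))
            header = None
    return sas


def check_nat_t_consistency(local: List[SA], peer: List[SA]) -> List[str]:
    """Pair SAs by SPI and report where only one side expects UDP-encapsulated ESP."""
    findings = []
    peer_by_spi = {sa.spi: sa for sa in peer}
    for sa in local:
        other = peer_by_spi.get(sa.spi)
        if other is None:
            findings.append(f"spi {sa.spi:#010x}: no matching SA on peer")
        elif sa.udp_encap != other.udp_encap:
            findings.append(f"spi {sa.spi:#010x}: local={sa.proto} "
                            f"peer={other.proto} (UDP encapsulation mismatch)")
    return findings


# Constructed sample input: the two dumps from the post, trimmed, keys omitted.
CLIENT_DUMP = """\
172.23.25.10[4500] 172.23.25.99[4500]
        esp-udp mode=transport spi=3409495451(0xcb38c59b) reqid=0(0x00000000)
        E: aes-cbc  <key omitted>
        A: hmac-sha256  <key omitted>
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
172.23.25.99[4500] 172.23.25.10[4500]
        esp-udp mode=transport spi=244675610(0x0e95741a) reqid=0(0x00000000)
        E: aes-cbc  <key omitted>
        A: hmac-sha256  <key omitted>
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
"""

SERVER_DUMP = """\
192.168.163.130 172.23.25.10
        esp mode=transport spi=244675610(0x0e95741a) reqid=1(0x00000001)
        E: aes-cbc  <key omitted>
        A: hmac-sha256  <key omitted>
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
172.23.25.10 192.168.163.130
        esp mode=transport spi=3409495451(0xcb38c59b) reqid=1(0x00000001)
        E: aes-cbc  <key omitted>
        A: hmac-sha256  <key omitted>
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
"""

if __name__ == "__main__":
    client = parse_setkey_dump(CLIENT_DUMP)
    server = parse_setkey_dump(SERVER_DUMP)
    for line in check_nat_t_consistency(client, server) or ["SAD consistent"]:
        print(line)
```

Run it against `setkey -D` output captured on each peer (or, on Linux, feed the equivalent `ip xfrm state` view into a similar parser, where UDP encapsulation shows up as an `encap espinudp` attribute). Both of the post's SPIs are reported as a UDP encapsulation mismatch, which is the condition to clear before looking at ciphers or lifetimes.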