OpenWrt IKEv2 NAT traversal (or similar) problem
Peter Naulls
peter at chocky.org
Tue May 30 14:13:54 PDT 2023
I'm trying to track down a problem whereby using Windows VPN, some websites are
accessible and some aren't. The problem is 100% OpenWrt, since it works over
my regular WiFi router.
Here's what I know (or think I know):
All the VPN traffic uses UDP port 4500. This is (or should be) a pretty typical
22.03 NAT setup. The setup I'm testing against is with privatevpn.com, although
the actual setup is something else, but the problem is the same.
Using curl under Windows to try and isolate the problem and tcpdump
under OpenWrt, mostly looking at br-lan. The upstream is a wwan0 AT&T connection.
Looking at a fetch to https://www.google.com/ for example I can see there's
traffic in both directions, the NAT seems to be working as expected and all
works.
However, if I try and fetch certain sites, and one in particular is
https://gov.visuallabsinc.com/ then there's still traffic in both directions,
but whatever is happening, it's not reaching the HTTP layer in curl and
nothing appears there - just a hang.
Here's some example traffic:
17:02:12.192380 IP (tos 0x0, ttl 255, id 43526, offset 0, flags [none], proto
UDP (17), length 144)
192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
ESP(spi=0xc4a096e5,seq=0x415), length 116
17:02:12.219548 IP (tos 0x0, ttl 255, id 43527, offset 0, flags [none], proto
UDP (17), length 144)
192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap:
ESP(spi=0xc4a096e5,seq=0x416), length 116
I have tried messing with the usual suspects - MTU, MSS, even put a
forward rule in the firewall for UDP 4500, but I guess I'm missing something.
Any suggestions on what else to look at or to try? Let me know if you need
further details or better traces, etc.
Thanks!
More information about the openwrt-devel
mailing list