OpenWrt IKEv2 NAT traversal (or similar) problem

Peter Naulls peter at
Tue May 30 14:13:54 PDT 2023

I'm trying to track down a problem whereby using Windows VPN, some websites are 
accessible and some aren't.  The problem is 100% OpenWrt, since it works over
my regular WiFi router.

Here's what I know (or think I know):

All the VPN traffic uses UDP port 4500.  This is (or should be) a pretty typical
22.03 NAT setup.  The setup I'm testing against is with, although
the actual setup is something else, but the problem is the same.

I'm using curl under Windows to try to isolate the problem, and tcpdump
under OpenWrt, mostly looking at br-lan. The upstream is a wwan0 AT&T connection.

Looking at a fetch to for example I can see there's
traffic in both directions, the NAT seems to be working as expected and all

However, if I try to fetch certain sites, and one in particular is then there's still traffic in both directions,
but whatever is happening, it's not reaching the HTTP layer in curl and
nothing appears there - just a hang.

Here's some example traffic:

17:02:12.192380 IP (tos 0x0, ttl 255, id 43526, offset 0, flags [none], proto UDP (17), length 144)
    > [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x415), length 116
17:02:12.219548 IP (tos 0x0, ttl 255, id 43527, offset 0, flags [none], proto UDP (17), length 144)
    > [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x416), length 116

I have tried messing with the usual suspects - MTU, MSS, even put a
forward rule in the firewall for UDP 4500, but I guess I'm missing something.

Any suggestions on what else to look at or to try?  Let me know if you need
further details or better traces, etc.
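
An added example (not part of the original post, and not OpenWrt, strongSwan or
Windows code) showing how to get more out of traces like the one above. It parses
the records that "tcpdump -v" prints for UDP-encapsulated ESP on port 4500, lists
the ESP sequence numbers missing per SPI (packets that never passed the capture
point), and flags packets that are fragmented or larger than a chosen link MTU,
which is the usual signature when a VPN works for small sites and hangs on others.
The capture text, the 192.168.1.10 client, the 203.0.113.7 VPN server and both
SPIs are constructed sample data, not taken from the post.

```python
"""Triage a tcpdump -v capture of IKEv2 NAT-T traffic (UDP/4500, UDP-encap ESP).
Added example; the sample capture below is constructed, not a real trace."""
from __future__ import annotations

import re
from dataclasses import dataclass

# A record starts with a timestamp; tcpdump indents the payload line and mail
# clients wrap long lines, so continuation lines are joined back before matching.
_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")
_HDR = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos 0x[0-9a-fA-F]+, ttl (?P<ttl>\d+), id (?P<id>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], proto UDP \(17\), length (?P<length>\d+)\)"
)
_ESP = re.compile(
    r"(?P<src>[\w.:-]+) > (?P<dst>[\w.:-]+): (?:\[[^\]]*\] )?"
    r"UDP-encap: ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\), length (?P<esplen>\d+)"
)


@dataclass
class EspPacket:
    ts: str
    src: str
    dst: str
    spi: int
    seq: int
    ip_len: int     # total IP length from the header line (20 IP + 8 UDP + ESP)
    df: bool        # Don't Fragment set
    fragment: bool  # non-zero offset or more-fragments ("+") flag


def parse_tcpdump(text: str) -> list[EspPacket]:
    """Decode NAT-T ESP records; anything else on the wire (IKE on 4500, ARP...) is skipped."""
    records: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if _START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line      # re-join wrapped/indented continuation
    pkts = []
    for rec in records:
        h, e = _HDR.match(rec), _ESP.search(rec)
        if not (h and e):
            continue
        pkts.append(EspPacket(
            ts=h["ts"], src=e["src"], dst=e["dst"],
            spi=int(e["spi"], 16), seq=int(e["seq"], 16),
            ip_len=int(h["length"]), df="DF" in h["flags"],
            fragment=int(h["offset"]) > 0 or "+" in h["flags"],
        ))
    return pkts


def find_seq_gaps(pkts: list[EspPacket]) -> dict[int, list[int]]:
    """ESP sequence numbers increase by one per SA (SPI), so a hole between the first
    and last value seen is a packet that did not pass the capture point."""
    by_spi: dict[int, set[int]] = {}
    for p in pkts:
        by_spi.setdefault(p.spi, set()).add(p.seq)
    gaps = {}
    for spi, seqs in by_spi.items():
        missing = [s for s in range(min(seqs), max(seqs) + 1) if s not in seqs]
        if missing:
            gaps[spi] = missing
    return gaps


def find_mtu_suspects(pkts: list[EspPacket], link_mtu: int = 1500) -> list[EspPacket]:
    """Packets that cannot cross a link of link_mtu unchanged: fragments and anything
    larger than the MTU. With DF set and ICMP 'fragmentation needed' filtered somewhere,
    these vanish silently, and the TLS/HTTP exchange hangs while small replies still work."""
    return [p for p in pkts if p.fragment or p.ip_len > link_mtu]


# Constructed sample in the tcpdump -v layout: client 192.168.1.10 on the LAN,
# VPN server 203.0.113.7 (documentation address). Outbound seq 0x417 is missing and
# the two inbound packets are full-size 1500-byte DF packets.
SAMPLE = """\
17:02:12.192380 IP (tos 0x0, ttl 255, id 43526, offset 0, flags [none], proto UDP (17), length 144)
    192.168.1.10.4500 > 203.0.113.7.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x415), length 116
17:02:12.219548 IP (tos 0x0, ttl 255, id 43527, offset 0, flags [none], proto UDP (17), length 144)
    192.168.1.10.4500 > 203.0.113.7.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x416), length 116
17:02:12.240113 IP (tos 0x0, ttl 255, id 43529, offset 0, flags [none], proto UDP (17), length 144)
    192.168.1.10.4500 > 203.0.113.7.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x418), length 116
17:02:12.301771 IP (tos 0x0, ttl 54, id 9001, offset 0, flags [DF], proto UDP (17), length 1500)
    203.0.113.7.4500 > 192.168.1.10.4500: [no cksum] UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x8e), length 1472
17:02:12.302004 IP (tos 0x0, ttl 54, id 9002, offset 0, flags [DF], proto UDP (17), length 1500)
    203.0.113.7.4500 > 192.168.1.10.4500: [no cksum] UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x8f), length 1472
"""

# Same record wrapped the way a mail client does it (also constructed).
WRAPPED = """\
17:02:12.192380 IP (tos 0x0, ttl 255, id 43526, offset 0, flags [none], proto
UDP (17), length 144) 192.168.1.10.4500 > 203.0.113.7.4500: [no cksum] UDP-encap:
ESP(spi=0xc4a096e5,seq=0x415), length 116
"""

if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE)
    for spi, missing in find_seq_gaps(pkts).items():
        print(f"spi=0x{spi:08x} missing seq: {[hex(s) for s in missing]}")
    for p in find_mtu_suspects(pkts, link_mtu=1400):
        print(f"{p.ts} {p.src} > {p.dst} len={p.ip_len} df={p.df} frag={p.fragment}")
```

To use it on a real problem, save the output of `tcpdump -v -n -i br-lan udp port 4500`
(and a second capture on wwan0) and feed each file to parse_tcpdump: a sequence number
present on wwan0 but missing on br-lan, or the other way round, points at the router
itself; large DF packets in one direction only, with link_mtu set to the real wwan0 MTU,
point at path MTU rather than NAT.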


