OpenWrt IKEv2 NAT traversal (or similar) problem
yszhou4tech at gmail.com
Tue May 30 15:16:13 PDT 2023
On Wednesday, 31 May 2023, Peter Naulls <peter at chocky.org> wrote:
> I'm trying to track down a problem whereby using Windows VPN, some websites are accessible and some aren't. The problem is 100% OpenWrt, since it works over
> my regular WiFi router.
> Here's what I know (or think I know):
> All the VPN traffic uses UDP port 4500. This is (or should be) a pretty typical
> 22.03 NAT setup. The setup I'm testing against is with privatevpn.com, although
> the actual setup is something else, but the problem is the same.
> Using curl under Windows to try and isolate the problem and tcpdump
> under OpenWrt, mostly looking at br-lan. The upstream is a wwan0 AT&T connection.
> Looking at a fetch to https://www.google.com/ for example I can see there's
> traffic in both directions, the NAT seems to be working as expected and all
> However, if I try and fetch certain sites, and one in particular is
> https://gov.visuallabsinc.com/ then there's still traffic in both directions,
> but whatever is happening, it's not reaching the HTTP layer in curl and
> nothing appears there - just a hang.
> Here's some example traffic:
> 17:02:12.192380 IP (tos 0x0, ttl 255, id 43526, offset 0, flags [none], proto UDP (17), length 144)
> 192.168.113.102.4500 > 220.127.116.11.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x415), length 116
> 17:02:12.219548 IP (tos 0x0, ttl 255, id 43527, offset 0, flags [none], proto UDP (17), length 144)
> 192.168.113.102.4500 > 18.104.22.168.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x416), length 116
I am afraid the above is still single direction traffic.
> I have tried messing with the usual suspects - MTU, MSS, even put a
> forward rule in the firewall for UDP 4500, but I guess I'm missing something.
> Any suggestions on what else to look at or to try? Let me know if you need
> further details or better traces, etc.
Trying Wireshark on the Windows host itself to collect the traffic before
it enters the tunnel may help. Verbose curl logging (-vvv) is another
source of information.
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
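As an added example (not from the thread), a small Python script that parses tcpdump lines like those quoted above and flags peers seen in only one direction, which is the "single direction traffic" symptom the reply points at. The 203.0.113.5 peer, its inbound packet and the 192.168.113. LAN prefix are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample: the two outbound packets quoted in the post, plus a
# made-up peer 203.0.113.5 (documentation range) that does answer, for contrast.
SAMPLE = """\
17:02:12.192380 IP (tos 0x0, ttl 255, id 43526, offset 0, flags [none], proto UDP (17), length 144)
    192.168.113.102.4500 > 220.127.116.11.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x415), length 116
17:02:12.219548 IP (tos 0x0, ttl 255, id 43527, offset 0, flags [none], proto UDP (17), length 144)
    192.168.113.102.4500 > 18.104.22.168.4500: [no cksum] UDP-encap: ESP(spi=0xc4a096e5,seq=0x416), length 116
17:02:12.230001 IP (tos 0x0, ttl 255, id 43528, offset 0, flags [none], proto UDP (17), length 144)
    192.168.113.102.4500 > 203.0.113.5.4500: [no cksum] UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x20), length 116
17:02:12.251337 IP (tos 0x0, ttl 52, id 9001, offset 0, flags [none], proto UDP (17), length 144)
    203.0.113.5.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: ESP(spi=0x5e6f7a8b,seq=0x21), length 116
"""

HDR_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP ")
ESP_RE = re.compile(r"^\s*([\d.]+)\.\d+ > ([\d.]+)\.\d+: .*?"
                    r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")
def parse_tcpdump(text):
    """Pair each 'IP (...)' header line with the UDP-encap ESP line that follows it."""
    packets, ts = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            ts = m.group(1)
            continue
        m = ESP_RE.match(line)
        if m and ts is not None:
            src, dst, spi, seq = m.groups()
            packets.append({"ts": ts, "src": src, "dst": dst,
                            "spi": int(spi, 16), "seq": int(seq, 16)})
            ts = None
    return packets

def flow_directions(packets, local_prefix="192.168.113."):
    """Count packets per (local host, peer) in each direction. local_prefix is an
    assumption about the LAN side seen on br-lan in the post."""
    flows = defaultdict(lambda: {"out": 0, "in": 0})
    for p in packets:
        if p["src"].startswith(local_prefix):
            key, direction = (p["src"], p["dst"]), "out"
        else:
            key, direction = (p["dst"], p["src"]), "in"
        flows[key][direction] += 1
    return flows

def one_way_flows(flows):
    """Peers seen in only one direction: no ESP is coming back through the NAT."""
    return sorted(k for k, v in flows.items() if v["out"] == 0 or v["in"] == 0)
```

Feed it the full tcpdump output from br-lan (and, separately, from wwan0) to see whether the missing return traffic is already absent upstream or is being dropped by the router.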