OpenWrt IKEv2 NAT traversal (or similar) problem

Peter Naulls peter at chocky.org
Tue May 30 15:38:10 PDT 2023


On 5/30/23 18:16, Yousong Zhou wrote:
> On Wednesday, 31 May 2023, Peter Naulls <peter at chocky.org> wrote:
>>
>>
> 
> I am afraid the above is still single direction traffic.

Sorry, quite so.  I finished this email in the middle of something else.  There 
is return traffic:

To Google, which works.

16:57:11.936911 IP (tos 0x0, ttl 128, id 43279, offset 0, flags [none], proto 
UDP (17), length 29)
     192.168.113.102.4500 > 89.187.170.130.4500: [udp sum ok] isakmp-nat-keep-alive
16:57:16.597085 IP (tos 0x0, ttl 255, id 43280, offset 0, flags [none], proto 
UDP (17), length 128)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x31b), length 100
16:57:16.597085 IP (tos 0x0, ttl 255, id 43281, offset 0, flags [none], proto 
UDP (17), length 128)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x31c), length 100
16:57:16.629104 IP (tos 0x0, ttl 128, id 43983, offset 0, flags [none], proto 
UDP (17), length 60)
     192.168.113.102.63724 > 192.168.113.3.53: [udp sum ok] 56044+ AAAA? 
www.google.com. (32)
16:57:16.629104 IP (tos 0x0, ttl 128, id 43982, offset 0, flags [none], proto 
UDP (17), length 60)
     192.168.113.102.54875 > 192.168.113.3.53: [udp sum ok] 4736+ A? 
www.google.com. (32)
16:57:16.630048 IP (tos 0x0, ttl 255, id 43282, offset 0, flags [none], proto 
UDP (17), length 128)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x31d), length 100
16:57:16.630050 IP (tos 0x0, ttl 255, id 43283, offset 0, flags [none], proto 
UDP (17), length 128)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x31e), length 100
16:57:16.634072 IP (tos 0x0, ttl 64, id 12085, offset 0, flags [DF], proto UDP 
(17), length 88)
     192.168.113.3.53 > 192.168.113.102.63724: [bad udp cksum 0x6410 -> 0x70cf!] 
56044 q: AAAA? www.google.com. 1/0/0 www.google.com. [1m52s] AAAA 
2607:f8b0:4006:81d::2004 (60)
16:57:16.639834 IP (tos 0x0, ttl 64, id 12086, offset 0, flags [DF], proto UDP 
(17), length 76)
     192.168.113.3.53 > 192.168.113.102.54875: [bad udp cksum 0x6404 -> 0x3314!] 
4736 q: A? www.google.com. 1/0/0 www.google.com. [4m19s] A 142.251.32.100 (48)
16:57:16.654048 IP (tos 0x68, ttl 50, id 41090, offset 0, flags [none], proto 
UDP (17), length 224)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x26d), length 196
16:57:16.665933 IP (tos 0x68, ttl 50, id 41091, offset 0, flags [none], proto 
UDP (17), length 240)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x26e), length 212
16:57:16.668916 IP (tos 0x0, ttl 255, id 43284, offset 0, flags [none], proto 
UDP (17), length 128)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x31f), length 100
16:57:16.711776 IP (tos 0x68, ttl 50, id 41104, offset 0, flags [none], proto 
UDP (17), length 160)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x26f), length 132

To another site, which doesn't:


17:02:12.192380 IP (tos 0x0, ttl 255, id 43526, offset 0, flags [none], proto 
UDP (17), length 144)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x415), length 116
17:02:12.219548 IP (tos 0x0, ttl 255, id 43527, offset 0, flags [none], proto 
UDP (17), length 144)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x416), length 116
17:02:12.374062 IP (tos 0x68, ttl 50, id 6571, offset 0, flags [none], proto UDP 
(17), length 208)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x33b), length 180
17:02:12.382227 IP (tos 0x0, ttl 255, id 43528, offset 0, flags [none], proto 
UDP (17), length 128)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x417), length 100
17:02:12.523997 IP (tos 0x68, ttl 50, id 0, offset 0, flags [DF], proto UDP 
(17), length 128)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x33c), length 100
17:02:12.525249 IP (tos 0x0, ttl 255, id 43529, offset 0, flags [none], proto 
UDP (17), length 112)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x418), length 84
17:02:12.538861 IP (tos 0x68, ttl 50, id 6599, offset 0, flags [none], proto UDP 
(17), length 208)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x33d), length 180
17:02:12.625718 IP (tos 0x0, ttl 255, id 43530, offset 0, flags [none], proto 
UDP (17), length 624)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x419), length 596
17:02:12.855180 IP (tos 0x68, ttl 50, id 0, offset 0, flags [DF], proto UDP 
(17), length 368)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x33e), length 340
17:02:12.856246 IP (tos 0x0, ttl 255, id 43531, offset 0, flags [none], proto 
UDP (17), length 128)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x41a), length 100
17:02:16.063389 IP (tos 0x0, ttl 128, id 43532, offset 0, flags [none], proto 
UDP (17), length 29)
     192.168.113.102.4500 > 89.187.170.130.4500: [udp sum ok] isakmp-nat-keep-alive
17:02:16.797712 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 
192.168.113.3 (34:ba:9a:7b:65:82) tell 192.168.113.102, length 46
17:02:16.798006 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.113.3 is-at 
34:ba:9a:7b:65:82, length 28
17:02:17.310347 IP (tos 0x0, ttl 255, id 43533, offset 0, flags [none], proto 
UDP (17), length 144)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x41b), length 116
17:02:17.310880 IP (tos 0x0, ttl 255, id 43534, offset 0, flags [none], proto 
UDP (17), length 144)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x41c), length 116
17:02:17.329423 IP (tos 0x0, ttl 128, id 43991, offset 0, flags [none], proto 
UDP (17), length 75)
     192.168.113.102.55020 > 192.168.113.3.53: [udp sum ok] 40742+ AAAA? 
v10.events.data.microsoft.com. (47)
17:02:17.329423 IP (tos 0x0, ttl 128, id 43992, offset 0, flags [none], proto 
UDP (17), length 75)
     192.168.113.102.60074 > 192.168.113.3.53: [udp sum ok] 35138+ A? 
v10.events.data.microsoft.com. (47)
17:02:17.329869 IP (tos 0x0, ttl 255, id 43536, offset 0, flags [none], proto 
UDP (17), length 144)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x41e), length 116
17:02:17.329871 IP (tos 0x0, ttl 255, id 43535, offset 0, flags [none], proto 
UDP (17), length 144)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x41d), length 116
17:02:17.358801 IP (tos 0x0, ttl 64, id 24779, offset 0, flags [DF], proto UDP 
(17), length 216)
     192.168.113.3.53 > 192.168.113.102.60074: [bad udp cksum 0x6490 -> 0x2e51!] 
35138 q: A? v10.events.data.microsoft.com. 3/0/0 v10.events.data.microsoft.com. 
[1m47s] CNAME win-global-)
17:02:17.370702 IP (tos 0x0, ttl 64, id 24780, offset 0, flags [DF], proto UDP 
(17), length 261)
     192.168.113.3.53 > 192.168.113.102.55020: [bad udp cksum 0x64bd -> 0xcaa9!] 
40742 q: AAAA? v10.events.data.microsoft.com. 2/1/0 
v10.events.data.microsoft.com. [1m47s] CNAME win-glob)
17:02:17.377951 IP (tos 0x68, ttl 50, id 7602, offset 0, flags [none], proto UDP 
(17), length 288)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x33f), length 260
17:02:17.389917 IP (tos 0x68, ttl 50, id 7604, offset 0, flags [none], proto UDP 
(17), length 336)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x340), length 308
17:02:17.392532 IP (tos 0x0, ttl 255, id 43537, offset 0, flags [none], proto 
UDP (17), length 128)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x41f), length 100
17:02:17.416957 IP (tos 0x68, ttl 50, id 7611, offset 0, flags [none], proto UDP 
(17), length 288)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x341), length 260
17:02:17.429009 IP (tos 0x68, ttl 50, id 7612, offset 0, flags [none], proto UDP 
(17), length 336)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x342), length 308
17:02:17.487013 IP (tos 0x68, ttl 50, id 0, offset 0, flags [DF], proto UDP 
(17), length 128)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x343), length 100
17:02:17.488090 IP (tos 0x0, ttl 255, id 43538, offset 0, flags [none], proto 
UDP (17), length 112)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x420), length 84
17:02:17.489542 IP (tos 0x0, ttl 255, id 43539, offset 0, flags [none], proto 
UDP (17), length 320)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x421), length 292
17:02:17.660384 IP (tos 0x0, ttl 255, id 43540, offset 0, flags [none], proto 
UDP (17), length 112)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x422), length 84
17:02:17.797735 IP (tos 0x0, ttl 255, id 43541, offset 0, flags [none], proto 
UDP (17), length 320)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x423), length 292
17:02:17.901092 IP (tos 0x68, ttl 50, id 0, offset 0, flags [DF], proto UDP 
(17), length 128)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x344), length 100
17:02:19.893671 IP (tos 0x68, ttl 50, id 7925, offset 0, flags [none], proto UDP 
(17), length 656)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x345), length 628
17:02:19.938739 IP (tos 0x0, ttl 255, id 43542, offset 0, flags [none], proto 
UDP (17), length 112)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x424), length 84
17:02:20.019196 IP (tos 0x68, ttl 50, id 7932, offset 0, flags [none], proto UDP 
(17), length 656)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x346), length 628
17:02:20.019378 IP (tos 0x68, ttl 50, id 7933, offset 0, flags [none], proto UDP 
(17), length 656)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x347), length 628
17:02:20.019995 IP (tos 0x0, ttl 255, id 43543, offset 0, flags [none], proto 
UDP (17), length 112)
     192.168.113.102.4500 > 89.187.170.130.4500: [no cksum] UDP-encap: 
ESP(spi=0xc4a096e5,seq=0x425), length 84
17:02:20.111272 IP (tos 0x68, ttl 50, id 7951, offset 0, flags [none], proto UDP 
(17), length 656)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x348), length 628
17:02:20.111446 IP (tos 0x68, ttl 50, id 7952, offset 0, flags [none], proto UDP 
(17), length 656)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x349), length 628
17:02:20.111526 IP (tos 0x68, ttl 50, id 7953, offset 0, flags [none], proto UDP 
(17), length 656)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x34a), length 628
17:02:20.111599 IP (tos 0x68, ttl 50, id 7954, offset 0, flags [none], proto UDP 
(17), length 656)
     89.187.170.130.4500 > 192.168.113.102.4500: [no cksum] UDP-encap: 
ESP(spi=0x0a11bcfe,seq=0x34b), length 628
17:02:20.112186 IP (tos 0x0, ttl 255, id 43544, offset 0, flags [none], proto 
UDP (17), length 112)



> Try wireshark on the windows host itself to collect the traffic before
> entering the tunnel may help. 

Yes, I will do some more exact tracing on Windows; some previous efforts
in this direction didn't help, but I can try again.


> Verbose curl logging (-vvv) is another
> source of information

Yes, unfortunately exactly no data comes back in this case, just the
initial debug for a connection; it'll just eventually time out.

Thanks.
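
The check discussed in this exchange, whether a capture shows ESP in both directions, can be scripted over `tcpdump -v` text. The following is an added example, not part of the original message; it reports packets, absent sequence numbers and largest payload per direction and SPI. The sample capture, its addresses and SPIs, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of mail-wrapped `tcpdump -v` output; the
# addresses (RFC 5737 ranges), SPIs and sequence numbers are made up.
SAMPLE = """\
17:02:12.192380 IP (tos 0x0, ttl 255, id 1, offset 0, flags [none], proto
UDP (17), length 144)
     192.0.2.10.4500 > 198.51.100.7.4500: [no cksum] UDP-encap:
ESP(spi=0xc0000001,seq=0x10), length 116
     192.0.2.10.4500 > 198.51.100.7.4500: [no cksum] UDP-encap:
ESP(spi=0xc0000001,seq=0x12), length 116
     192.0.2.10.4500 > 198.51.100.7.4500: [no cksum] UDP-encap:
ESP(spi=0xc0000001,seq=0x11), length 100
     198.51.100.7.4500 > 192.0.2.10.4500: [no cksum] UDP-encap:
ESP(spi=0x0a000001,seq=0x20), length 180
     198.51.100.7.4500 > 192.0.2.10.4500: [no cksum] UDP-encap:
ESP(spi=0x0a000001,seq=0x22), length 628
     192.0.2.10.4500 > 198.51.100.7.4500: [udp sum ok] isakmp-nat-keep-alive
"""

# \s+ tolerates the line wraps a mail client inserts in the middle of a record.
ESP_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.4500 > (\d+\.\d+\.\d+\.\d+)\.4500:\s+\[no cksum\]\s+"
    r"UDP-encap:\s+ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\),\s+length\s+(\d+)"
)

def summarize_esp(text):
    """Return {(src, dst, spi): stats} for every UDP-encapsulated ESP flow."""
    seen = {}
    for src, dst, spi, seq, length in ESP_RE.findall(text):
        f = seen.setdefault((src, dst, spi), {"seqs": set(), "max_len": 0})
        f["seqs"].add(int(seq, 16))
        f["max_len"] = max(f["max_len"], int(length))
    out = {}
    for key, f in seen.items():
        lo, hi = min(f["seqs"]), max(f["seqs"])
        # A set is used so records merely reordered in the capture are not gaps.
        missing = sorted(set(range(lo, hi + 1)) - f["seqs"])
        out[key] = {"packets": len(f["seqs"]), "missing": missing, "max_len": f["max_len"]}
    return out

def is_bidirectional(summary, a, b):
    """True when ESP was captured both from a to b and from b to a."""
    dirs = {(src, dst) for src, dst, _ in summary}
    return (a, b) in dirs and (b, a) in dirs

if __name__ == "__main__":
    for key, stats in summarize_esp(SAMPLE).items(): print(key, stats)
```

A non-empty `missing` list only means those sequence numbers were not seen at the capture point within the captured window.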